02 Apr 2023
Recently I worked on attaining the CRTO so I thought I would just share my experiences on the course and the exam. For those of you who may not be familiar with it, the course is run by RastaMouse aka Daniel Duggan of Zero-Point Security based in the UK.
The course is named ‘Red Team Ops’ and you get certified as a ‘Red Team Operator’ following its succesful completion. The aim of the course is to provide an introduction to how Red Teams operate using the command and control (C2) framework named ‘Cobalt Strike’. Cobalt Strike (CS) is a very expensive C2 to use personally so getting the chance to use it is a rarity unless you are currently performing a red team role.
The course is made up of the following sections:
- Command & Control
- External Reconnaissance
- Initial Compromise
- Host Reconnaissance
- Host Persistence
- Host Privilege Escalation
- Host Persistence (Reprised)
- Credential Theft
- Password Cracking Tips & Tricks
- Domain Reconnaissance
- User Impersonation
- Lateral Movement
- Session Passing
- Pivoting
- Data Protection API
- Kerberos
- Active Directory Certificate Services
- Group Policy
- MS SQL Servers
- Domain Dominance
- Forest & Domain Trusts
- Local Administrator Password Solution
- Microsoft Defender Antivirus
- Application Whitelisting
- Data Hunting & Exfiltration
- Extending Cobalt Strike
If you have already attended the other excellent course by Pentester Academy called ‘Attacking and Defending Active Directory’ a lot of these topics will look familiar although performing these same techniques via CS is a whole different ball game. I would recommend attending the Pentester Academy course first if you do intend on doing both courses as it provides a solid grounding in Active Directory before using CS.
The labs are performed entirely from your browser to avoid people taking Cobalt Strike onto their own machine which is understandable. I didn’t find any issues working through the labs via Chrome and everything worked fine for me.
I also found the techniques were well explained by Rasta and when there was a tricky topic he also provides a useful video of himself performing the technique so you can follow along. Maybe one thing that may have helped at times is at the beginning of each chapter to let us know what user and what machine we are currently meant to be operating from because at times after a weeks break it’s hard to know this at times. I see in some screenshots he displays ‘getuid’ and ‘hostname’ to show the info but it isn’t throughout the course but that is only a minor point to be honest.
One of the sections I particularly enjoyed in the ‘Application Whitelisting’ section was a subsection named ‘Living Off The Land Binaries, Scripts and Libraries’ which is known colloquially as LOLBAS. These are executables and scripts that come as part of Windows but allow for code execution. Because they are Microsoft owned they allow us to bypass AppLocker since they’re allowed to be executed under the normal ‘allow’ criteria.
In this section we learned how to use MSBuild to provide a reverse shell back to our Cobalt Strike teamserver bypassing Windows restrictions which is really useful to know and these binaries I will definitely explore further in my career.
Another big part of the course is being able to move laterally from one machine to the next whilst avoiding AV detection. This is achieved by using the CS artifact and resource kits to help us mask the executables that for example ‘psexec’ drops onto a server before executing it therefore allowing us to login. As we hop from one machine to the next we build up chains of access across the network as pictured below which is pretty neat in my opinion.
After spending about 60 hours of lab time I felt I was in good shape to take the exam. You can easily buy extended lab time priced at £20 for 40 hours which is very reasonable.
Exam
I won’t give away too much detail so as not to provide spoilers but I must admit the exam was trickier than I thought it would be. I think that was mainly due to my persistence on some machines not triggering so I had to run through the hacks that got me to that position again.
I think if I had my time over I would focus on making sure that the persistence was very secure and to use pipe names that may not conflict with a pipe name being used to try and psexec into the same machine as Rasta said afterwards that this may have caused me problems. Anyhow I got the passing number of flags and received my certification 1 hour after the 4 day event ended. You can’t finish the event early so you have to wait until it finishes.
Overall I highly recommend this course which is lots of fun playing around with Cobalt Strike. If you know the course well you will have no problems with the exam because there is no CTF element, just run through the various checks Rasta perofrms and you will find your way to the next flag.