I’m excited to announce my recent achievement: successfully passing the Red Team Operator (RTO) exam offered by Zero Point Security. This journey has been both challenging and rewarding, and I’m eager to share my experiences, insights, and tips with you. The CRTO certification, provided by Zero Point Security, equips individuals with the skills needed to conduct Active Directory (AD) penetration testing using the Cobalt Strike C2 framework. While the course materials and techniques are akin to those discussed in the CRTP course offered by AlteredSecurity, the RTO exam stands out for its integration of the C2 framework, offering a unique opportunity to delve deeper into the realm of Red Teaming.
Course Structure
The course structure is a marvel in itself.
Participants get access to Cobalt Strike through browser-based Snap Labs, eliminating the need for a separate license. The labs serve as a personal Red Team playground, private and customizable. The course encompasses different sections covering various topics, such as pre-engagement, host/domain persistence and post exploitation.
Prerequisites
While the course materials adequately cover exam content, it’s advisable to possess a foundational understanding of Windows authentication mechanisms and concepts such as Domains ,Forests, powershell and basics of C#. Lacking this baseline knowledge may lead to a significant learning curve when engaging with the course material.
Exam Experience
The exam spans 48 hours over four days, allowing you to start and stop at your convenience. While all the challenges are discussed in the course material but with a twist.
Balancing my day job alongside daily responsibilities limited the time I could dedicate to the exam. Despite this, on the initial day, I managed to secure the first three flags after investing around 4–5 hours. Initially, I faced challenges setting up the beacon, but after some troubleshooting, I identified and rectified the error. Subsequently, compromising the first three machines became relatively straightforward.
On the second day, approaching the task with renewed focus, I dedicated approximately 7–8 hours to the challenges. This effort led to the compromise of three additional machines and the retrieval of their respective flags, bringing my total to six. With this accomplishment, I successfully passed the exam and concluded my efforts for the day. I then planned to tackle the remaining two machines on the following day, taking advantage of my scheduled week off.
By the third day, I had a solid understanding of the tasks at hand through thorough enumeration. However, as I initiated the attack, I encountered multiple errors from the tool I was utilizing. Following my usual procedure, I conducted extensive research online to find solutions. After modifying the source code of the binary, I managed to achieve domain admin privileges and acquire the remaining two flags. This endeavor took around 6–7 hours of persistent effort.
Right after clearing 6 flags I had my RTO badge and certificate sent to my inbox. Finally I can say “ This was FUN!! ”.
Takeaways / Tips
- subscribe to RTO labs with the course so that you can battle test yourself before going to exam.
- manage your exam lab and course lab time wisely.
- In the RTO lab, Windows Defender is initially disabled. I suggest completing the course with Defender turned off first, then enabling it and going through the course again. This approach will better prepare you for the exam since Defender will be enabled during the examination.
- While every aspect of the course holds significance, I recommend placing particular emphasis on host persistence, host lateral movement, Forest/domain enumeration, Kerberos, and ADCS.
- Prepare yourself to utilize Google and search for solutions whenever you encounter errors while performing attacks.
Conclusion
Following the exam, I’ve resumed my preparations for CRTO2. Yet, I strongly advocate for RTO to anyone seeking entry into red-teaming or aiming to understand the attack aspects of Microsoft AD.
I trust that sharing my journey and insights will benefit those planning for RTO. Best of luck to all!
My Journey with CRTO: A Review was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
Article Link: My Journey with CRTO: A Review. I’m excited to announce my recent… | by JustAnother-Engineer | Apr, 2024 | Medium