
CRTO - Sneaky Beaky like.


I've been a professional penetration tester for 4+ years now, but I've been a Counter-Strike player for 12. As a young teenager playing with my older brother and his friends, I was always the run-and-gun kid with no discipline. Sneaky-beaky like was never my taste. And for much of my pentesting career, I've had the same attitude: jump in head-first, crack the perimeter, stomp around the internal network (without breaking anything), and write the report (but that's what is required for a fast-paced pentesting workflow). However, I've recently come to appreciate the extra effort and skill required to be a Red Teamer: to fly under the radar and avoid being called up at 8pm by some Blue Team guy asking if I was doing a pentest earlier that day and made a new Domain Admin account on the network. So as a first step into the sneaky-beaky world, I purchased the CRTO course from Zero-Point Security. This article documents my experience.

The Course 🔥

The Red Team Operator course takes an established penetration tester and gives them a portal into the world of Red Teaming. Starting with malware basics for Windows, it unveils the practical steps and things to consider when you need to go undetected in a network. The course is focused on the use of Cobalt Strike as a C2 framework for Red Teaming, but the concepts and techniques taught are transferable to other C2s and to a manual workflow. Understanding processes, threads, Windows internals, Kerberos, initial access vectors, pivoting techniques, privilege escalation, and more gives you the tools to tackle an engagement with confidence (not perfection, but confidence, because you aren't completely lost and if you don't know something, you can figure it out).

The course content, which includes the text modules, videos, and labs, prepares you thoroughly for the exam. Here are a few highlights from the course:

  • Several process injection techniques.

  • Deep-dive into Kerberos authentication and delegation attacks.

  • AppLocker and Defender bypass methodology that enables you to build the bypass yourself instead of relying on someone else's code snippets (a video I made about this topic: https://youtu.be/0j-JeJoILOE)

  • Stealthy Active Directory enumeration so you don't have to nuke the domain controller with a BloodHound collector.

  • Persistence techniques that will give you endless ideas for future engagements.

  • Phishing and initial access content which takes a look at how APTs have successfully used phishing as a way to breach the perimeter.

There is a lot more in the course, but those were the things I enjoyed most and look forward to using in my work.

The Exam 😅

The exam is no walk in the park. Thankfully, the course allows you to take the exam as many times as you want without paying more. The only restriction is that you can't spam exam attempts; you need to wait 7 days between them.

After finishing most of the course content, I started my first attempt. You are given 24 hours of exam lab time which you can spread over 7 days (pause the lab and start it again whenever you want).

I stood at my desk for 24 hours, with a mere 4 hours of sleep in between solid hacking sessions. With an hour to spare I cracked the exam objective and submitted the attempt. The results are returned right after the exam. I was crushed to see 79/100. I missed it by 6 points (you need 85 to pass). The reason I failed is that I wasn't OPSEC-safe enough. I made a mistake in the Cobalt Strike configuration, I didn't check a payload against Defender before deploying it, and I hooked into LSASS to dump credentials. All of which combined to give me a failing mark.

After that first attempt, I made a flow chart of the exam lab, made notes of where I went wrong, and waited 7 days. On the next Friday I spun up the exam and crushed it in just under 4 hours. I finished with 95 points.

The exam was difficult and the OPSEC element pushed it over the edge. I'm convinced it is harder than OSCP (don't be mad). The exam isn't a CTF, it's a simulation of a realistic kill chain through an AD environment with multiple domains and VLANs.

Conclusions

I'd recommend the CRTO to anyone who has graduated from the OSCP grind. It takes you away from the CTF mindset and shows you that there is more to hacking than a flag. There is more to Counter-Strike than flashing onto site with a P90 in hand (hard to believe, but it's true).
