Opinions of a CRTSv2 graduate.
On the 15th of January at 11pm (UTC+2), I took the CRTSv2 exam, and by 1:45am the next day, I had sent my exam report to be graded — that’s 2 hours and 45 minutes. I was quite happy with that, but maybe the exam is just easier than advertised…
I bought the CRTSv2 course from CyberWarfare Labs during their Christmas sale at the end of 2025 for a mere $50. I was looking for something that was a good step back into advanced hacking techniques without breaking the bank. I considered the ZeroPointSecurity courses, the Altered Security courses, and a bunch of others, but for $50, nothing could beat CRTSv2. The purchase comes with the course content (videos and PDF slides), 30 days of access to a really cool lab (though I had some issues), and 2 exam attempts.
The Course
I really enjoyed the course material. It included a lot of subjects which I’ve never touched. Linux AD, gMSA, Sapphire Tickets, and FSPs. There was also some great information about ADCS, but I already had experience with it, so it wasn’t a highlight for me. The content was broken up into two major sections: Initial Access and Advanced AD Attacks.
Initial Access focused on Web compromise, Phishing with MFA bypass, malicious VS Code extensions, exploiting GitLab, and DLL hijacking to backdoor Zoom. The Advanced AD Attacks section included Kerberos exploitation, Linux AD, gMSA, ADCS, and a few other specific AD attacks.
I loved the level of technical details in the videos. It dives deep, but not so deep that you’re drowning in network protocol sequence diagrams. All the details included in the course were practically applicable to exploitation, which is rare. There was no fluff, which I really appreciate. I couldn’t recommend the course content enough.
The Lab
A major selling point for the CRTSv2 course is the lab. It is a rather large enterprise environment with multiple domains, firewalls and a variety of services. It gives you the opportunity to practice all of the techniques taught in the course.
There are two documented paths to compromise the lab, one focuses on the initial access vectors and the other emphasises the AD-relevant vulnerabilities. The walkthroughs are awesome. They not only show you how to use the tools and techniques, but they often go the long way around just to demonstrate new techniques, even though there is an easier path forward. Working through the walkthroughs and taking detailed notes was the most effective part of my preparation for the exam.
I only have one complaint about the lab. It’s a shared lab, so a lot of the exploitation paths were already executed on the environment. I found DCSYNC rights on a user account that was meant to be low-priv. I found specific tools, certificates and keytabs on the servers which weren’t meant to be there yet (in my exploitation process). It’s not a huge issue, but it did ruin the immersion. I was still able to use the lab to learn, I just had to ignore the artefacts left behind by other students.
Overall, the course and the lab were amazing 🔥
The Exam
I was really excited for the exam. Ever since I did OSCP near the end of 2022, I felt I hadn’t been challenged in an exam. The exam is a 24-hour practical lab and another 24 hours for reporting your exploitation path. After my experience in the lab, I had high hopes for the exam environment.
You can schedule your exam in the online portal. When I looked at the booking portal, I saw that the only available slot in the next 2 weeks was the next day at 11pm, so I booked it, thinking I could just log in, run some scans and go to bed.
When the time came (11pm UTC+2), I downloaded the VPN config, tested my connection, read the exam instructions, and started to attack the environment. At first, my nmap scans picked up nothing. After 10 minutes, I saw that my VPN tunnel interface didn’t have the exam network IP range as one of its routes. So I fixed that with:
sudo ip route add 192.168.88.0/24 dev tun0
Just keep that in mind if you can’t find anything with nmap. After adding the route, my nmap sweep found all the hosts, and I started exploiting. I can’t say much about the path or environment, but it was really fun. The course and lab overprepare you for the exam. If you work through the lab paths, you’ll be more than fine.
Ultimately, I fully compromised both domains and captured the flag in 2 hours. I took the next 45 minutes to write the report and format my screenshots in the document. My report was a simple walkthrough with a lot of screenshots showing the step-by-step exploitation path, similar to my OSCP report. I took screenshots of every important command and its output and downloaded a lot of data from the environment to ensure I could get screenshots of them later if I needed them during reporting. After about 7 working days, I received a notification to say I had passed the exam.
Conclusion
If you have a week to kill and want a really fun Red Team challenge, get CRTSv2; you won’t be disappointed. For anyone taking the course, here are my points of advice.
Use the lab walkthroughs and take detailed notes as you work through them.
Take as many screenshots as possible during the exam.
As you go through the course, collect tools and keep them somewhere safe — so you can use them in the exam.
Get bloodhound ready (netexec BH collector + Bloodhound CE docker).
Don’t stress about the exam — it’s not that deep — 24 hours is waaaaay more than enough time.
Thanks, CyberWarfare Labs, for the course; it was great. Keep up the good work. From here, I’ll be finishing up my CWL journey with MCRTA and also take on CRTO+CRTL as I prepare for OSEP 🫡
