CRTP Bootcamp Review

Kartik Sharma
Feb 10, 2021

This blog post talks about Pentester Academy’s Active Directory Beginner’s Edition Bootcamp and reviews the CRTP exam.

Prerequisites

The prerequisites for the course are as follows:

  • General knowledge about what exactly Active Directory is.
  • Basic understanding of the Windows command line.

In my case, I had slight information about Active Directory and a bit of hands-on experience with Impacket scripts (without actually understanding how each of the scripts worked). Further, I had absolutely no experience with PowerShell scripting.

The BootCamp

Live Classes

There were a total of 4 live sessions by the AD God Nikhil Mittal. Each class was supposed to be 2 hours 30 minutes long but usually lasted more than 3 hours (due to pre and post-class doubt sessions).

The 4 live sessions were divided as follows:

  • Enumeration and Local Privilege Escalation
  • Lateral Movement, Domain Privilege Escalation and Persistence
  • Domain Persistence, Dominance and Escalation to Enterprise Admins
  • Defences, Monitoring and Bypassing Defences

Note: During the live sessions, never try to run the commands simultaneously in the lab. You will for sure lag behind. The best you can do is open a blank notepad and write down your thoughts/ideas and doubts. Later, discuss them during the doubt session.

Labs and Assignments

The labs consisted of 22 unique objectives covering each and every aspect of the course. Further, we had weekly assignments which were directly related to the labs.
There are 2 methods to access the labs:

  • VPN based (RDP connection)
  • Web Access (through URL)

The total time period for the lab is 30 days, which is sufficient to go over the labs at least thrice!

Why thrice?
During the Bootcamp, I was working as a Full-Time Security Consultant and worked part-time on bug bounties. I managed to complete the labs 3 times, and I feel I could have gone once more (had around 3–4 days left before the labs expired).

I would also suggest not rushing through the labs (I saw most of my batchmates doing this); you should go slow, after understanding each and every session’s objectives.

Running the commands is super easy, but understanding how they work is a bit tricky!

Note Taking

This is the most important part of the Bootcamp. Try to make your notes as verbose as possible. Note down the mistakes as well. Understand why something does not work and the way you fixed the issue. Sometimes you might skip things while solving the objectives, thinking that it’s easy and you will remember it in the end. In the exam, you might make a similar mistake but you will not remember the fix for it, which might create a tough situation for you!
During the Bootcamp, I made the notes as follows:

Index for my CRTP notes

I used notion.io to create my notes. If you go through the index on the left, you might notice that the 4 live sessions are written twice. This is because I used to rewatch the complete session on the next day and made super detailed notes with proper PowerShell syntax so that I could copy-paste the commands while working.
Conceptual understanding is what matters; you will not be required to cram the commands. Also, once done with the labs, make a consolidated cheatsheet with one-line explanations about every command.

CRTP Exam

The last Bootcamp session was on 30th January 2021 and I planned to take the exam on 6th February 2021. Don’t delay the exam; the sooner you give it, the better. This is because you will lose your lab access, and staying out of practice would be the worst thing for you.

The exam consists of 5 servers, excluding the low-privileged user access provided. The goal of the exam is to attain command execution on all 5 target servers within a 24-hour time period. Next, you need to create a report within 48 hours after the exam time period expires.

I read a lot of blog posts before attempting the exam. Each one of them had one thing in common, ENUMERATE ENUMERATE ENUMERATE. I will mention the same thing in this post as well. Do a thorough enumeration during the exam. Every time you gain access, recheck the knowledge gained from the previous enumerations and re-run your enumeration scripts from the privileged shells.

Also, I would like to mention that the exam is not super hard to solve. Yes, it will be challenging, but you just need to be patient; there will be some rabbit holes. However, good practice in the labs and understanding what exactly you are running will help you sail smoothly through the exam.

1 Day before exam
This was my first time attempting a 24-hour-long exam. Therefore, to make things easy in the exam, I did the following:

  • Created an exam specific cheatsheet (skipping persistence and brute-force related concepts, as they are not required in the exam).
    Link to my cheat sheet:
  • Set up BloodHound on my local machine.
  • Created 3 separate zip files for faster tool transfer.
    enum.zip: local privesc and enumeration
    forest.zip: for forest level attacks
    lat_mov.zip: for lateral movement attacks
  • Bought 2 Red Bull cans (in case things went out of hand).

The final Exam day
I woke up early, went to the gym and started with my exam around 11:30 AM. It took me a total of 7–8 hours including the 15 min lunch break to get root on the forest (sorry for the flex :p). Again, the key is enumeration. During the labs, try to chain commands and see what kind of custom outputs you can get for yourself. I did not create some enumeration automation script (because I can’t, I simply suck at PowerShell) but I manually went through each and every PowerView/BloodHound output.
After taking a break, I completed my report and on the next day, I received this!

It was indeed a challenging exam with a couple of rabbit holes, but proper enumeration helped me get out of each of them.

Was the Bootcamp worth it?

Absolutely yes! It costs $300, i.e. $50 more than the normal videos, lab access and 1 exam attempt. The Bootcamp provided me with a channel to connect with the instructor directly over Discord. Further, I found some like-minded people in the group that helped me to learn and gain a deeper understanding of AV evasions and other AD-based attacks.
