CRTP Reflections

My hope is to provide those who are interested in the bootcamp, the lab environment, or in the CRTP certification some insight into what skills are provided and the overall structure of the offerings. There are a large number of options out there and choosing the right one for you is important.

Rabbot goes to school to learn how to be hacker
Rabbot goes to school to learn how to be hacker

At the beginning of this year (2021), I was given the opportunity to enroll in the Attacking and Defending Active Directory: Beginner’s Edition bootcamp offered by Altered Security. Included in this bootcamp is four live sessions with the instructor, a complete lab environment to practice in, a set of flags to obtain while in the lab and one attempt at the Certified Red Team Professional (CRTP) certification exam. My hope is to provide those who are interested in the bootcamp, the lab environment, or in the CRTP certification some insight into what skills are provided and the overall structure of the offerings. There are a large number of options out there and choosing the right one for you is important.

As mentioned previously, the bootcamp packages everything Altered Security has to offer at the beginner level regarding attacking an Active Directory (AD) environment. What is unique about the bootcamp is the access you have to the instructor. In my case, the instructor was Nikhil Mittal (@nikhil_mitt). He has presented over the years to multiple conferences including Defcon and Black Hat. He also has developed a number of tools aimed at red team operations targeting AD. Nikhil was an excellent instructor. He provided great insight to complex concepts and was always willing to answer student questions. Also provided by Nikhil was a Discord server where he remained extremely active and responsive. He is very understandable and easy to follow, taking the necessary amount of time to walk you through the various techniques and terminology involved. If you are considering signing up for the bootcamp, I couldn’t recommend Nikhil more as your instructor.

The live sessions go alongside a very large presentation. The slides include a hefty amount of information including diagrams that serve as visual aids for more elaborate concepts, command line instructions for executing at every stage of an assessment, terminology definitions, helpful tips for dealing with random oddities, etc. It is made very clear, however, that not all information being offered in the live sessions is included in the presentation slides. It will absolutely behoove you to take part in the live sessions or, at the very least, watch the recorded sessions closely. (Yes, they are recorded and can be saved for your reference later) The presentation is made available to you, so there isn’t a need to scribble notes away while partaking in the course. I personally take very well to traditional education methods like the dreaded PowerPoint presentations. I know, I’m weird. That being said, if you are the type that really loathes these presentations and finds yourself drifting off to another dimension within minutes, this may be something to consider. Do also consider though that the sessions (approximately 3.5 hours each) are around 50/50 split between going through slides and putting to practice the slide contents.


If you are enjoying this article your support would be greatly appreciated!


If all you are interested in is the lab environment, it can be purchased separately as their Attacking and Defending Active Directory Lab. The lab consists of multiple forests, each containing one or more domains. It is structured in a way to provide students the opportunity to practice a number of attacks while pivoting through a complex network that would typically be seen in larger organizations. You have two routes to access the lab. You may either connect to your student system through the web portal utilizing Apache Guacamole or use the provided OpenVPN connection pack to join the VPN and then use RDP to connect to your system. You can access these from either a Linux or Windows environment. Topics covered in the lab range from basic domain/forest enumeration, service abuse, lateral movement within domains and between forests, privilege escalation techniques, common defenses and techniques to bypass them, and how to execute these activities as quietly as possible. Please understand that you will not be encountering “sophisticated” defense mechanisms in the lab environment. You will be dealing with baked in Microsoft protections like AMSI, Windows Defender, and Constrained Language Mode. I won’t go into great detail about the various techniques presented. The one main point I would like to make is that most of the knowledge required to complete the lab environment is freely available if you search hard enough. For some, this is enough and detailed instruction or assistance is not necessary. For others, especially those who are completely in the dark when presented with an AD environment, would likely benefit from a more structured approach rather than being thrown to the wolves. What you don’t get from learning on your own though is the lab environment to put what you read to practice. I find this type of resource invaluable if you do not have the ability to set up your own lab.

The flags you are required to obtain in order to achieve course completion are (mostly) not the typical CTF style flags. You will not find yourself spending hours upon hours digging through obscure directories to find some hash value or obfuscated string. The flags are presented in line with what your progress should look like, and they will be meaningful in nature. For an example, you may be asked during the reconnaissance phase to provide the domain name for a forest you are not currently a member of. If you are like me and tend to get a little aggravated by the needle-in-a-haystack flags often seen in CTF challenges, you will be delighted to not have that experience here. If you are electing to take the bootcamp, you will be required to submit all of the flags before you are presented with a course completion certificate. If you are not interested in the course completion certificate, you may elect to skip them and go straight for the certification exam if you feel you are ready for it.

The last bit I’d like to cover is the actual CRTP examination. It is a 24 hour exam with a little extra time to help cover initial setup time. Like the lab, you can access your exam system via the web portal or via VPN. You will be required to gain access to five systems other than the one you start on if you want to pass. That does not mean you are required to gain access to the local administrative account on all five systems. By the end of the exam, you will have full Domain Admin privileges. The exam environment is smaller than the one presented in the lab, and is not a subset of systems copied directly over. You will need to perform all stages of an attack to be successful here. If you were studious and learned what you were taught in the bootcamp, you will not have any gaps in knowledge required to pass this exam. The exam will provide you with subtle hints along the way so don’t disregard things you come across. Try to document your progress as you move through the exam by taking screenshots, documenting commands executed and noting the reasoning behind your actions. These will make the secondary part of the examination much easier, the report. You will be given another 24 hours to complete the report. It is made very clear that an insufficient report will result in not receiving a certification, even if you completed the active portion.

My overall experience with Altered Security and their bootcamp offerings have so far been extremely positive. I readily recommend their services to anyone looking to brush up on topics they aren’t already familiar with. I thoroughly enjoyed the AD bootcamp, and am hoping to take the following iterations of the bootcamp for more advanced users. The only warning I will give to those still unsure about signing up is, be aware that the course is centered around the use of PowerShell and PowerShell scripts. While this knowledge is still applicable against organizations with less mature defenses, many organizations with more sophisticated defenses in place will be catching your use of PowerShell and nullifying your hard work. More modern attack methods would include the use of C# tools, and the recently popular Nim language. Many of the tools covered in the bootcamp have versions written in C# and the knowledge is transferable between them, so don’t let that be what holds you back from giving the course a try.