My CRTO course and exam review

Gustav Shen
6 min readJan 25, 2022
CRTO Exam

Motivation of The Journey

3 months ago, I passed OSCP exam. After that, I want to dig penetration testing domain deeper , and I become more interested in Red Teaming. At that time, I considered multiple choices, such as CRTP, CRTO, OSEP, etc. I found a fantastic github repo (https://github.com/ryan412/ADLabsReview) that reviewed multiple advanced penetration testing/red teaming courses/labs. Actually, I heard that many people choose CRTP or CRTO after OSCP to prepare for OSEP. Therefore, I had difficulty choosing from CRTP and CRTO. Even though I enrolled both of them, but time is also a kind of resource. I decided to learn CRTO first. I roughly go through course materials of CRTO and CRTP, I find CRTP focus on AD exploitation more while CRTO is more comprehensive, it covers the whole engagement of red teaming, from initial beacon to all domains takeout, both technical and non-technical. And the most important thing is that CRTO teaches Cobalt Strike, and it provides a student with licensed Cobalt Strike in Lab and exam environment. I know that CRTO is a relative new certification, it would not help me to much bypass HR firewall (I am glad that some positions mention CRTO in Job Requirement now), so I enrolled this course just for improving my skills. Then, my CRTO journey started!

Course Introduction and Review

RTO (Red Team Ops) is held by zeropoint security, check the link (https://www.zeropointsecurity.co.uk/red-team-ops/overview) to know more about it. Information gathering is a basic skill for a penetester/red teamer, therefore I will not tell too much about something you can directly find from official website, such as price, chapters of courses, etc. Once your order is approved, you can get access to course materials via canvas. Course materials include videos. Videos are not too long, they help you understand steps better. Sometimes, steps in video are different from steps in articles. When you meet this situation, always trust video first. For example, Constrained Delegation Abuse can not be reproduced successfully if you follow steps from article materials, but steps in video work.

The course bundle contains one exam voucher and 1 hour lab. Many people may ask, how many hours of lab is proper? I used about 42 hours before passing the exam. And I strongly suggest you to purchase more than 40 hours. Even though you feel you are prepared for the exam, you can still play with lab for a long time. Your goal is not only to exploit, but also to keep youself stealth and bypass defence. For example, you can try different ways to exploit and then use splunk to gather indications of your exploitation.

The material is very good, it is not so long but it teaches us the most important knowledge and skills with brief and simple expression. You will commend that relative short materials can cover so much knowledge but it can make you understand well. Let’s talk about the lab . The lab can be access through snap lab. You don’t need to use openvpn to connect to it, just start the lab and access machines via browser. The design and quality of the lab environment is quite so good, but the connection is not so good. I feel laggy from time to time. Since attacker machines have licensed cobalt strike installed and some other reasons, typically we cannot transfer file between our host and lab environment. But copying and pasting text is okay.

Snap Lab

If you have any issues during the course, you can join the official Discord server to talk to other students and Daniel.

Exam Experience and Review

Last week, I started my RTO exam. If you pass the exam, you will get CRTO certification badge. The exam is totally 48 hours, you have 4 days to allocate 48 hours. Many people choose 4 days * 12 hours. But you can absolutely choose 2 days * 24 hours. Nobody monitors you when you are in exam, and it is very convenient to schedule/reschedule the exam. When it is time for the exam, you just need to launch the exam from snaplab. Don’t forget to download the threat profile file. The time is far enough for passing the exam, but the exam itself is not easy. It is even intensive. To pass the exam, you need to collect 6 flags out of 8 flags. Apart from the last flag, whenever you have admin privilege on a new host, you can capture the flag. The final flag requires you to compromise multiple host to capture it. By the way, you will be provided with a low privilege domain user, so you don’t need to gather information to launch phishing attack.

I say the exam is not easy, why?

1: Many people waste a lot of time before getting their first beacon. But if you carefully go through course materials, you will know why. The preparation work is very very important.

2: In exam, you only have Kali as the attacker machine, which means you will not have access to some tools that you used in lab. Some of my favourite tools are absent. So, be familiar with multiple similar tools instead of depending on single tool.

3: Course materials have all thing you need to pass the exam, but it does not mean copying and pasting steps can help you pass the exam easily. You need to understand these steps and think out of box.

4: Apart from the last two flags, the attack path is clear and obvious, but you need to be extreme careful. I spent 90% of my exam time on troubleshooting and debugging lol. Something you need to pay attention to include but not limited to AV, AMSI, hostname, special characters, single/double quotes, firewall rules, etc.

5: If you just want to pass the exam, flag 6 requires multiple steps. You need to be very careful to avoid any error, or you will fail. You will capture flags by order, so if you cannot capture flag 6, you will not capture flag 7 and flag 8.

6: The last flag is difficult, you need to fully compromise 4 hosts to capture it. Due to work and some personal schedule, even though I still have few hours left and I am very eager to fully compromise the exam environment, but I have to stop my exam.

The exam is very fun, I think it is much more fun and challenging than lab. CRTO exam is the most enjoyable exam I have ever taken.

Final Review

In general, I am very satisfied with CRTO course, lab, and exam. I like the exam most, let me list pros and cons of CRTO.

Pro:

1: Course material, lab, and exam are high-quality and enjoyable

2: Cover the whole red teaming engagement

3: Proper difficulty and depth, the best bridge between OSCP and OSEP

4: Teach Cobalt Strike C2

Con:

1: The lab time is calculated by hour, I feel stressed when I am doing lab.

2: Laggy connection

3: It’s new to HR

Happy hacking! I hope this article can help more people who are interested in CRTO.

--

--