Posted on 2024-12-07 by Nathan Jarvie in Certifications
Recently a friend of mine and I decided to tackle Altered Security’s Certified Red Team Master (CRTM) and we found that it wasn’t what we expected at all.
Was it worth it? Was it fun? Is this a clickbait introduction?
Read on to find out!
CRT-What?
Altered Security has 3 tiers of infrastructure Red Team certifications that increase steadily in difficulty.
- Certified Red Team Professional (CRTP)
- Certified Red Team Expert (CRTE)
- Certified Red Team Master (CRTM) - Previously known as PACES
While most people are generally familiar with CRTP, as it is commonly, and incorrectly, compared to Offsec’s Offensive Security Certified Professional (OSCP), the intermediate (CRTE)* and advanced (CRTM) certifications are less well known. In fact, when researching whether the CRTM course was worth taking, I found surprisingly little information on it aside from a few vague blog posts.
Certified Red Team Master (CRTM) is an advanced level challenge lab. It is designed for pentesters (and defenders) who are well versed in Active Directory and Windows exploitation. It is meant to help reinforce knowledge and develop new skills that build on what you already know. If you have completed CRTE or Certified Red Team Operator by Zero-Point Security, then you will probably feel comfortable giving this a shot.
So let’s talk about what it is, and perhaps more importantly, what it is not.
Note: You can read my blog on Certified Red Team Expert (CRTE) here.
What is it?
CRTM is broken into two key parts. The first is the GCB lab, in which you will spend the majority of your time, and the second is the certification exam itself.
The important thing to note here is that this is a challenge lab, and not a course in the traditional sense. While Altered Security does provide some minimal training materials, mostly around new concepts you may not have yet encountered in the wild, the learning really takes place in the lab environment. It requires a solid understanding of Kerberos and how Windows authentication works. You will be exploiting misconfigurations in Active Directory and user permissions. There are no point-and-shoot exploits in this that you can pull off GitHub or Metasploit.
The lab is designed to mimic a bank in which your goal is to obtain the funds transfer key (flag) which is on the last machine in the network. It consists of multiple forests and domains with various trust relationships you will need to abuse to move through the network. It is up to you how you work through the lab but some parts may not be available to you until other sections have been completed.
You are provided a Windows workstation on the client network, a foothold if you will, from which you can launch your attacks. But no tools or guidance are provided directly.
Once you have obtained the flag you can sit the accompanying exam. This exam consists of three parts:
- Hacking the environment
- Patching the environment
- The report
Yes, you read that right. You need to hack your way in, then patch your way back out. Kind of like a King of the Hill CTF game.
I will go into some more details of the exam a little later.
I would suggest taking the 60 or 90 day options as it may take some time to work your way through the lab thoroughly.
What it is not
This is not a course. Altered Security themselves describe it as a challenge lab.
You will not be fed hours of videos, transcripts, documents and reading to do like you would find in most other certification courses. The provided documentation is minimal. All up there are less than 5 hours of videos to watch, which are separated based on specific concepts you may encounter in the lab, and some attack path diagrams. If you have completed CRTP or CRTE previously you may have used their lab guide. No such guide is provided here.
The attack path guides provide a nudge in the right direction for each section of the lab, but nothing more. They are designed specifically to make you think about how you may approach that task, to attempt it yourself, and to troubleshoot the issues you encounter along the way yourself.
There is no real hand holding for this course, but don’t let that put you off. The learning is in the challenge.
The GCB Lab
This was a very fun and frustrating experience.
As mentioned before, you start from a foothold machine on the network without administrator privileges and with no tools. You are expected to escalate privileges and transfer your tools on as needed. Personally, I found the tools provided in the CRTE course to be more than sufficient. I didn’t need all, or even most, of them to complete the lab.
If you have done CRTP or CRTE in the past, then the lab layout and design should feel familiar. You will rely heavily on PowerShell, WinRM, and Microsoft signed binaries to complete the tasks. If you haven’t done any of Altered Security’s courses previously, and instead rely heavily on Linux (like Kali) you may find this a difficult adjustment. While it’s not impossible to do the course with Kali or similar, it is much more difficult and unsupported.
The good
This lab is designed to challenge you. It will present you with obstacles for you to overcome with your experience and extensive research. With each challenge solved you will learn a new skill or application that will help in the journey.
But despite all that you are not alone. The lab is a solo challenge but not without a support network. Altered Security have a support team that can help you as you are working through the lab, and a Discord channel in which enrollees can chat openly about the lab and provide assistance and nudges. In some cases the answer is posted right there in the chat for anyone to see. While this may feel like cheating, the lab is designed to test you but not to frustrate and dishearten you. This is an opportunity for growth and learning. While everyone will encourage you to “Try Harder” when necessary, they will also recognise when someone is struggling and will often rush to help.
If you get completely stuck, you can always email the GCB lab support team and they will send you through step-by-step instructions that you can follow to continue your progress, or reset your lab if you broke it. Sometimes it’s a problem with syntax. Sometimes the lab breaks. Sometimes you just have no idea what they are trying to teach you and you have gone down rabbit holes for several days and just need a hand to get out.
The lab itself has lots of interesting challenges that will make you think differently about how to approach the issue. I often found myself staring at the screen thinking “Man, THAT is cool!”. As I was working through it with a friend, there were often times where we would sit and discuss the issue, coming up with interesting ways that the problem may be solved. We often had different approaches to the task, which allowed us to learn a lot from each other.
There is also an Elastic Stack that users can access to see how their attacks are being flagged in an effort to test stealth. This is especially useful if you are trying to fine-tune your techniques, but it is not a requirement for the lab.
The bad
Unfortunately there are a few parts to the lab that bothered me. Reading through a few of the other blogs about CRTM, it’s clear there is a bit of a trend too.
The first is that because it’s a shared lab environment, it is possible for another user to lock you out of progressing. This is often accidental and in no way malicious, but it’s a pain in the butt when you work on a problem for hours only to find that your first method works the next day once the lab has been reset. In saying that, it was a rare occurrence to run into troubles while working in the lab, but it did happen occasionally.
On that point, the lab is reset each day, so you need to ensure you have accurate notes for how you got to certain places, because you will need to put it all back again every 24 hours. This is not a big deal in itself but something to take note of.
But my biggest issue is with some of the challenges themselves. While the vast majority are interesting and fun examples of how to perform certain attacks and techniques, some are very contrived, and in some cases outright unrealistic, to the point that without assistance from support I would not have considered the option. One example of this is the requirement to shut down a live Domain Controller, which is something I would never do in a real engagement. I understand that they are designed to teach you a technique that can be used in the real world, but they perhaps need some additional consideration. I used an alternative method in this case, which worked for the most part, except I was having issues with the tooling. When I asked for support I was given completely different instructions (shut down the server), and my original (and arguably better) method was patched out of the environment within 24 hours.
The exam
Once you have completed the lab and got your flag you can sit the exam. You have 48 hours to hack the environment, compromising all the machines, then patch the vulnerabilities to prevent that attack path being executed again. Equal weighting is applied to both attack and defence, so simply compromising the systems is not enough for a pass grade.
Fear not! The defence part is not as hard as it seems. With some creative googling you will find the answers you need.
Once you have completed this, you have a further 48 hours to submit a full report detailing both the attack path and mitigation strategies that you have implemented. This should be accompanied with evidence such as full commands and their output, and screenshots. The report should be presented in such a way that a technically competent person can follow your steps from start to finish.
While this sounds like a lot, you have plenty of time to achieve these tasks.
What I would like to see changed
There are a few things that I would like to see that would make this experience a little smoother overall.
Hints system
The first is that while the support provided by the Altered Security team and the Discord community is helpful, not everyone likes to go down this route. Also, due to time zones and other restrictions, it may be a long time before you receive a reply, which can cause issues for users on a limited time budget. So I would like to see a hints system implemented in lieu of a lab guide. Each machine should have a flag on it that, when submitted to the portal, presents the user with 3 hints. The first would be similar to the attack path diagrams and simply indicate the next machine to target. The second would present the user with a little more detail to give a clearer picture of what is expected. The last hint would be the commands themselves, as they would be presented by the support team or the Discord community.
I believe this would alleviate some of the pressure on the GCB lab team in the long run and present the user with a better overall experience.
Breadcrumbs
In order to address some of the more contrived challenges, I would like to see more breadcrumbs throughout the network. There is a simulated phishing attack that is a bit of blind trial and error to resolve that could be assisted by adding in some additional email correspondence that can nudge in the right direction. Documentation could be left on administrator desktops that has some information on configurations so that it’s not so blind.
It would still be up to the user to find this information, read it, analyse it, and understand it. But it would probably lead to less stumbling in the dark. The hardest part would be finding the balance between a hint and giving the answer away.
Defence practice
There is not a lot of opportunity to practice defence techniques in the lab. You are in a shared environment so testing out defences can negatively impact other users, resulting in that user asking for the lab to be reset, possibly while you are attempting to defend it. This loop can mean that users do not have a great opportunity to practice their defence strategies before the exam.
Hack The Box and other platforms have a voting system to reset shared machines that may be helpful here. Once someone has done some defence work they can vote to have the server reset. When 80% of the lab’s participants have clicked reset it will do so automatically, putting the vulnerabilities back in place for the rest of the participants to continue.
Exam difficulty
Without giving anything away here, I honestly think the exam is too easy. For all the interesting concepts introduced in the lab, I would have liked to see more of them appear on the exam itself. I understand that the achievement of completing the lab is the real prize for this course, but it is entirely possible to cheese the lab then go into the exam and pass if you have a solid enough understanding of AD exploitation before starting. I feel that this devalues the certification a little but there is a lot of potential here.
Tips for those considering the course
I have 5 tips for you.
- Take notes on everything! - This generally goes without saying, but you will only be as good as your notes. As I mentioned previously, your lab will reset every 24 hours, so having good notes on how you got to each place will be invaluable. Capturing examples of both command syntax and outputs gives you a reference to use in a pinch. It is also worth taking the time to explain the syntax to yourself so that when you are in the exam you know the difference between the /sid and /sids switches.
- Don’t approach this like a course - This is more like a big CTF with an exam at the end. Each challenge is designed to practice a specific technique. There is quite a bit of railroading here, so if your method doesn’t work, step back and reevaluate. Often you will get stuck on a challenge because you don’t yet have all the pieces of information. Take your time to check every machine for useful information.
- Ask for help if you need it - This is a learning experience. It is not meant to be impossible. If you get stuck and need help, that is okay. Just ensure you have tried “everything” first. When sending emails to support or using the Discord, try to provide as much information as possible on what you have tried so far. Be open to the idea that maybe you are just doing it wrong. “I tried that and it didn’t work” is not helpful to anyone. Check your syntax against the one provided. Try to work out WHY yours didn’t work; don’t just grab the flag and run.
- Bring a friend if you can - The lab environment is a challenge, and while it can certainly be done solo, and many people do, hacking with friends is a lot more fun and engaging. You can make it a competition or a cooperative effort. However, the exam must be done solo, so do not rely on them too much. Make sure you understand what you are doing and why you are doing it to ensure you are in the best position possible to tackle the exam. If you don’t have a friend, make one! Join the Discord server and see if anyone is in your time zone and wants to work together.
- Prepare for the exam appropriately - The exam involves both attack and defence, so knowing roughly how to defend against your attacks will help speed up the process of frantically Googling the answers. Taking the time to look at possible remediation efforts for your attacks while you have access to the lab is invaluable. Remember that it resets every day, so if you do block the attack path you can continue again the following day (or ask Support to reset it for you). Have your notes prepared, along with examples of output, so you know what to look for.
Was it worth it?
Absolutely.
Minor gripes aside, the challenge lab was a great experience and I learned a lot in the process, including techniques I had never considered that are built into Windows as security features. The tricks I learned have already helped me on live engagements, and will continue to do so for a long time.
Good luck on your journey! And as always, if you have any questions, please feel free to reach out to me on my socials.
About the author
Nathan is a certification addict; he can’t stop and it’s becoming a problem. We can’t talk to him about it directly, but consider this a call for help.
If you need help with your security, get in touch with Volkis.
Follow us on Twitter and LinkedIn.