Zero-point Security's Red Team Ops (CRTO) review


Context

I recently took Zero-point Security’s Red Team Ops course and its associated exam (CRTO). It is also known as Daniel Duggan’s (a.k.a. Rastamouse) course, even though Zero-point Security has since released other courses on offensive programming. It is so far the best learning experience I have had with an online certification, and I wanted to share a bit of what to expect from the course as well as what you can gain from it.

Course

As its title suggests, the main subject is red teaming, which is often confused with pentesting, even by IT security professionals. The scope of the two differs in many ways; as this is not the topic of this article, have a look at Mitnick’s article on the difference between the two if you do not already know it.

The course is available on Zero-point Security’s website and costs 399 pounds (around 473 euros). If you scroll down a bit, the outline gives you a good overview of the covered topics.

Once purchased, the course is available for life, whereas you get forty hours of lab time. The course works as a rolling release, so you can come back to it whenever Duggan makes updates. The lab is an online virtual lab accessible via Guacamole, an HTML5 remote desktop client. That means the labs can be reached from any machine with a recent-enough browser. One of the downsides of Guacamole is that it creates a completely hermetic environment, so that, for example, you cannot download your favorite script or tool onto a compromised machine.

I completed all the labs in around thirty hours, without rushing, so I think forty hours is enough. However, if having the countdown at the top of your window while doing the labs stresses you, I suggest you forget about it entirely if you decide to take the course.

The course relies heavily on Active Directory security and the use of Cobalt Strike, describing concepts (briefly) and the associated attacks (in depth). It explains the red team mindset and gives advice on how to be stealthy and efficient, with examples of detection evasion and of the principle of least privilege applied to the offensive side.

I really enjoyed the paragraphs in the course labeled “opsec” (for “operational security”), which I nickname “pro tips”, as they are to me the same kind of insight that mentors give to students in classical, in-person teaching. It is obvious that the author got this advice from field experience and past mistakes, and it is invaluable for students.

The course explains a lot of well-known techniques such as Kerberoasting, unconstrained delegation abuse, credential dumping, DPAPI, etc. Each concept is described, then followed by a guided lab where you can put the knowledge you have learnt into practice. For some of these, there are also videos of Duggan explaining step by step how to reproduce the attack.

The labs consist of small but complete Active Directory domains where you have to compromise hosts one after the other. This is very much like real assessments and realistic in my opinion, as you rarely get a one-step compromise of the machine or the role you are interested in. This does have the drawback that you need to establish persistence on the machines you have already compromised, so that when you pause the lab you can resume it without having to perform all the previously seen techniques again.

It is a good opportunity to use Cobalt Strike if you never have before, as there is a fully licensed instance in the labs. I think Duggan does a good job of showing how easy Cobalt Strike makes an attacker’s life. I also found this Cobalt Strike user guide very useful during the learning phase.

Exam

The exam consists of a Capture The Flag (CTF) exercise lasting 48 (lab) hours spread over four calendar days. That means you can take twelve hours per day if you wish, or forty-eight hours straight if you would rather. There are eight flags to gather, but only six are needed to pass.

I think the closest training for the exam you can get is the course itself. Even if it differs from the course lab, the examination environment is vulnerable to flaws covered by the course and uses Guacamole for deployment. One difficulty in finding other available material is that you need a Cobalt Strike license for the practical labs.

I would say the exam is not hard if you have thoroughly studied the course, but it is still challenging, and that is if you do not get stuck. Let me explain: I spent two calendar days figuring out one of the first flags, while after that I scored up to flag six in less than half a day’s work. My mistake was that I did not enumerate one host correctly, leading me to believe that this machine was not vulnerable to that technique and chasing false leads after that. So be thorough in enumeration; that will save you a lot of time. I would suggest having a checklist of “how to test technique X using command Y” and going through it.

Apart from that, the path to the flags was clear to me; I could see how to go from flag n to flag n+1 thanks to the course methodology. I passed with 6/8 flags, a bit frustrated not to have a go at the last two flags, but my remaining exam time was one hour thirty minutes at 3:12 A.M. and I decided to rest :) .

Conclusion

I can only recommend this course; it is real educational value for your money. Unlike other online courses such as Offensive Security’s, Daniel Duggan explains things in detail and saves the student a phenomenal amount of time by teaching concepts clearly and precisely.

As the certification is not so well known in the HR world at the time of writing, I doubt it has a big impact on passing their filters, but the majority of security professionals know it, so you still get value from it in your career.
