Zero-Point Security’s Certified Red Team Operator (CRTO)
Probably the best learning resource I have ever used so far (yes, I think it’s even better than HTB Academy!). I initially bought the course during last year’s Black Friday sale and took about 4 months of studying to complete all the course materials (I know I’m slow but I have to serve National Service sigh). CRTO, excluding the fundamental skills required for pentesting, tests the practitioner’s ability to:
- Utilize Cobalt Strike
- Evade Microsoft Defender + Blend/Camouflage post-exploitation activities into the surrounding environment
- Maintain proper OPSEC practices
Cobalt Strike
Cobalt Strike is a C2 (Command & Control) Framework for Adversary Simulations and Red Team Operations. This was my first ever C2 framework and my goodness did it set my expectation sky-high to the moon. Cobalt Strike is extremely useful with all of the various BOFs available online, and configuring it wasn’t as hard as I expected it to be!
The course covers how to use Cobalt Strike and configure CS to evade Microsoft Defender and AMSI. It also goes through many useful Beacon Object Files (BOFs), and guides students through the methodology of exploiting services and vulnerabilities via Cobalt Strike.
- Furthermore, I really like how the lab videos showcase the exploitation with OPSEC practices in mind. The labs also provide students with a guided sandbox to practice exploitation with good OPSEC, and it really helps with the exam.
Overall, the teaching materials were excellent and I very quickly became proficient enough to use Cobalt Strike at a baseline “red team operator” level. That said, don’t expect yourself to become a wizard just from CRTO alone; it quite literally only covers the fundamentals of using CS and red teaming.
Course Materials
Other than the beginning Cobalt Strike chapters, the rest of the course materials were fantastic and super well made as well. However, the ‘Defence Evasion’ chapter, ‘Kerberos’ chapter, and ‘Forests and Domain Trusts’ chapter stood out amongst the rest and are as valuable as gold. Those chapters were so concise, informative, and foolproof that I couldn’t believe how much easier they were to comprehend compared to other resources like HTB Academy. The chapters dive deep into the underlying concepts and provide students with a comprehensive understanding of the “3W1H” of exploitation:
- What to exploit? E.g. What forms of enumeration should I be performing?
- Why to exploit? E.g. Why should I be abusing this technique?
- When to exploit? E.g. When should I use this technique?
- How to exploit? E.g. How to perform the steps required to abuse this vulnerability?
This is not to say the other chapters are bad! In my opinion, the quality of every chapter is equal to, if not outright superior to, HTB Academy materials; that’s how amazing the CRTO was in my opinion. I learnt so much, and the community Discord is welcoming and EXTREMELY HELPFUL as well. I highly recommend that anybody studying the CRTO join the Discord and use it to augment their studies.
POV: My reaction when the course materials just clicked and made perfect sense
Attempt 1 - Failed
Yup, I failed my first attempt. I nearly compromised the entire exam environment but got stuck on the last step. However, I made many OPSEC mistakes and received an extremely low score of 20/100. At that point in time, I didn’t really think too much about it as I felt I had made it pretty far! The only issue was lacking confidence going into my second attempt, as I was COMPLETELY LOST on the final step to compromise the exam environment.
Honestly, looking back, the OPSEC mistakes I made were pretty foolish but understandable, as I chose to forsake OPSEC practices in an attempt to gather more information. This was because there were several points in time where I was quite lost or was unable to proceed due to a skill issue.
- This obviously made me desperate and made me throw caution to the wind, which in hindsight was a horrible mindset to have.
POV: When you’re surprised you did that well on your first attempt
Attempt 2 - Passed
Yup, I passed my second attempt! Honestly, I did not expect to, as I was pretty tired going into the exam and didn’t feel like doing it. But I somehow managed to compromise the entire exam environment in 12 hours! Don’t ask me how, I’m pretty surprised I performed that well haha.
I took my time going through the environment before reaching where I left off in my last attempt, ensuring I blended post-ex activities naturally and maintained good OPSEC practices. My vigilance eventually paid off as I managed to pass with 87/100, further proving that Cobalt Strike isn’t some panacea, and that operators need to actively maintain the red-team methodology to stay undetected during operations.
However, not everything was sunshine and rainbows. Firstly, I’m still unsure about how a student could get 100/100 on their first try, as I feel progressing through certain steps required the use of riskier techniques, thereby sacrificing OPSEC. However, I’m quite sure that’s just a skill issue on my part and I was just unable to find the correct method (OPSEC best practice).
Secondly, managing your P2P beacon chains was quite important in the examination but was neither really highlighted nor mentioned much in the course. There are multiple methods of solving this (implementing persistence, killing chains once certain credentials/tickets have been retrieved, etc.), but learning this on the fly was quite chaotic.
- This isn’t a bad thing though! It was a fruitful experience that really improved my skills as an operator.
- I simply wanted to highlight that not everything in the exam went according to plan, and learning to adapt and improvise your methodologies as you progress is vital in performing red-team TTPs and tradecraft well as an operator.
Lastly, certain “things” just weren’t working properly. I’m not sure if it’s an issue with the exam machines, an issue with the tools, or just a skill issue, but there was one step where I had to “assume” the machine was vulnerable, as I couldn’t gather information properly and was thereby unable to verify my findings.
- I’m leaning towards issues being present in the exam environment, as all of my tools worked flawlessly except for that one step.
POV: You’re tweaking out after submitting the exam and finding out you passed
All in all, I had a blast hacking the exam environment, as I was able to freely play around with Cobalt Strike and hone my red-team methodologies (defence evasion, blending post-ex, OPSEC best practices, etc.). A part of me wishes I had failed my 2nd attempt so that I could practice more with the exam environment (I’m not kidding, the exam environment is just that good for practicing. It’s configured beautifully for practicing the TTPs taught in the course), but that’s selfish behaviour which I neither respect nor condone.
- Don’t purposely fail to keep playing with the exam environment! It’s a huge cost that RastaMouse has to bear. If you would like to practice more, set up your own home lab and attack it with AdaptixC2 instead.
Should you take the CRTO?
TL;DR: Yes and no. The CRTO contains the best course material I have studied to this day, at an affordable price thanks to Purchasing Power Parity (PPP) pricing. However, I wouldn’t recommend CRTO for beginners, as it requires a solid understanding of pentesting fundamentals. I would only recommend it to students either looking to build upon their existing skillset, or looking to learn about red-team tradecraft and TTPs.
Hence, I recommend that beginners, especially students, use HTB Academy instead, as it’s cheaper and has more basic modules and materials. Beginners can consider studying HTB Academy’s “Pentester Pathway” first to build a strong foundation before pursuing CRTO.
It’s complicated chat :(, I love the CRTO but it’s not the easiest for beginners