CRTO review - Red-Team Ops from Zero Point Security

CRTO review - Red-Team Ops from Zero Point Security

in

Preface

Meme

I very recently completed the RTO course from Zero-Point Security and passed the exam over Christmas. Eversince I completed CRTP from PentesterAcademy awhile back, I was keen on this course as it teaches you alot of the fundamental AD methodologies with a C2 framework approach. Since their update from using Covenant to Cobalt-Strike, I decided to just give it a go since the usage of Cobalt-Strike in courses provided from majority of the vendors are near non-existent! I thoroughly enjoyed this course with a lot of OPSEC inclusion, it felt fresh in this market of security training. What is even better is the course and lab can always be used even after completing the exam. I hope this review will help someone else who has decided to take this course & exam.

Course Review

Quite simply, the RTO course is a hands-on course with a complete Active Directory lab environment hosted on Snaplabs and it is charged hourly rather than being for 30,60 or 90 days. You get access to a platform called Canvas where every registered user will have lifetime access to the courses and also future upgrades towards it for free!

The course is divided to multiple chapters ranging from:

  • Course Introduction on what is Red Teaming, OPSEC and also usage of Cobalt Strike
  • External Reconnaissance
  • Initial Compromise
  • Host Reconnaissance
  • Host Persistence
  • Host Privilege Escalation
  • Domain Reconnaissance
  • Lateral Movement
  • Credentials and User Impersonation
  • Password Cracking
  • Session Passing
  • Pivoting
  • Data Protection API
  • Kerberoasting
  • Group Policy
  • DAC Listing
  • MS SQL Servers
  • Domain Dominance
  • Forest and Domain Trusts
  • Local Adminstrator Password Solutions
  • Bypassing Defence
  • Data Hunting and Exfiltration
  • Post-Engagement & Reporting
  • Extending Cobalt Strike

Each of these modules has a taught topic which goes in-depth and complimented with videos. People who have completed CRTP from PentesterAcademy or The Mayors Movement,Pivoting, and Persistence might have noticed quite similar modules - and indeed they are but the approach is pretty different and it is what I personally felt stood out from this course.

RTO exam

The exam is a 48 hours in four days span red teaming engagement where you will be provided with a threat actors profile and the goal is to compromise a fictional network. You will need to get atleast 6/8 flags to pass the exam. The exam isnt proctored either but you do get direct support from RastaMouse from his discord channel! (I have to apologies here as I had to disturb him during Christmas :D)

How I studied for RTO exam

Eversince the completion of CRTP, I wanted to get into Windows AD more and since I am a big fan of elearn courses, I went with their red teaming course eCPTX - this course really teaches you some good black box stuff and I thoroughly enjoyed it. Ontop of that, with Mayors MPP course, I was able to replicate a full functional AD enviroment at home which just made studying for these courses easier! Both of these courses really set a good foundational base to tackle CRTO since Mayors course teaches with a Covenant C2 Framework so it gives you some good idea on how to manage a C2 framework.

I personally enjoyed CRTO alot more cause the course teaches you alot more than just various Active Directory attacks but immerses you how Red Teaming works with alot of OPSEC concepts kept in place.

Since this course is built on Cobalt Strike, you will also learn how to manage and work with this framework - which I thought was pretty amazing cause as a student, you dont usually get this exposure. But it needs to be emphasized that knowing how to use a framework doesnt make you great as the saying goes:

A poor craftsman always blames his tool

Someone wise

RTO Labs

RTO labs are quite new and unique in its own way cause its built ontop of Snaplabs and also charges you only for the duration used. I thought this was a good idea since rather than having to pay for a full duration fo lab time, you pay for what you use.

Eventhough the lab environment has some hiccups due to how licensing works, its nothing gamebreaking or loosing sleepover and I definitely recommend people to try this course!

Exam

The Exam is personally tough for me cause my knowledge on bypassing AV is quite limited and I was stuck a few times just at the beginning of the exam due to this. Once I overcame that, I understood what needs to be done overall since the environment concept is very much similar to whats out there. The exam sticks up to you to place a check on your basic methodologies and grasp a red teaming mindset which was pretty awesome!

I was not able to get all 8/8 flags but just 6/8 but overall it was a fun and also a comfortable exam environment since there was no time pressure like doing an OSCP exam for instance. If you have completed the course completely, you should be able to tackle this exam without much issue apart from knowing how to use when and where.

CRTO Badge

Outro

Seeing how popular Red Teaming has become lately - this course does a sublime job in highlighting that by embedding alot of the more updated concepts within the course. I personally loved the course more than the exam but thats subjective. I would definitely rate this course high up my books.