Certified Red Team Expert (CRTE) - Review 🚀

Hey again everyone! This is Foued SAIDI: Senior Penetration Tester at Cyber-SSI , holder of CRTE, CRTP and CARTP professional certifications, currently an Elite Hacker ranking within the top 100 WorldWide on Hack The Box platform.

I have recently passed my Certified Red Team Expert (CRTE) certification from Altered Security and I would like to share my feedback regarding it along with a few tips for anyone planning on passing it.

CRTE Overview

First of all, CRTE is a 96-hour certification where the holder has the expertise to assess the security posture of a fully-patched Windows Infrastructure having multiple Domains and Forests by purely abusing functionalities and trusts.

What I really like about Altered Security is that their professional certifications only rely on misconfigurations and logic abuses, not some CTFy unrealistic stuff.

I consider achieving this certification a really worthwhile investment as it is reasonably priced at 299$ (compared to other vendors with pricy certs and less provided value) which includes a 30-day lab access alongside lifetime access to the course material and Tools and one exam attempt. In case of failure, the retake fee is also a reasonable 99$ with a 1-month cooldown period.

Course Content

Regarding the course content, we were provided with access to the new Altered Security platform which is a centralized hub for all your certs and materials: Course videos, learning objectives walkthroughs, a full Lab Manual, course pdf, diagrams describing all attack paths for the course and finally a zip file containing all the necessary Tools for the lab which is a HUGE plus.

While going through the course, you’ll be learning a LOT of stuff regarding advanced Windows Active Directory Exploitation: from initial compromise and enumeration to Local Privilege Escalation Techniques to Stealthy Lateral Movement and secrets exfiltration to Domain PrivEsc and Dominance.

You will be taught almost ALL the techniques there are to fully Pwn and Own the domain, all while trying our absolute best to stay as stealthy and evade protection mechanisms (like MDE, MDI..) as possible.

Comprated to the Certified Red Team Professional (CRTP) course, the CRTE took a deeper dive into complex concepts and the internals behind every attack path, we targeted everything from Delegation attacks to every secret and credentials dumping technique to Kerberos attacks and to Persistance.

But personally, what I REALLY liked about the course is how we worked on Cross-Forest and Trust abuses. It was really the most thorough course I’ve seen on the subject by trying to break the unbreakable.

Course practice Lab

As for the provided course lab (duration of 30 days with the 299$ plan), I really liked how stable it was (it was really that stable during every course I have taken). Every issue I thought I had with the lab. I would also like to really thank the support team, they are REALLY available 24/7, the latest they have ever answered me was after 45mn (They usually respond withing 15mn max). They are really helpful, respectful, patient and know what they’re doing.

I didn’t encounter any issues, latency or lag whatsoever (just make sure to choose the closest location to you geographically when choosing your server access).

Exam Environment

The exam is a 48-hour completely hands-on experience. Once started, the exam lab runs for 49 hours. You get an additional hour to compensate for the lab setup time of 10-15 minutes (a huge + for Altered Security).

“The exam lab has 5 target servers which are spread across domains and have different configurations and applications running on them. You get access to a VM named ‘userexam’ in the lab and that doesn’t count as a target server.”

You can reboot your exam machine that you’re using or the lab environment:

The goal of the exam lab is to compromise all the resources and get OS command injection on them (not necessarily with Administrator privileges).

A detailed report of the engagement must be delivered withing 48h of the exam attempt ending (which is a very good time to allow you to get some rest). As for me, after my previous experiences with CRTP and CARTP I figured to just start writing the report in parallel while attempting the exam: that allowed to me stay organized and not miss any details. (I’m also a bit lazy to write it without lab access later haha)
I managed to compromise the whole infrastructure and finish the report in around 6.5 hours. Note that during that time I took two 15-minute breaks, had lunch and dinner, prayed my 5 prayers (priorities of course). So the 6.5 hours were not fully for the exam only. (And I also play Hack The Box machine and make writeups for them weekly that’s why I’m a bit familiar with Active Directory, don’t feel discouraged if it took you more time to achieve it!)

Time Management

One thing that those who think of passing the CRTE exam should give a really good thought to, is time management. Since you have 48 hours to compromise the infrastructure and make screenshots of the steps you have taken.

One thing I could advise you to do, is to try and avoid rabbit holes (there isn’t any but still) and don’t get too stuck on a single endpoint or vulnerability (or something you might think is vulnerable), everything on the course material will be on the exam lab and you don’t have to look for any vulnerabilities that you did not study for.

CRTE exam pros and cons

Pros:

What I really liked about CRTE:

The extensive course material offered and the Tools that are sufficiant for any pentester/red teamer during their engagement.
The really stable lab and exam environments.
The responsive support team who have never failed to provide students with support.
Nikhil Mittal’s methodology and way of explaining things by making it sound really easy (and actually his dad jokes never fail to make me laugh haha).
The realistic side about the exploits and vulnerabilities treated in the course and the exam.
The really nice pricing on the certificate.
The deep-dive we did on the Trust and cross-domain and cross-forest abuse.

Cons:

Even tho we really dove deep into Trust abuses on the course, I didn’t really find it that often/present during the exam lab. It would have been really cooler to have more of it during the exam.
That was the only con for me really

Things I’d like to see in the future

The only missing part in my opinion in this course was to try and tackle another well-utilized EDR/XDR/Security Solution like SentinelOne, CrowdStrike, etc. So seeing a partnership between these entites and Altered Security in the future would really step up the game. In the course we’re only dealing with MDE (Microsoft Defender for Endpoint), so trying to work on more sophisticated (in my opinion) solution would really enhance the quality of the exam.

Practical Tips

Some tips that will help you alond the way:

Take notes, they will REALLY help you while studying and you can get back to them anytime.
If you feel too stuck, try restarting the machines. Errors may occur.
Remember to get some sleep or to take a 10mn walk if you feel stuck, it can really refresh your mind.
Review your course notes and lab notes before passing the exam, also keep them open on the side for easy access.
Always try to thing out of the box and as a creator of the exam, it’ll give you new insights
Stay hydrated :=) (seriously haha)

Personal Opinion

I really loved the CRTE exam. Great course material, responsive lab support team, stable infrastructure both for the course and exam lab. It is a great Certification for anyone looking to get into Windows Active Directory security.
I will hopefully be getting back for CRTM/CARTE/CARTM (expert and master) certifications, also from Altered Security.
Stay tuned ! Hope you enjoyed this blog post, and see you soon with a new review!

Foued SAIDI (A.K.A. 0xkujen)