CRTO Review
I’m very pleased to announce that I passed the Certified Red Team Operator(CRTO), from Zero-Point Security. It was quite an enjoyable experience, appreciating not only the opportunity to reinforce my existing knowledge but also the newly gained skills.
Throughout this post, I will go through my thoughts about the learning material, the exam experience, and the final conclusion about the certificate itself.
The Training Material and Lab
The format of the learning material is straight forward. You will get access to a learning portal on the website that contains a mix of text based learning and a few videos in more advanced parts of the course. Everything needed in order to pass the exam is within the course (looking at you(again), Offsec 👀..)If you read thoroughly trough the training material and complete the lab fully, you should be good to go….However, there are some prerequisites, imo, in order for this to apply to you:
TAKE notes, and do it thoroughly; this means writing down commands, tool syntaxes, short descriptions of topics, and so on. Finally, this is the deciding factor in whether you will succeed or fail.
Think basic, and rely on your GOOD notes.
Be comfortable with enumeration in Active Directory using manual tools like PowerView or ADSearch, bloodhound and other graph tools are not available or allowed in the exam or lab .
Format
Regarding the format of the learning material, as mentioned above, the learning material is based on mostly text and a few videos in the more advanced parts of the course. The content is accessed trough a learning portal on the website itself. It includes a nice progress tracker and gives you a good overview of how far you are in the course and what sections you are currently working on. This model really supports the student and shifts focus to just absorbing the knowledge presented in the course.
Content
I really liked the content and the knowledge presented in the course. It covers everything from simple enumeration in Active Directory to persistence, etc. Rasta does a good job of presenting the content, and it’s up-to-date. The course is built around the use of Cobalt Strike, and it takes you from setting up the teamserver to messing with the artifact kit to create less detectable payloads. Besides that, the course does a good job of teaching all the basics of Active directory enumeration and exploitation. Lastly for the “Red Team part”, there is a section on initial access that introduces you to the basics of initial access and relevant techniques and External Reconnaissance. Overall, the course is filled with awesome content, that covers many aspects of traditional pentesting and Red Teaming.
However, one thing that got my attention throughout the course, was that some parts had really short explanations. It felt like we had to guess what commands that was used in order to complete an attack or which user we were running the attack as. The lab exploitation is not in chronological order, so it kept jumping between different machines and users, which can be confusing for the student.
Lab time
The lab is all-round very well built; it’s reasonable stable, a BUNCH of attack primitives are covered. The lab is based on a Snaplabs environment and can be accessed within the bought time. The machines are accessed trough a guacamole interface trough the browser and it works fairly decent, even though i prefer a VPN connection(but i do understand why this is not case, due to the use of Cobalt Strike). I really recommend to complete alle the challenges mentioned throughout, they give a deeper understanding of the attacks and how they can be achieved(really recommend to do the challenge under One-Way Outbound trust).
The exam
The exam itself was in a very stable environment, and it was easy to access (same access method as the lab). The one thing that the CRTO does, that really sets it apart from other related certs, is how it approaches the exam (and I can’t stress this enough, this is setting the bar for how exams should be within the industry). You are given 48 hours of exam runtime within the lab; this is the time where you exploit the environment. However, you just need to complete the exam within a 4-day window. This means that you can pause your lab at any given time to sleep, relax, exercise, etc. This is huge in terms of the student’s mental and physical ability to pass the certification, and people with families can have an easier time taking the exam because it does not pause their entire life when starting the exam. It’s great to see the industry moving away from Offsec’s “sweatshop” exam mentality where you have to pause your life for 24 stressful hours in order to attend the exam.
My experience with the exam didn’t start out great. I had major technical issues with my payloads and had to do a lot of custom fixes, but I eventually figured it out. Once the technical problems were fixed, things went more smoothly. I managed to get the first 3 out of 8 flags on the first day, and after a good night’s sleep, I compromised the remaining parts of the environment and collected all 8 flags(You need 6 flags to pass). The exam is pretty straightforward and doesn’t have any CTF-style rabbit holes. Just stick to what the course taught you, rely on your notes and the course material, and you will be fine.
Conclusion
The Certified Red Team Operator (CRTO) Zero-Point Security offers a comprehensive and enjoyable learning experience. The course material is well-structured, combining text and videos, and covers everything from Active Directory enumeration to persistence and initial access. While some explanations could be more detailed, thorough note-taking and focusing on the basics will help you pass the exam in the end.
The lab environment is robust and stable, providing a wide range of attack scenarios. The exam format, with 48 hours of runtime within a 4-day window, significantly reduces stress and accommodates personal schedules, making it accessible for those with other commitments.
Overall, the CRTO sets a standard for certification exams by prioritizing student well-being and effective learning. Whether you’re a beginner, a blue teamer, or an experienced pentester, this certification is a worth your time.
Good luck and have fun!