
Passed CRTP First Try — Here’s What Actually Helped

  • Writer: Guy .
  • May 27

Updated: Jun 1



My Background Before CRTP

When I started the CRTP (Certified Red Team Professional), I already had solid experience in offensive security, especially around AD:

  • Three years of hands-on experience in offensive security and red teaming.

  • OSCP holder.

  • Practical knowledge of real-world internal environments.

  • Comfortable with scripting, post-exploitation, and privilege escalation in Windows.


CRTP wasn’t my first dive into AD — but it was my first structured, certified course focused purely on abusing Active Directory from a red teamer’s perspective.


What Is CRTP?

The Certified Red Team Professional (CRTP) by Altered Security is a certification that proves you know how to enumerate and exploit common Active Directory misconfigurations.


It’s pure, real-world internal AD exploitation — the kind of stuff you’d do post-initial-access in a real red team engagement.


You get access to a multi-tiered AD environment, learn to abuse misconfigs and escalate across trust boundaries, and eventually take an offensive, hands-on exam inside a lab network.


The exam is 24 hours. You’re given a user shell on a machine that’s already domain-joined. Your job: compromise the entire AD environment. You then have 48 hours to submit a detailed report.

No guesses. No CTF-style flags. Either you got DA, or you didn’t.


My Preparation

I took this seriously but didn’t overthink it. I gave it about 8-9 weeks of structured prep while working on other things. No grind, just focused effort.

Here’s what I did:

  • Did the CRTP Bootcamp instructed by Nikhil Mittal.

  • Rewatched all recorded videos at 2x speed and took key notes.

  • Labbed every attack path multiple times.

  • Practiced a lot on the course lab.

  • Rebuilt every technique from memory.

  • Re-executed every misconfig path manually with minimal tools.


Tools That Made a Difference while preparing:

Enumeration & Mapping:

  • PowerView.ps1 – The bread and butter. Use it enough, and you’ll dream in LDAP queries.

  • InviShell.ps1 – A stealthier option to run PowerShell commands without setting off alarms.


Privilege Escalation & Exploitation:

  • PowerUp.ps1 – For local PE situations.

  • Mimikatz.ps1, SafetyKatz.ps1 – For dumping creds and tickets, multiple flavors for different EDRs.

  • MS-RPRN.exe – PrintSpoofer-style RCE vector.

  • Rubeus.exe – Kerberoasting, AS-REP roasting, ticket extraction.

  • Built-in PowerShell – Honestly, being able to use PowerShell commands freely and intuitively will save you a lot of time.

  • All the custom tools provided by Altered Security. They’re golden. Use them, understand them, then break them apart and run manually.


The Exam

Date: December 07, 2024


Passed on First Attempt — full domain compromise.

I didn’t try to be fast. I tried to be methodical.


My strategy:

  1. Start with full enumeration: users, groups, trusts, ACLs, SPNs, and GPOs.

  2. Build an attack path on paper.

  3. Exploit one path. Validate it. Screenshot it.

  4. If stuck, rebuild the graph and look for missed links.


I finished the full compromise within ~10 hours, and spent the rest of the day documenting and checking that every screenshot was clear and sourced.


My Reporting Workflow

Honestly? Nothing fancy.

I used Obsidian. Markdown + screenshots = enough. Clean, reproducible, and easy to organize.

Don’t overthink reporting. Just make sure your commands, reasoning, and hashes/tickets are there.

My report ended up being ~32 pages.


Takeaways

  • CRTP isn’t hard if you understand the why behind every misconfiguration.

  • Don’t memorize commands — internalize the mindset. Be able to explain each attack path out loud.

  • You don’t need flashy tools — you need steady logic.

  • Lab everything twice. First to understand, second to own it.


Final Advice

  • If you’re new to AD, this is the best intro course on the market.

  • If you’ve done real-world AD before, this is your “proof-of-competence” cert.

  • Take it slow. Every technique you learn here is a real-world skill.

  • After OSCP, this was refreshing — no rabbit holes, no unknowns, just clear logic.


If you're heading into CRTP soon: build your discipline, don’t rush, and make sure you know why every technique works — not just how.

You don’t need to be a genius.

You just need to respect the process.

Good luck.


Next Stop: OSWP, then PORP.

Tuesday. Same time. Stay tuned.
