[PA] Certified Red Team Expert

Shortly after passing CRTP, I enrolled in CRTE.

The lab environment is fully patched and looks like this:

Unlike CRTP you do not have kind of video walkthrough of challenges and lab machines. You have to figure it out on your own.

I have to agree it was a little torture but after finishing all the challenges there was such a great feeling of accomplishment.

The lab

In the lab there are 3 active directory forests. You get to practice kerberoasting, unconstrained & constrained delegation, MSSQL abuse and abusing MSSQL servers links, ACL abuse and other type of attacks.

A very important aspect is pillaging (gathering information from each machine), especially on the MSSQL servers. You never know what you can come across databases which you can leverage.

As i said, you have to figure it out on your own, but if you are really stuck and ran out of ideas don’t be shy and email the support team. The support team is fantastic and they point you in the right direction without spoiling the lab.

If you don’t figure it out with the hints provided by the support team you can also email them and ask the specific command or to give you another hint/point you in the right direction.

The Exam

I started the exam on 1st December and I’ve spent a few good hours on enumerating the domain.

However, even with this, I ended up not owning the entire network but the requirement was to own at least 3 machines. I’m not proud of this, to be honest, but I also realized red teaming is not only about owning the entire network (more specifically the DC/DCs even this helps with forest persistence, cross-forest attacks, and others) it’s more on lurking inside the network, pillaging and exfiltrating data.

I’ve sent the report and the team or person reviewing it considered it was good enough to pass the exam.


Here’s a list of articles/blog posts that might help you get through the lab and tackle the exam:


  • https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

Abusing unconstrained delegation:

  • https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html

Abusing MSSQL Servers

  • https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/
  • https://blog.netspi.com/how-to-hack-database-links-in-sql-server/
  • http://andreas-wolter.com/en/1810_privilege-escalation-to-sysadmin-via-trustworthy-database/
  • https://vimeo.com/user66245791

Abusing ACLs

  • https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces


  • https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/

Attacking domain trusts

  • http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
  • https://adsecurity.org/?p=1588