Author: Adam Pawloski
Happy New Year everyone! I’ve recently passed the exams for the Offensive Security Experienced Penetration Tester (OSEP) and Certified Red Team Operator (CRTO) certifications and wanted to share my thoughts on the courses, how they relate to day-to-day work activities and how the courses compare.
OSEP Course Content
The OSEP is a continuation of the OSCP certification and is considered an “advanced penetration testing course” by Offensive Security. I passed the OSCP at the end of 2020, so there was a bit of downtime between the courses, but coming into the course I felt that working as a penetration tester full time would help bridge the gap. The course syllabus is outlined below:
- Operating System and Programming Theory
- Client Side Code Execution With Office
- Client Side Code Execution With Jscript
- Process Injection and Migration
- Introduction to Antivirus Evasion
- Advanced Antivirus Evasion
- Application Whitelisting
- Bypassing Network Filters
- Linux Post-Exploitation
- Kiosk Breakouts
- Windows Credentials
- Windows Lateral Movement
- Linux Lateral Movement
- Microsoft SQL Attacks
- Active Directory Exploitation
- Combining the Pieces
- Trying Harder: The Labs
To summarize the content above, the course digs into antivirus evasion, post-exploitation and privilege escalation techniques for Linux and Windows, AppLocker bypasses, MSSQL attacks and Active Directory abuse. The course also covers Kiosk Breakouts, which I did not find to be a realistic scenario for my day-to-day job, so I skipped this section entirely. The course is very heavy on C# programming for antivirus evasion, and you will be using Visual Studio to create your own payloads to bypass Windows Defender. These sections were the most challenging for me, but they helped me get a better understanding of how antivirus evasion works.
The Active Directory sections contained a lot of information that I felt was very useful, covering topics such as Constrained Delegation, Unconstrained Delegation, Resource-Based Constrained Delegation, DACL abuse and forest trusts. I also gained a better understanding of domain enumeration tools such as PowerView and SharpView, and learned that querying the domain directly with these tools can surface information that is not always included in BloodHound dumps.
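As an added example (not from the original post or the OSEP course materials), the PowerView cmdlets below enumerate the delegation configurations, DACL abuse candidates and trusts just mentioned by querying LDAP directly. It assumes PowerView.ps1 (PowerSploit, dev branch) is already loaded into the session, that the shell runs as an authenticated domain user, and that the domain name `corp.local` is a placeholder to be replaced.

```powershell
# Added example: PowerView enumeration of the delegation, DACL and trust
# topics named above. Assumes PowerView.ps1 (PowerSploit, dev branch) is
# already dot-sourced into this session and that the shell runs in the
# context of an authenticated domain user. The domain name is a placeholder.
$Domain = 'corp.local'   # assumption: replace with the target domain

# Unconstrained delegation: hosts that cache forwardable TGTs of anyone
# authenticating to them. Domain controllers always appear here, so filter
# them out (SERVER_TRUST_ACCOUNT) to leave only the interesting servers.
$Unconstrained = Get-DomainComputer -Domain $Domain -Unconstrained |
    Where-Object { $_.useraccountcontrol -notmatch 'SERVER_TRUST_ACCOUNT' } |
    Select-Object dnshostname, useraccountcontrol

# Constrained delegation: users and computers with TRUSTED_TO_AUTH_FOR_DELEGATION
# (S4U2Self + S4U2Proxy) and the SPNs they are allowed to delegate to.
$Constrained = @(Get-DomainUser -Domain $Domain -TrustedToAuth) +
               @(Get-DomainComputer -Domain $Domain -TrustedToAuth) |
    Select-Object samaccountname, 'msds-allowedtodelegateto'

# Resource-based constrained delegation: computers that already carry a
# security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity. PowerView
# returns the raw bytes, so parse them to list the SIDs already trusted.
$Rbcd = Get-DomainComputer -Domain $Domain -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' |
    ForEach-Object {
        $sd = New-Object Security.AccessControl.RawSecurityDescriptor `
            -ArgumentList $_.'msds-allowedtoactonbehalfofotheridentity', 0
        [pscustomobject]@{
            Computer    = $_.dnshostname
            AllowedSids = ($sd.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier.Value }) -join ','
        }
    }

# DACL abuse: ACEs granting modify rights (GenericAll, WriteDacl, WriteOwner,
# WriteProperty, ExtendedRight) to principals other than the expected
# high-privilege groups. -ResolveGUIDs turns extended-right GUIDs into names.
$InterestingAcl = Find-InterestingDomainAcl -Domain $Domain -ResolveGUIDs |
    Where-Object { $_.IdentityReferenceName -notmatch '^(Domain Admins|Enterprise Admins|Administrators|SYSTEM)$' } |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName

# Trusts: direction and attributes (e.g. FOREST_TRANSITIVE, QUARANTINED_DOMAIN
# for SID filtering) decide whether a cross-forest hop is realistic.
$Trusts = Get-DomainTrust -Domain $Domain |
    Select-Object SourceName, TargetName, TrustDirection, TrustAttributes

"== Unconstrained delegation (non-DC) ==";  $Unconstrained  | Format-Table -AutoSize
"== Constrained delegation ==";             $Constrained    | Format-Table -AutoSize
"== Resource-based constrained delegation =="; $Rbcd        | Format-Table -AutoSize
"== Interesting ACEs ==";                   $InterestingAcl | Format-Table -AutoSize
"== Trusts ==";                             $Trusts         | Format-Table -AutoSize
```

Each section maps to one attack path from the course: the unconstrained list points at hosts worth coercing authentication to, the constrained and RBCD lists show where S4U abuse is already possible, the ACE list is the starting point for DACL abuse, and the trust output tells you whether SID history or a foreign-principal path across a forest boundary is even available.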
After completing the course content, you can jump into the six challenge labs. These challenge labs help you get a better understanding of the material by giving you hands-on experience with systems that are vulnerable to the attacks covered throughout the course. I would recommend going through these challenges thoroughly and understanding the content, as this is the best way to hone your skills before the exam.
Whenever I get asked about the OSEP exam, I always mention that it felt like the OSCP on steroids. OffSec picks up where the OSCP left off with a 48-hour exam filled with their tricks and rabbit holes. This, combined with the “try harder” mentality, has always made me feel like I was being hazed at times. It is worth mentioning that any topics covered on the OSCP are fair game for the OSEP exam. To pass, you must either capture 10 flags or capture the “secret.txt” flag on a segmented file server.
With that being said, I spent most of the first 32 hours of the exam completely stuck and felt like I was going to fail. After enumerating everything, thinking outside the box and applying the techniques learned from the course, I was able to pull through 10 hours later by grabbing the “secret.txt” flag (which coincidentally was my 10th flag). I did not feel that extra courses or preparation were needed outside of the OSEP material to pass; however, you certainly need to “try harder” when exam time comes. For the exam, you will need to be on top of your game. Exploitation will not always be as straightforward as it was in the course, and you will need to really think about what you learned and how to apply it in different ways.
Thoughts on the Course
Because the course was created in 2020, I feel some of the information it includes is becoming outdated in a field that is constantly changing. This is mostly centered around the antivirus evasion techniques: many of the techniques used in the course were tailored to a 2020 version of Windows Defender, no longer work, and are detected on newer versions of Defender. These antivirus techniques also will not help you in many real-life engagements, as they will be easily detected by endpoint solutions such as Sophos, CrowdStrike, SentinelOne and other next-gen AV/EDR products. I feel that the course should cut some of the filler content (the kiosk section) and outdated content and include newer material such as Active Directory Certificate Services (AD CS) attacks.
The Active Directory, lateral movement and MSSQL sections were my favorite, and I felt they helped me improve my methodology and get more experience with domain enumeration tools. The information in these sections was really useful to add to my repertoire for my penetration testing work. Overall, I would recommend this course to anyone in the penetration testing field who is looking to add to their skillset and dig deeper into more advanced topics.
CRTO Course Content
The CRTO course is considered an entry level red teaming course provided by Zero Point Security and RastaMouse that teaches the “basic principles, tools, and techniques synonymous with red teaming.” This course is centered around the command and control (C2) framework Cobalt Strike. The course syllabus is outlined below:
- Command & Control
- External Reconnaissance
- Initial Compromise
- Host Reconnaissance
- Host Persistence
- Host Privilege Escalation
- Host Persistence
- Credential Theft
- Password Cracking Tips & Tricks
- Domain Reconnaissance
- User Impersonation
- Lateral Movement
- Session Passing
- Data Protection API
- Active Directory Certificate Services
- Group Policy
- MS SQL Servers
- Domain Dominance
- Forest & Domain Trusts
- Local Administrator Password Solution
- Microsoft Defender Antivirus
- Application Whitelist
- Data Hunting & Exfiltration
- Extending Cobalt Strike
The course teaches you the basics of how to obtain a Beacon (a Cobalt Strike session on the compromised host), interact with that Beacon and use it for credential extraction, lateral movement, Active Directory abuse and a wide range of other attacks. The step-by-step nature of the course makes it very easy to follow and learn the techniques by practicing each module’s content in the SnapLabs environment. This is a much different experience from the OSEP course, as OffSec will often teach you something and then make you apply it in a different way than how it was taught. The CRTO content is very straightforward and easy to follow: you are taught something and then replicate that exact series of steps to practice the technique.
The 48-hour exam is set up in a way that is similar to the course content; everything is mostly straightforward and almost step-by-step as well. I will say there are a few parts that are designed to be trickier and will take some more thought or require you to chain together a few techniques learned during the course. The exam requires you to capture six out of eight flags to pass, and I was able to get the sixth flag about 12 hours in.
Thoughts on the Course
Zero Point Security and RastaMouse do a great job of introducing Cobalt Strike and providing you with the information you need to use it effectively. This, in addition to keeping the content relevant and up-to-date, makes it a no-brainer to take this course to further your penetration testing/red teaming skills. There are a few drawbacks I felt with the course, though. One is that you are required to use a segmented SnapLabs environment and cannot use your own virtual machine setup. Also, the course is so heavy on Cobalt Strike that if you work for an organization without a Cobalt Strike license, you may not find it as valuable as some alternatives.
Comparing the Courses
I will start out by saying that the CRTO is labeled as an entry-level red team course while the OSEP is labeled as an advanced penetration testing course. With that in mind, the OSEP definitely seemed a bit more challenging than the CRTO course. Offensive Security will teach you a technique and then have you perform the technique in a different way, while Zero Point Security follows a very cut-and-dry form of learning by replicating what is shown. The same thought process goes for the exams too, as the OSEP exam was much more challenging than the CRTO exam (in my opinion). There is some overlap between the courses with Active Directory abuse, MSSQL attacks and using Mimikatz for credential extraction. I would say this is a good thing, as it helps reinforce these topics and shows how important it is to understand how these attacks work.
As mentioned before, I think Zero Point Security does a great job of keeping their course up-to-date. The information I learned from the CRTO felt more relevant and useful for my job than the information taught in the OSEP, and I find myself referencing CRTO material more than OSEP material. RastaMouse is constantly keeping the material updated and tweaking or adding new sections. I think OffSec needs to do a better job of keeping their course material up-to-date, as it will soon be three years since the course was released, which is like an eternity in this field. OffSec also has a track record of charging a premium for updated course materials which, in my opinion, is something they should provide at no charge to certificate holders. For anyone looking to obtain these certifications, I would recommend taking the CRTO first and the OSEP after, once you have obtained your OSCP.
I am very excited to start the Certified Red Team Lead (CRTL), aka the CRTO2, certification in the new year to further my skills in the field. I was very happy with what I learned during the CRTO course, so I imagine the CRTL will do a great job of improving my skillset even more. On that note, I wish everyone a safe and Happy New Year!