CRTP - Review - AlteredSecurity
This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Introduction
On 17 November, I received confirmation that I had passed the CRTP. The purpose of this post is to share my personal experience of both the preparation and the exam.
Why CRTP?
Honestly, I think this is the best certification for getting your foot in the door with AD. It is Altered Security’s first certification in this area and is therefore beginner-friendly, although that does not mean it only covers the basics. It teaches the fundamentals of AD and how they can be abused to compromise a fully patched environment.
I decided to prepare for it so that I could understand the fundamentals of pentesting AD environments and establish a solid foundation before facing OSCP. I was also looking for a certification that would take me away from web environments, which I had covered extensively both professionally and personally, as I wanted to expand my knowledge into other areas.
Previous Knowledge
I had virtually no experience with AD environments, apart from a few HTB machines where I had encountered basic AD concepts. When people describe CRTP as beginner-friendly, they are correct.
The most important knowledge required to pass the current version of the exam is:
- A well-established reconnaissance methodology.
- A clear understanding of both privilege escalation and lateral movement in AD environments.
- An understanding of AD fundamentals and how they can be exploited.
Nothing more is required. The key is understanding how Kerberos works behind the scenes, including TGTs and TGSs and how they are used across an AD network.
Preparation
AS Resources
Slides + Lab
Altered Security offers two ways to prepare for the certification. The first is self-paced and gives you access to the lab, slides, Discord and so on. You should not have any problems because AS has prepared a series of Learning objectives associated with specific knowledge and attacks. As you progress through the slides, challenges prompt you to put the theory into practice, so the material never becomes tedious.
Bootcamp + Slides + Lab
The second option consists of bootcamps in which Nikhil Mittal, who is brilliant, delivers four video sessions of roughly four hours each. These sessions cover all the knowledge required for the exam in detail, along with some additional material, and you can ask questions live. A bootcamp happened to be running when I was not yet able to dedicate time to the certification, so I purchased it and downloaded the sessions afterwards to complete them later.
I recommend the bootcamp without hesitation. Nikhil makes the classes very enjoyable and knows how to communicate the concepts to beginners. For anyone worried about it, his level of English is perfect and entirely understandable.
Lab
The lab is fantastic. At the time of writing, it is the best format I have encountered.
Strengths
- It allows you to practise every attack.
- It is not divided into separate environments for each objective, forcing you to deploy a different lab every time; everything is contained within the same one.
- The AS support team is INCREDIBLE. Any problem you encounter during practice is resolved almost immediately, 24/7.
Weaknesses
- The lab is shared, with around 25 students accessing each environment. This introduces several problems.
- Somebody carrying out an attack may accidentally leave a machine unresponsive. When you reach it, you may become frustrated because you think you are executing the attack incorrectly, only to find that your solution is identical to the official one. This is where a good lab support team matters, and the excellent team at AS compensates for these problems extremely well.
- The second concern, and the one that worried me most, was security. You are putting 25 people who love cybersecurity into a vulnerable, interconnected AD environment. What could possibly go wrong? My recommendations are:
- When uploading tools or mounting a local host folder on the student machine, do so only temporarily: transfer what you need and close the RDP session.
- For the more paranoid among you, connect to the student machine from a VM. If your computer is short on resources you may notice some slowdown, but it is a very good precaution.
- To provide some reassurance, I did not see anything suspicious during my time in the lab, but prevention is better than cure.
My Preparation Advice
Here are a few tips for preparing:
- If you choose the bootcamp, I recommend watching the entire class and only moving on to hands-on work in the lab once you have understood the concepts.
- Practise every possible attack in the lab to avoid surprises during the exam. I left quite a long gap between the bootcamp sessions and taking the exam. During those sessions, Nikhil said that certain topics would not appear, but the exam included vulnerabilities from areas that had previously been excluded. Fortunately, I had exploited every vulnerability in the lab, so nothing was new to me.
- Join Discord and search for your questions, as they have almost certainly been answered before. If you cannot find anything similar, ask. Someone will surely help you; that is one of the best things about our community.
Exam
The exam was a walk in the park… That is what you wanted to hear, was it not? It was not, and that is something to appreciate. The exam is designed to make you think about the concepts you have learnt, and its 24-hour limit makes it a genuine challenge.
Format
The exam has a very specific objective: execute commands on five different machines, excluding your own student machine. You do not need to escalate privileges on all five, so if you are running short on time, do not waste it on that task.
Once you finish the exam, you have 48 hours to complete the report.
Difficulties
The greatest difficulty is undoubtedly the 24-hour time limit, just as with OSCP. The problem is that if you become stuck at any point, frustration sets in and you begin to waste time. People recommend taking a break and getting some fresh air. I find that impossible: when I get stuck, I keep thinking about the problem until I solve it. That may be counterproductive, but it is what works for me.
Technically, if you have exploited every vulnerability in the lab, you should have no problems. What you absolutely need is a good methodology.
Exam Advice
Here are some tips that will help during the exam:
- Create a visual diagram so that the AD structure is clear. A good diagram helps expose potential attack vectors that you may have overlooked.
- Enumerate, enumerate, enumerate, and enumerate thoroughly. I lost almost three hours because I had copied a username incorrectly into my notes.
- Do not doubt your knowledge. If you are doing something that you know is correct, check for a simple syntax mistake. If there is none, use the option to restart individual machines.
- Set up BloodHound CE on your machine. It is an incredible tool for displaying attack paths, but remember that there are things it cannot show because you run the
SharpHoundcollector as a specific user. Either run it from every compromised account, which is rather tedious, or understand what BloodHound cannot see and enumerate it manually, which is what I recommend. - At present, you do not need to obfuscate tools to evade AD defences, so do not waste time doing so. Use the latest Tools.zip provided by AS, which is updated to evade the lab’s Defender.
- During the exam, make sure you capture screenshots of everything useful and paste both the image and command into your note-taking tool. I recommend Obsidian.
- Produce a high-quality report. Although AS sets compromising five machines as the objective, some people apparently pass with four. I assume this is because they submitted an excellent report. Anyone can become stuck at some point, and a good report may compensate for one missing machine.
Report
The report is essential because it reflects what you did in the lab. Completing the exam perfectly in three hours means nothing if the report is poor. This is ultimately a simulation of a real pentest, where the client — in this case AS — sees only the report.
I used TCM’s template and adapted it for AD environments. I used the MITRE ATT&CK framework and CVSS v3.1 to classify the severity of the vulnerabilities.
Another recommendation is to draft the report in Obsidian first. This makes the reporting stage much faster: when you begin writing the final report, you only need to copy and paste the screenshots and clean up the explanation of what you did. My final report was 68 pages long. I made it as detailed as possible, as I would for a real client. Yours may be shorter; that is a matter of personal preference. As long as it represents your work clearly, there should be no problem.
Conclusion
Overall, the certification is excellent. I think it is the perfect certification for starting with AD, and the 24-hour format makes it an ideal challenge before OSCP.
At certain times of year, such as Black Friday, it is available for €200 including the material and one month of lab access, or €280 for the bootcamp, material and lab access. It is worth noting that access to the material is permanent. For me, this is the best certification I have found in this price range.
Contact
If you have any questions, feel free to contact me through X. I want to stress that I will not answer questions about the exam itself, but if you have any problems or questions about preparation, do not hesitate to ask.






