⚙️CRTP Methodology

This Methodology is intended to help to stay focus and don't miss anything during the exam.

Important to know:

CRTP consists on Live Of The Land then no phishing, no exploits, and no CVEs.

The exam environment won't include any tools, but we can add the tools we need to a specific folder in Windows Defender exclusion settings.

What you have learned in the course is everything you need in order to pass the exam.

The exam goal is to execute OS command on 5 targets not matter what privileges the user have

0. Defenses

Policy language mode

Enumerate PS Language Mode - Language Mode

if the Language is constrained: try to bypass using PS v2 or List AppLocker Rules

Bypass AMSI

Bypass AMSI every new PowerShell session -AMSI Bypass

Also Invisi-Shell can be used

Bypass Defender

Windows Defender

Turn off Firewall

Firewall

1. Local Privilege Escalation

check our privileges using whoami /all

Use PowerUp and discover the vectors:

Unquoted Service
Modifiable Service File
Modifiable Service

Once we are Local admin use Credentials Dumping to find other users logons

2. Domain Enumeration

ACL

Better to write down the interesting ACL so they might be useful later

BloodHound is very useful visualizing ACLs

General

Gnereral

Start to build up a mind map for attacking paths

Domain
Domain Controller
Users
Computers
Domain and Enterprise Administrators
OUs
GPOs
SPNs

Forests and Trusts

Understand trusts and map them between the domains

Forests and Trusts

3. Domain Privileges Escalation

Reverse shell by abusing Jenkins

User Hunting

User Hunting - Hunt for local admin access

AD CS

Delegations

Delegations - Search for Delegations

ACL

abusing ACL can lead

4. Lateral Movement

Bypass Defenses

CRTP Methodology

OPTH

Credentials Dumping after getting Admin privileges then moving inside the domain using Over Pass The Hashthen spawn PowerShell session using WinRM.

User Hunting

User Hunting - Hunt for local admin access

5. Cross Domain Privilege Escalation

MSSQL

MSSQL Servers

Inter-Realm TGT

Trusts - After abusing Trust keys or krbtgt of trusted domain it is possible to abuse other forest abusing Inter-Realm TGT

Last updated 1 year ago

hashtagImportant to know:

hashtag0. Defenses

hashtagPolicy language mode

hashtagBypass AMSI

hashtagBypass Defender

hashtagTurn off Firewall

hashtag1. Local Privilege Escalation

hashtag2. Domain Enumeration

hashtagACL

hashtagGeneral

hashtagForests and Trusts

hashtag3. Domain Privileges Escalation

hashtagReverse shell by abusing Jenkins

hashtagUser Hunting

hashtagAD CS

hashtagDelegations

hashtagACL

hashtag4. Lateral Movement

hashtagBypass Defenses

hashtagOPTH

hashtagUser Hunting

hashtag5. Cross Domain Privilege Escalation

hashtagMSSQL

hashtagInter-Realm TGT

Important to know:

0. Defenses

Policy language mode

Bypass AMSI

Bypass Defender

Turn off Firewall

1. Local Privilege Escalation

2. Domain Enumeration

ACL

General

Forests and Trusts

3. Domain Privileges Escalation

Reverse shell by abusing Jenkins

User Hunting

AD CS

Delegations

ACL

4. Lateral Movement

Bypass Defenses

OPTH

User Hunting

5. Cross Domain Privilege Escalation

MSSQL

Inter-Realm TGT