⚙️CRTP Methodology
This methodology is intended to help you stay focused and not miss anything during the exam.
Important to know:
CRTP is about living off the land: no phishing, no exploits, and no CVEs.
The exam environment won't include any tools, but we can add the tools we need to a specific folder that is listed in the Windows Defender exclusion settings.
What you have learned in the course is everything you need in order to pass the exam.
The exam goal is to execute OS commands on 5 targets, no matter what privileges the user has.
0. Defenses
Policy language mode
Bypass AMSI
Bypass Defender
Turn off Firewall
1. Local Privilege Escalation
Check our privileges using whoami /all
Unquoted Service
Modifiable Service File
Modifiable Service
Once we are local admin, use credential dumping to find other users' logons
2. Domain Enumeration
ACL
It is better to write down the interesting ACLs, as they might be useful later
BloodHound is very useful for visualizing ACLs
General
Start building a mind map of attack paths
Domain
Domain Controller
Users
Computers
Domain and Enterprise Administrators
OUs
GPOs
SPNs
Forests and Trusts
Understand trusts and map them between the domains
3. Domain Privilege Escalation
Reverse shell by abusing Jenkins
User Hunting
AD CS
Delegations
Delegations - Search for Delegations
ACL
Abusing ACLs can lead to, for example:
Reset user password
4. Lateral Movement
Bypass Defenses
OPTH
Credential dumping after getting admin privileges, then moving inside the domain using Over Pass The Hash, then spawning a PowerShell session using WinRM.
User Hunting
5. Cross Domain Privilege Escalation
MSSQL
Inter-Realm TGT
Trusts - After abusing the trust keys or the krbtgt of a trusted domain, it is possible to abuse another forest via an Inter-Realm TGT