⚙️CRTP Methodology
This methodology is intended to help you stay focused and not miss anything during the exam.
Important to know:
CRTP is based on living off the land, so there is no phishing, no exploits, and no CVEs.
What you have learned in the course is everything you need in order to pass the exam.
0. Defenses
Policy language mode
Enumerate the PowerShell language mode - Language Mode
If the language mode is Constrained, try to bypass it using PowerShell v2 or List AppLocker Rules
Bypass AMSI
Bypass AMSI in every new PowerShell session - AMSI Bypass
Invisi-Shell can also be used.
Bypass Defender
Turn off Firewall
1. Local Privilege Escalation
Check our privileges using whoami /all
Use PowerUp to discover the vectors:
Unquoted Service
Modifiable Service File
Modifiable Service
Once we are local admin, use Credentials Dumping to find other users' logons.
2. Domain Enumeration
ACL
It is better to write down the interesting ACLs, as they may be useful later.
BloodHound is very useful for visualizing ACLs.
General
Start building a mind map of attack paths.
Domain
Domain Controller
Users
Computers
Domain and Enterprise Administrators
OUs
GPOs
SPNs
Forests and Trusts
Understand trusts and map them between the domains
3. Domain Privilege Escalation
Reverse shell by abusing Jenkins
User Hunting
User Hunting - Hunt for local admin access
AD CS
Delegations
Delegations - Search for Delegations
ACL
Abusing ACLs can lead to:
Reset user password
4. Lateral Movement
Bypass Defenses
OPTH
Credentials Dumping after getting admin privileges, then move inside the domain using Over Pass The Hash, then spawn a PowerShell session using WinRM.
User Hunting
User Hunting - Hunt for local admin access
5. Cross Domain Privilege Escalation
MSSQL
Inter-Realm TGT
Trusts - After abusing trust keys or the krbtgt of a trusted domain, it is possible to abuse the other forest using an Inter-Realm TGT.