# CRTP Methodology

{% hint style="info" %}

### **Important to know:**

{% hint style="warning" %}
CRTP is based on **Living Off The Land**, so there is no phishing, no exploits and no CVEs.
{% endhint %}

{% hint style="info" %}
The exam environment won't include any tools, but we can add a specific folder to the Windows Defender exclusion settings and place the tools we need there.
{% endhint %}

{% hint style="success" %}
What you have learned in the course is everything you need in order to pass the exam.
{% endhint %}

{% hint style="info" %}
The exam goal is to execute OS commands on 5 targets, no matter what privileges the user has.
{% endhint %}
{% endhint %}

## 0. Defenses

### Policy language mode

Enumerate PS Language Mode - [#language-mode](https://dudisamarel.gitbook.io/crtp-notes/basic-enumeration/protection#language-mode "mention")

If the language mode is Constrained:\
try to bypass it using PowerShell v2 or [#list-applocker-rules](https://dudisamarel.gitbook.io/crtp-notes/basic-enumeration/protection#list-applocker-rules "mention")

### Bypass AMSI

Bypass AMSI in every new PowerShell session - [#amsi-bypass](https://dudisamarel.gitbook.io/crtp-notes/misc/bypass-defenses#amsi-bypass "mention")

Also [#invisi-shell](https://dudisamarel.gitbook.io/crtp-notes/misc/bypass-defenses#invisi-shell "mention") can be used

### Bypass Defender

[#windows-defender](https://dudisamarel.gitbook.io/crtp-notes/misc/bypass-defenses#windows-defender "mention")

### Turn off Firewall

[#firewall](https://dudisamarel.gitbook.io/crtp-notes/misc/bypass-defenses#firewall "mention")

***

## 1. Local Privilege Escalation

Check our privileges using `whoami /all`

Use [#powerup-1](https://dudisamarel.gitbook.io/crtp-notes/privilege-escalation/local-privilege-escalation#powerup-1 "mention") and discover the vectors:

* Unquoted Service
* Modifiable Service File
* Modifiable Service

Once we are local admin, use [lsass-dump](https://dudisamarel.gitbook.io/crtp-notes/lateral-movement/lsass-dump "mention") to find other users' logon sessions

***

## 2. Domain Enumeration

### ACL

[acl](https://dudisamarel.gitbook.io/crtp-notes/ad-enumeration/acl "mention")

It is better to write down the interesting ACLs, as they may be useful later

**BloodHound** is very useful for visualizing ACLs

### General

[gnereral](https://dudisamarel.gitbook.io/crtp-notes/ad-enumeration/gnereral "mention")

Start building a mind map of attack paths:

* Domain
* Domain Controller
* Users
* Computers
* Domain and Enterprise Administrators
* OUs
* GPOs
* SPNs

### Forests and Trusts

Understand trusts and map them between the domains

[forests-and-trusts](https://dudisamarel.gitbook.io/crtp-notes/ad-enumeration/forests-and-trusts "mention")

***

## 3. Domain Privileges Escalation

### Reverse shell by abusing Jenkins

### User Hunting

[#user-hunting](https://dudisamarel.gitbook.io/crtp-notes/ad-enumeration/gnereral#user-hunting "mention") - Hunt for local admin access

### AD CS

[ad-cs](https://dudisamarel.gitbook.io/crtp-notes/privilege-escalation/cross-domain-privilege-escalation/ad-cs "mention")

### Delegations

[delegations](https://dudisamarel.gitbook.io/crtp-notes/privilege-escalation/domain-privilege-escalation/delegations "mention") - Search for Delegations

### ACL

[acl](https://dudisamarel.gitbook.io/crtp-notes/persistence/acl "mention")

Abusing ACLs can lead to:

* [#resource-based-delegation](https://dudisamarel.gitbook.io/crtp-notes/privilege-escalation/domain-privilege-escalation/delegations#resource-based-delegation "mention")
* [dc-sync](https://dudisamarel.gitbook.io/crtp-notes/lateral-movement/dc-sync "mention")
* [security-descriptors](https://dudisamarel.gitbook.io/crtp-notes/persistence/security-descriptors "mention")
* Reset user password

***

## 4. Lateral Movement

### Bypass Defenses

[#0.-defenses](#0.-defenses "mention")

### OPTH

Use [lsass-dump](https://dudisamarel.gitbook.io/crtp-notes/lateral-movement/lsass-dump "mention") after getting admin privileges, then move inside the domain using [over-pass-the-hash](https://dudisamarel.gitbook.io/crtp-notes/lateral-movement/over-pass-the-hash "mention"), then spawn a PowerShell session using [winrm](https://dudisamarel.gitbook.io/crtp-notes/lateral-movement/winrm "mention").

### User Hunting

[#user-hunting](https://dudisamarel.gitbook.io/crtp-notes/ad-enumeration/gnereral#user-hunting "mention") - Hunt for local admin access

***

## 5. Cross Domain Privilege Escalation

### MSSQL

[mssql-servers](https://dudisamarel.gitbook.io/crtp-notes/privilege-escalation/cross-domain-privilege-escalation/mssql-servers "mention")

### Inter-Realm TGT

[trusts](https://dudisamarel.gitbook.io/crtp-notes/privilege-escalation/cross-domain-privilege-escalation/trusts "mention") - After abusing the trust keys or the krbtgt of the trusted domain, it is possible to move into the other forest by abusing an Inter-Realm TGT.
