CRTP Methodology

This methodology is intended to help you stay focused and not miss anything during the exam.

Last updated 7 months ago


Important to know:

CRTP is about living off the land: no phishing, no exploits, and no CVEs.

The exam environment won't include any tools, but we can add the tools we need to a specific folder that is configured as an exclusion in Windows Defender.

What you have learned in the course is everything you need in order to pass the exam.

The exam goal is to execute OS commands on 5 targets, no matter what privileges the user has.

0. Defenses

Policy language mode

Enumerate PS Language Mode -

If the language mode is constrained: try to bypass using PS v2 or
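The PowerShell v2 downgrade mentioned above works because the 2.0 engine predates both Constrained Language Mode and AMSI, and it leaves a clear trace: event ID 400 in the "Windows PowerShell" log records a HostVersion and an EngineVersion, and a 2.0 engine started by a 5.x host is the downgrade. The following detection logic is an added example, not code from the original notes; the event records are constructed for the example and only mimic the shape of the real event 400 message.

```python
"""Spot PowerShell engine downgrades in constructed event 400 records.

Added example, not part of the original notes. Event ID 400 ("Engine state
is changed from None to Available") carries HostVersion= and EngineVersion=
fields; a 2.0 engine under a 5.x host is the classic downgrade used to escape
Constrained Language Mode and AMSI.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events shaped like the event 400 message body
# (computer names, versions and command lines are invented for this example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"computer": "WS01", "event_id": "400",
     "message": "Engine state is changed from None to Available. Details: "
                "NewEngineState=Available HostName=ConsoleHost "
                "HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1 "
                "HostApplication=powershell.exe"},
    {"computer": "WS01", "event_id": "400",
     "message": "Engine state is changed from None to Available. Details: "
                "NewEngineState=Available HostName=ConsoleHost "
                "HostVersion=5.1.19041.1 EngineVersion=2.0 "
                "HostApplication=powershell.exe -version 2 -ExecutionPolicy Bypass"},
    {"computer": "WS02", "event_id": "403",
     "message": "Engine state is changed from Available to Stopped. "
                "HostVersion=5.1.19041.1 EngineVersion=5.1.19041.1"},
]

_VERSION = re.compile(r"(HostVersion|EngineVersion)=(\d+(?:\.\d+)*)")


def parse_versions(message: str) -> Optional[Tuple[str, str]]:
    """Return (host_version, engine_version) from an event message, or None."""
    found = dict(_VERSION.findall(message))
    if "HostVersion" in found and "EngineVersion" in found:
        return found["HostVersion"], found["EngineVersion"]
    return None


def is_downgrade(host_version: str, engine_version: str) -> bool:
    """True when the engine's major version is older than the host's."""
    return int(engine_version.split(".")[0]) < int(host_version.split(".")[0])


def find_downgrades(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per event 400 whose engine is older than its host."""
    findings = []
    for event in events:
        if event["event_id"] != "400":  # only engine-start events carry a fresh engine version
            continue
        versions = parse_versions(event["message"])
        if versions and is_downgrade(*versions):
            findings.append({"computer": event["computer"],
                             "host_version": versions[0],
                             "engine_version": versions[1]})
    return findings


if __name__ == "__main__":
    for f in find_downgrades(SAMPLE_EVENTS):
        print(f"{f['computer']}: host {f['host_version']} started engine {f['engine_version']}")
```

The durable fix is to remove the 2.0 engine altogether (the Windows optional feature MicrosoftWindowsPowerShellV2Root), after which the downgrade fails and the event never appears; where the feature must stay for a legacy dependency, this check is a cheap alert.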

Bypass AMSI

Bypass AMSI in every new PowerShell session -

Can also be used

Bypass Defender

Turn off Firewall


1. Local Privilege Escalation

Check our privileges using whoami /all

  • Unquoted service path

  • Modifiable Service File

  • Modifiable Service

Once we are local admin, use Credentials Dumping to find other users' logons.
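The unquoted service path item above is also a standard hardening audit. Windows resolves an unquoted command line containing spaces by trying each space-delimited prefix as the executable, so for C:\Program Files\Acme App\svc.exe it first looks for C:\Program.exe and then C:\Program Files\Acme.exe; those directories must therefore not be writable by standard users, and the real fix is quoting the path. The audit below is an added example, not code from the notes or from PowerUp; the service list is constructed for the example.

```python
r"""Audit service ImagePath values for the unquoted-path weakness.

Added example, not code from the original notes. For an unquoted executable
path with spaces, the audit lists the lookups the loader performs before the
real binary (their parent directories need write-restricted ACLs) and shows
the quoted ImagePath that removes the weakness.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of (service name, ImagePath) as an auditor would read
# them from HKLM\SYSTEM\CurrentControlSet\Services or Win32_Service.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("AcmeUpdater", r"C:\Program Files\Acme App\bin\updater.exe -service"),
    ("GoodVendorSvc", r'"C:\Program Files\Good Vendor\svc.exe" --run'),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ToolSvc", r"C:\tools\svc.exe /config with spaces"),  # spaces only in arguments
]

# First ".exe" ends the executable part; services whose ImagePath omits the
# extension are not handled by this regex and are skipped (see executable_path).
_EXE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_path(image_path: str) -> Optional[str]:
    """Return the executable part of an ImagePath, quoted or unquoted."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        return image_path[1:end] if end > 0 else None
    match = _EXE.match(image_path)
    return match.group(1) if match else None


def is_unquoted_with_spaces(image_path: str) -> bool:
    """The weakness needs both: no surrounding quotes and a space in the exe path."""
    exe = executable_path(image_path)
    return bool(exe) and not image_path.lstrip().startswith('"') and " " in exe


def lookup_candidates(exe_path: str) -> List[str]:
    """Paths the loader tries before the real binary, in order."""
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_fix(image_path: str) -> str:
    """The remediated ImagePath: executable quoted, arguments untouched."""
    stripped = image_path.strip()
    exe = executable_path(stripped)
    return f'"{exe}"{stripped[len(exe):]}'


def audit(services: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    findings = []
    for name, image_path in services:
        if is_unquoted_with_spaces(image_path):
            exe = executable_path(image_path)
            findings.append({"service": name, "image_path": image_path,
                             "candidates": lookup_candidates(exe),
                             "fix": quoted_fix(image_path)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        print(f"{f['service']}: {f['image_path']}")
        print("  looked up first:", ", ".join(f["candidates"]))
        print("  fix:", f["fix"])
```

ToolSvc is deliberately the edge case: spaces only in the arguments do not trigger the weakness because the executable token has none, which is why the check inspects the executable part rather than the whole ImagePath.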


2. Domain Enumeration

ACL

Better to write down the interesting ACLs, since they might be useful later.

BloodHound is very useful for visualizing ACLs.

General

Start building a mind map of attack paths:

  • Domain

  • Domain Controller

  • Users

  • Computers

  • Domain and Enterprise Administrators

  • OUs

  • GPOs

  • SPNs

Forests and Trusts

Understand trusts and map them between the domains.


3. Domain Privilege Escalation

Reverse shell by abusing Jenkins

User Hunting

AD CS

Delegations

Search for delegations.

ACL

Abusing ACLs can lead to:

  • DC Sync

  • Security Descriptors

  • Reset user password


4. Lateral Movement

Bypass Defenses

OPTH

Dump credentials after getting admin privileges, then move inside the domain using Over Pass The Hash, then spawn a PowerShell session using WinRM.

User Hunting


5. Cross Domain Privilege Escalation

MSSQL

Inter-Realm TGT

Trusts - after abusing the trust keys or the krbtgt account of a trusted domain, it is possible to move into the other forest by abusing an inter-realm TGT.

Use and discover the vectors:

- Hunt for local admin access

