Certified Red Team Professional (CRTP) Exam Journey

Before we jump into the blog, one important update about the CRTP course: the Certified Red Team Professional (CRTP) course and lab are offered by Altered Security, who are the creators of the course and lab. You can get the course here: https://www.alteredsecurity.com/adlab

"The more that you read, the more things you will know. The more that you learn, the more places you'll go." – Dr. Seuss

I recently obtained the Certified Red Team Professional certification from Pentester Academy by taking over 5 boxes, gaining Enterprise Admin access and submitting a report, and I would like to share this entire experience with you all.


TL;DR: I always consider myself a learner, so before we jump into CRTP I thought I would also write a ground-level section so that beginners who want to go for CRTP will understand all the basics (Section 1).
Those who are already into pentesting may skip this and start from the "About the course" section (Section 2).

The outcome of all the hard work in this course looks like this :-)




Section 1: Basics for Beginners 

1x1 Why do organizations opt for a Red Team engagement?

I will answer this by giving a simple comparison of pentesting vs. red teaming.

Penetration testing is a must-have for any organization. A pentester is designated to ethically hack and evaluate your environment. In this role, they will be the point of contact and operate as the brains behind your organization's security. An organization may hire someone specifically for pentesting, or may have an employee with pentesting as part of their duties.

A red teaming exercise is basically a penetration test, but from a military perspective. The red team expert is an attacker who assumes there is also a defender in your organization's IT security group. The primary difference is that a pentest is scope-based, and that scope may not involve strengthening the organization's defense. It may also be conducted by a single individual.
A red team, on the other hand, comprises multiple participants, conducts testing without the knowledge of your staff, and may also operate continuously or routinely.

1x2 But you said red teaming; is there any other color in it? What are the different types of teams?

Yes, the answer is Blue Team, Purple Team and... wait, read till the end to know more about it.
In simple terms:
Red Team goal:
  • A red team member is someone playing the role of an attacker/adversary, trying to achieve one or more goals/objectives, and the ultimate goal is to not get detected while achieving that particular goal/objective.
  • The red team focuses on bypassing the existing controls.

Blue Team:
  • The Blue Team is tasked with detecting adversaries and preventing them from breaking into the organization's infrastructure.
  • Blue teams can begin to prepare themselves before an attack takes place by evaluating the environment and hardening the infrastructure wherever needed.
  • During the attack simulation, their goal is to identify breaches swiftly, limit the spread of infection by confining it to the system it entered through, and successfully stop the attack.
  • In simple terms, the Blue Team focuses on detecting the red team's activity.
Purple Team:
  • It is called purple as it is a mixture of Red + Blue.
  • A purple team is more of a collaboration between the red and blue teams.
  • The idea is to help each other: say the red team completes its goal/objective, then it helps the blue team to improve; or say the blue team detects the red team, then it helps the red team understand why they got detected.
  • This way both the red and blue teams work together and help to improve the organization's security posture. (This depends on the organization's scope.)
Note: There are Yellow, Orange, and Green Teams as well. I am not including their descriptions here as our topic is to give you a brief summary of CRTP, but the summary below is for your reference.
Security function colors and their tasks:
 -  Yellow: Builder
 -  Red:    Attacker
 -  Blue:   Defender
 -  Green:  Builder learns from defender
 -  Purple: Defender learns from attacker
 -  Orange: Builder learns from attacker

1x3 Who needs it?
If you're a small to midsize business, you might think red teaming isn't for you. "I'm too small to be a target," you might theorize.
But in fact, this is exactly the line of thinking that puts an organization at risk. If you were a bad actor, wouldn't you want to go after the guy who'd never expect it? Hence it is needed by every organization.

Below are some top reasons why a red team exercise should be conducted:

  • Simulate real attacks from a threat actor's position
  • Focus on your critical assets
  • Remove internal bias from your scope
  • Test your detection and response capability
  • Be a cost-effective way to stress-test your wider organization's capabilities
  • Combine real-world offensive and defensive teams: Red Teamers understand both the attack (red team) and protective (blue team) sides of the coin.

Well, now you know what red teaming is and why it's very important for any organization. So now you know the importance of the CRTP cert :)

Let’s jump into the CRTP

Section 2: Certified Red Team Professional (CRTP) COURSE

About the course

Certified Red Team Professional (CRTP) is the introductory-level Active Directory certification offered by Pentester Academy. The instructor is Nikhil Mittal, who is the author of Nishang and has spoken at both DEFCON and Black Hat conferences.

In my opinion this course is really well made and covers the basics of both Active Directory and PowerShell. So if you ask me, it's a really good start for beginners who want to know more about AD pentesting / PowerShell / red teaming.

In this course we focus first on the assume-breach scenario. Assume Breach is a mindset which limits the trust placed in applications, services, identities and networks by treating them all (both internal and external) as not secure and probably already compromised.

In very simple terms, the organization accepts the fact that an attacker will succeed at any cost and builds its defenses accordingly. This is the only course at an affordable price that can teach you how to fully and successfully attack AD in a realistic scenario.

LAB:
Lab access periods are 30, 60 and 90 days. You can select as per your timeline.

Are there any prerequisites?
To be honest, NONE. Because even if you are starting from ground zero in PowerShell or Active Directory knowledge, the course instructor Nikhil will build you up to be competent enough to do what is required for the course.


Course Material:

  1. Entire course PDF
  2. Course videos, which follow the same PDF
  3. Learning objectives videos
  4. One certification attempt to obtain the Certified Red Team Professional (CRTP)
  5. VPN connection to connect to the lab.

The course covers a number of topics including, but not limited to:

  • PowerShell basics
  • Bypassing defenses in AD
  • Domain enumeration
  • Local privilege escalation
  • Admin recon
  • Lateral movement
  • Domain privilege escalation
  • Attacks across trusts
  • Domain persistence and data exfiltration
  • Detecting attack techniques
  • Defending an Active Directory environment
Let's jump into the lab setup.


This source image may look very frightening for beginners, but let me tell you it's not once you finish the course. This statement may not apply to those who are already into pentesting; they know what I mean ;)

In the lab, you are provided with multiple tools such as Mimikatz, PowerView, BloodHound etc. to help you along with the video and reading material. Initially, machine access is a low-privileged account, from which you must then escalate your privileges and move laterally throughout the domain.

So in this environment, if you get NT AUTHORITY\SYSTEM, you still have to move ahead ;)



While learning, focus on recon. Recon with BloodHound is a GAME changer ;)

Try to spend more time on BloodHound and understand how it works etc. This will be really helpful ahead.


EXAM TIME


So if you are done with all the course material and learning objectives, then let's jump to the exam:

Before the exam you will receive one email for testing the VPN, say half an hour early, which includes the exam start time, but you will not receive another email when the exam actually starts, and this can cause confusion. So be aware of the exam start time, or you tend to lose time if you expect an email authorizing you to go ahead with the activity.

I feel maybe these half-hour-early details are because you will be provided with access to a machine with no tools on it, so be prepared with the arsenal/tools which you think you will need so that you don't have to lose time downloading them. So prepare your tool army on the machine, so when the time actually starts you are good to go.

The exam contains 5 machines that the user must pivot between in order to obtain command execution on each of them. Last but not least, your own machine too :P

This must be accomplished in 24 hours, with another 24 hours to write a professional findings report.

Again, I strongly recommend getting familiar with BloodHound and learning what each node/edge represents.

Conclusion:

After gaining Enterprise Admin access and successfully completing the exam, I wrote an in-depth, detailed report and submitted it. After that you will obtain your Certified Red Team Professional certification.

This title sounds pretty cool, but I don't feel like a professional yet because I know there's still a ton of work and study I have to go through, but this course surely helped me a lot and it was an amazing experience.

I highly recommend CRTP for those like me who have OSCP but feel as though they lack Active Directory experience, OR any beginner in infosec can also take this course.


Hope this helps in your CRTP Journey.

Happy Hunting :-)

Cayin SMP-PRO4 Signage Media Player - Reflected XSS and Insecure Permissions Vulnerability


Hi All,

Recently, in one of my internal pentest assessments, I found a Cayin SMP-PRO4 Signage Media Player installed, and the next step, you know, was to hunt for the 0-day :xD

If you are still not sure how to find/submit a CVE, you can refer to my blog post.

I am writing this blog post to support the CVE IDs assigned to the vulnerabilities above, which will be published in the CVE List.

After reporting both issues, the CVE IDs assigned to them are as below:

So lets gets started...

The Cayin SMP-PRO4 digital signage player is manufactured with fine quality with worldwide OEM/ODM services to meet ... Zone-type digital signage media player, a zone-type fanless digital signage player with AV-in supporting portrait mode, real-time video, playback of image slide shows, ticker text, video etc.

I found two issues in this product, which are as below:
  1. Insecure Permissions
  2. Reflected XSS

1- Insecure Permissions POC

Description:

Users cannot view the pre-configured password under "Content Update Wizard Setting", but while testing the connection string, the GET request reveals the clear-text password of the Wizard Setting.

Vulnerable Endpoint:
http://IP/cgi-bin/media_folder.cgi?apply_mode=ping_server&webuser=administrator&webpass=[cleartextpassword]&ip_addr=IP&group=ra
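The practical consequence of a password travelling in a GET query string is that it ends up in browser history, proxy logs and the web server's own access log. As an added example (not the vendor's code and not part of the original post), the script below shows what a defender can do with that: it scans access-log lines, flags requests whose query string carries a credential-like parameter, and returns a redacted copy of the URL suitable for retention. The log lines are constructed sample data; the `webpass` parameter name comes from the vulnerable endpoint above, the other names in `SECRET_PARAMS` are an assumption, and the password value is a placeholder.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets. 'webpass' is the parameter from the
# vulnerable media_folder.cgi endpoint; the rest are assumed common names.
SECRET_PARAMS = {"webpass", "password", "passwd", "pass", "pwd", "token", "secret"}

# Constructed combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/media_folder.cgi?apply_mode=ping_server&webuser=administrator&webpass=PLACEHOLDER_PW&ip_addr=10.0.0.9&group=ra HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /html/image_preview.html?filename=logo.png HTTP/1.1" 200 2048
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "POST /cgi-bin/login.cgi HTTP/1.1" 302 0
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact_url(target):
    """Return (redacted_target, leaked_param_names) for one request target.

    Secret parameter values are replaced with [REDACTED]; everything else,
    including parameter order, is preserved so the log line stays useful."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SECRET_PARAMS]
    if not leaked:
        return target, []
    clean = [(k, "[REDACTED]" if k.lower() in SECRET_PARAMS else v) for k, v in pairs]
    # safe="[]" keeps the marker readable instead of percent-encoding the brackets.
    redacted = urlunsplit(parts._replace(query=urlencode(clean, safe="[]")))
    return redacted, leaked


def scan_log(text):
    """Return one finding per log line whose query string exposed a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        redacted, leaked = redact_url(m.group("target"))
        if leaked:
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "params": leaked,
                "redacted": redacted,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} leaked {f['params']} -> {f['redacted']}")
```

Run against a real access log, the same `scan_log` call gives you both a detection (which clients sent credentials in URLs, and when) and the sanitised request line to keep once the original is purged. The redaction is deliberately allowlist-free on the value side: any value under a secret-named key is replaced, so a password made of only digits is treated no differently from a complex one.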



2- Reflected XSS POC

Due to a lack of input validation on the filename field of the Cayin SMP-PRO4 Signage Media Player, it was possible to obtain a reflected XSS from the URL path, e.g.
http://IPAddr/html/image_preview.html?filename=%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Vulnerable Endpoint:
http://IPAddr/html/image_preview.html?filename=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
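The payload in that URL (`%22%3E` decodes to `">`) tells you where the reflection sits: the value of `filename` lands inside a quoted HTML attribute, and the first two characters close it so the rest is parsed as a new tag. As an added example, not the vendor's code, the snippet below models that reflection with a minimal template (the `<img src="...">` template and the filename allowlist are assumptions) and shows the fix a developer would apply: HTML-encode the value for the attribute context, and reject anything that is not a plausible filename before it reaches the template. The payload string is taken from the vulnerable URL above.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# The vulnerable URL as reported above; parse_qs percent-decodes the value.
VULN_URL = ("http://IPAddr/html/image_preview.html"
            "?filename=%22%3E%3Cscript%3Ealert(1)%3C/script%3E")

# Assumed allowlist: the preview page only ever serves simple media filenames.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def filename_from_url(url):
    """Extract the decoded 'filename' query parameter ('' when absent)."""
    return parse_qs(urlsplit(url).query).get("filename", [""])[0]


def validate_filename(filename):
    """Allowlist check: True only for plain filenames without quotes or tags."""
    return bool(SAFE_FILENAME.match(filename))


def render_unsafe(filename):
    """The bug class on the page: raw input interpolated into a quoted attribute.
    A value beginning with "> closes the attribute and the tag."""
    return '<img src="%s">' % filename


def render_safe(filename):
    """Hardened version: attribute-context HTML encoding (quote=True also
    encodes " and ') plus the allowlist as defence in depth. An invalid
    filename is replaced by a fixed safe value rather than echoed back."""
    if not validate_filename(filename):
        filename = "invalid"
    return '<img src="%s">' % html.escape(filename, quote=True)


def render_encoded_only(filename):
    """Encoding alone is sufficient for this context; shown separately so the
    test can confirm the escape step works even without the allowlist."""
    return '<img src="%s">' % html.escape(filename, quote=True)


def tag_injected(markup):
    """Demo check: did the rendered markup gain a <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    fn = filename_from_url(VULN_URL)
    print("decoded filename:", fn)
    print("unsafe :", render_unsafe(fn))
    print("encoded:", render_encoded_only(fn))
    print("safe   :", render_safe(fn))
```

The encoded-only renderer is the minimum fix; the allowlist is what you add when the parameter is only ever meant to name a file on the device, because it also shuts down path-style values that encoding would pass through untouched.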



CVE Details: