Certified Red Team Operator (CRTO) - Red Team Ops I Review

TL;DR I passed! & The course was great!

So over my xmas holidays I decided to take some downtime from the day job and undertake the Red Team Ops (RTO) course by ZeroPointSecurity (ZPS). As of 01/01/2021 I have passed the Certified Red Team Operator (CRTO) exam too, which is a nice way to round out the year of 2020!

This post serves as an overview and review of the course materials and lab, plus a brief look at the exam environment (however, as it is an exam, the details will be light for obvious reasons).

I was surprised at the lack of reviews out there, as there are over 600 students signed up to the course. At the time of writing there are several other reviews from folks who took the exam; some are minimal on detail and some are extensive on what is required.

Having read them all, v3ded's is for sure the most in-depth one, covering the different aspects of the course when they sat the course/exam.

Pre-Requisites

Prior to signing up to the course it is worth noting that there are several hardware and knowledge prerequisites that will help you succeed. From a technical perspective it is useful to have a little understanding of how PowerShell and C# work, but neither is a mandatory requirement, as the course content will teach you more about each. Understanding how to compile C# binaries within Visual Studio is also incredibly important (it is explained, and you will be doing a lot of it during the course).

From a hardware perspective there are two VMs to download, one Kali and one Windows 10. I suggest you get comfortable with both, as you will be using them interchangeably within the course and potentially the exam. The hardware required should therefore ideally be a laptop that can allocate up to 6GB of RAM. I would recommend 16GB to be comfortable, but equally you can manage with 8GB. In terms of disk requirements 120GB is the minimum, but I would recommend 250GB to account for snapshots (yes, I suggest you take snapshots after each flag to enable an easy revert if something breaks).

The required VMs can be downloaded in advance from the following URLs (both are public links, so I am not giving away any course details by giving you the links in advance):

For ease of installation, grab a Windows 10 image from:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/  

and a Kali Linux image from:
https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/

Within the course material there are two setup scripts for both OSes to download the relevant tooling for each machine. Each script will configure the OS in a way that will work with the correct tooling and enable a seamless transition from a standard install to that required to execute tooling within the lab.

Overview

"Red Team Ops is an online course that teaches the basic principles, tools and techniques, that are synonymous with red teaming. Students will be granted access to the course material (written and video format) and access to a fully immersive lab, where they will learn and conduct every stage of the attack life cycle from OSINT to full domain takeover." - ZPS

There are three options when signing up to the course depending on the duration of lab time you would like: 30, 60 and 90 days. As I had a few weeks off I opted for 30 days (and should note that if you have the time, the lab is easily doable within this period; obviously this does depend on your experience pre-course and whether you do Red Team/Pentesting as a day job). It should be noted that regardless of what option you choose, you get access to the lab, materials and one exam sitting.

It is important to note that when you purchase one of the three you are prompted to enter a start date and time; this triggers an automated process that will email you the details at that exact time. YOU WILL NOT GET ACCESS BEFORE THIS TIME, so bear that in mind! You also cannot change the start time, so select carefully!

Once you have signed up you will be sent the materials at (or around) the exact time specified in the screenshot above. Note the order will sit as pending until the time you have stated, so not to worry (I was confused at this too, but Rastamouse confirmed it was all good and expected).

Costings

At the time of writing the costs for the different options were as follows. The site does not show you the final price until you go to pay, so the costs shown are excluding VAT (I've made the handy table below to show you the total cost including value added tax (VAT)). Additionally, as ZPS are a UK company the cost is in GBP, so that may be something to consider if you are signing up from outside the UK, as costs and tax may be higher.

Option                                           Cost (GBP)   Cost (Including VAT)
Training Material + 30 Days Lab Access + Exam    £399.00      £478.80
Training Material + 60 Days Lab Access + Exam    £599.00      £718.80
Training Material + 90 Days Lab Access + Exam    £649.00      £778.80

If you require an extension or an exam resit, the costs at the time of writing are as follows; once you've signed up you will be provided with information on how to sign up for these. Note a retake is only possible if you have failed; you cannot buy two sittings up front, for example.

Option                                   Cost (GBP)   Cost (Including VAT)
Red Team Ops Lab Extension - 15 Days     £189.00      £226.80
Red Team Ops Lab Extension - 30 Days     £309.00      £370.80
Red Team Ops Lab Extension - 45 Days     £399.00      £478.80
Red Team Ops Exam Retake                 £99.00       £118.80

Course: Overview

In general, the Zero Point Security CRTO course was pretty decent. It is aimed at those who have a fundamental understanding of penetration testing and are starting to get to know more about red teaming. A typical learning path for most may be to study for their OSCP, then undertake the course and achieve their CRTO; however, it is not mandatory to take OSCP first and some may find it easier to just do CRTO instead.

The course covers some foundational red team techniques in the following areas. These are all covered and guided through with examples to enable the student to follow along at their own pace.

  • External Reconnaissance
  • Initial Compromise
  • Host Reconnaissance
  • Persistence
  • Local Privilege Escalation
  • Domain Reconnaissance
  • Credentials & User Impersonation
  • Lateral Movement
  • Session Passing
  • SOCKS Proxies
  • Reverse Port Forwards
  • Data Protection API (DPAPI)
  • Kerberos Abuse
  • Group Policy Abuse
  • MS SQL Server Abuse
  • Domain Dominance
  • Domain & Forest Trusts
  • Bypassing Defences

Course: Platform

The course is hosted on an online platform called Canvas, which acts as an online learning environment with integrations to Badgr, where a student can track their progress. The actual content itself has been updated to an active online learning environment (my understanding is that on initial release in early 2020 it was in the form of a PDF).

It is not mandatory to sign up for Badgr, but it does enable you to gain virtual achievements for each module you complete and submit the related flag(s) for each assignment.

There are nine Badgr badges you can collect in total for just completing the course, plus an additional one for completion of the course once all nine are collected:

In addition to completing the course, when you complete the exam (achieving a minimum score of 75%) and achieve the CRTO badge you will get two additional badges:

The first is for completion of the exam and if you have managed to achieve all of the badges in the lab plus the exam completion you will be awarded the Red Team Ops I red badge below:

The platform also offers automated marking of assessments, which makes for an easy and enjoyable experience when doing the various assessments throughout the course. It also means that when you submit your flags for the exam you know within minutes if you have passed or failed, rather than waiting for weeks on end.

The various sections of the platform are broken down into each topic in the syllabus, with each having several examples that can be read through.

There is enough content to help you get through, but it encourages you to learn more with additional notes and tips scattered throughout which are worth exploring. The course and Slack access are retained even after your lab time expires; as it is a rolling course, the content will be updated at points.

Course: Learning Materials

Overall the different sections are mostly explained pretty well, but there are some sections that are very much a case of "here is an example, now go do the rest" with no additional information. All of the materials are housed on Canvas, which is the learning platform.

I found these a little tough at first, but after standing up the issues in my own lab and working out how they work under the hood it made a lot more sense. Now that is not to say that the way to get through the modules is to replicate issues in your own lab, but it did help to understand how the issue is created in order to exploit it. There is a very helpful Slack channel for the course, available to all that sign up, where you can ask questions.

The course is covered in written examples with some videos to demonstrate functionality of the various techniques on different C2 tools. At the time of writing the two in use were Covenant (Open-Source) and Cobalt Strike (Commercial).

You are welcome to use any C2 you like to progress through, but these are the only two that are supported in the material. I went back through the content using PoshC2 and Empire, which are both open source C2 frameworks. I did this to gain a better understanding of the material and how different tools work for different jobs. As the course is updated constantly, who knows, maybe Rasta will include the steps required for other C2s.

Each module has several sections in it that explain how a technique works, what tools are required and how to do it per C2; however, I found that some sections only had instructions for one or the other but not both. Rastamouse takes you through an example, then that example is followed by an assessment (more on the lab structure later). Once you have done an assessment you will gain a badge (mostly); some assessments require multiple parts to be achieved before the badge will be awarded.

As a course in general it is a good starting point, and the material does a good job of explaining the core topics required to carry out an engagement. The only thing really missing is an assessment to gauge time and record keeping, which is key when carrying out any red team assessment.

Course: Lab

The lab is one of the better ones I have come across and the material helps you traverse the various hosts. Each module has several ways to achieve the objective, and as a result there are several hosts in the lab that will enable you to facilitate pwnage!

Rastamouse has done a great job with the lab, as it is updated a lot with Windows updates and patched frequently to enable you to test your enumeration skillset. Rather than popping MS08 or EternalBlue, you are forced to enumerate the different hosts that you land on, and the material serves as a great guide on where to look for things.

One of the things I did notice is that Rastalabs (RL) on HTB is a good comparison, as it was written by the man himself too. While RL follows a CTF-like scenario with no guide, RTO is much more guided and enables you to try different techniques. The machines within the lab are all running Windows 10 and Server 2016 and kept up to date, as is similar with RL.

A key difference between the RTO lab and others such as the Offensive Security (OSCP etc) ones is that to gain the different objectives you do not always need to get Administrative privileges on machines; rather, it is the techniques and concepts that you go through that enable you to achieve an objective.

This is much more similar to a real world engagement. Also like the real world, there is minimal focus on getting domain admin and more of a focus on achieving specific objectives, which are in the form of flags for this example.

Lab: Tradecraft

In terms of traversing the lab, as mentioned earlier there are two supported options for command and control frameworks; for the initial run through of the course I used Cobalt Strike. One of the great things about the course and lab was that the focus was not on a specific framework but more on tooling that can be used flexibly. The tradecraft was very much orientated towards .NET where possible, and PowerShell. However, as I wanted to get as much out of the lab as possible I opted to use C# and reflective loading where I could.

It also enabled me to play-test Ceri's BOF.NET on Cobalt Strike, which is great and worth a look if you use Cobalt Strike in the day job! It acts as a replacement for execute-assembly and enables easier bypassing of AV checks and similar, enabling you to freely operate in memory.

Almost all of the tooling within the lab has a C# variant, and thanks to SharpAllTheThings there are plenty of tools out there for you to tweak and compile to your liking to use in the lab and on engagements. An important note when it comes to C# though, and something I noticed while in the lab, is students dropping binaries left, right and centre. One of the most important things to take away from all of this is that OPSEC is important, so clean up after yourself and try not to drop things to disk if you do not need to.

Community: Slack

In addition to the course material, signing up also grants you access to the ZPS Slack, which has a few channels including a dedicated channel for the course where people can ask questions about issues they are encountering. I did not use it too much, but when I did ask questions there were folks on hand to help out, which is lovely.

It also has a general channel and a notifications channel so you can see if your lab instance is rebooting or has been reset (which I used a few times to troubleshoot why my beacons had died!).

Similar to the course material, after your lab time expires you still retain access to Slack, meaning you can chat to students and learn about all things going on. New updates to the course are sent via email and also announced via Slack.

Exam: I survived 24 Hours of Pain.

One exam sitting is included in the cost of the course. The exam itself is 48 hours long. There are four (4) flags in the exam, which you must capture and submit via the Final Exam Flag Submission Assignment on Canvas. They are named flag1.txt to flag4.txt and are of the format RTO{flag}. To pass the exam and achieve the badge you need to have a minimum of three (3) flags (75%).

The other reviews I have read of the course have said that the exam is easy; some even said it was easier than the course. I can assure you I did not find it easy. There were some parts that were easier than others, but a lot of the exam is hardcore enumeration and playing out smaller details from the course materials.

In general I get very stressed with exams and usually fail, but thankfully passed this one first time! In terms of the course materials vs the content in the exam, there was not anything in the exam that was not in the course; however, as some of the examples were light on details in the course, the exam content had much more, which saw me googling for hours on end with weird error messages! In retrospect that feels much like a real world situation.

If you are reading this and thinking about doing the course and exam, one key piece of advice I will give you is TAKE YOUR OWN NOTES, and take them down in detail about different techniques. Also, when you have an example in the lab try using other tooling, as much like in the real world, not every job has just one tool that works. There are multiple tools to have a go with in the lab and you never know, it might help you!

The exam itself is all online and, unlike OSCP and other exams, has no written content; all that is required to pass is the flags, which takes a load off your stress levels when going through it. Again, with most of the reviews I have read so far, the average time for completion is under 24hrs, but you have 48 to do it in, so plenty of time. It is also open book, so you have access to the internet etc as you would in the real world, thankfully.

I cannot give away any details about specifics in the exam, but what I will say is that although it may feel like a real world exam, there are certain steps that can be taken that you might not do in a real engagement that may help you. Also the following resources really helped me when working through specific scenarios in both the course and the exam.

Conclusion

As my $dayjob consists of Red Teaming and Purple Teaming, the course was great at expanding on some of the topics you do not always get to practice. Also having the addition of a lab to play in is always fun and has given me some ideas of scenarios to run in my own home lab. I hope that the certification gets more recognition within the community and possibly has some pairings with other organisations to bring it up further.

With everything there is always room for improvement, but generally speaking the content is great. There are some sections that could be expanded more, but if anything they encourage you to go and do your own research to understand topics better, which is not a bad thing.

I really enjoyed the course as a whole, and while the exam was painful it was a lot of fun, and something I will not forget for a while! In terms of difficulty of RTO vs Rastalabs, I'd say RL is harder purely as it does not have a guide along with it. If you have not done either and fancy doing them both, then I would recommend doing RTO first to give you some standing to traverse onto the CTF in RL.

Given I was meant to be taking downtime from work over xmas, I just spent 30 days doing a course and exam, which was really enjoyable. Thank you Rastamouse for a great course and content.

Cheers folks, a great start to 2021!