CRTO Review - 2023

Cover Image for CRTO Review - 2023

Table of Contents


    On the 28th of January, 2023, I successfully overcame the CRTO exam. So, as I did with the preview certs, I will review the CRTO documentation, labs and the exam in today's post.

    What you should expect from the course

    If you are about to buy the course at £365, at the moment of writing this review, you are going to receive the following:

    • Lifetime access to the online course documentation, which sections are constantly being updated.
    • 40 hours of labs at that last 6 months.
    • 1 exam attempt

    However, if you consider that you have the knowledge and the skill, you can also just buy an exam attempt at £99, which is the price of exam re-takes.

    Regarding the course documentation, as you might imagine by the name of the certification, it is between an entry-level to intermediate certification, exploring the tactics, techniques and procedures that threat actors use to become a professional red teamer. It is direct and straight to the point.

    The topics that stand out are Cobalt Strike and Active Directory.

    Cobalt strike is the command-and-control (C2) used for attacking the network without having to purchase a license. You will be taught from the very beginning how to configure your team server, set up listeners, perform lateral movement attacks, extract credentials and execute binaries from memory. Quite incredible

    Regarding the Active directory part of the course, you will learn how to take advantage of some Active Directory features to escalate privileges and propagate over the domain and also how to obtain persistence, which is quite essential not only for real-life scenarios but also for the lab and exam if you plan to take breaks.

    The Lab

    The lab is an active directory infrastructure composed of three forests. The first Forest has a child domain and a root domain, while the remaining forests are configured with inbound and outbound domain Trust, respectively. It is an exact copy of the lab that appears on the documentation, so you can apply what you learnt in the course material.

    This infrastructure is hosted on Snap Labs using Guacamole without any Internet or VPN connection. Furthermore, the copy & paste is unidirectional, from host to guest, so you won't be able to exfiltrate any tool or configuration from the lab. On Firefox, copy & paste from host to guest might not work because Asynchronous Clipboard might be disabled by default; thus, to enable it, you need to follow the link instructions.

    Furthermore, the Snap Labs dashboard provides you access to every machine in the lab, this can be used to avoid obtaining persistence on the machine, modify configurations, restore snapshots, etc.

    By default, the version of the lab is 2.0.4, but I encourage you to ask for updating the lab to the latest version as soon as you get the Snap Labs credentials. So, some bugs are already fixed, but most importantly because upgrading the lab implies that all the progress you have made so far will be deleted, wasting your time to achieve the same point you were at previously.

    Regarding the time, 40 hours is more than enough to resolve the whole lab several times, but the best approach to get the most out of your lab time is to read the whole documentation, solve all your doubts and note anything extra you will want to do on the lab, before tackling it. Moreover, DO NOT FORGET TO TURN OFF THE LAB when you are done for the day. There is no automatic turning off for lack of activity, so do not be like me and do not waste hours. Nonetheless, if you run out of lab time, you can still buy another 40 hours for £20.

    Finally, the lab will prepare you for the exam, allowing you to practice all the techniques you will encounter in your assessment.

    The Exam

    The exam can be booked any day at any time, but If you decide to take the exam on the weekend, take into account that Rasta might not answer your message, so take that into account, actually I asked for help on a bug I encountered during the lab on the discord server and also I DM him, but I never got a response.

    Once booked, On the events section of your Snap dashboard will appear a new event; in this event, there is a "Threat Profile", giving you context about what you have to do.

    The exam is like a Capture The Flag, where you will have to obtain 6 out of 8 flags to pass the exam, so no report is required. Lasting 48 hours, and you can distribute them over four days. This means you can stop it any time and take rests without consuming the exam hours. But take into account that all the beacons will die if no persistence is made.

    Finally, the assessment is pretty straight forward because there are no rabbit holes, and every tool you need will be in the same folder as in the lab; just be patient, enumerate the machines and the domain, and do not get nervous.


    To sum up, the CRTO is a well intermediate penetration tester certificate focused on Active Directory and a good beginner certification for Red Teaming operators, with a fair price due to the always updating documented course, 40 hours of lab and one exam retry.

    If you are interested in Active Directory or want to start your career a Red Team Operator you should give it a chance.