Certified Red Team Operator – Review

What is #RTO?

Red Team Operator is a new course offered by Zero Point Security, created by Daniel Duggan, AKA @_RastaMouse. Rasta is well known in the infosec community for the awesome content he has created before: not only other training content, but also some great research and blog posts. You can find the complete syllabus for the RTO course here. I will break down the review into 3 sections: the course material, the labs, and the exam itself. I was part of the first batch of students when the course was created, so I won’t dive too deep into the specific techniques taught. The course is very up to date, so by the time you read this it may be very different from when I took it.

Overall I really enjoyed the material, the labs, and the exam too. There were some hiccups here and there, but that’s kind of what I expected being an early adopter. This course aims to equip students to hack fully patched, modern Windows environments. For the current price, I personally think the value of this course is unbeatable!

Course Material

The course materials delivered were a 172-page PDF and around 19 videos. The PDF is broken down into 4 different modules, and each module covers different techniques and topics, as seen in the syllabus. The videos work like demos for some of the things detailed in the PDF. Personally, I felt the course content has to be one of my favorites from all the certs/courses I’ve taken so far. As I mentioned above, the material is extremely up to date. I seriously cannot give enough credit to the value I got from the material.

Keep in mind this is a beginner to intermediate course, therefore it does not dive into extremely deep technical details on each topic. However, it does give you the information needed to replicate the results discussed in each module, and enough to get you researching on your own. Additionally, everything covered in the PDF is useful for getting through the lab environment. If you have taken OSCP and need to learn the ins and outs of hacking Windows Active Directory environments and the current techniques used by red teamers/pentesters, this course will help get you started.

Lab

Part of the package you receive is a “lab guide” which tells you what your mission is for the lab. I won’t spoil it, but I liked this model because it didn’t feel like I was playing a CTF. The lab network environment was built like a real live network with users, workstations, servers, different subnets, etc. There aren’t 50+ machines to hack like in the OSCP labs, for example, but unlike OSCP it’s not just about trying to pwn everything and grab a proof.txt file. As a red teamer you really need to consider how to move around the network strategically to reach your goal.

As for how much time you will need in the lab, it really depends on your experience and how much time you are willing to put in daily. Personally I got only 30 days and I felt like it was not enough, mainly because I could not put that many hours into it daily and did run into some issues. The material uses Covenant C2 to demonstrate the exploitation of most (not all) of the techniques covered, which is where a lot of the issues I faced came in. However, it kinda forced me to invest more time in getting comfortable with impacket, PowerSploit, and MSF named pipes, so in the end it worked out. On the other hand, if you are lucky enough to have access to Cobalt Strike, you will probably have a much easier time with it.

Exam

Similar to some of the Offsec certs, the RTO exam was a time-limited challenge that really required students to have a good grasp of the course material. I can’t give too many details, but rest assured that if you take your time in the lab and make sure you are familiar with all the topics taught through the course, you will be fine for the exam. I actually think the lab itself was harder than the exam, which was great because it does a great job of preparing you for the exam. Personally, since I didn’t have time to go through 100% of the lab, the exam actually served to teach me a thing or two and allowed me to get some hands-on practice with some concepts taught in the PDF. Additionally, 48 hours is plenty of time for the challenges. Most of the other folks who passed that I’ve talked to finished the exam in less than 24 hours as well.

Additional Thoughts…

In conclusion, I would highly recommend the RTO course, even with some of the issues I faced. Rasta seems committed to delivering a good user experience; he was even kind enough to offer all of us first users extra lab time for free. The content was great, the lab was fun, and the exam was challenging. Additionally, if you do sign up, be sure to join the Slack channel. The folks taking the course were always willing to help each other, and I met some great people there like @fuckup_1337 and @w9hax.

Here is some additional reading that helped me during the course.

https://rastamouse.me/2018/10/amsiscanbuffer-bypass-part-1/

http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

https://en.hackndo.com/kerberos/

http://www.harmj0y.net/blog/redteaming/not-a-security-boundary-breaking-forest-trusts/

https://rastamouse.me/2019/01/gpo-abuse-part-1/

https://www.onsecurity.co.uk/blog/abusing-kerberos-from-linux

https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/

https://www.bordergate.co.uk/lateral-movement-with-named-pipes/

https://posts.specterops.io/kerberosity-killed-the-domain-an-offensive-kerberos-overview-eb04b1402c61