Certification: CRTP

Mike Bond
5 min readAug 21, 2020


After completing the OSCP, I was trying to find the “what’s next” for my educational journey as well as helping my pentesting career. I returned to HackTheBox and started studying with Offshore. However, more than halfway through, I ended up hitting the proverbial “brick wall”. Instead of continuing to ask for help, and not totally understanding some of the attacks, I decided to take PentesterAcadamy’s Attacking and Defending Active Directory course to fill in the gaps.


As I have mentioned in some of my other postings, I have been in the IT field for 24+ years and held positions as a PC Tech, System Admin, Security Admin, Network Admin/Architect/Consultant, UC (Unified Communications) Admin/ Architect/Consultant, Management, and currently a Penetration Tester. I have or had an alphabet’s worth of certifications in that span; including CCIE in UC (#17963) as well as OSCP.

The Course and Labs:

Since my days as a Systems Admin was over a decade ago, I decided to purchase the 60-day lab. Registration was very simple and I was able to use PayPal versus providing a credit card; which is my preference. In addition, I was able to communicate with the Support Team and secure my start date a few days after registering and paying for the course.

Overall, I thought the course content was well constructed and provided details of how/why an attack worked. In total, there were 23 objectives (with multiple tasks) followed by details of how to defend against each of the attacks.

The companion videos, narrated by Nikhil Mittal, were excellent and helped reinforce the material within the course manual. In addition, I really liked how Nikhil explained the content as well as demonstrating how to complete the lab objective(s)

Regarding the lab environment, it consisted of multiple domains and forests with fully patched Windows 2016 servers. In addition, there were two different methods one could use to connect (Web RDP or VPN). For me, I preferred VPN and then connecting to a traditional RDP session.

Figure 1: Lab Environment

Once connected, there were multiple tools waiting on the student machine. Most of the tools were covered within the course content, and as an added bonus, the tools that Nikhil created were present as well. In addition, I used a few other tools within the environment, like Rubeus, to further understand how they functioned as well as comparing against the lab tools.

In total, it took me about 10 days to work through the manual and the labs. However, I spent the next 25+ days going back through each lab to make sure I understood the concepts being taught. In addition, I spent some extra time diving into BloodHound to corollate its findings to what was found with the taught enumeration techniques.

CRTP Exam Attempt #1:

Registering for the exam was an easy process. A quick email to the Support team and they responded with a few dates and times. Exam schedules were about one to two weeks out.

After securing my exam date and time, I was sent a confirmation email with some notes about the exam; which I forgot about when I attempted the exam.

As to the day of the exam, I received an email with connectivity instructions and the VPN configurations files about 30 minutes prior to my exam start time. That was it. So, I tested both Web RDP and VPN, but chose to stick with VPN access.

Not going to deep into the exam, the goal was to compromise 5ea. severs. Like others have noted in their blogs, I believe I hit the wall for about 6–8 hours. However, during this time, I was able to see the attack path, but was having issues getting there.

Around the 10th hour, I decided to get some sleep; which only lasted about 4 or 5 hours. Once returning to the exam, I managed to get past the wall and eventually compromise 5ea. systems while still having 4 hours left for the exam. So, I started checking my work and making sure I had all of my screen shots added to my exam report template. I was able to fully complete and send my exam report to the Lab Support team within an hour after my exam ended.

Within 24 hours, I received the email that I official FAILED since I did not meet the exam objectives. What?!?!

CRTP Post Fail:

I reached out to the Exam Support team for an explanation. They were very accommodating while I was trying to understand what went wrong. As it turned out, I compromised 5ea. systems, but only 4ea. servers. So, the foothold system did not technically count as a compromised server. Furthermore, the mention above regarding that I forgot about the exam registration email. Yeh…that email mentioned that 5ea. servers were required to be compromised during the exam.

After I stopped beating myself up, I was able register for a second attempt. The process was a little different since I had to email the Exam Support team to obtain a link to a pay site.

Once I paid for the exam, and it was validated by the Exam Support team, available exam dates were 4 to 5 weeks out. So, I used the remainder of my 60 day lab time to review and work through topics that I had issues with during my first exam attempt. In addition, I spent a little extra time within BloodHound as well.

CRTP Exam Attempt #2:

One of my recommendations to the Support team was to send a reminder email with regards to the exam objectives. To my surprise, I received that email the morning of my exam.

My second exam attempt began about three hours earlier than my first. And by lunch time, I had compromised all 5 servers. A few hours later I submitted my exam to the Exam Support team for a final grade.

It took nearly 48 hours after my official exam expiration to receive the email that I passed and achieved CRTP.

Lessons Learned:

RTFM! If I had read the original registration email, I would have saved myself a lot of frustration. However, one can’t win them all and I have to draw this up as more of a life lesson learned. Although, one would have thought I would have already figured that out by now.

Recommended Tools and Scripts:

During my time in the lab and exam, I used and tested numerous tools and scripts that were and were not included within the Windows image. I found the following to be the most useful to me:

Shout Out:

Lastly, I wanted to give a shout out to the PentesterAcademy Lab and Exam support staffs. They were very responsive and willing to answer questions and provide guidance during my journey.



Mike Bond

Cyber Security Enthusiast