Certified Red Team Professional (CRTP) Course and Examination Journey


One of our co-founder and consulting manager, Natchaphon Burapanonte (Ice), have just passed Certified Red Team Professional (CRTP) from Pentester Academy. And he would like to share with us his experience, impression and the journey along his path to the certification. The following is his journey in his own words.

     First of all, I have to say that I’m not that new to the cybersecurity certification examination. This is the 7th certification in my record; however, it can be counted as the first one that fully related to Active Directory exploitation and this course teaches you from the very beginning with all the things that you need to know!

     So, this course is for you all! As they (PentesterAcademy) stated on their website
“Whether you are a beginner, a red teamer or penetration tester or a blue teamer, the course and the lab has something for everyone!”

Course Overview

     As I said, this course is for all of you that want to learn the basic Active Directory exploitation technique.

     By “exploitation” I mean exploiting the vulnerability from Domain’s “Misconfiguration” only. So, this means, if you are a penetration tester/security auditor and you finished vulnerability scanning for CVE and found nothing (Even your favourite Eternal Blue :D) , Don’t worry .. you may use the knowledge from this course to gain the access to the Forest Root without any public well-known vulnerability, only take advantage from system administrator’s carelessness.

The whole course’s environment is here:

Ref: https://www.pentesteracademy.com/activedirectorylab


     All of the machines are fully patched realistic Windows environment, but with the misconfiguration. You’ll be assigned as normal user and have to escalated your privilege to Enterprise Administrator!! step by steps by using various techniques within the course.

For the course content, it can be categorized (from my point of view) as

  1. Domain Enumeration (Manual and using Bloodhound)
  2. Local Privilege Escalation
  3. Domain Privilege Escalation
  4. Domain Persistence
  5. Domain Privilege Escalation to Enterprise Administrator
  6. Cross forest Attack
  7. MS SQL Attack
  8. Défense – Monitoring – Bypass

     For each topics, there is a learning objective to re-check whether you understand the topics well enough or not. (Please refer to https://www.pentesteracademy.com/activedirectorylab for in details course outline.)

     If you’ve already be a member of Pentester Academy, you can learn the lecture on “Attacking and Defending Active directory” course first. But in my opinion, I encourage you to purchase the 30 Days Lab and practice it with the course (If you are very beginner, you also have the choice for 60 and 90-Days Labs time), it will help you to see the picture of the course content better and faster.

     I finished the lesson within 1 and a half week and has 2 and a half weeks left to practice on the lab. (If you have some experienced in penetration testing and understand the lecture well, this time frame should be perfectly enough.)

Exam Preparation

These are my 3 important tips for the preparation:

  • Make sure you understand all of the lectures, not only the command but also how it works.
  • Use the cherry tree or another hierarchical notes of your choice to take notes and categorized the command from your understanding. It will help you on the exam.
  • Practice, Practice .. and Practice!! all learning objectives, make sure you can do it without opening the lab guide. Only use your notes to do it. If you haven’t got the notes to use .. go back to bullet 2.

The Examination

     The examination consists of 5 machines that you’ll need to compromise (Not including your own) in the “fully patches” environment like your practice lab but in a different scenario. You’ll have 24 hours to finish and the other 48 hours to write the comprehensive report with full details of your steps and capture screen for compromising each machine and mitigation.

     According to my plan, I planned to start the exam on 3 p.m., in order to have the time to rest for dinning around 6 p.m. and go to bed around 1 a.m. to 5 a.m. then jump back to exam again until 3 p.m. … BUT that was just a plan!! Lol …

     In the real exam, I felt like I was going blank and no idea all the time. I went straight from 3 p.m. to 3 a.m. with only 1 cup of tea 😛 (I don’t recommend this!!). Finally, I’ve got 5 machines with in details screenshots using around 12 hours. Then, I had my dinner (It should be called breakfast lol) around 4 a.m., go to bed and wake up around 9 a.m. because of my real world client’s phone called .. lol

     Go back to exam world again! I wrote my report around 10 a.m. with the captured screenshot, researched for proper recommendation and mitigation, had lunch (with some Netflix :P), finished, rechecked, and submitted around 3.30 pm. And they said they will get back to me in 48 hours.

Surprisingly, Next morning, I receive the exam result as

Congratulations! You have cleared the examination! You are now a
Certified Red Team Professional.


And the next morning with this

crtp certificate

The Final Thought

     Actually, all you need to do is calm down a bit and go enumeration … enumeration and enumeration … then If you learn the course well, you’ll know what to do with the things you’ve found. Sometimes, don’t over think about it … It’s right in front of your nose!!

     The other great thing about this course is their “support team”. You can ask them anything related to course whether it be the technical difficulty issue or the question related to the lesson. They will get back to you very fast!! I appreciate it!!

Trust me, if you fully understand the course, you can do it!!


Natchaphon Burapanonte (Ice)


Co-Founder & Consulting Manager

CYNIUS Cybertech and Consulting Co., Ltd.


Leave a Reply

Your email address will not be published.