Skip to content

CRTP / AD ~ Notes ~ by n3oari

🏠 Home 🏠 Home
Table of contents
🔧 Utils
🔍 Enumeration
🔍 Enumeration
🆙 Privilege Escalation
🆙 Privilege Escalation
- Local privesc
- Feature abuse (Jenkins)
- 📂 Domain Privesc
  📂 Domain Privesc
  - Kerberoasting
  - AS-REP Roasting Attack
  - 📂 Delegations
    📂 Delegations
    
    Unconstrained Deletegation
    
    Constrained Delegetation
    
    RBCD
- 📂 Cross Domain Privesc
  📂 Cross Domain Privesc
➡️Lateral Movement
➡️Lateral Movement
- DCSync
- OverThePass
- NTLM relay
- Runas
🦖 Persistence
🦖 Persistence
🛡️ Bypass defenses
CRTP - Methodology

CRTP / AD ~ Notes

Personal notes for the CRTP exam 2026 and general Active Directory / Windows hacking.

Philosophy

These notes prioritize OPSEC and Living off the Land (LOtL) techniques — favoring native Windows tools and built-in features to blend in with normal admin activity. That said, external tools are used where they provide a real advantage.

~ Look like an admin, not an attacker. ~

What you'll find here

Active Directory enumeration and exploitation
Privilege escalation and lateral movement
Persistence and credential access
Key concepts and theory behind each technique
CRTP-specific methodology

Approach

All techniques are performed from Linux using a mix of tools — native Windows utilities via remote execution, PowerShell, and external tools like BloodHound, NetExec, Impacket and others where needed.

You can find more about me here: