Share
## https://sploitus.com/exploit?id=6988519D-A3AB-5A0B-8F49-72A200D9C1F0
# AD Attack Path Lab

A complete Active Directory attack simulation lab covering enumeration, web exploitation, privilege escalation, Kerberoasting, lateral movement, and domain compromise.

## Lab Architecture

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚    KALI     β”‚     β”‚     DC      β”‚     β”‚    WEB      β”‚
β”‚ 192.168.1.  │────▢│ 192.168.1.10│◀────│ 192.168.1.20β”‚
β”‚  (Attacker) β”‚     β”‚   (DC)      β”‚     β”‚   (IIS)     β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                           β”‚                    β”‚
                           β”‚                    β”‚
                    β”Œβ”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”
                    β”‚     SQL     β”‚
                    β”‚ 192.168.1.30β”‚
                    β”‚(SQL Server) β”‚
                    β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

## Network Configuration

| VM | IP | Hostname | Role |
|----|-----|----------|------|
| DC | 192.168.1.10 | DC | Domain Controller (lab.local) |
| WEB | 192.168.1.20 | WEB | IIS Web Server with vulnerable upload |
| SQL | 192.168.1.30 | SQL | SQL Server 2019 |
| KALI | 192.168.1.100 | kali | Attacker machine |

## Credentials

| Account | Password | Purpose |
|---------|----------|---------|
| svc_web | WebSvc123! | Web service account (Kerberoastable) |
| svc_sql | SQLService123 | SQL service account (Kerberoastable) |
| Administrator | P@ssw0rd | Domain Admin |

## System Requirements

- **RAM:** 16GB minimum (8GB can work with careful resource management)
- **CPU:** 8 cores minimum
- **Disk:** 100GB free space
- **Software:** VirtualBox 7.0+, Vagrant 2.4+

## Quick Start (Vagrant)

### 1. Install Prerequisites

```bash
# Install VirtualBox
# Download from: https://www.virtualbox.org/wiki/Downloads

# Install Vagrant
# Download from: https://www.vagrantup.com/downloads

# Install vagrant-reload plugin (required for Windows provisioning)
vagrant plugin install vagrant-reload
```

### 2. Launch Lab

```bash
cd /path/to/lab
vagrant up
```

This will:
1. Download Windows Server 2019 and Kali Linux base boxes
2. Provision DC with Active Directory
3. Provision WEB server with IIS and vulnerable service
4. Join WEB to domain
5. Provision SQL server
6. Join SQL to domain
7. Launch Kali with tools

**Estimated time:** 30-60 minutes depending on download speeds

### 3. Post-Provisioning (SQL Server)

After vagrant completes, you MUST manually install SQL Server:

1. Connect to SQL VM: `vagrant rdp sql`
2. Download SQL Server 2019 Developer
3. Install with:
   - **Instance:** Default (MSSQLSERVER)
   - **Service Account:** `lab\svc_sql`
   - **Password:** `SQLService123`
   - **Authentication:** Mixed Mode
   - **SA Password:** `SqlAdmin123!`

4. Open SQL Server Management Studio (SSMS)
5. Run:
```sql
CREATE LOGIN [lab\svc_sql] FROM WINDOWS;
EXEC sp_addsrvrolemember 'lab\svc_sql', 'sysadmin';
```

## Manual Setup (Without Vagrant)

### 1. VirtualBox Network Setup

Create a Host-Only Network:
- IP: 192.168.1.1
- Mask: 255.255.255.0
- DHCP: Disabled

### 2. Create VMs

| VM | OS | RAM | CPUs | Network |
|----|-----|-----|------|---------|
| DC | Windows Server 2019 | 2GB | 2 | Host-only |
| WEB | Windows Server 2019 | 2GB | 2 | Host-only |
| SQL | Windows Server 2019 | 4GB | 2 | Host-only |
| KALI | Kali Linux | 2GB | 2 | Host-only |

### 3. Configure DC (run as Administrator)

```powershell
# Install AD DS
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote to DC
$password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
Import-Module ADDSDeployment
Install-ADDSForest -DomainName lab.local -SafeModeAdministratorPassword $password

# After reboot, create service accounts
$svcWebPassword = ConvertTo-SecureString "WebSvc123!" -AsPlainText -Force
$svcSqlPassword = ConvertTo-SecureString "SQLService123" -AsPlainText -Force

New-ADUser -Name svc_web -SamAccountName svc_web -PasswordNeverExpires $true -AccountPassword $svcWebPassword -Enabled $true
New-ADUser -Name svc_sql -SamAccountName svc_sql -PasswordNeverExpires $true -AccountPassword $svcSqlPassword -Enabled $true

# Set SPN for Kerberoasting
setspn -S MSSQLSvc/sql.lab.local:1433 svc_sql
```

### 4. Configure WEB

```powershell
# Join domain
Add-Computer -DomainName lab.local -Credential lab\Administrator

# Install IIS
Add-WindowsFeature Web-Server, Web-Asp-Net45

# Create upload directory
New-Item C:\inetpub\wwwroot\uploads -ItemType Directory

# Create upload.aspx (see tools/cmd.aspx for webshell)
# Create vulnerable service
New-Item C:\ProgramData\WebUpdate -ItemType Directory
icacls C:\ProgramData\WebUpdate /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)M
sc create WebUpdate binPath= "C:\ProgramData\WebUpdate\update.exe" start= demand obj= "lab\svc_web" password= "WebSvc123!"
```

### 5. Configure SQL

```powershell
# Join domain
Add-Computer -DomainName lab.local -Credential lab\Administrator

# Install SQL Server 2019
# Use svc_sql as service account
# Enable Mixed Mode authentication

# Run in SSMS:
CREATE LOGIN [lab\svc_sql] FROM WINDOWS;
EXEC sp_addsrvrolemember 'lab\svc_sql', 'sysadmin';

# Create admin persistence task
schtasks /create /tn "AdminPersistence" /tr "powershell -NoP -NonI -W Hidden -Command Start-Sleep -Seconds 3600" /sc once /st 00:00 /ru "lab\Administrator" /rp "P@ssw0rd" /f
schtasks /run /tn "AdminPersistence"
```

### 6. Configure Kali

```bash
# Install tools
sudo apt update
sudo apt install -y nmap hashcat python3-pip
pip install impacket

# Download additional tools:
# - Rubeus: https://github.com/r3motecontrol/Ghostpack-CompileBinaries
# - Mimikatz: https://github.com/ParrotSec/mimikatz
# - JuicyPotato: https://github.com/ohpe/juicy-potato
# - PowerView: https://github.com/PowerShellMafia/PowerSploit
```

## Attack Path

See `docs/ATTACK_WALKTHROUGH.md` for complete walkthrough with flags.

```
1. nmap -sV 192.168.1.0/24        β†’ Enumerate network
2. FTP anonymous login            β†’ Get hint
3. Web shell upload               β†’ Initial foothold
4. Service binary replacement     β†’ Privilege escalation to svc_web
5. Kerberoasting                 β†’ Crack svc_sql password
6. SQL Server connection          β†’ Lateral movement
7. JuicyPotato                   β†’ SYSTEM shell
8. Mim Domain Admin hashikatz                      β†’
```

## Tools Included

| Tool | Location | Purpose |
|------|----------|---------|
| cmd.aspx | tools/ | Webshell for command execution |
| PowerView.ps1 | (download) | AD enumeration |
| Rubeus.exe | (download) | Kerberoasting |
| JuicyPotato.exe | (download) | Privilege escalation |
| Mimikatz.exe | (download) | Credential extraction |
| mssqlclient.py | (installed) | SQL client |

## Troubleshooting

### VMs Can't Ping Each Other
```bash
# Check VirtualBox network adapter
# Ensure all VMs use Host-Only adapter (192.168.1.0/24)
# Disable Windows Firewall on all VMs
netsh advfirewall set allprofiles state off
```

### Domain Join Fails
```bash
# Check DNS resolution
nslookup lab.local 192.168.1.10
# Check time sync
w32tm /stripchart /computer:192.168.1.10
```

### SQL Server Connection Fails
```bash
# Verify SQL Server is running
Get-Service -Name MSSQLSERVER
# Check TCP/IP is enabled in SQL Server Configuration Manager
# Enable SQL Server authentication
```

### Kerberoasting Returns No Tickets
```bash
# Verify SPN is set correctly
setspn -L svc_sql
# Check time sync between VMs (max 5 min diff)
```

## Lab Management

### Access VMs
```bash
vagrant ssh kali        # Kali
vagrant rdp dc          # Windows VMs (requires RDP client)
vagrant winrm dc        # Alternative Windows access
```

### Stop Lab
```bash
vagrant halt            # Suspend all VMs
vagrant halt      # Suspend specific VM
```

### Destroy Lab
```bash
vagrant destroy -f     # Delete all VMs
```

### Rebuild Specific VM
```bash
vagrant destroy web -f
vagrant up web --provision
```

## Flags

| Stage | Flag | Location |
|-------|------|----------|
| Initial Access | FLAG{W3b_4cc3ss} | C:\inetpub\wwwroot |
| Service Escalation | FLAG{S3rv1c3_M4n1pul4t10n} | C:\ProgramData |
| Kerberoasting | FLAG{K3rr0br04st1ng} | Crack the hash |
| SQL Access | FLAG{Xp_Cmdsh3ll_4cc3ss} | SQL error logs |
| SYSTEM | FLAG{SYST3M_Pr1v3l3g3} | Mimikatz output |
| Domain Admin | FLAG{D0m41n_Adm1n} | Final objective |

## Cleanup

```bash
# Stop all VMs
vagrant halt

# Destroy all VMs and delete disks
vagrant destroy -f

# Remove downloaded boxes (optional)
vagrant box prune
```

## Security Notes

- **ISOLATE** this lab from production networks
- All passwords are intentionally weak for educational purposes
- Never use these configurations in production
- Lab is designed for authorized security training only

## Support

For issues with:
- **Vagrant/VirtualBox:** Check VirtuaBox documentation
- **Windows provisioning:** Check Windows Server docs
- **Attack techniques:** Review ATTACK_WALKTHROUGH.md

## Files Overview

```
lab/
β”œβ”€β”€ Vagrantfile                    # VM configuration
β”œβ”€β”€ README.md                      # This file
β”œβ”€β”€ scripts/
β”‚   β”œβ”€β”€ provision-dc.ps1          # DC initial setup
β”‚   β”œβ”€β”€ provision-dc-post.ps1     # DC post-reboot setup
β”‚   β”œβ”€β”€ provision-web.ps1         # WEB initial setup
β”‚   β”œβ”€β”€ provision-web-post.ps1    # WEB post-reboot setup
β”‚   β”œβ”€β”€ provision-sql.ps1         # SQL initial setup
β”‚   β”œβ”€β”€ provision-sql-post.ps1    # SQL post-reboot setup
β”‚   └── provision-kali.sh         # Kali tools setup
β”œβ”€β”€ tools/
β”‚   └── cmd.aspx                  # Webshell
└── docs/
    └── ATTACK_WALKTHROUGH.md    # Complete walkthrough
```

---

**Lab Version:** 1.0  
**Created:** 2026  
**Designed for:** Penetration Testing Training, Red Team Practice