Share
## https://sploitus.com/exploit?id=78C0E414-8468-5BC3-889D-30C9AE91CEC2
# DenkAir - Windows AD Pentesting Lab

A comprehensive Windows Active Directory penetration testing lab with realistic attack scenarios.

## Lab Overview

This lab simulates an enterprise Windows environment with multiple security misconfigurations that can be exploited in a realistic attack chain:

```
SQLi โ†’ SSTI โ†’ Privilege Escalation โ†’ Lateral Movement โ†’ Kerberoasting โ†’ Delegation Abuse โ†’ Domain Compromise
```

## Requirements

### Hardware
- **RAM:** 16GB minimum (8GB may work with careful VM management)
- **CPU:** 4 cores minimum
- **Storage:** 100GB free space

### Software
- [Vagrant](https://www.vagrantup.com/downloads) (v2.3+)
- [VirtualBox](https://www.virtualbox.org/wiki/Downloads) (v7.0+)
- Attacker machine (Kali Linux recommended)

## Quick Start

### 1. Clone and Navigate

```bash
cd denkair-lab
```

### 2. Start the Lab

```bash
vagrant up
```

This will:
- Create 3 Windows VMs (DC01, WEB01, WS01)
- Configure Active Directory on DC01
- Deploy vulnerable web application on WEB01
- Join WEB01 and WS01 to the domain

### 3. Wait for Provisioning

**Estimated time: 30-60 minutes** (Windows VM downloads + provisioning)

You can monitor progress with:
```bash
vagrant status
```

### 4. Connect to Lab

| Machine | Access Method | Credentials |
|---------|--------------|-------------|
| DC01 | RDP: localhost:3390 | contoso\Administrator / P@ssw0rd |
| WEB01 | RDP: localhost:3391 / http://localhost:5000 | See below |
| WS01 | RDP: localhost:3392 | contoso\jen.smith / JenPass2024! |

## Network Configuration

All machines are on a private host-only network: `192.168.100.0/24`

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                  Host Machine                       โ”‚
โ”‚                                                     โ”‚
โ”‚   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”  โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”           โ”‚
โ”‚   โ”‚   DC01  โ”‚  โ”‚  WEB01  โ”‚  โ”‚  WS01   โ”‚           โ”‚
โ”‚   โ”‚  :3390  โ”‚  โ”‚  :3391  โ”‚  โ”‚  :3392  โ”‚           โ”‚
โ”‚   โ”‚        โ”‚  โ”‚ :5000   โ”‚  โ”‚         โ”‚           โ”‚
โ”‚   โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”˜  โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”˜           โ”‚
โ”‚        โ”‚            โ”‚             โ”‚                 โ”‚
โ”‚        โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                 โ”‚
โ”‚                 192.168.100.0/24                    โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

## Lab Credentials

| Account | Password | Purpose |
|---------|----------|---------|
| Administrator | P@ssw0rd | Domain Admin |
| svc_web | WebSvc123! | Kerberoastable service account |
| jen.smith | JenPass2024! | Local admin on WS01 |

## Attack Path Overview

1. **SQL Injection** - Exploit flight search on WEB01
2. **SSTI** - Gain code execution via template injection
3. **Privilege Escalation** - Exploit unquoted service path
4. **Credential Discovery** - Find plaintext credentials
5. **Lateral Movement** - Move to workstation WS01
6. **BloodHound Analysis** - Enumerate AD attack paths
7. **Kerberoasting** - Crack svc_web password
8. **Constrained Delegation** - Impersonate admin to DC
9. **Silver Ticket** - Persistent access
10. **Domain Compromise** - Full control

See `docs/walkthrough.md` for complete details.

## Using the Lab

### From Attacker Machine (Kali)

1. **Network access:** Ensure you can reach `192.168.100.0/24`

2. **Web application:**
   ```
   http://192.168.100.20:5000
   ```

3. **SMB/WinRM:**
   ```
   crackmapexec winrm 192.168.100.50 -u jen.smith -p 'JenPass2024!'
   ```

### Managing VMs

```bash
# Suspend all VMs
vagrant suspend

# Resume
vagrant resume

# Halt (power off)
vagrant halt

# Destroy and recreate
vagrant destroy -f
vagrant up

# SSH into a VM (via Vagrant)
vagrant ssh dc01
```

## Lab Contents

```
denkair-lab/
โ”œโ”€โ”€ Vagrantfile              # VM configuration
โ”œโ”€โ”€ README.md                # This file
โ”œโ”€โ”€ scripts/
โ”‚   โ”œโ”€โ”€ ad-setup.ps1        # DC01 provisioning (AD setup)
โ”‚   โ”œโ”€โ”€ webapp-setup.ps1    # WEB01 provisioning (vulnerable app)
โ”‚   โ””โ”€โ”€ workstation-setup.ps1  # WS01 provisioning
โ”œโ”€โ”€ web-app/
โ”‚   โ””โ”€โ”€ app.py              # Flask app with SQLi + SSTI
โ””โ”€โ”€ docs/
    โ”œโ”€โ”€ walkthrough.md      # Complete attack walkthrough
    โ””โ”€โ”€ hints.md            # Progressive hints
```

## Vulnerabilities Included

| Vulnerability | Location | Difficulty |
|--------------|----------|------------|
| SQL Injection | WEB01 /search | Easy |
| Server-Side Template Injection | WEB01 /greet | Easy |
| Unquoted Service Path | WEB01 FlightUpdater | Medium |
| Plaintext Credentials | WEB01 C:\backup | Easy |
| Kerberoasting | AD svc_web | Medium |
| Constrained Delegation | AD WEB01 | Hard |
| Credential Reuse | WS01 lateral movement | Easy |

## Troubleshooting

### VMs Won't Start

1. Check VirtualBox is installed correctly
2. Ensure virtualization is enabled in BIOS
3. Try: `vagrant destroy -f && vagrant up`

### Domain Join Fails

The provisioning scripts will fail if DC01 isn't fully set up. Re-run:

```bash
vagrant provision dc01
vagrant provision web01
vagrant provision ws01
```

### Web App Not Working

Connect to WEB01 and check:

```powershell
# Check if Flask is running
Get-Process python

# Restart Flask
cd C:\inetpub\wwwroot\flights
python app.py
```

### Network Connectivity Issues

1. Verify VMs are on host-only network
2. Check Windows Firewall settings
3. Try: `vagrant reload`

## Security Notes

โš ๏ธ **This lab contains intentional vulnerabilities!**

- Do NOT expose to the internet
- Use only in isolated environments
- For authorized testing only

## Cleanup

```bash
# Stop all VMs
vagrant halt

# Destroy all VMs
vagrant destroy -f

# Remove lab directory
cd ..
rm -rf denkair-lab
```

## Additional Resources

- [Attacking Active Directory](https://book.hacktricks.xyz/windows/active-directory-methodology)
- [BloodHound Documentation](https://bloodhound.readthedocs.io/)
- [Rubeus GitHub](https://github.com/GhostPack/Rubeus)
- [Impacket](https://github.com/fortra/impacket)

## Credits

Lab based on enterprise attack chain patterns from real-world pentests.

---

**Happy Hacking!** ๐ŸŽฏ