Share
## https://sploitus.com/exploit?id=78C0E414-8468-5BC3-889D-30C9AE91CEC2
# DenkAir - Windows AD Pentesting Lab
A comprehensive Windows Active Directory penetration testing lab with realistic attack scenarios.
## Lab Overview
This lab simulates an enterprise Windows environment with multiple security misconfigurations that can be exploited in a realistic attack chain:
```
SQLi โ SSTI โ Privilege Escalation โ Lateral Movement โ Kerberoasting โ Delegation Abuse โ Domain Compromise
```
## Requirements
### Hardware
- **RAM:** 16GB minimum (8GB may work with careful VM management)
- **CPU:** 4 cores minimum
- **Storage:** 100GB free space
### Software
- [Vagrant](https://www.vagrantup.com/downloads) (v2.3+)
- [VirtualBox](https://www.virtualbox.org/wiki/Downloads) (v7.0+)
- Attacker machine (Kali Linux recommended)
## Quick Start
### 1. Clone and Navigate
```bash
cd denkair-lab
```
### 2. Start the Lab
```bash
vagrant up
```
This will:
- Create 3 Windows VMs (DC01, WEB01, WS01)
- Configure Active Directory on DC01
- Deploy vulnerable web application on WEB01
- Join WEB01 and WS01 to the domain
### 3. Wait for Provisioning
**Estimated time: 30-60 minutes** (Windows VM downloads + provisioning)
You can monitor progress with:
```bash
vagrant status
```
### 4. Connect to Lab
| Machine | Access Method | Credentials |
|---------|--------------|-------------|
| DC01 | RDP: localhost:3390 | contoso\Administrator / P@ssw0rd |
| WEB01 | RDP: localhost:3391 / http://localhost:5000 | See below |
| WS01 | RDP: localhost:3392 | contoso\jen.smith / JenPass2024! |
## Network Configuration
All machines are on a private host-only network: `192.168.100.0/24`
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Host Machine โ
โ โ
โ โโโโโโโโโโโ โโโโโโโโโโโ โโโโโโโโโโโ โ
โ โ DC01 โ โ WEB01 โ โ WS01 โ โ
โ โ :3390 โ โ :3391 โ โ :3392 โ โ
โ โ โ โ :5000 โ โ โ โ
โ โโโโโโฌโโโโโ โโโโโโฌโโโโโ โโโโโโฌโโโโโ โ
โ โ โ โ โ
โ โโโโโโโโโโโโโโดโโโโโโโโโโโโโโ โ
โ 192.168.100.0/24 โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
## Lab Credentials
| Account | Password | Purpose |
|---------|----------|---------|
| Administrator | P@ssw0rd | Domain Admin |
| svc_web | WebSvc123! | Kerberoastable service account |
| jen.smith | JenPass2024! | Local admin on WS01 |
## Attack Path Overview
1. **SQL Injection** - Exploit flight search on WEB01
2. **SSTI** - Gain code execution via template injection
3. **Privilege Escalation** - Exploit unquoted service path
4. **Credential Discovery** - Find plaintext credentials
5. **Lateral Movement** - Move to workstation WS01
6. **BloodHound Analysis** - Enumerate AD attack paths
7. **Kerberoasting** - Crack svc_web password
8. **Constrained Delegation** - Impersonate admin to DC
9. **Silver Ticket** - Persistent access
10. **Domain Compromise** - Full control
See `docs/walkthrough.md` for complete details.
## Using the Lab
### From Attacker Machine (Kali)
1. **Network access:** Ensure you can reach `192.168.100.0/24`
2. **Web application:**
```
http://192.168.100.20:5000
```
3. **SMB/WinRM:**
```
crackmapexec winrm 192.168.100.50 -u jen.smith -p 'JenPass2024!'
```
### Managing VMs
```bash
# Suspend all VMs
vagrant suspend
# Resume
vagrant resume
# Halt (power off)
vagrant halt
# Destroy and recreate
vagrant destroy -f
vagrant up
# SSH into a VM (via Vagrant)
vagrant ssh dc01
```
## Lab Contents
```
denkair-lab/
โโโ Vagrantfile # VM configuration
โโโ README.md # This file
โโโ scripts/
โ โโโ ad-setup.ps1 # DC01 provisioning (AD setup)
โ โโโ webapp-setup.ps1 # WEB01 provisioning (vulnerable app)
โ โโโ workstation-setup.ps1 # WS01 provisioning
โโโ web-app/
โ โโโ app.py # Flask app with SQLi + SSTI
โโโ docs/
โโโ walkthrough.md # Complete attack walkthrough
โโโ hints.md # Progressive hints
```
## Vulnerabilities Included
| Vulnerability | Location | Difficulty |
|--------------|----------|------------|
| SQL Injection | WEB01 /search | Easy |
| Server-Side Template Injection | WEB01 /greet | Easy |
| Unquoted Service Path | WEB01 FlightUpdater | Medium |
| Plaintext Credentials | WEB01 C:\backup | Easy |
| Kerberoasting | AD svc_web | Medium |
| Constrained Delegation | AD WEB01 | Hard |
| Credential Reuse | WS01 lateral movement | Easy |
## Troubleshooting
### VMs Won't Start
1. Check VirtualBox is installed correctly
2. Ensure virtualization is enabled in BIOS
3. Try: `vagrant destroy -f && vagrant up`
### Domain Join Fails
The provisioning scripts will fail if DC01 isn't fully set up. Re-run:
```bash
vagrant provision dc01
vagrant provision web01
vagrant provision ws01
```
### Web App Not Working
Connect to WEB01 and check:
```powershell
# Check if Flask is running
Get-Process python
# Restart Flask
cd C:\inetpub\wwwroot\flights
python app.py
```
### Network Connectivity Issues
1. Verify VMs are on host-only network
2. Check Windows Firewall settings
3. Try: `vagrant reload`
## Security Notes
โ ๏ธ **This lab contains intentional vulnerabilities!**
- Do NOT expose to the internet
- Use only in isolated environments
- For authorized testing only
## Cleanup
```bash
# Stop all VMs
vagrant halt
# Destroy all VMs
vagrant destroy -f
# Remove lab directory
cd ..
rm -rf denkair-lab
```
## Additional Resources
- [Attacking Active Directory](https://book.hacktricks.xyz/windows/active-directory-methodology)
- [BloodHound Documentation](https://bloodhound.readthedocs.io/)
- [Rubeus GitHub](https://github.com/GhostPack/Rubeus)
- [Impacket](https://github.com/fortra/impacket)
## Credits
Lab based on enterprise attack chain patterns from real-world pentests.
---
**Happy Hacking!** ๐ฏ