AD Lab OffensiveCyberProfessional

Final Active Directory Lab Overview – `corp.local`

Simulate a real enterprise Active Directory environment
Practice enumeration, password attacks, privilege escalation, and lateral movement
Learn to chain together multiple misconfigurations for full domain compromise

Setting	Value
Domain Name	`corp.local`
Domain Controller	Windows Server (GUI version)
Domain Admin Account	`corp\administrator`
Network Adapter Mode	Host-Only or Internal
DNS Role Installed	Yes (used for AD & name resolution)

corp.local
├── HR
├── IT
├── Finance
├── Sales
├── Executives
├── ServiceAccounts
├── Groups
├── Computers

Username	Display Name	Department	Role	Password	Privilege Notes
`jsmith`	John Smith	HR	Assistant	`HRrocks2024!`	Low priv, member of `HR_Admins`
`knguyen`	Kim Nguyen	HR	Manager	`HRmanager2024!`	Higher trust, in `HR_Admins`
`mbrown`	Mary Brown	IT	Admin	`SuperSecure!123`	Added to `Domain Admins`
`rjohnson`	Robert Johnson	IT	Helpdesk	`Helpdesk123`	Low priv, `WriteDACL` on `svc_backup`
`nlee`	Nick Lee	IT	Sec Analyst	`SecAnalyst!`	In `IT_Admins`, RDP rights
`adavis`	Anna Davis	Finance	Accountant	`Finance$Access2024`	Standard user
`bwhite`	Barbara White	Finance	CFO	`FinanceQueen123`	High value target
`tclark`	Tim Clark	Sales	Rep	`Password1`	Weak password, lateral movement target
`jramirez`	Jose Ramirez	Sales	Manager	`Sales123`	Member of `Helpdesk`, weak password
`ajones`	Alice Jones	Executive	CEO	`CEO_StrongPass2024!`	High value target
`svc_backup`	Backup Service	ServiceAccount	Runs backups	`SvcBack!2024`	Has SPN, member of Domain Admins
`svc_webapp`	Web App Service	ServiceAccount	Runs web app	`WebAppUser!`	Has SPN, low priv

Group Name	Members	Purpose
`HR_Admins`	`jsmith`, `knguyen`	HR OU access
`IT_Admins`	`mbrown`, `nlee`	Admins of IT systems
`Finance_Users`	`adavis`, `bwhite`	Finance share access
`Helpdesk`	`rjohnson`, `jramirez`	Password resets, low priv group
`OU_HR_PolicyManagers`	`HR_Admins`	Nested delegation scenario
`Domain Admins`	`administrator`, `mbrown`, `svc_backup`	Full domain access

Technique	Where	How to Exploit
Kerberoasting	`svc_backup`, `svc_webapp`	SPNs assigned, request TGS, crack offline
GPP Password Exposure	`\\corp.local\SYSVOL\...`	`Groups.xml` with `gppPassword123!`
WriteDACL Abuse	`rjohnson` → `svc_backup`	Use PowerView or BloodHound to escalate
Weak Passwords	`tclark`, `jramirez`	Password spraying, brute-force
High Privilege Service	`svc_backup`	Has Domain Admin rights, crack = DA
Group Nesting	`HR_Admins` in `PolicyManagers`	Lateral edge for BloodHound
Dummy Credentials	`creds.txt` on `jsmith`‘s Desktop	Manual discovery / credential reuse
SPNs on Services	`http/webapp`, `backup/corpdc`	Kerberoast via Impacket

Accessible with:

smbclient -L \\dc-ip -U jsmith

Category	Techniques/Tools
🧭 Enumeration	`ldapsearch`, `rpcclient`, `net user`, PowerView, BloodHound
🗝️ Credential Attacks	Kerberoasting, AS-REP Roasting, Password Spraying
🧬 Privilege Escalation	GPP Decryption, ACL abuse, group nesting
🔄 Lateral Movement	Use stolen creds for `PsExec`, `Enter-PSSession`, `RDP`
🔎 Service Enumeration	Enumerate shares, services, logged-in users
🧠 Path Chaining	Low-priv user → ACL abuse → Kerberoast → Domain Admin

Tool	Use Case
PowerView	AD enumeration, ACL abuse
BloodHound	Full AD relationship mapping
Mimikatz	Credential dumping, pass-the-hash
CrackMapExec	Quick AD recon, pwn checks
Impacket tools	`GetUserSPNs.py`, `secretsdump.py`, etc.
SMB tools	`smbclient`, `enum4linux`, `rpcclient`