adip-offensec/AdvExploitLab

AdvExploitLab - Active Directory Exploitation Lab

A realistic Active Directory attack simulation lab with a complete attack chain from initial web shell to domain compromise.

Lab Architecture

| Hostname | OS | IP | Role |
|---|---|---|---|
| dc01 | Windows Server 2022 | 192.168.56.10 | Domain Controller |
| web01 | Ubuntu Server 20.04 | 192.168.56.20 | Web server with vulnerable file upload |
| client01 | Windows 10 | 192.168.56.30 | Workstation with scheduled task misconfiguration |

Domain: exploitlab.local
Network: Private host-only 192.168.56.0/24

Credentials

| Username | Password | Purpose |
|---|---|---|
| web_svc | WebSvc123! | Domain user |
| jdoe | Password123 | Domain user, local admin on client01 |
| svc_backup | Backup123 | Service account (Kerberoastable) |
| Administrator | P@ssw0rd! | Domain admin |

Quick Start

1. Prerequisites

# Install VirtualBox and Vagrant
# Download from:
# - VirtualBox: https://www.virtualbox.org/wiki/Downloads
# - Vagrant: https://www.vagrantup.com/downloads

Requirements:

  • 6-8 GB RAM
  • 60 GB free disk
  • VirtualBox + Vagrant installed

2. Deploy the Lab

cd /home/adip/AdvExploitLab
vagrant up

First boot takes ~15-25 minutes (AD promotion, package installations).

3. Post-Deployment Verification

After vagrant up completes:

a) Verify DNS resolution (from client01):

nslookup dc01.exploitlab.local
# Should return 192.168.56.10

b) Verify delegation settings:

  1. Log into dc01 as EXPLOITLAB\Administrator (password: P@ssw0rd!)
  2. Open Active Directory Users and Computers
  3. Find svc_backup → right-click → Properties → Delegation tab
  4. Confirm "Trust this user for delegation to specified services only" is selected
  5. Verify cifs/dc01.exploitlab.local is listed
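
The same Delegation-tab check can be run from PowerShell on dc01. This is an added example, not one of the repository's scripts: `Test-LabDelegation` is a hypothetical helper name, and it assumes the ActiveDirectory module is available on the domain controller.

```powershell
# Added example: command-line equivalent of the GUI delegation check above.
# Run on dc01 as EXPLOITLAB\Administrator.
# Test-LabDelegation is a hypothetical helper, not part of the lab's scripts.
Import-Module ActiveDirectory

function Test-LabDelegation {
    param(
        [string]$Account     = 'svc_backup',
        [string]$ExpectedSpn = 'cifs/dc01.exploitlab.local'
    )

    $props = 'msDS-AllowedToDelegateTo', 'ServicePrincipalNames',
             'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $user  = Get-ADUser -Identity $Account -Properties $props

    # Services listed on the Delegation tab are stored in msDS-AllowedToDelegateTo.
    $targets = @($user.'msDS-AllowedToDelegateTo')
    $hasSpn  = @($user.ServicePrincipalNames).Count -gt 0
    $listed  = $targets -contains $ExpectedSpn   # string match is case-insensitive

    [pscustomobject]@{
        Account            = $user.SamAccountName
        # The Delegation tab only appears once the account has an SPN.
        HasSpn             = $hasSpn
        # True here would mean "delegation to any service" (unconstrained),
        # which is not what the lab expects for this account.
        Unconstrained      = [bool]$user.TrustedForDelegation
        # True means "Use any authentication protocol" (protocol transition);
        # reported for information, the README does not state which is set.
        ProtocolTransition = [bool]$user.TrustedToAuthForDelegation
        AllowedTargets     = $targets -join ', '
        ExpectedSpnListed  = $listed
        # Matches steps 4 and 5: constrained delegation with the expected service.
        MatchesLabConfig   = $hasSpn -and $listed -and -not $user.TrustedForDelegation
    }
}

$result = Test-LabDelegation
$result | Format-List
if (-not $result.MatchesLabConfig) {
    Write-Warning "Delegation on $($result.Account) does not match the expected lab configuration."
}
```

If `MatchesLabConfig` is `False`, compare `AllowedTargets` with the entry expected in step 5 and re-check the provisioning output for dc01.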

c) Test file upload:

# From attacker machine (or Kali VM)
curl http://192.168.56.20/
# Upload test PHP file
curl -F "file=@scripts/payloads/php-reverse-shell.php" http://192.168.56.20/upload.php
# Access it
curl http://192.168.56.20/uploads/php-reverse-shell.php

File Structure

AdvExploitLab/
├── Vagrantfile
└── scripts/
    ├── provision-dc.ps1       # AD DS setup, users, SPN, delegation
    ├── provision-web.sh      # Apache + PHP + MySQL
    ├── setup-web.sh          # Vulnerable file upload page
    ├── provision-client.ps1  # DNS, domain join
    ├── setup-client.ps1      # SMB share, scheduled task
    └── payloads/
        ├── php-reverse-shell.php
        └── powershell-rev.ps1

Troubleshooting

| Issue | Solution |
|---|---|
| File upload fails | Check /var/www/html/uploads permissions |
| Scheduled task not running | Log into client01 as jdoe once to create profile |
| DNS issues | Run ipconfig /flushdns on client01 |
| Vagrant timeout | Increase boot_timeout in Vagrantfile |

Clean Up

cd /home/adip/AdvExploitLab
vagrant destroy -f

Warning

This lab contains intentionally vulnerable configurations for educational purposes only. Do not deploy in production environments or on networks connected to the internet.
