Active Directory, ctf, Hack the Box, pentest, Prolab

Offshore – A Windows Active Directory Pentesting Lab

Intro

In August ch4p from Hack the Box approached me with an offer to build a CTF for the annual Greek capture the flag event called Panoptis. The idea was to build a unique Active Directory lab environment to challenge CTF competitors by exposing them to a simulated real-world penetration test (pretty rare for a CTF). I spent a bit over a month building the first iteration of the lab and thus Offshore was born.

I flew to Athens, Greece for a week to provide on-site support during the lab. Overall the CTF lab was a hit and very well received by the competitors and others involved with the event.

Afterwards, ch4p offered for me to further build out the lab and eventually offer it as a Pro Lab on the main Hack the Box website. I spent another 3 or so months refining elements within the lab, increasing the overall size and difficulty and causing ch4p a lot of stress by asking for more and more storage, ram and virtual networks.

I spent countless hours with the goal of building a realistic Active Directory based lab that had the feel of a real-world corporate environment made up of many things I have seen during internal/external penetration testing engagements over the years.  My goal was to produce a lab that would be accessible and achievable by junior penetration testers, help mid-level folks improve their skills and even provide a bit of a challenge to seasoned veterans. The lab also serves as a test bed to try out many common and obscure AD attacks that you may read about but either never encounter during a real-world engagement or do not have the proper testing environment to practice and refine the techniques.

The lab went live on September 1, 2018 and has been a hit so far. Of course there were a few issues I had to hammer out after go-live and some lessons learned but overall it has been a success.  This project has been an exciting and humbling experience. I learned a ton while building this and configuring many of the attacks. So far feedback has been positive.

Anyways, lets get into a description of the lab.

Description

You are an agent tasked with exposing money laundering operations in an offshore international bank. Breach the DMZ and pivot through the internal network to locate the bank’s protected databases and a shocking list of international clients. OFFSHORE is designed to simulate a real-world penetration test, starting from an external position on the internet and gaining a foothold inside a simulated corporate Windows Active Directory network. Users will have to pivot and jump across trust boundaries to complete the lab. This lab is intended to expose participants to:

  • Web application attacks
  • Enumeration
  • Exploitation of common and obscure real-world Active Directory flaws
  • Local privilege escalation
  • Lateral movement and crossing trust boundaries
  • Evading endpoint protections
  • Reverse engineering
  • Out-of-the-box thinking

Players will have the opportunity to attack 16 hosts of various operating system types and versions to obtain 29 flags across a realistic Active Directory lab environment with various standalone challenges hidden throughout. The Active Directory lab simulates the look and feel of a real-world corporate network complete with very active simulated users and other elements of a busy enterprise. The lab is designed to start out relatively easy and progress in difficulty throughout.

Users will start from an external perspective and have to penetrate the “DMZ” and then move laterally through the CORP.LOCAL, DEV, ADMIN and CLIENT forests to complete the lab.

Target Audience

I designed Offshore to appeal to a wide variety of users, everyone from junior-level penetration testers to seasoned testers as well as infosec hobbyists and even blue teamers, there is something for everyone. I can pretty much guarantee you will pick up at least a few new tricks which can be immediately applied to your real-world engagements or take back to your organization to  help improve the overall security posture.

Pricing

Please reach out for pricing. Tickets are available for 30, 60, or 90 days of access for individuals. Corporate pricing is also available for larger groups.

Additional Information

Offshore is hosted in conjunction with Hack the Box  (https://www.hackthebox.eu). Participants will receive a VPN key to connect directly to the lab.

Once connected to VPN, the entry point for the lab is 10.10.110.0/24.  *Note* The firewall at 10.10.110.3 is out of scope.

If you have questions or would like to learn more about the lab, feel free to contact me on Twitter or on Mattermost. Participants in the lab will have access to a private Offshore channel on the  Netsecfocus  Mattermost (https://chat.netsecfocus.com/join).