Skip to content

haltacademy/GOAD-Docker-Lab

Repository files navigation

GOAD Docker Lab Banner

GOAD-Docker β€” Game of Active Directory in Docker

A complete, self-contained Active Directory attack lab running purely in Docker.
Inspired by Orange Cyberdefense GOAD. Implemented with Samba AD, Linux containers, MSSQL, and full attack tooling.

Docker Linux & Windows Cybersecurity License


⚠️ Security Warning

Caution

This lab is EXTREMELY VULNERABLE by design.

  • Never expose it to the internet
  • Use only on isolated/private networks
  • Destroy completely when not in use

πŸ—οΈ Architecture

graph TD
    subgraph "sevenkingdoms.local (Forest Root)"
        DC1[DC1: sevenkingdoms.local<br/>10.10.10.10]
        DC2[DC2: north.sevenkingdoms.local<br/>10.10.10.11]
        SQL1[(SQL01: castelblack<br/>10.10.10.20)]
        WEB1[[WEB01: castelblack<br/>10.10.10.30]]
        FS1[[FS01: fileserver<br/>10.10.10.40]]
        
        DC1 <--> |Child Trust| DC2
        SQL1 --- DC1
        WEB1 --- DC1
        FS1 --- DC1
    end

    subgraph "essos.local (External Forest)"
        DC3[DC3: essos.local<br/>10.10.20.10]
        SQL2[(SQL02: braavos<br/>10.10.20.20)]
        FS2[[FS02: fileserver<br/>10.10.20.40]]
        
        SQL2 --- DC3
        FS2 --- DC3
    end

    DC1 <--> |Bidirectional Forest Trust| DC3

    style DC1 fill:#2c3e50,stroke:#f39c12,stroke-width:2px,color:#fff
    style DC2 fill:#2c3e50,stroke:#3498db,stroke-width:2px,color:#fff
    style DC3 fill:#2c3e50,stroke:#e74c3c,stroke-width:2px,color:#fff
Loading

πŸ› οΈ Prerequisites

Requirement Minimum
Docker Engine β‰₯ 24.0
Docker Compose β‰₯ 2.20
RAM 16 GB recommended (8 GB minimum)
Disk 40 GB free space
OS Linux, Windows (WSL2 / Docker Desktop), or macOS

πŸš€ Quick Start

🐧 Linux/macOS users:

# 1. Clone the project
git clone git@github.com:haltacademy/GOAD-Docker-Lab.git
cd GOAD-Docker-Lab

# 2. Deploy (automated)
chmod +x scripts/*.sh
./start.sh

πŸͺŸ Windows users:

# Open PowerShell as Administrator
git clone git@github.com:haltacademy/GOAD-Docker-Lab.git
cd GOAD-Docker-Lab

# Deploy using our custom wrapper!
.\start.ps1

Tip

Run ./scripts/setup-attacker.sh on your local Linux host to install all necessary offensive tools (impacket, bloodhound-python, certipy, etc.) into isolated pipx environments.


🌐 Services & Credentials

Service URL / Address Credentials
BloodHound CE http://localhost:8081 admin@goad.local / BloodH0und!CE
Neo4j Browser http://localhost:7474 neo4j / Neo4j!GOAD123
DVWA http://localhost:8080/dvwa admin / password
Internal Portal http://localhost:8080/portal (Vulnerable β€” try SQLi!)
SQL01 localhost:1433 sa / SqlP@ss!Castle1
SQL02 localhost:1434 sa / SqlP@ss!Essos1

βš”οΈ Attack Scenarios

This lab is packed with real-world Active Directory vulnerabilities. See attack-paths/README.md for 25 fully documented attack chains, including:

Phase Attacks You Will Practice
Initial Access AS-REP Roasting, Password Spraying, Web SQLi, Local File Inclusion (LFI)
Privilege Escalation Kerberoasting, LAPS Abuse, GenericAll, WriteDACL, AddMember
Lateral Movement Pass-the-Hash, SQL Linked Server Abuse, SMB Relay, Trust Abuse
Domain Dominance DCSync, Constrained/Unconstrained Delegation, RBCD, Shadow Credentials

πŸ“‹ Student TODO β€” Progress Tracker

Note

Work through these challenges in order. Each tier builds on the skills from the previous one. Check off tasks as you complete them and track your progress!

🏁 How to Use This Tracker

  • Open a terminal on your Kali Linux attacker machine
  • Connect to the lab network (VPN / Docker host)
  • Use attack-paths/README.md for detailed commands and expected output
  • Mark each task [x] once you have confirmed the expected result

🟒 Tier 1 β€” Initiation (Start Here)

No credentials required. Pure network reconnaissance and initial exploitation.

  • [Path 03] Run a password spray against sevenkingdoms.local β€” confirm guard01:Welcome1 is valid
  • [Path 01] Run AS-REP Roasting with GetNPUsers.py β€” obtain hashes for sansa.stark and bran.stark
  • [Path 01] Crack the AS-REP hashes with hashcat β€” recover plaintext passwords
  • [Path 10] Browse SYSVOL over SMB without credentials β€” find and decrypt the GPP cPassword
  • [Path 14] Use ldapsearch or netexec to find plaintext passwords hidden in AD description fields
  • [Path 23] Exploit the SQL injection on http://10.10.10.30/portal β€” dump the Employees table
  • [Path 24] Exploit the Local File Inclusion (LFI) vulnerability β€” read /etc/passwd from the web server

βœ… Tier 1 Complete when: You have at least 3 valid domain credentials and one set of DA-level creds from the web app.


🟑 Tier 2 β€” Escalation (Building Access)

Requires valid credentials obtained in Tier 1.

  • [Path 02] Kerberoast all SPNs β€” crack svc-sql01:ServiceSQL1234
  • [Path 02] Connect to SQL01 with mssqlclient.py and execute OS commands via xp_cmdshell
  • [Path 12] Use SQL EXECUTE AS impersonation chain β€” elevate from guard01 to sa inside the MSSQL instance
  • [Path 13] Harvest registry hives (SAM + SYSTEM) from SQL01 via xp_cmdshell
  • [Path 06] Set up Responder + ntlmrelayx β€” relay an NTLM auth to LDAP and grant DCSync rights
  • [Path 15] Abuse the LAPS-like description field as jorah.mormont β€” read the backup service account's local admin password
  • [Path 16] Use svc-helpdesk's ForceChangePassword right to reset a guard account and authenticate as it

βœ… Tier 2 Complete when: You can execute OS commands on at least one domain server and have compromised a service account.


πŸ”΄ Tier 3 β€” Domination (AD Control)

Advanced Active Directory attacks requiring elevated access.

  • [Path 07] Run secretsdump.py as svc-deploy β€” dump all NTLM hashes for sevenkingdoms.local
  • [Path 08] Perform Pass-the-Hash with the Administrator hash β€” get a shell on DC1
  • [Path 04] Exploit cersei.lannister's GenericAll ACL β€” add an account to Domain Admins
  • [Path 09] Exploit tyrion.lannister's WriteDACL right β€” grant DCSync privileges to svc-deploy
  • [Path 17] Use WriteOwner as jaime.lannister β€” take ownership of the HouseLannister group and modify its DACL
  • [Path 18] Use bronn.sellsword's AddMember right β€” add an account to HelpDesk and chain to ForceChangePassword
  • [Path 21] Add Shadow Credentials to svc-sql01 as svc-monitoring β€” obtain its NT hash without knowing its password

βœ… Tier 3 Complete when: You have Domain Admin in sevenkingdoms.local and can DCSync the entire domain.


⚫ Tier 4 β€” Mastery (Cross-Forest & Delegation)

Expert-level attacks spanning multiple domains and forests.

  • [Path 05] Compromise svc-web01 and capture a DA TGT via Unconstrained Delegation + printerbug
  • [Path 19] Exploit Constrained Delegation on svc-sql01 β€” impersonate Administrator and access DC1's CIFS share
  • [Path 20] Perform a full RBCD attack on DC2-WINTERFELL β€” use samwell.tarly's write access to become DA on north.sevenkingdoms.local
  • [Path 11] Abuse the SQL linked server β€” run xp_cmdshell on SQL02-BRAAVOS (essos.local) from SQL01
  • [Path 22] Pivot across the forest trust β€” Kerberoast essos.local service accounts from a sevenkingdoms.local DA context
  • [Path 22] Crack dragon.svc ticket β€” fully compromise essos.local

βœ… Tier 4 Complete when: Both forests (sevenkingdoms.local + essos.local) are fully compromised.


πŸ† Bonus β€” Full Kill Chain

Complete the entire lab as one connected, end-to-end attack.

  • [Path 25] Execute the Full Chain (Web β†’ SQL β†’ AD β†’ DA β†’ Cross-Forest) documented in Path 25
    • Step 1: SQLi on web portal β†’ get cersei.lannister credentials
    • Step 2: Exploit GenericAll β†’ add attacker account to Domain Admins
    • Step 3: DCSync sevenkingdoms.local β†’ dump all hashes
    • Step 4: Cross forest trust β†’ Kerberoast essos.local
    • Step 5: Crack dragon.svc β†’ access essos.local
    • Step 6: SQL linked server β†’ xp_cmdshell on SQL02-BRAAVOS
    • Step 7: Recover daenerys.targaryen:DragonQueen#1 β†’ full DA on essos.local
    • Step 8: Both forests fully owned βœ“

πŸ“Š Scoring

Tier Tasks Points Each Max Points
🟒 Tier 1 β€” Initiation 7 tasks 5 pts 35 pts
🟑 Tier 2 β€” Escalation 7 tasks 10 pts 70 pts
πŸ”΄ Tier 3 β€” Domination 7 tasks 15 pts 105 pts
⚫ Tier 4 β€” Mastery 6 tasks 20 pts 120 pts
πŸ† Full Kill Chain 8 steps 5 pts ea 40 pts
Total 370 pts

Tip

Stuck? Use BloodHound CE at http://localhost:8081 with the collection commands in attack-paths/README.md to visually map attack paths.

Important

All activities must be performed only within this lab environment. Never test these techniques on systems you do not own or have explicit written permission to test.


🧹 Cleanup

When you are done with your pentest, destroy the lab completely to free up resources.

Linux:

./stop.sh

Windows:

.\stop.ps1

πŸ“œ Directory Structure

goad-docker-lab/
β”œβ”€β”€ attack-paths/            # 25 documented attack chains
β”œβ”€β”€ bloodhound/              # BloodHound CE config + custom queries
β”œβ”€β”€ docs/images/             # Repository assets
β”œβ”€β”€ fileserver/              # SMB file shares
β”œβ”€β”€ samba/                   # Samba Domain Controller builds
β”œβ”€β”€ scripts/                 # Automated deployment/destruction/tests
β”œβ”€β”€ sql/                     # MSSQL containers + init scripts
β”œβ”€β”€ tests/                   # Automated validation tests
β”œβ”€β”€ web/                     # DVWA + vulnerable portal
β”œβ”€β”€ docker-compose.yml       # Core infrastructure definition
β”œβ”€β”€ start.sh / start.ps1     # One-click start wrappers
└── stop.sh / stop.ps1       # One-click teardown wrappers

Created for educational and authorized penetration testing training only.

About

game of active directory

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors