A complete, self-contained Active Directory attack lab running purely in Docker.
Inspired by Orange Cyberdefense GOAD. Implemented with Samba AD, Linux containers, MSSQL, and full attack tooling.
Caution
This lab is EXTREMELY VULNERABLE by design.
- Never expose it to the internet
- Use only on isolated/private networks
- Destroy completely when not in use
graph TD
subgraph "sevenkingdoms.local (Forest Root)"
DC1[DC1: sevenkingdoms.local<br/>10.10.10.10]
DC2[DC2: north.sevenkingdoms.local<br/>10.10.10.11]
SQL1[(SQL01: castelblack<br/>10.10.10.20)]
WEB1[[WEB01: castelblack<br/>10.10.10.30]]
FS1[[FS01: fileserver<br/>10.10.10.40]]
DC1 <--> |Child Trust| DC2
SQL1 --- DC1
WEB1 --- DC1
FS1 --- DC1
end
subgraph "essos.local (External Forest)"
DC3[DC3: essos.local<br/>10.10.20.10]
SQL2[(SQL02: braavos<br/>10.10.20.20)]
FS2[[FS02: fileserver<br/>10.10.20.40]]
SQL2 --- DC3
FS2 --- DC3
end
DC1 <--> |Bidirectional Forest Trust| DC3
style DC1 fill:#2c3e50,stroke:#f39c12,stroke-width:2px,color:#fff
style DC2 fill:#2c3e50,stroke:#3498db,stroke-width:2px,color:#fff
style DC3 fill:#2c3e50,stroke:#e74c3c,stroke-width:2px,color:#fff
| Requirement | Minimum |
|---|---|
| Docker Engine | β₯ 24.0 |
| Docker Compose | β₯ 2.20 |
| RAM | 16 GB recommended (8 GB minimum) |
| Disk | 40 GB free space |
| OS | Linux, Windows (WSL2 / Docker Desktop), or macOS |
# 1. Clone the project
git clone git@github.com:haltacademy/GOAD-Docker-Lab.git
cd GOAD-Docker-Lab
# 2. Deploy (automated)
chmod +x scripts/*.sh
./start.sh# Open PowerShell as Administrator
git clone git@github.com:haltacademy/GOAD-Docker-Lab.git
cd GOAD-Docker-Lab
# Deploy using our custom wrapper!
.\start.ps1Tip
Run ./scripts/setup-attacker.sh on your local Linux host to install all necessary offensive tools (impacket, bloodhound-python, certipy, etc.) into isolated pipx environments.
| Service | URL / Address | Credentials |
|---|---|---|
| BloodHound CE | http://localhost:8081 | admin@goad.local / BloodH0und!CE |
| Neo4j Browser | http://localhost:7474 | neo4j / Neo4j!GOAD123 |
| DVWA | http://localhost:8080/dvwa | admin / password |
| Internal Portal | http://localhost:8080/portal | (Vulnerable β try SQLi!) |
| SQL01 | localhost:1433 | sa / SqlP@ss!Castle1 |
| SQL02 | localhost:1434 | sa / SqlP@ss!Essos1 |
This lab is packed with real-world Active Directory vulnerabilities. See attack-paths/README.md for 25 fully documented attack chains, including:
| Phase | Attacks You Will Practice |
|---|---|
| Initial Access | AS-REP Roasting, Password Spraying, Web SQLi, Local File Inclusion (LFI) |
| Privilege Escalation | Kerberoasting, LAPS Abuse, GenericAll, WriteDACL, AddMember |
| Lateral Movement | Pass-the-Hash, SQL Linked Server Abuse, SMB Relay, Trust Abuse |
| Domain Dominance | DCSync, Constrained/Unconstrained Delegation, RBCD, Shadow Credentials |
Note
Work through these challenges in order. Each tier builds on the skills from the previous one. Check off tasks as you complete them and track your progress!
- Open a terminal on your Kali Linux attacker machine
- Connect to the lab network (VPN / Docker host)
- Use
attack-paths/README.mdfor detailed commands and expected output - Mark each task
[x]once you have confirmed the expected result
No credentials required. Pure network reconnaissance and initial exploitation.
- [Path 03] Run a password spray against
sevenkingdoms.localβ confirmguard01:Welcome1is valid - [Path 01] Run AS-REP Roasting with
GetNPUsers.pyβ obtain hashes forsansa.starkandbran.stark - [Path 01] Crack the AS-REP hashes with
hashcatβ recover plaintext passwords - [Path 10] Browse SYSVOL over SMB without credentials β find and decrypt the GPP cPassword
- [Path 14] Use
ldapsearchornetexecto find plaintext passwords hidden in AD description fields - [Path 23] Exploit the SQL injection on
http://10.10.10.30/portalβ dump the Employees table - [Path 24] Exploit the Local File Inclusion (LFI) vulnerability β read
/etc/passwdfrom the web server
β Tier 1 Complete when: You have at least 3 valid domain credentials and one set of DA-level creds from the web app.
Requires valid credentials obtained in Tier 1.
- [Path 02] Kerberoast all SPNs β crack
svc-sql01:ServiceSQL1234 - [Path 02] Connect to SQL01 with
mssqlclient.pyand execute OS commands viaxp_cmdshell - [Path 12] Use SQL
EXECUTE ASimpersonation chain β elevate fromguard01tosainside the MSSQL instance - [Path 13] Harvest registry hives (
SAM+SYSTEM) from SQL01 viaxp_cmdshell - [Path 06] Set up
Responder+ntlmrelayxβ relay an NTLM auth to LDAP and grant DCSync rights - [Path 15] Abuse the LAPS-like description field as
jorah.mormontβ read the backup service account's local admin password - [Path 16] Use
svc-helpdesk'sForceChangePasswordright to reset a guard account and authenticate as it
β Tier 2 Complete when: You can execute OS commands on at least one domain server and have compromised a service account.
Advanced Active Directory attacks requiring elevated access.
- [Path 07] Run
secretsdump.pyassvc-deployβ dump all NTLM hashes forsevenkingdoms.local - [Path 08] Perform Pass-the-Hash with the Administrator hash β get a shell on DC1
- [Path 04] Exploit
cersei.lannister'sGenericAllACL β add an account to Domain Admins - [Path 09] Exploit
tyrion.lannister'sWriteDACLright β grant DCSync privileges tosvc-deploy - [Path 17] Use
WriteOwnerasjaime.lannisterβ take ownership of theHouseLannistergroup and modify its DACL - [Path 18] Use
bronn.sellsword'sAddMemberright β add an account toHelpDeskand chain to ForceChangePassword - [Path 21] Add Shadow Credentials to
svc-sql01assvc-monitoringβ obtain its NT hash without knowing its password
β
Tier 3 Complete when: You have Domain Admin in sevenkingdoms.local and can DCSync the entire domain.
Expert-level attacks spanning multiple domains and forests.
- [Path 05] Compromise
svc-web01and capture a DA TGT via Unconstrained Delegation +printerbug - [Path 19] Exploit Constrained Delegation on
svc-sql01β impersonateAdministratorand access DC1's CIFS share - [Path 20] Perform a full RBCD attack on
DC2-WINTERFELLβ usesamwell.tarly's write access to become DA onnorth.sevenkingdoms.local - [Path 11] Abuse the SQL linked server β run
xp_cmdshellonSQL02-BRAAVOS(essos.local) fromSQL01 - [Path 22] Pivot across the forest trust β Kerberoast
essos.localservice accounts from asevenkingdoms.localDA context - [Path 22] Crack
dragon.svcticket β fully compromiseessos.local
β
Tier 4 Complete when: Both forests (sevenkingdoms.local + essos.local) are fully compromised.
Complete the entire lab as one connected, end-to-end attack.
- [Path 25] Execute the Full Chain (Web β SQL β AD β DA β Cross-Forest) documented in Path 25
- Step 1: SQLi on web portal β get
cersei.lannistercredentials - Step 2: Exploit
GenericAllβ add attacker account to Domain Admins - Step 3: DCSync
sevenkingdoms.localβ dump all hashes - Step 4: Cross forest trust β Kerberoast
essos.local - Step 5: Crack
dragon.svcβ accessessos.local - Step 6: SQL linked server β
xp_cmdshellonSQL02-BRAAVOS - Step 7: Recover
daenerys.targaryen:DragonQueen#1β full DA onessos.local - Step 8: Both forests fully owned β
- Step 1: SQLi on web portal β get
| Tier | Tasks | Points Each | Max Points |
|---|---|---|---|
| π’ Tier 1 β Initiation | 7 tasks | 5 pts | 35 pts |
| π‘ Tier 2 β Escalation | 7 tasks | 10 pts | 70 pts |
| π΄ Tier 3 β Domination | 7 tasks | 15 pts | 105 pts |
| β« Tier 4 β Mastery | 6 tasks | 20 pts | 120 pts |
| π Full Kill Chain | 8 steps | 5 pts ea | 40 pts |
| Total | 370 pts |
Tip
Stuck? Use BloodHound CE at http://localhost:8081 with the collection commands in attack-paths/README.md to visually map attack paths.
Important
All activities must be performed only within this lab environment. Never test these techniques on systems you do not own or have explicit written permission to test.
When you are done with your pentest, destroy the lab completely to free up resources.
Linux:
./stop.shWindows:
.\stop.ps1goad-docker-lab/
βββ attack-paths/ # 25 documented attack chains
βββ bloodhound/ # BloodHound CE config + custom queries
βββ docs/images/ # Repository assets
βββ fileserver/ # SMB file shares
βββ samba/ # Samba Domain Controller builds
βββ scripts/ # Automated deployment/destruction/tests
βββ sql/ # MSSQL containers + init scripts
βββ tests/ # Automated validation tests
βββ web/ # DVWA + vulnerable portal
βββ docker-compose.yml # Core infrastructure definition
βββ start.sh / start.ps1 # One-click start wrappers
βββ stop.sh / stop.ps1 # One-click teardown wrappers