BarbHack CTF 2024 (Gotham City - Active Directory Lab)
Huge shout out to @ladhaAleem for converting the "BarbHack CTF 2024 (Gotham City - Active Directory Lab)" workshop created by @mpgn_x64 to an Ansible playbook and making it work with Ludus as well!
Description from BarbHack CTF 2024
Welcome to the NetExec Active Directory Lab! This lab is designed to teach you how to exploit Active Directory (AD) environments using the powerful tool NetExec.
Originally featured in the Barbhack 2024 CTF, this lab is now available for free to everyone! In this lab, you’ll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest.
The ultimate goal? Become Domain Administrator by following various attack paths, using nothing but NetExec! And maybe BloodHound (why not?)
Obviously, do not cheat by looking at the passwords and flags in the recipe files; the lab must be completed from no user to full compromise.
Use nothing but NetExec! And maybe BloodHound (why not?)
Have fun!
Deployment
1. Deploy VMs
Set and deploy the configuration for the lab.
git clone https://github.com/Pennyw0rth/NetExec-Lab
ludus range config set -f NetExec-Lab/BARBHACK-2024/ad/BARBHACK/providers/ludus/config.yml
ludus range deploy
# Wait for the range to successfully deploy
# You can watch the logs with `ludus range logs -f`
# Or check the status with `ludus range status`
2. Install requirements
If you are running this guide on the Ludus host, you can skip this step: it already has all the requirements.
Install Ansible and its requirements for the BarbHack lab on your local machine.
# You can use a virtualenv here if you would like
python3 -m pip install ansible-core
python3 -m pip install pywinrm
cd NetExec-Lab/BARBHACK-2024/ansible
ansible-galaxy install -r requirements.yml
3. Set up the inventory files
The inventory files are already present in the providers folder; replace RANGENUMBER with your range number using sed (commands provided below).
Linux or Ludus host:
cd NetExec-Lab/BARBHACK-2024/ansible
# go to the ansible directory as above
export RANGENUMBER=$(ludus range list --json | jq '.rangeNumber')
# `sudo apt install jq` if you don't have jq
sed -i "s/RANGENUMBER/$RANGENUMBER/g" ../ad/BARBHACK/providers/ludus/inventory.yml
sed -i "s/RANGENUMBER/$RANGENUMBER/g" ../ad/BARBHACK/providers/ludus/inventory_disableludus.yml
macOS:
cd NetExec-Lab/BARBHACK-2024/ansible
# go to the ansible directory as above
export RANGENUMBER=$(ludus range list --json | jq '.rangeNumber')
# `brew install jq` if you don't have jq
sed -i '' "s/RANGENUMBER/$RANGENUMBER/g" ../ad/BARBHACK/providers/ludus/inventory.yml
sed -i '' "s/RANGENUMBER/$RANGENUMBER/g" ../ad/BARBHACK/providers/ludus/inventory_disableludus.yml
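The two sed variants above differ only in the `-i` syntax of GNU and BSD sed. The following shell function, an added example rather than part of the Ludus docs or the NetExec-Lab repository, does the same substitution portably and checks that the range number is an integer and that no placeholder survives, since a leftover `10.RANGENUMBER.x.x` address would make Ansible target a nonexistent host. The inventory paths and the `ludus`/`jq` invocation are taken from the steps above.

```shell
#!/bin/sh
# Added example: portable RANGENUMBER substitution for the BarbHack inventory files.
# Not part of the Ludus documentation or the NetExec-Lab repository.

# Substitute RANGENUMBER in one inventory file.
# Args: range number, file path. Returns 1 on a bad number, missing file,
# or if a placeholder is still present after editing.
fill_range_number() {
  range="$1"
  file="$2"
  # `ludus range list --json | jq` prints "null" when not logged in; reject that.
  case "$range" in
    ''|*[!0-9]*) echo "invalid range number: '$range'" >&2; return 1 ;;
  esac
  [ -f "$file" ] || { echo "missing inventory file: $file" >&2; return 1; }
  # GNU sed accepts `-i` alone; BSD sed (macOS) needs an explicit empty suffix.
  if sed --version >/dev/null 2>&1; then
    sed -i "s/RANGENUMBER/$range/g" "$file"
  else
    sed -i '' "s/RANGENUMBER/$range/g" "$file"
  fi
  # Fail loudly if any placeholder is left so the playbook never runs against it.
  if grep -q RANGENUMBER "$file"; then
    echo "placeholder still present in $file" >&2
    return 1
  fi
  return 0
}

# Read the range number from the ludus CLI (as in the docs) and fill both files.
# Run from NetExec-Lab/BARBHACK-2024/ansible.
fill_all() {
  range=$(ludus range list --json | jq -r '.rangeNumber') || return 1
  for f in ../ad/BARBHACK/providers/ludus/inventory.yml \
           ../ad/BARBHACK/providers/ludus/inventory_disableludus.yml; do
    fill_range_number "$range" "$f" || return 1
  done
}
```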
4. Deploy the BarbHack Workshop
If not running on the Ludus host, you must be connected to your Ludus WireGuard VPN for these commands to work.
Linux or Ludus host:
# in the ansible folder perform the following
export ANSIBLE_COMMAND="ansible-playbook -i ../ad/BARBHACK/data/inventory -i ../ad/BARBHACK/providers/ludus/inventory.yml"
export LAB="BARBHACK"
chmod +x ../scripts/provisionning.sh
../scripts/provisionning.sh
macOS:
# in the ansible folder perform the following
export ANSIBLE_COMMAND="ansible-playbook -i ../ad/BARBHACK/data/inventory -i ../ad/BARBHACK/providers/ludus/inventory.yml"
export LAB="BARBHACK"
export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES
../scripts/provisionning.sh
Now you wait. [WARNING] lines are OK, and some steps may take a long time, so don't panic!
This will take a few hours. You'll know it is done when you see:
Gotham needs you! A villain is still at large in the shadows. It's your mission to track them down!
5. Disable localuser
Once the install has finished, disable the localuser account so it is not used and no unintended secrets get stored on the hosts (I'm looking at you, Lsassy).
If not running on the Ludus host, you must be connected to your Ludus WireGuard VPN for this command to work.
# Still in the BARBHACK-2024/ansible directory
ansible-playbook -i ../ad/BARBHACK/providers/ludus/inventory_disableludus.yml disable_localuser.yml reboot.yml
6. Snapshot VMs
Take snapshots via the Proxmox web UI or run the following ludus command:
ludus snapshot create clean-setup -d "Clean BarbHack Lab setup after ansible run"
7. Hack!
Access your Kali machine at https://10.RANGENUMBER.10.99:8444 using the creds kali:password (sudo password is kali).
If you want a challenge and want to do the lab with Defender enabled, edit the ad/BARBHACK/data/inventory file and change the last part to look like this:
; allow defender
; usage : security.yml
[defender_on]
dc01
srv01
srv02
; disable defender
; usage : security.yml
[defender_off]