On GOAD v3 Update: A New Addition appear : EXCHANGE! Huge thanks to aleemladha for his pull request and invaluable help in integrating Exchange into the GOAD lab! I’ve been wanting to write an ...

In the previous blog post on ADCS (Goad Pwning Part 6), ESC1, ESC2, ESC3, ESC4, ESC6, and ESC8 were exploited. This post examines additional ESC vulnerabilities within the domains. Several mo...

Full view and regulary updated Active Directory Pentest mindmap is available on orange cyberdefense mindmap site : https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_202...

On the previous post (SCCM LAB part 0x2) we have done SCCM exploitation with a low privilege user. On this part we will exploit SCCM with an admin access on one vm. On part 0x1 we discovered the c...

On the previous post (SCCM LAB part 0x1) we started the recon and exploit the PXE feature. On this part we will start SCCM exploitation with low user credentials. Exploit with low user Takeover 1 ...

On the previous post (SCCM LAB part 0x0) we setup an environment to play with SCCM. If all is going well you should get something like that : Ok so let’s try this out :) Recon Recon without u...

Some time ago i discovered the work of some researchers about SCCM, i was very interested by their research and as i reading i thought that i really need a lab to test all these cool attacks ! Tha...

On the previous post (Goad pwning part12) we had fun with with the domains trusts. I know, i said the 12 part will be the last, but some of the technics presented here are quite fun i wanted to doc...

Now our lab is up and running, but we need to make an easy access on it. Like a lot of ctf with active directory we will create a VPN access to our lab. To do that we will create an openvpn access...

If you followed the 3 previous part, you should have a running proxmox instance with the 5 windows vm in it. On part 4 we will setup all the GOAD configuration with ansible. An inventory file i...