End-to-end scenarios
End-to-end compromise walkthroughs built from real techniques. Each path is the kind of narrative an interviewer wants to hear or a pentest report needs to contain: what you did, why it worked, and what should have stopped you.
From weak password policy to full domain compromise — the most common real-world AD attack chain.
A single service account SPN can lead to domain-wide compromise through offline ticket cracking.
Intercepted network authentication cascades into credential harvesting, lateral movement, and full domain control.
Misconfigured permissions create invisible privilege paths — from BloodHound recon to shadow credentials and domain compromise.
Control over a Group Policy Object gives an attacker code execution across every host in the OU — and a direct path to domain compromise.
A single misconfigured delegation setting hands an attacker a domain controller's TGT — bypassing the entire credential-harvesting chain.
A misconfigured certificate template lets a low-privilege user request a certificate as a domain admin — opening the door to full domain compromise and persistent golden-certificate access.
Coerced NTLM authentication relayed through AD CS web enrollment produces a machine certificate — and a direct path to domain compromise.
Write access to a certificate template is all it takes — modify it, abuse it, and compromise the domain in a two-stage AD CS attack.