AD FOR OSCP (Active Directory Guide)

Abhishekgk
5 min readMar 6, 2023

--

Hello, hope you are having a great day. This blog guides beginners who are trying to prepare for oscp, or for people who are worried about AD part in the exam.

When i bought the lab for OSCP, the exam did not include AD, but had bof. So, i ignored AD completely. But, when they added AD set in the exam, my lab time was completed, and I had no idea on how to prepare for it. Active Directory was a completely foreign concept to me, even after reading the course material I did not understand anything related to it. I did not want to buy another lab extension, so i tried to look for free resources to prepare for it.

Here, i am going to share the resources I used to prepare for Active Directory Pentesting, which helped me solve entire AD set in less than 40 minutes after I got the initial access. I actually read and prepared a lot more than what is required for OSCP, which helped me solve it easily. Sincee I did not know what to expect in the exam, i looked at offsec’s FAQ’s and reddit posts, youtube videos and etc to gain the info about AD set. From my research on this, i came to focus on these points:

  1. We get 3 machines (1 Domain Controller, 2 Client machines)
  2. We might need pivoting/tunneling to gain access to other machines
  3. We need to fully compromise ad set, no partial points are awarded.

With these in mind, I went to youtube to look for labs to practice for AD, and everyone suggested to build a home lab, i even watched cybermentor, and john hammonds set up videos, but my laptop cannot bear all those VM’s. So, I decided to look for videos on YT, which will help me understand AD for pentesting. I started here:

If you have no idea still what AD is and what are groups, users, policies and all the other AD objects, this is the recommended guide that i would suggest you start.

Then i decided to make a notes with only the commands i need to run for AD set seperately. I started with :

This is a bit overkill for OSCP, but still noting down all the commands from here and knowing where to use it, helped me gain confidence for the exam, as i have commands and tools ready for any kind of situation.

NOW, the next thing is the machines to practice on. I did not know how pwk AD labs are built, so i wanted to practice as many AD boxes available on the internet as possible. If I did not had the time to practice i would watch its walkthrough videos on youtube and some writeups on medium.

Now, these are the boxes I practiced my AD skills, as these were recommended to me in all the blogs and writeups available online to gain more confidence on the OSCP exam machines.

PROVING GROUNDS:

HEIST

HUTCH

VAULT

RESOURCED

HACK THE BOX:

FOREST

SAUNA

MONTEVERDE

MULTIMASTER

CASCADE

SIZZLE

These are the boxes i did my hands on practice. But still, i needed to see and learn walkthroughs of more machines. Then I came across this playlist:

This entire playlist helped me to understand different privesc techniques in easy way. I definitely recommend visiting his channel, as his content is very easy to understand for people with all skill levels.

I also watched IPPSec’s AD playlist of machines:

This playlist is completely insane, as he goes through different privesc paths in gaining domain controller access, in very interesting ways.

Finally my notes was very large, I used obsidian and excel to take these notes. It was not organized properly, but since it is prepared completely by me, i was able to navigate on it very easily. So, it is better to prepare your notes on your own, then following others cheatsheets.

Finally, i again went back to the course materials and now i was able to understand everything they tried to teach, as now i had good basic knowledge on it.

PIVOTING/TUNNELING

Now, I was clear with AD concepts and All the different Privesc methods. But, the only thing left to learn was Lateral movement methods. I had no idea how to do that. I was not satisfied by watching any online videos for this concept, as i wanted to do it practically on machines.

This room in Tryhackme helped me a lot on this. I had many different lateral movement techniques in my hand for different scenarios, if needed.

But for tunneling i did not know what should i follow. If there is ssh on the box, it is very to perform this, but if it is not there, i might need to find other options on how to do that. I came across plink.exe but this does not work for me at all. I did not know how to use it properly. Then i came across this video about the tool chisel:

If you are struck with what commands to run with chisel, this blog will help you, and it also helped me, so have a look at it:

https://notes.benheater.com/books/network-pivoting/page/port-forwarding-with-chisel

FINAL TIPS

Entire AD pentesting depends on enumeration. After i did my recon on the exam, i knew i had a path to gain initial access, but i did not rush into that. I set a timer for 40 minutes, where no matter what information i get, i enumerate each and every port from the nmap scan, and make sure i ran all the allowed tools and commands on those ports. And Later i ran autorecon on those ports. Finally after 40 minutes, when i felt i did all the recon and enumeration, I wrote down what i need to do in the following hours, and then took a 30 minutes break to get my mind relaxed, as i have the path infront of me. And everything went as I planned, although with few issues with some tools.

The Only tools which needs more and more focus from your side are :
MIMIKATZ

CRACKMAPEXEC

IMPACKET-PSEXEC

IMPACKET-SECRETSDUMP

OTHER IMPACKET TOOLS

Know these tools usage in all the manner possible. Learn to use mimikatz in lab environments, to get all the hashes and all kinds of hashes, for more proper usage of mimikatz, i recommend watching Offensive security’s official walkthrouh of AD LAB SET on their Youtube channel.

That is all the resource and tips i can share from my side. Infact a lot of the things i mentioned above and I practiced are a bit extra then what is required for the OSCP AD set, so , if you feel nervous about not being able to solve all the above machines, no need to worry, but make sure you know the required commands, and where to locate it in your notes, and the core concepts of whatever you are doing. All the best.

--

--