Build a Real Active Directory Hacking Lab with GOAD
Stand up Orange Cyberdefense's GOAD — a real Windows Server 2019 AD range with kerberoastable SPNs, AS-REP roasting, ACL chains, ADCS ESC1, LAPS and gMSA.
SwarmHack Team · 2026-05-11 · 9 min
TL;DR
- A real Windows Server 2019 Active Directory lab built with Orange Cyberdefense's GOAD — 7.8k stars, the community-standard AD attack range
- Three sized labs you can pick from based on your hardware: MINILAB, GOAD-Mini, and GOAD-Light
- A vulnerable directory pre-seeded with kerberoastable SPNs, AS-REP-roastable users, ACL chains, ADCS ESC1, LAPS, and gMSA — exactly the misconfigurations real enterprises ship to production
- Everything you need to follow Part 2 where SwarmHack walks the kill chain to Domain Admin
This is Part 1 of 3 in a hands-on series on autonomous Active Directory pentesting. By the end of this post you'll have a real Windows AD lab running locally — the same one Orange Cyberdefense maintains for AD attack training, and the same one we used to validate SwarmHack's AD agent suite end-to-end on 2026-05-09.
Series roadmap:
- Part 1 — Build the GOAD lab (you are here)
- Part 2 — Run the engagement (one command, anonymous bind → Domain Admin)
- Part 3 — Under the hood (22 native AD agents, no impacket)
1. Why GOAD?
Most "AD lab" projects fall into one of two traps: they're either a single Windows VM with one user account (great for screenshots, useless for chains), or they're a 90-page Terraform monster that takes a weekend to debug.
GOAD (Game Of Active Directory) by Orange Cyberdefense is neither. It's:
- Real Microsoft AD on Windows Server 2019 — not a Python LDAP simulator
- Vagrant + Ansible automation that brings up a complete forest with one command
- Seeded with the misconfigurations every senior pentester sees in the wild — kerberoastable service accounts (`MSSQLSvc`, `HTTP`, `cifs`, `ldap` SPNs), AS-REP-roastable users (`DONT_REQ_PREAUTH` UAC bit), ACL chains (Domain Admins → Domain Controllers `WriteDACL`, `ForceChangePassword` paths, `AddKeyCredentialLink` victims), ADCS templates with ESC1, LAPS, gMSA, GPP `cpassword` leaks in SYSVOL
- Themed after Game of Thrones — the DC is `kingslanding.sevenkingdoms.local`, the child domain is `essos.local`. The banner reads *"Pwning is coming"* and it's earned.
When someone says "we tested against the same conditions every AD pentester encounters in the wild," they almost always mean GOAD.
2. Pick your variant
GOAD ships seven variants. Here are the three that matter for a hands-on follow-along, in order of footprint:
*GOAD variant footprint vs. attack-surface coverage*

| Variant | VMs | Domains | Coverage | Practical for |
| ----------- | --- | ------- | ---------------- | ---------------- |
| MINILAB | 2 | 1 | basics + lateral | 16 GB host |
| GOAD-Mini | 1 | 1 | single-DC + ADCS | 16 GB host |
| GOAD-Light | 3 | 2 | parent + child | 32 GB host |
| GOAD (Full) | 5 | 3 | full GoT lab | ≥ 64 GB / cloud |
| SCCM | 6 | 1 | SCCM scenarios | ≥ 64 GB / cloud |
| NHA | 5 | 2 | Defender on | challenge |
| DRACARYS | 3 | 1 | no vagrant cred | challenge |
For this series we'll use GOAD-Mini as the primary (smallest viable lab that still includes ADCS ESC1 and an ACL chain). If you have 32 GB of RAM, jump straight to GOAD-Light to also play with parent/child trusts. MINILAB is the workstation-lateral-movement scenario.
The four bigger variants (Full / SCCM / NHA / DRACARYS) are great targets but need either ≥ 64 GB RAM or cloud-provisioned ESXi/Proxmox.
3. Hardware & prerequisites
- CPU: x86_64 (Intel/AMD) — AD-on-ARM is fragile, prefer Intel
- RAM: 16 GB for GOAD-Mini / MINILAB · 32 GB for GOAD-Light
- Disk: ~40 GB free (Windows Server 2019 base box is heavy)
- OS: macOS, Linux, or Windows
- Virtualization: VirtualBox 7.x or VMware Fusion / Workstation or Proxmox / ESXi
- Tools: Vagrant ≥ 2.4, Ansible ≥ 2.15, Python 3.10+, Git
The Windows Server 2019 base box is a legal evaluation image valid for 180 days. Plenty for a lab — just rebuild when it expires.
4. Install GOAD
GOAD now ships a guided installer (`goad.sh`) that handles dependency checks, base-box downloads, Vagrant orchestration, and the full Ansible play chain. From a fresh terminal:
```shell
# 1. Clone the repo
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD

# 2. Launch the interactive shell
./goad.sh

# Inside the goad shell:
goad> set_lab GOAD-Mini        # or MINILAB / GOAD-Light
goad> set_provider virtualbox  # or vmware / proxmox
goad> install
```
That last `install` command is the work. It will:
1. Pull the Windows Server 2019 Vagrant box (~9 GB)
2. Boot the VM(s) with the right network and IP layout
3. Run 22 Ansible plays in order — build.yml → Prepare servers → Main DC AD configuration → Child DC AD configuration (Light only) → Trusts configuration (Light only) → DCs AD data configuration → GMSA inside AD → LAPS → Adjust rights configuration → cross domain groups → ADCS → ACL inside AD → Install IIS / MSSQL / SSMS / SQL Server reporting / Webdav → Setup disable defender → Setup vulnerabilities with tasks
Expect ~30–45 minutes for GOAD-Mini, ~60–90 minutes for GOAD-Light. Get coffee.
GOAD is *deliberately* a vulnerable AD environment. Run it on a host network you control. Do not expose the lab subnet (default 192.168.56.0/24) to your corporate LAN or to the internet.
5. What just got built
When `goad.sh install` finishes, you have:
| Variant | Topology | Default DC IP | Domain |
| --------- | ---------- | ---------------- | -------- |
| MINILAB | 1 DC + 1 Win10 workstation | 192.168.56.10 | mini.lab |
| GOAD-Mini | 1 DC (also services host) | 192.168.56.10 | sevenkingdoms.local |
| GOAD-Light | DC01 (parent) + DC02 (child) + SRV02 (IIS/MSSQL/WebDAV/SSRS) | 192.168.56.10–.22 | sevenkingdoms.local + essos.local |
The provisioned vulnerabilities you should expect to see flagged in Part 2:
- Anonymous LDAP bind allowed (naming contexts disclosed)
- `vagrant:vagrant` SMB account on every box (the Vagrant baseline cred)
- Kerberoastable SPNs: `MSSQLSvc/...`, `HTTP/...`, etc. on user accounts
- AS-REP-roastable users with `DONT_REQ_PREAUTH` set
- ACL chains — seven `WriteDACL`/`GenericAll`/`ForceChangePassword`/`AddKeyCredentialLink` paths terminating at the Domain Controllers container
- ADCS ESC1 — vulnerable certificate template `ESC1` on CA `SEVENKINGDOMS-CA` (Mini + Light)
- LAPS managed local-admin passwords readable by the wrong principals
- gMSA managed-password blob readable by the wrong principals
- Unconstrained delegation on at least one machine account
Every one of these is a real misconfiguration we still find in production AD environments in 2026.
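Three of the items above (AS-REP-roastable users, SPNs on user accounts, unconstrained delegation) are visible directly in LDAP attributes, so they are easy to audit before and after a lab run. The script below is an added example, not GOAD's or SwarmHack's code: it decodes the documented `userAccountControl` bits and classifies a directory dump. The account names, SPNs and flag combinations are constructed sample data; on a real lab you would feed it the `sAMAccountName`, `userAccountControl`, `servicePrincipalName` and `adminCount` attributes pulled with `ldapsearch`.

```python
# Added example (not GOAD's or SwarmHack's code): classify user/computer records
# for the Kerberos-related misconfigurations GOAD seeds. Records are constructed
# sample data shaped like LDAP attributes; bit values are the documented
# userAccountControl flags.
from dataclasses import dataclass, field

# Documented userAccountControl bits (insertion order matters for decode_uac).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "NORMAL_ACCOUNT": 0x0200,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "TRUSTED_FOR_DELEGATION": 0x80000,   # unconstrained delegation
    "DONT_REQ_PREAUTH": 0x400000,        # Kerberos pre-auth not required (AS-REP roast)
}
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]
NORMAL_ACCOUNT = UAC_FLAGS["NORMAL_ACCOUNT"]
WORKSTATION_TRUST_ACCOUNT = UAC_FLAGS["WORKSTATION_TRUST_ACCOUNT"]
TRUSTED_FOR_DELEGATION = UAC_FLAGS["TRUSTED_FOR_DELEGATION"]
DONT_REQ_PREAUTH = UAC_FLAGS["DONT_REQ_PREAUTH"]


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl integer."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


@dataclass
class Account:
    sam: str                                        # sAMAccountName
    uac: int                                        # userAccountControl
    spns: list[str] = field(default_factory=list)   # servicePrincipalName values
    admin_count: int = 0                            # adminCount


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return the sAMAccountNames matching each misconfiguration class.

    asrep_roastable: enabled account with DONT_REQ_PREAUTH set; the KDC hands
        out an AS-REP encrypted with the account's key without pre-auth.
        Fix: clear the flag.
    kerberoastable_users: enabled user (not computer) account carrying an SPN;
        its service tickets are encrypted with a human-chosen password's hash.
        Fix: long random password or migrate the service to a gMSA.
    unconstrained_delegation: TRUSTED_FOR_DELEGATION set; the host caches
        forwarded TGTs of everyone who authenticates to it.
        Fix: constrained or resource-based constrained delegation.
    """
    found = {"asrep_roastable": [], "kerberoastable_users": [], "unconstrained_delegation": []}
    for a in accounts:
        enabled = not a.uac & ACCOUNTDISABLE
        is_user = bool(a.uac & NORMAL_ACCOUNT) and not a.uac & WORKSTATION_TRUST_ACCOUNT
        if enabled and a.uac & DONT_REQ_PREAUTH:
            found["asrep_roastable"].append(a.sam)
        if enabled and is_user and a.spns:
            found["kerberoastable_users"].append(a.sam)
        if a.uac & TRUSTED_FOR_DELEGATION:
            found["unconstrained_delegation"].append(a.sam)
    return found


def privileged_service_accounts(accounts: list[Account]) -> list[str]:
    """Kerberoastable users that are also adminCount=1: fix these first."""
    roastable = set(audit(accounts)["kerberoastable_users"])
    return [a.sam for a in accounts if a.sam in roastable and a.admin_count == 1]


# Constructed sample directory; names and SPNs are invented for this example.
SAMPLE_ACCOUNTS = [
    Account("jsmith", 0x200),
    Account("sql_svc", 0x200, ["MSSQLSvc/srv02.sevenkingdoms.local:1433"], admin_count=1),
    Account("web_svc", 0x200, ["HTTP/srv02.sevenkingdoms.local"]),
    Account("legacy_app", 0x200 | 0x400000),
    Account("old_svc", 0x200 | 0x2 | 0x400000),          # disabled: not roastable
    Account("krbtgt", 0x200 | 0x2, ["kadmin/changepw"]),  # disabled by design
    Account("SRV02$", 0x1000 | 0x80000, ["HOST/srv02.sevenkingdoms.local"]),
]

if __name__ == "__main__":
    for klass, names in audit(SAMPLE_ACCOUNTS).items():
        print(f"{klass}: {names}")
    print("privileged + roastable:", privileged_service_accounts(SAMPLE_ACCOUNTS))
    print("SRV02$ flags:", decode_uac(0x1000 | 0x80000))
```

Disabled accounts are deliberately skipped (krbtgt always carries `kadmin/changepw`, and a disabled service account cannot be roasted), and computer accounts are excluded from the kerberoast class because their passwords are machine-generated. Running the same audit after remediation gives you a quick before/after diff of the lab's seeded weaknesses.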
6. Sanity-check the lab
Before you fire SwarmHack at it in Part 2, confirm the DC is alive:
```shell
# LDAP up?
nc -zv 192.168.56.10 389
# Kerberos up?
nc -zv 192.168.56.10 88
# SMB up?
nc -zv 192.168.56.10 445
# ADCS web enrollment up? (Mini / Light)
curl -k -o /dev/null -s -w "%{http_code}\n" https://192.168.56.10/certsrv/
# Anonymous LDAP bind — should return the rootDSE
ldapsearch -x -H ldap://192.168.56.10 -s base -b "" "(objectclass=*)"
```
If you see LDAPv3 rootDSE attributes coming back from that last one with no credentials, your "anonymous bind" misconfiguration is in place — and you have your first finding before doing anything else.
7. Tear it down (or pause it)
```shell
# In the goad shell:
goad> destroy   # nuke the VMs and their disks

# Or just power them off:
cd ad/GOAD-Mini/providers/virtualbox && vagrant halt
```
Vagrant snapshots are also a great way to checkpoint the lab right after install, so you can re-run Part 2 from a clean state in seconds.
What's next
In Part 2 — Run the Engagement we'll point a single `swarmhack spawn --target 192.168.56.10` at the lab you just built and watch:
1. LDAP enumeration via anonymous bind (149 accounts, all the SPN-bearing service users, every `adminCount=1` principal)
2. SMB credential sweep that lands `vagrant:vagrant` and bridges it into the AD context
3. Kerberoast + AS-REP-roast on every eligible principal — hashes queued straight into hashcat
4. ACL graph walk that traces seven escalation edges from a low-privilege user to a Domain Controllers `WriteDACL`
5. ADCS ESC1 template detection and autonomous certificate enrollment as [email protected] against `SEVENKINGDOMS-CA` — captured as `administrator.pfx`
6. LAPS / gMSA cleartext password reads for the local-admin and managed service accounts
The validated numbers from our run:
- GOAD-Mini — 15 findings, 11 crown jewels, 10m 10s
- MINILAB — 14 findings, 10 crown jewels
- GOAD-Light — 15 findings, 11 crown jewels, 9m 9s against a fully fresh-provisioned lab
- DRACARYS — 8 findings, 3 crown jewels, 7m 44s
One command. No `--agents` filter. No operator credentials supplied. *Pwning is coming.* See you in Part 2.