404 Bank Walkthrough – BloodHound ACL Chain to ADCS ESC4

Initial Reconnaissance

Port Scanning

    nmap -Pn -p- -sC -sV $TARGET --open -oA nmap/scan --min-rate 3000

    Starting Nmap 7.93 ( https://nmap.org ) at 2026-02-05 10:06 EST
    Nmap scan report for 10.1.98.36
    Host is up (0.026s latency).
    Not shown: 65525 filtered tcp ports (no-response)
    PORT     STATE SERVICE       VERSION
    53/tcp   open  domain        Simple DNS Plus
    80/tcp   open  http          Microsoft IIS httpd 10.0
    139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp  open  microsoft-ds?
    636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP
    3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP
    3389/tcp open  ms-wbt-server Microsoft Terminal Services
    Service Info: Host: DC-404; OS: Windows

Key Services Identified: ...

February 5, 2026 · 11 min · James Lenkiewicz

HackSmarter Walkthrough – StellarComms

Objective / Scope

StellarComms has recently onboarded a new junior analyst to support satellite operations monitoring. As part of standard security procedures, a comprehensive internal access assessment must be conducted to validate that the new user account maintains appropriate privilege boundaries and cannot be leveraged for unauthorized escalation.

This lab started with just a username - junior.analyst - and no password. The challenge was to figure out how a brand new, low-privileged account could potentially escalate all the way to domain administrator. Spoiler alert: turns out there were quite a few misconfigurations to exploit along the way. ...

January 29, 2026 · 8 min · James Lenkiewicz

HackSmarter Walkthrough – Lumon Industries

Objective / Scope

Lumon Industries will soon be integrating a high-value employee into the organization. In accordance with internal security protocols, a comprehensive penetration test and internal access verification must be conducted prior to full onboarding.

For this assessment, valid credentials were provided for a standard domain user. The goal was to understand what level of access this account truly had, identify any escalation paths, and determine whether internal controls would prevent an attacker from moving laterally or escalating privileges. ...

January 19, 2026 · 4 min · James Lenkiewicz