Active Directory Is a Haunted House

Sep 27, 2025 · 2 min · active-directory , goad , internal , windows

Web app security is a city. You walk the streets, try the doors, find the one shop with the unlocked back entrance. Active Directory is not a city. Active Directory is a haunted house: built in 1999, nobody who understands the wiring still works here, and every room connects to every other room through doors you cannot see.

Going internal means standing up GOAD, the Game of Active Directory lab: a full vulnerable Windows domain you run yourself, and provisioning it is its own rite of passage. I ran goad.sh, went for a walk, came back, it was still going, went for another walk. Two and a half hours later I had a domain controller, a couple of servers, and a fistful of misconfigurations on an isolated network with no way out.

Then I snapshotted everything, because that lesson is permanent.

The mental shift from web to AD is the whole game. On the web, a vulnerability is usually one bug in one app. In AD, the vulnerabilities are relationships. This user can be impersonated by that service. That service runs as an account that can reset this other user’s password. This group has rights nobody remembers granting. No single thing is broken. The whole structure is one enormous pile of trust, and somewhere in that pile is a path from “random low-privilege account” to “owns the entire domain.” The job is to find it.
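The "pile of trust" described above, as an added example that is not from the post or from GOAD: a small breadth-first search over a constructed list of relationship edges, showing how individually harmless rights chain into a path to Domain Admins. All principal names and edges are invented sample data; in practice the edges come from the enumeration step, and every hop on the returned path is a relationship a defender can cut.

```python
from collections import deque

# Constructed sample of AD trust relationships (not a real domain):
# (source principal, relationship, target principal). Each tuple is one
# "this can act on that" fact of the kind the post describes.
EDGES = [
    ("lowpriv_user", "CanImpersonate", "svc_sql"),
    ("svc_sql", "CanResetPassword", "helpdesk_user"),
    ("helpdesk_user", "MemberOf", "Helpdesk"),
    ("Helpdesk", "MemberOf", "Domain Admins"),
    ("lowpriv_user", "MemberOf", "Domain Users"),
    ("Domain Users", "CanRead", "Public Share"),
]


def build_graph(edges):
    """Adjacency list: principal -> list of (relationship, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def find_path(graph, start, goal):
    """Breadth-first search from start to goal.

    Returns the shortest chain of (src, relationship, dst) hops, or None
    when no chain of relationships connects the two principals.
    """
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None


def describe(path):
    """Render a path as one line, e.g. 'a -[MemberOf]-> b -[...]-> c'."""
    if not path:
        return "no path"
    return path[0][0] + "".join(f" -[{r}]-> {d}" for _, r, d in path)


if __name__ == "__main__":
    g = build_graph(EDGES)
    print(describe(find_path(g, "lowpriv_user", "Domain Admins")))
```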

The work starts with enumeration: reading the structure, using NetExec to ask the domain polite questions and writing down the answers. It feels like walking a haunted house with a candle, mapping rooms, working out which floorboard is the one that drops you somewhere interesting.

But the house has a logic. Haunted does not mean random. And once you know where the hidden doors are, a haunted house is just a house.
