ticket using the Impacket GetTGT module, the command
impacket-getTGT xyz.com/Administrator -has
hes LMHASH:NTHASH is used. Lastly, there is the need
to export the KRB5CCNAME environment variable with the
path of the TGT ticket and use Impacket’s WMIExec module
to get an Administrator shell on the Domain Controller using
the Pass the Ticket attack. The trainee can also use Impacket’s
SMBClient module to access the internal network share and
grab the secret flag. This is the intended solution for solving
the challenge.
The unintended solution uses PsExec to perform Local Priv-
ilege Escalation, which allows a non-admin process to escalate
to SYSTEM if running PsExec with .\PsExec64.exe
-accept eula \\dc01 -s cmd using the local adminis-
trator account on a Remote Desktop session. Lastly, the trainee
should change the directory into the internal network share
folder and print out the flag.
To perform the Golden Ticket attack, the trainee
first grabs the NT hashes using Impacket’s Secrets
Dump module, as before, and the domain SID with
crackmapexec ldap dc01.xyz.com -u USERNAME
-p PASSWORD --get-sid. Then it can get a re-
mote session using the local administrator account in
the Domain Controller and, using Mimikatz in the re-
mote machine, dump the KRBTGT account hashes by
performing a DCSync attack with lsadump::dcsync
/domain:xyz.com /user:krbtgt. Then, to craft the
Golden Ticket, it needs the obtained Domain SID and the
KRBTGT NT hash. With not just a Domain Controller but
also workstations, the trainee should be able to run the attack
and get administrator privileges in the Domain Controller.
Lastly, a DLL injection attack can be performed using a
vulnerable AD account belonging to the DNSAdmins group.
Essentially, this DLL is a reverse shell that connects to the
attacker machine, and the threat actor should be able to obtain
SYSTEM privileges on the Domain Controller machine.
The Domain Controller is vulnerable to a wide range of
attacks. Some of them were presented above, but many others
can be used to target the domain. As mentioned before, this
scenario reveals itself as extremely useful as a way to provide
the trainee with hands-on experiments for all the possible
attacks.
VII. IMPORTED SCENARIOS
By now, the inner workings of the scenario construction
process should be clear. The most complex scenarios were
detailed in Section VI, but the project supports the addition of
already existing scenarios. To keep the same logic followed so
far was taken into consideration. As such, the final decision
was to pick scenarios that were already based in Docker.
Through profound research using platforms like CTFtime, sev-
eral scenarios from the 2023 DiceCTF competition available
on GitHub were chosen. A total of 23 challenges from the
2023 DiceCTF edition were imported. To enable this, a Python
script was created to convert the scenarios from the format
they were published on GitHub to the one the framework
understands.
Every imported DiceCTF scenario typically has a YAML
file that is core to understanding the challenge. There, one
can find information on the challenge’s name, author, a
short description, where to find the secret flag, the files
that should be provided to the trainee so he can have a
deeper understanding of the presented code, and the ports
that the scenario’s containers should expose to the exterior.
With all this information in place, it was time to organize
the folder structure for each scenario. The Python script first
pulls the DiceCTF’s GitHub repository and recursively looks
for the challenges that use Docker. The ones that do not
use it are, therefore, excluded. Other specific checks are also
performed in this sense, for instance, challenges pinpointed
to be excluded because their Docker setup is incompatible
with the framework’s setup, simply because they use Docker
images that do not support the installation of python3 and
iproute2 packages. Both these packages are required. The
former is to be able to run Ansible playbooks and the latter
to configure static routes between containers. Then, the script
goes through the challenge mentioned above’s YAML file and
starts creating the scenario’s variables file. As before, each sce-
nario’s vulnerable container is exposed via a domain, and the
format followed by DiceCTF is CHALLENGE_NAME.mc.ax.
In the variable’s file, the necessary configurations in the DNS
server are created, reverse proxy, and the edge router’s port
forwarding. As each scenario is attack-oriented, one must
include the attacker machine in the external network of the
setup. This will be the machine in control of the trainee.
The following tasks involve setting up the custom scenario’s
structure, which is very similar for each scenario. The only
things that change are the created containers and the domain of
the exposed service. If the scenario has two or more containers,
the container’s names are mapped via the DNS server, as
usually happens in Docker. For instance, if a scenario deploys
containers app and mongo, the app container may attempt
to access the database using the mongo domain. As such, the
mongo string must be mapped to the mongo container’s IP
address.
VIII. SCENARIO EXTENSIBILITY
This topic intends to address the scenario extensibility
theme. This topic is essential because it ensures the project’s
continuity regarding future updates. Scenario extensibility is
closely related to what was presented in Section V-E. For
this framework to support new scenarios, developers must
understand the project’s inner workings. This encompasses
variable declarations for each scenario, namely DNS con-
figurations for new domains, port forwarding issues, entry
point setup, and representation of custom machines. Given
the knowledge obtained so far, adding new scenarios to the
current configuration should be relatively straightforward.
A new folder inside the scenarios folder should be cre-
ated for each scenario. Then, a file named challenge
vars.yml
should store the custom variables of the scenario. The rest
18
Journal of Cybersecurity Education, Research and Practice, Vol. 2024, No. 1 [2023], Art. 5
https://digitalcommons.kennesaw.edu/jcerp/vol2024/iss1/5
DOI: 10.32727/8.2023.30