Pro Lab / Offshore

by Ben Rollin


Offshore is a virtual simulated Active Directory network environment with the goal of helping users both develop and enhance their skills in network penetration testing.

The lab simulates a real-world engagement in which a tester is tasked with assessing the external perimeter, gaining an internal foothold and pivoting across multiple hosts and forests.

To track progress, there are multiple flags planted along the way as well as a few side challenges not required to advance within the Active Directory environment. Players can submit flags to earn a place in the Offshore Hall of Fame and receive badges for various stages of completion.


Offshore is designed to mimic a large corporate Active Directory network with a mix of Microsoft Windows operating system versions. The lab includes both Windows workstations and servers as well as components such as Internet Information Services (IIS) and Microsoft SQL Server (MSSQL), among others.

The network consists of multiple domains and forests which only become reachable after compromising certain hosts.

The lab also contains elements of a busy corporate network such as simulated users whose actions can be manipulated and leveraged to further access within the environment.

Target Audience

Offshore was designed to appeal to a wide variety of users, from junior-level penetration testers to seasoned testers as well as infosec hobbyists and even blue teamers; there is something for everyone. Players will pick up at least a few new tricks which can be immediately applied to real-world engagements or taken back to their organizations to help improve the overall security posture.


  • Familiarity with modern tools and techniques used to perform penetration testing engagements
  • Working knowledge of networking and web application attacks
  • A working knowledge of Linux and Windows operating systems and Active Directory

Learning Goals

  • Web application attacks
  • Enumeration
  • Exploitation of obscure and real-world Active Directory flaws
  • Local privilege escalation
  • Lateral movement and crossing trust boundaries
  • Evading endpoint protections
  • Reverse engineering
  • Out-of-the-box thinking

The Game


You are an agent tasked with exposing money laundering operations in an offshore international bank. Breach the DMZ and pivot through the internal network to locate the bank’s protected databases and a shocking list of international clients. OFFSHORE is designed to simulate a real-world penetration test, starting from an external position on the internet and gaining a foothold inside a simulated corporate Windows Active Directory network. Users will have to pivot and jump across trust boundaries to complete the lab.


The entry point for the lab is reached once you are connected to the VPN. Users start from an external perspective and have to penetrate the “DMZ” and then move laterally through the CORP.LOCAL, DEV, ADMIN and CLIENT forests to complete the lab.


The firewall at is out-of-scope.


  • Destructive actions such as:
  • Changing group membership of accounts or changing account passwords unless these actions are clearly required as part of the scenario
  • Modifying/removing flags
  • Killing processes you don't own
  • Any sort of DoS against the firewall or any other lab hosts
  • Try not to leave enumeration data / tools lying around for other players to find. Use a subtle area on disk (e.g. %AppData%) and remove once you've finished.
  • Be mindful of how and where you use Kerberos (silver/golden) tickets, as these will impact other players who have shells in the lab.
  • Note that extensive password cracking is not necessary to complete this lab (i.e. any password hashes required to proceed are crackable with common wordlists using a CPU; a GPU cracking rig is not required).