An easy-rated Windows box involving default credentials for initial access into Apache Tomcat, and creating an application with a JSP webshell to obtain code execution as SYSTEM.

A medium-rated active directory box which involves chaining rights abuses to compromise users, gain access to FTP to discover a Password Safe file and execute a targeted Kerberoast and DCSync attack to compromise the domain.

An easy-rated active directory box involving LDAP and plaintext credentials for initial access, and abusing services to run a malicious image and obtain a SYSTEM shell.

An easy-rated Active Directory box involving SMB enumeration, hardcoded credentials and user enumeration for initial access, ending with SeBackupPrivilege abuse to dump NTLM hashes and gain administrator access.

An easy-rated Active Directory box involving web enumeration and AS-REP roasting for initial access, AutoLogon credentials for lateral movement, and abusing rights to achieve DCSync - leading to full domain compromise.

An easy-rated Active Directory box involving AS-REP roasting for initial access, and abusing transitive group memberships with WriteDacl to achieve DCSync and full domain compromise.

An easy-rated Active Directory box involving SMB enumeration and GPP passwords for initial access, and kerberoasting to obtain administrator access.

This lab demonstrates exploiting a remote code execution vulnerability in SmarterMail build 6985 to gain SYSTEM-level access on a Windows server. Learners will identify the application version, leverage an RCE exploit, and use a reverse shell payload to compromise the target. This lab emphasizes web application exploitation and highlights the risks of unpatched software.