Active Directory Security Workshop – Mushroom Kingdom Lab Walkthrough

Sun, 17 May 2026 00:00:00 +0000

Overview

On 11/06/2026, I attended an Active Directory security workshop organized by Acen and HOWEST Hogeschool West-Vlaanderen.

The session covered both offensive and defensive aspects of Active Directory security, focusing on how real-world attack paths are constructed and how common misconfigurations can be exploited in enterprise environments.

The morning focused on theory, while the afternoon was dedicated to a hands-on lab environment called Mushroom Kingdom, where we simulated a full attack chain from initial access to domain compromise.

Topics Covered

The theoretical part of the workshop included:

Kerberos authentication and abuse scenarios
Credential-based attacks (NTLM, password reuse, hashes)
BloodHound attack path mapping
Privilege escalation techniques in Windows environments
Ticket-based attacks (Kerberoasting, Pass-the-Hash, Pass-the-Ticket)
Active Directory Certificate Services (AD CS) misconfigurations

This helped connect AD internals with real attacker behaviour in enterprise environments.

Mushroom Kingdom Lab

The lab simulated a small enterprise Active Directory environment:

Domain Controller
Member server
Workstation with low-privileged user access

The goal was full domain compromise starting from a basic user account.

Initial Access & Privilege Escalation

The first foothold came from a low-privileged workstation user.

Enumeration revealed an unquoted service path vulnerability in a misconfigured Windows service. Because the service path was not properly quoted and write permissions existed in a parent directory, it was possible to hijack execution and escalate privileges to SYSTEM.

After exploitation, a fresh session was required to properly apply the new local administrator group membership.

Credential Access

With local admin access, LSASS memory was accessed to extract credentials from active sessions.

This revealed a domain user session, allowing pass-the-hash authentication instead of password cracking.

At this point, the key concept is separation between:

Local identity
Domain authentication

Even if your local privileges increase, domain access depends entirely on valid credentials or tokens.

Enumeration

Using SharpHound and BloodHound, the domain was mapped.

The graph revealed:

Kerberoastable accounts
Privileged session paths
Delegation misconfigurations
Active Domain Admin sessions on member servers

This step was essential to identify the shortest attack path instead of guessing.

Lateral Movement

Multiple techniques were used:

Accessing SMB shares containing scripts and credentials
Kerberoasting service accounts and cracking tickets offline
Using machine account access for data discovery

These paths led to service credential recovery and access to a member server.

Domain Compromise

On the member server, LSASS dumping revealed a Domain Admin NTLM hash.

Using pass-the-hash techniques, full domain administrator access was obtained.

A DCSync attack was then used to replicate domain credentials, including krbtgt.

This enabled the creation of a Golden Ticket, providing persistent domain access.

Key Takeaways

This lab showed how small misconfigurations chain into full domain compromise.

Important defensive lessons:

Proper service path configuration
LSASS protection (Credential Guard)
Monitoring privileged sessions
Hardening SMB shares
Detecting DCSync activity
Regular krbtgt rotation

Conclusion

The Mushroom Kingdom lab clearly demonstrates that Active Directory security is about attack chains, not single vulnerabilities.

Understanding how each step connects is critical for both offensive and defensive security work.

CEH Exam Experience: What Helped Me Prepare

Sun, 15 Feb 2026 00:00:00 +0000

The Certified Ethical Hacker (CEH) certification was an interesting experience because the exam focuses much more on practical thinking and attack scenarios than many people expect.

Going into the certification, I initially thought the preparation would mostly involve memorizing concepts, protocols, and terminology. While theory is important, the biggest difference-maker for me was working through example questions and understanding how the exam frames situations.

Scenario-Based Thinking Matters

A large part of the CEH exam revolves around scenarios. Instead of simply asking what a tool does, questions often describe a situation and expect you to identify the most appropriate technique, methodology, or tool for that phase of an assessment.

That changes the way you need to study.

Reading slides or definitions alone is not enough. What helped me most was practicing how different attack paths fit together:

Enumeration
Privilege escalation
Web attacks
Wireless attacks
Pivoting
Post-exploitation
Persistence
Defensive countermeasures

Understanding why a technique is used is much more valuable than only recognizing the name.

Learning the Tools

One thing I noticed quickly during preparation is how important tool recognition becomes.

Knowing the names of tools alone is not sufficient — it helps to understand:

what they are designed for,
when they are typically used,
and what type of output or functionality they provide.

For example, understanding the difference between reconnaissance tooling, exploitation frameworks, password auditing tools, or web application scanners makes scenario questions much easier to reason through.

Even topics that are not directly tested still improve your overall understanding and make the certification preparation more useful beyond the exam itself.

Practice Questions Helped the Most

The most effective study method for me was reviewing example questions and breaking down why answers were correct or incorrect.

That process helps you:

recognize patterns in questions,
identify keywords,
understand attack methodology,
and think more practically instead of purely theoretically.

In many cases, the reasoning behind an answer mattered more than memorizing isolated facts.

Final Thoughts

Overall, I found the CEH certification to be a good exercise in structured security thinking.

The exam pushes you to connect concepts together instead of viewing topics individually, which makes it more valuable than simply memorizing definitions.

For anyone preparing for CEH, my biggest advice would be:

focus on understanding scenarios,
practice with example questions,
and learn what tools are actually used for in real environments.

That approach helped me much more than trying to memorize everything mechanically.

Pentesting on Aaron Deceuninck Portfolio