Active Directory Security Workshop – Mushroom Kingdom Lab Walkthrough

Sun, 17 May 2026 00:00:00 +0000

Overview

On 11/06/2026, I attended an Active Directory security workshop organized by Acen and HOWEST Hogeschool West-Vlaanderen.

The session covered both offensive and defensive aspects of Active Directory security, focusing on how real-world attack paths are constructed and how common misconfigurations can be exploited in enterprise environments.

The morning focused on theory, while the afternoon was dedicated to a hands-on lab environment called Mushroom Kingdom, where we simulated a full attack chain from initial access to domain compromise.

Topics Covered

The theoretical part of the workshop included:

Kerberos authentication and abuse scenarios
Credential-based attacks (NTLM, password reuse, hashes)
BloodHound attack path mapping
Privilege escalation techniques in Windows environments
Ticket-based attacks (Kerberoasting, Pass-the-Hash, Pass-the-Ticket)
Active Directory Certificate Services (AD CS) misconfigurations

This helped connect AD internals with real attacker behaviour in enterprise environments.

Mushroom Kingdom Lab

The lab simulated a small enterprise Active Directory environment:

Domain Controller
Member server
Workstation with low-privileged user access

The goal was full domain compromise starting from a basic user account.

Initial Access & Privilege Escalation

The first foothold came from a low-privileged workstation user.

Enumeration revealed an unquoted service path vulnerability in a misconfigured Windows service. Because the service path was not properly quoted and write permissions existed in a parent directory, it was possible to hijack execution and escalate privileges to SYSTEM.

After exploitation, a fresh session was required to properly apply the new local administrator group membership.

Credential Access

With local admin access, LSASS memory was accessed to extract credentials from active sessions.

This revealed a domain user session, allowing pass-the-hash authentication instead of password cracking.

At this point, the key concept is separation between:

Local identity
Domain authentication

Even if your local privileges increase, domain access depends entirely on valid credentials or tokens.

Enumeration

Using SharpHound and BloodHound, the domain was mapped.

The graph revealed:

Kerberoastable accounts
Privileged session paths
Delegation misconfigurations
Active Domain Admin sessions on member servers

This step was essential to identify the shortest attack path instead of guessing.

Lateral Movement

Multiple techniques were used:

Accessing SMB shares containing scripts and credentials
Kerberoasting service accounts and cracking tickets offline
Using machine account access for data discovery

These paths led to service credential recovery and access to a member server.

Domain Compromise

On the member server, LSASS dumping revealed a Domain Admin NTLM hash.

Using pass-the-hash techniques, full domain administrator access was obtained.

A DCSync attack was then used to replicate domain credentials, including krbtgt.

This enabled the creation of a Golden Ticket, providing persistent domain access.

Key Takeaways

This lab showed how small misconfigurations chain into full domain compromise.

Important defensive lessons:

Proper service path configuration
LSASS protection (Credential Guard)
Monitoring privileged sessions
Hardening SMB shares
Detecting DCSync activity
Regular krbtgt rotation

Conclusion

The Mushroom Kingdom lab clearly demonstrates that Active Directory security is about attack chains, not single vulnerabilities.

Understanding how each step connects is critical for both offensive and defensive security work.

Windows on Aaron Deceuninck Portfolio