PingPong is a brutally complex Insane-rated Windows box featuring a bidirectional forest trust, cross-realm Kerberos pivoting through a Hyper-V internal network, JEA ConstrainedLanguage bypass via XmlDocument XXE, and a multi-stage AD CS certificate abuse chain spanning two domains.
Logging is a Windows Domain Controller box that chains credential recovery, shadow credentials, a DLL hijack scheduled task, and a full ESC17 WSUS MITM attack to achieve Domain Admin — all while navigating Protected Users restrictions and a disabled Update Orchestrator service.
Garfield is a fiendishly complex Active Directory box that chains a hidden scriptPath ACE, logon script hijacking, RBCD against an RODC, and a forged RODC golden ticket to compromise a full Windows domain. If you want to understand how Read-Only Domain Controllers can be weaponized, this is the box for you.