Eighteen is a Windows Server 2025 Domain Controller box that chains MSSQL impersonation, Werkzeug hash cracking, and the newly-disclosed BadSuccessor vulnerability (CVE-2025-53779) to achieve full domain compromise — a rare chance to exploit a live DC in a lab environment.
Pirate is a brutal Hard-rated Windows Domain Controller that chains together gMSA password extraction, ADFS internals abuse, NTLM relay over a Hyper-V double-pivot, and SPN hijacking to reach Domain Admin — a genuine enterprise attack simulation.
A deceptively instructive box that chains LFI with NTLM hash theft — Responder shows how a single vulnerable parameter on a Windows web server can hand you administrator credentials.
Archetype shows how a single misconfigured SMB share cascades into full domain compromise — SSIS config files, xp_cmdshell, and PowerShell history all play a role.
Dancing is a beginner-friendly Windows box that teaches the fundamentals of SMB enumeration. A misconfigured file share with anonymous access is all you need to grab the flag.