Garfield is a fiendishly complex Active Directory box that chains a hidden scriptPath ACE, logon script hijacking, RBCD against an RODC, and a forged RODC golden ticket to compromise a full Windows domain. If you want to understand how Read-Only Domain Controllers can be weaponized, this is the box for you.
Eighteen is a Windows Server 2025 Domain Controller box that chains MSSQL impersonation, Werkzeug hash cracking, and the newly-disclosed BadSuccessor vulnerability (CVE-2025-53779) to achieve full domain compromise — a rare chance to exploit a live DC in a lab environment.
Pirate is a brutal Hard-rated Windows Domain Controller that chains together gMSA password extraction, ADFS internals abuse, NTLM relay over a Hyper-V double-pivot, and SPN hijacking to reach Domain Admin — a genuine enterprise attack simulation.
MonitorsFour chains a fresh Cacti RCE vulnerability with an exposed Docker API to go from web login to full Windows host compromise — a great lesson in container escape methodology.
A deceptively instructive box that chains LFI with NTLM hash theft — Responder shows how a single vulnerable parameter on a Windows web server can hand you administrator credentials.
Archetype shows how a single misconfigured SMB share cascades into full domain compromise — SSIS config files, xp_cmdshell, and PowerShell history all play a role.
Dancing is a beginner-friendly Windows box that teaches the fundamentals of SMB enumeration. A misconfigured file share with anonymous access is all you need to grab the flag.
Overwatch chains MSSQL linked server credential capture via DNS poisoning with a WCF service PowerShell injection to go from unauthenticated to Domain Admin on a Windows Server 2022 DC.
An Insane-rated Windows box chaining AngularJS CSTI, a subtle OAuth logical flaw, SQLite’s load_extension for DLL-based RCE, Edge DPAPI credential decryption, and .NET AppDomainManager injection to reach SYSTEM.
Fries is a Hard Windows box that takes you through a dense multi-layer attack chain: credential leaks in Gitea, authenticated RCE in pgAdmin, Docker CA key theft, LDAP credential poisoning, and finally ADCS certificate abuse to own the domain.