Day 2 of the grind. Two big things happened today: I launched my first Active Directory environment from scratch, and I worked through the Penetration Testing Process module on HTB Academy.

The AD lab

Spun up a Windows Server 2025 VM on my Proxmox host and turned it into a domain controller for corp.local.

Promoting to a DC

After the install I set a static IP and had Claude help me with the rest of the setup:

  1. Add the Active Directory Domain Services role through Server Manager
  2. Promote the server to a domain controller
  3. New forest, root domain corp.local
  4. Forest functional level: Windows Server 2025
  5. Reboot

After the reboot, I logged in as CORP\Administrator with a working DC.

Seeding the lab with attack targets

The point of building this is to attack it later, so I needed to create targets.

I made five users with intentional vulnerabilities:

  • Three regular domain users with varying password strength (bsmith, ajones, cdavis)
  • One service account (sqlsvc) with a Service Principal Name registered (MSSQLSvc/sql01.corp.local:1433), making it Kerberoastable
  • One legacy account (legacyapp) with Kerberos pre-authentication disabled, making it AS-REP roastable
  • One secondary Domain Admin (da2) to simulate the lateral-movement target

Snapshot taken; every time I break the DC during attack practice, I can roll back.
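To confirm the seeding took, and to find the same two Kerberos weaknesses on any domain before someone else does, here is an added PowerShell audit (not from the original post) that lists user accounts carrying an SPN and accounts with pre-authentication disabled. It assumes the ActiveDirectory module is present (it ships with the AD DS role / RSAT) and a session with read access to the domain.

```powershell
# Added example, not part of the original post: audit corp.local for the
# two Kerberos weaknesses seeded above. Assumes the ActiveDirectory module
# (RSAT / AD DS role) and a domain-joined session with read rights.
Import-Module ActiveDirectory

# UF_DONT_REQUIRE_PREAUTH bit in userAccountControl (0x400000).
$NoPreauthBit = 4194304

function Get-KerberoastableUsers {
    # Any user object with an SPN can have a service ticket requested for it;
    # krbtgt is excluded because its SPN is expected.
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties ServicePrincipalName, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join '; ' }}
}

function Get-AsrepRoastableUsers {
    # Bitwise AND matching rule: userAccountControl has the no-preauth bit set.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$NoPreauthBit)" `
        -Properties PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

$roast = Get-KerberoastableUsers
$asrep = Get-AsrepRoastableUsers

"Accounts with SPNs (Kerberoastable):"
$roast | Format-Table -AutoSize
"Accounts without Kerberos pre-auth (AS-REP roastable):"
$asrep | Format-Table -AutoSize

# In the lab described above the only expected findings are sqlsvc and
# legacyapp; anything else is drift worth investigating.
$expected   = @{ spn = 'sqlsvc'; asrep = 'legacyapp' }
$unexpected = @($roast | Where-Object SamAccountName -ne $expected.spn) +
              @($asrep | Where-Object SamAccountName -ne $expected.asrep)
if ($unexpected.Count -gt 0) {
    Write-Warning ("Unexpected roastable accounts: " +
        (($unexpected | ForEach-Object SamAccountName) -join ', '))
}
```

The same two queries, run on a schedule against a real domain, are a cheap baseline check; a new hit on either list is a change in attack surface worth a ticket.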

The pentesting process

HTB Academy’s Penetration Testing Process module walks through the structure of a real engagement, “what phase am I in and why.”

The phases:

Pre-engagement — paperwork, scoping, NDAs.

Information gathering — open-source intel, infrastructure enumeration, service enumeration, host enumeration.

Vulnerability assessment — taking the information output and identifying weaknesses.

Exploitation — actually using the weaknesses to get a foothold.

Post-exploitation — pillaging, persistence, privilege escalation, data exfiltration.

Lateral movement — moving from the foothold to other systems.

Reporting — the part that determines whether the engagement was worth anything.

The module also had a preparation prescription:

  • 2 modules
  • 3 retired machines
  • 5 active machines
  • 1 Pro Lab / Endgame

Connecting the two

Building the lab and reading about the process at the same time proved extremely useful. I now have a target environment that I’ll move through the entire process against.

That’s the next several weeks of content for this blog.

What’s next

Tomorrow: deploying GOAD on top of the existing DC. GOAD is a multi-domain vulnerable AD environment with a bunch of pre-built attack paths. It’s the standard practice ground for serious AD attack training. Bigger lab, more targets, more chances to break things.

OSCP is still the goal for August. AD attacks are something like 40% of that exam. Building my own targets means I’ll have hit the same techniques 50+ times in my own environment before I see them on the test.

Two days down!