This repository is a fast forward deploy of the PNPT Active Directory Lab using Ludus.
VPN setup for attacking the lab with Exegol is also covered.
Automating this setup is convenient, but it’s highly recommended to perform the entire process manually at least once to fully understand and practice the lab.
A ready to go Proxmox or Debian host with Ludus installed.
Feel free to check: https://docs.ludus.cloud/docs/quick-start/install-ludus
Before deploying the PNPT lab, Ludus needs two Windows templates:
- Windows Server 2022
(win2022-server-x64-template) - Windows 10 Enterprise 22H2
(win10-22h2-x64-enterprise)
Ludus already includes the Server 2022 template by default, but Windows 10 Enterprise must be added manually.
git clone https://gitlab.com/badsectorlabs/ludus
cd ludus/templatesludus templates add -d win10-22h2-x64-enterpriseThis registers the Windows 10 Enterprise template in Ludus.
ludus templates buildIf this is your first time using Ludus, this will also build all default templates, including the required Windows Server 2022 template.
Create a Ludus user for the PNPT lab range with admin rights:
ludus user add --name "PNPT Range" --userid PNPT --admin --url https://127.0.0.1:8081git clone https://github.com/Kyrd0x/pnpt-ludus-exegol-setup
cd pnpt-ludus-exegol-setup/Register the included Ansible roles with Ludus:
ludus ansible role add -d ./roles/hydra-dc --user PNPT
ludus ansible role add -d ./roles/spiderman --user PNPT
ludus ansible role add -d ./roles/thepunisher --user PNPTThe default configuration uses 16 GB RAM (8 for DC, 4 each W10).
You can customize RAM and CPU by editing those lines in pnpt_range.yml file:
ram_gb: 8
cpus: 4Apply the configuration and start deployment:
ludus range config set -f ./pnpt_range.yml --user PNPT
ludus range deploy --user PNPTYou can follow deployment progress with:
ludus range logs -f --user PNPTOnce your Ludus range is deployed, you can prepare your attacking machine using Exegol.
If you haven’t installed Exegol yet, follow the official installation guide: https://exegol.com/install
Installation steps are out of scope here — just make sure Exegol is operational before continuing.
Now let's setup Exegol on our personnal machine.
Exegol installation instructions are here.
Out of scope here, feel free to check their doc and come back to follow along.
Ludus provides a ready-to-use WireGuard configuration for each user.
Retrieve it by running on your Ludus host:
ludus user wireguard --user PNPTThis outputs a WireGuard client configuration.
Copy that content into a file on your attacking machine, for example:
ludus.confExegol can directly use the WireGuard file you just created.
To create and start your container connected to the PNPT lab:
exegol start pnpt free --vpn ludus.confEnjoy !
| Type | Username | Password | Local Admin | Domain Admin | Remarks |
|---|---|---|---|---|---|
| Local User | frankcastle | Password1 | Yes | No | THEPUNISHER local admin |
| Local User | peterparker | Password1 | Yes | No | SPIDERMAN local admin |
| Domain User | fcastle@MARVEL.local | Password1 | Yes | No | Used locally as admin |
| Domain User | pparker@MARVEL.local | Password2 | Yes | No | Used locally as admin |
| Domain User | Administrator@MARVEL.local | P@$$w0rd! | Yes | Yes | Default Domain Admin |
| Domain User | Tony Stark (tstark@MARVEL.local) | Password12345! | No | Yes | Domain Admin + Enterprise Admin |
| Domain User | SQL Service (sqlservice@MARVEL.local) | MYpassword123# | No | Yes | Domain Admin + specific SPN |
| Domain User | Frank Castle (fcastle@MARVEL.local) | Password1 | No | No | Standard domain user |
| Domain User | Peter Parker (pparker@MARVEL.local) | Password2 | No | No | Standard domain user |
You can just ignore the localuser accounts, needed by Ansible.
| Machine | IP | OS |
|---|---|---|
| HYDRA-DC | 10.x.138.136 | Windows Server 2022 |
| SPIDERMAN | 10.x.138.138 | Windows 10 Enterprise |
| THEPUNISHER | 10.x.138.137 | Windows 10 Enterprise |
You check deployed IPs using:
ludus range status --user PNPT- Add standalone public machines of the course in the range