Skip to content

Vulnerabilities Plugins

Vulnerability plugins plant deliberate weaknesses for students to discover and exploit. Use them to seed a lab with intentional attack paths — a Kerberoastable account, an unquoted service path, a vulnerable web service — without hand-configuring every detail.

PluginWhat it doesParamsUses
Make Account KerberoastableConfigures an AD user account with a Service Principal Name (SPN) so it can be Kerberoasted.samaccountname domainFQDN121
Install Vulnerable Nostromo Web (RCE)Installs a vulnerable Nostromo web server (RCE-ready) on Linux on a chosen port.DesiredPort13
Unquoted Service PathCreates a Windows service with an unquoted binary path containing spaces and a parent directory writable by Everyone — a classic privilege-escalation primitive. Caller must drop the binary at BinPath via a preceding File Copy.ServiceName BinPath ServiceDescription12
Vulnerable VSFTP (RCE)Installs a vulnerable VSFTP server on Linux. Trigger the RCE via ftp login with the username x:), then connect to port 6200.DesiredPort8
Enable Pass-the-Hash RDPEnables Restricted Admin mode for RDP so attackers can authenticate with a password hash (Pass-the-Hash) instead of a plaintext password.6
Tomcat VulnerabilityInstalls Apache Tomcat with intentionally weak manager credentials so students can practice WAR-file deployment for RCE.portlistening6
Create Vulnerable Service (Editable Service Config)Creates a Windows service with an intentionally weak DACL — any authenticated user can modify the service config, including changing the binary path to point to a malicious executable. Caller must drop the binary via a preceding File Copy.Binpath ServiceName ServiceDescription5
Enable PSRemoting (Lateral Movement)Enables PowerShell Remoting and disables UAC token filtering for local accounts (LocalAccountTokenFilterPolicy=1) — opens the door to Pass-the-Hash via WinRM.4
Make Account AS-REP RoastableDisables Kerberos pre-authentication on an AD user (DONT_REQUIRE_PREAUTH) so attackers can request an AS-REP for the account and crack it offline.SamAccountName4
Weak Service Binary PermissionsCreates a Windows service where any user has Full Control over both the service binary and its parent directory. Drop a malicious EXE and wait for the service to restart.ServiceName ServiceDescription BinPath3
Install ADCSInstalls Active Directory Certificate Services with configurable ESC1–ESC16 vulnerable templates and CA settings for cert-abuse exercises.ADCSCAName Hostname DomainNameFQDN DomainOUPath Description ADCSCAESCs ADCSTemplateESCs2
Constrained DelegationConfigures a Windows computer for Constrained Delegation by adding CIFS/LDAP SPNs to msDS-AllowedToDelegateTo and enabling trusted delegation.workstationName domainName machineFQDN1
Rejetto HTTP File Server HFS (RCE)Installs a vulnerable build of Rejetto HFS (HTTP File Server) on Windows, exploitable for unauthenticated remote command execution — useful for web-RCE training scenarios.0