Overview
Oracle Cloud Free Tier is generous enough to run two decent machines without paying anything. We used it to add the second tier of the lab — a child domain controller (VOUGHT-HQ) and an AD-joined Linux box (BATCAVE). Both connect back to DC01 on Vultr through WireGuard.
Child DC · DNS
vought.hq.apex-corp.xyz
10.10.0.2"] LX01["BATCAVE (LINUX01)
AD-joined Ubuntu
domain: vought.hq.apex-corp.xyz
10.10.0.3"] end subgraph VULTR ["☁️ Vultr — Main Hub"] HUB["STARK-TOWER (DC01)
Root DC
hq.apex-corp.xyz
10.10.0.1"] end LX01 ---|"Oracle VPC internal"| DC02 DC02 -->|"WireGuard Mesh"| HUB style HUB fill:#1a3a1a,stroke:#a4ff91,color:#fff style DC02 fill:#3a2a1a,stroke:#ffaa44,color:#fff style LX01 fill:#3a2a1a,stroke:#ffaa44,color:#fff
Step 1 — Deploy Windows Server (VOUGHT-HQ)
Logged into Oracle Cloud, went to Compute → Instances → Create Instance. Changed the default image to Windows Server 2022 Standard.
Selected shape: VM.Standard.E4.Flex with 2 vCPU and 32 GB RAM.
For networking, created a new VCN called APEXnet and set the primary VNIC to use it.
Step 2 — Deploy Ubuntu Linux (BATCAVE)
Created a second instance in the same VCN. This one runs Ubuntu 22.04 and is the AD-joined Linux box named BATCAVE.
Generated a new SSH key pair and downloaded the private key — you need this to SSH into the machine.
After both instances were ready, the Instances page showed both machines with their public and private IPs.
Step 3 — Open Firewall Ports in Oracle Security Lists
Oracle blocks all inbound traffic by default. Before RDP could work, the security list needed inbound rules added.
Tried RDP right after provisioning — it did not connect:
Went to Networking → Virtual Cloud Networks → APEXnet → Security Lists → Default Security List. Added ingress rules:
Added RDP (TCP 3389) with source CIDR 0.0.0.0/0:
Final ingress rules list after adding all required rules:
To apply a security list to an instance: go to the instance → find which subnet it uses → click the subnet → go to the Security tab → select the security list. The rule applies to all instances in that subnet.
Step 4 — Rename and Initial Setup on Windows
After RDP was working, connected to the Windows machine and renamed it to VOUGHT:
PS> Rename-Computer -NewName "VOUGHT" -Restart
After reboot, set the DNS to point at DC01's WireGuard IP so the machine can resolve the AD domain:
Step 5 — Install AD Roles on Windows
Opened Server Manager → Add Roles and Features. Selected Active Directory Domain Services, File and Storage Services, and Web Server (IIS).
After installation, a flag appeared in Server Manager — "Promote this server to a domain controller":
Step 6 — Promote as Child Domain Controller
Clicked the flag to open the AD DS Configuration Wizard. Selected "Add a new domain to an existing forest" and specified the child domain details:
- Parent domain:
hq.apex-corp.xyz - New domain name:
vought(full:vought.hq.apex-corp.xyz) - Credentials: Tony Stark (
t.stark) from the parent domain
The promotion wizard refused to continue because the default Oracle administrator password was too weak. Fix it first:
C:\> net user administrator YourStrongPassword123!
In the Domain Controller Options tab: functional level Windows Server 2016, Global Catalog enabled, DNS enabled, DSRM password set.
NetBIOS name set to VOUGHT:
Prerequisites check passed:
Step 7 — Verify Domain Trust
After reboot, ran Get-ADTrust to confirm the forest trust between parent and child domains:
PS> Get-ADTrust -Filter *
Opened File Explorer on VOUGHT and navigated to Network — could see the shares from the parent domain DC (STARK-TOWER). That confirms the cross-domain trust is working.
Step 8 — Intentional Misconfigurations
Several vulnerabilities were planted on the child domain to create a realistic attack surface.
SPN on a User (Kerberoasting Target)
Opened Active Directory Users and Computers on the child domain, navigated to VOUGHT Studios OU, opened a user's Attribute Editor, and added a Service Principal Name — this makes the account Kerberoastable.
AS-REPRoastable Account
On another user, opened Properties → Account tab → checked "Do not require Kerberos preauthentication". Also added the password in the Description field — bad practice that admins actually do.
Group Permission Misconfiguration
Added Sister Sage as a member of the D7 group with explicit write permissions — this creates a GenericWrite-type misconfiguration that can be abused for privilege escalation.
Homelander as Domain Admin on Child Domain
Added Homelander (john.gillman) to the Domain Admins group on the child domain. This is the main misconfiguration in the attack path:
PS> Get-ADGroupMember -Identity "Domain Admins" -Recursive
Step 9 — Join Linux to the Child Domain
SSH'd into BATCAVE using the private key from Oracle:
$ ssh -i oracle-key.pem ubuntu@<BATCAVE-PUBLIC-IP>
Added a security rule to allow all traffic within the private subnet so Linux and Windows can talk to each other:
Installed the required packages for domain join:
sudo apt install -y realmd sssd sssd-tools adcli krb5-user samba-common-bin
During krb5-user installation, Linux shows a curses dialog asking for the Kerberos realm. Entered VOUGHT.HQ.APEX-CORP.XYZ in uppercase — Kerberos realm names are case sensitive:
Discovered the realm:
$ realm discover vought.hq.apex-corp.xyz
Set the hostname and added a DNS entry for the VOUGHT Windows machine:
sudo hostnamectl set-hostname cyborg.vought.hq.apex-corp.xyz
echo "<VOUGHT-WINDOWS-PRIVATE-IP> vought.hq.apex-corp.xyz" | sudo tee -a /etc/hosts
First Attempt — Failed (Reverse DNS Issue)
First try to join the domain failed with "insufficient permissions". This is a misleading error — the real problem is that Linux was trying to do a reverse DNS lookup on the DC IP to validate the server identity, and that lookup was failing.
Fix — Disable Reverse DNS in Kerberos
The fix is adding rdns = false to /etc/krb5.conf. This tells Kerberos to not do reverse DNS validation on the server:
[libdefaults]
rdns = false
Second Attempt — Success
$ sudo realm join vought.hq.apex-corp.xyz -U homelander
Verified with a Kerberos ticket:
$ kinit [email protected]
$ klist
Logged in as a domain user from the Linux command line:
Step 10 — Connect Linux to DC01 via WireGuard
Added the Oracle Linux machine as a peer on DC01 with WireGuard IP 10.10.0.3:
On BATCAVE, installed WireGuard and created the config:
sudo apt install -y wireguard
sudo nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = <LINUX-PRIVATE-KEY>
Address = 10.10.0.3/24
ListenPort = 51820
[Peer]
PublicKey = /qe58vBz5fDxhCmq9OQ3Nc+CjVHWluCsD7IQfb+UsAc=
AllowedIPs = 10.10.0.0/24
Endpoint = <DC01-VULTR-PUBLIC-IP>:51820
PersistentKeepalive = 25
$ sudo systemctl enable wg-quick@wg0
$ sudo systemctl start wg-quick@wg0
$ ping -c 3 10.10.0.1
Step 11 — Verify Cross-Domain SSH and SMB Access
Logged into BATCAVE via SSH using Tony Stark's account (who lives on the parent domain) and Homelander (child domain). Both worked:
Tested SMB access from Linux to the DC:
$ smbclient //stark-tower.hq.apex-corp.xyz -U t.stark
Ran nslookup tests to confirm DNS resolution from Linux:
type: kerberos
realm-name: VOUGHT.HQ.APEX-CORP.XYZ
domain-name: vought.hq.apex-corp.xyz
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: adcli
required-package: realmd
login-formats: %[email protected]
Deployment Checklist
- Oracle Cloud account with free tier credits verified
- Windows Server 2022 instance deployed and RDP accessible
- WireGuard installed and connected to hub (10.10.0.2)
- AD DS role installed and child domain promoted
- Ubuntu 24.04 instance deployed with WireGuard (10.10.0.3)
rdns = falseset in/etc/krb5.confbefore domain join- Both machines resolvable via DC01 DNS