Skip to content
ADscan Docs
🎯 CTF Labs

🧪 HTB Active Directory Labs (Auto-Pwn Benchmarks)

Auto-pwn retired HTB AD machines in 2–5 minutes with ADscan LITE. Use these walkthroughs to learn real attack chains and compare manual vs automated timings.

Why These HTB Labs Matter

If you practice AD labs regularly, you already know the hidden tax:

  • DNS/NTP/tooling setup
  • copy/paste between BloodHound, nxc, certipy, and notes
  • re-typing creds and losing track of evidence

These labs are meant to remove that friction so you can focus on learning the attack chain.

Benchmark disclaimer

The timings below are lab benchmarks, not a guarantee for real networks. In real internal engagements, the goal is to validate time saved and outcomes in a free POV with a defined baseline.

Choose Your Path

🎓 Individual pentesters

If you want to learn AD attack chains faster, start with ADscan LITE and follow the walkthroughs.

👉 Install ADscan LITE or view the GitHub repo

💼 Security consultants (internal AD engagements)

If your consultancy runs 2+ internal AD engagements/year, you can request PRO beta access to validate the full reporting workflow on a real engagement:

  • Time saved vs your baseline (target: ≥1 full day)
  • Time to first usable credential (TTFC) and repeatability
  • Client-ready PDF in 90 seconds from scan completion

👉 Request PRO beta access

Retired HTB Machines

These walkthroughs cover retired Hack The Box machines that can be automatically compromised using ADscan. All machines are officially retired and approved for public writeups.

Forest

Easy - AS-REP Roasting + Exchange Permissions. ~3 min auto-pwn.

Active

Easy - GPP Passwords + Kerberoasting. ~2 min auto-pwn.

Cicada

Easy - SMB share spidering + password spraying + DCSync. ~5 min auto-pwn.

Quick Reference

MachineDifficultyPrimary TechniqueADscan TimeManual Time
ActiveEasyGPP + Kerberoasting~2-3 min15-30 min
ForestEasyAS-REP + WriteDacl~3 min30-60 min
CicadaEasyMulti-stage credentials~5 min60-120 min

Getting Started with HTB

Prerequisites

  1. Hack The Box account - Sign up at hackthebox.com
  2. VIP subscription (optional) - For instant access to retired machines
  3. VPN connection - Download and connect via HTB VPN
  4. ADscan installed - See Installation Guide

Typical Workflow

# 1. Connect to HTB VPN
sudo openvpn lab_username.ovpn

# 2. Start ADscan
adscan start -v

# 3. Create workspace for the machine
workspace create htb_<machine_name>

# 4. Configure target
set iface tun0
set hosts <machine_ip>
set auto True

# 5. Launch attack
start_unauth

# 6. Wait for auto-pwn completion
# ADscan will automatically escalate to Domain Admin

Techniques by Machine

Initial Access

Credential Harvesting

  • GPP Passwords - Active
  • LDAP Attributes / Descriptions - Cicada
  • Password Spraying Chains - Cicada

Privilege Escalation

Learning Path

Beginner Path

  1. Start with Active - Introduces GPP exploitation and Kerberoasting
  2. Move to Forest - Learn AS-REP roasting and BloodHound analysis
  3. Challenge yourself with Cicada - Multi-stage attack chain

Exam Preparation

These machines provide excellent practice for:

  • OSCP - Active and Forest demonstrate common AD exam scenarios
  • CRTP - All three cover core AD enumeration and exploitation
  • PNPT - Real-world credential hunting and privilege escalation

Speed Running

Competition Times

Share your auto-pwn times in the ADscan Discord:

Current records (automatic mode):

  • Active: TBD
  • Forest: TBD
  • Cicada: TBD

Optimization Tips

  1. Pre-configure wordlists in ADscan settings
  2. Use automatic mode for fastest times
  3. Ensure proper network connectivity to minimize timeouts
  4. Run BloodHound CE locally for faster analysis

Common Issues

VPN Connection

# Verify tun0 interface
ip addr show tun0

# Test connectivity to machine
ping <machine_ip>

# Check routing
ip route | grep tun0

IP Address Changes

HTB assigns dynamic IPs. Update ADscan target:

set hosts <new_ip>

Next Steps

Start with Active

Easiest machine - GPP passwords and Kerberoasting

Try Forest

Learn AS-REP roasting and BloodHound automation

Challenge: Cicada

Multi-stage credential hunting adventure

🎯 Stop Wasting 30–60 Minutes Per Lab on DNS, Tooling & Copy/Paste

Auto-pwn HTB Active Directory labs in 2–5 minutes with ADscan LITE. Forest, Active & Cicada walkthroughs with baseline vs automated time comparisons.

⚡ Active - Auto-Pwn Walkthrough

Automatically compromise HTB Active using ADscan through GPP password exploitation and Kerberoasting

On this page

Why These HTB Labs MatterChoose Your Path🎓 Individual pentesters💼 Security consultants (internal AD engagements)Retired HTB MachinesQuick ReferenceGetting Started with HTBPrerequisitesTypical WorkflowTechniques by MachineInitial AccessCredential HarvestingPrivilege EscalationLearning PathBeginner PathExam PreparationSpeed RunningCompetition TimesOptimization TipsCommon IssuesVPN ConnectionIP Address ChangesRelated ResourcesNext Steps
Find this useful?
Pass it to the next pentester running an AD engagement
Running 2+ AD engagements/year?
Get PRO free — beta access·Free in exchange for feedback
Automated PDF reports. Save ≥1 day per engagement.

ADscan — AD pentest automation for security consultants

🧪 HTB Active Directory Labs (Auto-Pwn Benchmarks) | ADscan