Vulnerabilities Plugins
Vulnerability plugins plant deliberate weaknesses for students to discover and exploit. Use them to seed a lab with intentional attack paths — a Kerberoastable account, an unquoted service path, a vulnerable web service — without hand-configuring every detail.
Available plugins
Section titled “Available plugins”| Plugin | What it does | Params | Uses |
|---|---|---|---|
| Make Account Kerberoastable | Configures an AD user account with a Service Principal Name (SPN) so it can be Kerberoasted. | samaccountname domainFQDN | 121 |
| Install Vulnerable Nostromo Web (RCE) | Installs a vulnerable Nostromo web server (RCE-ready) on Linux on a chosen port. | DesiredPort | 13 |
| Unquoted Service Path | Creates a Windows service with an unquoted binary path containing spaces and a parent directory writable by Everyone — a classic privilege-escalation primitive. Caller must drop the binary at BinPath via a preceding File Copy. | ServiceName BinPath ServiceDescription | 12 |
| Vulnerable VSFTP (RCE) | Installs a vulnerable VSFTP server on Linux. Trigger the RCE via ftp login with the username x:), then connect to port 6200. | DesiredPort | 8 |
| Enable Pass-the-Hash RDP | Enables Restricted Admin mode for RDP so attackers can authenticate with a password hash (Pass-the-Hash) instead of a plaintext password. | — | 6 |
| Tomcat Vulnerability | Installs Apache Tomcat with intentionally weak manager credentials so students can practice WAR-file deployment for RCE. | portlistening | 6 |
| Create Vulnerable Service (Editable Service Config) | Creates a Windows service with an intentionally weak DACL — any authenticated user can modify the service config, including changing the binary path to point to a malicious executable. Caller must drop the binary via a preceding File Copy. | Binpath ServiceName ServiceDescription | 5 |
| Enable PSRemoting (Lateral Movement) | Enables PowerShell Remoting and disables UAC token filtering for local accounts (LocalAccountTokenFilterPolicy=1) — opens the door to Pass-the-Hash via WinRM. | — | 4 |
| Make Account AS-REP Roastable | Disables Kerberos pre-authentication on an AD user (DONT_REQUIRE_PREAUTH) so attackers can request an AS-REP for the account and crack it offline. | SamAccountName | 4 |
| Weak Service Binary Permissions | Creates a Windows service where any user has Full Control over both the service binary and its parent directory. Drop a malicious EXE and wait for the service to restart. | ServiceName ServiceDescription BinPath | 3 |
| Install ADCS | Installs Active Directory Certificate Services with configurable ESC1–ESC16 vulnerable templates and CA settings for cert-abuse exercises. | ADCSCAName Hostname DomainNameFQDN DomainOUPath Description ADCSCAESCs ADCSTemplateESCs | 2 |
| Constrained Delegation | Configures a Windows computer for Constrained Delegation by adding CIFS/LDAP SPNs to msDS-AllowedToDelegateTo and enabling trusted delegation. | workstationName domainName machineFQDN | 1 |
| Rejetto HTTP File Server HFS (RCE) | Installs a vulnerable build of Rejetto HFS (HTTP File Server) on Windows, exploitable for unauthenticated remote command execution — useful for web-RCE training scenarios. | — | 0 |