# GOAD

These are my internal notes for getting GOAD (Game of Active Directory) up and running on Proxmox.

# Install the essentials

```bash
apt update && apt install curl sudo tmux -y
curl -s https://ludus.cloud/install | bash
```

The server may reboot a few times, and you'll lose SSH connectivity temporarily.

# Check install status

```bash
ludus-install-status
```

At the end of the install you'll get an API key. Write it down! You'll need it for the next step.

# Make an admin user

```bash
export LUDUS_API_KEY='ROOT.xxx'
ludus user add --name "Brian Johnson" --userid brian --admin --url https://127.0.0.1:8081
```

# Get that user's Proxmox creds

```bash
export LUDUS_API_KEY='brian.xxx'
ludus user creds get
```

# Download GOAD

```bash
sudo apt install python3.11-venv
export LUDUS_API_KEY='brian.123@xxxx'
git clone https://github.com/Orange-Cyberdefense/GOAD.git ~/GOAD
```

# Install Ludus

```bash
git clone https://gitlab.com/badsectorlabs/ludus ~/ludus
cd ~/ludus/templates
```

# Build VM templates - 4 at a time

Note: before you do, edit `~/GOAD/extensions/ws01/providers/ludus/config.yml` and put `win10-22h2-x64-enterprise-template` as the extension instead of the Win10 template name that comes by default.

```bash
ludus templates add -d ubuntu-22.04-x64-server
ludus templates add -d win10-22h2-x64-enterprise
ludus templates add -d win2016-server-x64
ludus templates add -d win2019-server-x64
ludus templates build -p 4
```

Note: normally you can run `ludus templates status` to check the status of the template install, but this will fail if you're building multiple templates at once with the `-p` flag.

# Run GOAD

```
cd ~/GOAD
./goad.sh -p ludus
check
set_lab GOAD
# GOAD/GOAD-Light/NHA/SCCM/etc
install
```

# Install the GOAD extensions (optional)

```
install_extension elk
install_extension exchange
install_extension ws01
install_extension wazuh
```

# Snapshot VMs (optional)

See this guide, but in general you could snapshot the whole range with:

```bash
ludus snapshots create <snapshot-name>
```

# Redeploy a range

# Troubleshooting

# Elasticsearch reset

I had an issue where Elasticsearch dashboard was all jacked up with messages like:

“Failed to retrieve privileges”
“License is not available”
“Kibana server is not ready yet”

# Reset Elasticsearch passwords

```bash
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive
```

# Test the new password

```bash
curl -u elastic:NewPass2026!!! http://10.3.10.50:9200
```

# Update Kibana config

In `/etc/kibana/kibana.yml` add:

```yaml
elasticsearch.hosts: ["http://10.3.10.50:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "NewPass2026!!!"
```

# Restart services

```bash
sudo systemctl restart elasticsearch
sudo systemctl restart kibana
```

# Monitor logs

```bash
sudo journalctl -u kibana -f
```

# Check that the dashboards are actually working

Elasticsearch accessible at http://10.3.10.50:9200
Kibana working at http://10.3.10.50:5601
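
An added example (not part of the original notes, GOAD or Ludus): a small shell check for this last step that probes Elasticsearch and Kibana and turns each HTTP status into a diagnosis. It assumes the host and ports used in these notes, `ES_USER`/`ES_PASS` environment variables that you set yourself, and the hypothetical function names `http_code`, `diagnose` and `check_stack`; the credentials are fed to curl through a config on stdin instead of the command line.

```bash
#!/usr/bin/env bash
# Added example: post-reset health check for the ELK box in these notes.
# Assumed: ES_USER / ES_PASS are environment variables you export yourself.
ES_URL="${ES_URL:-http://10.3.10.50:9200}"
KIBANA_URL="${KIBANA_URL:-http://10.3.10.50:5601}"

# Print the HTTP status code for a URL ("000" when the connection fails).
# Credentials reach curl as a config on stdin, so the password stays out of
# the process list and shell history. A password containing " or \ must be
# backslash-escaped for curl's config syntax.
http_code() {
  printf 'user = "%s:%s"\n' "${ES_USER:-elastic}" "${ES_PASS:-}" |
    curl -s -o /dev/null -m 10 -w '%{http_code}' -K - "$1" || true
}

# Turn a service name plus status code into a one-line diagnosis.
diagnose() {
  case "$2" in
    200) echo "$1: OK" ;;
    401) echo "$1: credentials rejected, re-check the reset password" ;;
    403) echo "$1: authenticated but not authorized" ;;
    503) echo "$1: not ready yet, see journalctl -u $1" ;;
    000) echo "$1: no connection, service down or wrong host/port" ;;
    *)   echo "$1: unexpected HTTP $2" ;;
  esac
}

# Probe both services; return non-zero if either is not healthy.
check_stack() {
  rc=0
  code="$(http_code "$ES_URL/")"
  diagnose elasticsearch "$code"
  [ "$code" = 200 ] || rc=1
  code="$(http_code "$KIBANA_URL/api/status")"
  diagnose kibana "$code"
  [ "$code" = 200 ] || rc=1
  return "$rc"
}

# Usage: ES_PASS='...' ./check_elk.sh --run
case "${1:-}" in --run) check_stack ;; esac
```

A 503 from Kibana is the HTTP form of the "Kibana server is not ready yet" message, so a 200 from Elasticsearch paired with a 503 from Kibana points at the Kibana config or service, not at the password reset.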

# Reinstalling just certain parts of a GOAD install

From the author:

Yes you can retry certain parts. Use `>provision_extension wazuh` to relaunch only wazuh provision once instance is selected.

# Wazuh install

```powershell
invoke-webrequest https://packages.wazuh.com/4.x/windows/wazuh-agent-4.8.2-1.msi -outfile c:\tmp\wazuh-agent
msiexec.exe /i c:\tmp\wazuh-agent /q WAZUH_MANAGER=ip.of.wazuh.box WAZUH_REGISTRATION_SERVER=ip.of.wazuh.box
```

# Winlogbeat install

Sometimes Windows systems don't get the winlogbeat.zip properly so I manually visit them from VNC console and install via PowerShell:

```powershell
invoke-webrequest https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.17.6-windows-x86_64.zip -outfile "c:\program files\elastic\winlogbeat\winlogbeat.zip"
```