# GOAD

This is my internal notes for getting GOAD - Game of Active Directory up and running on Proxmox.

# Install the essentials

apt update && apt install curl sudo tmux -y
curl -s https://ludus.cloud/install | bash

Server may reboot a few times and you'll lose SSH connectivity temporarily.

# Check install status

ludus-install-status

At the end of the install you'll get an API key. Write it down! You'll need it for the next step.

# Make an admin user

export LUDUS_API_KEY='ROOT.xxx'
ludus user add --name "Brian Johnson" --userid brian --admin --url https://127.0.0.1:8081

# Get that user's Proxmox creds

export LUDUS_API_KEY='brian.xxx'
ludus user creds get

# Download GOAD

sudo apt install python3.11-venv  
export LUDUS_API_KEY='brian.123@xxxx'
git clone https://github.com/Orange-Cyberdefense/GOAD.git ~/GOAD

# Install Ludus

git clone https://gitlab.com/badsectorlabs/ludus ~/ludus
cd ~/ludus/templates

# Build VM templates - 4 at a time

Note: before you do, edit ~/GOAD/extensions/ws01/providers/ludus/config.yml and put win10-22h2-x64-enterprise-template as the extension instead of the Win10 template name that comes by default. Here's what the file will then look like:

- vm_name: "-GOAD-WS01"
    hostname: "-WS01"
    template: win10-22h2-x64-enterprise-template
    vlan: 10
    ip_last_octet: 31
    ram_gb: 4
    cpus: 2
    windows:
      sysprep: true

Now you can build the templates:

# Add the templates you need for a full GOAD load:
cd ~/ludus/templates
ludus templates add -d ubuntu-22.04-x64-server
ludus templates add -d win10-22h2-x64-enterprise
ludus templates add -d win2016-server-x64
ludus templates add -d win2019-server-x64
ludus templates build -p 4

# Check the template list
ludus templates list

# Example output of templates list
+------------------------------------+-------+
|              TEMPLATE              | BUILT |
+------------------------------------+-------+
| debian-11-x64-server-template      | TRUE  |
| debian-12-x64-server-template      | TRUE  |
| kali-x64-desktop-template          | TRUE  |
| win11-22h2-x64-enterprise-template | TRUE  |
| win2022-server-x64-template        | TRUE  |
| ubuntu-22.04-x64-server-template   | TRUE  |
| win10-22h2-x64-enterprise-template | TRUE  |
| win2016-server-x64-template        | TRUE  |
| win2019-server-x64-template        | TRUE  |
+------------------------------------+-------+

Note: normally you can run ludus templates status to check status of the template install, but this will fail if you're building multiple templates at once with the -p flag.

# Install GOAD

cd ~/GOAD
./goad.sh -p ludus 

# Check the install
check

# Set lab to GOAD/GOAD-Light/NHA/SCCM/etc  
set_lab GOAD

# Set the first three octets of the range (optional)
set_ip_range 10.3.10

# Install
install

# Install the GOAD extensions (optional)

install_extension elk
install_extension exchange
install_extension ws01
install_extension wazuh

# Check range status

ludus range config get
ludus range status --user GOAD[plus numbers/digits that appear after the VMs in your lab

# Snapshot VMs (optional)

See this guide, but in general you could snapshot the whole range with:

ludus snapshots create <snapshot-name>

# Redeploy a range

You can follow these steps to redeploy a range:

# Redeploy just a specific VM

...one that might be having license issues (where 180 count is not resetting, for example):

ludus range deploy --limit GOAD0ffddd-GOAD-SRV01 --user GOAD0ffddd-GOAD-SRV01

Watch logs:

ludus range logs -f --user GOAD0ffddd 

More information about adding a single VM to a range here

# Redeploy the WHOLE range

# Run GOAD shell and specify Ludus as provider
cd ~/GOAD
./goad.sh -p ludus

# List instances
list

# "Use" the one that needs redeployment
load xxx-goad-ludus (whatever the range name is)

# Kill it with fire (you'll be asked to confirm the destruction)!
destroy

# Keep tabs on its death
status

After "death" I found a problem (discussed here where even after rebuilding the range, the Windows VMs thought they only had a few days left of licensing (despite doing slmgr /rearm and rebooting).

So I trashed all the templates with:

ludus templates rm -n debian-11-x64-server-template
ludus templates rm -n debian-12-x64-server-template
ludus templates rm -n kali-x64-desktop-template
ludus templates rm -n win11-22h2-x64-enterprise-template
ludus templates rm -n win2022-server-x64-template
ludus templates rm -n ubuntu-22.04-x64-server-template
ludus templates rm -n win10-22h2-x64-enterprise-template
ludus templates rm -n win2016-server-x64-template
ludus templates rm -n win2019-server-x64-template

Then rebuild the templates:

# Readd the templates (sanity check)
cd ~/ludus/templates
ludus templates add -d ubuntu-22.04-x64-server
ludus templates add -d win10-22h2-x64-enterprise
ludus templates add -d win2016-server-x64
ludus templates add -d win2019-server-x64

# Build the templates
ludus templates build -p 4

# Check status on builds
ludus templates list

Before redeploying, I've found that the /root/.ssh/known_hosts file needs to have its previous GOAD hosts cleared out so that you don't get SSH key/security issues on next deployment. In those cases, I do this (assuming 10.3.10.x is my old subnet):

# Backup first just in case
cp /root/.ssh/known_hosts /root/.ssh/known_hosts.bak

# Remove all offending entries
for ip in $(seq 1 254); do
  ssh-keygen -f "/root/.ssh/known_hosts" -R "10.3.10.$ip"
done

# Troubleshooting

# Elasticsearch reset

I had an issue where Elasticsearch dashboard was all jacked up with messages like:

“Failed to retrieve privileges”
“License is not available”
“Kibana server is not ready yet”

# Reset Elasticsearch passwords

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

# Test the new password

curl -u elastic:NewPass2026!!! http://10.3.10.50:9200

# Update Kibana config

In /etc/kibana/kibana.yml add:

elasticsearch.hosts: ["http://10.3.10.50:9200"]
elasticsearch.username: "elastic"
elasticsearch.password: "NewPass2026!!!"

# Restart services

sudo systemctl restart elasticsearch
sudo systemctl restart kibana

# Monitor logs

sudo journalctl -u kibana -f

# Check that dashboard are actually working

Elasticsearch accessible at http://10.3.10.50:9200
Kibana working at http://10.3.10.50:5601

# Installing/reinstalling just certain parts of a GOAD install

From the author:

Yes you can retry certain parts. Use `>provision_extension wazuh` to relaunch only wazuh provision once instance is selected.

# Wazuh manual agent install

Sometimes when installing/reinstalling goad, one or more servers complain that the Wazuh installation fails (typically SRV01). So I'll jump into that machine's VNC console in Proxmox and do this:

invoke-webrequest https://packages.wazuh.com/4.x/windows/wazuh-agent-4.8.2-1.msi -outfile c:\tmp\wazuh-agent

Then I just run the GOAD install command again:

install

There was also one time I had to do the next step, which is complete the manual install:

msiexec.exe /i c:\tmp\wazuh-agent /q WAZUH_MANAGER=ip.of.wazuh.box WAZUH_REGISTRATION_SERVER=ip.of.wazuh.box

# Wazuh server default password

Per this issue, if you need to get the various Wazuh passwords, login at the console (username: localuser, password: password) and then check the end of this file for the default Wazuh install password:

/opt/wazuh/wazuh-install-output.txt

# Winlogbeat install

Sometimes Windows systems don't get the winlogbeat.zip properly so I manually visit them from VNC console and install via PowerShell:

invoke-webrequest https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.17.6-windows-x86_64.zip -outfile "c:\program files\elastic\winlogbeat\winlogbeat.zip"

# Debian router config

# iptables rules

I use a Hetzner server to setup two networks in my GOAD environment. One is configured with an extra external IP where the firewall terminates, and that LAN is 192.168.1.x. So in order to then have an Apache Guacamole server traverse from 192.168.1.x I like to back up the current iptables config and then modify a rule to allow traffic:

# Update and install iptables-persistent module
sudo apt update
sudo apt install iptables-persistent

# Backup current config
sudo iptables-save > 2025-xx-xx-iptables.original

# Punch in rules to allow 192.168.1.x to talk to the GOAD network of 10.3.10.x
sudo iptables -I LUDUS_DEFAULTS 2 -s 192.168.1.111/32 -d 10.3.0.0/16 -m comment --comment "192.168.1.111/32 IP to range forward rule" -j ACCEPT
sudo iptables -I LUDUS_DEFAULTS 3 -s 192.0.2.49/32 -d 10.3.0.0/16 -m comment --comment "opnsense to range forward rule" -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.3.10.0/24 ! -d 198.51.100.0/24 -o ens18 -j MASQUERADE

# Make rules persistent
sudo netfilter-persistent save

# Save the rules one more time
sudo iptables-save > 2025-xx-xx-iptables.golden

# Block LAN to WAN traffic

I had a few instances where Hetzner was complaining about scanning activity from inside my GOAD network. I could never figure out if it was indeed coming from students, but had this rule ready to block all GOAD-to-Internet traffic with this iptables rule if necessary:

# Block 10.3.10.x from hitting the Internet
sudo iptables -I LUDUS_USER_RULES 1 -s 10.3.10.0/24 -j DROP

# Remove rule when the coast is clear
sudo iptables -D LUDUS_USER_RULES -s 10.3.10.0/24 -j DROP

# Extend Windows licenses

You can extend them (I think) up to 3 times for a total of 540 days. When the countdown is running low on a Windows system, do this from cmd prompt:

slmgr /rearm

Check license expiration:

slmgr /xpr

More information about the technical bits behind license re-arm procedures, read this.