OSEP DeHospital Walkthrough Part 2: Active Directory Escalation
OSEP DeHospital Walkthrough Part 2: Active Directory Escalation
Once you establish your initial foothold in the DeHospital network, the real PEN-300 challenge begins. The internal Active Directory environment of this simulated hospital is riddled with complex permissions and hidden escalation paths. Local privilege escalation is not enough; you must dominate the domain.
⚠️ Skip the Guesswork: AD enumeration in DeHospital can take days if you map it wrong. Accelerate your learning with our verified OSEP DeHospital Exam Guide.
Weaponizing BloodHound in DeHospital
Operating blindly in the DeHospital AD forest is a guaranteed failure. You must deploy SharpHound securely, ensuring your collection methods evade internal monitoring.
- Kerberoasting the Medical Staff: Look closely at the service accounts managing internal hospital applications. Many of these utilize weak Service Principal Names (SPNs) that can be Kerberoasted and cracked offline.
- AMSI Bypass for AD Enumeration: Before running your PowerShell AD enumeration scripts, you must patch AMSI in memory. Without this, your enumeration attempts will be blocked and logged.
Master the DeHospital AD Forest
Get the exact exploitation chains for every Active Directory flaw hidden in the DeHospital lab.