BloodHound


Ingestion must be performed in order to pull the domain data out of the target domain. I’ll be using bloodhound-python.

Ingestion


┌──(kali㉿kali)-[~/…/htb/labs/cascade/bloodhound]
└─$ KRB5CCNAME=../r.thompson.ccache bloodhound-python -u r.thompson -d CASCADE.LOCAL -k -ns $IP -dc casc-dc1.cascade.local --dns-tcp --zip -no-pass -c All 
Password: 
INFO: Found AD domain: cascade.local
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: casc-dc1.cascade.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: casc-dc1.cascade.local
INFO: Found 18 users
INFO: Found 53 groups
INFO: Found 7 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CASC-DC1.cascade.local
INFO: User ANONYMOUS LOGON is logged in on CASC-DC1.cascade.local from 10.10.14.2
WARNING: Failed to resolve SAM name ANONYMOUS LOGON in current forest
INFO: Done in 00M 18S
INFO: Compressing output into 20230626060450_bloodhound.zip

Using the TGT of the r.thompson user, I am able to authenticate to the target KDC to run the ingestor for bloodhound. Although bloodhound-python prompted me for a password, I did not provide any, and it worked out just fine. Additionally, the -no-pass flag of bloodhound-python doesn’t seem to be functional.

BloodHound


┌──(kali㉿kali)-[~/…/htb/labs/cascade/bloodhound]
└─$ sudo neo4j console
[sudo] password for kali: 
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/cascade/bloodhound]
└─$ bloodhound

Firing up both neo4j and bloodhound

Ingested data upload complete

r.thompson


s.smith


arksvc