BloodHound


BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion


The ingestion was already performed by PEAS’s built-in SharpHound.

*Evil-WinRM* PS C:\tmp> download cerberus.local_20240117101133_BloodHound.zip
 
Info: Downloading C:\tmp\cerberus.local_20240117101133_BloodHound.zip to cerberus.local_20240117101133_BloodHound.zip
Info: Download successful!

Downloading the ingested domain data to Kali

Prep


┌──(kali㉿kali)-[~/…/htb/labs/cerberus/bloodhound]
└─$ sudo neo4j console
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/cerberus/bloodhound]
└─$ bloodhound

Firing up neo4j and bloodhound

Ingested domain data uploaded

Kerberoast-able Accounts


adfs_svc$ is a kerberoast-able account

adfs_svc$


adfs_svc$ is a Group Managed Service Account (gMSA)

It’s also considered a computer object

Interestingly, its gMSA password can be read by the computer object of the dc.cerberus.local host
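
The two findings above (a gMSA that carries an SPN, and which principals may read its managed password) can be checked from the defender's side directly in the directory. The following is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory module, the function name Get-GmsaReaderReport is hypothetical, and the rule that any non-computer reader needs review is an assumed policy.

```powershell
# Added example (not from the original notes): list who may read each gMSA password.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-GmsaReaderReport {    # hypothetical helper name
    [CmdletBinding()]
    param([string]$Identity)       # optional, e.g. 'adfs_svc'; default is every gMSA

    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'ServicePrincipalNames'
    $accounts = if ($Identity) {
        Get-ADServiceAccount -Identity $Identity -Properties $props
    } else {
        Get-ADServiceAccount -Filter * -Properties $props
    }
    # Get-ADServiceAccount also returns standalone MSAs; keep only gMSAs.
    $gmsas = $accounts | Where-Object ObjectClass -eq 'msDS-GroupManagedServiceAccount'

    foreach ($gmsa in $gmsas) {
        foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
            $class = 'unresolved'; $members = $null
            try {
                $reader = Get-ADObject -Identity $dn -ErrorAction Stop
                $class  = $reader.ObjectClass
                if ($class -eq 'group') {
                    # A group reader means every nested member can read the password.
                    $members = @(Get-ADGroupMember -Identity $dn -Recursive).Count
                }
            } catch {
                Write-Verbose "Could not resolve $dn : $_"
            }
            [pscustomobject]@{
                Gmsa             = $gmsa.SamAccountName
                HasSpn           = @($gmsa.ServicePrincipalNames).Count -gt 0
                Reader           = $dn
                ReaderClass      = $class
                EffectiveMembers = $members
                # Assumed policy: only the hosts running the service should be readers.
                NeedsReview      = $class -ne 'computer'
            }
        }
    }
}

# Usage: Get-GmsaReaderReport -Identity 'adfs_svc' | Format-Table -AutoSize
```

A row whose Reader is a computer object still deserves a look at which host it is, since anyone with SYSTEM on that host can retrieve the gMSA password.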