BloodHound


BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion


┌──(kali㉿kali)-[~/…/htb/labs/cicada/bloodhound]
└─$ KRB5CCNAME=../michael.wrightson@cicada-dc.cicada.htb.ccache bloodhound-python -d CICADA.HTB -u michael.wrightson -k -no-pass --auth-method kerberos -ns $IP -dc cicada-dc.cicada.htb --zip -c ALL
Password: 
INFO: Found AD domain: cicada.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: cicada-dc.cicada.htb
INFO: Found 9 users
INFO: Found 54 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: CICADA-DC.cicada.htb
INFO: Done in 00M 04S
INFO: Compressing output into 20240929054421_bloodhound.zip

Using the cached TGT of the michael.wrightson account (passed through KRB5CCNAME with -k and -no-pass), the entire domain's data can be collected with bloodhound-python and written to a zip file.

Preps


┌──(kali㉿kali)-[~/…/htb/labs/cicada/bloodhound]
└─$ neo4j_kickstart                                 
2024-09-29 03:45:50.726+0000 INFO  Starting...
2024-09-29 03:45:51.167+0000 INFO  This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2024-09-29 03:45:52.176+0000 INFO  ======== Neo4j 4.4.37 ========
2024-09-29 03:45:52.993+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2024-09-29 03:45:52.993+0000 INFO  Updating the initial password in component 'security-users'
2024-09-29 03:45:53.737+0000 INFO  Bolt enabled on localhost:7687.
2024-09-29 03:45:54.472+0000 INFO  Remote interface available at http://localhost:7474/
2024-09-29 03:45:54.475+0000 INFO  id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2024-09-29 03:45:54.476+0000 INFO  name: system
2024-09-29 03:45:54.476+0000 INFO  creationDate: 2024-09-01T10:39:20.089Z
2024-09-29 03:45:54.476+0000 INFO  Started.
┌──(kali㉿kali)-[~/…/htb/labs/cicada/bloodhound]
└─$ bloodhound

Firing up neo4j and the BloodHound GUI.

Uploading the collected zip file into BloodHound.

Domain


michael.wrightson


david.orelious


The description field of this account discloses a password. This was initially found with LDAPDomainDump.

emily.oscars


The user is a member of both the Remote Management Users and Backup Operators groups.
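As an added example (not part of the original writeup), a small audit script over bloodhound-python output that flags the two findings above: description attributes that look like they hold a credential, and users who are direct members of sensitive built-in groups. The JSON shape is an assumption approximating the users.json and groups.json files in the collector's zip; the user data, SIDs and password are constructed.

```python
"""Audit helper over bloodhound-python output (added example, not the writeup's own code);
the JSON shape approximates its users.json / groups.json; all sample data is constructed."""
import json
import re

# Constructed sample: placeholder SIDs, placeholder password in the description.
SAMPLE_USERS = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1101",
     "Properties": {"name": "MICHAEL.WRIGHTSON@CICADA.HTB", "description": None}},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1102",
     "Properties": {"name": "DAVID.ORELIOUS@CICADA.HTB",
                    "description": "Just in case I forget my password is <placeholder>"}},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1103",
     "Properties": {"name": "EMILY.OSCARS@CICADA.HTB", "description": "Helpdesk"}}]})
SAMPLE_GROUPS = json.dumps({"data": [
    {"Properties": {"name": "BACKUP OPERATORS@CICADA.HTB"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-0-0-0-1103", "ObjectType": "User"}]},
    {"Properties": {"name": "REMOTE MANAGEMENT USERS@CICADA.HTB"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-0-0-0-1103", "ObjectType": "User"}]}]})

# Terms that, in a description attribute, usually mean a credential was written down.
CRED_RE = re.compile(r"\b(pass(word|wd)?|pwd|secret|cred(ential)?s?)\b", re.IGNORECASE)
# Built-in groups worth reviewing: Backup Operators can read any file on the DC,
# Remote Management Users can open WinRM sessions.
SENSITIVE_GROUPS = {"BACKUP OPERATORS", "REMOTE MANAGEMENT USERS", "DOMAIN ADMINS",
                    "ADMINISTRATORS", "ACCOUNT OPERATORS", "SERVER OPERATORS"}

def descriptions_with_credentials(users_json):
    """(name, description) for every user whose description looks like it holds a credential."""
    hits = []
    for u in json.loads(users_json)["data"]:
        desc = u["Properties"].get("description") or ""
        if CRED_RE.search(desc):
            hits.append((u["Properties"]["name"], desc))
    return hits

def sensitive_memberships(users_json, groups_json):
    """Map user name -> sorted sensitive built-in groups it is a direct member of."""
    sid_to_name = {u["ObjectIdentifier"]: u["Properties"]["name"]
                   for u in json.loads(users_json)["data"]}
    result = {}
    for g in json.loads(groups_json)["data"]:
        gname = g["Properties"]["name"].split("@")[0]
        if gname not in SENSITIVE_GROUPS:
            continue
        for m in g.get("Members", []):  # nested groups are not expanded here
            name = sid_to_name.get(m["ObjectIdentifier"])
            if m.get("ObjectType") == "User" and name:
                result.setdefault(name, []).append(gname)
    return {k: sorted(v) for k, v in result.items()}
```

Point both functions at the corresponding JSON members of a real collector zip to get the same two reports for a domain you administer.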