BloodHound


Using the TGT of the sql_svc user to dump domain information with BloodHound:

┌──(kali㉿kali)-[~/…/htb/labs/escape/bloodhound]
└─$ KRB5CCNAME=../sql_svc.ccache bloodhound-python -d SEQUEL.HTB -u sql_svc -k -no-pass -dc dc.sequel.htb --dns-tcp -ns $IP --zip -c All 
info: Found AD domain: sequel.htb
info: Using TGT from cache
info: Found TGT with correct principal in ccache file.
info: Connecting to LDAP server: dc.sequel.htb
warning: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
info: Found 1 domains
info: Found 1 domains in the forest
info: Found 1 computers
info: Connecting to LDAP server: dc.sequel.htb
warning: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
info: Found 10 users
info: Found 53 groups
info: Found 0 trusts
info: Starting computer enumeration with 10 workers
info: Querying computer: dc.sequel.htb
info: Ignoring host dc.sequel.htb since its reported name  does not match
info: Done in 00M 07S
info: Compressing output into 20230813071146_bloodhound.zip

Ingestion complete

This fork of the original ingestor provides much more reliable Kerberos authentication with a TGT.

┌──(kali㉿kali)-[~/…/htb/labs/escape/bloodhound]
└─$ sudo neo4j console
[sudo] password for kali: 
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/escape/bloodhound]
└─$ bloodhound

Firing up Neo4j and BloodHound

Upload complete

Unable to evaluate the potential attack path with BloodHound.