Bloodhound
┌──(kali㉿kali)-[~/…/htb/labs/forest/bloodhound]
└─$ bloodhound-python -u svc-alfresco@htb.local -p s3rvice -d htb.local -dc forest.htb.local -ns $IP --zip -c All
info: Found AD domain: htb.local
info: Connecting to LDAP server: forest.htb.local
info: Found 1 domains
info: Found 1 domains in the forest
info: Found 2 computers
info: Connecting to LDAP server: forest.htb.local
info: Found 32 users
info: Found 76 groups
info: Found 0 trusts
info: Starting computer enumeration with 10 workers
info: Querying computer: EXCH01.htb.local
info: Querying computer: FOREST.htb.local
info: Done in 00M 08S
info: Compressing output into 20230122150009_bloodhound.zip
bloodhound-python is a Python implementation of the BloodHound ingestor that can be run remotely against the domain controller. Let's fire up neo4j and load the data into BloodHound.
┌──(kali㉿kali)-[~/…/htb/labs/forest/bloodhound]
└─$ sudo neo4j console
[sudo] password for kali:
directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /usr/share/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /usr/share/neo4j/run
Starting Neo4j.
2023-01-22 13:57:02.390+0000 INFO Starting...
2023-01-22 13:57:03.516+0000 INFO This instance is ServerId{11a3e7a2} (11a3e7a2-c1fa-46ea-9d66-f9c0305785d4)
2023-01-22 13:57:04.957+0000 INFO ======== Neo4j 4.4.7 ========
neo4j started. The database is running on localhost:7687.
┌──(kali㉿kali)-[~/…/htb/labs/forest/bloodhound]
└─$ bloodhound
Upload Complete
WinRM
It would appear that the svc-alfresco user is able to WinRM to the forest host
Exchange Server
The svc-alfresco user has a transitive group membership in the Account Operators group, which in turn has the GenericAll privilege over the EXCH01 host.
Being part of the Exchange Trusted Subsystem group provides:
- a transitive group membership in the Exchange Windows Permissions group, which has the WriteDACL privilege over the domain
- the WriteDACL privilege over the Exchange Windows Permissions group, which has the WriteDACL privilege over the domain
- the AddMember privilege over the Exchange Windows Permissions group, which has the WriteDACL privilege over the domain
Or, a quicker route:
Shortcut
Being part of the Account Operators group provides the GenericAll privilege over the Exchange Windows Permissions group.
The Exchange Windows Permissions group then has the WriteDACL privileges over the entire domain
Shadow Credentials
The svc-alfresco user’s reach extends even further
Being part of the Account Operators group grants the user the GenericAll privilege over the Key Admins and Enterprise Key Admins groups.
Those two groups then have the AddKeyCredentialLink privilege over the forest host.
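The paths described in the Exchange Server, Shortcut and Shadow Credentials sections, reduced to a small edge list and searched the way you would audit BloodHound data for remediation: every simple path from svc-alfresco to the domain or to the FOREST host, and the ACL edges on each path that a defender would remove to break it. This is an added example, not part of the original writeup or the BloodHound project; EXCH01's membership in Exchange Trusted Subsystem is assumed from the wording above, and CanPSRemote is the edge name BloodHound uses for WinRM access.

```python
from collections import defaultdict

# Constructed edge list (source, relation, target) mirroring the BloodHound
# findings in the writeup. MemberOf is group membership; every other relation
# is an ACL right BloodHound flags as abusable. EXCH01's membership in Exchange
# Trusted Subsystem is assumed; CanPSRemote is BloodHound's edge for WinRM.
EDGES = [
    ("SVC-ALFRESCO@HTB.LOCAL", "MemberOf", "ACCOUNT OPERATORS@HTB.LOCAL"),
    ("SVC-ALFRESCO@HTB.LOCAL", "CanPSRemote", "FOREST.HTB.LOCAL"),
    ("ACCOUNT OPERATORS@HTB.LOCAL", "GenericAll", "EXCH01.HTB.LOCAL"),
    ("ACCOUNT OPERATORS@HTB.LOCAL", "GenericAll", "EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL"),
    ("ACCOUNT OPERATORS@HTB.LOCAL", "GenericAll", "KEY ADMINS@HTB.LOCAL"),
    ("ACCOUNT OPERATORS@HTB.LOCAL", "GenericAll", "ENTERPRISE KEY ADMINS@HTB.LOCAL"),
    ("EXCH01.HTB.LOCAL", "MemberOf", "EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL"),
    ("EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL", "MemberOf", "EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL"),
    ("EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL", "WriteDacl", "EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL"),
    ("EXCHANGE TRUSTED SUBSYSTEM@HTB.LOCAL", "AddMember", "EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL"),
    ("EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL", "WriteDacl", "HTB.LOCAL"),
    ("KEY ADMINS@HTB.LOCAL", "AddKeyCredentialLink", "FOREST.HTB.LOCAL"),
    ("ENTERPRISE KEY ADMINS@HTB.LOCAL", "AddKeyCredentialLink", "FOREST.HTB.LOCAL"),
]

def find_paths(edges, start, target, max_depth=8):
    """Every simple path from start to target as (src, rel, dst) edges, shortest first."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    paths = []

    def walk(node, path, seen):
        if node == target:
            paths.append(path)
            return
        if len(path) >= max_depth:
            return
        for rel, dst in graph[node]:
            if dst not in seen:  # simple paths only: never revisit a node
                walk(dst, path + [(node, rel, dst)], seen | {dst})

    walk(start, [], {start})
    return sorted(paths, key=len)

def acl_edges(path):
    """Non-membership edges on a path: the ACEs whose removal breaks it."""
    return [e for e in path if e[1] != "MemberOf"]

if __name__ == "__main__":
    for p in find_paths(EDGES, "SVC-ALFRESCO@HTB.LOCAL", "HTB.LOCAL"):
        print(" -> ".join(f"{s} [{r}]" for s, r, _ in p), "-> HTB.LOCAL")
```

The shortest path to the domain is the two-ACE shortcut (GenericAll on Exchange Windows Permissions, then its WriteDACL on the domain), so fixing those two ACEs also severs the three longer routes through Exchange Trusted Subsystem.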