BloodHound


┌──(kali㉿kali)-[~/…/htb/labs/fuse/bloodhound]
└─$ bloodhound-python -u bnielson@fabricorp.local -p Qwer1234 -ns $IP -d FABRICORP.LOCAL -dc fuse.fabricorp.local --zip -c All
info: Found AD domain: fabricorp.local
info: Connecting to LDAP server: fuse.fabricorp.local
info: Found 1 domains
info: Found 1 domains in the forest
info: Found 1 computers
info: Connecting to LDAP server: fuse.fabricorp.local
info: Found 16 users
info: Found 54 groups
info: Found 0 trusts
info: Starting computer enumeration with 10 workers
info: Querying computer: Fuse.fabricorp.local
info: Done in 00M 06S
info: Compressing output into 20230202160051_bloodhound.zip

Using valid domain credentials from multiple sources, I can authenticate and perform BloodHound ingestion.

┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ sudo neo4j console
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
2023-02-02 14:59:26.532+0000 INFO  Starting...
 
┌──(kali㉿kali)-[~/archive/htb/labs/fuse]
└─$ bloodhound

Firing up neo4j and bloodhound

Upload complete

Kerberoasting


The only Kerberoastable account is KRBTGT, which is disabled and set by default, so it is of no use.

sthompson


The sthompson user is also part of the Domain Admins group and has DCSync privilege over the whole domain.

svc-print


The svc-print user has an extensive transitive group membership that allows the user to PSRemote to the target system. Thankfully, the CLEARTEXT password extracted from the printer belongs to the svc-print user.
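
From the defender's side, a nested-membership path like the one described above can be found by resolving group nesting transitively and reporting the chain that grants remote access. This is an added example, not part of the original writeup; the membership data is constructed and the intermediate group names are hypothetical.

```python
from collections import deque

TARGET = "Remote Management Users"   # built-in group that permits WinRM / PSRemoting

# Constructed sample of direct "member of" edges (not the lab's real memberships).
# Every group name except TARGET is hypothetical.
MEMBER_OF = {
    "svc-print": ["Print Tier", "IT Accounts"],
    "IT Accounts": ["Remote Helpdesk"],
    # "Remote Helpdesk" nests back into "IT Accounts": a circular nesting
    "Remote Helpdesk": ["IT Accounts", TARGET],
    "bnielson": ["Domain Users"],
}
USERS = ["svc-print", "bnielson"]


def path_to_group(principal, target, member_of):
    """Return the shortest membership chain from principal to target, or None."""
    queue = deque([[principal]])
    seen = {principal}
    while queue:
        path = queue.popleft()
        for group in member_of.get(path[-1], []):
            if group == target:
                return path + [group]
            if group not in seen:        # guard against circular nesting
                seen.add(group)
                queue.append(path + [group])
    return None


def audit(principals, target, member_of):
    """Map each principal that effectively holds the membership to its chain."""
    findings = {}
    for p in principals:
        chain = path_to_group(p, target, member_of)
        if chain:
            # A two-element chain means the account is a direct member.
            findings[p] = {"chain": chain, "direct": len(chain) == 2}
    return findings


if __name__ == "__main__":
    for user, f in audit(USERS, TARGET, MEMBER_OF).items():
        kind = "direct" if f["direct"] else "nested"
        print(f"{user}: {kind} via {' -> '.join(f['chain'])}")
```

The reported chain shows which nesting link to remove so that a service account no longer inherits remote-management rights.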