BloodHound


BloodHound collects Active Directory objects and the relationships between them (group memberships, ACL rights, local-group membership, sessions, trusts) and loads them into a Neo4j graph, where attack paths and privilege-escalation chains that are hard to spot in raw LDAP output become shortest-path queries. Adversaries use it to automate the reconnaissance phase and pick the cheapest route from a foothold to a target; the same graph shows defenders which edges to cut.

Ingestion


┌──(kali㉿kali)-[~/…/htb/labs/ghost/bloodhound]
└─$ KRB5CCNAME=../florence.ramirez@dc01.ghost.htb.ccache bloodhound-python -d GHOST.HTB -u florence.ramirez -k -no-pass -dc dc01.ghost.htb --dns-tcp --auth-method kerberos -ns $IP --zip -c All       
Password: 
INFO: Found AD domain: ghost.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc01.ghost.htb
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.ghost.htb
INFO: Found 16 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 20 containers
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: linux-dev-ws01.ghost.htb
INFO: Querying computer: DC01.ghost.htb
WARNING: Could not resolve: linux-dev-ws01.ghost.htb: The DNS query name does not exist: linux-dev-ws01.ghost.htb.
INFO: Done in 00M 05S
INFO: Compressing output into 20240716132539_bloodhound.zip

Using the cached TGT of the florence.ramirez account (pointed to by KRB5CCNAME, so -k -no-pass is enough and no password has to be supplied), bloodhound-python authenticates to dc01.ghost.htb with Kerberos and collects the whole domain (-c All) into a single zip ready for upload. Two details in the output are worth noting: the collector sees a second domain in the forest plus one trust, and the DNS failure for linux-dev-ws01.ghost.htb only means that host could not be contacted for session and local-group enumeration; its LDAP object is still in the data.

Prep


┌──(kali㉿kali)-[~/…/htb/labs/ghost/bloodhound]
└─$ sudo neo4j console             
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 

Firing up Neo4j and BloodHound

Uploading the ingested domain data

Domain


Domain Trust


Bidirectional

Machines


justin.bradley


The justin.bradley user is a member of the following groups:

  • Remote Management Users
  • IT
  • Domain Users

WinRM


Because of the Remote Management Users membership, the user can open a WinRM (PowerShell Remoting) session on the dc01.ghost.htb host.

ReadGMSAPassword


Interestingly, justin.bradley holds the ReadGMSAPassword edge over the ADFS_GMSA$ account: he is listed in the gMSA's msDS-GroupMSAMembership security descriptor (PrincipalsAllowedToRetrieveManagedPassword), so the DC will return the account's current password in the msDS-ManagedPassword attribute over a sealed LDAP query.

ADFS_GMSA$


The ADFS_GMSA$ account is a group managed service account (gMSA) that is itself a member of the Remote Management Users group, so it can PSRemote directly to the dc01.ghost.htb host. It carries the SPN host/federation.ghost.htb.

The name and the SPN suggest the account is the service account of the Active Directory Federation Services (AD FS) farm.
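The edges above (MemberOf, CanPSRemote, ReadGMSAPassword) are all BloodHound derives from the collector's JSON before any Cypher query runs. The following added example (not code from the page or from BloodHound) rebuilds that graph from a constructed, simplified version of the users/groups/computers files bloodhound-python writes into its zip, then runs the same shortest-path search the BloodHound UI performs between justin.bradley and DC01. The SIDs are made up and the file shapes are reduced to the keys the example needs; the object names follow BloodHound's upper-case NAME@DOMAIN convention.

```python
"""Offline walk over BloodHound-style collector output (added example, constructed data)."""
from collections import deque

DOMAIN = "GHOST.HTB"
DOM_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
RMU = f"{DOMAIN}-S-1-5-32-580"   # how BloodHound keys the builtin Remote Management Users alias

# --- constructed sample, shaped like (a subset of) bloodhound-python's JSON ---
USERS = {"data": [
    {"ObjectIdentifier": f"{DOM_SID}-1104",
     "Properties": {"name": f"JUSTIN.BRADLEY@{DOMAIN}"}, "Aces": []},
    {"ObjectIdentifier": f"{DOM_SID}-1105",
     "Properties": {"name": f"FLORENCE.RAMIREZ@{DOMAIN}"}, "Aces": []},
    {"ObjectIdentifier": f"{DOM_SID}-1106",
     "Properties": {"name": f"ADFS_GMSA$@{DOMAIN}",
                    "serviceprincipalnames": ["host/federation.ghost.htb"]},
     # msDS-GroupMSAMembership on the gMSA lists justin.bradley as an allowed reader
     "Aces": [{"PrincipalSID": f"{DOM_SID}-1104", "PrincipalType": "User",
               "RightName": "ReadGMSAPassword", "IsInherited": False}]},
]}
GROUPS = {"data": [
    {"ObjectIdentifier": f"{DOM_SID}-513", "Properties": {"name": f"DOMAIN USERS@{DOMAIN}"},
     "Members": [{"ObjectIdentifier": f"{DOM_SID}-1104", "ObjectType": "User"},
                 {"ObjectIdentifier": f"{DOM_SID}-1105", "ObjectType": "User"}]},
    {"ObjectIdentifier": f"{DOM_SID}-1107", "Properties": {"name": f"IT@{DOMAIN}"},
     "Members": [{"ObjectIdentifier": f"{DOM_SID}-1104", "ObjectType": "User"}]},
    {"ObjectIdentifier": RMU, "Properties": {"name": f"REMOTE MANAGEMENT USERS@{DOMAIN}"},
     "Members": [{"ObjectIdentifier": f"{DOM_SID}-1104", "ObjectType": "User"},
                 {"ObjectIdentifier": f"{DOM_SID}-1106", "ObjectType": "User"}]},
]}
COMPUTERS = {"data": [
    {"ObjectIdentifier": f"{DOM_SID}-1000", "Properties": {"name": f"DC01.{DOMAIN}"},
     # local-group enumeration on the DC: members of the RMU alias can PSRemote
     "PSRemoteUsers": {"Collected": True, "FailureReason": None,
                       "Results": [{"ObjectIdentifier": RMU, "ObjectType": "Group"}]}},
]}


def build_graph(users, groups, computers):
    """Turn collector JSON into a directed graph: sid -> [(edge_name, target_sid)]."""
    names, edges = {}, {}

    def add(src, kind, dst):
        edges.setdefault(src, []).append((kind, dst))

    for u in users["data"]:
        names[u["ObjectIdentifier"]] = u["Properties"]["name"]
        for ace in u.get("Aces", []):               # ReadGMSAPassword, GenericAll, ...
            add(ace["PrincipalSID"], ace["RightName"], u["ObjectIdentifier"])
    for g in groups["data"]:
        names[g["ObjectIdentifier"]] = g["Properties"]["name"]
        for m in g.get("Members", []):
            add(m["ObjectIdentifier"], "MemberOf", g["ObjectIdentifier"])
    for c in computers["data"]:
        names[c["ObjectIdentifier"]] = c["Properties"]["name"]
        for r in c.get("PSRemoteUsers", {}).get("Results", []):
            add(r["ObjectIdentifier"], "CanPSRemote", c["ObjectIdentifier"])
    return names, edges


def shortest_path(edges, names, start_name, target_name):
    """BFS over every edge type; returns [(src, edge, dst), ...] or None if unreachable.
    Equivalent BloodHound query once the zip is uploaded:
      MATCH p=shortestPath((u:User {name:"JUSTIN.BRADLEY@GHOST.HTB"})-[*1..]->
                           (c:Computer {name:"DC01.GHOST.HTB"})) RETURN p"""
    by_name = {v: k for k, v in names.items()}
    start, target = by_name[start_name], by_name[target_name]
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, dst in edges.get(node, []):
            if dst not in prev:
                prev[dst] = (node, kind)
                queue.append(dst)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node] is not None:
        src, kind = prev[node]
        path.append((names[src], kind, names[node]))
        node = src
    return path[::-1]


def gmsa_readers(names, edges):
    """Every (principal, gMSA) pair joined by a ReadGMSAPassword edge."""
    return sorted((names[src], names[dst])
                  for src, outs in edges.items()
                  for kind, dst in outs if kind == "ReadGMSAPassword")


if __name__ == "__main__":
    names, edges = build_graph(USERS, GROUPS, COMPUTERS)
    for src, kind, dst in shortest_path(edges, names, f"JUSTIN.BRADLEY@{DOMAIN}", f"DC01.{DOMAIN}"):
        print(f"{src} -[{kind}]-> {dst}")
    print("gMSA readers:", gmsa_readers(names, edges))
```

Note that the search returns the two-hop path through Remote Management Users rather than the three-hop one through ADFS_GMSA$; BloodHound does the same, which is why the ReadGMSAPassword edge is worth querying on its own (it yields a second set of credentials and the AD FS service context, not just another WinRM login).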