BloodHound
The earlier password spraying attack revealed the owner of the default domain password: tiffany.molina:NewIntelligenceCorpUser9876
It was later validated against the target KDC by requesting a TGT.
Here, I will get BloodHound going to understand the target domain better.
Ingestion
┌──(kali㉿kali)-[~/…/htb/labs/intelligence/bloodhound]
└─$ KRB5CCNAME=../tiffany.molina@dc.intelligence.htb.ccache bloodhound-python -d INTELLIGENCE.HTB -u tiffany.molina -no-pass -k -dc dc.intelligence.htb --dns-tcp -ns $IP --zip -c All
INFO: Found AD domain: intelligence.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.intelligence.htb
INFO: Found 43 users
INFO: Found 55 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: svc_int.intelligence.htb
INFO: Querying computer: dc.intelligence.htb
WARNING: Could not resolve: svc_int.intelligence.htb: The DNS query name does not exist: svc_int.intelligence.htb.
INFO: Ignoring host dc.intelligence.htb since its reported name does not match
INFO: Done in 00M 14S
INFO: Compressing output into 20230927023637_bloodhound.zip
Using the TGT of the tiffany.molina user, I am able to authenticate to the target KDC and run the Python ingestor for BloodHound.
Prep
┌──(kali㉿kali)-[~/…/htb/labs/intelligence/bloodhound]
└─$ sudo neo4j console
[sudo] password for kali:
directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /usr/share/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /usr/share/neo4j/run
Starting Neo4j.
┌──(kali㉿kali)-[~/…/htb/labs/intelligence/bloodhound]
└─$ bloodhound
Starting neo4j and BloodHound
Ingested data uploaded
Ted.Graves
The ted.graves user has the ReadGMSAPassword access configured over the machine account, svc_int$.
Laura.Lee
The laura.lee user also has the ReadGMSAPassword access configured over the machine account, svc_int$.
svc_int$
The machine account, svc_int$, is allowed to delegate (constrained delegation) to the WWW/dc.intelligence.htb SPN.
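The two BloodHound findings above (who holds ReadGMSAPassword over svc_int$, and where svc_int$ may delegate) can be pulled straight out of the collector's JSON without opening the GUI, which is handy for a defender auditing a domain for the same edges. The following is an added example, not part of the original write-up or of BloodHound itself; the computer records, SIDs and the SID-to-name map are constructed to mirror the shape of bloodhound-python's computers.json output, and the JSON field names are assumed from that format.

```python
# Constructed sample shaped like bloodhound-python's computers.json: a "data" list of
# computer objects, each with "Aces" (ACL entries) and "AllowedToDelegate" (constrained
# delegation targets). SIDs are made up; only the names echo the write-up.
SAMPLE_COMPUTERS = {
    "data": [
        {
            "Properties": {"name": "SVC_INT.INTELLIGENCE.HTB", "haslaps": False},
            "AllowedToDelegate": ["WWW/dc.intelligence.htb"],
            "Aces": [
                {"PrincipalSID": "S-1-5-21-0-0-0-1101", "PrincipalType": "User",
                 "RightName": "ReadGMSAPassword", "IsInherited": False},
                {"PrincipalSID": "S-1-5-21-0-0-0-1102", "PrincipalType": "User",
                 "RightName": "ReadGMSAPassword", "IsInherited": False},
                {"PrincipalSID": "S-1-5-21-0-0-0-512", "PrincipalType": "Group",
                 "RightName": "GenericAll", "IsInherited": False},
            ],
        },
        {"Properties": {"name": "DC.INTELLIGENCE.HTB"}, "AllowedToDelegate": [], "Aces": []},
    ]
}

# Constructed SID -> name map, as users.json / groups.json from the same zip would supply.
SID_TO_NAME = {
    "S-1-5-21-0-0-0-1101": "TED.GRAVES@INTELLIGENCE.HTB",
    "S-1-5-21-0-0-0-1102": "LAURA.LEE@INTELLIGENCE.HTB",
    "S-1-5-21-0-0-0-512": "DOMAIN ADMINS@INTELLIGENCE.HTB",
}

# Rights over a machine account that warrant review, gMSA password reads first.
WATCHED_RIGHTS = {"ReadGMSAPassword", "GenericAll", "WriteDacl", "WriteOwner"}

def delegation_target(entry):
    """Older collector output lists delegation targets as SPN strings, newer output as
    {"ObjectIdentifier": ...} dicts (assumption); normalise both to a string."""
    return entry["ObjectIdentifier"] if isinstance(entry, dict) else entry

def audit_computers(computers, sid_to_name):
    """Return sorted (principal, right, target) triples: one per watched ACE on a computer
    object, plus one ("<computer>", "AllowedToDelegate", "<spn>") per delegation target."""
    findings = []
    for comp in computers["data"]:
        name = comp["Properties"]["name"]
        for ace in comp.get("Aces", []):
            if ace["RightName"] in WATCHED_RIGHTS:
                who = sid_to_name.get(ace["PrincipalSID"], ace["PrincipalSID"])
                findings.append((who, ace["RightName"], name))
        for target in comp.get("AllowedToDelegate", []):
            findings.append((name, "AllowedToDelegate", delegation_target(target)))
    return sorted(findings)

if __name__ == "__main__":
    for who, right, target in audit_computers(SAMPLE_COMPUTERS, SID_TO_NAME):
        print(f"{who:32} {right:20} -> {target}")
```

To run it against a real collection, replace the constructed dicts with the parsed contents of computers.json and a map built from the ObjectIdentifier and name fields of users.json and groups.json.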