BloodHound


BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion


Ingestion (data collection) was already performed with the embedded SharpHound collector; the resulting archive is transferred to the attacking host

PS C:\Users\btables\Documents> copy .\outdated.htb_20240105145344_BloodHound.zip \\10.10.14.23\smb\

Transfer complete over SMB

Prep


┌──(kali㉿kali)-[~/…/htb/labs/outdated/bloodhound]
└─$ sudo neo4j console
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/outdated/bloodhound]
└─$ bloodhound

Starting neo4j and bloodhound

Upload complete

Domain


btables


The btables user holds the AddKeyCredentialLink privilege over the sflowers user transitively, through its membership in the ITStaff group (the ACE is granted to ITStaff, not to btables directly).

sflowers


The sflowers user is a member of

  • Remote Management Users, which allows the user to WinRM to the DC host
  • WSUS Administrators, which requires further investigation

WSUS Administrators


The WSUS Administrators group in Windows is a special group created during the installation of Windows Server Update Services (WSUS). Members of this group are granted administrative privileges specifically related to managing and configuring WSUS settings. These administrators have the authority to control the WSUS server, approve or decline updates, and configure update policies for the network.

This explains the WSUS-related shares present on the SMB server. The target domain has a WSUS server installed and configured for pushing updates. Since sflowers is a member of this group, the membership may be leveraged for privilege escalation.
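The two findings above (a transitive AddKeyCredentialLink ACE reached through group membership, and membership in sensitive groups such as Remote Management Users and WSUS Administrators) are exactly what an AD owner wants to surface before an attacker does. The following is an added example, not code from the write-up or from BloodHound itself: it walks a small, constructed dataset shaped like SharpHound's JSON (ObjectIdentifier / Members / Aces), resolves each user's transitive group memberships, and reports every takeover-class right the user holds through any of those groups plus any membership in a watched group. Names mirror the write-up; the SIDs, the ACE layout and the `TAKEOVER_RIGHTS` / `SENSITIVE_GROUPS` lists are assumptions for the example.

```python
"""Audit a BloodHound-style dataset for transitive takeover rights and sensitive
group membership. The data below is constructed for illustration and only
mimics the shape of SharpHound output; SIDs are placeholders."""
from collections import defaultdict

# Constructed sample. "X" stands in for the domain part of each SID.
GROUPS = [
    {"ObjectIdentifier": "S-1-5-21-X-1105",
     "Properties": {"name": "ITSTAFF@OUTDATED.HTB"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-X-1104", "ObjectType": "User"}],
     "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-X-580",
     "Properties": {"name": "REMOTE MANAGEMENT USERS@OUTDATED.HTB"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-X-1106", "ObjectType": "User"}],
     "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-X-1107",
     "Properties": {"name": "WSUS ADMINISTRATORS@OUTDATED.HTB"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-X-1106", "ObjectType": "User"}],
     "Aces": []},
]
USERS = [
    {"ObjectIdentifier": "S-1-5-21-X-1104",
     "Properties": {"name": "BTABLES@OUTDATED.HTB"}, "Aces": []},
    {"ObjectIdentifier": "S-1-5-21-X-1106",
     "Properties": {"name": "SFLOWERS@OUTDATED.HTB"},
     # Inbound ACE on sflowers: the ITStaff group (not btables) holds the right.
     "Aces": [{"PrincipalSID": "S-1-5-21-X-1105", "PrincipalType": "Group",
               "RightName": "AddKeyCredentialLink", "IsInherited": False}]},
]

# Groups whose membership should be reviewed (assumed watch-list for this example).
SENSITIVE_GROUPS = {"REMOTE MANAGEMENT USERS", "WSUS ADMINISTRATORS"}
# Rights that let the holder take over the target object. AddKeyCredentialLink
# is write access to msDS-KeyCredentialLink and belongs in this class.
TAKEOVER_RIGHTS = {"AddKeyCredentialLink", "GenericAll", "GenericWrite",
                   "WriteDacl", "WriteOwner", "ForceChangePassword"}


def build_index(users, groups):
    """Index names, direct group membership and outbound ACE rights by SID."""
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in users + groups}
    member_of = defaultdict(set)
    for g in groups:
        for m in g["Members"]:
            member_of[m["ObjectIdentifier"]].add(g["ObjectIdentifier"])
    rights = defaultdict(list)          # principal SID -> [(right, target SID)]
    for o in users + groups:
        for ace in o["Aces"]:
            rights[ace["PrincipalSID"]].append((ace["RightName"], o["ObjectIdentifier"]))
    return names, member_of, rights


def transitive_groups(sid, member_of):
    """All groups a principal belongs to, following nested membership."""
    seen, stack = set(), [sid]
    while stack:
        for g in member_of.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen


def effective_rights(sid, member_of, rights):
    """Rights held directly or via any group the principal is transitively in."""
    out = []
    for holder in [sid, *transitive_groups(sid, member_of)]:
        for right, target in rights.get(holder, ()):
            out.append((right, target, holder))   # holder = who the ACE is granted to
    return out


def audit(users, groups):
    """Return (user, finding, target, via) tuples worth a review."""
    names, member_of, rights = build_index(users, groups)
    findings = []
    for u in users:
        sid = u["ObjectIdentifier"]
        for right, target, via in effective_rights(sid, member_of, rights):
            if right in TAKEOVER_RIGHTS:
                findings.append((names[sid], right, names[target], names[via]))
        for g in transitive_groups(sid, member_of):
            if names[g].split("@")[0] in SENSITIVE_GROUPS:
                findings.append((names[sid], "MemberOf", names[g], names[g]))
    return findings


if __name__ == "__main__":
    for user, finding, target, via in audit(USERS, GROUPS):
        print(f"{user}: {finding} -> {target} (via {via})")
```

Run against a real collection, the `via` column tells the reviewer which principal actually carries the ACE, so the remediation is to remove the right from ITStaff (or trim that group's membership) rather than to touch btables. Group findings are the second review item: confirm each member of Remote Management Users and WSUS Administrators still needs that access.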