BloodHound


Using the [[Rebound_Kerberoasting_with_no_preauth#|TGT]] of the ldap_monitor account, I can authenticate to the DC (which is also the KDC) with Kerberos instead of a password and run the BloodHound ingestor, bloodhound-python.

Ingestion


┌──(kali㉿kali)-[~/…/htb/labs/rebound/bloodhound]
└─$ KRB5CCNAME=../ldap_monitor@dc01.rebound.htb.ccache bloodhound-python -d REBOUND.HTB -u ldap_monitor -k -no-pass -dc dc01.rebound.htb --dns-tcp -ns $IP --zip -c All
INFO: Found AD domain: rebound.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.rebound.htb
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: gmsa.rebound.htb
INFO: Querying computer: dc01.rebound.htb
WARNING: Could not resolve: gmsa.rebound.htb: The DNS query name does not exist: gmsa.rebound.htb.
INFO: Ignoring host dc01.rebound.htb since its reported name  does not match
INFO: Done in 00M 02S
INFO: Compressing output into 20230911082339_bloodhound.zip

Ingestion complete. The two LDAP signing warnings are informational: the DC refuses the unsigned LDAP bind and bloodhound-python retries over LDAPS, so collection still succeeds. Note that neither computer was enumerated at host level (gmsa.rebound.htb does not resolve in DNS and dc01.rebound.htb was skipped because its reported name did not match), so this data set is LDAP-derived only, with no session or local group information from the hosts.

Startup


┌──(kali㉿kali)-[~/…/htb/labs/rebound/bloodhound]
└─$ sudo neo4j console
[sudo] password for kali: 
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/rebound/bloodhound]
└─$ bloodhound

Starting BloodHound

Kerberoast-able


There is, apparently, another Kerberoastable account, gmsa.rebound.htb, i.e. another account with an SPN set.

gmsa.rebound.htb


gmsa.rebound.htb appears to be a machine-type account, since it is a member of the Domain Computers group. The name suggests a gMSA (group Managed Service Account), which AD stores as a computer-derived object, and the ingestor could not resolve gmsa.rebound.htb in DNS, which is consistent with a service account rather than a real host.

Users


MATCH (u:User) RETURN u

These are all the domain users

ldap_monitor


oorend


winrm_svc


batch_runner


fflock


ppaul


Groups


MATCH (n:Group) RETURN n

All the groups. servicemgmt appears to be the only non-default group.

servicemgmt


The servicemgmt group has two members: ppaul and fflock.
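As an added example (my own code, not from this page or from the BloodHound project), the same three questions answered from the raw collector output rather than through neo4j: the script unpacks the ingestor's zip, lists the Kerberoastable users, flags user-class objects that are really machine-type (members of Domain Computers, or a sAMAccountName ending in `$` as a gMSA has), and lists non-default groups with their members resolved. The JSON layout (`data`/`meta.type`, `Properties.hasspn`, `Members[].ObjectIdentifier`) is assumed from bloodhound-python's v4 output format, and the sample data, including the `gmsa$` account, the `old_svc` account and all SIDs, is constructed, not the real Rebound collection. Python is used because the collector itself is written in it.

```python
import io
import json
import zipfile

# Windows reserves RIDs below 1000 for well-known principals (Domain Admins 512,
# Domain Users 513, Domain Computers 515, ...); objects created after promotion
# get RIDs from 1000 upward, so RID >= 1000 is a practical "non-default" test.
FIRST_CUSTOM_RID = 1000
DOMAIN_COMPUTERS_RID = 515

# Constructed sample in the bloodhound-python v4 JSON shape (an assumption about
# the format; real files carry many more properties). Not the Rebound data.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

def sid(rid):
    return f"{DOMAIN_SID}-{rid}"

def user(rid, sam, spns=(), enabled=True):
    return {"ObjectIdentifier": sid(rid), "Properties": {
        "name": f"{sam.upper()}@REBOUND.HTB", "samaccountname": sam, "enabled": enabled,
        "hasspn": bool(spns), "serviceprincipalnames": list(spns)}}

def group(rid, name, member_rids):
    return {"ObjectIdentifier": sid(rid), "Properties": {"name": f"{name}@REBOUND.HTB"},
            "Members": [{"ObjectIdentifier": sid(r), "ObjectType": "User"} for r in member_rids]}

SAMPLE = {
    "users": [user(1001, "ldap_monitor", ["ldapmonitor/dc01.rebound.htb"]),
              user(1002, "oorend"), user(1003, "winrm_svc"), user(1004, "batch_runner"),
              user(1005, "fflock"), user(1006, "ppaul"),
              user(1007, "old_svc", ["http/old"], enabled=False),  # hypothetical: SPN but disabled
              user(1108, "gmsa$", ["http/gmsa.rebound.htb"])],     # hypothetical gMSA, user-class object
    "groups": [group(512, "DOMAIN ADMINS", []), group(513, "DOMAIN USERS", [1001, 1002]),
               group(515, "DOMAIN COMPUTERS", [1000, 1108]),      # 1000 stands in for DC01$, not in users
               group(1105, "SERVICEMGMT", [1006, 1005])],
}

def rid_of(objectid):
    """Last component of a domain SID, or None for non-domain ids (S-1-5-32-*, GUIDs)."""
    tail = objectid.rsplit("-", 1)[-1]
    return int(tail) if objectid.startswith("S-1-5-21-") and tail.isdigit() else None

def load_collection(zip_bytes):
    """Read every *.json in a bloodhound-python --zip archive, keyed by its meta.type."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                doc = json.loads(zf.read(name))
                out[doc["meta"]["type"]] = doc["data"]
    return out

def sample_zip():
    """Pack SAMPLE the way the collector does: one timestamped JSON file per object type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for kind, data in SAMPLE.items():
            zf.writestr(f"20230911082339_{kind}.json",
                        json.dumps({"data": data, "meta": {"type": kind, "count": len(data), "version": 4}}))
    return buf.getvalue()

def kerberoastable(users):
    """Enabled accounts with an SPN: the set BloodHound's Kerberoastable query returns."""
    return sorted(u["Properties"]["name"] for u in users
                  if u["Properties"].get("hasspn") and u["Properties"].get("enabled"))

def members_of(groups, rid):
    """Direct member identifiers of the group with the given RID."""
    for g in groups:
        if rid_of(g["ObjectIdentifier"]) == rid:
            return {m["ObjectIdentifier"] for m in g.get("Members", [])}
    return set()

def machine_type(users, groups):
    """User-class objects that are really machine-type: in Domain Computers, or sAMAccountName ends in $."""
    computers = members_of(groups, DOMAIN_COMPUTERS_RID)
    return sorted(u["Properties"]["name"] for u in users
                  if u["ObjectIdentifier"] in computers
                  or u["Properties"].get("samaccountname", "").endswith("$"))

def non_default_groups(groups, users):
    """Groups created after domain setup (RID >= 1000), with member names resolved where known."""
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users}
    out = {}
    for g in groups:
        r = rid_of(g["ObjectIdentifier"])
        if r is not None and r >= FIRST_CUSTOM_RID:
            out[g["Properties"]["name"]] = sorted(
                names.get(m["ObjectIdentifier"], m["ObjectIdentifier"]) for m in g.get("Members", []))
    return out

def triage(zip_bytes):
    """The three questions asked of BloodHound above, answered from the raw collection."""
    c = load_collection(zip_bytes)
    return {"kerberoastable": kerberoastable(c["users"]),
            "machine_type": machine_type(c["users"], c["groups"]),
            "non_default_groups": non_default_groups(c["groups"], c["users"])}

if __name__ == "__main__":
    print(json.dumps(triage(sample_zip()), indent=2))
```

Against a real collection, call `triage(open("20230911082339_bloodhound.zip", "rb").read())`. The disabled-account filter matters because the KDC will not issue a service ticket for a disabled principal, so such an SPN is not roastable even though `hasspn` is set; the RID threshold is a heuristic, and built-in local groups such as Administrators (S-1-5-32-544) carry no domain RID and are skipped by `rid_of`.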

SPNs


SPNs of the DC host