BloodHound


A misconfigured web application for administering printers exposed a CLEARTEXT credential for what appears to be a printer service account. The credential was later validated and used to request a TGT.

Here, I will get BloodHound going to understand the target domain better.

Ingestion


┌──(kali㉿kali)-[~/…/htb/labs/return/bloodhound]
└─$ KRB5CCNAME=../svc-printer.ccache bloodhound-python -u svc-printer -d RETURN.LOCAL -k -ns $IP -dc printer.return.local --dns-tcp --zip -no-pass -c All 
Password: 
INFO: Found AD domain: return.local
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: printer.return.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: printer.return.local
INFO: Found 5 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: printer.return.local
INFO: Done in 00M 06S
INFO: Compressing output into 20230323123044_bloodhound.zip

I had some trials and errors attempting to get bloodhound-python working through the target KDC using the TGT. Although bloodhound-python prompted me for a password, I did not provide one, and it worked out just fine.

BloodHound


┌──(kali㉿kali)-[~/…/htb/labs/return/bloodhound]
└─$ sudo neo4j console  
[sudo] password for kali: 
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/return/bloodhound]
└─$ bloodhound          

Firing up neo4j and bloodhound

Upload complete

svc-printer


The svc-printer user has the memberships shown above. While this information has already been enumerated through ldapdomaindump, it's refreshing to see it in a nice graphical view.
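As an added example (not part of the original writeup), the script below reads the users and groups JSON files that a BloodHound collector zip like the one produced above contains and resolves a user's effective group membership, following nested groups, which is exactly the transitive picture the graph view shows and a flat memberOf listing hides. The file layout follows the BloodHound collector JSON format; the SIDs, group names and memberships are constructed placeholders, not values from the target domain.

```python
import json
from collections import defaultdict

# Constructed sample in the BloodHound collector JSON layout (data/meta wrapper).
# SIDs, group names and memberships are placeholders, not data from the target.
USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-0-0-0-1103",
     "Properties": {"name": "SVC-PRINTER@RETURN.LOCAL", "domain": "RETURN.LOCAL"}},
], "meta": {"type": "users", "count": 1, "version": 5}})

GROUPS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-0-0-0-2001",
     "Properties": {"name": "EXAMPLE-DIRECT@RETURN.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-0-0-0-1103", "ObjectType": "User"}]},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-2002",
     "Properties": {"name": "EXAMPLE-PARENT@RETURN.LOCAL"},
     "Members": [{"ObjectIdentifier": "S-1-5-21-0-0-0-2001", "ObjectType": "Group"}]},
    {"ObjectIdentifier": "S-1-5-21-0-0-0-2003",
     "Properties": {"name": "EXAMPLE-UNRELATED@RETURN.LOCAL"},
     "Members": []},
], "meta": {"type": "groups", "count": 3, "version": 5}})


def load_names(text):
    """Map ObjectIdentifier (SID) -> display name for every object in a collector file."""
    return {o["ObjectIdentifier"]: o["Properties"]["name"] for o in json.loads(text)["data"]}


def build_member_of(groups_text):
    """Invert the groups file: member SID -> set of group SIDs it belongs to directly."""
    member_of = defaultdict(set)
    for group in json.loads(groups_text)["data"]:
        for member in group.get("Members", []):
            member_of[member["ObjectIdentifier"]].add(group["ObjectIdentifier"])
    return member_of


def effective_groups(user_name, users_text, groups_text):
    """Return sorted names of every group the user is in, direct or via nesting."""
    users = {name: sid for sid, name in load_names(users_text).items()}
    groups = load_names(groups_text)
    member_of = build_member_of(groups_text)
    seen, frontier = set(), [users[user_name.upper()]]
    while frontier:  # walk up the membership graph; 'seen' also breaks group cycles
        for parent in member_of.get(frontier.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                frontier.append(parent)
    return sorted(groups[sid] for sid in seen)
```

Running `effective_groups("svc-printer@return.local", USERS_JSON, GROUPS_JSON)` on the sample returns both the direct group and its parent, while the unrelated group is left out.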