BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/bloodhound]
└─$ KRB5CCNAME=../ksimpson@dc1.scrm.local.ccache bloodhound-python -d SCRM.LOCAL -u ksimpson -k -no-pass -dc dc1.scrm.local --dns-tcp -ns $IP --zip -c All
INFO: Found AD domain: scrm.local
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc1.scrm.local
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc1.scrm.local
WARNING: LDAP Authentication is refused because LDAP signing is enabled. Trying to connect over LDAPS instead...
INFO: Found 16 users
INFO: Found 62 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: WS01.scrm.local
INFO: Querying computer: DC1.scrm.local
INFO: Ignoring host DC1.scrm.local since its reported name does not match
INFO: Done in 00M 18S
INFO: Compressing output into 20231117183321_bloodhound.zip
Using the TGT of the ksimpson user, the entire domain data can be ingested through bloodhound-python.
Prep
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/bloodhound]
└─$ sudo neo4j console
directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /usr/share/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /usr/share/neo4j/run
Starting Neo4j.
┌──(kali㉿kali)-[~/…/htb/labs/scrambled/bloodhound]
└─$ bloodhound
Firing up neo4j and bloodhound
Ingested domain data upload complete
Domain
Kerberoast-able
Besides the default krbtgt account, the sqlsvc account is kerberoast-able.
sqlsvc
The sqlsvc account is a service account for the target MSSQL instance. Its SPNs are MSSQLSvc/dc1.scrm.local:1433 and MSSQLSvc/dc1.scrm.local.
The sqlsvc account is a member of the noaccess group. The account is the sole member of that group, and the group itself doesn't appear to have much going on.
miscsvc
miscsvc appears to be another service account with an interesting group membership.
The account is able to WinRM to the target system due to its transitive membership in the Remote Management Users group.
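The two findings above (an SPN-bearing service account, and a WinRM-capable account that only gets there through nested groups) are exactly what a defender would check for when reviewing a BloodHound export of their own domain. The following script is an added example, not part of this writeup or of the BloodHound project's code: it triages the users.json and groups.json that bloodhound-python packs into the zip, listing accounts with SPNs (the ones that need long random passwords or a gMSA) and resolving nested group membership to find who actually lands in a given group. The sample documents are constructed; the property names (`hasspn`, `serviceprincipalnames`, `Members`, `ObjectType`) follow the collector format as I understand it, and the `SCRM.LOCAL-S-1-5-32-580` identifier for the built-in Remote Management Users group is an assumption about how BloodHound prefixes well-known SIDs.

```python
import json

# Constructed sample data in the layout bloodhound-python writes (a "data" list of
# objects with "ObjectIdentifier", "Properties" and, for groups, "Members").
# SIDs, names and memberships are made up for this example.
USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-502",
         "Properties": {"name": "KRBTGT@SCRM.LOCAL", "enabled": False,
                        "hasspn": True, "serviceprincipalnames": ["kadmin/changepw"]}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
         "Properties": {"name": "SQLSVC@SCRM.LOCAL", "enabled": True, "hasspn": True,
                        "serviceprincipalnames": ["MSSQLSvc/dc1.scrm.local:1433",
                                                  "MSSQLSvc/dc1.scrm.local"]}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1106",
         "Properties": {"name": "MISCSVC@SCRM.LOCAL", "enabled": True,
                        "hasspn": False, "serviceprincipalnames": []}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1107",
         "Properties": {"name": "KSIMPSON@SCRM.LOCAL", "enabled": True,
                        "hasspn": False, "serviceprincipalnames": []}},
    ],
    "meta": {"type": "users", "count": 4, "version": 5},
})

GROUPS_JSON = json.dumps({
    "data": [
        # Assumed BloodHound-style identifier for the built-in group (RID 580).
        {"ObjectIdentifier": "SCRM.LOCAL-S-1-5-32-580",
         "Properties": {"name": "REMOTE MANAGEMENT USERS@SCRM.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-2001", "ObjectType": "Group"}]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-2001",
         "Properties": {"name": "IT SUPPORT@SCRM.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "ObjectType": "User"}]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-2002",
         "Properties": {"name": "NOACCESS@SCRM.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1105", "ObjectType": "User"}]},
    ],
    "meta": {"type": "groups", "count": 3, "version": 5},
})


def load_objects(doc):
    """Return the object list from one collector file (users.json, groups.json, ...)."""
    return json.loads(doc)["data"]


def kerberoastable_accounts(users, include_krbtgt=False):
    """Accounts carrying an SPN, sorted by name, as (name, [spns]) pairs.

    krbtgt always has an SPN and is excluded by default, mirroring the
    'besides the default krbtgt' reading of BloodHound's own query."""
    hits = []
    for u in users:
        p = u["Properties"]
        if not p.get("hasspn"):
            continue
        if p["name"].split("@")[0].upper() == "KRBTGT" and not include_krbtgt:
            continue
        hits.append((p["name"], list(p.get("serviceprincipalnames", []))))
    return sorted(hits)


def transitive_members(groups, group_name):
    """Set of user SIDs that end up in group_name through any chain of nesting.
    A visited set guards against circular group membership."""
    by_id = {g["ObjectIdentifier"]: g for g in groups}
    start = [g["ObjectIdentifier"] for g in groups
             if g["Properties"]["name"].upper() == group_name.upper()]
    users, seen = set(), set()
    while start:
        gid = start.pop()
        if gid in seen or gid not in by_id:
            continue
        seen.add(gid)
        for m in by_id[gid].get("Members", []):
            if m["ObjectType"] == "Group":
                start.append(m["ObjectIdentifier"])
            else:
                users.add(m["ObjectIdentifier"])
    return users


def users_reaching(group_name, users, groups):
    """Names of users with direct or nested membership in group_name."""
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users}
    return sorted(names.get(sid, sid) for sid in transitive_members(groups, group_name))


def direct_member_names(groups, users, group_name):
    """Names of the direct (non-nested) members of group_name; a one-member
    group like noaccess shows up as a single entry here."""
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users}
    names.update({g["ObjectIdentifier"]: g["Properties"]["name"] for g in groups})
    for g in groups:
        if g["Properties"]["name"].upper() == group_name.upper():
            return sorted(names.get(m["ObjectIdentifier"], m["ObjectIdentifier"])
                          for m in g.get("Members", []))
    return []


if __name__ == "__main__":
    users, groups = load_objects(USERS_JSON), load_objects(GROUPS_JSON)
    for name, spns in kerberoastable_accounts(users):
        print(f"SPN account (harden password / move to gMSA): {name} {spns}")
    print("Can WinRM via Remote Management Users:",
          users_reaching("REMOTE MANAGEMENT USERS@SCRM.LOCAL", users, groups))
    print("Direct members of noaccess:", direct_member_names(groups, users, "NOACCESS@SCRM.LOCAL"))
```

On a real export, replace the two constructed documents with the contents of the users and groups files from the zip; the membership resolution is the same walk BloodHound draws as a MemberOf chain, so the transitive result for miscsvc here comes out of a nested IT Support group rather than a direct entry in Remote Management Users.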