InfoSec LAB

Search_BloodHound

Created: 12 min read

BloodHound

BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion

┌──(kali㉿kali)-[~/…/htb/labs/search/bloodhound]
└─$ KRB5CCNAME=../hope.sharp@research.search.htb.ccache bloodhound-python -d SEARCH.HTB -u hope.sharp -k -no-pass --auth-method kerberos -ns $IP -dc research.search.htb --zip -c ALL
INFO: Found AD domain: search.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 112 computers
INFO: Connecting to LDAP server: research.search.htb
INFO: Found 107 users
INFO: Found 64 groups
INFO: Found 6 gpos
INFO: Found 27 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Windows-100.search.htb
INFO: Querying computer: Windows-99.search.htb
INFO: Querying computer: Windows-98.search.htb
INFO: Querying computer: Windows-97.search.htb
INFO: Querying computer: Windows-96.search.htb
INFO: Querying computer: Windows-95.search.htb
INFO: Querying computer: Windows-94.search.htb
INFO: Querying computer: Windows-93.search.htb
INFO: Querying computer: Windows-92.search.htb
INFO: Querying computer: Windows-91.search.htb
INFO: Querying computer: Windows-90.search.htb
INFO: Querying computer: Windows-89.search.htb
WARNING: Could not resolve: Windows-100.search.htb: The DNS query name does not exist: Windows-100.search.htb.
WARNING: Could not resolve: Windows-99.search.htb: The DNS query name does not exist: Windows-99.search.htb.
WARNING: Could not resolve: Windows-97.search.htb: The DNS query name does not exist: Windows-97.search.htb.
WARNING: Could not resolve: Windows-92.search.htb: The DNS query name does not exist: Windows-92.search.htb.
WARNING: Could not resolve: Windows-96.search.htb: The DNS query name does not exist: Windows-96.search.htb.
WARNING: Could not resolve: Windows-98.search.htb: The DNS query name does not exist: Windows-98.search.htb.
WARNING: Could not resolve: Windows-94.search.htb: The DNS query name does not exist: Windows-94.search.htb.
WARNING: Could not resolve: Windows-95.search.htb: The DNS query name does not exist: Windows-95.search.htb.
WARNING: Could not resolve: Windows-93.search.htb: The DNS query name does not exist: Windows-93.search.htb.
INFO: Querying computer: Windows-88.search.htb
WARNING: Could not resolve: Windows-91.search.htb: The DNS query name does not exist: Windows-91.search.htb.
INFO: Querying computer: Windows-87.search.htb
INFO: Querying computer: Windows-86.search.htb
INFO: Querying computer: Windows-85.search.htb
INFO: Querying computer: Windows-84.search.htb
INFO: Querying computer: Windows-83.search.htb
INFO: Querying computer: Windows-82.search.htb
INFO: Querying computer: Windows-81.search.htb
WARNING: Could not resolve: Windows-90.search.htb: The DNS query name does not exist: Windows-90.search.htb.
INFO: Querying computer: Windows-80.search.htb
WARNING: Could not resolve: Windows-89.search.htb: The DNS query name does not exist: Windows-89.search.htb.
INFO: Querying computer: Windows-79.search.htb
WARNING: Could not resolve: Windows-88.search.htb: The DNS query name does not exist: Windows-88.search.htb.
WARNING: Could not resolve: Windows-84.search.htb: The DNS query name does not exist: Windows-84.search.htb.
WARNING: Could not resolve: Windows-87.search.htb: The DNS query name does not exist: Windows-87.search.htb.
WARNING: Could not resolve: Windows-81.search.htb: The DNS query name does not exist: Windows-81.search.htb.
WARNING: Could not resolve: Windows-83.search.htb: The DNS query name does not exist: Windows-83.search.htb.
WARNING: Could not resolve: Windows-86.search.htb: The DNS query name does not exist: Windows-86.search.htb.
WARNING: Could not resolve: Windows-85.search.htb: The DNS query name does not exist: Windows-85.search.htb.
INFO: Querying computer: Windows-78.search.htb
WARNING: Could not resolve: Windows-82.search.htb: The DNS query name does not exist: Windows-82.search.htb.
INFO: Querying computer: Windows-77.search.htb
INFO: Querying computer: Windows-76.search.htb
INFO: Querying computer: Windows-75.search.htb
WARNING: Could not resolve: Windows-80.search.htb: The DNS query name does not exist: Windows-80.search.htb.
INFO: Querying computer: Windows-74.search.htb
INFO: Querying computer: Windows-73.search.htb
INFO: Querying computer: Windows-72.search.htb
INFO: Querying computer: Windows-71.search.htb
WARNING: Could not resolve: Windows-79.search.htb: The DNS query name does not exist: Windows-79.search.htb.
INFO: Querying computer: Windows-70.search.htb
INFO: Querying computer: Windows-69.search.htb
WARNING: Could not resolve: Windows-75.search.htb: The DNS query name does not exist: Windows-75.search.htb.
WARNING: Could not resolve: Windows-78.search.htb: The DNS query name does not exist: Windows-78.search.htb.
WARNING: Could not resolve: Windows-77.search.htb: The DNS query name does not exist: Windows-77.search.htb.
WARNING: Could not resolve: Windows-73.search.htb: The DNS query name does not exist: Windows-73.search.htb.
WARNING: Could not resolve: Windows-76.search.htb: The DNS query name does not exist: Windows-76.search.htb.
WARNING: Could not resolve: Windows-72.search.htb: The DNS query name does not exist: Windows-72.search.htb.
WARNING: Could not resolve: Windows-74.search.htb: The DNS query name does not exist: Windows-74.search.htb.
WARNING: Could not resolve: Windows-71.search.htb: The DNS query name does not exist: Windows-71.search.htb.
INFO: Querying computer: Windows-68.search.htb
WARNING: Could not resolve: Windows-70.search.htb: The DNS query name does not exist: Windows-70.search.htb.
WARNING: Could not resolve: Windows-69.search.htb: The DNS query name does not exist: Windows-69.search.htb.
INFO: Querying computer: Windows-67.search.htb
INFO: Querying computer: Windows-66.search.htb
INFO: Querying computer: Windows-65.search.htb
INFO: Querying computer: Windows-64.search.htb
INFO: Querying computer: Windows-63.search.htb
INFO: Querying computer: Windows-62.search.htb
INFO: Querying computer: Windows-61.search.htb
INFO: Querying computer: Windows-60.search.htb
INFO: Querying computer: Windows-59.search.htb
WARNING: Could not resolve: Windows-68.search.htb: The DNS query name does not exist: Windows-68.search.htb.
INFO: Querying computer: Windows-58.search.htb
WARNING: Could not resolve: Windows-65.search.htb: The DNS query name does not exist: Windows-65.search.htb.
WARNING: Could not resolve: Windows-61.search.htb: The DNS query name does not exist: Windows-61.search.htb.
WARNING: Could not resolve: Windows-66.search.htb: The DNS query name does not exist: Windows-66.search.htb.
WARNING: Could not resolve: Windows-67.search.htb: The DNS query name does not exist: Windows-67.search.htb.
WARNING: Could not resolve: Windows-59.search.htb: The DNS query name does not exist: Windows-59.search.htb.
WARNING: Could not resolve: Windows-64.search.htb: The DNS query name does not exist: Windows-64.search.htb.
WARNING: Could not resolve: Windows-62.search.htb: The DNS query name does not exist: Windows-62.search.htb.
WARNING: Could not resolve: Windows-63.search.htb: The DNS query name does not exist: Windows-63.search.htb.
WARNING: Could not resolve: Windows-60.search.htb: The DNS query name does not exist: Windows-60.search.htb.
INFO: Querying computer: Windows-57.search.htb
INFO: Querying computer: Windows-56.search.htb
INFO: Querying computer: Windows-55.search.htb
INFO: Querying computer: Windows-54.search.htb
INFO: Querying computer: Windows-53.search.htb
INFO: Querying computer: Windows-52.search.htb
INFO: Querying computer: Windows-51.search.htb
INFO: Querying computer: Windows-50.search.htb
INFO: Querying computer: Windows-49.search.htb
WARNING: Could not resolve: Windows-58.search.htb: The DNS query name does not exist: Windows-58.search.htb.
INFO: Querying computer: Windows-48.search.htb
WARNING: Could not resolve: Windows-57.search.htb: The DNS query name does not exist: Windows-57.search.htb.
INFO: Querying computer: Windows-47.search.htb
WARNING: Could not resolve: Windows-54.search.htb: The DNS query name does not exist: Windows-54.search.htb.
INFO: Querying computer: Windows-46.search.htb
WARNING: Could not resolve: Windows-52.search.htb: The DNS query name does not exist: Windows-52.search.htb.
INFO: Querying computer: Windows-45.search.htb
WARNING: Could not resolve: Windows-55.search.htb: The DNS query name does not exist: Windows-55.search.htb.
INFO: Querying computer: Windows-44.search.htb
WARNING: Could not resolve: Windows-50.search.htb: The DNS query name does not exist: Windows-50.search.htb.
INFO: Querying computer: Windows-43.search.htb
WARNING: Could not resolve: Windows-49.search.htb: The DNS query name does not exist: Windows-49.search.htb.
WARNING: Could not resolve: Windows-48.search.htb: The DNS query name does not exist: Windows-48.search.htb.
WARNING: Could not resolve: Windows-53.search.htb: The DNS query name does not exist: Windows-53.search.htb.
WARNING: Could not resolve: Windows-56.search.htb: The DNS query name does not exist: Windows-56.search.htb.
WARNING: Could not resolve: Windows-51.search.htb: The DNS query name does not exist: Windows-51.search.htb.
INFO: Querying computer: Windows-42.search.htb
INFO: Querying computer: Windows-41.search.htb
INFO: Querying computer: Windows-40.search.htb
INFO: Querying computer: Windows-39.search.htb
INFO: Querying computer: Windows-38.search.htb
WARNING: Could not resolve: Windows-47.search.htb: The DNS query name does not exist: Windows-47.search.htb.
INFO: Querying computer: Windows-37.search.htb
WARNING: Could not resolve: Windows-44.search.htb: The DNS query name does not exist: Windows-44.search.htb.
WARNING: Could not resolve: Windows-45.search.htb: The DNS query name does not exist: Windows-45.search.htb.
WARNING: Could not resolve: Windows-46.search.htb: The DNS query name does not exist: Windows-46.search.htb.
INFO: Querying computer: Windows-36.search.htb
INFO: Querying computer: Windows-35.search.htb
INFO: Querying computer: Windows-34.search.htb
WARNING: Could not resolve: Windows-43.search.htb: The DNS query name does not exist: Windows-43.search.htb.
INFO: Querying computer: Windows-33.search.htb
WARNING: Could not resolve: Windows-39.search.htb: The DNS query name does not exist: Windows-39.search.htb.
INFO: Querying computer: Windows-32.search.htb
WARNING: Could not resolve: Windows-38.search.htb: The DNS query name does not exist: Windows-38.search.htb.
WARNING: Could not resolve: Windows-37.search.htb: The DNS query name does not exist: Windows-37.search.htb.
WARNING: Could not resolve: Windows-41.search.htb: The DNS query name does not exist: Windows-41.search.htb.
WARNING: Could not resolve: Windows-40.search.htb: The DNS query name does not exist: Windows-40.search.htb.
WARNING: Could not resolve: Windows-42.search.htb: The DNS query name does not exist: Windows-42.search.htb.
INFO: Querying computer: Windows-31.search.htb
INFO: Querying computer: Windows-30.search.htb
INFO: Querying computer: Windows-29.search.htb
INFO: Querying computer: Windows-28.search.htb
INFO: Querying computer: Windows-27.search.htb
WARNING: Could not resolve: Windows-35.search.htb: The DNS query name does not exist: Windows-35.search.htb.
WARNING: Could not resolve: Windows-33.search.htb: The DNS query name does not exist: Windows-33.search.htb.
WARNING: Could not resolve: Windows-36.search.htb: The DNS query name does not exist: Windows-36.search.htb.
WARNING: Could not resolve: Windows-34.search.htb: The DNS query name does not exist: Windows-34.search.htb.
INFO: Querying computer: Windows-26.search.htb
INFO: Querying computer: Windows-25.search.htb
INFO: Querying computer: Windows-24.search.htb
INFO: Querying computer: Windows-23.search.htb
WARNING: Could not resolve: Windows-32.search.htb: The DNS query name does not exist: Windows-32.search.htb.
INFO: Querying computer: Windows-22.search.htb
WARNING: Could not resolve: Windows-30.search.htb: The DNS query name does not exist: Windows-30.search.htb.
INFO: Querying computer: Windows-21.search.htb
WARNING: Could not resolve: Windows-27.search.htb: The DNS query name does not exist: Windows-27.search.htb.
INFO: Querying computer: Windows-20.search.htb
WARNING: Could not resolve: Windows-31.search.htb: The DNS query name does not exist: Windows-31.search.htb.
WARNING: Could not resolve: Windows-28.search.htb: The DNS query name does not exist: Windows-28.search.htb.
INFO: Querying computer: Windows-19.search.htb
WARNING: Could not resolve: Windows-29.search.htb: The DNS query name does not exist: Windows-29.search.htb.
INFO: Querying computer: Windows-18.search.htb
INFO: Querying computer: Windows-17.search.htb
WARNING: Could not resolve: Windows-25.search.htb: The DNS query name does not exist: Windows-25.search.htb.
INFO: Querying computer: Windows-16.search.htb
WARNING: Could not resolve: Windows-24.search.htb: The DNS query name does not exist: Windows-24.search.htb.
INFO: Querying computer: Windows-15.search.htb
WARNING: Could not resolve: Windows-22.search.htb: The DNS query name does not exist: Windows-22.search.htb.
INFO: Querying computer: Windows-14.search.htb
WARNING: Could not resolve: Windows-26.search.htb: The DNS query name does not exist: Windows-26.search.htb.
INFO: Querying computer: Windows-13.search.htb
WARNING: Could not resolve: Windows-23.search.htb: The DNS query name does not exist: Windows-23.search.htb.
INFO: Querying computer: Windows-12.search.htb
WARNING: Could not resolve: Windows-21.search.htb: The DNS query name does not exist: Windows-21.search.htb.
INFO: Querying computer: Windows-11.search.htb
WARNING: Could not resolve: Windows-20.search.htb: The DNS query name does not exist: Windows-20.search.htb.
INFO: Querying computer: Windows-10.search.htb
WARNING: Could not resolve: Windows-17.search.htb: The DNS query name does not exist: Windows-17.search.htb.
WARNING: Could not resolve: Windows-19.search.htb: The DNS query name does not exist: Windows-19.search.htb.
INFO: Querying computer: Windows-09.search.htb
INFO: Querying computer: Windows-08.search.htb
WARNING: Could not resolve: Windows-16.search.htb: The DNS query name does not exist: Windows-16.search.htb.
INFO: Querying computer: Windows-07.search.htb
WARNING: Could not resolve: Windows-15.search.htb: The DNS query name does not exist: Windows-15.search.htb.
WARNING: Could not resolve: Windows-13.search.htb: The DNS query name does not exist: Windows-13.search.htb.
INFO: Querying computer: Windows-06.search.htb
WARNING: Could not resolve: Windows-12.search.htb: The DNS query name does not exist: Windows-12.search.htb.
WARNING: Could not resolve: Windows-14.search.htb: The DNS query name does not exist: Windows-14.search.htb.
INFO: Querying computer: Windows-05.search.htb
WARNING: Could not resolve: Windows-18.search.htb: The DNS query name does not exist: Windows-18.search.htb.
INFO: Querying computer: Windows-04.search.htb
INFO: Querying computer: Windows-03.search.htb
INFO: Querying computer: Windows-02.search.htb
WARNING: Could not resolve: Windows-10.search.htb: The DNS query name does not exist: Windows-10.search.htb.
INFO: Querying computer: Windows-01.search.htb
WARNING: Could not resolve: Windows-11.search.htb: The DNS query name does not exist: Windows-11.search.htb.
WARNING: Could not resolve: Windows-01.search.htb: The DNS query name does not exist: Windows-01.search.htb.
INFO: Querying computer: 
INFO: Querying computer: 
WARNING: Could not resolve: Windows-02.search.htb: The DNS query name does not exist: Windows-02.search.htb.
INFO: Querying computer: 
INFO: Querying computer: 
WARNING: Could not resolve: Windows-03.search.htb: The DNS query name does not exist: Windows-03.search.htb.
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
INFO: Querying computer: 
WARNING: Could not resolve: Windows-05.search.htb: The DNS query name does not exist: Windows-05.search.htb.
INFO: Querying computer: Covid.search.htb
WARNING: Could not resolve: Windows-09.search.htb: The DNS query name does not exist: Windows-09.search.htb.
INFO: Querying computer: Research.search.htb
WARNING: Could not resolve: Windows-07.search.htb: The DNS query name does not exist: Windows-07.search.htb.
WARNING: Could not resolve: Windows-04.search.htb: The DNS query name does not exist: Windows-04.search.htb.
WARNING: Could not resolve: Windows-08.search.htb: The DNS query name does not exist: Windows-08.search.htb.
WARNING: Could not resolve: Windows-06.search.htb: The DNS query name does not exist: Windows-06.search.htb.
INFO: Done in 00M 07S
INFO: Compressing output into 20240130160229_bloodhound.zip

Using the TGT of the compromised hope.sharp user, the entire domain data can be ingested through bloodhound-python The ingestor showed warning as it could not resolve all those dead and arbitrary computer accounts But everything else seems to be fetched well

Prep

┌──(kali㉿kali)-[~/…/htb/labs/search/bloodhound]
└─$ sudo neo4j console
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/search/bloodhound]
└─$ bloodhound

Firing up neo4j and bloodhound

Ingested Data uploaded and processed

Domain

hope.sharp

The hope.sharp user does appear to have any special access or privileges

Remote Management Users

A total of 5 domain users has transitive group membership to the Remote Management Users group via the ITSec group

Kerberoast-able Accounts

The web_svc account is vulnerable to Kerberoasting

web_svc

The web_svc account also appears to be a service account with the SPN of RESEARCH/web_svc.search.htb:60001

edgar.jacobs

The edgar.jacobs user, on the other hand, has a transitive membership to the HelpDesk group from the London-HelpDesk group. While memberships alone have already been enumerated, privileges and accesses have yet to be discovered

However, considering that there is a SMB share named, helpdesk, and I have not been able to access it with any of the credentials that I have, I would assume that the membership to the HelpDesk group would likely grant access to the helpdesk SMB share

sierra.frye

The sierra.frye user has a membership to the privileged group, ITSEC, granting WinRM access to the DC host although WinRM service is not available

Due to the membership to the ITSEC group, the user is also has ReadGMSAPassword access over the BIR-ADFS-GMSA$ account , which may be further leveraged

BIR-ADFS-GMSA$

the bir-adfs-gmsa$ account is a machine account likely linked to the ad federation service

the account has genericall access over the tristan.davies user

tristan.davies

Lastly, the tristan.davies user is a DA

Interactive Graph View

Backlinks