BloodHound


BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion


Ingestion was already performed through adPEAS

Downloading the ingested domain data using the established WinRM session

Preps


┌──(kali㉿kali)-[~/…/htb/labs/university/bloodhound]
└─$ neo4j_kickstart
2024-10-27 11:05:10.079+0000 INFO  Starting...
2024-10-27 11:05:10.675+0000 INFO  This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2024-10-27 11:05:12.109+0000 INFO  ======== Neo4j 4.4.38 ========
2024-10-27 11:05:13.322+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2024-10-27 11:05:13.322+0000 INFO  Updating the initial password in component 'security-users'
2024-10-27 11:05:14.273+0000 INFO  Bolt enabled on localhost:7687.
2024-10-27 11:05:15.179+0000 INFO  Remote interface available at http://localhost:7474/
2024-10-27 11:05:15.188+0000 INFO  id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2024-10-27 11:05:15.188+0000 INFO  name: system
2024-10-27 11:05:15.188+0000 INFO  creationDate: 2024-09-01T10:39:20.089Z
2024-10-27 11:05:15.188+0000 INFO  Started.
 
┌──(kali㉿kali)-[~/…/htb/labs/university/bloodhound]
└─$ bloodhound   

Starting neo4j and bloodhound

Uploading ingested domain data

Domain


Computers


ws-3.university


lab-2.university.htb


The lab-2.university.htb host is a Linux host

gmsa-pclient01$


wao


The wao user is part of both the Web Developers and Remote Management Users groups. This was already enumerated manually and by LDAPDomainDump.

The Web Developers group doesn’t have any notable rights

hana


The hana user is part of the Server Operators group

brose.w


The brose.w user is part of both Help Desk and Backup Operators groups

Help Desk


The Help Desk group is a member of both the Account Operators and Remote Management Users groups

martin.t


The martin.t user is part of both the Content Evaluators and Research & Development groups. However, those memberships lead nowhere.

gmsa-pclient01$


gmsa-pclient01$ is a group managed service account for a Prometheus server, prometheus.university.htb

choco.l



The choco.l user is a Domain Admin (DA) and can therefore perform DCSync against the domain
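
The memberships noted above can be resolved transitively for a membership review, which is how the nested path from brose.w through Help Desk to Account Operators surfaces. This is an added example, not part of the original notes: the membership map is constructed from the findings on this page ("DA" is written out as Domain Admins), and the function names are hypothetical.

```python
from collections import deque

# Constructed from the memberships noted on this page (member -> direct groups).
MEMBER_OF = {
    "wao": ["Web Developers", "Remote Management Users"],
    "hana": ["Server Operators"],
    "brose.w": ["Help Desk", "Backup Operators"],
    "Help Desk": ["Account Operators", "Remote Management Users"],
    "martin.t": ["Content Evaluators", "Research & Development"],
    "choco.l": ["Domain Admins"],
}
# Groups whose membership, direct or nested, should be reviewed.
PRIVILEGED = {"Domain Admins", "Server Operators", "Backup Operators", "Account Operators"}


def privileged_paths(principal, member_of=MEMBER_OF, privileged=PRIVILEGED):
    """Return {privileged_group: shortest membership path} via breadth-first search."""
    found, seen = {}, {principal}
    queue = deque([[principal]])
    while queue:
        path = queue.popleft()
        for group in member_of.get(path[-1], []):
            if group in seen:
                continue  # already visited; also stops circular nesting from looping
            seen.add(group)
            if group in privileged:
                found[group] = path + [group]
            queue.append(path + [group])
    return found


def audit(principals, member_of=MEMBER_OF):
    """Map each principal to its privileged-group paths, omitting those with none."""
    report = {p: privileged_paths(p, member_of) for p in principals}
    return {p: paths for p, paths in report.items() if paths}


if __name__ == "__main__":
    users = ["wao", "hana", "brose.w", "martin.t", "choco.l"]
    for user, paths in audit(users).items():
        for group, path in sorted(paths.items()):
            print(f"{user}: {' -> '.join(path)}")
```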