BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido/bloodhound]
└─$ KRB5CCNAME=../info@dc.hokkaido-aerospace.com.ccache bloodhound-python -d HOKKAIDO-AEROSPACE.COM -u info -k -no-pass --auth-method kerberos -ns $IP -dc dc.hokkaido-aerospace.com --zip -c Experimental,LoggedOn,All -op python_
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: hokkaido-aerospace.com
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.hokkaido-aerospace.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.hokkaido-aerospace.com
INFO: Found 34 users
INFO: Found 62 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer: dc.hokkaido-aerospace.com
INFO: Done in 00M 07S
INFO: Compressing output into 20250425151107_bloodhound.zip
Using the TGT of the compromised info account, domain ingestion is complete
Preps
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido/bloodhound]
└─$ neo4j_kickstart
2025-04-25 13:12:12.124+0000 INFO Starting...
2025-04-25 13:12:12.617+0000 INFO This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-04-25 13:12:13.658+0000 INFO ======== Neo4j 4.4.26 ========
2025-04-25 13:12:14.637+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-04-25 13:12:14.637+0000 INFO Updating the initial password in component 'security-users'
2025-04-25 13:12:15.627+0000 INFO Bolt enabled on localhost:7687.
2025-04-25 13:12:16.363+0000 INFO Remote interface available at http://localhost:7474/
2025-04-25 13:12:16.367+0000 INFO id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-04-25 13:12:16.367+0000 INFO name: system
2025-04-25 13:12:16.367+0000 INFO creationDate: 2024-09-01T10:39:20.089Z
2025-04-25 13:12:16.367+0000 INFO Started.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido/bloodhound]
└─$ bloodhound
Starting neo4j and bloodhound
Uploading the ingested domain data
Domain
info User
Not much going on for the compromised info account
This was already enumerated
discovery User
The compromised discovery account appears to be a service account as it has an SPN: discover/dc.hokkaido-aerospace.com
It’s also part of the services group
Kerberoast-able Accounts
Besides the compromised discovery account, the maintenance account is kerberoast-able
hrapp-service User
While the hrapp-service account appears to be a service account given its name and its membership in the services group, it does not have any SPN configured for it
On the other hand, the account has GenericWrite access over the hazel.green user
hazel.green User
The hazel.green user is a member of both the it group and the tier2-admins group.
The user has transitive ForceChangePassword access over the molly.smith user via its membership in the tier2-admins group
molly.smith User
The molly.smith user is a member of both the it group and the tier1-admins group.
Membership in the tier1-admins group allows the user to RDP into the dc.hokkaido-aerospace.com host
tier1-admins Group
The tier1-admins group is a member of the following groups:
wsus reporters
wsus administrators
server operators
remote desktop users
tier2-admins Group
N/A
it Group
N/A
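The user and group sections above are a manual walk of the graph BloodHound builds: group memberships plus ACE edges (GenericWrite, ForceChangePassword) chained into a path that ends at the DC. The following added example, which is not BloodHound's code and not part of the original notes, rebuilds that walk in plain Python so the two findings can be checked from an audit point of view: which enabled accounts carry an SPN (the Kerberoast-able set from the Kerberoast-able Accounts section) and which principals have any control path to the DC (the chain from hrapp-service through hazel.green, tier2-admins, molly.smith and tier1-admins). The snapshot is constructed from the names on the page; the maintenance account's SPN value and the placement of the CanRDP edge on the Remote Desktop Users group are assumptions.

```python
from collections import deque

# Constructed snapshot, not real BloodHound output: the principals and edges the
# notes above describe, written as (source, edge type, target) triples in the
# vocabulary BloodHound uses. Names are the page's; the maintenance SPN is a
# placeholder because the notes do not record it.
DC = "dc.hokkaido-aerospace.com"

USERS = {
    # account: (servicePrincipalName or None, enabled)
    "info": (None, True),
    "discovery": ("discover/" + DC, True),
    "maintenance": ("SPN-PLACEHOLDER/" + DC, True),
    "hrapp-service": (None, True),
    "hazel.green": (None, True),
    "molly.smith": (None, True),
    "krbtgt": ("kadmin/changepw", False),
}

EDGES = [
    ("discovery", "MemberOf", "services"),
    ("hrapp-service", "MemberOf", "services"),
    ("hrapp-service", "GenericWrite", "hazel.green"),
    ("hazel.green", "MemberOf", "it"),
    ("hazel.green", "MemberOf", "tier2-admins"),
    ("tier2-admins", "ForceChangePassword", "molly.smith"),
    ("molly.smith", "MemberOf", "it"),
    ("molly.smith", "MemberOf", "tier1-admins"),
    ("tier1-admins", "MemberOf", "wsus reporters"),
    ("tier1-admins", "MemberOf", "wsus administrators"),
    ("tier1-admins", "MemberOf", "server operators"),
    ("tier1-admins", "MemberOf", "remote desktop users"),
    # Assumption: the RDP right is modelled on the Remote Desktop Users group,
    # which is how tier1-admins membership grants RDP to the DC.
    ("remote desktop users", "CanRDP", DC),
]


def kerberoastable(users):
    """Enabled accounts carrying an SPN, minus krbtgt: the set a roasting
    attempt (and therefore an SPN audit) would target."""
    return {name for name, (spn, enabled) in users.items()
            if spn and enabled and name.lower() != "krbtgt"}


def adjacency(edges):
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj


def shortest_path(edges, start, target):
    """Breadth-first search over the directed edges. Every edge type here lets
    the source act as (or take control of) the target, so any path found is a
    control path. Returns a list of (source, edge, target) hops, or None."""
    adj = adjacency(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]
        for kind, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def principals_that_reach(edges, users, target):
    """User accounts with any control path to the target: the accounts whose
    ACEs and group memberships an audit should review first."""
    return {u for u in users if shortest_path(edges, u, target) is not None}


def render(hops):
    """Print a hop list in BloodHound's arrow style."""
    return " ".join(f"{s} -[{k}]->" for s, k, _ in hops) + " " + hops[-1][2]


if __name__ == "__main__":
    print("Kerberoastable:", sorted(kerberoastable(USERS)))
    for user in sorted(USERS):
        path = shortest_path(EDGES, user, DC)
        print(f"{user}: {render(path) if path else 'no path to DC'}")
```

Run as a script it lists discovery and maintenance as Kerberoast-able and prints a six-hop path for hrapp-service while info and discovery get no path, which matches the notes: the compromised info account is a dead end, and the chain only starts once hrapp-service's GenericWrite over hazel.green is in play. On a real dataset the same BFS over BloodHound's JSON output tells a defender which single edge (here the GenericWrite ACE or the ForceChangePassword right on tier2-admins) to remove to cut the path.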