BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya/bloodhound]
└─$ KRB5CCNAME=../andrea.hayes@nagoya.nagoya-industries.com.ccache bloodhound-python -d NAGOYA-INDUSTRIES.COM -u andrea.hayes -k -no-pass --auth-method kerberos -ns $IP -dc nagoya.nagoya-industries.com --zip -c Experimental,LoggedOn,All -op python_
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: nagoya-industries.com
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 36 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: nagoya.nagoya-industries.com
INFO: User with SID S-1-5-21-1969309164-1513403977-1686805993-1136 is logged in on nagoya.nagoya-industries.com
INFO: Done in 00M 08S
INFO: Compressing output into 20250423183454_bloodhound.zip
Ingestion completed using one of the TGTs from the ccache.
Preps
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya/bloodhound]
└─$ neo4j_kickstart
2025-04-23 16:36:16.830+0000 INFO Starting...
2025-04-23 16:36:17.289+0000 INFO This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-04-23 16:36:18.256+0000 INFO ======== Neo4j 4.4.26 ========
2025-04-23 16:36:19.130+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-04-23 16:36:19.130+0000 INFO Updating the initial password in component 'security-users'
2025-04-23 16:36:19.937+0000 INFO Bolt enabled on localhost:7687.
2025-04-23 16:36:20.651+0000 INFO Remote interface available at http://localhost:7474/
2025-04-23 16:36:20.658+0000 INFO id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-04-23 16:36:20.658+0000 INFO name: system
2025-04-23 16:36:20.658+0000 INFO creationDate: 2024-09-01T10:39:20.089Z
2025-04-23 16:36:20.658+0000 INFO Started.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nagoya/bloodhound]
└─$ bloodhound
Starting neo4j and bloodhound
Successfully uploaded the ingested domain data
Domain
Kerberoast-able
Both svc_helpdesk and svc_mssql are kerberoast-able.
svc_mssql (User)
The svc_mssql account is likely a service account tied to a possible internal MSSQL instance; its SPN is configured as MSSQL/nagoya.nagoya-industries.com.
andrea.hayes (User)
The andrea.hayes user, through membership of the employees group, has GenericAll over the following users: bethan.webster, joanna.wood, iain.white, svc_helpdesk.
fiona.clark (User)
Much like andrea.hayes above, the fiona.clark user's membership of the employees group grants GenericAll over the same users: bethan.webster, joanna.wood, iain.white, svc_helpdesk.
craig.carr (User)
The craig.carr user is also part of the employees group, granting GenericAll over the following users: bethan.webster, joanna.wood, iain.white, svc_helpdesk.
employees (Group)
As enumerated above, the employees group has GenericAll over the following users: bethan.webster, joanna.wood, iain.white, svc_helpdesk.
bethan.webster (User)
The bethan.webster user is part of the helpdesk group.
joanna.wood (User)
The joanna.wood user is also part of the helpdesk group.
svc_helpdesk (User)
The svc_helpdesk account appears to be a service account, as it has an SPN configured: http/nagoya.nagoya-industries.com. Additionally, the account is part of the helpdesk group.
iain.white (User)
The iain.white user is also part of the helpdesk group.
helpdesk (Group)
The helpdesk group has GenericAll over a lot of users.
christopher.lewis (User)
In particular, the christopher.lewis user has a transitive membership in the Remote Management Users group, allowing direct access to the DC host via WinRM.
Active Session
The svc_mssql account has an active session on the nagoya.nagoya-industries.com host.
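As an added example (not part of the original notes or of BloodHound itself), a small Python audit script that reads the bloodhound-python --zip output in the legacy JSON layout and reproduces the two findings above: accounts with an SPN set, and users who hold GenericAll over other users directly or through nested group membership. The <stamp>_users.json / <stamp>_groups.json naming, the Properties / Aces / Members field names and the sample SIDs are assumptions constructed for this example.

```python
import json, zipfile
from collections import defaultdict

# Constructed sample in the shape bloodhound-python writes to <stamp>_users.json and
# <stamp>_groups.json (Properties / Aces / Members); SIDs are made up for this example.
D, S = "@NAGOYA-INDUSTRIES.COM", "S-1-5-21-1-1-1-"
USERS = {"data": [
    {"ObjectIdentifier": S + "1136", "Aces": [], "Properties": {"name": "SVC_MSSQL" + D,
     "hasspn": True, "serviceprincipalnames": ["MSSQL/nagoya.nagoya-industries.com"]}},
    {"ObjectIdentifier": S + "1200", "Properties": {"name": "BETHAN.WEBSTER" + D, "hasspn": False},
     "Aces": [{"PrincipalSID": S + "1302", "PrincipalType": "Group", "RightName": "GenericAll"}]},
    {"ObjectIdentifier": S + "1201", "Aces": [], "Properties": {"name": "ANDREA.HAYES" + D, "hasspn": False}}]}
GROUPS = {"data": [  # ALL-STAFF contains EMPLOYEES, which contains andrea.hayes
    {"ObjectIdentifier": S + "1302", "Properties": {"name": "ALL-STAFF" + D},
     "Members": [{"ObjectIdentifier": S + "1300", "ObjectType": "Group"}]},
    {"ObjectIdentifier": S + "1300", "Properties": {"name": "EMPLOYEES" + D},
     "Members": [{"ObjectIdentifier": S + "1201", "ObjectType": "User"}]}]}

def load_collection(zip_path):
    """Read the users and groups JSON out of a bloodhound-python --zip archive (assumed *_users.json naming)."""
    with zipfile.ZipFile(zip_path) as z:
        pick = lambda kind: next(n for n in z.namelist() if n.endswith(f"_{kind}.json"))
        return json.loads(z.read(pick("users"))), json.loads(z.read(pick("groups")))

def kerberoastable(users):
    """Accounts with an SPN: their service tickets can be cracked offline, so enforce long random passwords or gMSAs."""
    return sorted(u["Properties"]["name"] for u in users["data"] if u["Properties"].get("hasspn"))

def expand_members(groups):
    """Map each group SID to the user SIDs reachable through nested membership."""
    members = {g["ObjectIdentifier"]: g["Members"] for g in groups["data"]}
    def walk(sid, seen):
        for m in members.get(sid, []):
            if m["ObjectIdentifier"] not in seen:
                seen.add(m["ObjectIdentifier"])
                if m["ObjectType"] == "Group":
                    walk(m["ObjectIdentifier"], seen)
        return seen
    return {sid: {s for s in walk(sid, set()) if s not in members} for sid in members}

def generic_all_holders(users, groups):
    """Map each target user to the users holding GenericAll on it, directly or through a group."""
    names = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in users["data"]}
    reach, out = expand_members(groups), defaultdict(set)
    for u in users["data"]:
        for ace in u.get("Aces", []):
            if ace["RightName"] == "GenericAll":
                p = ace["PrincipalSID"]
                holders = reach.get(p, {p}) if ace["PrincipalType"] == "Group" else {p}
                out[u["Properties"]["name"]].update(names.get(h, h) for h in holders)
    return {target: sorted(h) for target, h in out.items()}
```

On a real collection, call load_collection on the zip produced by the ingestion step and pass the two dicts to kerberoastable and generic_all_holders; every GenericAll holder on a user account is a candidate for ACL cleanup.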