BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced/bloodhound]
└─$ KRB5CCNAME=../v.ventz@ResourceDC.resourced.local.ccache bloodhound-python -d RESOURCED.LOCAL -u v.ventz -k -no-pass --auth-method kerberos -ns $IP -dc ResourceDC.resourced.local --zip -c Experimental,LoggedOn,All -op python_
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: resourced.local
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: ResourceDC.resourced.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: ResourceDC.resourced.local
INFO: Found 14 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: ResourceDC.resourced.local
INFO: Done in 00M 07S
INFO: Compressing output into 20250422203358_bloodhound.zip
Ingestion complete, using the TGT of the v.ventz user.
Preps
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced/bloodhound]
└─$ neo4j_kickstart
2025-04-22 18:34:26.726+0000 INFO Starting...
2025-04-22 18:34:27.039+0000 INFO This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-04-22 18:34:28.010+0000 INFO ======== Neo4j 4.4.26 ========
2025-04-22 18:34:28.956+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-04-22 18:34:28.956+0000 INFO Updating the initial password in component 'security-users'
2025-04-22 18:34:30.515+0000 INFO Bolt enabled on localhost:7687.
2025-04-22 18:34:31.298+0000 INFO Remote interface available at http://localhost:7474/
2025-04-22 18:34:31.301+0000 INFO id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-04-22 18:34:31.301+0000 INFO name: system
2025-04-22 18:34:31.301+0000 INFO creationDate: 2024-09-01T10:39:20.089Z
2025-04-22 18:34:31.301+0000 INFO Started.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced/bloodhound]
└─$ bloodhound
Starting neo4j & bloodhound
Uploaded
Domain
v.ventz
User
N/A
l.livingstone
User
As enumerated previously, the l.livingstone user is able to WinRM and RDP to the target system.
Additionally, the user has the GenericAll privilege over the ResourceDC.resourced.local host.
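The GenericAll finding above can also be confirmed directly from the collected JSON, which is the same check a defender would run to locate the ACE that needs removing. This is an added example, not part of the original notes: the SIDs and sample records are constructed, the function names are hypothetical, and the field names (Aces, PrincipalSID, RightName, IsInherited) are assumed to follow the BloodHound legacy (4.2/4.3) JSON layout written by BloodHound.py.

```python
import json
import zipfile

# Rights that amount to control of the target object.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns"}
# SID suffixes expected to hold them: SYSTEM, Domain Admins, Enterprise Admins,
# BUILTIN\Administrators. Adjust to the environment (assumption).
EXPECTED_SUFFIXES = ("S-1-5-18", "-512", "-519", "S-1-5-32-544")

def load_from_zip(zip_path, kind):
    """Load e.g. '<timestamp>_computers.json' from a collector zip."""
    with zipfile.ZipFile(zip_path) as zf:
        name = next(n for n in zf.namelist() if n.endswith(f"{kind}.json"))
        return json.loads(zf.read(name).decode("utf-8-sig"))

def risky_aces(computers, users):
    """Return control ACEs on computer objects held by unexpected principals."""
    names = {u["ObjectIdentifier"]: u.get("Properties", {}).get("name")
             for u in users.get("data", [])}
    findings = []
    for obj in computers.get("data", []):
        target = obj.get("Properties", {}).get("name", obj.get("ObjectIdentifier"))
        for ace in obj.get("Aces") or []:  # Aces may be missing or null
            sid = ace.get("PrincipalSID", "")
            if ace.get("RightName") not in CONTROL_RIGHTS:
                continue
            if sid.endswith(EXPECTED_SUFFIXES):
                continue
            findings.append({"target": target, "right": ace["RightName"],
                             "principal": names.get(sid) or sid,
                             "inherited": ace.get("IsInherited", False)})
    return findings

# Constructed sample mirroring the finding above; SIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_USERS = {"data": [
    {"ObjectIdentifier": f"{DOM}-1105",
     "Properties": {"name": "L.LIVINGSTONE@RESOURCED.LOCAL"}}]}
SAMPLE_COMPUTERS = {"data": [
    {"ObjectIdentifier": f"{DOM}-1000",
     "Properties": {"name": "RESOURCEDC.RESOURCED.LOCAL"},
     "Aces": [
         {"PrincipalSID": f"{DOM}-512", "PrincipalType": "Group",
          "RightName": "GenericAll", "IsInherited": False},
         {"PrincipalSID": f"{DOM}-1105", "PrincipalType": "User",
          "RightName": "GenericAll", "IsInherited": False}]},
    {"ObjectIdentifier": f"{DOM}-1001", "Properties": {}, "Aces": None}]}

if __name__ == "__main__":
    for f in risky_aces(SAMPLE_COMPUTERS, SAMPLE_USERS):
        print(f"{f['principal']} -> {f['right']} -> {f['target']}")
```

An explicit (non-inherited) control ACE held by an ordinary user on a domain controller's computer object is the entry to remove or justify.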