InfoSec LAB

Vault_BloodHound

Created: 2 min read

BloodHound

BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault/bloodhound]
└─$ KRB5CCNAME=../anirudh@dc.vault.offsec.ccache bloodhound-python -d VAULT.OFFSEC -u anirudh -k -no-pass --auth-method kerberos -ns $IP -dc dc.vault.offsec --zip -c Experimental,LoggedOn,All -op python_
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: vault.offsec
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.vault.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.vault.offsec
INFO: Found 5 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.vault.offsec
INFO: User with SID S-1-5-21-537427935-490066102-1511301751-1103 is logged in on DC.vault.offsec
INFO: Done in 00M 06S
INFO: Compressing output into 20250501215528_bloodhound.zip

Using the TGT of the compromised anirudh account, domain ingestion complete

Preps

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault/bloodhound]
└─$ neo4j_kickstart
2025-05-01 19:56:12.885+0000 INFO  Starting...
2025-05-01 19:56:13.188+0000 INFO  This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-05-01 19:56:13.970+0000 INFO  ======== Neo4j 4.4.26 ========
2025-05-01 19:56:14.766+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-05-01 19:56:14.766+0000 INFO  Updating the initial password in component 'security-users'
2025-05-01 19:56:15.394+0000 INFO  Bolt enabled on localhost:7687.
2025-05-01 19:56:16.088+0000 INFO  Remote interface available at http://localhost:7474/
2025-05-01 19:56:16.093+0000 INFO  id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-05-01 19:56:16.094+0000 INFO  name: system
2025-05-01 19:56:16.094+0000 INFO  creationDate: 2024-09-01T10:39:20.089Z
2025-05-01 19:56:16.094+0000 INFO  Started.
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTI┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vault/bloodhound]
└─$ bloodhound

Starting neo4j and bloodhound

Ingested domain data uploaded

Domain

anirudh User

As enumerated with ldapdomaindump, the anirudh user is part of Server Operators and Remote Management Users groups This would meant the user is able to WinRM to the target system

The anirudh user also have WriteDacl, WriteOwner, and GenericWrite accesses over the default domain policy object

Default Domain Policy Object

The Default Domain Policy object affects everything in the target domain

Interactive Graph View

Backlinks