June 11, 2026
HackSmarter BloodHound Guided Lab Challenge
Psych0s1s
First off, as someone who has been doing ethical hacking/red teaming for a bit now professionally, it would seem odd that I was doing a lab around BloodHound enumeration. The thing I find refreshing about the HackSmarter platform is that even with experience, I always glean something valuable that I can use to make me a better hacker. This lab was no different. The first few sections guide you through how to collect data for BloodHound, how to set up BloodHound in Kali, and then how to ingest the data you collected. I won't go through all those steps here, but I will focus on the challenge at the end.
Part 1: Using BloodHound
After proceeding through the modules, you are presented with a challenge of gathering a root.txt flag from the Administrator desktop on the host. Use whichever method you prefer to gather the data and then ingest it into BloodHound. Navigate to Administration — File Ingest and upload the zip file.
After uploading the data, navigate to Explore. In this area, there are several items to choose from and a ton of built-in Cypher queries. These are all useful in their own right, but the goal of the challenge is to find a way to pivot from the pentest account to a domain admin. With that in mind, I went to search and searched for the pentest account. Once you find it, click on the node and select Outbound Object Control to see what other objects the account has control over. In our case, pentest has "GenericAll" rights to a BACKUP_SVC account.
GenericAll means that our pentest account effectively has full control to manipulate the BACKUP_SVC account in any way we wish. Keep this in mind for later. Knowing this information, we then need to pivot to see what rights the BACKUP_SVC account has. I repeated the same steps from above to search for the account and click the node to check outbound control. I found that the BACKUP_SVC account has GetChanges and GetChangesAll rights to the hacksmarter.hsm domain.
This is where BloodHound is particularly powerful. You are able to check how to abuse this configuration in the right-side pane. "With both GetChanges and GetChangesAll privileges in BloodHound, you may perform a dcsync attack to get the password hash of an arbitrary principal." This is our path forward to domain admin.
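The two Outbound Object Control lookups above can be generalized into an audit that lists every principal holding both replication rights and every account that can take it over. This is an added example, not part of the original write-up or the lab: the edge list is constructed, HELPDESK and SVC_SQL are hypothetical names, and the takeover set is an assumed subset of BloodHound edge types.

```python
from collections import defaultdict, deque

# Constructed sample edges (source, right, target) mirroring the relationships
# described in this write-up. HELPDESK and SVC_SQL are hypothetical accounts.
EDGES = [
    ("PENTEST", "GenericAll", "BACKUP_SVC"),
    ("BACKUP_SVC", "GetChanges", "HACKSMARTER.HSM"),
    ("BACKUP_SVC", "GetChangesAll", "HACKSMARTER.HSM"),
    ("HELPDESK", "GetChanges", "HACKSMARTER.HSM"),  # only one of the two rights
    ("SVC_SQL", "ForceChangePassword", "HELPDESK"),
]
# Assumption: edge types treated here as "can take over the target account".
TAKEOVER = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "ForceChangePassword"}
REPLICATION = {"GetChanges", "GetChangesAll"}

def dcsync_principals(edges, domain):
    """Principals holding BOTH replication rights on the domain object."""
    held = defaultdict(set)
    for src, right, dst in edges:
        if dst == domain and right in REPLICATION:
            held[src].add(right)
    return {p for p, rights in held.items() if rights == REPLICATION}

def controllers_of(edges, target):
    """Map each principal that reaches `target` via takeover edges to its path."""
    inbound = defaultdict(list)
    for src, right, dst in edges:
        if right in TAKEOVER:
            inbound[dst].append((src, right))
    paths, queue = {}, deque([(target, [])])
    while queue:  # breadth-first walk backwards from the target
        node, path = queue.popleft()
        for src, right in inbound[node]:
            if src not in paths and src != target:
                paths[src] = [(src, right, node)] + path
                queue.append((src, paths[src]))
    return paths

def audit(edges, domain, expected=frozenset()):
    """DCSync-capable principals outside `expected`, with who controls them."""
    flagged = sorted(dcsync_principals(edges, domain) - set(expected))
    return {p: controllers_of(edges, p) for p in flagged}

if __name__ == "__main__":
    for principal, ctrl in audit(EDGES, "HACKSMARTER.HSM").items():
        print(f"{principal} holds GetChanges + GetChangesAll")
        for who, path in ctrl.items():
            print(f"  controllable from {who}: {path}")
```

Passing the accounts that are meant to replicate (for example, directory sync service accounts) as `expected` leaves only the unexpected grants in the report.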
Part 2: Exploiting the misconfiguration to get domain admin
As mentioned previously, our pentest account effectively has full control over the BACKUP_SVC account. Since we know that the BACKUP_SVC account can perform a dcsync attack, then we just need to get usable credentials for the BACKUP_SVC account. This can be accomplished by using BloodyAD.
bloodyad -H dc01.hacksmarter.hsm -u 'pentest' -p 'HackSmarter123!' set password backup_svc 'Password1!'
Once we reset the password to something we know, we can then use impacket-secretsdump and gather all hashes on the domain controller.
This is the gold mine, but how do you know who is a domain admin? BloodHound comes in clutch here as well. Navigate to Cypher — Saved Queries — All Domain Admins. There are two.
So, we know who the domain admins are and we have their hashes. What do we do from here? From our initial RustScan of the host, we know that port 5985 (WinRM) is open. Evil-WinRM will be your friend here. We can attempt to crack the hashes for the accounts, but evil-winrm will allow you to input a hash to connect. Once we use this to connect, voila! We are able to get the root.txt file and complete the challenge.
Conclusion
Overall, this is an excellent lab and challenge from HackSmarter. They continue to up the game in affordable training that is realistic and not "gamified." It is well worth checking out to level up your skills.