9. Set Up Neo4j and Launch BloodHound GUI

🎯 Goal:

Use BloodHound to find paths that could help user alfredo become a Domain Admin 😈


🔧 Tools:

  • Neo4j = the brain (stores all relationships like users → groups → computers)

  • BloodHound GUI = the eyes (lets you see those relationships)


🪜 Step-by-step:

✅ Step 1: Start Neo4j

In terminal:

sudo neo4j start

Then open browser:

http://localhost:7474
  • First time? Username: neo4j

  • Password: wonder (or change it if Neo4j asks)


✅ Step 2: Open BloodHound

In another terminal:

bloodhound
  • Don’t use sudo here.

  • Login with:

    • Username: neo4j

    • Password: wonder


✅ Step 3: Upload the data

  • You already ran bloodhound-python earlier and got a .zip file.

  • In BloodHound GUI, click Upload Data

  • Select the unzipped files (like computers.json, users.json, etc.)


✅ Step 4: Analyze Alfredo 👀

  1. Search:

    ALFREDO@MEGACHANGE.NYX
  2. Click Analysis tab

  3. Click Find Shortest Paths to Domain Admins

💥 If a path exists — BloodHound will show you how to go from Alfredo to full domain control.

We found that alfredo has the ForceChangePassword permission over sysadmin. What does that mean?

It means user alfredo is allowed to change the password of sysadmin, without knowing the current password! 😮

If sysadmin is a privileged user (like a Domain Admin), then:

  1. Alfredo can change their password 🔑

  2. Then log in as sysadmin.

  3. And boom — he becomes a domain admin.
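
From the defender's side, the same collected data can be used to list every ForceChangePassword right that should not exist. The script below is an added example, not part of the original walkthrough or of BloodHound itself. It assumes the users.json layout written by bloodhound-python (data[] entries with ObjectIdentifier, Properties and Aces), and its sample SIDs and the admincount value for sysadmin are constructed.

```python
import json

# Constructed sample (SIDs invented) in the users.json layout assumed here:
# data[] -> ObjectIdentifier, Properties{name, admincount}, Aces[]{PrincipalSID, RightName}
SAMPLE_USERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
     "Properties": {"name": "ALFREDO@MEGACHANGE.NYX", "admincount": False},
     "Aces": None},
    {"ObjectIdentifier": "S-1-5-21-1-2-3-1106",
     "Properties": {"name": "SYSADMIN@MEGACHANGE.NYX", "admincount": True},
     "Aces": [
         {"PrincipalSID": "S-1-5-21-1-2-3-1105", "PrincipalType": "User",
          "RightName": "ForceChangePassword", "IsInherited": False},
         {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
          "RightName": "ForceChangePassword", "IsInherited": False},
     ]},
]})

# RIDs expected to hold reset rights: Domain Admins (512), Enterprise Admins (519)
EXPECTED_RIDS = {"512", "519"}


def audit_force_change_password(users_json, expected_rids=EXPECTED_RIDS):
    """Return ForceChangePassword ACEs held by principals outside the expected admin groups."""
    users = json.loads(users_json).get("data", [])
    names = {u["ObjectIdentifier"]: u.get("Properties", {}).get("name") for u in users}
    findings = []
    for user in users:
        props = user.get("Properties", {})
        for ace in user.get("Aces") or []:  # Aces may be null or missing
            sid = ace.get("PrincipalSID", "")
            if ace.get("RightName") != "ForceChangePassword":
                continue
            if sid.rsplit("-", 1)[-1] in expected_rids:
                continue
            findings.append({
                "principal": names.get(sid) or sid,  # groups are not in users.json
                "target": props.get("name"),
                "target_is_privileged": bool(props.get("admincount")),
                "inherited": bool(ace.get("IsInherited")),
            })
    # Privileged targets first: those ACEs are the ones to remove or justify first
    return sorted(findings, key=lambda f: not f["target_is_privileged"])


if __name__ == "__main__":
    for finding in audit_force_change_password(SAMPLE_USERS_JSON):
        print(finding)
```

Each finding is an ACE to remove from the target account or to document as intended delegation.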
