9. Set Up Neo4j and Launch BloodHound GUI

🎯 Goal:

Use BloodHound to find paths that could help user alfredo become a Domain Admin 😈


🔧 Tools:

  • Neo4j = the brain (stores all relationships like users → groups → computers)

  • BloodHound GUI = the eyes (lets you see those relationships)


🪜 Step-by-step:

✅ Step 1: Start Neo4j

In terminal:

sudo neo4j start

Then open browser:

http://localhost:7474
  • First time? Username: neo4j

  • Password: wonder (or change it if Neo4j asks)


✅ Step 2: Open BloodHound

In another terminal:

bloodhound
  • Don't use sudo here.

  • Login with:

    • Username: neo4j

    • Password: wonder


✅ Step 3: Upload the data

  • You already ran bloodhound-python earlier and got a .zip file.

  • In BloodHound GUI, click Upload Data

  • Select the unzipped files (like computers.json, users.json, etc.)


✅ Step 4: Analyze Alfredo 👀

  1. Search:

    ALFREDO@MEGACHANGE.NYX
  2. Click Analysis tab

  3. Click Find Shortest Paths to Domain Admins

💥 If a path exists, BloodHound will show you how to go from Alfredo to full domain control.

We found that Alfredo has a ForceChangePassword permission over Sysadmin. What does that mean?

It means user alfredo is allowed to change the password of sysadmin, without knowing the current password! 😮

This matters because if sysadmin is a privileged user (like a Domain Admin), then:

  1. Alfredo can change their password 🔑

  2. Then log in as sysadmin.

  3. And boom, he becomes a domain admin.
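
For defenders reviewing the same collection, this kind of delegation can be listed straight from the exported data so it can be removed or justified. The following is an added example, not part of the original write-up: it scans a users.json export for ForceChangePassword ACEs. The JSON layout (data[], Properties.name, ObjectIdentifier, Aces[] with PrincipalSID, RightName, IsInherited), the SIDs and the admincount values are assumptions constructed for illustration.

```python
import json

# Constructed sample in the layout assumed for users.json (BloodHound 4.x-style
# collector output). SIDs, names and admincount values are made up.
SAMPLE_USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1104",
         "Properties": {"name": "ALFREDO@MEGACHANGE.NYX", "admincount": False},
         "Aces": []},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
         "Properties": {"name": "SYSADMIN@MEGACHANGE.NYX", "admincount": True},
         "Aces": [
             {"PrincipalSID": "S-1-5-21-1-2-3-1104", "PrincipalType": "User",
              "RightName": "ForceChangePassword", "IsInherited": False},
             {"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group",
              "RightName": "GenericAll", "IsInherited": True},
         ]},
    ],
    "meta": {"type": "users", "count": 2},
})


def find_password_reset_rights(users_json, rights=frozenset({"ForceChangePassword"})):
    """Return one finding per ACE that grants one of `rights` over a user object."""
    users = json.loads(users_json).get("data", [])
    # Map SID -> name so findings are readable; unknown SIDs are reported as SIDs.
    names = {u["ObjectIdentifier"]: u["Properties"].get("name", u["ObjectIdentifier"])
             for u in users}
    findings = []
    for user in users:
        for ace in user.get("Aces") or []:
            if ace.get("RightName") not in rights:
                continue
            sid = ace.get("PrincipalSID", "")
            findings.append({
                "principal": names.get(sid, sid),
                "right": ace["RightName"],
                "target": user["Properties"].get("name"),
                "target_privileged": bool(user["Properties"].get("admincount")),
                "inherited": bool(ace.get("IsInherited")),
            })
    # Privileged targets first: those delegations are the ones to review first.
    return sorted(findings, key=lambda f: not f["target_privileged"])


if __name__ == "__main__":
    for finding in find_password_reset_rights(SAMPLE_USERS_JSON):
        print(finding)
```

Passing a wider `rights` set (for example adding GenericAll) also reports broader grants that include the password-reset right.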
