9. Set Up Neo4j and Launch BloodHound GUI

Last updated 24 days ago

🎯 Goal:

Use BloodHound to find attack paths that let user alfredo become a Domain Admin 😈


🔧 Tools:

  • Neo4j = the brain (the graph database that stores every relationship the collector found: users → groups, group → group nesting, ACL rights over other objects, sessions on computers)

  • BloodHound GUI = the eyes (the front end that queries Neo4j over bolt, port 7687, and draws the paths so you can see them)


🪜 Step-by-step:

✅ Step 1: Start Neo4j

In terminal:

sudo neo4j start

Then open the Neo4j browser console:

http://localhost:7474
  • First time? Log in with the default credentials, username neo4j and password neo4j. Neo4j then forces you to set a new password; this lab uses wonder.

  • Already set it up? Log in with neo4j / wonder.

  • Leave Neo4j bound to localhost (the default). Once the data is loaded this database holds a complete map of the target domain, so ports 7474 and 7687 must never be reachable from the network.


✅ Step 2: Open BloodHound

In another terminal:

bloodhound
  • Don’t use sudo here. The GUI is an Electron app and runs fine as your normal user; it does not need root.

  • BloodHound connects to Neo4j at bolt://localhost:7687, so if Step 1 did not finish the login will fail with a connection error.

  • Login with:

    • Username: neo4j

    • Password: wonder


✅ Step 3: Upload the data

  • You already ran bloodhound-python earlier and got a .zip file.

  • In BloodHound GUI, click Upload Data (or drag the file onto the window).

  • BloodHound accepts the .zip as-is. You can also unzip it and select the individual JSON files (users, groups, computers, domains, etc.).

  • Check the import worked: the progress bar should reach 100% for every file, and searching a known principal afterwards should return a node.


✅ Step 4: Analyze Alfredo 👀

  1. Search (BloodHound names principals as UPPERCASE NAME@DOMAIN):

    ALFREDO@MEGACHANGE.NYX
  2. Click the node, then click the Analysis tab

  3. Click Find Shortest Paths to Domain Admins

  4. Optional: right-click the node and choose Mark User as Owned, then run Shortest Paths to Domain Admins from Owned Principals. That limits the result to paths starting from the foothold you actually have.

💥 If a path exists, BloodHound draws every hop from Alfredo to full domain control.

We found that Alfredo has a ForceChangePassword edge to Sysadmin. What does that mean?

ForceChangePassword is BloodHound's name for the User-Force-Change-Password extended right on the sysadmin object. It means user alfredo is allowed to reset the password of sysadmin, without knowing the current password! 😮

If sysadmin is a privileged user (like a Domain Admin), then:

  1. Alfredo can reset their password 🔑

  2. Then log in as sysadmin .

  3. And boom — he becomes a domain admin.

⚠️ Caveat before you abuse it: a reset is destructive and noisy. The real sysadmin is locked out of their own account, and the domain controller logs Security event 4724 (an attempt was made to reset an account's password) with alfredo as the subject. On a real engagement this needs to be inside the rules of engagement, and on a monitored network it is exactly the kind of event a SOC alerts on.
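The same analysis without the GUI, as an added example that is not part of the original lab: a small Python script that loads bloodhound-python style JSON, builds the directed graph (MemberOf edges plus abusable ACE rights) and runs a breadth-first shortest-path search from alfredo to Domain Admins. The sample users/groups data is constructed inline to mirror the lab's finding; the JSON field names (ObjectIdentifier, Properties.name, Aces, Members, RightName) are assumptions about the collector's v4 output format, and the SIDs are made up.

```python
"""Offline shortest-path check over bloodhound-python style JSON (added example)."""
import json
from collections import deque

# Constructed sample data shaped like bloodhound-python v4 users.json / groups.json.
# Field names are assumptions about the collector's format; SIDs are made up.
DOM = "MEGACHANGE.NYX"
SID_ALFREDO = "S-1-5-21-1000-2000-3000-1105"
SID_SYSADMIN = "S-1-5-21-1000-2000-3000-1106"
SID_DA = "S-1-5-21-1000-2000-3000-512"

USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": SID_ALFREDO,
         "Properties": {"name": f"ALFREDO@{DOM}"},
         "Aces": []},
        {"ObjectIdentifier": SID_SYSADMIN,
         "Properties": {"name": f"SYSADMIN@{DOM}"},
         # ACE on the sysadmin object: alfredo holds User-Force-Change-Password
         "Aces": [{"PrincipalSID": SID_ALFREDO, "PrincipalType": "User",
                   "RightName": "ForceChangePassword", "IsInherited": False}]},
    ],
    "meta": {"type": "users", "count": 2, "version": 4},
})

GROUPS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": SID_DA,
         "Properties": {"name": f"DOMAIN ADMINS@{DOM}"},
         "Members": [{"ObjectIdentifier": SID_SYSADMIN, "ObjectType": "User"}],
         "Aces": []},
    ],
    "meta": {"type": "groups", "count": 1, "version": 4},
})

# ACE rights that BloodHound treats as abusable attack-path edges.
ABUSABLE_RIGHTS = {"ForceChangePassword", "GenericAll", "GenericWrite", "WriteDacl",
                   "WriteOwner", "Owns", "AddMember", "AllExtendedRights"}


def build_graph(*blobs):
    """Return (names, edges): SID -> name map and adjacency SID -> [(target SID, edge)]."""
    names, edges = {}, {}
    for blob in blobs:
        for obj in json.loads(blob)["data"]:
            sid = obj["ObjectIdentifier"]
            names[sid] = obj["Properties"]["name"]
            # MemberOf edge: member -> group
            for member in obj.get("Members", []):
                edges.setdefault(member["ObjectIdentifier"], []).append((sid, "MemberOf"))
            # ACE edge: the principal holding the right -> this object
            for ace in obj.get("Aces", []):
                if ace["RightName"] in ABUSABLE_RIGHTS:
                    edges.setdefault(ace["PrincipalSID"], []).append((sid, ace["RightName"]))
    return names, edges


def shortest_path(names, edges, src_name, dst_name):
    """BFS over the directed graph; returns [(from, edge, to), ...] or None if no path."""
    by_name = {name: sid for sid, name in names.items()}
    if src_name not in by_name or dst_name not in by_name:
        return None
    src, dst = by_name[src_name], by_name[dst_name]
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt, edge in edges.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, edge)
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while prev[node] is not None:
        parent, edge = prev[node]
        path.append((names[parent], edge, names[node]))
        node = parent
    return list(reversed(path))


def find_path_to_da(users_json=USERS_JSON, groups_json=GROUPS_JSON, start=f"ALFREDO@{DOM}"):
    """Shortest path from `start` to the Domain Admins group, like BloodHound's pre-built query."""
    names, edges = build_graph(users_json, groups_json)
    return shortest_path(names, edges, start, f"DOMAIN ADMINS@{DOM}")


# Equivalent raw Cypher for the BloodHound GUI's Raw Query bar:
# MATCH p=shortestPath((u:User {name:"ALFREDO@MEGACHANGE.NYX"})-[*1..]->
#   (g:Group {name:"DOMAIN ADMINS@MEGACHANGE.NYX"})) RETURN p

if __name__ == "__main__":
    for src, edge, dst in find_path_to_da() or []:
        print(f"{src} -[{edge}]-> {dst}")
```

Running it prints the two-hop path ALFREDO -[ForceChangePassword]-> SYSADMIN -[MemberOf]-> DOMAIN ADMINS, which is the same result the GUI draws. The Cypher in the comment runs the same search inside BloodHound over the full edge set, which is useful when you want to check a single path without clicking through the Analysis tab.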