Evil-Winrm & Blood/SharpHound.ps1

So recently I did a box that required running both of these.
When I loaded them from WinRM the output kept being in CSV format, and for the life of me I couldn't get the JSON zip, nor would it allow the -CollectionMethod All (error saying every other option worked but not All).

Lucky for me I think someone else was on the box at the same time I was and I managed to get the zip to crack the box.

With that said… later I came back even with full access and couldn’t run them local to the device either. I kept getting the error about domain.

Tried -Domain and -DomainController but not exactly sure how in the world I get SharpHound to actually work.

Method I used…

Import-module ./SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
(basic form and then others for domain/user creds nothing worked to get past the domain error or ldap error)

Nothing I found on google seemed to help me.
Anyone that could help me figure this out would be greatly appreciated!

Much <3,
~Monk3y

Most probably you missed user and password options, if you talk about the box I am thinking rn

Treeeez> @VoltK said:

Most probably you missed user and password options, if you talk about the box I am thinking rn

I think you’re right though I didn’t see those options.

LDAPUser - Username to connect to LDAP with. Requires the LDAPPassword parameter as well (Default: null)

LDAPPass - Password for the user to connect to LDAP with. Requires the LDAPUser parameter as well (Default: null)

Guess it would be like Invoke-BloodHound -LDAPUser Name -LDAPPAss Pass -CollectionMethod All

Edit

With that being said would you load that from the box… or from evil? Would it matter at that point?

Thank you to those who have sent me messages about this.
I’ve come to find a couple ways to make this work…

EVIL-WINRM

evil-winrm -i x.x.x.x -u user -p pass -s /pathtoscript/
Load SharpHound.ps1
Menu
(goto path you can write to)
Invoke-BloodHound -Domain HTB -LDAPUser #User -LDAPPass #Pass -CollectionMethod All -DomainController xxx -ZipFileName test.zip

BLOODHOUND-PYTHON

bloodhound-python -v -u xxx -p xxx -ns x.x.x.x -d htb.local -gc x.x.x.x -c All

I got different results with SharpHound.ps1 and bloodhound.py, the first one giving more information (GPOs).

Is it possible to find the path with the information provided by bloodhound.py?

I didn’t use the .py much. It’s not a full port of SharpHound.
Think I recall them saying that on the page actually.

I think I may know the box you're talking about and I used the .py version and gained root that way :)

The .py gives you multiple JSON files you have to import manually. I agree there seemed to be less info from the .py version than the .ps1 running directly on the box… but saying that, I managed to root the box with the info from the .py version.
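An added example (not from any poster or from the BloodHound projects): a Python check that lists which object types a collection run actually produced, so the SharpHound.ps1 zip and the loose bloodhound-python JSON files discussed in this thread can be compared before import. It assumes each file carries a `meta` block with `type` and `count` and keeps its objects under `data` or under a key named after the type; all sample files are constructed.

```python
import io
import json
import zipfile

def summarize(files):
    """Map object type -> (declared count, parsed count); bad files appear as "!<name>"."""
    summary = {}
    for name, raw in sorted(files.items()):
        try:
            # utf-8-sig tolerates a leading byte-order mark
            doc = json.loads(raw.decode("utf-8-sig"))
            meta = doc["meta"]
            kind = meta["type"]
            # Assumed layouts: objects under "data" or under a key named after the type
            objects = doc["data"] if "data" in doc else doc[kind]
        except (ValueError, KeyError, TypeError) as exc:
            summary["!" + name] = type(exc).__name__
            continue
        summary[kind] = (meta.get("count"), len(objects))
    return summary

def read_zip(blob):
    """Return {name: bytes} for every .json member of a zip held in memory."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {n: zf.read(n) for n in zf.namelist() if n.endswith(".json")}

def missing_types(reference, other):
    """Object types parsed from `reference` that `other` does not contain."""
    return sorted(k for k in reference if not k.startswith("!") and k not in other)

def _sample(kind, n, bom=False):
    # Constructed sample file, not real collector output
    doc = {"data": [{"Name": f"{kind}{i}"} for i in range(n)],
           "meta": {"type": kind, "count": n}}
    return (b"\xef\xbb\xbf" if bom else b"") + json.dumps(doc).encode()

def build_samples():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for kind, n in [("users", 3), ("computers", 2), ("groups", 4), ("gpos", 2)]:
            zf.writestr(f"sample_{kind}.json", _sample(kind, n, bom=True))
    loose = {"users.json": _sample("users", 3), "computers.json": _sample("computers", 2),
             "groups.json": b'{"data": ['}  # truncated on purpose
    return read_zip(buf.getvalue()), loose

if __name__ == "__main__":
    zipped, loose = build_samples()
    a, b = summarize(zipped), summarize(loose)
    print(a, b, "missing from second run:", missing_types(a, b), sep="\n")
```

A file listed under a `!` key failed to parse, and a declared count that differs from the parsed count points at a truncated or hand-edited file.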

I went back and managed to do both versions on the box.

Can someone assist me with the box we are talking about, aka root? I found the path I think I need to take. I can't get PowerView working… No way to do it remotely. Or can I run WinRM with the script option with PowerView? Could use some help with the box that is being referenced :)

Spoiler Removed

I can only tell you that my evil-winrm is not the problem. Maybe it could be the version you are using from bloodhound.ps1 or sharphound.ps1. Soon we will release version 2.1 of Evil-WinRM. Thanks for using it.

@CyberVaca said:

I can only tell you that my evil-winrm is not the problem. Maybe it could be the version you are using from bloodhound.ps1 or sharphound.ps1. Soon we will release version 2.1 of Evil-WinRM. Thanks for using it.

Right on! Love Evil-Win. No, it was 100% the call to use blood and sharp. Didn’t know it needed the creds and such. Based off the info above it works perfect on either version. Also think the box it was used on had a part to play.

Anyone have any idea why I'm getting a:
  File "bloodhound.py", line 5, in <module>
    bloodhound.main()
  File "/root/BloodHound.py/bloodhound/__init__.py", line 286, in main
    disable_pooling=args.disable_pooling)
  File "/root/BloodHound.py/bloodhound/__init__.py", line 72, in run
    self.pdc.prefetch_info('objectprops' in collect, 'acl' in collect)
  File "/root/BloodHound.py/bloodhound/ad/domain.py", line 385, in prefetch_info
    self.get_computers(include_properties=props, acl=acls)
  File "/root/BloodHound.py/bloodhound/ad/domain.py", line 352, in get_computers
    for entry in entries:
  File "/root/BloodHound.py/bloodhound/ad/domain.py", line 150, in search
    for e in sresult:
  File "/usr/local/lib/python2.7/dist-packages/ldap3/extend/standard/PagedSearch.py", line 64, in paged_search_generator
    None if cookie is True else cookie)
  File "/usr/local/lib/python2.7/dist-packages/ldap3/core/connection.py", line 765, in search
    raise LDAPAttributeError('invalid attribute type ' + attribute_name_to_check)
ldap3.core.exceptions.LDAPAttributeError: invalid attribute type ms-mcs-admpwdexpirationtime

error?

I can't use the GUI because every time I load the JSONs the screen goes white.

Please help.

I didn’t use the bloodhound.py script.

The two I used are bloodhound.ps1 and the bloodhound-python

When I do a locate bloodhound.py, mine is located in my python3.

Running it didn't give me the same errors as you if run from python3.

/shrug?

This is why I don’t like being dependent on tools.

The Python in your command is going a bit bonkers. I'm just starting to get into Python but I'd guess you didn't use it right… try one of the other options to run it or look up the specific bloodhound.py

Bloodhound just really helps you track down what to do and how.

The first time I did this on windows, the 2nd time on linux only.
Windows was very interesting, linux was pretty easy after windows.

Well, that info is for if you’re doing forest lol

@Slxyre said:

This is why I don’t like being dependent on tools.

Took the words right out of my mouth lol. I swear, the amount of time people spend struggling to get pre-made scripts working… better off spending that time just learning how to do it without the pre-made tools.