Enable 2FA in Settings to access challenges and protect your account.
Attack Scenarios
Complete each challenge to unlock the next. Answer the guided questions to discover the attack path.
Scenario Title
Scenario description
Import this file into BloodHound to explore the attack path
Stuck? Read the full step-by-step walkthrough article
Guided Questions
Answer each question to progress. Use BloodHound to find the answers!
Submit Flag
Once you've found the flag, submit it below to complete the challenge
Leaderboard
Top hunters in the BloodHound Azure AD CTF
| Rank | Hunter | Score | Completed | Last Activity |
|---|
Getting Started
Learn how to use BloodHound for Azure AD reconnaissance
1. Download Scenario Data
Each scenario provides a JSON file containing Azure AD data. Download it and import into BloodHound.
2. Import to BloodHound
Open BloodHound CE, click the upload button, and select the downloaded JSON file.
http://localhost:8080/ui/explore
3. Answer the Questions
Each scenario has guided questions. Use BloodHound's search and Cypher queries to find the answers.
4. Find the Flag
The final question leads to the flag. Flags are Base64 encoded in object descriptions.
echo "BASE64_STRING" | base64 -d
Useful Cypher Queries
// Find a user
MATCH (u:AZUser {displayName: "Username"}) RETURN u
// Find group memberships
MATCH (u:AZUser)-[:AZMemberOf]->(g:AZGroup) RETURN u.displayName, g.displayName
// Find app owners
MATCH (u)-[:AZOwns]->(app:AZApp) RETURN u.displayName, app.displayName
// Find role assignments
MATCH (p)-[:AZHasRole]->(r:AZRole) RETURN p.displayName, r.displayName
// Find attack paths
MATCH path = shortestPath((start:AZUser)-[*1..5]->(target:AZGroup))
WHERE start.displayName = "StartUser" AND target.displayName = "TargetGroup"
RETURN path
Install BloodHound
BloodHound is available on GitHub. Follow the installation guide to set up BloodHound on your system.
Quick Install Steps:
- Download the latest release from GitHub
- Install Neo4j database (v4.x recommended)
- Start Neo4j and change default credentials
- Run BloodHound and connect to Neo4j
- Import the scenario JSON files
Admin Panel
Manage users and invitations
Registered Users
0 users| Status | Username | Role | 2FA | Progress | Joined | Actions |
|---|
Send Invitation
Batch Invite
Import multiple users at once. Enter emails separated by commas, semicolons, or new lines. You can also paste from CSV.
Invitation Status
| Invited By | Status | Sent | Viewed | Registered | Actions |
|---|
Manage Question Answers
Edit answers for scenario questions. Changes take effect immediately.
Scenario Flag
Account Settings
Manage your security settings
Two-Factor Authentication
Add an extra layer of security to your account
2FA is disabled
Scan this QR code with your authenticator app (Google Authenticator, Authy, etc.)
Or enter this key manually:
2FA is enabled and protecting your account
Account Information
Your account details
Change Password
Update your account password