2 minute read

If you’re having problems with your SharpHound output uploading to BloodHound, you may be victim of an old version/new version incompatibility.

“File created from incompatible collector” and “NaN%” are super frustrating, particularly because you’ll only come across this roadblock when you’re in the throes of an engagement. In my case, I encountered this in both my 3rd OSCP attempt and in the TryHackMe room, “Post-Exploitation Basics.”

"Incompatible collector" results after trying to click-and-drag upload my SharpHound.ps1 loot.zip file

“Incompatible collector” results after trying to click-and-drag upload my SharpHound.ps1 loot.zip file

Solution

Use SharpHound.exe to collect your domain information, not SharpHound.ps1.

Location of SharpHound.exe tool on Kali

Transferring BloodHound.exe with $ python3 -m http.server 81

Transferring `SharpHound.exe` with `$ python3 -m http.server 81`

Successfully using SharpHound.exe in PowerShell.

Using SharpHound.exe

Transferring the SharpHound loot with scp

Transferring the SharpHound loot with `scp`

Successful upload to BloodHound

Successful upload to BloodHound

ACHTUNG!: I don’t think this will solve every instance of “incompatible collector,” but it worked for me today in my TryHackMe use-case. If this doesn’t work for you, look into the following options:

  1. Removing the Kali repo install of BloodHound and cloning from the project
  2. Downgrading your install of BloodHound back to when SharpHound.ps1 worked — try 3.0
  3. The use of bloodhound.py instead of SharpHound to collect domain information

Explanation

In the case of the TryHackMe room’s AttackBox, which is usually the route I go when I’m having trouble with my own Kali VM, the problem was that the SharpHound deployment on the environment’s Windows Server was only equipped with SharpHound.ps1 while the Ubuntu AttackBox had BloodHound 4.1.0 and my Kali VM used 4.2.0.

According to one of the project maintainers, rvazarkar, the “newest versions” of BloodHound do not make use of SharpHound.ps1. At the time of writing, the latest version BloodHound is 4.2.0, released this past August. The comment by rvazarkar was made on April 15th when 4.1.0 was the current release, making it the newest version at the time.

TryHackMe, Post-Exploitation Basics AttackBox BloodHound version 4.1.0

TryHackMe, Post-Exploitation Basics AttackBox BloodHound version 4.1.0

BloodHound maintainer indicating there was a sunset for SharpHound.ps1

BloodHound maintainer indicating there was a sunset for `SharpHound.ps1`

Sources

There was no one-line answer available on the first page of Google that I could see, hence the reason for this post. However, reading this GitHub issue on the project page led me to believe there was probably a version mismatch between the SharpHound pre-staged on the Windows Server and the BloodHound installed on the AttackBox and my Kali VM.

Leave a comment