Machine Synopsis
Haze is a hard-difficulty Windows machine focused on web exploitation, domain abuse, and Windows privilege escalation. Initial access is gained by exploiting the `Splunk Arbitrary File Read (CVE-2024-36991)` vulnerability to extract an LDAP bind password, which is then decrypted using `splunk.secret`. With valid credentials, a BloodHound scan reveals further accounts, and password spraying provides access to a user with `GMSA` management rights. This allows abuse of the `PrincipalsAllowedToRetrieveManagedPassword` property to dump hashes and pivot into a privileged service account. Using Shadow Credentials, access is escalated to another user. Backup files expose more credentials, eventually giving admin access to `Splunk`. Finally, a custom app upload enables a reverse shell, and `SeImpersonatePrivilege` is abused to impersonate SYSTEM, completing the escalation chain.
Machine Matrix