TheFrizz starts with a Gibbons learning management platform that has a file write vulnerability that allows me to write a webshell and get a foothold on the box. I’ll grab a hash and salt from the database and crack that to move to the next user, connecting over SSH using Kerberos for auth. I’ll find an archive files for a WAPT install in the RecycleBin, and recover that to get a password for the next user. That user can edit group policy objects (GPOs), which I’ll abuse to get a shell as SYSTEM.

0xdf hacks stuff

A detailed walkthrough of exploiting a Windows domain controller running Gibbon LMS. The attack chain begins with exploiting CVE-2023-45878, an unauthenticated file write vulnerability in Gibbon v25.0.00 that allows uploading a PHP webshell. Database credentials are extracted and a user hash is cracked to gain SSH access via Kerberos authentication. Further enumeration reveals WAPT backup files in the RecycleBin containing credentials for another user. The final privilege escalation leverages Group Policy Object (GPO) abuse through membership in the Group Policy Creator Owners group to achieve SYSTEM access.

HTB: TheFrizz