HTB TheFrizz

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html
• Blog Title: HTB: TheFrizz
• Suggested Section: Generic Hacking -> Web: Arbitrary File Write to RCE (add a subsection with CVE-2023-45878 Gibbon LMS PoC and parameter format). Cross-link notes to Pentesting Network -> Kerberos/SMB (Kerberos-only environments: time sync, krb5.conf, GSSAPI SSH/SPN).

🎯 Content Summary

Technical Summary: Gibbon LMS Arbitrary File Write to Pre-Auth RCE (CVE-2023-45878)

Target and Recon

Windows Domain Controller exposing:

• SSH: OpenSSH_for_Windows_8.1
• DNS: 53
• Kerberos: 88/464
• LDAP: 389/3268
• SMB: 445 (NTLM disabled)
• ADWS: 9389
• Apache: httpd 2.4.58 (OpenSSL 3....

  🔧 Technical Details

  Pre-auth arbitrary file write to RCE in Gibbon (CVE-2023-45878): Target modules/Rubrics/rubrics_visualise_saveAjax.php and POST img as [mime];[name],[base64] with any gibbonPersonID and path to a .php under the app root. The server base64-decodes and writes bytes without validation, enabling a webshell. Example img: image/png;foo,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4= and pat...

  🤖 Agent Actions

  I’ve updated HackTricks with the key technical material from the blog and cross-linked the Kerberos-only environment notes into the most relevant network pentesting pages. Below are the changes implemented.

  What I added

  1. Web: Arbitrary file write to RCE – Gibbon LMS (CVE-2023-45878)
  • File updated: src/pentesting-web/file-upload/README.md
  • What: A new subsection “Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)” documenting:
    • Vulnerable endpoint: /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
    • Parameters and format: img must be “[mime];[name],[base64]”, with path= and a dummy gibbonPersonID.
    • Clear curl PoCs to write a file and drop a minimal php webshell, with whoami example and notes on how the handler base64-decodes and writes bytes wit...

  ---

  This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

  🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts

  The searchindex.js file is automatically generated and should not be included in manual commits.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html

Content Categories: Based on the analysis, this content was categorized under "Generic Hacking -> Web: Arbitrary File Write to RCE (add a subsection with CVE-2023-45878 Gibbon LMS PoC and parameter format). Cross-link notes to Pentesting Network -> Kerberos/SMB (Kerberos-only environments: time sync, krb5.conf, GSSAPI SSH/SPN).".

Repository Maintenance:

• MD Files Formatting: 873 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge