Difficulty: HARD - Windows.
Nmap scan
fries.htb on main via 🐍 v3.13.7 took 5s
$ nmap -Pn -sV -sC -T4 -A 10.10.11.96
Starting Nmap 7.98 ( <https://nmap.org> ) at 2025-11-27 09:33 +0800
Nmap scan report for fries.htb (10.10.11.96)
Host is up (0.29s latency).
Not shown: 984 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b3:a8:f7:5d:60:e8:66:16:ca:92:f6:76:ba:b8:33:c2 (ECDSA)
|_ 256 07:ef:11:a6:a0:7d:2b:4d:e8:68:79:1a:7b:a7:a9:cd (ED25519)
53/tcp open domain Simple DNS Plus
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Welcome to Fries - Fries Restaurant
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-27 01:34:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
|_ssl-date: 2025-11-27T01:35:26+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after: 2105-11-18T05:39:19
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
| tls-nextprotoneg:
|_ http/1.1
| ssl-cert: Subject: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP
| Not valid before: 2025-06-01T22:06:09
|_Not valid after: 2026-06-01T22:06:09
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after: 2105-11-18T05:39:19
|_ssl-date: 2025-11-27T01:35:25+00:00; -1s from scanner time.
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
|_ssl-date: 2025-11-27T01:35:26+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after: 2105-11-18T05:39:19
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after: 2105-11-18T05:39:19
|_ssl-date: 2025-11-27T01:35:25+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-27T01:34:46
|_ start_date: N/A
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 139.84 seconds
I visited the website on port 80, since the given creds were not working in any of the netexec enumeration.

After that I did directory enumeration, but that did not work out in my favor, so I scanned for subdomains and, sure enough, found one returning 200, which was code.fries.htb.
It turned out to be a Gitea repo for the website,
and the creds actually worked in the Gitea repo.

After cloning the repo to my own machine and analyzing it for a while, I saw that it has a DB management system that is only accessible to internals, of which I was one.
And interestingly:
htb/machine/fries
$ cd fries.htb
cat .env 2>/dev/null || echo ".env not found"
ls -la | grep env
.env not found
fries.htb on main via 🐍 v3.13.7
❯ git log --all --full-history -- .env
git log --all --full-history -- "*.env"
git rev-list --all | xargs git grep -i "DATABASE_URL"
commit 3e8ca66c0de6388ac663d4c1ea56ad9d309fda3b
Author: Dale Cooper <dale@fries.htb>
Date: Wed May 28 10:14:29 2025 +0000
gitignore update
commit be59cceb54b56f00778822395bdf656216ab4b9f
Author: Dale Cooper <dale@fries.htb>
Date: Wed May 28 09:30:36 2025 +0000
Initial Commit
commit 3e8ca66c0de6388ac663d4c1ea56ad9d309fda3b
Author: Dale Cooper <dale@fries.htb>
Date: Wed May 28 10:14:29 2025 +0000
gitignore update
commit be59cceb54b56f00778822395bdf656216ab4b9f
Author: Dale Cooper <dale@fries.htb>
Date: Wed May 28 09:30:36 2025 +0000
Initial Commit
Binary file 47b29c411c3f2fac4fef6b2f896e6cd559dcf0ce:app/__pycache__/models.cpython-310.pyc matches
Binary file 47b29c411c3f2fac4fef6b2f896e6cd559dcf0ce:app/__pycache__/models.cpython-311.pyc matches
47b29c411c3f2fac4fef6b2f896e6cd559dcf0ce:app/models.py: db_url = os.environ.get("DATABASE_URL")
47b29c411c3f2fac4fef6b2f896e6cd559dcf0ce:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file d03e0d7b694b38f417e59afd536ff32c28780518:app/__pycache__/models.cpython-310.pyc matches
Binary file d03e0d7b694b38f417e59afd536ff32c28780518:app/__pycache__/models.cpython-311.pyc matches
d03e0d7b694b38f417e59afd536ff32c28780518:app/models.py: db_url = os.environ.get("DATABASE_URL")
d03e0d7b694b38f417e59afd536ff32c28780518:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file 0e410b791f951dd99cd948149ea9feb665cfbcb2:app/__pycache__/models.cpython-310.pyc matches
Binary file 0e410b791f951dd99cd948149ea9feb665cfbcb2:app/__pycache__/models.cpython-311.pyc matches
0e410b791f951dd99cd948149ea9feb665cfbcb2:app/models.py: db_url = os.environ.get("DATABASE_URL")
0e410b791f951dd99cd948149ea9feb665cfbcb2:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file 2c5fc0fab831cd12bc189b05170f5769c78ad562:app/__pycache__/models.cpython-310.pyc matches
Binary file 2c5fc0fab831cd12bc189b05170f5769c78ad562:app/__pycache__/models.cpython-311.pyc matches
2c5fc0fab831cd12bc189b05170f5769c78ad562:app/models.py: db_url = os.environ.get("DATABASE_URL")
2c5fc0fab831cd12bc189b05170f5769c78ad562:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file 6266ab41df06b9ccea7133d61058edf773886cb4:app/__pycache__/models.cpython-310.pyc matches
Binary file 6266ab41df06b9ccea7133d61058edf773886cb4:app/__pycache__/models.cpython-311.pyc matches
6266ab41df06b9ccea7133d61058edf773886cb4:app/models.py: db_url = os.environ.get("DATABASE_URL")
6266ab41df06b9ccea7133d61058edf773886cb4:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file 45c2c6bb516f540d52b70af61ba5f3d066005d05:app/__pycache__/models.cpython-310.pyc matches
Binary file 45c2c6bb516f540d52b70af61ba5f3d066005d05:app/__pycache__/models.cpython-311.pyc matches
45c2c6bb516f540d52b70af61ba5f3d066005d05:app/models.py: db_url = os.environ.get("DATABASE_URL")
45c2c6bb516f540d52b70af61ba5f3d066005d05:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file ed330345bc3d69bb0bd9292c52b05585abcc5c6b:app/__pycache__/models.cpython-310.pyc matches
Binary file ed330345bc3d69bb0bd9292c52b05585abcc5c6b:app/__pycache__/models.cpython-311.pyc matches
ed330345bc3d69bb0bd9292c52b05585abcc5c6b:app/models.py: db_url = os.environ.get("DATABASE_URL")
ed330345bc3d69bb0bd9292c52b05585abcc5c6b:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file 83eef4b82f7acf78a3a1a0c66f844fee1f1cb9de:app/__pycache__/models.cpython-310.pyc matches
Binary file 83eef4b82f7acf78a3a1a0c66f844fee1f1cb9de:app/__pycache__/models.cpython-311.pyc matches
83eef4b82f7acf78a3a1a0c66f844fee1f1cb9de:app/models.py: db_url = os.environ.get("DATABASE_URL")
83eef4b82f7acf78a3a1a0c66f844fee1f1cb9de:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
Binary file 3e8ca66c0de6388ac663d4c1ea56ad9d309fda3b:app/__pycache__/models.cpython-310.pyc matches
Binary file 3e8ca66c0de6388ac663d4c1ea56ad9d309fda3b:app/__pycache__/models.cpython-311.pyc matches
3e8ca66c0de6388ac663d4c1ea56ad9d309fda3b:app/models.py: db_url = os.environ.get("DATABASE_URL")
3e8ca66c0de6388ac663d4c1ea56ad9d309fda3b:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
03a8dc3b3c0bcca9eabcd850ea72d8b7c90b697f:.env:DATABASE_URL=postgresql://root:PsqLR00tpaSS11@172.18.0.3:5432/ps_db
Binary file 03a8dc3b3c0bcca9eabcd850ea72d8b7c90b697f:app/__pycache__/models.cpython-310.pyc matches
Binary file 03a8dc3b3c0bcca9eabcd850ea72d8b7c90b697f:app/__pycache__/models.cpython-311.pyc matches
03a8dc3b3c0bcca9eabcd850ea72d8b7c90b697f:app/models.py: db_url = os.environ.get("DATABASE_URL")
03a8dc3b3c0bcca9eabcd850ea72d8b7c90b697f:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
be59cceb54b56f00778822395bdf656216ab4b9f:.env:DATABASE_URL=postgresql://root:PsqLR00tpaSS11@172.18.0.3:5432/ps_db
Binary file be59cceb54b56f00778822395bdf656216ab4b9f:app/__pycache__/models.cpython-310.pyc matches
Binary file be59cceb54b56f00778822395bdf656216ab4b9f:app/__pycache__/models.cpython-311.pyc matches
be59cceb54b56f00778822395bdf656216ab4b9f:app/models.py: db_url = os.environ.get("DATABASE_URL")
be59cceb54b56f00778822395bdf656216ab4b9f:app/models.py: raise ValueError("DATABASE_URL environment variable not set")
I found the DB creds, so I went on and logged into the DB.
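From the repository owner's side, the same `git grep` over all revisions doubles as an audit, but its output is mostly noise, as seen above. The following added example (not part of the original writeup) parses that `<commit>:<path>:<text>` format, keeps only connection URLs that embed a password, redacts them and groups them by file; the hashes, user, password and address in the sample are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the format printed by
# `git rev-list --all | xargs git grep -i "DATABASE_URL"`; all values are made up.
SAMPLE = """\
Binary file 1111111111111111111111111111111111111111:app/__pycache__/models.cpython-310.pyc matches
1111111111111111111111111111111111111111:app/models.py:    db_url = os.environ.get("DATABASE_URL")
2222222222222222222222222222222222222222:.env:DATABASE_URL=postgresql://appuser:ExamplePass123@10.0.0.5:5432/app_db
2222222222222222222222222222222222222222:app/models.py:    db_url = os.environ.get("DATABASE_URL")
3333333333333333333333333333333333333333:.env:DATABASE_URL=postgresql://appuser:ExamplePass123@10.0.0.5:5432/app_db
"""

HIT = re.compile(r"^([0-9a-f]{40}):([^:]+):(.*)$")     # <commit>:<path>:<text>
URL = re.compile(r"[a-z][a-z0-9+.-]*://[^\s\"']+", re.I)


def find_leaked_urls(grep_output):
    """Return {(path, redacted_url): [commits]} for URLs that carry a password."""
    findings = defaultdict(list)
    for line in grep_output.splitlines():
        m = HIT.match(line)
        if not m:  # skips "Binary file ... matches" lines and blanks
            continue
        commit, path, text = m.groups()
        for raw in URL.findall(text):
            password = urlsplit(raw).password
            if not password:
                continue
            # Never echo the secret itself into the audit report.
            redacted = raw.replace(":" + password + "@", ":<redacted>@", 1)
            findings[(path, redacted)].append(commit)
    return dict(findings)


def report(grep_output):
    """One line per leaked URL: file, redacted URL, number of commits, first commit."""
    return [
        f"{path}: {url} in {len(commits)} commit(s), e.g. {commits[0][:12]}"
        for (path, url), commits in sorted(find_leaked_urls(grep_output).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Any hit means the credential has to be rotated: deleting the file or adding it to `.gitignore` in a later commit leaves the earlier commits, and the secret in them, readable to anyone who can clone the repository.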