Platform: Hack The Box
Season: 9
Difficulty: Hard
OS: Linux + Windows AD
Date: 2025-11-27
Author: x4cc3
Fries is a Hard dual-OS machine with an Active Directory domain controller and Linux-hosted web services.
The web application on port 80/443 leads to a Gitea instance at code.fries.htb with leaked working credentials. The Gitea repository contains the web app source code, and git history reveals PostgreSQL database credentials in a .env file that was committed before being added to .gitignore. The database was accessed but the full exploitation chain is not fully documented in the original notes.
nmap -Pn -sV -sC -T4 -A 10.10.11.96
| Port | Service | Version |
|---|---|---|
| 22/tcp | SSH | OpenSSH 8.9p1 (Ubuntu) |
| 53/tcp | DNS | Simple DNS Plus |
| 80/tcp | HTTP | nginx — "Welcome to Fries - Fries Restaurant" |
| 88/tcp | Kerberos | Windows AD Kerberos (fries.htb) |
| 135/tcp | MSRPC | Windows RPC |
| 389/tcp | LDAP | AD LDAP (Domain: fries.htb) |
| 443/tcp | HTTPS | nginx — SSL cert: pwm.fries.htb |
| 445/tcp | SMB | Microsoft DS |
| 5985/tcp | WinRM | HTTPAPI |
Added fries.htb to /etc/hosts.
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt \\
-u <http://fries.htb/> \\
-H "Host: FUZZ.fries.htb" -ac -t 50 -mc 200,301,302,401
Key finding: code.fries.htb — a Gitea instance.
Gitea repo logged in