HackTheBox Fries

Como es habitual en las pruebas de penetración de Windows, iniciará el equipo Fries con las credenciales de la siguiente cuenta:: d.cooper@fries.htb / D4LE11maan!!.

Nmap

Observamos los puertos abiertos de entrada.

nmap -sS -Pn -n -vvv --open --min-rate 5000 10.129.244.72 -oG port
PORT     STATE SERVICE          REASON
22/tcp   open  ssh              syn-ack ttl 62
53/tcp   open  domain           syn-ack ttl 127
80/tcp   open  http             syn-ack ttl 62
88/tcp   open  kerberos-sec     syn-ack ttl 127
135/tcp  open  msrpc            syn-ack ttl 127
139/tcp  open  netbios-ssn      syn-ack ttl 127
389/tcp  open  ldap             syn-ack ttl 127
443/tcp  open  https            syn-ack ttl 62
445/tcp  open  microsoft-ds     syn-ack ttl 127
464/tcp  open  kpasswd5         syn-ack ttl 127
593/tcp  open  http-rpc-epmap   syn-ack ttl 127
636/tcp  open  ldapssl          syn-ack ttl 127
2179/tcp open  vmrdp            syn-ack ttl 127
3268/tcp open  globalcatLDAP    syn-ack ttl 127
3269/tcp open  globalcatLDAPssl syn-ack ttl 127
5985/tcp open  wsman            syn-ack ttl 127

---

Observamos las versiones y servicios que corren para cada uno de los puertos, identificamos un dominio el cual agregamos a nuestro /etc/hos.

❯ nmap -sCV -p22,53,80,88,135,139,389,443,445,464,593,636,2179,3268,3269,5985 10.129.244.72 -oN target.txt
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-17 20:08 -0500
Nmap scan report for code.fries.htb (10.129.244.72)
Host is up (0.042s latency).

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b3:a8:f7:5d:60:e8:66:16:ca:92:f6:76:ba:b8:33:c2 (ECDSA)
|_  256 07:ef:11:a6:a0:7d:2b:4d:e8:68:79:1a:7b:a7:a9:cd (ED25519)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Gitea: Git with a cup of tea
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-18 08:09:06Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-18T08:10:29+00:00; +7h00m02s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after:  2105-11-18T05:39:19
443/tcp  open  ssl/http      nginx 1.18.0 (Ubuntu)
| tls-alpn: 
|_  http/1.1
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP
| Not valid before: 2025-06-01T22:06:09
|_Not valid after:  2026-06-01T22:06:09
| tls-nextprotoneg: 
|_  http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-18T08:10:28+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after:  2105-11-18T05:39:19
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after:  2105-11-18T05:39:19
|_ssl-date: 2026-01-18T08:10:29+00:00; +7h00m02s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: fries.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-01-18T08:10:28+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Not valid before: 2025-11-18T05:39:19
|_Not valid after:  2105-11-18T05:39:19
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-01-18T08:09:50
|_  start_date: N/A
|_clock-skew: mean: 7h00m01s, deviation: 0s, median: 7h00m00s

---

Wfuzz

Al fuzzear subdominios de fries.htb, encontré que code.fries.htb responde con HTTP 200, lo que confirma que es un subdominio válido y activo ahora agregamos este nuevo dominio al /etc/hosts.

❯ wfuzz -c -t 200 --hc=404 --hl=7 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host:FUZZ.fries.htb' http://fries.htb/
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://fries.htb/
Total requests: 4989

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                
=====================================================================

000000573:   200        271 L    1216 W     13479 Ch    "code"                                                                                 

---

Vamos al primer sitio web, observamos un panel de login, recordemos que tenemos credenciales que se nos dio previamente.

---

Al iniciar session observamos varios repos los cuales vamos a explorar.

---

Uno de los commit en uno de los repos, observamos credenciales parar una base de datos, vamos a guardar estos datos nos pueden ser util ah medida que avancemos.

---

En uno de los commit que nos topamos observamos un dominio entero, vamos a guardar este nuevo dominio en nuestro /etc/hosts.

---

Vistamos el nuevo dominio donde observamos nuevamente un panel administrativo, recordemos que tenemos credenciales previamente dadas asi que vamos a iniciar session cone ellas.

---

Al iniciar session en este pgAdmin observamos la version que corre, asi que vamos ah buscar vulnerabilidades asociadas a esta version.

---

Buscando encontre este poc publico en Github.

GitHub - Cycloctane/cve-2025-2945-poc: Python PoC script for pgAdmin4 Query Tool RCE (CVE-2025-2945)GitHub

El exploit funciona hasta el punto de la ejecución: detecta pgAdmin vulnerable, autentica bien y lanza el payload, luego abajo observamos que con penelope resivimos la revershell.

---

Estoy dentro de un contenedor Docker: solo tengo la interfaz eth0 con IP 172.18.0.4, que pertenece a una red interna (172.18.0.0/16), y no tengo salida directa a la red externa. Esto explica por qué la reverse shell a 10.10.15.143 falla: desde el contenedor no es enrutable. Para avanzar necesito pivotar (usar el host como puente), apuntar la shell a la IP del host Docker (normalmente 172.18.0.1) o usar otro método de ejecución que no requiera conexión directa de vuelta.

cb46692a4590:/pgadmin4$ ifconfig 
eth0      Link encap:Ethernet  HWaddr CA:6A:15:92:36:32  
          inet addr:172.18.0.4  Bcast:172.18.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:181 errors:0 dropped:0 overruns:0 frame:0
          TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:23191 (22.6 KiB)  TX bytes:27567 (26.9 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

cb46692a4590:/pgadmin4$ 

---

Dentro del contenedor de pgAdmin y las variables de entorno confirman cosas clave: tengo las credenciales por defecto de pgAdmin (admin@fries.htb : Friesf00Ds2025!!), el servicio corre con gunicorn y todo el stack es Python.

cb46692a4590:/pgadmin4$ env
SHELL=/bin/bash
PGADMIN_DEFAULT_PASSWORD=Friesf00Ds2025!!
PGAPPNAME=pgAdmin 4 - CONN:4035752
HOSTNAME=cb46692a4590
SERVER_SOFTWARE=gunicorn/22.0.0
PWD=/pgadmin4
CONFIG_DISTRO_FILE_PATH=/pgadmin4/config_distro.py
HOME=/home/pgadmin
OAUTHLIB_INSECURE_TRANSPORT=1
PYTHONPATH=/pgadmin4
TERM=xterm-256color
SHLVL=4
PGADMIN_DEFAULT_EMAIL=admin@fries.htb
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
cb46692a4590:/pgadmin4$