Starting the box


Link to the box: https://app.hackthebox.com/machines/fries.

Port Scan

We start off the box by running a port scan on the provided IP.
Attacker Linux
rustscan --ulimit 5000 -a 10.129.72.67 -r 1-65535 -- -A -vvv -oN Fries
Output of Rustscan:
Terminal Output
Open 10.129.72.67:22
Open 10.129.72.67:53
Open 10.129.72.67:80
Open 10.129.72.67:88
Open 10.129.72.67:135
Open 10.129.72.67:139
Open 10.129.72.67:389
Open 10.129.72.67:445
Open 10.129.72.67:443
Open 10.129.72.67:464
Open 10.129.72.67:593
Open 10.129.72.67:636
Open 10.129.72.67:2179
Open 10.129.72.67:5985
Open 10.129.72.67:9389
Open 10.129.72.67:49685
Open 10.129.72.67:49667
Open 10.129.72.67:49686
Open 10.129.72.67:49689
Open 10.129.72.67:49688
Open 10.129.72.67:49913
Open 10.129.72.67:62811
Open 10.129.72.67:62783
Output of Nmap:
Terminal Output
PORT      STATE SERVICE       REASON          VERSION
22/tcp    open  ssh           syn-ack ttl 62  OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b3:a8:f7:5d:60:e8:66:16:ca:92:f6:76:ba:b8:33:c2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLS2jzf8Eqy8cVa20hyZcem8rwAzeRhrMNEGdSUcFmv1FiQsfR4F9vZYkmfKViGIS3uL3X/6sJjzGxT1F/uPm/U=
|   256 07:ef:11:a6:a0:7d:2b:4d:e8:68:79:1a:7b:a7:a9:cd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFj9hE1zqO6TQ2JpjdgvMm6cr6s6eYsQKWlROV4G6q+4
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 62  nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://fries.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-11-23 09:36:36Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-11-23T09:38:14+00:00; +3d23h36m03s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Issuer: commonName=fries-DC01-CA/domainComponent=fries
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-18T05:39:19
| Not valid after:  2105-11-18T05:39:19
| MD5:   2410:a18d:14b3:7f5d:8e34:d144:0bac:6469
| SHA-1: 3e84:1436:bb47:6ccd:f5ee:f805:cacd:47b6:6485:7e09
| -----BEGIN CERTIFICATE-----
| MIIF4zCCBMugAwIBAgITYQAAACgkBIm4DHPMcwABAAAAKDANBgkqhkiG9w0BAQsF
...
| LlBoD6A7Z0XQ77rtTrk5tPjER7aq66k=
|_-----END CERTIFICATE-----
443/tcp   open  ssl/http      syn-ack ttl 62  nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP/[email protected]/organizationalUnitName=PWM Configuration/localityName=Madrid
| Issuer: commonName=pwm.fries.htb/organizationName=Fries Foods LTD/stateOrProvinceName=Madrid/countryName=SP/[email protected]/organizationalUnitName=PWM Configuration/localityName=Madrid
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-01T22:06:09
| Not valid after:  2026-06-01T22:06:09
| MD5:   118d:ea17:3fba:3b65:28de:8e26:33e7:19f2
| SHA-1: 5503:8aa8:0080:a853:ca73:87e3:b705:3fe8:b599:a855
| -----BEGIN CERTIFICATE-----
| MIIEGTCCAwGgAwIBAgIUW1MfdMXjo8YcnnMWmFQNMkXzkeAwDQYJKoZIhvcNAQEL
...
| yQtdyRxIZrJPyWOeB7g3W/xo7BhUKs/tC8lAY3nA4PoDVMh49pyf/JNU8b8F
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg: 
|_  http/1.1
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: F588322AAF157D82BB030AF1EFFD8CF9
| tls-alpn: 
|_  http/1.1
|_http-title: Site doesn't have a title (text/html;charset=ISO-8859-1).
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2025-11-23T09:38:14+00:00; +3d23h36m03s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES
| Issuer: commonName=fries-DC01-CA/domainComponent=fries
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-18T05:39:19
| Not valid after:  2105-11-18T05:39:19
| MD5:   2410:a18d:14b3:7f5d:8e34:d144:0bac:6469
| SHA-1: 3e84:1436:bb47:6ccd:f5ee:f805:cacd:47b6:6485:7e09
| -----BEGIN CERTIFICATE-----
| MIIF4zCCBMugAwIBAgITYQAAACgkBIm4DHPMcwABAAAAKDANBgkqhkiG9w0BAQsF
...
| LlBoD6A7Z0XQ77rtTrk5tPjER7aq66k=
|_-----END CERTIFICATE-----
2179/tcp  open  vmrdp?        syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49685/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49688/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49913/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
62783/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
62811/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (91%), MikroTik RouterOS 7.X (91%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
A few key notes:
  • The Domain Controller (DC)'s fully qualified domain name (FQDN): DC01.fries.htb.
  • Port 22 (SSH) is open.
  • Ports 80 and 443 (web server) are open.
  • Port 5985 (WinRM) is open.

Edit the Hosts file

As always, we edit the /etc/hosts file to add the hostname:
Attacker Linux
sudo nano /etc/hosts
/etc/hosts
Nano Interface
10.129.72.67 DC01.fries.htb fries.htb
  • Adding dc01.fries.htb since this is a Windows domain controller.
  • Putting dc01.fries.htb before fries.htb to make sure tools like NetExec work properly (this avoids KDC_ERR_S_PRINCIPAL_UNKNOWN).
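
The ordering rule from the two notes above, as an added check that is not part of the original write-up: in a hosts file the first name after the address is the canonical name and the rest are aliases. The function names and the temporary sample files are constructed for illustration; the IP and hostnames are the ones used on this page.

```shell
# canonical_name FILE IP: print the first (canonical) name listed for IP.
canonical_name() {
    awk -v ip="$2" '
        { sub(/#.*/, "") }                       # strip trailing comments
        $1 == ip && NF >= 2 { print $2; exit }   # first name after the address
    ' "$1"
}

# check_order FILE IP FQDN
#   returns 0 if FQDN is the canonical name for IP,
#           1 if FQDN is present but only as an alias (wrong order),
#           2 if FQDN is not listed for IP at all.
check_order() {
    file=$1
    ip=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')    # hostnames are case-insensitive
    first=$(canonical_name "$file" "$ip" | tr 'A-Z' 'a-z')
    [ "$first" = "$want" ] && return 0
    if awk -v ip="$ip" -v want="$want" '
        { sub(/#.*/, "") }
        $1 == ip { for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1 }
        END { exit !found }
    ' "$file"; then
        return 1
    fi
    return 2
}

# Constructed sample files: same names, different order.
good=$(mktemp)
bad=$(mktemp)
printf '10.129.72.67 DC01.fries.htb fries.htb\n' > "$good"
printf '# lab entry\n10.129.72.67 fries.htb DC01.fries.htb\n' > "$bad"

for f in "$good" "$bad"; do
    rc=0
    check_order "$f" 10.129.72.67 DC01.fries.htb || rc=$?
    echo "canonical=$(canonical_name "$f" 10.129.72.67) status=$rc"
done
rm -f "$good" "$bad"
```

Pointing the functions at the real /etc/hosts after editing it confirms that DC01.fries.htb, not fries.htb, is the name the resolver treats as canonical for the address.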

Active Box


This box is currently still active on Hack the Box - Full writeup will be available when the box is retired. Feel free to reach out to me on LinkedIn or Discord for nudges & sanity checks.
Last modified on December 21, 2025