{"id":344,"date":"2025-11-30T19:47:56","date_gmt":"2025-11-30T11:47:56","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=344"},"modified":"2026-01-29T16:18:59","modified_gmt":"2026-01-29T08:18:59","slug":"344","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/11\/30\/344\/","title":{"rendered":"HTB\u9776\u673a Fries \u6e17\u900f\u6d4b\u8bd5\u8bb0\u5f55"},"content":{"rendered":"
\n

\u76ee\u6807\u4fe1\u606f<\/h1>\n

IP\u5730\u5740\uff1a<\/strong>10.10.11.96<\/strong><\/code>\uff08\u975e\u56fa\u5b9aIP\u5730\u5740\uff09<\/strong><\/p>\n

\u9898\u76ee\u51ed\u636e\uff1ad.cooper@fries.htb \/ D4LE11maan!!<\/code><\/strong><\/p><\/blockquote>\n

\n

\u4fe1\u606f\u6536\u96c6<\/h1>\n

ICMP\u68c0\u6d4b<\/h2>\n
PING 10.129.117.11 (10.129.117.11) 56(84) bytes of data.\n64 bytes from 10.129.117.11: icmp_seq=1 ttl=127 time=283 ms\n64 bytes from 10.129.117.11: icmp_seq=2 ttl=127 time=368 ms\n64 bytes from 10.129.117.11: icmp_seq=3 ttl=127 time=392 ms\n64 bytes from 10.129.117.11: icmp_seq=4 ttl=127 time=314 ms\n\n--- 10.129.117.11 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3003ms\nrtt min\/avg\/max\/mdev = 283.459\/339.228\/391.651\/42.739 ms<\/code><\/pre>\n
\u653b\u51fb\u673a\u548c\u9776\u673a\u95f4\u7f51\u7edc\u8fde\u63a5\u6b63\u5e38\u3002<\/p>\n
\u9632\u706b\u5899\u68c0\u6d4b<\/h2>\n
# Nmap 7.95 scan initiated Sun Nov 23 19:04:57 2025 as: \/usr\/lib\/nmap\/nmap -sA -p- --min-rate 3000 -oN ack_result.txt 10.129.117.11\nNmap scan report for 10.129.117.11\nHost is up (0.28s latency).\nNot shown: 65532 filtered tcp ports (no-response)\nPORT    STATE      SERVICE\n22\/tcp  unfiltered ssh\n80\/tcp  unfiltered http\n443\/tcp unfiltered https\n\n# Nmap done at Sun Nov 23 19:05:48 2025 -- 1 IP address (1 host up) scanned in 51.09 seconds<\/code><\/pre>\n
\u9776\u673a\u7591\u4f3c\u5f00\u653e\u4e863<\/code>\u4e2aTCP<\/code>\u7aef\u53e3\u3002<\/p>\n
\u7f51\u7edc\u7aef\u53e3\u626b\u63cf<\/h2>\n
TCP<\/strong><\/code>\u7aef\u53e3\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Nov 23 19:06:43 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.117.11\nNmap scan report for 10.129.117.11\nHost is up (0.32s latency).\nNot shown: 65510 filtered tcp ports (no-response)\nPORT      STATE SERVICE       VERSION\n22\/tcp    open  ssh           OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 b3:a8:f7:5d:60:e8:66:16:ca:92:f6:76:ba:b8:33:c2 (ECDSA)\n|_  256 07:ef:11:a6:a0:7d:2b:4d:e8:68:79:1a:7b:a7:a9:cd (ED25519)\n53\/tcp    open  domain        Simple DNS Plus\n80\/tcp    open  http          nginx 1.18.0 (Ubuntu)\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\n|_http-title: Did not follow redirect to http:\/\/fries.htb\/\n88\/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-11-23 18:07:41Z)\n135\/tcp   open  msrpc         Microsoft Windows RPC\n139\/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn\n389\/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)\n| ssl-cert: Subject: \n| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES\n| Not valid before: 2025-11-18T05:39:19\n|_Not valid after:  2105-11-18T05:39:19\n|_ssl-date: 2025-11-23T18:09:35+00:00; +6h59m48s from scanner time.\n443\/tcp   open  ssl\/http      nginx 1.18.0 (Ubuntu)\n|_http-title: Site doesn't have a title (text\/html;charset=ISO-8859-1).\n| tls-alpn: \n|_  http\/1.1\n|_ssl-date: TLS randomness does not represent time\n| tls-nextprotoneg: \n|_  http\/1.1\n|_http-server-header: nginx\/1.18.0 (Ubuntu)\n| ssl-cert: Subject: commonName=pwm.fries.htb\/organizationName=Fries Foods LTD\/stateOrProvinceName=Madrid\/countryName=SP\n| Not valid before: 2025-06-01T22:06:09\n|_Not valid after:  2026-06-01T22:06:09\n445\/tcp   open  microsoft-ds?\n464\/tcp   open  kpasswd5?\n593\/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  ssl\/ldap      Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)\n| ssl-cert: Subject: \n| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES\n| Not valid before: 2025-11-18T05:39:19\n|_Not valid after:  2105-11-18T05:39:19\n|_ssl-date: 2025-11-23T18:09:34+00:00; +6h59m48s from scanner time.\n2179\/tcp  open  vmrdp?\n3268\/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)\n| ssl-cert: Subject: \n| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES\n| Not valid before: 2025-11-18T05:39:19\n|_Not valid after:  2105-11-18T05:39:19\n|_ssl-date: 2025-11-23T18:09:35+00:00; +6h59m48s from scanner time.\n3269\/tcp  open  ssl\/ldap      Microsoft Windows Active Directory LDAP (Domain: fries.htb0., Site: Default-First-Site-Name)\n|_ssl-date: 2025-11-23T18:09:34+00:00; +6h59m48s from scanner time.\n| ssl-cert: Subject: \n| Subject Alternative Name: DNS:DC01.fries.htb, DNS:fries.htb, DNS:FRIES\n| Not valid before: 2025-11-18T05:39:19\n|_Not valid after:  2105-11-18T05:39:19\n5985\/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n9389\/tcp  open  mc-nmf        .NET Message Framing\n49667\/tcp open  msrpc         Microsoft Windows RPC\n49685\/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0\n49686\/tcp open  msrpc         Microsoft Windows RPC\n49688\/tcp open  msrpc         Microsoft Windows RPC\n49689\/tcp open  msrpc         Microsoft Windows RPC\n49917\/tcp open  msrpc         Microsoft Windows RPC\n58920\/tcp open  msrpc         Microsoft Windows RPC\n58951\/tcp open  msrpc         Microsoft Windows RPC\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose|router\nRunning (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (91%), MikroTik RouterOS 7.X (91%)\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5 cpe:\/o:mikrotik:routeros:7 cpe:\/o:linux:linux_kernel:5.6.3 cpe:\/o:linux:linux_kernel:2.6 cpe:\/o:linux:linux_kernel:3\nAggressive OS guesses: Linux 4.15 - 5.19 (91%), Linux 5.0 - 5.14 (91%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (91%), Linux 2.6.32 - 3.13 (85%), Linux 3.10 - 4.11 (85%), Linux 3.2 - 4.14 (85%), Linux 3.4 - 3.10 (85%), Linux 4.15 (85%)\nNo exact OS matches for host (test conditions non-ideal).\nNetwork Distance: 2 hops\nService Info: Host: DC01; OSs: Linux, Windows; CPE: cpe:\/o:linux:linux_kernel, cpe:\/o:microsoft:windows\n\nHost script results:\n| smb2-time: \n|   date: 2025-11-23T18:08:58\n|_  start_date: N\/A\n| smb2-security-mode: \n|   3:1:1: \n|_    Message signing enabled and required\n|_clock-skew: mean: 6h59m47s, deviation: 0s, median: 6h59m47s\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   329.75 ms 10.10.14.1\n2   330.39 ms 10.129.117.11\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Nov 23 19:09:50 2025 -- 1 IP address (1 host up) scanned in 187.31 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u5f00\u653e\u5217\u8868\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
# Nmap 7.95 scan initiated Sun Nov 23 19:13:56 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.117.11\nNmap scan report for 10.129.117.11\nHost is up (0.29s latency).\nNot shown: 65531 open|filtered udp ports (no-response)\nPORT    STATE SERVICE\n53\/udp  open  domain\n88\/udp  open  kerberos-sec\n123\/udp open  ntp\n389\/udp open  ldap\n\n# Nmap done at Sun Nov 23 19:14:48 2025 -- 1 IP address (1 host up) scanned in 51.29 seconds<\/code><\/pre>\n
UDP<\/strong><\/code>\u7aef\u53e3\u8be6\u7ec6\u4fe1\u606f\u626b\u63cf\u7ed3\u679c<\/strong><\/p>\n
\uff08\u65e0\uff09<\/code><\/pre>\n
\u540c\u65f6\u53d1\u73b0\uff0c\u9776\u673a\u64cd\u4f5c\u7cfb\u7edf\u4e3aWindows Server 2019<\/code>\uff0c\u4e3a\u57df\u63a7\u5236\u5668\uff0c\u57df\u540d\u4e3afries.htb<\/code>\uff0c\u57df\u63a7\u4e3b\u673a\u540d\u4e3adc01<\/code>\uff0c\u9664\u6b64\u4e4b\u5916\uff0c\u9776\u673a\u8fd8\u5b58\u5728\u4e00\u4e2aUbuntu Linux<\/code>\u5bb9\u5668\uff0c\u8fd0\u884c\u4e8622\/ssh<\/code>\u300180\/http<\/code>\u548c443\/https<\/code>\u670d\u52a1\uff0c\u5b50\u57df\u540d\u4e3apwm.fries.htb<\/code>\u3002<\/p>\n
\n
\u670d\u52a1\u63a2\u6d4b\uff08\u7b2c\u4e00\u9636\u6bb5\uff09<\/h1>\n
DNS\u670d\u52a1\uff0853\u7aef\u53e3\uff09<\/h2>\n
\u9996\u5148\u4f7f\u7528dig<\/code>\u5de5\u5177\u67e5\u8be2\u57df\u63a7DNS<\/code>\u5185\u4e3b\u8981\u8bb0\u5f55\uff1a<\/p>\n
dig any fries.htb @dc01.fries.htb<\/code><\/pre>\n
\"\"<\/p>\n
\u5c1d\u8bd5\u67e5\u8be2pwm<\/code>\u57df\u540d\uff1a<\/p>\n
dig any pwm.fries.htb @dc01.fries.htb<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u5185\u7f51IP<\/code>\u5730\u5740\u7591\u4f3c\u4e3a192.168.100.2<\/code>\u3002<\/p>\n
SSH\u670d\u52a1\uff0822\u7aef\u53e3\uff09<\/h2>\n
\u5c1d\u8bd5\u4f7f\u7528\u4efb\u610f\u8d26\u6237\u8fde\u63a5\u9776\u673aSSH<\/code>\u670d\u52a1\uff1a<\/p>\n
ssh root@fries.htb<\/code><\/pre>\n
\"\"<\/p>\n
\u53d1\u73b0\u9776\u673a\u5bb9\u5668SSH<\/code>\u670d\u52a1\u5141\u8bb8\u4f7f\u7528\u5bc6\u94a5\u548c\u5bc6\u7801\u4e24\u79cd\u65b9\u5f0f\u767b\u5f55\u3002<\/p>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff08443\u7aef\u53e3\uff09<\/h2>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttps:\/\/pwm.fries.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u9776\u673aHTTPS<\/code>\u670d\u52a1\u90e8\u7f72\u4e86PWM<\/code>\u5bc6\u7801\u7ba1\u7406\u7cfb\u7edf\uff0c\u7248\u672c\u4e3av2.0.8<\/code>\uff0c\u6253\u5f00\u4e86\u914d\u7f6e\u6587\u4ef6\u7f16\u8f91\u6a21\u5f0f\u3002<\/p>\n
\u5c1d\u8bd5\u70b9\u51fbConfiguration Editor<\/code>\u6309\u94ae\u8fdb\u5165\u914d\u7f6e\u7f16\u8f91\u5668\uff0c\u53d1\u73b0\u9700\u8981\u53e3\u4ee4\uff1a<\/p>\n
\"\"<\/p>\n
\u5728\u767b\u5f55\u9875\u9762\u4e0a\u8f93\u5165\u9898\u76ee\u51ed\u636e\uff0c\u53d1\u73b0\u9519\u8bef\uff0c\u79f0PWM<\/code>\u8fde\u63a5\u65e0\u6cd5Windows LDAP<\/code>\u6570\u636e\u5e93\uff0c\u767b\u5f55\u529f\u80fd\u4e0d\u80fd\u6b63\u5e38\u4f7f\u7528\uff1a<\/p>\n
\"\"<\/p>\n
\u4ece\u9519\u8bef\u63d0\u793a\u53ef\u5f97\u77e5PWM<\/code>\u914d\u7f6e\u6587\u4ef6\u4e2d\u4f7f\u7528\u57df\u7528\u6237svc_infra<\/code>\u4f5c\u4e3aLDAP<\/code>\u6570\u636e\u5e93\u8fde\u63a5\u7528\u6237\u3002<\/p>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u8fd8\u53d1\u73b0\u8be5\u7aef\u53e3SSL<\/code>\u8bc1\u4e66\u7535\u5b50\u90ae\u4ef6\u5730\u5740\u4e3aweb@fries.htb<\/code>\uff0c\u4ee5\u53caPWM<\/code>\u914d\u7f6e\u7ba1\u7406\u5668\u5bc6\u7801\u5b58\u50a8\u5728PwmConfiguration.xml<\/code>\u6587\u4ef6\u4e2d\u7684\u4e8b\u5b9e\uff1a<\/p>\n
\"\"<\/p>\n
Web\u5e94\u7528\u7a0b\u5e8f\uff0880\u7aef\u53e3\uff09<\/h2>\n
\u5b50\u57df\u540d\u7206\u7834<\/h3>\n
\u5728\u5f00\u59cbWeb<\/code>\u9875\u9762\u679a\u4e3e\u524d\uff0c\u9996\u5148\u8fdb\u884c\u5b50\u57df\u540d\u7206\u7834\uff0c\u5b57\u5178\u4f7f\u7528\/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/bitquark-subdomains-top100000.txt<\/code>\uff1a<\/p>\n
wfuzz -w \/usr\/share\/wordlists\/seclists\/Discovery\/DNS\/bitquark-subdomains-top100000.txt -u 10.129.1.221 -H \"Host: FUZZ.fries.htb\" -t 70 --hh 154 --hc 400<\/code><\/pre>\n
\"\"<\/p>\n
\u6210\u529f\u53d1\u73b0\u5b50\u57df\u540d\uff1acode.fries.htb<\/code>\u3002<\/p>\n
\u4e3b\u7ad9\u70b9\u679a\u4e3e<\/h3>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/fries.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0\u8be5\u7ad9\u70b9\u4e3a\u67d0\u9910\u9986\u7684\u5ba3\u4f20\u4ecb\u7ecd\u9875\u9762\uff0c\u4e3b\u9875\u6700\u4e0b\u65b9\u5b58\u5728\u4e00\u4e2a\u7535\u5b50\u90ae\u7bb1\uff1ainfo@fries.htb<\/code><\/p>\n
\"\"<\/p>\n
\u9664\u6b64\u4e4b\u5916\uff0c\u672a\u5728\u8be5\u7ad9\u70b9\u5185\u53d1\u73b0\u654f\u611f\u4fe1\u606f\u3002<\/p>\n
code\u5b50\u7ad9\u70b9\u679a\u4e3e<\/h3>\n
\u6253\u5f00\u4e3b\u9875\uff1ahttp:\/\/code.fries.htb\/<\/code><\/p>\n
\"\"<\/p>\n
\u53d1\u73b0code<\/code>\u5b50\u7ad9\u70b9\u8fd0\u884cGitea<\/code>\u6e90\u4ee3\u7801\u7ba1\u7406\u7cfb\u7edf\uff0c\u7248\u672c\u4e3av1.22.6<\/code>\uff0c\u672a\u53d1\u73b0\u516c\u5f00\u6f0f\u6d1e\u3002<\/p>\n
\u5c1d\u8bd5\u4f7f\u7528\u9898\u76ee\u63d0\u4f9b\u7684\u51ed\u636e\u767b\u5f55\uff1a<\/p>\n
\"\"<\/p>\n
\u767b\u5f55\u6210\u529f\uff01\u53d1\u73b0Gitea<\/code>\u5185\u5b58\u653e\u4e86\u4e3b\u7ad9\u70b9\u7684\u540e\u7aef\u6e90\u4ee3\u7801\uff1ahttp:\/\/code.fries.htb\/dale\/fries.htb.git<\/code><\/p>\n
\"\"<\/p>\n
\u9605\u8bfbREADME.md<\/code>\u6587\u4ef6\uff0c\u6210\u529f\u53d1\u73b0\u7f51\u7ad9\u540e\u7aef\u6570\u636e\u5e93\u4e3aPostgreSQL<\/code>\uff0c\u6570\u636e\u5e93\u540d\u4e3aps_db<\/code>\uff0c\u4ee5\u53ca\u7528\u4e8e\u5bf9\u6570\u636e\u5e93\u8fdb\u884cWeb<\/code>\u7aef\u7ba1\u7406\u7684\u5b50\u57df\u540ddb-memt05.fries.htb<\/code>\uff1a<\/p>\n
\"\"<\/p>\n
\u70b9\u51fb\u4ee3\u7801\u4ed3\u5e93\u4e3b\u9875\u9762\u4e0a\u7684Commits<\/code>\u6309\u94ae\uff0c\u67e5\u770b\u8be5\u4ed3\u5e93\u5386\u53f2\u63d0\u4ea4\u8bb0\u5f55\uff0c\u53d1\u73b0\u4ed3\u5e93\u4f5c\u8005\u53ca\u7ba1\u7406\u5458\u8fdb\u884c\u4e86\u591a\u6b21\u63d0\u4ea4\uff1a<\/p>\n
\"\"<\/p>\n
\u9010\u4e2a\u7ffb\u770b\u63d0\u4ea4\u8bb0\u5f55\uff0c\u5728\u8bb0\u5f55\u4e2d\u53d1\u73b0\u4e86\u7591\u4f3cPostgreSQL<\/code>\u7684\u51ed\u636e\u4fe1\u606f\uff1a<\/p>\n
===============> Commit 47b29c411c\nThe backend database can be managed from `http:\/\/db-mgmt05.fries.htb`. (This requires infra access, contact Dylan, Mike or Dale)\n===============> Commit 45c2c6bb51\nFor internal inquiries or reporting issues, please contact the Fries DevOps team or personally me directly at `dale@fries.htb`\nFor internal inquiries or reporting issues, please contact the Fries DevOps team or personally me directly at `d.cooper@fries.htb`\n===============> Commit ed330345bc\nThe backend database can be managed from `http:\/\/db-mgmt05.fries.htb`. (This requires mod v3 access, contact Dylan, Mike or Me)\n- The backend database can be managed from `http:\/\/db-mgmt05.fries.htb`. (This requires mod v3 access, contact Dylan, Mike or Dale)\n===============> Commit 3e8ca66c0d\nDATABASE_URL=postgresql:\/\/root:PsqLR00tpaSS11@172.18.0.3:5432\/ps_db\nSECRET_KEY=y0st528wn1idjk3b9a<\/code><\/pre>\n
\u6210\u529f\u53d1\u73b0PostgreSQL<\/code>\u6570\u636e\u5e93\u51ed\u636e\uff1a<\/p>\n