Machine: NanoCorp
Difficulty: Hard
Operating System: Windows Server 2022 / Active Directory
Attack Vector: NTLM Hash Coercion → Kerberos Authentication → DACL Abuse → Local Privilege Escalation
Key CVEs: CVE-2025-24071, CVE-2024-0670

Executive Summary

NanoCorp is an Active Directory-centric Windows machine that demonstrates a realistic multi-stage attack chain combining modern Windows vulnerabilities with classic AD exploitation techniques. The attack path involves leveraging a zero-interaction NTLM hash disclosure vulnerability (CVE-2025-24071) through malicious .library-ms files, cracking captured credentials, exploiting misconfigured Active Directory DACL permissions to escalate privileges horizontally, and finally achieving SYSTEM access through a local privilege escalation vulnerability in the Checkmk monitoring agent (CVE-2024-0670).

Table of Contents

1. Reconnaissance & Enumeration

1.1 Network Discovery

Starting with a comprehensive port scan to identify all available services:

nmap -sC -sV -p- 10.10.11.93 -oN nanocorp_scan.txt

Scan Results:

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
80/tcp    open  http              Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) - WinRM SSL
9389/tcp  open  mc-nmf            .NET Message Framing

1.2 Key Findings from Reconnaissance

The scan reveals several critical services:

  • Port 80 (HTTP): Apache web server redirecting to nanocorp.htb

  • Port 88 (Kerberos): Active Directory domain controller

  • Port 389/636 (LDAP/LDAPS): Directory services

  • Port 445 (SMB): File sharing protocol

  • Port 5986 (WinRM SSL): Remote management over HTTPS

The presence of Kerberos, LDAP, and the domain name nanocorp.htb confirms this is a Windows Active Directory environment with the hostname dc01.nanocorp.htb.
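The reasoning in sections 1.1 and 1.2, as an added example that is not part of the original write-up: a small Python script that parses the nmap -oN output shown above (embedded here verbatim as the sample input so it runs offline), strips nmap's "?" uncertainty marker from unconfirmed services, pulls the domain name out of the LDAP version string, and flags the host as a likely domain controller when Kerberos and LDAP are both open. The port-to-role table (DC_SERVICE_PORTS) is my own assumption about which services fingerprint a DC; the -oN column layout it parses is nmap's standard normal-output format.

```python
import re
from typing import Dict, List, Optional

# Scan output exactly as printed in the write-up, embedded so the script runs offline.
NMAP_OUTPUT = """\
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
80/tcp    open  http              Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) - WinRM SSL
9389/tcp  open  mc-nmf            .NET Message Framing
"""

# One "PORT STATE SERVICE VERSION" line of nmap normal output; VERSION may be empty.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Assumed mapping of ports to AD roles; together they fingerprint a domain controller.
DC_SERVICE_PORTS = {
    88: "Kerberos",
    389: "LDAP",
    636: "LDAPS",
    3268: "Global Catalog",
    3269: "Global Catalog (SSL)",
    464: "kpasswd",
    9389: "AD Web Services",
}


def parse_nmap(text: str) -> List[Dict]:
    """Return one dict per port line. A trailing '?' on the service name means
    nmap could not confirm the fingerprint; it is stripped and recorded."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank, or other non-port lines
        service = m.group("service")
        entries.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": service.rstrip("?"),
            "confirmed": not service.endswith("?"),
            "version": m.group("version").strip(),
        })
    return entries


def open_ports(entries: List[Dict]) -> List[int]:
    return [e["port"] for e in entries if e["state"] == "open"]


def domain_from_ldap(entries: List[Dict]) -> Optional[str]:
    """nmap's LDAP probe prints 'Domain: <name>' in the version column."""
    for e in entries:
        m = re.search(r"Domain:\s*([\w.-]+)", e["version"])
        if m:
            return m.group(1)
    return None


def dc_indicators(entries: List[Dict]) -> Dict[int, str]:
    """Open ports that match the assumed DC role table."""
    return {p: DC_SERVICE_PORTS[p] for p in open_ports(entries) if p in DC_SERVICE_PORTS}


def is_likely_domain_controller(entries: List[Dict]) -> bool:
    """Kerberos (88) plus LDAP (389) open on one host is the usual minimum."""
    found = dc_indicators(entries)
    return 88 in found and 389 in found


if __name__ == "__main__":
    hosts = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(hosts))
    print("AD indicators:", dc_indicators(hosts))
    print("domain:", domain_from_ldap(hosts))
    print("likely DC:", is_likely_domain_controller(hosts))
```

Feed it a different -oN file by replacing NMAP_OUTPUT with the file's contents; the "confirmed" flag is worth keeping in the output, since unconfirmed services such as microsoft-ds? and ldapssl? were identified by port number only and deserve a direct protocol check before any conclusion is drawn from them.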
