HackTheBox - Nanocorp

IppSec · Beginner ·🔐 Cybersecurity ·16h ago

Skills: Network Security90%

00:00 - Introduction 01:00 - Start of nmap 05:00 - Looking at the contact form, it behaves oddly so disregarding it 07:00 - Playing with the PHP File Upload to see if we can upload PHP Files 10:00 - Using wget to download an image and see when it was uploaded to the webserver 12:30 - Looking into CVE-2025-24071, which we can create a .library-ms file that leaks NTLMv2 Hashes 17:30 - Cracking the web_svc NTLMv2 hash 19:50 - Using impacket's getTGT, then running RustHound and discovering we can take over another account via changepassword 25:00 - Using BloodyAD to add ourself to a group and then change the password 31:40 - Using WinRMexec to get a shell because Evil-WINRM doesn't support KRB+SSL Auth 36:30 - WinRM Shell returned, discovering we can write php scripts to the web directory but unfortunately this doesn't get us seimpersonate privileges 40:15 - Discovering CheckMK is running on the box, finding a privesc CVE 45:50 - Looking into the registry to discover which cached MSI is CheckMK 52:00 - Using RunasCS to switch to the web_svc user because we need an interactive login 01:04:30 - Changing the PID in the POC Script to be much lower which gets us the shell

Watch on YouTube ↗ (saves to browser)

Sign in to unlock AI tutor explanation · ⚡30

More on: Network Security

View skill →

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

GNS3 Labs: DMVPN, IPsec and NAT across BGP Internet routers: Answers Part 7

Building a High-throughput VPN

Configuring Network Connectivity Center as a Transit Hub

VPC Flow Logs - Analyzing Network Traffic

HackTheBox - Intentions

HackTheBox - Intentions

Google Cloud Packet Mirroring with OpenSource IDS

Related AI Lessons

The Aftermarket She Diagnosed is the Aftermarket She Prescribed

Cybersecurity is an aftermarket for software quality failures, and building security upstream is the cure

Dev.to · Bala Paranj

Building a Zero-Knowledge Note Vault: What I Learned by Getting It Wrong First

Learn from mistakes in building a zero-knowledge note vault and understand the importance of end-to-end encryption

Medium · Cybersecurity

Part 3: Configuring and Validating the Windows 11 Domain Client

Learn to configure and validate a Windows 11 domain client, a crucial step in setting up a secure enterprise network.

Medium · Cybersecurity

Part 2: Configuring the Cyber Lab Environment — Windows Server 2022

Configure a Cyber Lab Environment using Windows Server 2022 for enhanced cybersecurity testing

Medium · Cybersecurity

Chapters (15)

Introduction

1:00 Start of nmap

5:00 Looking at the contact form, it behaves oddly so disregarding it

7:00 Playing with the PHP File Upload to see if we can upload PHP Files

10:00 Using wget to download an image and see when it was uploaded to the webserver

12:30 Looking into CVE-2025-24071, which we can create a .library-ms file that leaks

17:30 Cracking the web_svc NTLMv2 hash

19:50 Using impacket's getTGT, then running RustHound and discovering we can take ov

25:00 Using BloodyAD to add ourself to a group and then change the password

31:40 Using WinRMexec to get a shell because Evil-WINRM doesn't support KRB+SSL Auth

36:30 WinRM Shell returned, discovering we can write php scripts to the web director

40:15 Discovering CheckMK is running on the box, finding a privesc CVE

45:50 Looking into the registry to discover which cached MSI is CheckMK

52:00 Using RunasCS to switch to the web_svc user because we need an interactive log

1:04:30 Changing the PID in the POC Script to be much lower which gets us the shell

NordVPN Coupon Code | Best NordVPN Deal + FREE Months Bonus