HackTheBox - Nanocorp

IppSec · Beginner ·🔐 Cybersecurity ·6h ago
00:00 - Introduction
01:00 - Start of nmap
05:00 - Looking at the contact form, it behaves oddly so disregarding it
07:00 - Playing with the PHP File Upload to see if we can upload PHP Files
10:00 - Using wget to download an image and see when it was uploaded to the webserver
12:30 - Looking into CVE-2025-24071, which we can create a .library-ms file that leaks NTLMv2 Hashes
17:30 - Cracking the web_svc NTLMv2 hash
19:50 - Using impacket's getTGT, then running RustHound and discovering we can take over another account via changepassword
25:00 - Using BloodyAD to add ourself to a group and then change the password
31:40 - Using WinRMexec to get a shell because Evil-WINRM doesn't support KRB+SSL Auth
36:30 - WinRM Shell returned, discovering we can write php scripts to the web directory but unfortunately this doesn't get us seimpersonate privileges
40:15 - Discovering CheckMK is running on the box, finding a privesc CVE
45:50 - Looking into the registry to discover which cached MSI is CheckMK
52:00 - Using RunasCS to switch to the web_svc user because we need an interactive login
01:04:30 - Changing the PID in the POC Script to be much lower which gets us the shell

