Difficulty: Hard
Adding the IP to /etc/hosts, so that 10.10.11.93 resolves as nanocorp.htb (and as dc01.nanocorp.htb, the hostname the scan below reports)
sudo nano /etc/hosts
Nmap
> nmap -Pn -sV -sC -T4 10.10.11.93
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-13 14:48 +0800
Nmap scan report for 10.10.11.93
Host is up (0.35s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://nanocorp.htb/
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-11-13 13:48:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
5986/tcp open ssl/wsmans?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Not valid before: 2025-04-06T22:58:43
|_Not valid after: 2026-04-06T23:18:43
| tls-alpn:
| h2
|_ http/1.1
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-11-13T13:50:02
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 164.17 seconds

The profile is a Windows domain controller (DC01, domain nanocorp.htb): Kerberos on 88/464, LDAP and the global catalog on 389/636/3268/3269, SMB with message signing required, RPC, and WinRM over HTTPS on 5986 with a certificate for dc01.nanocorp.htb. Port 80 only redirects to http://nanocorp.htb/, which is why the hostname had to go into /etc/hosts before any web enumeration. Note the 7h00m00s clock skew: the DC's clock is seven hours off from the attacking machine, and Kerberos rejects requests when clocks differ by more than five minutes, so anything Kerberos-based later on has to be run with the local clock synced to the DC (ntpdate against 10.10.11.93 or faketime wrapping the tool).
Directory enumeration
> feroxbuster -u http://nanocorp.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
by Ben "epi" Risher  ver: 2.13.0
Target Url        http://nanocorp.htb/
In-Scope Url      nanocorp.htb
Threads           50
Wordlist          /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Status Codes      All Status Codes!
Timeout (secs)    7
User-Agent        feroxbuster/2.13.0
Extract Links     true
HTTP methods      [GET]
Recursion Depth   4
403 GET 9l 30w 301c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 33w 298c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 30w 334c http://nanocorp.htb/img => http://nanocorp.htb/img/
200 GET 7l 49w 1227c http://nanocorp.htb/img/underline.png
200 GET 55l 246w 19495c http://nanocorp.htb/img/welcome-2.jpg
200 GET 45l 246w 20681c http://nanocorp.htb/img/gallery-img-02-tn.jpg
200 GET 33l 353w 14420c http://nanocorp.htb/js/anime.min.js
200 GET 119l 179w 1776c http://nanocorp.htb/slick/slick.css
200 GET 13l 47w 5217c http://nanocorp.htb/img/welcome-1.jpg
200 GET 32l 234w 19924c http://nanocorp.htb/img/gallery-img-05-tn.jpg
200 GET 418l 699w 6148c http://nanocorp.htb/css/tooplate-style.css
200 GET 32l 234w 19924c http://nanocorp.htb/img/gallery-img-01-tn.jpg
200 GET 68l 298w 22111c http://nanocorp.htb/img/gallery-img-03-tn.jpg
200 GET 31l 253w 20439c http://nanocorp.htb/img/gallery-img-04-tn.jpg
200 GET 35l 239w 18731c http://nanocorp.htb/img/team.jpg
200 GET 204l 307w 3145c http://nanocorp.htb/slick/slick-theme.css
200 GET 221l 482w 6916c http://nanocorp.htb/js/main.js
200 GET 4l 1058w 69597c http://nanocorp.htb/js/jquery-3.2.1.slim.min.js
200 GET 47l 296w 26625c http://nanocorp.htb/img/gallery-img-06-tn.jpg
200 GET 229l 670w 16212c http://nanocorp.htb/index.html
200 GET 1l 248w 42863c http://nanocorp.htb/slick/slick.min.js
200 GET 5l 82w 33813c http://nanocorp.htb/fontawesome/css/fontawesome-all.min.css
200 GET 100l 178w 1756c http://nanocorp.htb/slick/slick.less
200 GET 61l 243w 6704c http://nanocorp.htb/slick/ajax-loader.gif
200 GET 10l 24w 161c http://nanocorp.htb/slick/config.rb
200 GET 194l 396w 4758c http://nanocorp.htb/slick/slick-theme.scss
200 GET 100l 178w 1756c http://nanocorp.htb/slick/slick.scss
200 GET 168l 324w 4181c http://nanocorp.htb/slick/slick-theme.less
200 GET 7l 1516w 142181c http://nanocorp.htb/css/bootstrap.min.css
200 GET 229l 670w 16212c http://nanocorp.htb/
200 GET 7l 38w 2217c http://nanocorp.htb/slick/fonts/slick.woff
200 GET 9l 55w 2247c http://nanocorp.htb/slick/fonts/slick.eot
200 GET 7l 50w 2083c http://nanocorp.htb/slick/fonts/slick.ttf
200 GET 14l 328w 2152c http://nanocorp.htb/slick/fonts/slick.svg
200 GET 12l 40w 8171c http://nanocorp.htb/img/Thumbs.db
200 GET 3004l 6913w 88454c http://nanocorp.htb/slick/slick.js
200 GET 43l 334w 25834c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.woff
200 GET 54l 296w 22164c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.woff2
200 GET 356l 1359w 35470c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.ttf
200 GET 356l 1367w 35704c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.eot
301 GET 9l 30w 334c http://nanocorp.htb/css => http://nanocorp.htb/css/
200 GET 363l 12407w 106698c http://nanocorp.htb/fontawesome/webfonts/fa-regular-400.svg
200 GET 1309l 5499w 108970c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.ttf
200 GET 246l 1430w 113581c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.woff
200 GET 224l 1206w 97742c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.woff2
200 GET 1944l 5163w 114204c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.eot
200 GET 1309l 5507w 109214c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.eot
200 GET 161l 1011w 83920c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.woff
200 GET 147l 867w 66659c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.woff2
301 GET 9l 30w 333c http://nanocorp.htb/js => http://nanocorp.htb/js/
200 GET 1413l 41226w 361397c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.svg
200 GET 1943l 5154w 113981c http://nanocorp.htb/fontawesome/webfonts/fa-solid-900.ttf
503 GET 11l 44w 401c http://nanocorp.htb/examples
200 GET 842l 4425w 483832c http://nanocorp.htb/img/pop-bg.jpg
200 GET 618l 31437w 504454c http://nanocorp.htb/fontawesome/webfonts/fa-brands-400.svg
403 GET 11l 47w 420c http://nanocorp.htb/licenses
301 GET 9l 30w 334c http://nanocorp.htb/IMG => http://nanocorp.htb/IMG/
200 GET 55l 246w 19495c http://nanocorp.htb/IMG/welcome-2.jpg
200 GET 13l 47w 5217c http://nanocorp.htb/IMG/welcome-1.jpg
200 GET 7l 49w 1227c http://nanocorp.htb/IMG/underline.png
200 GET 35l 239w 18731c http://nanocorp.htb/IMG/team.jpg
200 GET 45l 246w 20681c http://nanocorp.htb/IMG/gallery-img-02-tn.jpg
200 GET 68l 298w 22111c http://nanocorp.htb/IMG/gallery-img-03-tn.jpg
200 GET 32l 234w 19924c http://nanocorp.htb/IMG/gallery-img-01-tn.jpg
200 GET 12l 40w 8171c http://nanocorp.htb/IMG/Thumbs.db
200 GET 32l 234w 19924c http://nanocorp.htb/IMG/gallery-img-05-tn.jpg
200 GET 31l 253w 20439c http://nanocorp.htb/IMG/gallery-img-04-tn.jpg
200 GET 554l 3122w 4
It looks like directory listing is enabled on the web root: the full contents of /img, /css, /js, /slick and /fontawesome can be browsed directly, including the slick build sources (config.rb, the .scss and .less files) and a Windows thumbnail cache at /img/Thumbs.db. The same listing comes back under /IMG, so the server resolves paths case-insensitively, which matches the Win64 Apache build nmap reported. /examples and /licenses exist but are blocked (503 and 403 respectively).
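As an added example (not part of the original writeup), a small Python triage script for feroxbuster output of the shape shown above. It parses the STATUS METHOD Nl Nw Nc URL lines, flags pairs of paths that differ only by case (such as /img and /IMG, a sign of a case-insensitive, i.e. Windows, filesystem), lists files that should not be reachable on a production web root (Thumbs.db, config.rb, .scss/.less sources), and collects the 401/403/503 paths for a second look. The sample lines are a constructed subset of the scan above; the sensitive-name and extension lists are my own choices, not anything the page or feroxbuster defines.

```python
"""Triage helpers for feroxbuster output (added example, not from the writeup)."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed subset of the feroxbuster results shown on this page.
SAMPLE = """\
301 GET 9l 30w 334c http://nanocorp.htb/img => http://nanocorp.htb/img/
200 GET 12l 40w 8171c http://nanocorp.htb/img/Thumbs.db
200 GET 10l 24w 161c http://nanocorp.htb/slick/config.rb
200 GET 100l 178w 1756c http://nanocorp.htb/slick/slick.scss
503 GET 11l 44w 401c http://nanocorp.htb/examples
403 GET 11l 47w 420c http://nanocorp.htb/licenses
301 GET 9l 30w 334c http://nanocorp.htb/IMG => http://nanocorp.htb/IMG/
200 GET 12l 40w 8171c http://nanocorp.htb/IMG/Thumbs.db
200 GET 229l 670w 16212c http://nanocorp.htb/index.html
"""

# One feroxbuster result line: status, method, line/word/byte counts, URL,
# and an optional "=> target" for redirects.
LINE_RE = re.compile(
    r"^(?P<status>\d{3})\s+(?P<method>[A-Z]+)\s+"
    r"(?P<lines>\d+)l\s+(?P<words>\d+)w\s+(?P<bytes>\d+)c\s+"
    r"(?P<url>\S+)(?:\s+=>\s+(?P<redirect>\S+))?"
)

# Assumed lists of names/extensions that leak tooling, sources or metadata.
SENSITIVE_NAMES = {"thumbs.db", "config.rb", ".ds_store", "web.config", ".htaccess"}
SENSITIVE_EXTS = {".scss", ".less", ".bak", ".sql", ".db", ".rb"}


def parse(text):
    """Return one dict per parsable result line, with numeric fields converted."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, filter notices, truncated lines
        d = m.groupdict()
        for key in ("status", "lines", "words", "bytes"):
            d[key] = int(d[key])
        d["path"] = urlparse(d["url"]).path
        results.append(d)
    return results


def case_variant_dirs(results):
    """Paths that differ only by case and all resolve: case-insensitive filesystem."""
    groups = defaultdict(set)
    for r in results:
        if r["status"] in (200, 301):
            groups[r["path"].lower()].add(r["path"])
    return sorted(tuple(sorted(paths)) for paths in groups.values() if len(paths) > 1)


def sensitive_files(results):
    """200 responses whose file name or extension is on the assumed watch lists."""
    hits = set()
    for r in results:
        if r["status"] != 200:
            continue
        name = r["path"].rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if name in SENSITIVE_NAMES or ext in SENSITIVE_EXTS:
            hits.add(r["path"])
    return sorted(hits)


def restricted_paths(results):
    """Paths that exist but are refused (401/403) or unavailable (503)."""
    return sorted({r["path"] for r in results if r["status"] in (401, 403, 503)})


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print("case-variant paths:", case_variant_dirs(parsed))
    print("sensitive files:   ", sensitive_files(parsed))
    print("restricted paths:  ", restricted_paths(parsed))
```

In practice the script is run over the saved scan file (`feroxbuster ... -o ferox.txt`) rather than the embedded sample; the case-variant check is the quick way to confirm a Windows target from web output alone when nmap's banner is less explicit than it is here.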

From the img directory I grabbed the Thumbs.db file (the Windows thumbnail-cache database) and downloaded it to my machine.

Looking a little closer, I found another subdomain, hire.nanocorp.htb, which also needs an /etc/hosts entry pointing at 10.10.11.93.

I tried uploading a web shell and a few other payloads, and none of them worked because the backend is locked down: even though shell.php uploads successfully, requesting it from the upload directory returns 403 Forbidden (not 401 Unauthorized), so the upload directory itself is access-controlled and nothing placed there can be reached, let alone executed, from the web.