Platform: Hack The Box
Season: 9
Difficulty: Hard
OS: Windows (Active Directory)
Date: 2025-11-13
Author: x4cc3
NanoCorp is a Hard Windows AD machine. A Thumbs.db file in the web root exposes a SQLite database with app credentials. Subdomain enumeration reveals hire.nanocorp.htb with a file upload feature. CVE-2025-24071 (NTLM hash leak via .library-ms) captures a hash. Cracking yields web_svc credentials. BloodHound reveals an AD path: web_svc → IT_SUPPORT group → password reset on monitoring_svc → WinRM access. CVE-2024-0670 (Checkmk MSI repair race condition) escalates to SYSTEM.

Files visible in web root

Thumbs.db as SQLite database

| Port | Service |
|---|---|
| 80/tcp | HTTP (Apache — PHP) |
| 88/tcp | Kerberos |
| 389/tcp | LDAP (nanocorp.htb) |
| 445/tcp | SMB |
| 5986/tcp | WinRM (HTTPS) |

```bash
curl http://nanocorp.htb/img/Thumbs.db -o thumbs.db
```

The Thumbs.db file was actually a SQLite database containing application credentials.
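
A defender-side check for the exposure described above, as an added example that is not part of the original writeup: it walks a web root and flags any file whose leading bytes are a SQLite header, plus any Thumbs.db left in a served directory. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"            # 16-byte SQLite 3 file header
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound-file header of a genuine Thumbs.db


def classify(path):
    """Return 'sqlite', 'ole2' or 'other' based on the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head == SQLITE_MAGIC:
        return "sqlite"
    if head.startswith(OLE2_MAGIC):
        return "ole2"
    return "other"


def audit_web_root(root):
    """Walk a served directory and list files that should not be downloadable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            kind = classify(path)
            if kind == "sqlite":
                # Content decides, not the extension: a renamed database is still a database.
                findings.append((rel, "SQLite database served as static content"))
            elif name.lower() == "thumbs.db":
                reason = ("Windows thumbnail cache left in web root" if kind == "ole2"
                          else "Thumbs.db name with unexpected content")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_root(root):
    """Constructed sample tree: a SQLite header stored as img/Thumbs.db plus a benign image."""
    os.makedirs(os.path.join(root, "img"))
    with open(os.path.join(root, "img", "Thumbs.db"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 84)    # header-only stand-in, not a real database
    with open(os.path.join(root, "img", "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for rel, reason in audit_web_root(tmp):
            print(f"{rel}: {reason}")
```

Run against the real document root as part of deployment checks; any finding means the file should be moved out of the served tree or blocked by the web server configuration.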

Hire subdomain found