This write-up details the exploitation of the HackTheBox machine "NanoCorp". The attack path involves initial enumeration of SMB and web services, exploiting a recent vulnerability (CVE-2025-24071) to capture NTLM hashes, cracking credentials, and leveraging Active Directory misconfigurations to move laterally and finally escalate privileges to SYSTEM.
Nmap Scan
We start with an Nmap scan to identify open ports and services on the target.
nmap -A -Pn 10.10.11.93 -oN nmapresult
The scan reveals typical Windows domain controller ports: DNS (53), Kerberos (88), LDAP (389), SMB (445), and HTTPS (443). The machine is likely a Domain Controller.
DNS and Hosts File
Based on the scan, we add the domain and relevant hostnames to our /etc/hosts file for proper resolution.
echo "10.10.11.93 nanocorp.htb dc01.nanocorp.htb hire.nanocorp.htb" >> /etc/hosts
Web Enumeration
Visiting http://nanocorp.htb presents a corporate website. To discover hidden directories, we use Dirbuster.
dirbuster -u http://nanocorp.htb
Using the directory list directory-list-2.3-medium.txt, the scan doesn't reveal anything immediately interesting. However, clicking on the "About Us" page reveals an "Apply Now" button that leads to hire.nanocorp.htb. We add this subdomain to our hosts file.
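From the defender's side, a wordlist-driven directory scan like the one above leaves an obvious trace: one client producing a burst of 404 responses for many distinct paths in a short window. The following is an added detection example written for this write-up, not code from the original post; it parses Apache/nginx combined-format access log lines (the sample lines and IP addresses are constructed) and flags any source exceeding a distinct-404 threshold inside a sliding time window.

```python
"""Flag directory brute-forcing in web server access logs.

Added example for this write-up, not part of the original. The log lines in
SAMPLE_LOG are constructed; 198.51.100.23 plays the scanning client.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TIME_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=10):
    """Return {ip: (distinct_404_paths, window_start)} for every source that
    requested more than `threshold` distinct non-existent paths within any
    `window`-long span. Each source is reported once, at first breach."""
    recent = defaultdict(deque)  # ip -> deque of (ts, path) for 404 responses
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append((rec["ts"], rec["path"]))
        # Drop entries that fell out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = (distinct, q[0][0])
    return flagged


# Constructed sample: a normal visitor with one stray 404, then a scanner
# walking a wordlist against the site within a few seconds.
SCANNER_PATHS = ["/admin", "/backup", "/cgi-bin", "/config", "/db", "/dev",
                 "/old", "/phpmyadmin", "/private", "/secret", "/test", "/tmp"]
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "GET /about HTTP/1.1" 200 3021',
    '203.0.113.7 - - [10/Mar/2025:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 196',
] + [
    f'198.51.100.23 - - [10/Mar/2025:10:00:{10 + i:02d} +0000] "GET {p} HTTP/1.1" 404 196'
    for i, p in enumerate(SCANNER_PATHS)
]

if __name__ == "__main__":
    for ip, (count, start) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct 404 paths starting {start.isoformat()}")
```

The threshold and window are deliberately conservative; on a real site, tune them against a baseline of legitimate 404 rates (broken links, favicon probes) so that only wordlist-style bursts stand out.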
Time Synchronization
Since this is a domain environment, we synchronize our time with the Domain Controller to avoid Kerberos errors.
ntpdate 10.10.11.93
SMB Enumeration
We use enum4linux to gather information from SMB.
enum4linux 10.10.11.93
This provides some user and share information, but nothing directly exploitable.
Username Enumeration
We attempt to enumerate valid domain users using a Kerberos user enumeration tool.
userenum --dc 10.10.11.93 -d nanocorp.htb /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
The scan returns several usernames, which we note for later.
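Kerberos-based username enumeration is noisy on the Domain Controller: every guess for a non-existent account produces a Security event 4768 (TGT request) with Result Code 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN. The example below is added for this write-up and is not part of the original post; it reads a constructed, simplified JSON-lines export of 4768 events (field names follow the event's EventData names, the IP addresses are constructed) and reports any source that requested tickets for many distinct unknown principals.

```python
"""Flag Kerberos username enumeration from Security event 4768 records.

Added example for this write-up, not part of the original. SAMPLE_EVENTS is a
constructed, simplified JSON-lines export; 198.51.100.23 plays the scanner.
"""
import json
from collections import defaultdict

# Kerberos error code returned when the requested client principal does not
# exist in the KDC database (RFC 4120 KDC_ERR_C_PRINCIPAL_UNKNOWN).
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"


def normalize_ip(addr):
    """Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip it."""
    return addr.removeprefix("::ffff:")


def parse_events(lines):
    """Yield parsed 4768 events, skipping blank lines and other event IDs."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 4768:
            yield ev


def find_enumeration(lines, min_unknown=5):
    """Return {source_ip: sorted unknown account names} for every source that
    requested TGTs for at least `min_unknown` distinct non-existent accounts.
    Counting distinct names (not events) keeps a user retrying one typo from
    tripping the rule."""
    unknown = defaultdict(set)
    for ev in parse_events(lines):
        if ev.get("Status") == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[normalize_ip(ev["IpAddress"])].add(ev["TargetUserName"].lower())
    return {ip: sorted(names) for ip, names in unknown.items()
            if len(names) >= min_unknown}


# Constructed sample: one legitimate logon, one typo, an unrelated 4624, then a
# wordlist run of non-existent names from a single source.
SAMPLE_EVENTS = [
    '{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0"}',
    '{"EventID": 4768, "TargetUserName": "alcie", "IpAddress": "::ffff:192.0.2.10", "Status": "0x6"}',
    '{"EventID": 4624, "TargetUserName": "alice", "IpAddress": "192.0.2.10"}',
] + [
    json.dumps({"EventID": 4768, "TargetUserName": name,
                "IpAddress": "::ffff:198.51.100.23", "Status": "0x6"})
    for name in ["aaron", "abby", "adam", "admin2", "aiden", "alan", "alexa"]
]

if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} unknown principals, e.g. {names[:3]}")
```

Because the rule keys on 0x6 rather than on authentication failures for real accounts, it does not depend on account lockout and fires even when the attacker never supplies a password; pairing it with a rate threshold over time is the usual refinement for production use.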