HackTheBox - Nanocorp

00:00 - Introduction
01:00 - Start of nmap
05:00 - Looking at the contact form; it behaves oddly, so disregarding it
07:00 - Playing with the PHP file upload to see if we can upload PHP files
10:00 - Using wget to download an image and see when it was uploaded to the webserver
12:30 - Looking into CVE-2025-24071, where we can create a .library-ms file that leaks NTLMv2 hashes
17:30 - Cracking the web_svc NTLMv2 hash
19:50 - Using impacket's getTGT, then running RustHound and discovering we can take over another account via changepassword
25:00 - Using BloodyAD to add ourselves to a group and then change the password
31:40 - Using WinRMexec to get a shell because Evil-WinRM doesn't support KRB+SSL auth
36:30 - WinRM shell returned, discovering we can write PHP scripts to the web directory, but unfortunately this doesn't get us SeImpersonate privileges
40:15 - Discovering CheckMK is running on the box, finding a privesc CVE
45:50 - Looking into the registry to discover which cached MSI is CheckMK
52:00 - Using RunasCs to switch to the web_svc user because we need an interactive login
01:04:30 - Changing the PID in the PoC script to be much lower, which gets us the shell