[Protected] NanoCorp HackTheBox Writeup
November 9, 2025

Nmap Scan
Scanned at 2025-11-09 13:52:51 CET for 95s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
|_http-title: Did not follow redirect to http://nanocorp.htb/
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-11-09 19:52:56Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb, Site: Default-First-Site-Name)
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC01.nanocorp.htb
| Issuer: commonName=DC01.nanocorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-20T01:58:09
| Not valid after: 2026-04-21T01:58:09
| MD5: 4f00 467e e490 4141 7c94 19b7 4ab3 76e6
| SHA-1: 0b96 8038 2148 abee 9372 2809 14f1 b62a a539 320b
| SHA-256: 0961 34be c943 f812 6485 90e9 551e 5a0a ea5e da0e 3816 7fa0 7f78 dd31 2442 96af
|_ssl-date: 2025-11-09T19:54:25+00:00; +6h59m59s from scanner time.
| rdp-ntlm-info:
| Target_Name: NANOCORP
| NetBIOS_Domain_Name: NANOCORP
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: nanocorp.htb
| DNS_Computer_Name: DC01.nanocorp.htb
| DNS_Tree_Name: nanocorp.htb
| Product_Version: 10.0.20348
|_ System_Time: 2025-11-09T19:53:44+00:00
5986/tcp open ssl/wsmans? syn-ack
| tls-alpn:
| h2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Issuer: commonName=dc01.nanocorp.htb
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-04-06T22:58:43
| Not valid after: 2026-04-06T23:18:43
| MD5: 2e3e 1a10 10b8 7f43 dc93 a4d9 05ef 6053
| SHA-1: 4674 6312 27ce e783 91b7 ec00 1746 f114 d669 4ea0
| SHA-256: 45de 169d 93f6 4bd0 148b 2369 5026 1601 482a d91d 294d f080 79e0 9e12 27a2 ab45
6556/tcp open check_mk syn-ack check_mk extension for Nagios 2.1.0p10
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open msrpc syn-ack Microsoft Windows RPC
49671/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
54428/tcp open msrpc syn-ack Microsoft Windows RPC
59345/tcp open msrpc syn-ack Microsoft Windows RPC
59364/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Hosts: nanocorp.htb, DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
[...]
Nmap done: 1 IP address (1 host up) scanned in 95.94 seconds

Enter the Password to Unlock Content
Where can I find the password?
For Linux CTF machines, retrieve the root password hash from the /etc/shadow file.
- Access the file: cat /etc/shadow (requires root privileges).
- Example: root:$y$j9T$Vy...Gp9B:20286:0:99999:7:::
For Windows CTF machines, retrieve the Administrator NT hash from NTDS.DIT if it's a Domain Controller; otherwise, retrieve the local Administrator NT hash from the SAM database.
- Use secretsdump.py from Impacket or hashdump in Meterpreter (requires administrative privileges).
- Example: Administrator:500:aad3b435b...d3b435b51404ee:0b133be956...701affddec:::