# HTB-NanoCorp

5 min read
forcechangepassword impacket winrms CVE-2025-24071 CVE-2024-0670 AddSelf
Table of Contents 
Scope:
10.10.11.93

Recon

Nmap

Terminal window
sudo nmap -sC -sV -sT -Pn -T5 -vvvv --min-rate=5000 10.10.11.93


PORT     STATE SERVICE           REASON  VERSION
53/tcp   open  domain            syn-ack Simple DNS Plus
80/tcp   open  http              syn-ack Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-methods:
|   Supported Methods: GET POST OPTIONS HEAD TRACE
|_  Potentially risky methods: TRACE
|_http-title: Nanocorp
88/tcp   open  kerberos-sec      syn-ack Microsoft Windows Kerberos (server time: 2025-11-12 14:23:30Z)
135/tcp  open  msrpc             syn-ack Microsoft Windows RPC
139/tcp  open  netbios-ssn       syn-ack Microsoft Windows netbios-ssn
389/tcp  open  ldap              syn-ack Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?     syn-ack
464/tcp  open  kpasswd5?         syn-ack
593/tcp  open  ncacn_http        syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?          syn-ack
3268/tcp open  ldap              syn-ack Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl? syn-ack
5986/tcp open  ssl/http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=dc01.nanocorp.htb
| Subject Alternative Name: DNS:dc01.nanocorp.htb
| Issuer: commonName=dc01.nanocorp.htb
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows


Host script results:
|_clock-skew: 6h59m58s
| smb2-time:
|   date: 2025-11-12T14:23:43
|_  start_date: N/A
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 22381/tcp): CLEAN (Timeout)
|   Check 2 (port 20267/tcp): CLEAN (Timeout)
|   Check 3 (port 64929/udp): CLEAN (Timeout)
|   Check 4 (port 35963/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

This post is password-protected. Enter the password to continue:
My avatar

Thanks for reading my blog post! Feel free to check out my other posts or contact me via the social links in the footer.

More Posts
Comments