NanoCorp

HackTheBox NanoCorp machine writeup — reconnaissance and enumeration walkthrough.

1. Reconnaissance & Enumeration

1.1 Network Discovery

Starting with a comprehensive port scan to identify all available services:

nmap -sC -sV -p- 10.10.11.93 -oN nanocorp_scan.txt

Scan Results:

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
80/tcp    open  http              Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) - WinRM SSL
9389/tcp  open  mc-nmf            .NET Message Framing

1.2 Key Findings from Reconnaissance

The scan reveals several critical services:

  • Port 80 (HTTP): Apache web server redirecting to nanocorp.htb
  • Port 88 (Kerberos): Active Directory domain controller
  • Port 389/636 (LDAP/LDAPS): Directory services
  • Port 445 (SMB): File sharing protocol
  • Port 5986 (WinRM SSL): Remote management over HTTPS

The presence of Kerberos, LDAP, and the domain name nanocorp.htb confirms that this is a Windows Active Directory environment; the hostname is dc01.nanocorp.htb.
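The reasoning in 1.2 can be reproduced from the scan table itself, which is useful when the same check has to run across an asset inventory. The following is an added example, not part of the original writeup: the function names and the port-set heuristic for "domain controller" are assumptions made for illustration, and the embedded sample is the port table shown above.

```python
import re

# Port table from the scan results above, embedded so the example runs offline.
SCAN = """\
PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
80/tcp    open  http              Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: nanocorp.htb)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3269/tcp  open  globalcatLDAPssl?
5986/tcp  open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) - WinRM SSL
9389/tcp  open  mc-nmf            .NET Message Framing
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Assumption (a heuristic, not an nmap feature): Kerberos + LDAP plus supporting ports.
DC_CORE = {88, 389}
DC_SUPPORT = {53, 445, 464, 636, 3268, 3269, 9389}
RPC_NETBIOS = {135, 139, 593}  # generic Windows plumbing, not role-specific

def parse_ports(text):
    """Return {port: (service, version)} for every open port in nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4).rstrip("?"), m.group(5).strip())
    return ports

def ldap_domain(ports):
    """Pull the AD domain out of a version banner, if one advertises it."""
    banners = " ".join(version for _service, version in ports.values())
    m = re.search(r"Domain:\s*([\w.-]+)", banners)
    return m.group(1).rstrip(".") if m else None

def classify(ports):
    """Summarise the host role and list services outside the directory role."""
    open_ports = set(ports)
    is_dc = DC_CORE <= open_ports and len(DC_SUPPORT & open_ports) >= 3
    other = sorted(open_ports - DC_CORE - DC_SUPPORT - RPC_NETBIOS)
    return {"domain_controller": is_dc, "domain": ldap_domain(ports), "other_services": other}

print(classify(parse_ports(SCAN)))
```

For this host the summary flags a domain controller for nanocorp.htb and lists ports 80 and 5986 as the services that do not belong to the directory role.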

1.3 Host Configuration

Add the discovered domain and hostname to /etc/hosts:

echo "10.10.11.93 nanocorp.htb dc01.nanocorp.htb" | sudo tee -a /etc/hosts

This post is licensed under CC BY 4.0 by the author.