Machine Synopsis

`NanoCorp` is a hard difficulty Windows Active Directory machine focused on abusing insecure file extraction behavior, Active Directory ACL misconfigurations, Kerberos authentication quirks, and local privilege escalation through a vulnerable Checkmk agent installation. The attack begins by exploiting CVE-2025-24071 to leak the NTLMv2 hash of a service account via a crafted ZIP upload. After cracking the credentials, BloodHound reveals ACL abuse paths allowing escalation to the `monitoring_svc` account. Since the account belongs to the Protected Users group, Kerberos authentication is required to obtain a WinRM shell using a patched Evil-WinRM client. Finally, local enumeration reveals a vulnerable Checkmk agent affected by CVE-2024-0670, allowing privilege escalation to SYSTEM by abusing writable temporary batch files during an MSI repair operation.