
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/2025/11/22/htb-mirage.html
  • Blog Title: HackTheBox Mirage: Chaining NFS Leaks, Dynamic DNS Abuse, NATS Credential Theft, JetStream Secrets, and Kerberoasting to Own a Windows Domain Controller
  • Suggested Section: Windows Hardening -> Active Directory Methodology (add subsections on abusing AD DNS dynamic updates for internal service hijack and on Kerberoasting workflow prioritization with BloodHound); Network Services Pentesting -> add a new page for Pentesting NATS / Message Buses or extend an existing messaging/queue section to include NATS/JetStream credential harvesting and fake-server banner impersonation techniques.

🎯 Content Summary

This post is a full kill-chain walkthrough of the HackTheBox Mirage Windows Domain Controller, chaining NFS information disclosure, insecure AD-integrated DNS dynamic updates, NATS protocol abuse, poor secret handling in JetStream, Kerberoasting, and later AD CS ESC10 abuse to reach Domain Admin. It is highly technical and shows all commands, tooling, and protocol internals necessary to reproduce the attacks.


Recon & environment
An initial TCP scan with:
<...

🔧 Technical Details

1. Leveraging insecure AD-integrated dynamic DNS to hijack internal service hostnames
Active Directory DNS often defaults to allowing any authenticated user to create or modify A records in a zone. If a critical service hostname (e.g. nats-svc.mirage.htb) is missing or scavenged, an attacker with any domain cred can use nsupdate to register it to their own IP:
nsupdate
> server <dc-ip>
> update add nats-svc.mirage.htb 86400 A <attacker-ip>
> send

Any internal client resolving that name is now redirected to the attacker, enabling transparent man-in-the-middle for TCP services (HTTP, message buses, RPC endpoints, etc.). This technique is broadly applicable wherever AD DNS permits loose dynamic updates; defenders should restrict updates to dedicated service accounts and monitor A record changes for critical service names.


2. Impersonating a NATS server to harvest plaintext c...

🤖 Agent Actions

Summary

  • Extended AD DNS Records with a full workflow on re-registering stale dynamic hostnames to hijack plaintext services (NATS case study), including dig confirmation, nsupdate takeover, banner replay via nc, and downstream credential pivoting, plus cited the Mirage blog as a new reference.
  • Augmented BloodHound & Other AD Enumeration Tools with a “Prioritising Kerberoasting” section that ties RustHound-CE collection, BloodHound queries, and targeted NetExec Kerberoasting together; added the required references block.
  • Added a dedicated 4222 - Pentesting NATS / JetStream page covering enumeration, DNS-based service impersonation, JetStream credential harvesting, and hardening guidance, then linked it from the AMQP page.
  • Updated the AMQP page to remove angle-bracket placeholders, include a “See also” reference to the new NATS page, and appended a references section citing its sources.

Testing

  • Not run (not applicable).

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
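The defensive side of the first technical detail above (monitor A records for critical service names so that a scavenged or re-registered record is noticed) can be scripted as a baseline comparison. The following is an added example, not code from this PR, from HackTricks or from the Mirage write-up; the hostnames, addresses, subnets and the zone export are constructed sample data, and `observed_a_records` / `check_critical_records` are names chosen here.

```python
"""Baseline drift check for critical AD DNS service names.

Added example, not code from the PR or the Mirage write-up. It compares a
baseline of critical hostnames against the A records currently present in the
zone (for example from a zone export) and flags the conditions behind the
hijack described above: a record that is missing (scavenged, so any principal
allowed to send dynamic updates could re-register it) and a record that now
points at an unexpected address, with a separate severity when that address
lies outside the trusted server subnets. All names, addresses and subnets are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
import ipaddress

# Constructed baseline: critical service names -> addresses they must resolve to.
BASELINE: Dict[str, Tuple[str, ...]] = {
    "dc01.mirage.htb": ("192.168.10.5",),
    "nats-svc.mirage.htb": ("192.168.10.20",),
    "files-svc.mirage.htb": ("192.168.10.30",),
    "web-svc.mirage.htb": ("192.168.10.40",),
}

# Constructed subnets where legitimate servers live.
TRUSTED_SUBNETS = ("192.168.10.0/24",)

# Constructed zone export, as (owner name, record type, data).
# files-svc is absent (scavenged), nats-svc points outside the server subnet,
# web-svc moved to a different address inside it.
ZONE_EXPORT: List[Tuple[str, str, str]] = [
    ("dc01.mirage.htb", "A", "192.168.10.5"),
    ("DC01.mirage.htb", "AAAA", "fd00::5"),
    ("nats-svc.mirage.htb", "A", "192.168.50.7"),
    ("web-svc.mirage.htb", "A", "192.168.10.41"),
    ("mirage.htb", "NS", "dc01.mirage.htb"),
]


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str                 # "missing", "unexpected_ip" or "untrusted_subnet"
    observed: Optional[str]   # address seen in the zone, None when missing
    expected: Tuple[str, ...]


def observed_a_records(zone: Sequence[Tuple[str, str, str]]) -> Dict[str, Tuple[str, ...]]:
    """Collect A records per owner name (case-insensitive, as DNS names are)."""
    records: Dict[str, List[str]] = {}
    for name, rrtype, data in zone:
        if rrtype.upper() == "A":
            records.setdefault(name.lower().rstrip("."), []).append(data)
    return {name: tuple(ips) for name, ips in records.items()}


def check_critical_records(
    baseline: Dict[str, Tuple[str, ...]],
    observed: Dict[str, Tuple[str, ...]],
    trusted_subnets: Sequence[str],
) -> List[Finding]:
    """Return one Finding per deviation of the zone from the baseline."""
    trusted = [ipaddress.ip_network(n) for n in trusted_subnets]
    findings: List[Finding] = []
    for name, expected in baseline.items():
        current = observed.get(name.lower().rstrip("."), ())
        if not current:
            # A missing record is the precondition for re-registration by
            # whoever is allowed to send dynamic updates for the zone.
            findings.append(Finding(name, "missing", None, expected))
            continue
        for ip in current:
            if ip in expected:
                continue
            in_trusted = any(ipaddress.ip_address(ip) in net for net in trusted)
            kind = "unexpected_ip" if in_trusted else "untrusted_subnet"
            findings.append(Finding(name, kind, ip, expected))
    return findings


def run_check() -> List[Finding]:
    """Run the check over the constructed sample data."""
    return check_critical_records(BASELINE, observed_a_records(ZONE_EXPORT), TRUSTED_SUBNETS)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f.kind:17} {f.name:25} observed={f.observed} expected={','.join(f.expected)}")
```

In a real deployment the `ZONE_EXPORT` list would be replaced by the zone's actual records (for instance a `Get-DnsServerResourceRecord` dump taken on the DC) and the check run on a schedule; a "missing" finding for a service name deserves the same attention as an address change, because an absent record is exactly what the re-registration above relies on. The check complements, and does not replace, restricting who may send dynamic updates to the zone.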

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2025/11/22/htb-mirage.html

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening -> Active Directory Methodology (add subsections on abusing AD DNS dynamic updates for internal service hijack and on Kerberoasting workflow prioritization with BloodHound); Network Services Pentesting -> add a new page for Pentesting NATS / Message Buses or extend an existing messaging/queue section to include NATS/JetStream credential harvesting and fake-server banner impersonation techniques.".

Repository Maintenance:

  • MD Files Formatting: 912 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
