HackTheBox - Mirage

Name: HackTheBox - Mirage
Uploaded: 2025-11-22T15:11:17+00:00
Channel: IppSec
Description: 00:00 - Introduction 01:10 - Start of nmap 03:50 - Exploring NFS which is odd on a Windows Box 06:20 - Mounting the share with NFSv3, so we can spoof UI...

IppSec · Beginner ·🔐 Cybersecurity ·4mo ago

00:00 - Introduction 01:10 - Start of nmap 03:50 - Exploring NFS which is odd on a Windows Box 06:20 - Mounting the share with NFSv3, so we can spoof UID's to read any file we want 11:11 - Using NSUpdate to create a DNS Record for nats-svc.mirage.htb 15:36 - Running a NATS Server, so we can see clients connect to us when we put the malicious DNS Record in 21:45 - Failed to modify the code to remove the redaction around password, just grabbing the password from Wireshark since its not encrypted 25:50 - Grabbing the NATS Client, then using the credentials to connect to NATS and dump messages out…

Watch on YouTube ↗ (saves to browser)

Chapters (18)

Introduction

1:10 Start of nmap

3:50 Exploring NFS which is odd on a Windows Box

6:20 Mounting the share with NFSv3, so we can spoof UID's to read any file we want

11:11 Using NSUpdate to create a DNS Record for nats-svc.mirage.htb

15:36 Running a NATS Server, so we can see clients connect to us when we put the mal

21:45 Failed to modify the code to remove the redaction around password, just grabbi

25:50 Grabbing the NATS Client, then using the credentials to connect to NATS and du

29:26 Edit: Getting claude to fix the code correctly

32:49 Running Rusthound, discovering kerberoastable users, getting another credentia

39:00 Discovering Nathan.AADAM can login to the box, then discovering another user i

45:00 Talking about the Cross Session Relay attack and then using RemotePotato to st

52:00 Back to bloodhound, discovering mark.bbond can change javier.mmarshall's passw

54:45 Discovering javier's account is disabled via bloodyAD, then re-enabling it but

1:01:01 Talking about what separates senior engineers from juniors -- Its about knowin

1:13:00 Running Certipy to showing it will miss the ESC10 vulnerability then talking a

1:24:42 Using BloodyAD to change Mark's UPN to be DC01$, requesting a ticket, then get

1:27:15 Using getST with our machine account (GMSA), to forge a ticket that grants us

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →