Mirage
RETIRED MACHINE

OS: Windows
Difficulty: Hard

MACHINE RATING: 4.2
USER OWNS: 2373
SYSTEM OWNS: 1932
RELEASED: 19/07/2025
Created by EmSec & ctrlzero

Machine Synopsis

`Mirage` is a hard difficulty Windows machine that starts with an unauthenticated NFS share, enabling the attacker to download sensitive penetration test reports. The attacker then discovers that the DNS record for the domain's NATS server has been automatically removed from the DNS server, and that the DNS server is configured to allow insecure DNS updates, enabling the attacker to add a DNS A record and capture all NATS server-client communication on their rogue NATS server. The attacker then discovers streams on the NATS server, which is running on the Domain Controller, leaking credentials for the `DAVID.JJACKSON` user account. The newly compromised user is used to request a Service Ticket for the Kerberoastable `NATHAN.AADAM` user and to crack the hash locally. After establishing a WinRM session on the Domain Controller, the attacker discovers that the `MARK.BBOND` user is logged in to the Domain Controller at the same time and performs a cross-session Net-NTLMv2 hash leak. Because that user is a member of the `IT SUPPORT` group, the attacker can enable the `JAVIER.MMARSHALL` user account, modify its logon hours, and change its password. The `JAVIER.MMARSHALL` account is then used to read the gMSA password for the `MIRAGE-SERVICES$` service account. The service account has privileges to write the Public-Information property set for the `MARK.BBOND` user. The Certificate Authority is configured to allow UPN mapping, and Certificate Binding is set to Compatibility (not Full Enforcement), allowing attackers to perform the `ESC10` attack and gain privileges to perform a DCSync attack, thereby obtaining Domain Admin access.
