This document provides a detailed walkthrough for the Mirage HTB machine. The exploitation path involves NFS enumeration, DNS hijacking to intercept NATS credentials, Kerberoasting, and a sophisticated Active Directory certificate abuse (ESC10) to achieve full domain compromise.
1. Initial Reconnaissance
1.1. Port Scanning
We begin with a standard nmap scan to identify open ports and running services.
nmap -p- -sV -sC 10.10.11.78
The scan reveals typical Active Directory services (Kerberos, DNS, LDAP) and an interesting, less common service on port 4222, identified as NATS.
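From the defensive side, the useful habit here is to diff a scan against the services a domain controller is expected to expose, so that an extra listener such as NATS on 4222 stands out immediately. The following added example (not part of the original walkthrough) parses nmap's grepable output (-oG) and reports open TCP ports outside an assumed baseline; the scan lines embedded below are constructed to mirror the services described above, and the baseline port set is an assumption, not something the page states.

```python
"""Flag open services that fall outside an expected domain-controller baseline,
using nmap grepable (-oG) output.

Added example for this walkthrough; the sample scan and the baseline are assumptions."""
import re

# Assumed baseline: TCP ports a Windows domain controller is expected to expose.
EXPECTED_DC_PORTS = {53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985}

# Constructed sample of `nmap -oG` output (not a real scan result). Fields in the
# Ports column are port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.10.11.78 (dc01.mirage.htb)\tPorts: "
    "53/open/tcp//domain//Simple DNS Plus/, "
    "88/open/tcp//kerberos-sec//Microsoft Windows Kerberos/, "
    "389/open/tcp//ldap//Microsoft Windows Active Directory LDAP/, "
    "445/open/tcp//microsoft-ds//, "
    "4222/open/tcp//nats//NATS server/\tIgnored State: filtered (65530)\n"
    "# Nmap done\n"
)

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return {ip: [(port, state, proto, service, version), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        ip, _hostname, ports_field = m.groups()
        entries = []
        for item in ports_field.split(","):
            fields = item.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            entries.append((int(port), state, proto, service, version.strip()))
        hosts[ip] = entries
    return hosts


def unexpected_services(hosts, baseline=EXPECTED_DC_PORTS):
    """Return (ip, port, service, version) for open TCP ports not in the baseline."""
    findings = []
    for ip, entries in hosts.items():
        for port, state, proto, service, version in entries:
            if state == "open" and proto == "tcp" and port not in baseline:
                findings.append((ip, port, service, version))
    return findings


if __name__ == "__main__":
    for ip, port, service, version in unexpected_services(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{ip}: unexpected listener {port}/tcp ({service} {version})".rstrip())
```

Run against a real `nmap -oG scan.gnmap` file by reading it into `parse_gnmap`; anything the function reports is a candidate for an asset-inventory review, which is exactly how the NATS service on this host would have been caught before an attacker found it.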
We discover the domain names mirage.htb and dc01.mirage.htb. Let's add them to our /etc/hosts file.
echo "10.10.11.78 dc01.mirage.htb mirage.htb" | sudo tee -a /etc/hosts
