1. Executive Summary

Pirate is a Hard-rated, multi-host Windows Active Directory machine that simulates a realistic corporate environment with several domain-joined hosts, service accounts, and misconfigured delegation settings. The attack path chains six distinct AD attack primitives across three machines to reach Domain Admin:

  • Pre-Windows 2000 Compatible Access - Authenticating as the pre-created computer account MS01$ with its default password, the lowercase machine name without the trailing $

  • gMSA Password Extraction - Reading a group managed service account's msDS-ManagedPassword attribute over LDAP, which yields the account's NT hash

  • Pass-the-Hash over WinRM - Shell on DC01 using the gMSA's NTLM hash

  • L3 Network Pivoting - Establishing a transparent tunnel through DC01 into the internal 192.168.100.0/24 subnet, which the attacker cannot reach directly

  • NTLM Relay to LDAPS + RBCD - Relaying an incoming NTLM authentication to LDAPS to add a backdoor machine account and grant it resource-based constrained delegation (msDS-AllowedToActOnBehalfOfOtherIdentity) over WEB01

  • SPN Injection + Constrained Delegation Abuse - Pivoting from WEB01 Administrator to full Domain Admin on DC01

No CVEs are required. Every step exploits Active Directory misconfigurations and abusable delegation settings - exactly what you'd encounter in a real-world enterprise penetration test.

2. Network Topology

┌──────────────────────────────────────────────────────────────────┐
│                        PIRATE.HTB Domain                         │
│                                                                  │
│   ┌─────────────────────┐       ┌──────────────────────────┐    │
│   │  DC01.pirate.htb    │       │  MS01.pirate.htb         │    │
│   │  10.129.202.43      │◄─────►│  (machine account MS01$) │    │
│   │  Windows Server 2019│       │  Pre-Win2000 group member│    │
│   │  Domain Controller  │       └──────────────────────────┘    │
│   │  KDC / LDAP / WinRM │                                        │
│   └────────┬────────────┘                                        │
│            │                                                      │
│    Internal Network: 192.168.100.0/24                            │
│            │                                                      │
│   ┌────────▼────────────┐                                        │
│   │  WEB01.pirate.htb   │                                        │
│   │  192.168.100.2      │                                        │
│   │  Windows Server 2019│                                        │
│   │  user.txt lives here│                                        │
│   └─────────────────────┘                                        │
└──────────────────────────────────────────────────────────────────┘

Attacker: 10.10.14.42 (Kali Linux, direct access only to 10.129.202.43)

3. Environment Setup

3.1 - /etc/hosts

sudo nano /etc/hosts

Add the following entries:

10.129.202.43   DC01.pirate.htb pirate.htb MS01.pirate.htb
192.168.100.2   WEB01.pirate.htb

3.2 - Kerberos Configuration

Anything built on MIT Kerberos or GSSAPI (kinit, evil-winrm authenticating with a ticket in KRB5CCNAME, the gssapi module that ldap3 uses for SASL/GSSAPI binds) reads /etc/krb5.conf to find the KDC for the realm, and fails to locate the realm without it. Impacket's own scripts (getTGT.py, getST.py) ship their own Kerberos implementation and can be pointed at the DC with -dc-ip, but the ccache files they write are consumed by those other tools, so configure the realm once up front and every tool agrees on the KDC.

sudo bash -c 'cat > /etc/krb5.conf << EOF
[libdefaults]
    default_realm = PIRATE.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    PIRATE.HTB = {
        kdc = 10.129.202.43
        admin_server = 10.129.202.43
    }

[domain_realm]
    .pirate.htb = PIRATE.HTB
    pirate.htb = PIRATE.HTB
EOF'

3.3 - Python Virtual Environment

Isolating impacket inside a venv prevents conflicts with the system packages (Kali ships its own impacket). Note that gssapi is a C extension built against the system Kerberos libraries, so its install fails unless the krb5 development headers (libkrb5-dev on Kali/Debian) are present:

cd /home/jerry/Downloads/HTB/pirate/
python3 -m venv env
source env/bin/activate
pip install impacket gssapi ldap3

4. Reconnaissance

4.1 - Full Port Nmap Scan

nmap -sC -sV -T4 -p- 10.129.202.43 --open -oN nmap_full.txt

Key results:

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP
443/tcp  open  https
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap
3268/tcp open  ldap (Global Catalog)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
9389/tcp open  mc-nmf
Host script results:
|_clock-skew: mean: 7h03m29s, deviation: 0s, median: 7h03m29s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Two results to carry forward from this scan. SMB signing is required on DC01, so relaying NTLM to SMB on the DC is not an option; the relay used later targets LDAPS instead, and whether that works depends on LDAP channel binding and LDAP signing, not on SMB signing. The 7-hour clock skew means no Kerberos tool will work until the attacker's clock is synced with the DC (section 4.2). For reference, 3268/tcp is the Global Catalog, 5985/tcp is WinRM and 9389/tcp (mc-nmf) is Active Directory Web Services.

4.2 - SMB Time Check

nmap -sV --script smb2-time -p 445 10.129.202.43
PORT    STATE SERVICE
445/tcp open  microsoft-ds?

Host script results:
| smb2-time:
|   date: 2026-03-01T22:11:44
|_  start_date: N/A

Critical observation: smb2-time reports the DC's clock as 2026-03-01T22:11:44 UTC, and nmap's clock-skew script measured DC01 about 7h03m ahead of the attacker machine (which read 15:08 IST when the scan ran). Kerberos tolerates at most 5 minutes of skew by default; beyond that the KDC answers every request with KRB_AP_ERR_SKEW ("Clock skew too great"), so AS-REQs, S4U requests and ticket use all fail. The attacker's clock must be synced to the DC before any Kerberos step.
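As an added example (not part of the original writeup), the following Python script turns the two nmap script lines quoted above into a sync decision: it parses the signed skew from the clock-skew script, cross-checks it against the smb2-time date, decides whether the offset exceeds the 5-minute Kerberos tolerance, and prints the date -u -s command that moves the attacker's clock onto the DC's. The nmap lines are copied from this section; the attacker's UTC time at scan (LOCAL_UTC_AT_SCAN) is an assumed value chosen so that both methods agree.

```python
import re
from datetime import datetime, timedelta

# MIT krb5 (clockskew) and the Windows KDC policy both default to 5 minutes.
KRB_MAX_SKEW_SECONDS = 300

# Constructed input: the two nmap host-script lines from the recon section, plus
# an assumed attacker clock (UTC) at scan time chosen so both methods agree.
NMAP_CLOCK_SKEW_LINE = "|_clock-skew: mean: 7h03m29s, deviation: 0s, median: 7h03m29s"
NMAP_SMB2_TIME_LINE = "|   date: 2026-03-01T22:11:44"
LOCAL_UTC_AT_SCAN = datetime(2026, 3, 1, 15, 8, 15)

# nmap prints durations as an optional sign followed by d/h/m/s components.
_DURATION = re.compile(r"(-?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_nmap_duration(text: str) -> int:
    """Convert an nmap duration such as '7h03m29s' or '-2m05s' to signed seconds."""
    m = _DURATION.fullmatch(text.strip())
    if m is None or not any(m.groups()[1:]):
        raise ValueError(f"unrecognised duration: {text!r}")
    sign, days, hours, minutes, seconds = m.groups()
    total = (int(days or 0) * 86400 + int(hours or 0) * 3600
             + int(minutes or 0) * 60 + int(seconds or 0))
    return -total if sign else total


def skew_from_clock_skew_line(line: str) -> int:
    """DC clock minus ours, from the 'median' value of nmap's clock-skew script."""
    m = re.search(r"median:\s*(-?[0-9dhms]+)", line)
    if m is None:
        raise ValueError("no median value in clock-skew line")
    return parse_nmap_duration(m.group(1))


def skew_from_smb2_time(line: str, local_utc: datetime) -> int:
    """DC clock minus ours, from the UTC 'date' that the smb2-time script reports."""
    m = re.search(r"date:\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})", line)
    if m is None:
        raise ValueError("no date value in smb2-time line")
    dc_time = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return int((dc_time - local_utc).total_seconds())


def needs_sync(skew_seconds: int, tolerance: int = KRB_MAX_SKEW_SECONDS) -> bool:
    """True when the KDC would reject our requests with KRB_AP_ERR_SKEW."""
    return abs(skew_seconds) > tolerance


def date_sync_command(local_utc: datetime, skew_seconds: int) -> str:
    """'date -u -s' invocation that moves our clock onto the DC's, in UTC."""
    target = local_utc + timedelta(seconds=skew_seconds)
    return f"sudo date -u -s '{target:%Y-%m-%d %H:%M:%S}'"


if __name__ == "__main__":
    from_script = skew_from_clock_skew_line(NMAP_CLOCK_SKEW_LINE)
    from_smb = skew_from_smb2_time(NMAP_SMB2_TIME_LINE, LOCAL_UTC_AT_SCAN)
    print(f"clock-skew script: {from_script:+d}s  smb2-time: {from_smb:+d}s")
    if needs_sync(from_script):
        print(f"skew exceeds {KRB_MAX_SKEW_SECONDS}s, Kerberos will fail until synced:")
        print(date_sync_command(LOCAL_UTC_AT_SCAN, from_script))
```

On a dedicated attack VM, setting the clock with the printed date command (or ntpdate -u against the DC, since the Windows Time service on a domain controller answers SNTP) is the straightforward fix; afterwards re-run the smb2-time script and confirm the reported date matches date -u. The script uses the median rather than the mean from the clock-skew output because the median is less sensitive to a single slow probe.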

🔐 PREMIUM WRITEUP - MEMBERSHIP REQUIRED

This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.
