Pirate

HackTheBox Pirate machine writeup — reconnaissance and enumeration walkthrough.

1. Executive Summary

Pirate is a Hard-rated, multi-host Windows Active Directory machine that simulates a realistic corporate environment with multiple domain-joined hosts, service accounts, and misconfigured delegation settings. The attack path chains six distinct AD attack primitives across three machines to achieve Domain Admin:

  • Pre-Windows 2000 Compatible Access - Authenticating as MS01$ using its machine name as password
  • gMSA Password Extraction - Reading managed service account passwords via LDAP
  • Pass-the-Hash over WinRM - Shell on DC01 using gMSA NTLM hash
  • L3 Network Pivoting - Establishing a transparent tunnel to the internal 192.168.100.0/24 subnet
  • NTLM Relay to LDAPS + RBCD - Creating a backdoor machine account with delegation rights over WEB01
  • SPN Injection + Constrained Delegation Abuse - Pivoting from WEB01 Administrator to full Domain Admin on DC01

No CVEs are required. Every step exploits Active Directory misconfigurations and abusable delegation settings - exactly what you’d encounter in a real-world enterprise penetration test.


2. Network Topology

┌─────────────────────────────────────────────────────────────────┐
│                        PIRATE.HTB Domain                        │
│                                                                 │
│   ┌─────────────────────┐       ┌──────────────────────────┐    │
│   │  DC01.pirate.htb    │       │  MS01.pirate.htb         │    │
│   │  10.129.202.43      │◄─────►│  (machine account MS01$) │    │
│   │  Windows Server 2019│       │  Pre-Win2000 group member│    │
│   │  Domain Controller  │       └──────────────────────────┘    │
│   │  KDC / LDAP / WinRM │                                       │
│   └────────┬────────────┘                                       │
│            │                                                    │
│    Internal Network: 192.168.100.0/24                           │
│            │                                                    │
│   ┌────────▼────────────┐                                       │
│   │  WEB01.pirate.htb   │                                       │
│   │  192.168.100.2      │                                       │
│   │  Windows Server 2019│                                       │
│   │  user.txt lives here│                                       │
│   └─────────────────────┘                                       │
└─────────────────────────────────────────────────────────────────┘

Attacker: 10.10.14.42 (Kali Linux, direct access only to 10.129.202.43)


3. Environment Setup

3.1 - /etc/hosts

sudo nano /etc/hosts

Add the following entries:

10.129.202.43   DC01.pirate.htb pirate.htb MS01.pirate.htb
192.168.100.2   WEB01.pirate.htb

3.2 - Kerberos Configuration

Kerberos requires a properly configured krb5.conf pointing to the correct KDC. Without this, getTGT, getST, and other Kerberos-based tools will fail to locate the realm.

sudo bash -c 'cat > /etc/krb5.conf << EOF
[libdefaults]
    default_realm = PIRATE.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    PIRATE.HTB = {
        kdc = 10.129.202.43
        admin_server = 10.129.202.43
    }

[domain_realm]
    .pirate.htb = PIRATE.HTB
    pirate.htb = PIRATE.HTB
EOF'

3.3 - Python Virtual Environment

Isolating impacket inside a venv prevents conflicts with system packages:

cd /home/jerry/Downloads/HTB/pirate/
python3 -m venv env
source env/bin/activate
pip install impacket gssapi ldap3
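The three setup steps above only work together if they agree with each other: the realm in krb5.conf must be upper-case, the KDC must be reachable by address (DNS lookups are disabled), and the DC's FQDN must resolve via /etc/hosts to that same address, otherwise getTGT/getST fail with "Cannot find KDC for realm" style errors before any authentication happens. The preflight check below is an added example written for this writeup, not code from the original post or from Impacket. It embeds constructed copies of the two files from sections 3.1 and 3.2 and a hypothetical `preflight()` helper that parses them and reports the mismatches that commonly cause those errors; IPv4 addresses and a single level of `{ }` nesting are assumed.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the files written in sections 3.1 and 3.2.
KRB5_CONF = """
[libdefaults]
    default_realm = PIRATE.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    PIRATE.HTB = {
        kdc = 10.129.202.43
        admin_server = 10.129.202.43
    }

[domain_realm]
    .pirate.htb = PIRATE.HTB
    pirate.htb = PIRATE.HTB
"""

HOSTS = """
127.0.0.1       localhost
10.129.202.43   DC01.pirate.htb pirate.htb MS01.pirate.htb
192.168.100.2   WEB01.pirate.htb
"""


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: value}} with one level of
    '{ }' nesting, which is all the [realms] block needs."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"key outside a section: {line}")
        if line == '}':
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError(f"malformed line: {line}")
        key, value = key.strip(), value.strip()
        if value == '{':
            stack[-1][key] = child = {}
            stack.append(child)
        else:
            stack[-1][key] = value
    return conf


def parse_hosts(text):
    """/etc/hosts -> {hostname (lower-case): ip}; comments and blanks skipped."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split('#', 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                mapping[name.lower()] = fields[0]
    return mapping


def preflight(krb5_text, hosts_text, dc_fqdn):
    """Return a list of problems that would stop Kerberos tools from locating
    the realm or KDC; an empty list means the two files are consistent."""
    problems = []
    conf, hosts = parse_krb5(krb5_text), parse_hosts(hosts_text)
    libdefaults = conf.get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    if not realm:
        return ["libdefaults.default_realm is missing"]
    if realm != realm.upper():
        problems.append(f"realm {realm!r} must be upper-case (Kerberos realms are case-sensitive)")
    realm_cfg = conf.get('realms', {}).get(realm)
    if not isinstance(realm_cfg, dict):
        return problems + [f"[realms] has no block for {realm}"]
    kdc = realm_cfg.get('kdc')
    if not kdc:
        if libdefaults.get('dns_lookup_kdc', 'true').lower() != 'true':
            problems.append(f"no kdc entry for {realm} and dns_lookup_kdc is disabled")
    else:
        kdc_host = kdc.rsplit(':', 1)[0]          # strip an optional :port (IPv4 assumed)
        try:
            ipaddress.ip_address(kdc_host)
            # KDC given by IP: the DC's FQDN must map to the same IP in /etc/hosts,
            # because tickets are requested for SPNs built from that hostname.
            if hosts.get(dc_fqdn.lower()) != kdc_host:
                problems.append(f"{dc_fqdn} does not resolve to kdc {kdc_host} in /etc/hosts")
        except ValueError:
            if kdc_host.lower() not in hosts:
                problems.append(f"kdc {kdc_host} is a hostname but is not in /etc/hosts and DNS lookup is off")
    # Both 'domain' and '.domain' should map to the realm so every host in it is covered.
    domain = dc_fqdn.split('.', 1)[1].lower()
    for key in (domain, '.' + domain):
        if conf.get('domain_realm', {}).get(key) != realm:
            problems.append(f"[domain_realm] is missing '{key} = {realm}'")
    if dc_fqdn.lower() not in hosts:
        problems.append(f"{dc_fqdn} is not in /etc/hosts; Kerberos SPN lookups need the FQDN")
    return problems


if __name__ == '__main__':
    for p in preflight(KRB5_CONF, HOSTS, 'DC01.pirate.htb') or ['setup is consistent']:
        print(p)
```

Run it before the first getTGT attempt; on the real box, replace the embedded strings with the contents of /etc/krb5.conf and /etc/hosts. The check deliberately treats a KDC given by IP and a KDC given by hostname differently, since with dns_lookup_kdc disabled a hostname KDC is only usable if /etc/hosts resolves it.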


The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.
This post is licensed under CC BY 4.0 by the author.