https://z3r0s6.github.io/tags/pre-win2000/Recent content in Pre-Win2000 on z3r0sHugoenSun, 26 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pirate/Sun, 26 Apr 2026 00:00:00 +0000https://z3r0s6.github.io/machines/pirate/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Hard</td> </tr> <tr> <td>OS</td> <td>Windows (Active Directory)</td> </tr> <tr> <td>Domain</td> <td>PIRATE.HTB</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Pirate is a Hard-rated multi-host Windows Active Directory machine simulating a realistic corporate environment with three domain-joined machines. The attack chains <strong>six distinct AD primitives</strong> with no CVEs required - every step exploits misconfigurations:</p> <p><strong>Pre-Windows 2000 Compatible Access</strong> (MS01$ machine account auth) → <strong>gMSA password extraction</strong> via LDAP → <strong>Pass-the-Hash</strong> over WinRM on DC01 → <strong>L3 network pivot</strong> via Ligolo-ng to the internal <code>192.168.100.0/24</code> subnet → <strong>NTLM relay</strong> to LDAPS with RBCD to gain WEB01 Administrator → user flag → <strong>SPN injection</strong> with Constrained Delegation abuse to impersonate Domain Admin on DC01 → root flag.</p>