February 28, 2026

Pirate HackTheBox Writeup - Season10

Hackthebox Pirate machine walkthrough

SUMMARY

This write-up covers the Pirate machine from HackTheBox Season 10. The initial foothold began with a Pre-Windows 2000 Compatibility (Pre2K) attack, which exploits a legacy Active Directory behavior where machine account passwords are set to match the machine name by default. This allowed recovery of valid credentials for MS01$, which were then used to enumerate the domain via BloodHound. The graph analysis revealed that MS01$ held ReadGMSAPassword permissions, enabling retrieval of a Group Managed Service Account password and access to a new user context.

With these credentials we accessed the machine and found an internal network interface. Using Chisel in SOCKS proxy mode, the internal segment was tunneled and enumerated, revealing the Domain Controller. Since LDAP signing was not enforced on the DC, an NTLM relay attack targeting LDAP was performed. PetitPotam was used to coerce an authentication from WEB01, relaying its machine account credentials to the DC's LDAP service. Authenticated as WEB01$, Resource-Based Constrained Delegation (RBCD) was configured, ultimately allowing impersonation of the Administrator user on WEB01.

As Administrator on WEB01, credential dumping revealed a user with ForceChangePassword over a second user, who in turn held AllowedToDelegate privileges over WEB01. This delegation chain was abused by combining SPN hijacking with Kerberos Constrained Delegation with Protocol Transition, allowing impersonation of the Administrator account directly on the Domain Controller and achieving full domain compromise.


PATH TO FOLLOW

  1. Reconnaissance
  2. Pre-Windows 2000 Compatibility Attack (Pre2K)
  3. Domain Enumeration with BloodHound
  4. Abusing ReadGMSAPassword
  5. Internal Network Discovery & Chisel SOCKS Tunneling
  6. NTLMRelay over Unsigned LDAP with PetitPotam
  7. Resource-Based Constrained Delegation
  8. Lateral Movement
  9. Credential Dumping & ACL Abuse Chain Discovery
  10. ForceChangePassword Abuse
  11. SPN Hijacking
  12. Kerberos Constrained Delegation + Protocol Transition
  13. Full Domain Compromise

CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED