HTB Eighteen#2120
carlospolop merged 1 commit into master from [source branch not captured] on Apr 28, 2026
🔗 Additional Context
Original Blog Post: https://0xdf.gitlab.io/2026/04/11/htb-eighteen.html
Content Categories: Based on the analysis, this content was categorized under "HackTricks Main → Network Services Pentesting → 1433 - Pentesting MSSQL (IMPERSONATE/exec_as_login, netexec --local-auth, MSSQL RID brute) AND Windows Hardening → Active Directory Methodology → Abusing AD ACLs/ACEs → BadSuccessor (add Windows Server 2025 functional level + dMSA migration abuse notes); optionally Web → Password hashing/cracking notes for Werkzeug PBKDF2-SHA256 → hashcat 10900 conversion".
Bot Version: HackTricks News Bot v1.0
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
🎯 Content Summary
Overview / Impact
This post is an end-to-end HackTheBox “assume breach” attack chain against Eighteen, a Windows Server 2025 Domain Controller (DC01) in the eighteen.htb AD domain. Starting with given credentials that only work as a local MSSQL login, the attacker: (1) enumerates MSSQL and abuses a misconfiguration (IMPERSONATE on another SQL login) to access an application database, (2) extracts and cracks a Werkzeug PBKDF2-SHA256 password ha...
🔧 Technical Details
- Local MSSQL auth vs Integrated auth: If MSSQL login fails with “untrusted domain” using integrated auth, try authenticating as a local SQL login (e.g., `netexec mssql <host> -u <user> -p <pass> --local-auth`). Once connected, validate privilege boundaries by attempting (and observing errors for) features like `xp_cmdshell`/`RECONFIGURE`; the error messages confirm you must pivot via data access rather than direct OS command execution.
- MSSQL RID cycling through database access: When SMB/LDAP aren’t available, you can still enumerate AD accounts by RID brute forcing through MSSQL using netexec (`--rid-brute`). Parse results to build a username list for spraying (`grep -oP 'DOMAIN\\\w+\.\w+' | cut -d '\\' -f2`).
- MSSQL login impersonation (IMPERSONATE) to pivot into protected DBs: If `enum_impersonate` shows an `IMPERSONATE` grant on another login, switch con...

🤖 Agent Actions
I’m mapping the existing HackTricks structure first and reading the closest MSSQL, AD ACL, and password-hash pages before deciding on a single target file. After that I’ll check whether the blog actually adds anything new or whether the techniques are already covered.
I found there is already a dedicated `BadSuccessor.md`, which makes it the leading candidate if the current page is missing the Windows Server 2025 functional-level and dMSA migration notes from the blog. I’m reading the nearby MSSQL, Werkzeug, and AD pages now to confirm what is already covered and avoid adding duplicated material.

The MSSQL techniques from the box are already present in the main MSSQL page, so duplicating them would add noise. The real gap is in the BadSuccessor documentation: the repo already has the topic, but one page is stale and neither page clearly captures the Windows Server 2025 functional-level angle and the practical operator notes shown in the blog.
I’ve confirmed the repo already covers most of the box’s MSSQL side, so I’m validating the BadSuccessor details against current sources before editing. The main thing I need to avoid is preserving stale guidance, because the existing page still claims there was no patch.
I’ve finished source validation. I’m updating the dedicated ACLs/ACEs `BadSuccessor.md` page only, keeping the change scoped to one file and focusing on what the blog adds materially: the Windows Server 2025/dMSA operator cues, the migration-state details, current patch status, and practical enumeration/exploitation notes.

The edit is in place and I’ve re-read the rendered markdown plus the diff. I’m doing one last verification pass now to make sure the update stays within the “one file only” constraint and that the references section is correct and still at the end of the file.
Updated BadSuccessor.md as the single target file.
The MSSQL pieces from the blog were already covered in HackTricks, so I did not duplicate them. The useful gap was the BadSuccessor page: I rewrote it to emphasize the Windows Server 2025/dMSA migration mechanics, added practical checks like `Get-ADDomain`/`Get-ADForest` and `netexec ldap -M badsuccessor`, kept the abuse flow concise, and corrected the stale patch status by noting Microsoft assigned CVE-2025-53779 and shipped an update in August 2025. I also added the blog URL plus the primary Akamai, Microsoft Learn, and MSRC references at the end of the file.

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
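A defender-side audit for the IMPERSONATE misconfiguration summarised in the Technical Details above, added here as an example and not taken from the writeup, the bot, or HackTricks. It assumes SQL Server 2005 or later (the `sys.server_permissions`/`sys.database_permissions` catalog views) and a login allowed to read them.

```sql
-- Added audit example (not from the writeup or HackTricks): list server-level
-- IMPERSONATE grants, i.e. logins allowed to EXECUTE AS another login, and flag
-- the high-risk case where the impersonable login is a sysadmin.
SELECT
    grantee.name                              AS grantee_login,
    target.name                               AS impersonable_login,
    target.type_desc                          AS target_type,
    sp.state_desc                             AS grant_state,
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin  -- 1 = high risk
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS grantee
    ON sp.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals  AS target
    ON sp.major_id = target.principal_id         -- major_id = impersonated login
WHERE sp.class_desc      = 'SERVER_PRINCIPAL'
  AND sp.permission_name = 'IMPERSONATE'
  AND sp.state IN ('G', 'W')   -- GRANT / GRANT WITH GRANT OPTION (ignore DENY)
ORDER BY target_is_sysadmin DESC, grantee.name, target.name;

-- Database-level counterpart: users who may EXECUTE AS another user inside the
-- current database. Run once per database of interest.
SELECT
    grantee.name  AS grantee_user,
    target.name   AS impersonable_user,
    dp.state_desc AS grant_state
FROM sys.database_permissions AS dp
JOIN sys.database_principals  AS grantee
    ON dp.grantee_principal_id = grantee.principal_id
JOIN sys.database_principals  AS target
    ON dp.major_id = target.principal_id
WHERE dp.class_desc      = 'DATABASE_PRINCIPAL'
  AND dp.permission_name = 'IMPERSONATE'
  AND dp.state IN ('G', 'W');

-- The writeup relies on xp_cmdshell being unavailable; confirm it stays off
-- (value_in_use = 0 for both rows is the expected hardened state).
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- Remediation for an unwanted finding from the first query (placeholder names):
-- REVOKE IMPERSONATE ON LOGIN::[impersonable_login] FROM [grantee_login];
```

Any row returned by the first query is a login that can act as another login without knowing its password; rows with `target_is_sysadmin = 1` are the ones that turn a low-privilege SQL login into full instance control.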