HTB Eighteen — Detailed Solution Notes
Platform: Hack The Box | Machine: Eighteen | OS: Windows (Active Directory) | Difficulty: Medium/Hard | Vulnerability Types: MSSQL Impersonation, Weak Password Hashes (PBKDF2-SHA256), Password Reuse, & BadSuccessor AD Attack
🗺️ Attack Chain Summary
🧠 How Does a Hacker Think? — From Database to Domain
In an Active Directory environment, a database leak is more than just a data breach; it is often a "credential goldmine" for entering the domain. Impersonation privileges within a database allow for privilege escalation without needing a higher-privileged user's password. Once a single password is recovered, a hacker's first instinct is to test it across the domain (Password Reuse), as administrators often reuse credentials for application and system accounts. Finally, inherited permissions on Organizational Units (OUs) can be weaponized; a single misconfiguration in the delegation hierarchy can lead to total domain compromise through Kerberos abuse.
1️⃣ Reconnaissance
Network Scanning
The Nmap scan reveals a standard Active Directory profile with a critical MSSQL entry point:
Environment Setup
To ensure proper name resolution for Kerberos attacks, the target IP must be mapped in the local hosts file.
2️⃣ Initial Access: The MSSQL Impersonation Maneuver
Vulnerability Analysis
After connecting with kevin's credentials, the enum_impersonate command built into Impacket's mssqlclient.py is used to identify which logins the current user is allowed to impersonate.
3️⃣ User Access: The Cracking & Spraying Maneuver
The Password Cracking Maneuver
The extracted hashes are PBKDF2-SHA256 with 600,000 iterations, so every candidate password costs 600,000 HMAC computations to check, which makes them computationally expensive to crack.
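To make the iteration-count point concrete, here is an added example (not code from this write-up or from the box) that stores and verifies PBKDF2-SHA256 digests at 600,000 iterations and measures what that cost means for guess throughput on the local host; the `pbkdf2_sha256$iterations$salt$digest` storage layout is an assumption chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed storage layout (constructed for this example, not taken from the box):
#   pbkdf2_sha256$<iterations>$<base64 salt>$<base64 digest>
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # iteration count quoted in the write-up
DKLEN = 32             # 32-byte derived key, matching SHA-256 output size


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = b"") -> str:
    """Derive a PBKDF2-HMAC-SHA256 digest and encode it in the assumed '$'-separated layout."""
    salt = salt or os.urandom(16)  # fresh random salt unless one is supplied (tests only)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=DKLEN)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def parse_hash(stored: str) -> tuple:
    """Split a stored string into (iterations, salt, digest); rejects unknown algorithms."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algo}")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest for `candidate` with the stored salt/iterations and compare in constant time."""
    iterations, salt, digest = parse_hash(stored)
    trial = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations, dklen=len(digest))
    return hmac.compare_digest(trial, digest)


def guesses_per_second(iterations: int, samples: int = 3) -> float:
    """Measure how many PBKDF2 guesses this host can check per second at the given iteration count."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=DKLEN)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(wordlist_size: int, iterations: int) -> float:
    """Estimate wall-clock seconds to try every word of a list of the given size on this host."""
    return wordlist_size / guesses_per_second(iterations)
```

Comparing `seconds_to_exhaust(n, 1_000)` with `seconds_to_exhaust(n, 600_000)` shows the roughly 600x slowdown a defender buys with the higher iteration count, which is why only a short, targeted wordlist is practical against such hashes.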
The WinRM Maneuver
4️⃣ Privilege Escalation: The BadSuccessor Maneuver
Identifying the Weakness
The attack exploits misconfigured Active Directory delegation permissions on specific OUs: a principal that has been delegated the right to create objects in an OU can create the delegated Managed Service Accounts that BadSuccessor relies on.
The "BadSuccessor" Strategy
🛠️ Core Maneuvers Breakdown
🔑 General Hacker Mindset Summary
- Password Spraying is Essential: Once a password is found, spray it across the domain. Humans are predictable and often reuse passwords.
- Kerberos and Time: If a Kerberos attack fails, check the clock. Time synchronization is the foundation of ticket validity.