Executive Summary
Eighteen is a sophisticated Active Directory exploitation challenge that demonstrates a complete attack chain from initial reconnaissance through domain compromise. The machine showcases multiple attack vectors including SQL Server enumeration, PBKDF2 hash cracking, lateral movement, and exploitation of a Delegated Managed Service Account (dMSA) vulnerability through the BadSuccessor attack.
Reconnaissance & Initial Access
Nmap Enumeration
The initial network scan revealed a Windows Server 2025 environment with several critical services exposed:
nmap -sC -sV -p- 10.10.11.95 -oN eighteen_scan.txt
Three open ports were discovered:
Port 80 (HTTP): Microsoft IIS 10.0 hosting the "eighteen.htb" web application
Port 1433 (MSSQL): Microsoft SQL Server 2022 RTM (Build 16.00.1000.00)
Port 5985 (WinRM): Microsoft HTTPAPI 2.0 (Windows Remote Management)
The NTLM challenge returned to Nmap's scripts disclosed critical domain details before any authentication took place:
Domain: eighteen.htb
NetBIOS Name: EIGHTEEN
Computer: DC01 (Domain Controller)
OS: Windows 11/Server 2025 Build 26100
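A significant clock skew of 6h31m37s was detected and documented for later exploitation. Kerberos rejects requests when the client and domain controller clocks differ by more than the allowed tolerance (five minutes by default), so an offset this large matters for any later Kerberos authentication.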
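The domain details and the clock skew above both come from the NTLM CHALLENGE_MESSAGE, which a server sends before any credentials are checked. The following parser is an added example, not part of the original write-up: it decodes that message (field layout per MS-NLMP) to show exactly what is exposed. The function names, the sample message built by `build_sample`, and any timestamp passed to it are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USEC = timedelta(microseconds=1)

def parse_challenge(msg: bytes) -> dict:
    """Return what an NTLM CHALLENGE_MESSAGE (MS-NLMP) reveals before any login."""
    if len(msg) < 56 or msg[:8] != b"NTLMSSP\x00" or msg[8:12] != b"\x02\0\0\0":
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    flags, = struct.unpack_from("<I", msg, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if ti_off + ti_len > len(msg):
        raise ValueError("TargetInfo runs past the end of the message")
    info = {}
    if flags & 0x02000000:  # NTLMSSP_NEGOTIATE_VERSION: Version field is valid
        info["os_version"] = "%d.%d.%d" % struct.unpack_from("<BBH", msg, 48)
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:  # walk the AV_PAIR list
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        value = msg[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0 or pos > end:  # MsvAvEOL, or a pair that overruns the buffer
            break
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le")
        elif av_id == 7 and av_len == 8:  # MsvAvTimestamp: FILETIME, 100 ns ticks
            info["server_time"] = FILETIME_EPOCH + struct.unpack("<Q", value)[0] // 10 * USEC
    return info

def build_sample(server_time: datetime) -> bytes:
    """Constructed message carrying the values reported in the scan above."""
    u = lambda s: s.encode("utf-16-le")
    av = lambda av_id, data: struct.pack("<HH", av_id, len(data)) + data
    ticks = (server_time - FILETIME_EPOCH) // USEC * 10
    name = u("EIGHTEEN")
    tinfo = (av(2, name) + av(1, u("DC01")) + av(4, u("eighteen.htb"))
             + av(7, struct.pack("<Q", ticks)) + av(0, b""))
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)
            + struct.pack("<HHI", len(name), len(name), 56)           # TargetNameFields
            + struct.pack("<I", 0x02800001) + b"\x11" * 8 + bytes(8)  # flags, challenge, reserved
            + struct.pack("<HHI", len(tinfo), len(tinfo), 56 + len(name))  # TargetInfoFields
            + struct.pack("<BBH3xB", 10, 0, 26100, 15)                # Version
            + name + tinfo)

def exceeds_kerberos_tolerance(server_time, local_time, tolerance=timedelta(minutes=5)):
    """True when the offset is beyond the Windows default Kerberos clock tolerance."""
    return abs(server_time - local_time) > tolerance
```

Every field returned here is available to an unauthenticated client on any service that accepts NTLM, which is why restricting which networks can reach such services is the practical control.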

