Executive Summary
Eighteen is a sophisticated Active Directory exploitation challenge that demonstrates a complete attack chain from initial reconnaissance through domain compromise. The machine showcases multiple attack vectors including SQL Server enumeration, PBKDF2 hash cracking, lateral movement, and exploitation of a Delegated Managed Service Account (dMSA) vulnerability through the BadSuccessor attack.
Reconnaissance & Initial Access
Nmap Enumeration
The initial network scan revealed a Windows Server 2025 environment with several critical services exposed:
nmap -sC -sV -p- 10.10.11.95 -oN eighteen_scan.txt
Three open ports were discovered:
Port 80 (HTTP): Microsoft IIS 10.0 hosting the "eighteen.htb" web application
Port 1433 (MSSQL): Microsoft SQL Server 2022 RTM (Build 16.00.1000.00)
Port 5985 (WinRM): Microsoft HTTPAPI 2.0 (Windows Remote Management)
The Nmap NTLM information disclosure revealed critical domain details:
Domain: eighteen.htb
NetBIOS Name: EIGHTEEN
Computer: DC01 (Domain Controller)
OS: Windows 11/Server 2025 Build 26100
A significant clock skew of 6h31m37s was detected and documented for later exploitation.
🔐 MACHINE STILL ACTIVE
This machine is currently live on Hack The Box. As per HTB policy, the full walkthrough (exploitation steps & flags) will only be released after the machine is retired - usually 30–60 days after launch.
But why wait?
🚀 Unlock the Full Advantage
Get instant access to exclusive, in-depth writeups, early techniques, and premium guidance - all for just $1.5.
Members get:
✨ Early access to detailed walkthroughs
✨ Passwords for active machines
✨ Advanced exploitation insights
✨ Priority support when you’re stuck
An easy upgrade that gives you more clarity and confidence.
💬 Need help while solving?
I’ve got your back - reach out anytime:
Email: [email protected]
Keep hacking, keep learning, keep winning. 🎯
