Eighteen is a Windows Server 2025 assume-breach box starting with MSSQL credentials. I’ll use MSSQL login impersonation to access the financial planner database and recover a Werkzeug PBKDF2 hash for the web admin. After cracking the hash and spraying the password against domain users, I’ll get a WinRM shell. From there, I’ll identify that the domain is running at the Windows 2025 functional level and exploit Bad Successor, abusing the dMSA migration feature to create a delegated managed service account that inherits the Administrator’s group memberships, giving full domain admin access.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox 'Eighteen' machine running Windows Server 2025. Starting with MSSQL credentials, the attack chain involves MSSQL login impersonation to access a financial planner database, recovering and cracking a Werkzeug PBKDF2 hash, password spraying domain users to get a WinRM shell, and finally exploiting 'Bad Successor' (CVE-2025-53779) — a Windows Server 2025 vulnerability abusing the dMSA migration feature to inherit Administrator group memberships and achieve full domain admin access.

HTB: Eighteen