0xdfEighteen from HackTheBox is an assume breach Windows Server 2025 box featuring MSSQL impersonation, Werkzeug hash cracking, password spraying, and Bad Successor (CVE-2025-53779) to abuse dMSA migration for domain admin.
HTB: Eighteen
Eighteen is a Windows Server 2025 assume-breach box starting with MSSQL credentials. I’ll use MSSQL login impersonation to access the financial planner database and recover a Werkzeug PBKDF2 hash for the web admin. After cracking the hash and spraying the password against domain users, I’ll get a WinRM shell. From there, I’ll identify that the domain is running at the Windows 2025 functional level and exploit Bad Successor, abusing the dMSA migration feature to create a delegated managed service account that inherits the Administrator’s group memberships, giving full domain admin access.