HackThebox - Eighteen
Why It Matters
It shows how a single misconfigured SQL impersonation can cascade into full domain compromise, emphasizing critical hardening steps for enterprises.
Key Takeaways
- SQL impersonation lets the attacker read the users table and dump password hashes.
- RID brute force enumerates domain usernames for password spraying.
- The cracked PBKDF2-SHA256 hash revealed the admin password 'I love you one'.
- WinRM with evil-winrm provided a remote shell on the Windows 2025 host.
- The BadSuccessor exploit remains viable despite patches, aiding post-exploitation.
Summary
The video walks through the Hack The Box machine "Eighteen," an assumed-breach scenario where the tester starts with a set of credentials for a Microsoft SQL Server. Initial reconnaissance with Nmap reveals only HTTP (IIS) and MSSQL ports, and the tester quickly pivots to the database using the supplied login. Key techniques include leveraging SQL impersonation (Kevin can impersonate appdev) to read the users table, extracting a PBKDF2-SHA256 password hash, and cracking it to reveal the admin password "I love you one." A RID brute-force enumeration generates domain usernames, which are later used for password spraying via WinRM and the evil-winrm tool to obtain a remote shell on the Windows 2025 host. Notable moments feature the line "Kevin can impersonate appdev," the discovery of the cracked admin password, and the mention of the BadSuccessor exploit, which is still useful despite being largely patched. The tester also demonstrates handling of Flask cookies, zlib compression, and the challenges of domain versus local authentication. The walkthrough highlights how weak database permissions, reusable hashes, and unpatched Windows exploits can be chained to gain full system compromise, underscoring the need for strict impersonation controls, strong password hashing, and timely patch management.
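The impersonation control the summary calls for starts with knowing who may impersonate whom. The following T-SQL is an added audit example, not code from the video or from Hack The Box: it lists every IMPERSONATE grant at the server level and in the current database so an unexpected chain like "Kevin can impersonate appdev" shows up as a row. The login names in the REVOKE line are illustrative, taken from the scenario described above.

```sql
-- Added audit query (not from the video): which login may run EXECUTE AS LOGIN
-- as which other login. A low-privileged grantee paired with a privileged
-- target is the misconfiguration the walkthrough abuses.
SELECT grantee.name  AS grantee_login,
       target.name   AS can_impersonate_login,
       target.type_desc,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL'
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');

-- Same check for the current database: which user may run EXECUTE AS USER
-- as which other user (run once per database of interest).
SELECT DB_NAME()     AS database_name,
       grantee.name  AS grantee_user,
       target.name   AS can_impersonate_user,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals AS target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'DATABASE_PRINCIPAL'
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');

-- Remediation for an unwanted row (illustrative login names from the scenario):
-- REVOKE IMPERSONATE ON LOGIN::[appdev] FROM [kevin];
```

Rows granted to members of sysadmin are expected; anything else should map to a documented business need.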