Cybersecurity Videos

HackTheBox - Signed

IppSec, February 7, 2026
Why It Matters

The walkthrough shows privilege-escalation paths in Microsoft SQL Server environments that bypass the expected controls and end in domain-admin rights, a critical reminder for defenders to harden SQL services and monitor for lateral-movement indicators.

Key Takeaways

  • Enumerate domain users through the SQL Server with NetExec to discover accounts the built-in commands do not reveal.
  • Capture the service account's NTLM hash with Responder and crack it with hashcat.
  • Forge a silver ticket carrying the domain SID and privileged group SIDs for privilege escalation.
  • Use named-pipe impersonation to regain SeImpersonatePrivilege and elevate.
  • Bypass the xp_cmdshell restriction by reading files through a SQL file-read command instead.

Summary

The video walks through solving the HackTheBox "Signed" machine, an assumed-breach challenge centered on a Microsoft SQL Server 2022 instance. Starting with the provided credentials, the presenter performs initial enumeration, finds that the guest account cannot use xp_cmdshell, and pivots to more subtle techniques.

Key steps include using NetExec's RID-brute mode to enumerate far more domain users than the built-in MSSQL commands reveal, capturing the service account's NTLM hash via a Responder SMB handshake, and cracking it instantly with hashcat and the rockyou.txt wordlist. With the clear-text password, the attacker logs in via Windows authentication, extracts the domain SID with SQL queries, and forges a silver ticket using ticketer.py that embeds the domain-admin and domain-user group SIDs.

The presenter highlights a legacy named-pipe impersonation trick that restores SeImpersonatePrivilege, which lets the attacker use "potato" privilege-escalation tools even without direct xp_cmdshell access. He also shows practical code snippets, namely Python SID conversion, hash generation via MD4, and the final ticket-creation script, to make each step reproducible.
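The binary-to-string SID conversion mentioned above (what SUSER_SID returns versus the familiar S-1-5-21-... notation) is a plain format parser, and the same parsing is what an analyst does when reading SIDs out of database output or event logs and checking whether a RID such as 512 (Domain Admins) appears where it should not. The following is an added example written for this page, not code from the video or from IppSec; the sample SID bytes are constructed, and the helper names are this example's own.

```python
import struct

# Well-known RIDs an analyst wants flagged when they appear in a group list
# or in the PAC of a ticket (values from the Windows SID specification).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def sid_bytes_to_string(sid: bytes) -> str:
    """Convert a binary SID, as SUSER_SID() returns it, into S-R-I-S... notation.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then N little-endian
    32-bit sub-authorities. Malformed input raises ValueError rather
    than producing a plausible-looking but wrong SID.
    """
    if len(sid) < 8:
        raise ValueError("SID is shorter than the 8-byte header")
    revision, sub_count = sid[0], sid[1]
    if sub_count > 15:
        raise ValueError("more than 15 sub-authorities is not a valid SID")
    expected = 8 + 4 * sub_count
    if len(sid) != expected:
        raise ValueError(
            f"expected {expected} bytes for {sub_count} sub-authorities, got {len(sid)}"
        )
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack(f"<{sub_count}I", sid[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, used here for round-trip checks."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-R-I-S... SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    if len(subs) > 15:
        raise ValueError("more than 15 sub-authorities is not a valid SID")
    return (
        bytes([revision, len(subs)])
        + authority.to_bytes(6, "big")
        + struct.pack(f"<{len(subs)}I", *subs)
    )


def split_rid(sid: str) -> tuple:
    """Split an account or group SID into (domain SID, RID).

    The last sub-authority is the relative identifier; everything before it
    is the domain SID that a silver ticket would need to name.
    """
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def describe_rid(rid: int) -> str:
    """Name a well-known RID, or 'unknown' for ordinary accounts."""
    return WELL_KNOWN_RIDS.get(rid, "unknown")


# Constructed sample: the SUSER_SID() output a server would return for the
# Domain Admins group (RID 512) of the made-up domain S-1-5-21-1000-2000-3000.
SAMPLE_SID_BYTES = bytes.fromhex(
    "0105" "000000000005" "15000000" "e8030000" "d0070000" "b80b0000" "00020000"
)

if __name__ == "__main__":
    text = sid_bytes_to_string(SAMPLE_SID_BYTES)
    domain, rid = split_rid(text)
    print(text, "->", domain, rid, describe_rid(rid))
```

Feeding the binary value straight out of the database into sid_bytes_to_string gives the same string notation the video derives by hand, and split_rid separates the domain SID from the RID so the two parts can be compared against what the directory actually holds.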

These techniques show how a seemingly locked-down SQL service can be abused to obtain system-level access, underscoring the need for strict service-account isolation, removing unnecessary privileges, and monitoring for anomalous SMB connections originating from database hosts.

Original Description

00:00 - Introduction
01:00 - Start of nmap
02:05 - Logging into the SQL Database with the provided credentials, going over basic enumeration
04:00 - Using XP_DIRTREE to have the SQL Server make a request, sending it to ourselves and stealing/cracking the hash
08:50 - Showing RID Brute Forcing with MSSQL to enumerate additional users
10:50 - Explaining how the SUSER_SID command performs a SID Bruteforce, converting the SID from binary to String notation
15:00 - Creating a Silver Ticket with Ticketer.py
23:30 - Impersonating an admin, so we can enable xp_cmdshell to get a shell on the box
27:20 - Showing CVE-2025-33073 posts, which explain the attack we will do with NTLM Relay and cred marshalling
28:30 - Getting Chisel up and running so we can add DNS Names
31:20 - Adding a special DNS Name so we can impersonate DC01, then starting NTLMRelay and forwarding connections to WinRM
37:00 - Using NetExec's coerce_plus to force a request to be made to our special DNS Name and getting a shell
42:30 - Showing if we impersonated the SQL Service itself we could abuse OpenRowSet to read files as administrator and just read root.txt from an SQL Shell
47:10 - Reading the PowerShell history, which would get us the administrator password
54:10 - Showing yet another cool thing: we can abuse how tokens work to get the original token of the service account, which would allow us to have SeImpersonate, then we can use a potato to privesc
1:12:10 - Not every attempt is successful: showing that adding custom functions via CLR wouldn't give us administrative privileges