Signed is an assume breach Windows box where I’m given credentials for a local MSSQL account. I’ll enumerate the database, coerce authentication from the MSSQL service account using xp_dirtree, and crack the NetNTLMv2 hash. With the service account password, I’ll forge a silver ticket with the IT group’s RID to gain sysadmin privileges on the database and get command execution. For root, I’ll show three paths: using OPENROWSET BULK impersonation with silver tickets to read files as Domain Admins and find the Administrator’s password in PowerShell history, relaying NTLM authentication from the DC using a crafted DNS record, and recovering SeImpersonatePrivilege from the original logon token to escalate with GodPotato.

0xdf hacks stuff

A Windows penetration test walkthrough starting with MSSQL credentials. The attack path involves coercing NetNTLMv2 authentication from the MSSQL service account using xp_dirtree, cracking the hash, then forging Kerberos silver tickets with elevated group memberships (IT group RID) to gain sysadmin database privileges and command execution. Three privilege escalation methods are demonstrated: exploiting OPENROWSET BULK with forged tickets to read Administrator's PowerShell history containing credentials, relaying NTLM authentication from the domain controller via crafted DNS records, and recovering SeImpersonatePrivilege from the original logon token to use GodPotato.

HTB: Signed