
In many organisations, MSSQL Server is seen as just a database service. In reality, if misconfigured, MSSQL can become the starting point of a Domain Compromise surprisingly quickly.

The Signed machine is a great example of an attack chain that goes all the way from
initial foothold → credential access → Kerberos abuse → SYSTEM
This article summarises the attack path concisely from a penetration tester's perspective.
Initial Foothold — MSSQL Only (100% Real)
Scanning revealed only a single open port:
1433 MSSQL
A realistic scenario — an organisation exposing its database to applications while closing every other service.
After logging in with obtained credentials, the user had low privileges (guest) and could not execute xp_cmdshell.
But one thing mattered: xp_dirtree worked.
That was the first pivot point.
Credential Access — NTLM Capture (This one's extremely satisfying)
xp_dirtree can force SQL Server to initiate an SMB connection to the attacker, which leaks the service account authentication.
Using Responder, we captured the hash of:
SIGNED\mssqlsvc
Then cracked the password (genuinely difficult if the password isn't dictionary-based — otherwise you'd need phishing to collect a custom wordlist):
purPLE9795!@

This step demonstrates that:
A weak service account password can immediately put an entire domain at risk.
Privilege Escalation — Silver Ticket (Cinema Ticket)
After logging in as mssqlsvc, we found:
SIGNED\IT = sysadmin in SQL Server
Instead of trying to brute-force SQL privilege escalation, the faster path was a Kerberos Silver Ticket.
The concept:
- Use the service account's NTLM hash
- Forge a Kerberos ticket
- Fake group membership
Logging in with the forged ticket:
IS_SRVROLEMEMBER('sysadmin') = 1
Now xp_cmdshell was available.
Code Execution — Getting a Shell
With sysadmin access, command execution is straightforward.
General steps:
- Enable xp_cmdshell
- Download netcat
- Reverse shell
Shell obtained as:
signed\mssqlsvc
User flag readable.
Root — Multiple Attack Paths
What's interesting about this machine is the multiple root paths — which mirrors real-world enterprise environments where there are always several routes in. Like a building with many doors.
Method 1 — Direct File Read (Seen in real engagements)
With Domain Admin privileges in the ticket, you can use:
OPENROWSET(BULK)
to read files directly from the filesystem.
This method is:
- Fast
- Quiet
- No shell needed
Method 2 — PowerShell History
A commonly overlooked file:
ConsoleHost_history.txt
The Administrator had run commands containing a plaintext password.
Classic example of:
Operational Security Failure
Then used RunasCs to spawn an Administrator shell immediately.
Method 3 — Token Impersonation (Everyone forgets to close this)
The service account had:
SeImpersonatePrivilege
Opening the door to Potato-type exploits.
Flow:
- Steal token
- Spawn process
- Escalate to SYSTEM
A technique penetration testers and red teamers use constantly in Windows environments.
Method 4 — Intended Solution (NTLM Reflection)
The intended path uses vulnerability:
CVE-2025-33073
Concept:
- DNS spoof
- Coerce authentication
- Relay NTLM → WinRM
- SYSTEM
This technique reflects the new attack trend:
Cross-protocol relay and identity abuse rather than traditional memory corruption exploits.
Key Takeaways
This machine teaches several important lessons:
1. Service Accounts are high-value targets — a weak password can collapse an entire domain.
2. MSSQL is not just a Database — it's a powerful entry point.
3. Kerberos Abuse still works — Silver Ticket remains highly effective.
4. PowerShell History is a Data Leak — most organisations don't monitor this at all.
5. SeImpersonatePrivilege = Dangerous — this privilege is almost a guaranteed local privilege escalation.
6. DNS and NTLM are still a large Attack Surface — many organisations haven't hardened these seriously.
Final Thoughts
Signed is a great example of a realistic enterprise attack chain.
Not a single-vulnerability exploit, but:
Misconfiguration + Weak Password + Privilege Abuse + Identity Attacks = Domain Compromise
And this is exactly what happens in real penetration tests and incident responses.
Want to see the full walkthrough? Come to the
Not The Hidden Wiki x HackTheBox Meetup (Not The Hidden Skillz) — where I (Sabastiaz), Chicken, and international guests will walk through both Machine and Sherlock challenges. 21 February 2026.
Register here: https://www.meetup.com/hack-the-box.../events/313264719/
P.S. All speakers will present in English — including us. So bear with us. (Snake Fish Fish Yes No ok Thank you)
More details on Facebook or LinkedIn
— — — — See you there — — — —