HTB Signed

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/02/07/htb-signed.html
• Blog Title: HTB: Signed
• Suggested Section: Network Services Pentesting -> 1433 - Pentesting MSSQL (xp_dirtree UNC coercion / NetNTLMv2 capture) and Windows Hardening -> Active Directory Methodology -> Kerberos Authentication (Silver Ticket / ticketer.py PAC group injection)

🎯 Content Summary

High-level goal / attack chain

This post walks through attacking the HTB Windows target Signed starting from low-priv SQL-only credentials and ending in OS command execution by abusing MSSQL features and Kerberos ticket forging. The demonstrated chain is:

1. Enumerate MSSQL with a local SQL login (scott).
2. Use xp_dirtree with a UNC path to coerce SMB authentication from the SQL Server service account and captu...

   🔧 Technical Details

   MSSQL UNC-path authentication coercion (NetNTLMv2 capture): If you can run MSSQL procs like xp_dirtree, point them at a UNC path (\\ATTACKER\share) to force the SQL Server service account to authenticate over SMB. Capture the NetNTLMv2 challenge/response with Responder (e.g., sudo uv run Responder.py -I tun0) and crack offline with Hashcat (NetNTLMv2 mode 5600, often auto-detected).

   RID-based domain enumeration via MSSQL SID translation: Use SUSER_SID('DOMAIN\\Name') and SUSER_SNAME(0x...) to translate between names and binary SIDs. Because the SID ends with a little-endian RID, you can infer identities (e.g., RID 500/501) or automate discovery using netexec mssql ... --rid-brute to list users/groups reachable through the MSSQL context.

   Kerberos silver ticket forging for a specific SPN + PAC group injection: If you know a se...

   🤖 Agent Actions

   Summary:

   • Expanded MSSQL NetNTLMv2 coercion guidance with a full chain: responder capture via xp_dirtree, cracking, deriving NTLM/domain SID/RID, and forging MSSQL silver tickets with PAC group injection for sysadmin and xp_cmdshell RCE.
   • Added the HTB “Signed” blog as a reference for the new MSSQL abuse flow.

   Tests:

   • Not run (documentation-only changes).

   ---

   This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/02/07/htb-signed.html

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 1433 - Pentesting MSSQL (xp_dirtree UNC coercion / NetNTLMv2 capture) and Windows Hardening -> Active Directory Methodology -> Kerberos Authentication (Silver Ticket / ticketer.py PAC group injection)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0