HackTheBox - Signed

00:00 - Introduction 01:00 - Start of nmap 02:05 - Logging into the SQL Database with the provided credentials, going over basic enumeration 04:00 - Using XP_DIRTREE to have the SQL Server make a request, sending it to ourself and stealing/cracking the hash 08:50 - Showing RID Brute Forcing with MSSQL to enumerate additional users 10:50 - Explaining how the SUSER_SID command performs a SID Bruteforce, converting the SID from binary to String notation 15:00 - Creating a Silver Ticket with Ticketer.py 23:30 - Impersonating an admin, so we can enable xp_cmdshell to get a shell on the box 27:20 - Showing CVE-2025-33073 posts, which explains the attack we will do with NTLM Relay and cred marshalling 28:30 - Getting Chisel up and running so we can add DNS Names 31:20 - Adding a special DNS Name so we can impersonate DC01, then starting NTLMRelay and forwarding connections to WinRM 37:00 - Using NetExec's coerce_plus to force a request to be made to our special DNS Name and getting a shell 42:30 - Showing if we impersonated the SQL Service itself we could abuse OpenRowSet to read files as administrator and just read root.txt from an SQL Shell 47:10 - Reading the powershell history which would get us the administrator password 54:10 - Showing yet another cool thing, we can abuse how tokens work to get the original token of our the service account which would allow us to have SEImpersonate,then we can use a potato to privesc 1:12:10 - Not every attempt is successful showing adding custom functions via CLR wouldn't give us administrative privileges