Difficulty: Medium
Skills: MSSQL enumeration & extended procedures, NTLM hash capture & cracking, Kerberos silver-ticket forging, OPENROWSET / xp_cmdshell abuse, SID/RID handling.
Box type: Windows (MS SQL / Kerberos / Active Directory)
An exposed Microsoft SQL Server hides an AD-backed escalation path: trigger an SMB callback from the database, capture and crack the MSSQL service NTLM hash, then forge Kerberos credentials that assert elevated group membership to gain sysadmin on the database and abuse SQL features to read sensitive files and pivot to the domain.
Attack path (summary):

- Trigger an SMB callback from the database through its extended procedures (xp_dirtree, xp_cmdshell).
- Convert the SIDs to the S-1-... format and collect the domain SID + relevant RIDs.
- Once the forged ticket grants dbo/sysadmin, use xp_cmdshell or OPENROWSET to retrieve flags and sensitive files.

This box ties together core Windows authentication mechanics: SQL extended procedures, NTLM capture and cracking, and Kerberos ticket forging. It is an excellent hands-on lab for understanding how service-account secrets and AD SIDs can be combined to produce powerful forged tickets and domain pivots.
Notes:

- Check which xp_* extended procedures are exposed and whether your account has EXECUTE permission on them.
- Convert SIDs to the S-1-... form before feeding them into Kerberos tooling.
- If xp_cmdshell is disabled, OPENROWSET(BULK...) and ad-hoc SQL features can still be useful once elevated.
- Starting credentials: scott : Sm230#C5NatH, useful to begin MSSQL enumeration.
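As an added example for the SID-handling step (not code from the original writeup), the helper below converts between the binary SID layout that SQL Server hands back (for instance from SUSER_SID) and the S-1-... string form, splits a domain SID from its trailing RID, and labels a few well-known RIDs so a list of collected identifiers can be sanity-checked before it goes anywhere else. The sample SID is constructed for the demonstration; the domain portion is not a real domain.

```python
import struct
from typing import Tuple

# Well-known relative identifiers inside a domain SID (per MS-DTYP); used
# here only to label output, so a wrongly parsed SID stands out immediately.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

# Constructed sample: S-1-5-21-1234567890-987654321-1122334455-500
# Layout: revision(1) | sub-auth count(1) | authority(6, big-endian) |
#         sub-authorities (4 bytes each, little-endian)
SAMPLE_SID_BYTES = bytes.fromhex(
    "01 05 000000000005 15000000 d2029649 b168de3a f776e542 f4010000"
)


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary SID into the textual S-R-A-S1-S2-... form."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    # A SID carries at most 15 sub-authorities; the length must match the count.
    if count > 15 or len(sid) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack(f"<{count}I", sid[8:])
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Encode an S-1-... string back into its binary layout (validates it too)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID string: {sid!r}")
    try:
        revision = int(parts[1])
        authority = int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"non-numeric component in SID: {sid!r}")
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"out-of-range SID component: {sid!r}")
    if any(s < 0 or s >= 1 << 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    return (
        bytes([revision, len(subs)])
        + authority.to_bytes(6, "big")
        + struct.pack(f"<{len(subs)}I", *subs)
    )


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID): the last sub-authority is the RID."""
    sid_string_to_bytes(sid)  # reject malformed input before splitting
    domain, _, rid = sid.rpartition("-")
    if domain.count("-") < 3:  # need at least S-1-5-<something> on the left
        raise ValueError(f"SID has no RID to split off: {sid!r}")
    return domain, int(rid)


def describe_rid(rid: int) -> str:
    """Label a RID if it is one of the well-known ones."""
    return WELL_KNOWN_RIDS.get(rid, "custom/unknown")


if __name__ == "__main__":
    text = sid_bytes_to_string(SAMPLE_SID_BYTES)
    domain, rid = split_domain_sid(text)
    print("SID:       ", text)
    print("domain SID:", domain)
    print("RID:       ", rid, f"({describe_rid(rid)})")
    print("round-trip ok:", sid_string_to_bytes(text) == SAMPLE_SID_BYTES)
```

The round-trip check is the part worth keeping in any tooling: a SID that decodes and re-encodes to the same bytes has a consistent count, authority and sub-authority list, which catches truncated or mis-pasted identifiers before they cause confusing failures downstream.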
Reminder: Only run these steps against machines you own or are authorised to test (CTF/lab environments). Unauthorized testing against production or third-party systems is illegal and unethical.