technique://MSSQL RCE
- Archetype (Windows, Tier 2) Apr 27, 2026
Anonymous SMB exposes a config file with SA credentials. MSSQL xp_cmdshell goes active, winPEAS finds a PowerShell history file with admin credentials. Classic AD escalation in four steps.
  also uses: SMB Anonymous
- HTB: PingPong (Windows, Tier 0) Apr 27, 2026
Two-domain AD forest under Assumed Breach. NTLM disabled globally. TCP port 88 asymmetrically filtered — a custom impacket monkey-patch unblocks Kerberos. ESC13 on TemporaryWinRM template grants WinRM shell on DC1. Cross-realm Kerberos and Chisel tunnel reach the internal DC2.