Academy - Footprinting - MSSQL

Has anyone discovered the password for the second question?
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.

The password is given, you have to find the name of the database


hmmm, not really, if you try to connect, it fails with the given credentials. The hint says to try common passwords, I tried some lists, but no luck :frowning:

Just tried few minutes ago and it worked. Do you use

└─$ python3 /usr/share/doc/python3-impacket/examples/ backdoor@ 1 ⨯
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[-] ERROR(ILF-SQL-01): Line 1: Login failed for user ‘backdoor’.

Use also ‘-windows-auth’, like "python3 backdoor@IP -windows-auth "


Thanks mate, that did the trick. I can't believe that switch was required.


Did you do all the others? I'm stuck at the last of dns and snmp, and the last two labs

1 Like

Yes, the mssql was the last one remaining.
DNS: did you try a different wordlist? also, you have to try something else
SNMP: I don’t remember exactly, but I am almost sure that came from walking
For the labs: the key is enumeration, and using what you find to get the information

Tried everything that came to my mind but I can’t move on. Can you give me another hint?

1 Like

ok, what have you got so far for dns/snmp?
for the labs, how far did you go? what did you find?

For dns I tried every dns list in the folder with dnsenum and some other lists from other folders but nothing.
For the medium lab, after the nmap scan I made a brute-force attack to get the Administrator password for the winrm service. I read about mssql in the hint but I didn't find it useful

1 Like

for DNS, use dig to get information regarding the domain and subdomain you found with dnsenum, one of them will reveal the information.
medium lab: yeah, the hints sometimes, whoever writes them, I have the impression are rushed and don't make sense. if you got the Admin password, once you connect to the host, you will see there is a way to connect to mssql. :wink:

1 Like

Did anyone here complete the IMAP/POP3 section? I can't get the admin email address or read any emails at all. Any hints would be appreciated.

just wait, keep walking the public community, it will appear… has the HTB[… format.

use the command: fetch 2 RFC822
it will retrieve the entire message in a readable format…


Here is the SQL syntax that should help everyone once you are connected to the MSSQL Server.

Use the metasploit module for getting the hostname:
-> use scanner/mssql/mssql_ping
python3 /usr/share/doc/python3-impacket/examples/ backdoor@ -windows-auth
SELECT name FROM master.dbo.sysdatabases;
You will see the non-default database starting with Em*******


dude i really appreciate this!

1 Like

Please, did anybody have to type this command "enable_xp_cmdshell" before they could get any reply from the database? I had been on this question for the better part of 2 days. Not until I typed in that command did I get any reply. When I typed in "SELECT name FROM master.dbo.sysdatabases;" or "select name from sys.database" I got no reply. Was it the same for everyone or just for me?
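The following T-SQL is an added example, not code from any poster in this thread. It covers the database enumeration from the post with the `master.dbo.sysdatabases` query and the query in the last post that returned nothing: `sys.database` is not a valid object, the catalog view is `sys.databases`. It assumes an existing session to a Microsoft SQL Server instance (for example the `SQL>` prompt of mssqlclient.py); the four names it treats as defaults (master, tempdb, model, msdb) are the system databases every instance has, and no target-specific names are assumed.

```sql
-- Added example (not from the thread): enumerate user databases on a
-- Microsoft SQL Server instance once a session already exists.
-- sys.databases is the catalog view; master.dbo.sysdatabases is the legacy
-- compatibility view that returns the same names. "sys.database" (singular)
-- does not exist, which is why that query returns an error and no rows.

-- 1. Confirm where the session actually landed before reading anything.
SELECT @@SERVERNAME AS server_name,
       SYSTEM_USER   AS login_name,
       DB_NAME()     AS current_db;

-- 2. List every database this login can see and flag the four defaults.
SELECT name,
       database_id,
       create_date,
       state_desc,
       CASE WHEN name IN ('master', 'tempdb', 'model', 'msdb')
            THEN 'default' ELSE 'user' END AS db_kind
FROM sys.databases
ORDER BY database_id;

-- 3. Only the non-default databases, which is what the question asks for.
--    Filtering by name is explicit; database_id > 4 is the usual shortcut.
SELECT name
FROM sys.databases
WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');

-- 4. Legacy form quoted in the thread; works on older instances and returns
--    the same names as sys.databases.
SELECT name FROM master.dbo.sysdatabases;

-- 5. Audit check (defender side): is xp_cmdshell enabled on this instance?
--    value_in_use = 1 means OS command execution through T-SQL is available
--    and should be flagged. This only reads the setting; it changes nothing.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Each statement runs on its own at the mssqlclient.py prompt; no `GO` separator is needed there. Query 3 is the one that answers the question, and query 1 is worth running first, because an empty result from query 3 usually means the login landed on an instance or database other than the one expected, not that the database is missing.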