Academy - Footprinting - MSSQL

Has anyone discovered the password for the second question?
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.

The password is given, you have to find the name of the database

2 Likes

hmmm, not really, if you try to connect, it fails with the given credential. The hint says to try common passwords, I tried some lists, but no luck :frowning:

Just tried a few minutes ago and it worked. Do you use mssqlclient.py?

yes:
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py backdoor@10.129.201.248 1 ⨯
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] ERROR(ILF-SQL-01): Line 1: Login failed for user ‘backdoor’.

Also use ‘-windows-auth’, like "python3 mssqlclient.py backdoor@IP -windows-auth"

2 Likes

Thanks mate, that did the trick. I can't believe that switch was required.

2 Likes

Did you do all the others? I’m stuck at the last of dns and snmp, and the last two labs.

1 Like

Yes, the mssql was the last one remaining.
DNS: did you try a different wordlist? also, you have to try something else
SNMP: I don’t remember exactly, but I am almost sure that came from walking
For the labs: the key is enumeration and use it to get the information

Tried everything that came to my mind but I can’t move on. Can you give me another hint?

1 Like

ok, what have you got so far for dns/snmp?
for the labs, how far did you go? what did you find?

For dns I tried every dns list in the folder with dnsenum and some other lists from another folder but nothing.
For the medium lab, after the nmap scan I made a brute-force attack to get the Administrator password for the winrm service. I read about mssql in the hint but I didn’t find it useful.

1 Like

for DNS, use dig to get information regarding the domain and subdomain you found with dnsenum, one of them will reveal the information.
medium lab: yeah, whoever writes the hints, I have the impression they are rushed and it doesn’t make sense. If you got the Admin password, once you connect to the host, you will see there is a way to connect to mssql. :wink:

1 Like

Did anyone here complete the IMAP/POP3 section? I can’t get the admin email address or read any emails at all. Any hints would be appreciated.

just wait, keep walking the public community, it will appear… has the HTB[… format.

use the command: fetch 2 RFC822
it will retrieve the entire message in a readable format…

SQL SYNTAX

Here is SQL Syntax that should help everyone once you are connected to the MSSQL Server.

Use the metasploit module for getting the hostname:
-> use scanner/mssql/mssql_ping
python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py backdoor@10.129.201.248 -windows-auth
SELECT name FROM master.dbo.sysdatabases;
You will see a non-default database starting with Em*******

2 Likes

dude i really appreciate this!

1 Like

Please, did anybody have to type this command “enable_xp_cmdshell” before they could get any reply from the database? I had been on this question for the better part of 2 days. Not until I typed in that command did I get any reply. When I typed in “SELECT name FROM master.dbo.sysdatabases;” or "select name from sys.database" I got no reply. Was it the same for everyone or just for me?
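The two things this thread keeps coming back to are "which database is not a default one" and "what does xp_cmdshell have to do with it". The T-SQL below is an added example, not code from the thread or from HTB: it filters the system databases out of the listing (instead of eyeballing the unfiltered query from the SQL SYNTAX post) and shows how a defender checks whether xp_cmdshell is enabled and turns it back off. It assumes you are already connected with mssqlclient.py or any other T-SQL client; the database_id cutoff relies on the fact that master, tempdb, model and msdb always occupy ids 1 to 4.

```sql
-- Added example (not from the thread): list non-default databases on a
-- connected MSSQL instance, then audit the xp_cmdshell setting.

-- 1. Non-default databases. The four system databases always have
--    database_id 1..4 (master, tempdb, model, msdb), so anything above 4
--    was created after installation. sys.databases is the current catalog
--    view; master.dbo.sysdatabases (used in the thread) is its legacy twin.
SELECT name, database_id, create_date, state_desc
FROM sys.databases
WHERE database_id > 4
ORDER BY database_id;

-- Same filter on the legacy view, excluding by name instead of id.
SELECT name
FROM master.dbo.sysdatabases
WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb');

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means the procedure is live.
--    With it on, any sysadmin login can run OS commands through the SQL
--    service account, so an audit normally expects 0 here. Both rows are
--    shown because changing xp_cmdshell requires 'show advanced options'.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 3. Hardening: switch xp_cmdshell back off (needs ALTER SETTINGS, i.e.
--    sysadmin or serveradmin). RECONFIGURE applies the change immediately.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Note that the id cutoff also returns legitimately installed non-default databases such as a replication distribution database or ReportServer, so treat the result as "created after setup", not "suspicious"; the name-based filter on the legacy view behaves the same way.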