Academy - Footprinting - MSSQL

Has anyone discovered the password for the second question?
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.

The password is given, you have to find the name of the database

2 Likes

Hmmm, not really. If you try to connect, it fails with the given credential. The hint says to try common passwords; I tried some lists, but no luck :frowning:

Just tried it a few minutes ago and it worked. Do you use mssqlclient.py?

yes:
└─$ python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py backdoor@10.129.201.248
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Encryption required, switching to TLS
[-] ERROR(ILF-SQL-01): Line 1: Login failed for user ‘backdoor’.

Also use ‘-windows-auth’, like "python3 mssqlclient.py backdoor@IP -windows-auth"

2 Likes

Thanks mate, that did the trick. I can’t believe that switch was required.

2 Likes

Did you do all the others? I’m stuck at the last of DNS and SNMP, and the last two labs.

1 Like

Yes, the mssql was the last one remaining.
DNS: did you try a different wordlist? Also, you have to try something else.
SNMP: I don’t remember exactly, but I am almost sure that it came from walking.
For the labs: the key is enumeration; use it to get the information.

Tried everything that came to my mind but I can’t move on. Can you give me another hint?

1 Like

ok, what have you got so far for dns/snmp?
for the labs, how far did you go? what did you find?

For DNS I tried every DNS list in the folder with dnsenum and some other lists from another folder, but nothing.
For the medium lab, after the nmap scan I made a brute-force attack to get the Administrator password for the WinRM service. I read about MSSQL in the hint but I didn’t find it useful.

1 Like

For DNS, use dig to get information regarding the domain and subdomains you found with dnsenum; one of them will reveal the information.
Medium lab: yeah, the hint sometimes (whoever writes it) gives me the impression it was rushed and doesn’t make sense. If you got the Admin password, once you connect to the host you will see there is a way to connect to MSSQL. :wink:

1 Like

Did anyone here complete the IMAP/POP3 section? I can’t get the admin email address or read any emails at all. Any hints would be appreciated.

I also have trouble with this one, and don’t know how to access the second folder on the IMAP server. The emails are there and you can confirm this (and complete the exercises) by SSHing to the target machine using the credentials given.

Currently stuck on the last part of the SNMP section ("Enumerate the custom script that is running on the system and submit its output as the answer."). Can someone give me a hint? I’m unsure if I need to brute force the community string (which I have been unable to) or look at any of the OIDs given when using the public string.

Just wait, keep walking the public community, it will appear… it has the HTB[… format.

Use the command: fetch 2 RFC822
It will retrieve the entire message in a readable format…

SQL SYNTAX

Here is SQL Syntax that should help everyone once you are connected to the MSSQL Server.

Use the Metasploit module for getting the hostname:
-> use scanner/mssql/mssql_ping
python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py backdoor@10.129.201.248 -windows-auth
SELECT name FROM master.dbo.sysdatabases;
You will see the non-default database starting with Em*******

1 Like
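An added example (not from the thread above), showing the same enumeration once you are in the mssqlclient.py SQL> prompt via -windows-auth. master.dbo.sysdatabases is a legacy compatibility view; the catalog view sys.databases carries the same names plus state and creation date, so the non-default database can be filtered out directly instead of eyeballed from the full list. The database and table names are placeholders to be replaced with what you actually find on the target.

```sql
-- Who am I on this instance, and am I sysadmin? (decides what else you can enumerate)
SELECT SUSER_NAME() AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Non-default databases: exclude the four that ship with every SQL Server instance.
SELECT name, database_id, create_date, state_desc
FROM master.sys.databases
WHERE name NOT IN ('master', 'tempdb', 'model', 'msdb')
ORDER BY database_id;

-- Switch into the database you found (placeholder name) and list its tables.
USE <NonDefaultDatabase>;
SELECT s.name AS schema_name, t.name AS table_name
FROM sys.tables AS t
JOIN sys.schemas AS s ON t.schema_id = s.schema_id
ORDER BY s.name, t.name;
```

Run the statements one at a time in mssqlclient.py; the USE line is what makes the sys.tables query return that database's tables rather than master's. If is_sysadmin returns 1, the linked-server and xp_cmdshell checks from later in the module apply; if it returns 0, the filtered database list above is still enough to answer the question.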

dude i really appreciate this!

1 Like