I’m stucked in the same… How did you find it?
1 Like
You are an absolute beaut! can’t believe I have only just found this out - its been a serious uphill battle with a non-domain joined Attack box haha
You likely have to enable the xp_cmdshell first - if you check out the other notes above you can SSH into the domain joined parrot OS on 172.16.5.225 with the creds htb-student:HTB_@cademy_stdnt!
This means you can then levarage mssqlclient.py against the host following the tutorial in the lab.
Happy hunting !
i can’t figure this out either. I am literally entering the computer name and it says incorrect answer. I’ve tried every single possible combination. Been stuck on this for hours and hours. I’m about to lose my freakin mind ugh.
Edit:
Finally figured it out. I ran Bloodhound while RDP’d in as damundsen then ran the raw cypher query there and was able to find the answer. Answer format is Academy-EA-xxxx if that helps anyone.
Hi everyone to give an overall hint for the last question.
1- SSH to the 172.16.5.225
2- run mssqlclient.py
3- xp_cmdshell lets you execute system commands (like type), but you need to call it with EXEC to properly trigger the command
run mssqlclient.py to the user DAMUNDSEN as in the section