Attacking Common Services- Attacking SQL Databases

hey y’all,

Need some help with the first question in the Attacking SQL database.
I have no clue how to get the mssql password. I have looked at all the db’s and I do not have access to the flagDB or hmaildb. Have no clue how to move forward on this section. Any help would be appreciated.

Try one of the approaches mentioned in the text in that chapter. It has to do with undocumented stored procedures. Try those and I’m sure you’ll figure it out.

Hey man, thanks for that. Let me try that. I had to take a quick brake.

I have the service account password but doesn’t seem to allow login. They can’t be impersonated either. I’m lost what to do, here.



Try sqsh (doesn’t work on pwnbox so VPN on own Liux machine), that did the trick for me. I always hate it when you get sidetracked with unclear ‘execution’ things but if you have the right password it should work.

Bro, I am lost haha… I think i am over looking something here. Would yall be able to give me another nugget? I have tried looking through the db however, I am unable to find the users table. However, I have found

  • 1> SELECT * FROM syslogins
  • 2> go
  • SELECT name, password FROM master…syslogins
  • go

however, I am unable to find much of use. I have tried enum the other ports and I might be missing something throughout the ports.

I will be looking into RDP. Hopefully I find something?

I tried logging in with sqsh using the right credentials of mssqlsvc but its not working.

Hello, I`m same as you… Looking through forums and searching for totally stuck at the moment…

yeah it’s not as intuitive but there is a GUI option. you just right click on what you want and there should be an option

Thanks!! I got it :slight_smile: :slight_smile: :slight_smile:

gui option for what?

For anyone still working on this, here are notes and hints (uncover as you progress).


  • I managed to login with the htbdbuser only with the sqlcmd tool


  • $ sqlcmd -S <IP> -U htbdbuser followed by the passwd.
  • as @ST_oma mentioned, look into undocumented stored procedures for mssqlsvc password


  • If you have password for mssqlsvc – I had to connect remotely from VPN because the sqsh is not working properly on the pwnbox. So establish VPN and try it form your PC.


  • Notice that the password obtained is not a local database password but NTLM password. Meaning this password is for the user thats on the OS, NOT directly on the database.
  • You can force the sqsh to use Windows Authentication, just look closely into the module text.



Check impacket mssqlclient, esp the command help once you’re connected. It has some nice added functionalities / shortcuts for most of the techniques taught in this chapter (easy activation of xp_cmdshell, enumeration of users that you can impersonate, links, etc.).

Great tool.

1 Like

Read this if you are using Impacket’s mssqlclient and can’t login as the mssqlsvc user and are getting the error “Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.”

DO NOT put the .\ or WIN-02\ in front of the username, leave it as user@host, but you DO need another option for Windows auth, check the help menu for that

1 Like

Guys, when you connect to mssql CLI there’s one option to authenticate :wink:

Hello, i tried all approaches can’t find the hash, any hint please ? thanks

follow these steps

  1. sqlcmd -S Target_Ip -U julio -P
  2. note table names
  3. start
    sudo impacket-smbserver share ./ -smb2support
  4. try any step from “Capture MSSQL Service Hash Section”
  5. note don’t forget enter ip of Attack box in 4th step
  6. copy hash to text file and crack it ( note start copying from "mss… to …000)
  7. crack it using john :- john Your hash file (leave wordlist to default )
  8. now login with the creds you found using -p 1433 userwhich_You_found@target_ip -windows-auth
  9. select name from master.dbo.sysdatabases
  10. use flagdb
  12. select * from tb_flag
    that’s it .
    Thank you for reading this, I hope it helped.

you couldn’t give better suggestions.