Who could help me with Attacking Common Services - Hard?
I'm stuck on getting a valid Administrator's hash.
I have files downloaded from SMB share.
Among them, there was a user credential pair with which I can access RDP and MSSQL, but without admin access. I can see that the Administrator user does exist via Windows Explorer; however, I have no access to its Desktop.
I can impersonate the second user, but he doesn't have the admin role either, just like the first one. However, now I can see the local server name WINSRV02\SQLEXPRESS, its domain LOCAL.TEST.LINKED.SRV and the testadmin user.
CrackMapExec mssql for administrator and testadmin had no success.
Forcing authentication attacks using XP_SUBDIRS hash stealing with Impacket, I got the following message:
 AUTHENTICATE_MESSAGE (,WIN-HARD)
 User WIN-HARD\ authenticated successfully
I need some help here:
Got RDP into the machine using the credentials from the SMB share. However, I have no idea how to continue from there by "compromising the other user to get admin privileges".
I have tried all other credential combinations in order to log into the MSSQL database, with no success. Looking into the other domain users, I am only able to "impersonate" the guest account via a PS cmdlet.
I also found one admin credential, associated with “HTB Lab Admin” but that also did not get me further.
Any help is appreciated!
I got it today after receiving one hint:
I was too focused on trying to establish an authenticated connection with the local database server using the found credentials. This stopped me from moving further with the other necessary steps.
In fact, I could do the required enumeration, user impersonation and pivoting techniques right from the first RDP session using sqlcmd.
The objective is also explained in one of the files found in the SMB share.
Thanks @mattdragon2, I got the flag.txt in two ways: one using xp_cmdshell as you say (where you first have to enable that functionality), and the other using the "Execute" statement as indicated in the theory of the HTB Academy MSSQL section.
When I impersonate the first time, I don't see the sysadmin in my impersonate table; I know I missed something... all I see is the name of the person I impersonated. I answered the question correctly with the right name.
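As an added example (not part of any post in this thread and not HTB Academy's own material): the posts above revolve around IMPERSONATE grants, sysadmin membership, xp_cmdshell and a linked server. The T-SQL below is the audit a DBA or blue teamer would run to see the same facts from the defender's side, using only standard SQL Server catalog views. It assumes it is run by a login with VIEW ANY DEFINITION and VIEW SERVER STATE (or sysadmin); the object names in the REVOKE / sp_configure comments are placeholders to fill in from the query results.

```sql
-- 1. Server-level impersonation grants: which login may run EXECUTE AS LOGIN
--    as which other login, and whether that target sits in sysadmin.
--    A row with target_is_sysadmin = 1 is a privilege-escalation path to review.
SELECT
    grantee.name                                AS grantee_login,
    target.name                                 AS impersonation_target,
    IS_SRVROLEMEMBER('sysadmin', target.name)   AS target_is_sysadmin,
    p.state_desc                                AS grant_state
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL';
-- Remediation for an unwanted row (placeholder names):
-- REVOKE IMPERSONATE ON LOGIN::[target_login] FROM [grantee_login];

-- 2. Database-level impersonation grants in the current database
--    (EXECUTE AS USER), the second impersonation path the posts mention.
SELECT
    DB_NAME()     AS database_name,
    grantee.name  AS grantee_user,
    target.name   AS impersonation_target
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'DATABASE_PRINCIPAL';

-- 3. Current sysadmin membership, so the list above can be cross-checked.
SELECT member.name AS sysadmin_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS role_p ON role_p.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS member ON member.principal_id = rm.member_principal_id
WHERE role_p.name = 'sysadmin';

-- 4. Is xp_cmdshell enabled right now? value_in_use = 1 means OS command
--    execution is reachable from T-SQL for anyone allowed to call it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
-- Hardening: EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;

-- 5. Linked servers and the remote identity each local login maps to.
--    A mapping to a highly privileged remote login (or uses_self_credential = 1
--    for a privileged local login) is what makes pivoting across the link work.
SELECT
    s.name                  AS linked_server,
    lp.name                 AS local_login,      -- NULL = default mapping for all logins
    ll.uses_self_credential AS passes_own_credentials,
    ll.remote_name          AS remote_login
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;
```

Queries 1 and 2 answer the "impersonate table" question directly: if the only rows returned point at non-sysadmin targets, there is nothing further to escalate through impersonation on that instance, and that is the state a hardened server should be in.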
When using Windows Authentication, we need to specify the domain name or the hostname of the target machine. If we don't specify a domain or hostname, it will assume SQL Authentication and authenticate against the users created in the SQL Server. Instead, if we define the domain or hostname, it will use Windows Authentication. If we are targeting a local account, we can use SERVERNAME\\accountname or .\\accountname. The full command would look like: