Attacking Common Services - Hard

Hi Everyone!

Who could help me with Attacking Common Services - Hard?

I stuck with getting a valid Administrators’ hash.

I have files downloaded from SMB share.
Among them, there was a user credentials pair I can access RDP and MSSQL but no admin access with. I can see that Administrator user does exist via Windows explorer however I have no access to it Desktop.
I can impersonalize second user but he has not admins’ role as well as the first one hasn’t. However, now I can see local server WINSRV02\SQLEXPRESS name and its domain LOCAL.TEST.LINKED.SRV and testadmin user.
Crackmapexec mssql for administrator and testadmin have no success.

Forcing Authentication Attacks using XP_SUBDIRS Hash Stealing with impacket I have got the following message like:
] User WIN-HARD\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa


Found this really hard but managed to solve it.
Some clues:

If testadmin is a user who can run as sysadmin, then xp_cmd is useful if the database allows it or if you enable it.



I need some help here:
Got RDP into the machine using credentials from the SMB-share. However, I have no idea how to continue from there by “compromising the other user to get admin privileges”.

I have tried all other credential combination in order to log into the mssql database with no success. Looking into the other domain users, I am only able to “impersonate” the guest account via PS cmdlet.

I also found one admin credential, associated with “HTB Lab Admin” but that also did not get me further.
Any help is appreciated!

1 Like

I got it today after receiving one hint:
I was too focused on trying to establish an authenticated connection with the local database server using the found credentials. This stopped me from moving further with the other necessary steps.

In fact, I could do the required enumeration, user impersonation and pivoting techniques just right from the first RDP session using sqlcmd.
The objective is also explained in one of the files found in the SMB share.


Indeed @cherryeater , you must first impersonate a user and then identify the linked server. It’s all in the theory of HTB Academy section MSSQL

Thanks @mattdragon2 I got the flag.txt in two ways. One using the xp_cmdshell as you say (where previously you have to enable that functionality) and the other is using the “Execute” statement as indicated in the theory of HTB Academy MSSQL section.

Can anyone help me out? I can’t figure out how to retrieve the information from the columns… I got as far as this

But I am struggling to get any further.

I got it, going after the database was the wrong approach!

I was getting to xp_cmdshell, but target time limit shut me down. :unamused:

Finally had a last idea and got that one with a double impersonation, and a simple file read.


1 Like

when I impersonate the first time I don’t see the sysadmin on my impersonate table, I know I missed something… all I see is the name of the person I impersonated. I answered the question correctly with the right name.

double checking database…

After first impersonation, check again the sysadmin users, but this time with the execute ( ) trick.

1 Like


I needed this in addition to all the hints here and theory on the sql page. Hopes this helps someone.


did you have a issue with trying to read just the location of the flag? i kept getting :
dsp_desc_bind: Memory allocation failure for column #1

i solved it by creating the table and taking the output of flag.txt and storing it in the file as outlined in the guide provided, this might help others with if they get this error

1 Like

Hi, I’m having trouble with the medium lab, can you post a helpful hint on the medium forum?

For the medium lab, i enumerated all ports with nmap.

1 Like


I found all the files from the SMB users… but trying to get a credential for MSSQL but couldn’t find any.
How do i get into MSSQL at first ?

When using Windows Authentication, we need to specify the domain name or the hostname of the target machine. If we don’t specify a domain or hostname, it will assume SQL Authentication and authenticate against the users created in the SQL Server. Instead, if we define the domain or hostname, it will use Windows Authentication. If we are targetting a local account, we can use SERVERNAME\\accountname or .\\accountname. The full command would look like: