Thanks for the help all. This comment in particular helped me a lot. For anyone stuck, try a starting a program without using anything you’ve found… I don’t think HTB shows you how to do this n the study guides. Which makes the task even more fun! 
RDP → CMD → s****d (without any creds)
Saying that… I’m stuck now trying to impersonate a user xD!
3 Likes
Hi guys, any help appreciated! I’m currently RDP’d in, trying to use EXECUTE and IMPERSONATE paths but getting no-where. Neither users I can see have the admin role tears hair out
The guide written in ‘a text file’ and the section on sql, says establish/indentify and use a local linked server. The sql section mentions executing commands through local linked server… Took me a few hours to figure it out, there’s a learning curve.
2 Likes
Thanks so much. I did see this but didn’t think much of it, I’ll focus on this.
1 Like
Terrible 
can someone help me?
I have access to RDP (fiona) and i dont know what i doing wrong and whats next…
i used EXECUTE () and found user with sysadmin role but i dont know how i can use it.
I have username: ‘*****admin’
but dont have idea whats next… Really need someone - good person - who can explain me this path (maybe on private message) 
( sql is so hard for me ) @tlaing @subrealz @johnnyvims
Sometimes ago for me, but if i remember well, you can impersonate the new user you have found the same way you did with the previous one. If that doesn’t help, ping me again and I’ll go thru my notes.
All from sql page
snip
If we manage to gain access to a SQL Server with a linked server configured, we may be able to move laterally to that database server. Administrators can configure a linked server using credentials from the remote server. If those credentials have sysadmin privileges, we may be able to execute commands in the remote SQL instance…
snip
Example from page
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT
2> GO
this is the syntax for naming the person you are impersonating through the linked server.
without spoiling this get familiar with the syntax:
EXECUTE() AT [linked server]
then your gonna be half way done after figuring it out you can follow @johnnyvims suggestions and use the link I posted.
3 Likes
i will check it - if You have right, i totaly misunderstood command in example 
1 Like
I had gotten as far as running the example from the SQL section you mentioned, but it was the EXECUTE() hint that prompted everything for me. Thank you.
2 Likes
Are the credentials found in SMB valid for MSSQL as well? This is what I understood from OP, but those credentials only worked for RDP and not MSSQL
1 Like
same here, but I can’t figure out how to impersonate another user (john, sa or simon).
John
try putting the password in quotation marks, I think I remember single quotes working for me
1 Like
impersonation example is on the mssql/mysql section/page, after that it’s get harder to figure out, but closer to the answer
1 Like
I was finally able to figure it out.
1 Like
I’m really stuck don’t know what I am missing.
So far I’ve connected to fiona via rdp tried to query user in PS to find any users to impersonate but couldn’t find anyone.
1 Like
The example to impersonate is on the mssql/mysql section follow it exactly. Also if you answer the question at the bottom about the user correctly, that’s who you can impersonate. Every thing you need to find the person is on that page. It gets challenging after that. Also if you read everything on this forum you’ll be able to figure out the answers. Took me a few hours because I didn’t follow the details in the section, I googled just about everything.
2 Likes
Thanks for this thread guys, it really help me a lot. Just resolve it and I’m crying righ now 
2 Likes
At this one you could use the mssqlclient.py tool from impacket… test with it and everything fine, but have the same error dsp_desc_bin with sqsh with my Kali VM.
2 Likes
both users had value 0 returned for sysadmin role, that’s why I got confused which one to impersonate.
for the correct user tbh I just guessed it it’s one of them I didn’t know why it was john exactly when both had 0 value.
2 Likes