Attacking Common Services - Hard

On the forum you’ll see somebody telling me to perform impersonation and do the execute() trick after that. It’s confusing if you don’t follow along with the pages (forum and module). I got stuck myself until I went to the forum.

Only one of the users is able to execute commands remotely with admin privileges. The section doesn’t really specify exactly how to do anything; it just shows you one example and leaves it up to you to figure the rest out.

If you can, take some time to experiment with different commands and see what the results are. The forum can give you some ideas of what commands to execute.

1 Like

Way to go:

Find Fiona → Connect to RDP with Fiona → there connect to SQL with Fiona → Impersonate John → after that find linked SQL-servers → execute command on linked server → get the flag!

11 Likes

Hi, I am not sure at which step I am exactly.
I “think” I impersonated John correctly, but when I try to execute commands on the linked server I get this error:

[-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: Linked servers cannot be used under impersonation without a mapping for the impersonated login.

Is this the right path?

1 Like
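An added audit query, not part of the thread, that a DBA with sysadmin rights can run to see the three preconditions the walkthrough above chains together (IMPERSONATE grants, linked-server login mappings, and xp_cmdshell); the “without a mapping for the impersonated login” error corresponds to the second query returning no row for the impersonated login. It uses only the standard SQL Server catalog views sys.server_permissions, sys.server_principals, sys.servers, sys.linked_logins and sys.configurations.

```sql
-- Added audit example (not from the thread). Run as a member of sysadmin.

-- 1. Which logins may impersonate which other logins (the "impersonate John" step).
SELECT pe.state_desc,
       pe.permission_name,
       grantee.name AS grantee_login,
       target.name  AS impersonated_login
FROM sys.server_permissions   AS pe
JOIN sys.server_principals    AS grantee ON grantee.principal_id = pe.grantee_principal_id
JOIN sys.server_principals    AS target  ON target.principal_id  = pe.major_id
WHERE pe.permission_name = 'IMPERSONATE'
  AND pe.class_desc = 'SERVER_PRINCIPAL';

-- 2. Linked servers, whether RPC Out (EXECUTE ... AT) is enabled, and how local
--    logins are mapped to remote ones. A row with local_principal_id = 0 is the
--    wildcard mapping that covers every login without its own row; a login that
--    has no applicable row cannot use the linked server under impersonation.
SELECT s.name                 AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       COALESCE(lp.name, '<all logins>') AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers                AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 3. Whether xp_cmdshell is enabled on this instance (value_in_use = 1).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');
```

Run the same three queries on each linked server as well, since the flag path in the thread depends on what is enabled on the remote instance, not the one you first connect to.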

Oh wow, just found the answer, wasted so much time on a very stupid error/mistake.

1 Like

Can you tell me what command should I use to obtain the flag? Shall I get a reverse shell? I found the linked server but I don’t get the right syntax.

What error message did you get?

I tried a “whoami” command

1> EXECUTE('xp_cmdshell 'whoami'(''sysadmin'')') AT 
2> go
Msg 102, Level 15, State 1, Server WIN-HARD\SQLEXPRESS, Line 1
Incorrect syntax near 'whoami'.

try instead of if that doesn’t work I’ll login later and check the syntax…

Just remembered, when you check to see if the server is linked, it should give you the name of the server.

Essentially: the problem is not the syntax, the problem is the server name.

It was not; it was the syntax. I was able to fix it using ChatGPT because I suck at understanding code. The code I posted already had the correct server name in it.

Gonna log in later. ‘sysadmin’ doesn’t need to be included in the whoami command; that’s another error.

Great, it’s been months since I passed that one.

1 Like

What’s up fellows, been stuck on this one for a while. Need some help. I have gotten all the way to impersonating John and finding the linked server; however, I’m unable to do the xp_cmdshell command. Any help would be appreciated.

Maybe it is disabled, try to enable it.

Can you tell me how you dealt with it?

How did you get xp_cmdshell?


I used both exec and execute but I am getting an error. What might be the reason?
I impersonated user John.

Can anyone find out what’s the problem?

I’m pretty sure you don’t have permission for BULK, and I had to use double quotes (e.g. ") around my path. The answer is a mixture of your two pictures. You’re on the right path.

1 Like

Hi, for the first screenshot I am not sure that notepad.exe will work in a shell environment (as I think it will open Notepad interactively); better to use, for example, ‘type’, which is basically cat in cmd. Regarding the second screenshot, maybe you don’t have something important enabled on the linked server?