@J4rvis @johnnyvims Could you please help me? I can't find a way to enable xp_cmdshell after impersonating J… I need clear step-by-step advice. I have tried a lot of different methods described by HTB Academy but it doesn't seem to work, so I am not making any progress. I have read all the comments in this forum and sometimes get ideas but still can't figure it out …
@StormBreaker11 After impersonating, u gotta follow the steps that @Neveraskswhy posted 6 days ago. What u need to do is basically trigger xp_cmdshell not in the local db you're in, but by sending queries to the linked db (that local.test.linked.srv). Understand the syntax to send commands to that linked db (@Neveraskswhy posted it), and first start by configuring advanced options, then reconfigure it; once u've done that u just have to do the same to configure xp_cmdshell.
After that, u can directly use xp_cmdshell to send cmd commands to that db and get the flag. Make sure to use the correct syntax for xp_cmdshell. Scroll above in here and there's a screenshot from the user "Newuser" from 29 days ago suggesting the syntax; u just gotta correct that.
cheers!
@J4rvis Thanks for your quick reply. I have done exactly what @Neveraskswhy stated 6 days ago, but after impersonating as J… and following Neveraskswhy's advice, I am still getting the following issue:
EXEC [LOCAL.TEST.LINKED.SRV].master.dbo.sp_configure 'show advanced options', 1
2> go
Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
1> EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
2> EXEC sp_configure 'show advanced options', 1;
3> go
Msg 15247, Level 16, State 1
Server 'WIN-HARD\SQLEXPRESS', Procedure 'sp_configure', Line 105
User does not have permission to perform this action.
You are close.
You have to figure out the name of the sysadmin at the linked database.
You can execute commands on the other database with a command formatted like this:
EXECUTE(' your command ') AT [LOCAL…]
Inside this command you can also put the impersonating command you have learned.
Also you can do more commands at once. You just have to put a semicolon between each of them, like:
EXECUTE(' first command ; second command') AT [LOCAL…]
If you have a command containing a ' you need to add another ' to it. ('')
Thanks @suryateja, I did manage to understand your point and made it after a lot of tries,
because I was facing a syntax error.
After you follow @suryateja's steps, try this command
Guys, how did you manage to enable xp_cmdshell? I did it using BULK; however, I have no clue how it can be done with xp_cmdshell, like how? I have tried multiple ways, but still keep getting an error. Any help would be appreciated. Thanks in advance.
Guys, I found the password of the user f**** and I could connect with RDP to the target machine. However, I couldn't access the mssql database from RDP (SQL Server Management Studio) or with mssqlclient.py…
Could you please help with any hint regarding how to connect to the database? Maybe I need to use another password for the f*** user?
This is so helpful, and "duh!", I realized the flag is on the local server, not the linked remote server. I am curious where you got the syntax, which is what must have taken you so long! All those quotes/double quotes!
No worries, glad I could help. Yeah, I think this lab was absolutely terrible, especially because the "example" that's provided isn't helpful at all. It took me a long time to figure out the positioning of all the quotes; it was basically a lot of trial and error. But remember you can use this syntax in the future to run other commands on the linked server as well.
I was a bit perplexed here too, but figured it out: you don't get a "greeting" message when you connect successfully. You just get a prompt for your query, "1>".
Once logged in as Fiona through RDP, you can just run sqlcmd -H localhost in PowerShell, and you get a db session :).
There was not enough preparation with MS SQL for this lab. There should’ve been more explanation about using nested single quotes in MS SQL (since you need to be able to do that). There was also not enough elaboration about linked servers and even though I got the flag, I still honestly don’t understand why the user I impersonated was able to run admin commands on the linked server. Obviously the user was an admin, but it was showing a different user when I listed that part. This wasn’t a good lab for me, not because it was hard, but because it was poorly explained, was a hassle, and I didn’t learn anything from it.
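The "why" in the post above is answered by the linked server's login mapping: a linked server definition maps local logins to a fixed remote login (sys.linked_logins), so whichever local principal you run as, the remote side executes as that mapped login, often a sysadmin. The following T-SQL is an added audit script, not from any participant in this thread, for an administrator checking their own instance for the three settings that make this chain possible; the column and view names are the documented SQL Server catalog views, and the remediation commands in the comments are assumptions about what a given environment can tolerate.

```sql
-- Added audit script (not from the thread). Run as a sysadmin on the
-- instance you defend. It lists: linked servers that accept remote procedure
-- calls and the remote login they map local principals to, the state of the
-- xp_cmdshell option, and server-level IMPERSONATE grants.

-- 1. Linked servers with RPC OUT and their login mappings.
--    local_principal_id = 0 is the default mapping for every local login.
--    A remote_name of 'sa' (or uses_self_credential = 1 under a privileged
--    service account) is why a low-privilege local login becomes an
--    administrator on the remote side once it executes through the link.
SELECT  s.name                                   AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled,
        COALESCE(p.name, '<all local logins>')   AS local_login,
        l.uses_self_credential,
        l.remote_name
FROM    sys.servers s
LEFT JOIN sys.linked_logins l     ON l.server_id = s.server_id
LEFT JOIN sys.server_principals p ON p.principal_id = l.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name;

-- 2. Current state of the two options toggled in the thread.
--    value_in_use = 1 for xp_cmdshell means OS command execution is live.
SELECT  name, value, value_in_use
FROM    sys.configurations
WHERE   name IN ('show advanced options', 'xp_cmdshell');

-- 3. Which logins may impersonate which other logins.
--    Any grant whose target is a sysadmin is equivalent to sysadmin.
SELECT  grantee.name   AS grantee,
        target.name    AS can_impersonate,
        perm.state_desc
FROM    sys.server_permissions perm
JOIN    sys.server_principals grantee ON grantee.principal_id = perm.grantee_principal_id
JOIN    sys.server_principals target  ON target.principal_id  = perm.major_id
WHERE   perm.permission_name = 'IMPERSONATE'
  AND   perm.class_desc = 'SERVER_PRINCIPAL';

-- Typical remediation (assumed to fit your environment; adjust names):
--   EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
--   EXEC sp_serveroption @server = N'LINKED_NAME', @optname = 'rpc out', @optvalue = 'false';
--   EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LINKED_NAME', @locallogin = NULL;  -- drop the default sa mapping
--   REVOKE IMPERSONATE ON LOGIN::[target_login] FROM [grantee];
```

If the first query shows a default mapping to a sysadmin login on a server with rpc out enabled, every local login that can reach the link inherits that privilege remotely, which is exactly the behaviour the lab relies on.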
I'm really stuck in the SQL part of Attacking Common Services. I tried using the commands through sqsh since it's a mssql service. I just can't find anything about the other user's password. Please help!