How did you get that issue fixed?
Hi guys, I’m facing a problem. I can’t impersonate the linked server displayed from mssql. When I use the command to identify the server user from the MSSQL chapter and replace the linked server name I get the following error:
“Msg 7437, Level 16, State 1, Server WIN-HARD\SQLEXPRESS, Line 1
Linked servers cannot be used under impersonation without a mapping for the impersonated login.”
Has anyone encountered this error before?
EDIT: Well I quickly figured out I had to use execute as login = 'john' before exploiting the linked server.
What worked for me was instead of your second and fourth lines just do all the commands exec('sp_configure…') at local linked server. And for the last line just do exec('xp_cmdshell ''command'''). Remove the exec as login because you're already executing it as john just as a linked admin tldr. Case in point: you doing exec ('reconfigure') at linked server is the same thing, you're inputting commands as john who has these privileges on the linked server. Be sure to get the single quotes right: if you need to use quotes inside the exec parentheses you need to use single quotes (''command'') twice and not use double quotes ("command").
make sure you did the execute as login properly and are executing commands at the correct linked server, it should say remote 0
How did you all know to RDP into this? I wasted so much time trying to do mssql from the linux.
Hi everyone, I hope you’re all well,
for the ‘Attacking Common Services - Hard’ module I’ve already solved it by
first impersonating a J User…
using testadmin of the linked server LOCAL.TEST.LINKED.SRV to execute commands
using xp_cmdshell directly to get the flag. Apparently there’s another way to log in or get the admin hash, and I tried but couldn’t
(using responder to capture the hash). I’d like you to please help me with the second method,
thanks…
Try sqlcmd -S . -E
Since you can basically enjoy the full control of that server I’ve put in action some knowledge found in previous chapters.
Instead of extrapolating the hash through Responder, which is still not 100% clear to me, I leveraged SAM exfiltration. Give it a try!
THANKS, I will try it
Done, it’s still easier than Attacking Common Services - Easy
- smbclient -N -L //10.129.xxx.xx/ to see the shared SMB
smbclient //10.129.xxx.xx/Home
- Got Fiona’s credentials → use them to RDP
- run sqlcmd from the RDP session
- Follow through the sqlcmd impersonate section in the module
- Run everything with EXECUTE('xxxxxx') AT [LOCAL_TEST.LINKED.SRV]
- Follow the steps in the mssql impersonation section, including enabling xp_cmdshell
- Run the command prompt command you need, e.g. Dir, More C:\Users\Administrator\Desktop\flag.txt
81> EXECUTE('xp_cmdshell ''more C:\Users\Administrator\Desktop\flag.txt''') AT [LOCAL.TEST.LINKED.SRV]
2> GO
Found this kinda stupid. I already got admin privileges as the linked server, and then TestAppDB was the only DB that fiona and john couldn’t access at first, so I went ahead and used execute statements in TestAppDB and this is what I got.
username password privileges
b’patric’ b’Testuser123!’ b’user’
b’julio’ b’Testadmin123!’ b’admin’
I thought this was the admin user that you were supposed to log in to get the flag with but apparently not. Don’t waste your time here.
For anyone that still needs help, I believe this is the intended solution given the module material:
- access SMB with a null session to grab credentials
- credentials should give you RDP access with one of the 3 users
- open command prompt and run sqlcmd
- Find out who you can impersonate with the command from the module
- using this impersonation, find linked servers using command from the module
- Read the C:\Users\Administrator\Desktop\flag.txt
HINT For the last step: You will be running several of these commands at once in an inception-style manner. You need to impersonate somebody and pass the “SELECT * … AS CONTENTS” read file command INSIDE of the EXECUTE command you’re passing to the remote server. All 3 techniques are in one command.
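Added note for anyone reviewing an instance like this one rather than attacking it: the T-SQL below is my own audit script, not from the module or any poster in this thread. It lists the three conditions the intended solution above chains together (a server-level IMPERSONATE grant, a linked server whose login mapping lets the impersonated login reach it, and xp_cmdshell being enabled), and it also explains the Msg 7437 error earlier in the thread, which SQL Server raises when the impersonated login has no row in sys.linked_logins for that server. It assumes you run it on the local instance as sysadmin (or with VIEW ANY DEFINITION); the catalog views are the standard sys.* ones.

```sql
-- Added audit script (not from the thread). Assumes sysadmin or VIEW ANY DEFINITION
-- on the instance being reviewed; run it on the instance that defines the linked server.

-- 1. Who may impersonate whom at the server level (the EXECUTE AS LOGIN step).
--    Grants whose target is sysadmin are effectively full-control grants.
SELECT grantee.name AS grantee_login,
       target.name  AS impersonated_login,
       target.is_disabled,
       IIF(IS_SRVROLEMEMBER('sysadmin', target.name) = 1, 'YES', 'no') AS target_is_sysadmin
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION');

-- 2. Linked servers and their login mappings.
--    local_principal_id = 0 is the wildcard mapping for all logins (no sys.server_principals row).
--    Msg 7437 is raised under impersonation when no mapping applies to the impersonated login.
SELECT s.name                                  AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,                   -- must be 1 for EXECUTE (...) AT [server]
       COALESCE(lp.name, '<all logins>')       AS local_login,
       ll.uses_self_credential,                -- 1 = connect with the local login's own context
       ll.remote_name                          -- fixed remote login the mapping connects as
FROM sys.servers AS s
LEFT JOIN sys.linked_logins      AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals  AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 3. Instance-level switches the thread relies on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options', 'Ole Automation Procedures');

-- Remediation examples (placeholder names; run only after confirming the grant is unneeded):
-- REVOKE IMPERSONATE ON LOGIN::[target_login] FROM [grantee_login];
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Read the three result sets together: a login that appears as grantee in the first set, whose impersonated target has a mapping (wildcard or explicit) to a privileged remote_name in the second, on an instance where the third set shows xp_cmdshell = 1, is exactly the chain the thread describes, and each row is a place to cut it.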