Attacking Common Services - SQL Databases

Hi, everyone!

I see that flagDB does exist; however, the server principal “htbdbuser” is not able to access the database “flagDB” under the current security context.
Generally, htbuser has access to three of the six DBs.
I found that there are two users, sa and htbdbuser; however, the second one is not able to be impersonated.
Searching through all the accessible tables, I saw no useful information.
I found the path to flagDB.mdf, but htbdbuser is not able to read it.
I have identified a linked remote server (WINSRV02\SQLEXPRESS); however, it seems it's not accessible.

Please give me a hint about what I have to do next to find the answers!

Get the hash :slight_smile:


Thank you, friend!
I had made a mistake, and your valuable hint helped me figure it out.

Hi @b1ackr0se, can you give me a hint for this section?
What hash are you talking about?

I found a user sa, who has the role ‘VIEW ANY DATABASE’.
But when I try to impersonate this user, it looks like I don't have permission. Then I made a request to check the user ‘sa’. I found that this account is ‘disabled’…
So I tried to enable this account with an update. But once again it looks like I don't have permission.
This is why I read the hint, but I can’t find another hash…

Use the hashed account/password for the first question.

Idk if you answered the question already (I hope you did), but I decided to give a hint anyway since I lost an hour trying to figure out the answer for the second question too. For anyone who struggles to answer the second question, ask yourself: “What are the ways that I can authenticate against an MSSQL DB? Am I trying to authenticate using Windows Authentication or SQL Authentication?”

It’s been a few months, but I remember answering the question (about who has access) at the bottom of the module first, then finding the other answer using the same account name…

Hello, I am looking for a new job.
I am currently stuck with this.
I was able to connect to the SQL server.
However, no matter what command I type, nothing is output.
Is there any way to resolve this?

sqsh- Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> SELECT name FROM master.dbo.sysdatabases
2> GO

resolved: I used pwnbox


Using the stolen hash and the password list provided, it does not crack for question #1.