I see that flagDB does exist however the server principal “htbdbuser” is not able to access the database “flagDB” under the current security context.
Generally, htbuser has an access to three DBs from six ones.
I found that there are two users sa and htbdbuser however the second one is not able to be impersonalizated.
Seeking throught the all accessible tables I saw nothing useful information.
I found the path to flagDB.mdf but htbdbuser is not able to read it.
I have an identified linked remote server (WINSRV02\SQLEXPRESS), however it seems its not accessible.
Plese, hint me what have I do next to find the answers!
hi @b1ackr0se can you give me a hint for this section ?
What is a hash are you talking about ?
I found a user sa, who have a role ‘VIEW ANY DATABASE’.
But when I try to impersonate this user, it look like I dont have permission. Then I make a request to check the user ‘sa’. I found that this account is ‘disabled’…
So I try to enable this account by an update. But it look like another time that I dont have permission.
This is why I read the hint, but can’t find other hash…
idk if you answered the question already (I hope you did), but I decided to give a hint anyway since I lost an hour trying to figure out the answer for the second question too. For anyone who struggles to answer the second question ask yourself - “What are the ways that I can authenticate against MSSQL DB? Am I trying to authenticate using Windows Authentication or SQL Authentication”
it’s been a few months, but I remember answering the question(about who has access) at the bottom of the module first then, finding the other answer using with the same account name…
Hello, I am looking for a new job.
I am currently stuck with this.
I was able to connect to the SQL server.
However, no matter what command I type, nothing is output.
Is there any way to resolve this?
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty
1> SELECT name FROM master.dbo.sysdatabases
2> GO
3>
```
For anyone else that’s struggling, here are some hints:
From the previous page, responder is note worthy. (BONUS: to identify a hash, you can use the tool hashid [pip install hashid] to see what mode hashcat needs to use)
For this one, you’ll need to use what you got from question 1 to authenticate, then you should be able to enumerate the flagDB. You might need to do a search for the specific mssql command though as I didn’t find it in the module.
