Attacking Common Services - SQL Databases

Hi, everyone!

I see that flagDB does exist however the server principal “htbdbuser” is not able to access the database “flagDB” under the current security context.
Generally, htbuser has an access to three DBs from six ones.
I found that there are two users sa and htbdbuser however the second one is not able to be impersonalizated.
Seeking throught the all accessible tables I saw nothing useful information.
I found the path to flagDB.mdf but htbdbuser is not able to read it.
I have an identified linked remote server (WINSRV02\SQLEXPRESS), however it seems its not accessible.

Plese, hint me what have I do next to find the answers!

Get the hash :slight_smile:

1 Like

Thank you, friend!
I had done a mistake and your valuable hint helped me to have figure it out.

hi @b1ackr0se can you give me a hint for this section ?
What is a hash are you talking about ?

I found a user sa, who have a role ‘VIEW ANY DATABASE’.
But when I try to impersonate this user, it look like I dont have permission. Then I make a request to check the user ‘sa’. I found that this account is ‘disabled’…
So I try to enable this account by an update. But it look like another time that I dont have permission.
This is why I read the hint, but can’t find other hash…

use hashed account/password for first question