Attacking common services - SQL (stuck)

Hi all,

So far I managed to do a couple of modules, including some intermediate ones and sometimes got stuck but always managed to ‘soldier’ my way through and proud of that. But now I’m really stuck in ‘Attacking common services’ - SQL → first question ‘What is the password for the “mssqlsvc” user?’.

Things I’v done:

  1. Extracted the hash for this user (format mssqlsvc::WIN-02:3d5ddadaf62b17b6:386CB00…002E00310035002E00390037000000000000000000).
  2. Tried to pass it with xfreerdp and sqsh (domain not trusted)
  3. Tried to crack it with the pasword list in the cheat sheet (no results).

I’m certain that I’m overlooking something obvious or maybe I have done the rigth thing but that it went wrong because of something else which let me think I already did that and didn’t try it again.

Anyway, some hints to the right direction are greatly appriciated.

1 Like

For anybody else stuck here, try and use a different wordlist

how did you got the hash

Just as was mentioned in the module with the non documented sql command. If you are really stuck explain what you have done thus far and I will provide some hints.

Yep, I tried the usual wordlist and that didn’t work either. I was questioning if I’d even pulled the correct thing from the smbserver output, but it’s the right length for a NT hash.

edit: so you grab the ENTIRE line with the hash in the output from smbserver, drop that in a file and use mode 5600 for hashcat to crack it. I was just trying to pull the one thing out of the line that looked like an NT hash and crack it with mode 1000. If it fails, try the regular wordlist.

After getting the full Hash for user “mssqlsvc”.
Save the full hash in a file.
Use hashcat to crack it .
HINT : hashcat -m 5600 -a 0 crack.txt rockyou.txt