Important to know for someone that isn’t familiar with Windows exploitation and stuff. You need to go into the SQL Server Manager application once you acquire the admin creds. I reconnected to the server but you don’t have to. Move into the accounts folder and run his query in the New Query button.
Important.txt is not empty; it has a very small string right at the beginning of it. If it is empty, I would suggest reloading the machine.
Just to try and help everyone else out, as well as reminding myself how this is done…
Look at NFS first, you will need to mount a share.
Once the share is on your local machine, you will need to access it, hint: if you can’t access it, su to root.
Once you’re in the share, grep for a username and/or password.
You can then take these credentials to connect via RDP.
Have a look around as this user; you won’t be able to log in to SQL, so see what else is about.
You will locate credentials for another user.
Use these credentials (or similar user…) to RDP again.
Once you find the right user (as people re-use passwords…) you can log in and access MSSQL.
Once in, you’ll need to execute some WHERE commands to locate the user we are looking for.
If you get stuck, take a look here to learn SQL: SQL WHERE Clause
Did you guys think this lab was easier than the easy lab? I did. I had way less trouble with this one.
Hi! I am a little stuck. I have run the Nmap scan with -p- and all other evasion options as described in the course, but was not able to enumerate the MSSQL server port. However, the Nmap scan specifically for the port of the MSSQL server returns that the SQL server is running.
The command I was using initially is:
sudo nmap -sS -sV -p- X.X.X.X -Pn --disable-arp-ping --packet-trace
Then, using the comments, I was able to figure out SQL server … I ran the scan specifically for SQL server and got the port.
So I can help you. Are you doing “Footprinting Lab - Medium”? If not, just mention what exact part of the module you are doing and I will be able to assist.
I am just wanting to learn the point where I am stuck … like what was wrong in my initial scan… why I was not able to get the MSSQL server port using the -p- scan… the rest I am OK with in the lab.
From my notes related to “Footprinting Lab - Medium”: there are no ports related to MySQL or MSSQL which can be discovered.
For reference, I have used the following Nmap scan: ‘sudo nmap -sS -sV -sC -A -Pn --top-ports 1000 10.129.29.234’
My only hint for you to go forward is to check the NFS.
Good luck.
Thanks, I have already mounted the NFS and am working on it. Thanks.
Please PM … I have right-clicked and performed the same step… unable to switch to new user.
Hi! Unable to run sqlsrv as a different user. Can you give me a hint?
After mounting the NFS, you should have obtained credentials for user “A***”. Then you should try to RDP using the credentials obtained. I myself use xfreerdp: xfreerdp /u:user /v:10.129.230.101 /p:'password'
There is no need to run services once you RDP; you can just open Microsoft SQL Server Management Studio.
From here I will tell you to look around in the host for any important file that might contain information saved by the users which might help you in accessing Microsoft SQL Server Management Studio.
Right click and run as administrator?
Yes, did it, but the password is not working on the local admin or admin account.
Ah, I see…
I hate when HTB does these kinds of stuff, not the first time. I understand that we need to learn but this is just stupid. I like the content but the tasks are horrible at best. Might need to rethink if I want to use this service anymore.
My question to HTB staff, how can I know this if I have never even encountered it before? How can I research into something that I did not know was possible?
I’m stuck just trying to mount the NFS and allow access to even view what’s inside TechSupport.
I’ve tried what was listed in the NFS section as well as
sudo mount -t nfs -o rw,nosuid,noexec,noatime,nodiratime,soft,proto=tcp,port=2049,vers=4.1,user=nobody IP:/TechSupport ./target-NFS
As well as just " sudo mount -t nfs IP:/TechSupport ./target-NFS/ -o nolock "
Not able to cd into the directory.
EDIT: lol, root terminal maybe?