I’m having trouble logging as mssqlsvc.
I need to authenticate using Windows Authentication but I can’t seem to find a convenient way to do it using sqlcmd.
I have tried using sqsh but it is not installed as of writing. I am also unable to install it manually.
Any advice?
I have completed many modules but sometimes you are really stuck. Most of the times I figure it out on my own or are helped with a little hint in this forum but on this one I’m really stuck. I tried it with sqlcmd on my own pc and a VPN but I really am lost in how to get to the linked server via the mssqlsvc account. Any help would indeed be appriciated…
Hi did you find a solution to this in the end? I’ve just raised a support ticket to get it fixed
Support helped me quite quickly in the end. There’s a workaround (not that obvious to me).
Try impackets mssqlclient instead, example command below (sqsh seems to be outdated and not easy to install from linux now):
sudo python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py htbdbuser@10.129.166.80
That worked! Thanks so much 
I can finally mark this module as complete
Happy to help @cooljagdash . Could I ask for help on - Attacking Common Services | Attacking DNS ? I’ve used subbrute for domains and keep trying:
dig any
dig axfr
but nothing useful. Any hint would be greatly appreciated!
The flag is very simple. You are definitely on the right track. Perhaps you have misconfigurations or using the wrong parameters?
Make sure you are using inlanefreight.htb and not inlanefreight.com.
Make sure the resolvers.txt is using the target IP address.
Finally, make sure your dig command has the right parameters:
dig [axfr|any|ns|mx|…] targetdomain @targetip
Thanks - I will try again. Maybe my brain is having a stupid day/I’m tired 
Haha I can’t believe i didn’t get that! Thanks.
no worries, glad to help
thanks, you just saved my day with this tip. Was struggling with this one for a bit
Heyo. I found the hash. Tried to crack it using hashcat; I tried the provided password list, as well as like 15+ different other playlist but I can’t crack it. Can anyone give a tip on which password list should be used?
Thanks in advance.
Try john instead. That did the trick for me.
If somebody stuck by crack the hash, maybe you should ask yourself what is the difference between NTLM Hash and NetNTLM.
john and hashcat worked for me to crack the hash.
Hi
i get the mssqlsvc hash and cracked it. but impossible to log with it ! i am completly stuck and in cant figure out what i have to do for get the perm for read the DBflag. please help me
Was about to post the same. Something isn’t quite right here 
.
I got the password for user mssqlsvc by acquiring the hash using responder and cracking it using hashcat.
Would have thought that with said password and username I’d be able to log in and enumerate the flagDB database to get the flag.
But neither mssqlclient.py, nor sqsh or sqlcmd (I installed the latter just to try this out) seem to accept the username & password as a valid pair. All 3 work with the htbdbuser credentials provided in the instructions.
I thought about using DBeaver (to try Windows Authentication, just as I tried with the -E flag and sqlcmd), but as luck would have it there’s a bug right now with the driver for MSSQL 
Windows authentication from linux · Issue #19079 · dbeaver/dbeaver · GitHub
Any tips on how to connect? I even tried using Remmina and RDP-ing into the server with the creds, but as nmap suggests, there’s no setup for that with this box.
Having the hash and user is first step. Mssqlclient looks good too. See if there are some auth related flags and parameters relevant here.
Solved it yesterday - my tip would be to not mess around with the hash after you’ve cracked the password using hashcat or john. You only need the username and password for the second question.
And I didn’t use mssqlclient.py from impacket (though you could if you wanted to ).
Use wordlist from Attacking FTP services
For anyone having trouble cracking the hash. What I did is firstly use the whole Responder hash (starts with “MSSQLSVC::WIN-02 …”). Then I fed it into hashcat with cracking mode 5600 (for Responder hashes) and rockyou.txt worked for me while the provided password list didn’t.
If you then have trouble authenticating with mssqlsvc and its password, thnik about what authentication types MSSQL supports. Hint: mssqlclient.py doesn’t use the default authentication type.
Good luck!