HTB Academy: Attacking Common Services - Attacking SQL Databases

I’m having trouble logging as mssqlsvc.

I need to authenticate using Windows Authentication but I can’t seem to find a convenient way to do it using sqlcmd.

I have tried using sqsh but it is not installed as of writing. I am also unable to install it manually.

Any advice?

1 Like

I have completed many modules but sometimes you are really stuck. Most of the times I figure it out on my own or are helped with a little hint in this forum but on this one I’m really stuck. I tried it with sqlcmd on my own pc and a VPN but I really am lost in how to get to the linked server via the mssqlsvc account. Any help would indeed be appriciated…

Hi did you find a solution to this in the end? I’ve just raised a support ticket to get it fixed

Support helped me quite quickly in the end. There’s a workaround (not that obvious to me).

Try impackets mssqlclient instead, example command below (sqsh seems to be outdated and not easy to install from linux now):

sudo python3 /usr/share/doc/python3-impacket/examples/ htbdbuser@


That worked! Thanks so much :slight_smile: I can finally mark this module as complete

1 Like

Happy to help @cooljagdash . Could I ask for help on - Attacking Common Services | Attacking DNS ? I’ve used subbrute for domains and keep trying:
dig any
dig axfr

but nothing useful. Any hint would be greatly appreciated!

The flag is very simple. You are definitely on the right track. Perhaps you have misconfigurations or using the wrong parameters?

Make sure you are using inlanefreight.htb and not
Make sure the resolvers.txt is using the target IP address.
Finally, make sure your dig command has the right parameters:
dig [axfr|any|ns|mx|…] targetdomain @targetip

1 Like

Thanks - I will try again. Maybe my brain is having a stupid day/I’m tired :rofl:

Haha I can’t believe i didn’t get that! Thanks.

1 Like

no worries, glad to help :slight_smile:

1 Like

thanks, you just saved my day with this tip. Was struggling with this one for a bit

1 Like

Heyo. I found the hash. Tried to crack it using hashcat; I tried the provided password list, as well as like 15+ different other playlist but I can’t crack it. Can anyone give a tip on which password list should be used?

Thanks in advance.

Try john instead. That did the trick for me.

If somebody stuck by crack the hash, maybe you should ask yourself what is the difference between NTLM Hash and NetNTLM.

john and hashcat worked for me to crack the hash.

i get the mssqlsvc hash and cracked it. but impossible to log with it ! i am completly stuck and in cant figure out what i have to do for get the perm for read the DBflag. please help me :slight_smile:

Was about to post the same. Something isn’t quite right here :thinking:.

I got the password for user mssqlsvc by acquiring the hash using responder and cracking it using hashcat.

Would have thought that with said password and username I’d be able to log in and enumerate the flagDB database to get the flag.

But neither, nor sqsh or sqlcmd (I installed the latter just to try this out) seem to accept the username & password as a valid pair. All 3 work with the htbdbuser credentials provided in the instructions.

I thought about using DBeaver (to try Windows Authentication, just as I tried with the -E flag and sqlcmd), but as luck would have it there’s a bug right now with the driver for MSSQL :smiley: Windows authentication from linux · Issue #19079 · dbeaver/dbeaver · GitHub

Any tips on how to connect? I even tried using Remmina and RDP-ing into the server with the creds, but as nmap suggests, there’s no setup for that with this box.

Having the hash and user is first step. Mssqlclient looks good too. See if there are some auth related flags and parameters relevant here.

Solved it yesterday - my tip would be to not mess around with the hash after you’ve cracked the password using hashcat or john. You only need the username and password for the second question.

And I didn’t use from impacket (though you could if you wanted to :slight_smile:).

here are a bunch of random sentences that i think might point you in the right direction.

hint: i had a response to every sentence he through at me .i love hash browns i make sure theres nothing left over when ever i order them. my favorite wrestler is dawyne johnson. before making sales quality clients are brought to a window to check their authorization.

:rofl: :rofl: :joy:

have fun guys. :crazy_face:


Use wordlist from Attacking FTP services