HTB Academy: Attacking Common Services - Attacking SQL Databases

I’m having trouble logging as mssqlsvc.

I need to authenticate using Windows Authentication but I can’t seem to find a convenient way to do it using sqlcmd.

I have tried using sqsh but it is not installed as of writing. I am also unable to install it manually.

Any advice?

1 Like

I have completed many modules but sometimes you are really stuck. Most of the times I figure it out on my own or are helped with a little hint in this forum but on this one I’m really stuck. I tried it with sqlcmd on my own pc and a VPN but I really am lost in how to get to the linked server via the mssqlsvc account. Any help would indeed be appriciated…

Hi did you find a solution to this in the end? I’ve just raised a support ticket to get it fixed

Support helped me quite quickly in the end. There’s a workaround (not that obvious to me).

Try impackets mssqlclient instead, example command below (sqsh seems to be outdated and not easy to install from linux now):

sudo python3 /usr/share/doc/python3-impacket/examples/ htbdbuser@


That worked! Thanks so much :slight_smile: I can finally mark this module as complete

1 Like

Happy to help @cooljagdash . Could I ask for help on - Attacking Common Services | Attacking DNS ? I’ve used subbrute for domains and keep trying:
dig any
dig axfr

but nothing useful. Any hint would be greatly appreciated!

The flag is very simple. You are definitely on the right track. Perhaps you have misconfigurations or using the wrong parameters?

Make sure you are using inlanefreight.htb and not
Make sure the resolvers.txt is using the target IP address.
Finally, make sure your dig command has the right parameters:
dig [axfr|any|ns|mx|…] targetdomain @targetip

1 Like

Thanks - I will try again. Maybe my brain is having a stupid day/I’m tired :rofl:

Haha I can’t believe i didn’t get that! Thanks.

1 Like

no worries, glad to help :slight_smile:

1 Like

thanks, you just saved my day with this tip. Was struggling with this one for a bit

1 Like

Heyo. I found the hash. Tried to crack it using hashcat; I tried the provided password list, as well as like 15+ different other playlist but I can’t crack it. Can anyone give a tip on which password list should be used?

Thanks in advance.

Try john instead. That did the trick for me.