HTB Academy: Attacking Common Services - Attacking SQL Databases

I’m having trouble logging in as mssqlsvc.

I need to authenticate using Windows Authentication but I can’t seem to find a convenient way to do it using sqlcmd.

I have tried using sqsh but it is not installed as of writing. I am also unable to install it manually.

Any advice?

1 Like

I have completed many modules but sometimes you are really stuck. Most of the time I figure it out on my own or am helped with a little hint in this forum, but on this one I’m really stuck. I tried it with sqlcmd on my own PC and a VPN but I really am lost as to how to get to the linked server via the mssqlsvc account. Any help would indeed be appreciated…

Hi, did you find a solution to this in the end? I’ve just raised a support ticket to get it fixed.

Support helped me quite quickly in the end. There’s a workaround (not that obvious to me).

Try Impacket’s mssqlclient instead, example command below (sqsh seems to be outdated and not easy to install on Linux now):

sudo python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py htbdbuser@10.129.166.80

2 Likes

That worked! Thanks so much :slight_smile: I can finally mark this module as complete

1 Like

Happy to help @cooljagdash. Could I ask for help on Attacking Common Services | Attacking DNS? I’ve used subbrute for domains and keep trying:
dig any
dig axfr

but nothing useful. Any hint would be greatly appreciated!

The flag is very simple. You are definitely on the right track. Perhaps you have misconfigurations or are using the wrong parameters?

Make sure you are using inlanefreight.htb and not inlanefreight.com.
Make sure the resolvers.txt is using the target IP address.
Finally, make sure your dig command has the right parameters:
dig [axfr|any|ns|mx|…] targetdomain @targetip

1 Like

Thanks - I will try again. Maybe my brain is having a stupid day/I’m tired :rofl:

Haha, I can’t believe I didn’t get that! Thanks.

1 Like

no worries, glad to help :slight_smile:

1 Like

Thanks, you just saved my day with this tip. Was struggling with this one for a bit.

1 Like

Heyo. I found the hash. Tried to crack it using hashcat; I tried the provided password list, as well as like 15+ different other playlists, but I can’t crack it. Can anyone give a tip on which password list should be used?

Thanks in advance.

Try john instead. That did the trick for me.

If somebody is stuck cracking the hash, maybe you should ask yourself what the difference is between an NTLM hash and NetNTLM.

john and hashcat worked for me to crack the hash.

Hi,
I got the mssqlsvc hash and cracked it, but it is impossible to log in with it! I am completely stuck and I can’t figure out what I have to do to get the permission to read the DBflag. Please help me :slight_smile:

Was about to post the same. Something isn’t quite right here :thinking:.

I got the password for user mssqlsvc by acquiring the hash using responder and cracking it using hashcat.

Would have thought that with said password and username I’d be able to log in and enumerate the flagDB database to get the flag.

But neither mssqlclient.py, nor sqsh or sqlcmd (I installed the latter just to try this out) seem to accept the username & password as a valid pair. All 3 work with the htbdbuser credentials provided in the instructions.

I thought about using DBeaver (to try Windows Authentication, just as I tried with the -E flag and sqlcmd), but as luck would have it there’s a bug right now with the driver for MSSQL :smiley: (see “Windows authentication from linux”, Issue #19079, dbeaver/dbeaver on GitHub).

Any tips on how to connect? I even tried using Remmina and RDP-ing into the server with the creds, but as nmap suggests, there’s no setup for that with this box.

Having the hash and user is the first step. Mssqlclient looks good too. See if there are some auth-related flags and parameters relevant here.

Solved it yesterday - my tip would be to not mess around with the hash after you’ve cracked the password using hashcat or john. You only need the username and password for the second question.

And I didn’t use mssqlclient.py from impacket (though you could if you wanted to :slight_smile:).

Use wordlist from Attacking FTP services

For anyone having trouble cracking the hash. What I did is firstly use the whole Responder hash (starts with “MSSQLSVC::WIN-02 …”). Then I fed it into hashcat with cracking mode 5600 (for Responder hashes) and rockyou.txt worked for me while the provided password list didn’t.

If you then have trouble authenticating with mssqlsvc and its password, think about what authentication types MSSQL supports. Hint: mssqlclient.py doesn’t use the default authentication type.

Good luck!

1 Like
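
The NTLM versus NetNTLM distinction raised in the posts above, as an added example that is not from any poster in the thread: a small parser that tells a bare NT hash apart from a NetNTLMv1 or NetNTLMv2 challenge-response line and names each field. The account name, host name and hex values are constructed placeholders, not values from the module.

```python
import re

_HEX = re.compile(r"[0-9a-fA-F]+")

def _is_hex(s, n=None):
    """True if s is all hex digits, optionally of exactly n characters."""
    return bool(_HEX.fullmatch(s)) and (n is None or len(s) == n)

def classify(line):
    """Return (kind, fields) for one captured credential line."""
    line = line.strip()
    if _is_hex(line, 32):
        # Bare NT hash: MD4 of the UTF-16LE password, no challenge involved.
        return "NT hash", {"nt": line.lower()}
    parts = line.split(":")
    # Challenge-response captures look like user::domain:a:b:c (2nd field empty).
    if len(parts) == 6 and parts[1] == "":
        user, _, domain, a, b, c = parts
        if _is_hex(a, 16) and _is_hex(b, 32) and _is_hex(c):
            # NetNTLMv2: server challenge, NTProofStr (HMAC-MD5), client blob.
            return "NetNTLMv2", {"user": user, "domain": domain,
                                 "server_challenge": a, "nt_proof": b, "blob": c}
        if _is_hex(a, 48) and _is_hex(b, 48) and _is_hex(c, 16):
            # NetNTLMv1: LM response, NT response, server challenge.
            return "NetNTLMv1", {"user": user, "domain": domain,
                                 "lm_response": a, "nt_response": b,
                                 "server_challenge": c}
    return "unknown", {}

# Constructed samples (not values from the module or the thread).
SAMPLE_V2 = ("SVCACCT::LAB-01:1122334455667788:" + "a" * 32 + ":"
             + "0101000000000000" + "b" * 16)
SAMPLE_V1 = "SVCACCT::LAB-01:" + "c" * 48 + ":" + "d" * 48 + ":1122334455667788"
SAMPLE_NT = "0123456789ABCDEF0123456789ABCDEF"

if __name__ == "__main__":
    for s in (SAMPLE_V2, SAMPLE_V1, SAMPLE_NT, "not-a-hash"):
        kind, fields = classify(s)
        print(f"{kind:10} {sorted(fields)}")
```

A NetNTLMv2 line is a response tied to one server challenge rather than a stored password hash, so the whole line, not a 32-character fragment of it, is the unit that tools expect.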