Official Freelancer Discussion

Yeah, I think something on the machine is killing curls and wgets directly from the box. If I curl from the reverse shell, the files don't come fully; the connection dies or I get 0 bytes. If I run the same command through the SQL command, it gets the files correctly.

User finally pwned. If you need any help I'll try to help as much as I can.

Once on the SVC_ACC, manual enumeration is the way. It's just kinda tucked away in the users folders; don't waste time in the higher directory levels C:* , etc…

You'll find some useful information in a certain file related to SQL configs.

Being mi**********an you can extract some info from a memory dump file. memproc and its plugins work OK.

Do I need to exfil the file, or am I capable of doing it on the box through the shell? If I do need to exfil, can you DM me how you approached that?

Never mind, I figured it out. You can EXFIL it, I'm just silly. Security policies are blocking some methods. :wink:

Hi, does anyone know what to do with the mem.dmp file?

Nothing I’m trying to run commands as mi**********an is working. What am I missing?

I currently got mi*******an credentials. How can I get a session with this user? Any hints?

You need to analyze it with a tool. I've been unable to get any tool to work properly for myself.
One tool I know works, but I'm unable to get it to function correctly on pwnbox. It would be a lot easier if you had access to a Windows machine to move the file to and dmp.

If you have a Windows machine you can use something to load the dmp into memory and use mimikatz to digest it. There are other tools out there that can analyze memory files. HackTricks can lead you to some.

Since you can't remote in with the creds, you need to think of a way to get a 2nd revshell opened from your current shell.

There are tools that let you essentially impersonate that user to perform actions as that user.
If I wanted to run a process as another user, what COMMAND utility could you employ?

I am trying to use the RUNAS, but it skips when credentials are asked. Will give it another try so

Any hints to enable xp_cmdshell consistently? I’ve had it fire once, but most of the time, using exactly the same payload, I either get the syntax or “No results. Previous SQL was not a query.” issue.

The machine resets the enable on the xp_cmdshell. So, you need to continuously re-enable it to use it.

I know, I just keep getting “No results. Previous SQL was not a query.” now. Issue seems to be chaining commands.

EDIT: Solved the issue. Thanks for the help :slight_smile:

If there is anyone struggling with getting permissions on the MSSQL instance, there is a section in HackTricks specially for pentesting MSSQL.

So I am just going to let you know that that is not an error; it just means that whatever you put in has been executed, and since there is no data to be given back to you it will just show that.

Need some help/hints for root. I’m in L******9.

Can you help me with the User flag?

If anyone needs help with the Memory Dump I'll try to answer you tomorrow, just send me a DM.

Next user has been pwned. Now onto root.

I’m still bumping.
Can’t transfer any reverse shell file because it gets picked up by protection. Also, running a PowerShell reverse shell, even with b64 encoding, gets picked up.
Saw an article about bypassing AV detection but required compiling a C shell in the machine, which, then again, I don’t have a compiler.

PS: Tried nc.exe, msfvenom, powershell with b64

Have you tried using powercat to evade Windows Defender?