McDatabaseAdmin came rushing into the room and cried to McSkidy, “We’ve been locked out of the reindeer schedule – how will Santa’s transportation work for Christmas?” The Grinch has locked McDatabaseAdmin out of his system. You need to probe the external surface of the server to see if you can get him his access back.
MS SQL Server is a Relational Database Management System (RDBMS). One simple way to think of a relational database is a group of tables that have relations.
This walkthrough covers interacting with, and recovering access to, a Microsoft SQL Server database using the sqsh database shell. It is part of TryHackMe Advent of Cyber 3, Day 11.
There is an open port related to MS SQL Server accessible over the network. What is the port number?
Knowing the MS SQL Server is running and accessible over the network, we want to check whether our username and password are still valid. From the AttackBox terminal we will use sqsh (pronounced "skwish"), an interactive database shell.
The basic syntax is sqsh -S server -U username -P password, where:
-S server specifies the server to connect to, for example -S MACHINE_IP.
-U username provides the username; for example, -U sa is the username that we have enabled.
-P password lets us specify the password.
Let’s try to run:
sqsh -S MACHINE_IP -U sa -P t7uLKzddQzVjVFJp
If the connection is successful, you will get a prompt. What is the prompt that you have received?
McDatabaseAdmin told us the database name is reindeer and that it has three tables: names, schedule, and presents.
To display the table names, you could use the following syntax: SELECT * FROM table_name WHERE condition, where:
SELECT is used to return specific columns (attributes); * refers to all the columns.
FROM table_name specifies the table you want to read from.
WHERE condition specifies which rows (entities) to return.
We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?
Check the table schedule. What is the destination of the trip scheduled on December 7?
Check the table presents. What is the quantity available for the present “Power Bank”?
Now, let’s see if we can run MS Windows commands while interacting with the database. Some MS SQL Servers have xp_cmdshell enabled. If this is the case, we might have access to something similar to a command prompt.
The command syntax is xp_cmdshell 'COMMAND';. Let’s try a simple command, whoami, which shows the user running the commands. In the terminal output below, after connecting to MS SQL Server, we tried xp_cmdshell 'whoami';, and we can see that the user is nt service\mssqlserver. This means that any command we pass to xp_cmdshell will run as
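An added T-SQL example, not part of the original walkthrough, that ties the two pieces together: the SELECT syntax above run against the names table (using the columns the page lists), followed by the defender-side check of whether xp_cmdshell is enabled and the sp_configure calls that turn it off. The batch terminator go is sqsh's; sys.configurations and sp_configure are standard SQL Server objects, and nothing else is assumed.

```sql
-- 1) The page's SELECT syntax applied to the names table.
--    Columns id, first, last, nickname are the ones shown on the page.
SELECT first, last, nickname
FROM names
WHERE id = 9
go

-- 2) Defender check: is xp_cmdshell enabled on this instance?
--    value_in_use = 1 means the procedure is currently usable,
--    so any sa-level login can run OS commands as the service account.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell'
go

-- 3) Mitigation: disable xp_cmdshell (requires ALTER SETTINGS / sysadmin).
--    'show advanced options' must be on before sp_configure will accept
--    the xp_cmdshell setting; it is switched back off at the end.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE
EXEC sp_configure 'show advanced options', 0
RECONFIGURE
go

-- 4) Re-run the check: value_in_use should now be 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell'
go
```

Rotating the sa password that the page shows in clear text, and restricting who holds sysadmin, closes the same door from the credential side.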
There is a flag hidden in the grinch user’s home directory. What are its contents?