McDatabaseAdmin came rushing into the room and cried to McSkidy, “We’ve been locked out of the reindeer schedule – how will Santa’s transportation work for Christmas?” The grinch has locked McDatabaseAdmin of his system. You need to probe the external surface of the server to see if you get him his access back.

MS SQL Server is a Relational Database Management System (RDBMS). One simple way to think of a relational database is a group of tables that have relations.

We covered interacting and recovering Microsoft SQL Database Server using sqsh database shell. This was part TryHackMe Advent Of Cyber 3 Day 11.

Get OSCP Certificate Notes

Challenge Answers

There is an open port related to MS SQL Server accessible over the network. What is the port number?

Knowing the MS SQL Server is running and accessible over the network, we want to check if our username and password are still valid. Using the AttackBox terminal, we will use the command sqsh (pronounced skwish), an interactive database shell.

A simple syntax would be sqsh -S server -U username -P password, where:

  • -S server is used to specify the server, for example -S MACHINE_IP
  • -U username is used to provide the username; for example, -U sa is the username that we have enabled.
  • -P password lets us specify the password.

Let’s try to run, sqsh -S MACHINE_IP -U sa -P t7uLKzddQzVjVFJp

If the connection is successful, you will get a prompt. What is the prompt that you have received?

McDatabaseAdmin told us the database name is reindeer and it has three tables:

 

  1. names
  2. presents
  3. schedule

To display the table names, you could use the following syntax, SELECT * FROM table_name WHERE condition.

  • SELECT * is used to return specific columns (attributes). * refers to all the columns.
  • FROM table_name to specify the table you want to read from.
  • WHERE condition to specify the rows (entities).

We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?

Check the table schedule. What is the destination of the trip scheduled on December 7?

Check the table presents. What is the quantity available for the present “Power Bank”?

Now, let’s see if we can run MS Windows commands while interacting with the database. Some MS SQL Servers have xp_cmdshell enabled. If this is the case, we might have access to something similar to a command prompt.

 

The command syntax is xp_cmdshell 'COMMAND';. Let’s try a simple command, whoami, which shows the user running the commands. In the terminal output below, after connecting to MS SQL Server, we tried xp_cmdshell 'whoami';, and we can see that the user is nt service\mssqlserver. This means that any command we pass to xp_cmdshell will run as nt service\mssqlserver.

There is a flag hidden in the grinch user’s home directory. What are its contents?

Video Walk-Through