[Day 11] Networking Where Are The Reindeers? | Advent of Cyber 3 (2021)
--
Today is about networking again, plus a little bit of database querying. I am very interested in learning about databases, because I rarely work with them.
Let’s expose the database.
# There is an open port related to MS SQL Server accessible over the network. What is the port number?
1433
I use -sS for a stealth scan, -sV to see the version, and -Pn to get around the ping blocking.
# If the connection is successful, you will get a prompt. What is the prompt that you have received?
1>
# We can see four columns in the table displayed above: id, first (name), last (name), and nickname. What is the first name of the reindeer of id 9?
Rudolph
I use SELECT * FROM reindeer.dbo.names; but you can also use SELECT * FROM reindeer.dbo.names WHERE id=9;
# Check the table schedule. What is the destination of the trip scheduled on December 7?
Prague
In the same way.
# Check the table presents. What is the quantity available for the present “Power Bank”?
25000
# There is a flag hidden in the grinch user's home directory. What are its contents?
THM{YjtKeUy2qT3v5dDH}
Check for the command xp_cmdshell first.
And as you can see, flag.txt is hidden in the Grinch’s Documents folder.
# Congratulations, the flag you have recovered contains the password of McDatabaseAdmin! In this task, we learned how to use sqsh to interact with a MS SQL Server. We learned that if xp_cmdshell is enabled, we can execute system commands and read the output using sqsh.
Just click Question Done.
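A defender's follow-up to this task, as an added example that is not part of the original write-up or the room: T-SQL that checks whether xp_cmdshell is enabled, lists who could run it, and turns it off. It assumes a sysadmin connection to an instance you administer; in sqsh, finish each batch with go.

```sql
-- Added example (not from the original write-up): audit and disable xp_cmdshell.
-- Assumes a sysadmin connection to your own SQL Server instance.

-- 1. Is xp_cmdshell enabled right now? value_in_use = 1 means it is active.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Members of the sysadmin role: they can run xp_cmdshell and can also
--    re-enable it, so disabling it does not protect a compromised sysadmin login.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Explicit permissions on xp_cmdshell for other principals
--    (class = 1 means the permission is on an object; it lives in master).
USE master;
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.all_objects AS o
  ON o.object_id = pe.major_id AND pe.class = 1
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE o.name = 'xp_cmdshell';

-- 4. Turn it off. xp_cmdshell is an advanced option, so expose those first,
--    then hide them again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Rerun the first query afterwards; value_in_use should read 0.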
Conclusion
I learned something new today: MS SQL Server vulnerabilities, xp_cmdshell and the sqsh command. I am very happy, and thanks.