MSSQL

Microsoft SQL is similar to other SQL databases and it can be accessed using a 'sqsh' tool.

sqsh -S 10.11.1.31 -U test -P "password"

Remote Shell - XP_Cmdshell

Remote commands can be executed on the MSSQL hosting system through the sqsh tool.

The following command can be used to enable xp_cmdshell,

EXEC sp_configure 'show advanced options', 1;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
go

The following command can be used to execute commands on the remote system,

xp_cmdshell 'whoami';
go

MSSQL shell with file upload capability - The Portal of Knowledgealamot.github.io

If there is trouble in enabling the xp_cmdshell, then you can try to disable and re-enable it using the following commands,

XP_Dirtree

This is another undocumented stored procedure within MSSQL that can be used for listing out the files and directories. This command lists the following three parameters,

Files - This will display the files present in the folder

Directory - This is the directory that you pass to the command

Depth - This displays the number of sub level folders

Master Database File

The master.mdf file records all system level information for a SQL Database. It also contains instance wide meta data such as logon info, endpoints, linked servers and system configuration settings. It also records the existences of all databases and the location of all files.

However, this file cannot be accessed while the database is running as MSSQL processes creates a lock on it. But if you do have access to it, then the login credentials can be extracted from it.

The passwords are hashed and stored in the file, however they can be extracted using the following method and the hash can be cracked using hashcat.

Powershell-PostExploitation/Invoke-MDFHashes at master · xpn/Powershell-PostExploitationGitHub

The above script can be used for extracting the hashes. If you are on a Linux system, then you can use Pwsh to run the powershell script.

The has can be cracked as follows,