MS SQL Lateral Movement

SQL Servers have a concept called "links", which allows a database instance to access data from an external source. MS SQL supports multiple sources, including other MS SQL Servers. These can also be practically anywhere - including other domains, forests or in the cloud.

We can discover any links that the current instance has:

SELECT srvname, srvproduct, rpcout FROM master..sysservers;

This shows a link to sql-1.cyberbotic.io, which we can query using OpenQuery:

The use of double and single quotes is important when using OpenQuery.

We can also check the xp_cmdshell status.

If xp_cmdshell is disabled, you won't be able to enable it by executing sp_configure via OpenQuery. If RPC Out is enabled on the link (which is not the default configuration), then you can enable it using the following syntax:

The square brackets are required.

Manually querying databases to find links can be cumbersome and time-consuming, so you can also use Get-SQLServerLinkCrawl to automatically crawl all available links.

This output shows that the link from SQL-2 to SQL-1 is configured with a local 'sa' account, and that it has sysadmin privileges on the remote server.
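The two link settings called out above (RPC Out enabled, and a link mapped to a fixed remote login such as 'sa' rather than the caller's own context) can be audited directly from the catalog views on each instance. The following T-SQL is an added example for defenders and assessors, not part of the original notes or of PowerUpSQL; it uses only the documented views sys.servers, sys.linked_logins, sys.server_principals and sys.configurations.

```sql
-- Added audit query (not from the original page): inventory every linked
-- server on this instance and flag the risky settings discussed above.
SELECT
    s.name                    AS link_name,
    s.product,
    s.provider,
    s.data_source,
    s.is_rpc_out_enabled,     -- 1 = RPC Out on (needed to run sp_configure etc. remotely)
    s.is_data_access_enabled, -- 1 = OpenQuery against this link is allowed
    -- local_principal_id = 0 is the wildcard mapping that applies to all local logins
    CASE WHEN ll.local_principal_id = 0 THEN 'ALL LOGINS'
         ELSE sp.name END     AS local_login,
    ll.uses_self_credential,  -- 1 = caller's own credentials are forwarded
    ll.remote_name,           -- fixed remote login used when uses_self_credential = 0
    CASE
        WHEN ll.uses_self_credential = 0 AND ll.remote_name IS NOT NULL
             THEN 'REVIEW: fixed remote login ' + ll.remote_name
        WHEN s.is_rpc_out_enabled = 1
             THEN 'REVIEW: RPC Out enabled'
        ELSE 'ok'
    END                       AS finding
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
       ON sp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1          -- server_id 0 is the local instance; skip it
ORDER BY s.name, local_login;

-- Is xp_cmdshell enabled on this instance? value_in_use = 1 means enabled.
-- 'show advanced options' must be on for the row to be settable, but it is
-- always readable here.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Run it on every instance in a chain, not only the entry point: a link that forwards the caller's credentials is only as strong as the login mapping on the next hop.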

To execute a Beacon on SQL-1, we can pretty much repeat the same steps as previously. However, note that SQL-1 may only be able to talk to SQL-2 and not to WKSTN-2 or any other machine in the DEV domain.

Because of all of the additional quotes needed for OpenQuery, it's easier to use an encoded command.

The inclusion of a benign statement at the beginning of the query is required for xp_cmdshell to trigger.
