search

MS SQL Privilege Escalation

This instance of SQL is running as NT Service\MSSQLSERVER, which is the default during more modern SQL installations. It has a special type of privilege called SeImpersonatePrivilege, which allows the account to "impersonate a client after authentication".

beacon> getuid
[*] You are NT Service\MSSQLSERVER

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges

====== TokenPrivileges ======

Current Token's Privileges

                SeAssignPrimaryTokenPrivilege:  DISABLED
                     SeIncreaseQuotaPrivilege:  DISABLED
                      SeChangeNotifyPrivilege:  SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
                       SeImpersonatePrivilege:  SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
                      SeCreateGlobalPrivilege:  SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
                SeIncreaseWorkingSetPrivilege:  DISABLED

[*] Completed collection in 0.037 seconds

\

In a nutshell, this privilege allows the user to impersonate a token that it's able to get a handle to. However, since this account is not a local admin, it can't just get a handle to a higher-privileged process (e.g. SYSTEM) already running on the machine. A strategy that many authors have come up with is to force a SYSTEM service to authenticate to a rogue service that the attacker creates. This rogue service is then able to impersonate the SYSTEM service whilst it's trying to authenticate.

SweetPotatoarrow-up-right has a collection of these various techniques which can be executed via Beacon's execute-assembly command.

\

PreviousMS SQL Lateral MovementNextDomain Dominance

Last updated