Elevated sql_svc


Checking for user privileges of the sql_svc user after performing basic enumeration

ps c:\Windows\system32> whoami /all
whoami /all
 
USER INFORMATION
----------------
 
User Name      SID                                           
============== ==============================================
sequel\sql_svc S-1-5-21-4078382237-1492182817-2568127209-1106
 
 
GROUP INFORMATION
-----------------
 
Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access    Alias            S-1-5-32-574                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLMOCK                   Well-known group S-1-5-80-3352489819-4000206481-1934998105-2023371924-4240525201 Enabled by default, Enabled group, Group owner    
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                                        Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      
 
 
PRIVILEGES INFORMATION
----------------------
 
Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
 
 
USER CLAIMS INFORMATION
-----------------------
 
User claims unknown.
 
Kerberos support for Dynamic Access Control on this device has been disabled.

A much different result compared to the regular session. This is due to the nature of a service account.

Service accounts often have elevated privileges and are used to run critical services, making them valuable targets for attackers. When exploited, attackers can gain access to these elevated privileges and associated resources. The retained elevated environment and context result from leveraging the service account’s permissions and settings, allowing attackers to maintain control over the compromised system and potentially move laterally and escalate privileges within the network.

However, the regular PowerShell session doesn’t have as many privileges, because the privileges and group memberships shown are limited to the context of that session. These privileges might be restricted within that specific session, especially if the user doesn’t have administrative rights on the local system or in the domain. This is a standard security measure to limit the capabilities of service accounts when they are not explicitly needed.

When I exploited the MSSQL instance via a Silver Ticket attack and gained access to it, I leveraged the service’s elevated permissions to execute code as the administrator user, essentially bypassing the restrictions of a regular PowerShell session.

Nonetheless, the sql_svc user, IN THE CURRENT CONTEXT, holds both SeAssignPrimaryTokenPrivilege and SeImpersonatePrivilege, which are exactly the privileges the potato family of exploits relies on.
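From the defender's side, the same whoami output is the starting point for an audit: which service tokens on the box hold impersonation-class rights. The script below is an added example, not part of this writeup; it parses `whoami /priv /fo csv` output (the constructed sample is the sql_svc table above transcribed into CSV form) and reports the privileges that warrant review, whether they are currently Enabled or merely Disabled, since a disabled privilege is still held by the token.

```powershell
# Added audit example (not from the original writeup). Privileges that commonly
# turn a compromised service account into a full host compromise; the first two
# are the ones the sql_svc token above carries. SeImpersonatePrivilege is granted
# to any process running under the NT AUTHORITY\SERVICE SID by default.
$PrivilegesOfConcern = @{
    'SeImpersonatePrivilege'        = 'Impersonate a client after authentication'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
    'SeDebugPrivilege'              = 'Debug programs (open any process)'
    'SeBackupPrivilege'             = 'Back up files and directories (read any file)'
    'SeRestorePrivilege'            = 'Restore files and directories (write any file)'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of files or other objects'
    'SeLoadDriverPrivilege'         = 'Load and unload device drivers'
}

function Get-RiskyTokenPrivileges {
    param(
        # CSV text in the format `whoami /priv /fo csv` prints; when omitted,
        # the live token of the current process is audited.
        [string]$PrivCsv = (whoami /priv /fo csv | Out-String)
    )
    foreach ($row in ($PrivCsv | ConvertFrom-Csv)) {
        $name = $row.'Privilege Name'
        if ($PrivilegesOfConcern.ContainsKey($name)) {
            [pscustomobject]@{
                Privilege = $name
                # "Disabled" only means the process has not switched it on yet;
                # the right is still assigned to the account, so it is reported.
                State     = $row.State
                Why       = $PrivilegesOfConcern[$name]
            }
        }
    }
}

# Constructed sample: the sql_svc PRIVILEGES INFORMATION table in CSV form.
$SqlSvcSample = @'
"Privilege Name","Description","State"
"SeAssignPrimaryTokenPrivilege","Replace a process level token","Disabled"
"SeIncreaseQuotaPrivilege","Adjust memory quotas for a process","Disabled"
"SeMachineAccountPrivilege","Add workstations to domain","Disabled"
"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"
"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"
"SeCreateGlobalPrivilege","Create global objects","Enabled"
"SeIncreaseWorkingSetPrivilege","Increase a process working set","Disabled"
'@

# Expected: two rows, SeAssignPrimaryTokenPrivilege (Disabled) and
# SeImpersonatePrivilege (Enabled). Run without -PrivCsv to audit a live session.
Get-RiskyTokenPrivileges -PrivCsv $SqlSvcSample | Format-Table -AutoSize
```

Findings like these are what justify running SQL Server under a virtual or group managed service account with only the rights it needs, and they are assigned through the User Rights Assignment policy, which is where the audit result is acted on.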