To emulate these attack vectors, we will need to deploy a couple of MSSQL databases on the test domain used in previous posts.<\/p>\n\n\n\n
MSSQL installation on internal servers.<\/h2>\n\n\n\n
For this lab, SQL Express will be enough, which can be downloaded from the following link:<\/p>\n\n\n\n
https:\/\/download.microsoft.com\/download\/5\/1\/4\/5145fe04-4d30-4b85-b0d1-39533663a2f1\/SQL2022-SSEI-Expr.exe<\/a><\/p>\n\n\n\n Now I’ll be using a different lab, deployed recently on a NUC.<\/p>\n\n\n\n This is the new infrastructure:<\/p>\n\n\n\n For this exercise, we will deploy two MSSQL instances in the child domain internal.jsec.rt<\/strong> and the parent domain jsec.rt<\/strong>, however, the configuration of links between the two databases will be for a next post.<\/p>\n\n\n\n The steps are repeated for both machines, as this is a lab.<\/p>\n\n\n\n *Note: Make sure you have installed .NET Framework 4.7.2.<\/p>\n\n\n\n Choosing the Basic<\/strong> option is enough for our purposes.<\/p>\n\n\n\n Accept the terms and conditions.<\/p>\n\n\n\n We choose the installation route and then click on Install<\/strong>.<\/p>\n\n\n\n Once the installer finishes downloading and copying files, we’ll have a working MSSQL instance.<\/p>\n\n\n\n We’ll use the recommended Microsoft tool to interact with the database.<\/p>\n\n\n\n Installation can be done with the default values for the purpose of this lab.<\/p>\n\n\n\n By default, the database is accessible only locally, to allow network access, we’ll follow these steps.<\/p>\n\n\n\n Start the Database configuration app.<\/p>\n\n\n\n We expand the SQL Server Network Configuration<\/strong> option and click on the Protocols<\/strong> tab, where we’ll modify the TCP\/IP<\/strong> Protocol.<\/p>\n\n\n\n We change the Enabled<\/strong> dropbox value to Yes<\/strong>.<\/p>\n\n\n\n Then, we switch tabs to IP Addresses<\/strong> and add the port where the database will listen for connections by modifying the value of TCP Port<\/strong> of the IPAll<\/strong> section.<\/p>\n\n\n\n Then, to restart the service and apply the changes, we access the SQL Server Services<\/strong> menu, right click on the SQL Server<\/strong> object and then click on Restart.<\/strong><\/p>\n\n\n\n Now, to confirm the service is listening on all interfaces, we can run netstat<\/strong> and findstr<\/strong> to filter the results, showing matches of the configured port.<\/p>\n\n\n\n From the Kali host, we can confirm the service is remotely accesible using Impacket-mssqlclient<\/strong>.<\/p>\n\n\n\n We get the hostname and the configured database as a reply, so now we can configure the vulnerabilities.<\/p>\n\n\n\n Recapping the mentioned vulnerabilities.<\/p>\n\n\n\n For the first two functions, we do not need to do much, since it was installed on a Windows domain, regular users have very reduced query privileges, but any credential gives us access to public functions.<\/p>\n\n\n\n But to replicate the behavior in corporate networks, we will register SPN tickets in the respective domains to allow authentication by Kerberos to the respective service.<\/p>\n\n\n\n For this task, on our domain controller we will use the following command:<\/p>\n\n\n\n setspn -S MSSQLSvc\/coreint.internal.jsec.rt internal.jsec.rt\\serveradmin<\/p>\n\n\n\n This way, the instance can be identified through Active Directory enumeration.<\/p>\n\n\n\n For the third point, we will create a local database user with Sysadmin<\/strong> privileges, which is one of the requirements to enable the “xp_cmdshell<\/strong>” function.<\/p>\n\n\n\n In the respective databases, we access the database manager.<\/p>\n\n\n\n We access with the domain user that installed the database engine.<\/p>\n\n\n\n Once inside, we access the Security<\/strong> submenu and then Logins<\/strong>, right clicking it and accessing the New Login<\/strong> option.<\/p>\n\n\n\n To add a domain user as a valid user with privileges in the database, click on Search<\/strong>, then click on the Locations<\/strong> button and in order to search for internal domain users, expand the parent domain jsec.rt<\/strong> and select the subdomain internal.jsec.rt<\/strong> where our test user resides.<\/p>\n\n\n\n We write the user name to which we want to give privileges, in my case Sqluser<\/strong>, and we click on Check Names, to make sure that the user is being identified correctly.<\/p>\n\n\n\n We click on OK<\/strong> and move to the Server Roles<\/strong> tab, where we’ll give this user Sysadmin<\/strong> privileges by checking the corresponding box.<\/p>\n\n\n\n We click OK and our user is ready.<\/p>\n\n\n\n From within our Kali host, we confirm the remote access using impacket-mssqlclient<\/strong>.<\/p>\n\n\n\n Its necessary to use the -windows-auth<\/strong> flag to be able to authenticate as operating system or domain users.<\/p>\n\n\n\n To finish the configuration, we’ll add the machine account of the Coreint<\/strong> server as a local administrator on the DBInt<\/strong> server for the relay attack.<\/p>\n\n\n\n To exploit these scenarios, we’ll use the tool PowerUpSQL<\/strong> and a domain joined Windows host with a low privileged user (jsec<\/strong>).<\/p>\n\n\n\n There are many cases where it is possible to identify MSSQL instances configured in the domain, for internal applications and others, for the case of Web applications hosted on a server with MSSQL, it is possible to discover the exposed directories and in some cases, identify sensitive files that could be downloaded.<\/p>\n\n\n\n Simulating a real scenario, on a server with MSSQL I installed XAMPP to have a web server, creating a backup folder with a name that would be a bit complicated to find without bruteforcing on directories.<\/p>\n\n\n\n Now, we can use PowerUpSQL<\/strong> to discover MSSQL instances in the domain and use the public function “xp_dirtree” to list internal paths.<\/p>\n\n\n\n Using a non domain joined host that has visibility towards the internal network, we confirm reachability to the domain controller.<\/p>\n\n\n\n Then, we import the script after setting the execution policy value to Bypass<\/strong>.<\/p>\n\n\n\n Now, to be able to consult the information to the domain, we need that the imported functions are executed from the context of a domain user, to make this, some of the simplest options are:<\/p>\n\n\n\n The first two options are possible to validate quickly, so in this case, we will use runes to raise a shell in the context of a domain user.<\/p>\n\n\n\n Once the respective shell has been obtained and the access to the internal domain has been validated, we proceed to list the MSSQL instances registered in the domain.<\/p>\n\n\n\n We find two registered instances, where we’ll use a new function to test our connectivity.<\/p>\n\n\n\n Confirming the accessibility to these using any domain user, we proceed to list the internal directories using the public function “xp_dirtree<\/strong>“.<\/p>\n\n\n\n We can read more about this function in the following link:<\/p>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/jsec.drawio-2-1024x734.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-1024x804.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-1-1024x790.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-2-1024x795.png\")
<\/figure>\n\n\n\nInstalling a Database management suite.<\/h2>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-5-1024x778.png\")
<\/figure>\n\n\n\nRemote access configuration.<\/h2>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-6-824x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-7-1024x500.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-8-1024x683.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-10-1024x688.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-11-1024x327.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-12-1024x308.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-13-1024x423.png\")
<\/figure>\n\n\n\nPreparing the vulnerable environment.<\/h2>\n\n\n\n
\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-36-1024x321.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-15-980x1024.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-18-1024x787.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-22-1024x1004.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-20-1024x841.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-21-1024x806.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-23-1024x317.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-24-1024x617.png\")
<\/figure>\n\n\n\nAttack path 1: Directory listing through MSSQL.<\/h2>\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-26-1024x345.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-27-1024x525.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-28-1024x264.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-30-1024x305.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-37-1024x824.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-38-1024x714.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/jsec-rt.com\/wp-content\/uploads\/2023\/11\/image-39-1024x724.png\")
<\/figure>\n\n\n\nWhat is XP_DIRTREE?\u00a0 What are the alternatives to XP_Dirtree<\/a><\/blockquote>