impersonate - execute as login

Connect to the database

mssqlclient.py -windows-auth north.newyork.local/miguel.cabrera:ilovebaseball@yonkers.north.newyork.local
  • Let’s enumerate impersonation permissions:

enum_impersonate
  • The previous command lists all users with impersonation permission.

“SQL Login is for Authentication and SQL Server User is for Authorization. Authentication can decide if we have permissions to access the server or not and Authorization decides what are different operations we can do in a database. Login is created at the SQL Server instance level and User is created at the SQL Server database level. We can have multiple users from a different database connected to a single login to a server.”

  • OK, let’s see the result:

  • OK, miguel.cabrera has login impersonation rights on sa.

  • So we can impersonate sa with execute as login and run commands with xp_cmdshell:

exec_as_login sa
enable_xp_cmdshell
xp_cmdshell whoami
  • And we get command execution!

  • Let’s continue our enumeration as login sa this time:

enum_logins
  • With the sa login we see a lot more, including that elena.lopez is sysadmin on the MSSQL server.

  • Let’s see if there are other impersonation privileges:

  • As a sysadmin (sa), we can see all the information in the database, including the other users with impersonation privileges.

  • Another way in would be to connect as claudio.ortiz and use execute as login on elena.lopez.
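
From the defender's side, the login-level grants that enum_impersonate and enum_logins surface can be audited directly in T-SQL. The query below is an added example, not part of the original walkthrough; it assumes it is run by a sysadmin login (a low-privileged login only sees the grants that concern it), and the grantee name in the commented REVOKE is a placeholder.

```sql
-- Added audit example (not from the original page).
-- 1) Every server-level IMPERSONATE grant: who may EXECUTE AS LOGIN whom.
SELECT
    grantee.name      AS grantee_login,
    grantee.type_desc AS grantee_type,
    target.name       AS impersonated_login,
    perm.state_desc   AS permission_state,   -- GRANT or GRANT_WITH_GRANT_OPTION
    grantor.name      AS granted_by,
    -- 1 when the impersonated login is a sysadmin, i.e. the grant is a
    -- direct path to full control of the instance (the sa case above).
    IS_SRVROLEMEMBER('sysadmin', target.name) AS target_is_sysadmin
FROM sys.server_permissions AS perm
JOIN sys.server_principals  AS grantee
     ON grantee.principal_id = perm.grantee_principal_id
JOIN sys.server_principals  AS target
     ON target.principal_id  = perm.major_id
JOIN sys.server_principals  AS grantor
     ON grantor.principal_id = perm.grantor_principal_id
WHERE perm.class = 101                      -- securable class SERVER_PRINCIPAL
  AND perm.permission_name = 'IMPERSONATE'
  AND perm.state IN ('G', 'W')              -- granted, with or without grant option
ORDER BY target_is_sysadmin DESC, impersonated_login, grantee_login;

-- 2) Current members of the sysadmin role (what enum_logins showed for
--    elena.lopez once we were running as sa).
SELECT member.name AS sysadmin_member, member.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS role_p  ON role_p.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS member  ON member.principal_id = rm.member_principal_id
WHERE role_p.name = 'sysadmin';

-- 3) Whether xp_cmdshell is currently enabled (value_in_use = 1).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Remediation for a grant reported by query 1.
-- [GRANTEE_LOGIN_PLACEHOLDER] is a placeholder: substitute the grantee_login value.
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [GRANTEE_LOGIN_PLACEHOLDER];
```

Any row from the first query with target_is_sysadmin = 1 is equivalent to granting sysadmin to the grantee, so it should be reviewed with the same scrutiny as direct role membership.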
