RFC - Offensive Security Notes
  • Active Directory
    • Enumeration
      • Active Directory Module
        • Enumerating the Domain
        • Enumerating ACLs
      • PowerView 3.0
      • Verify connectivity to domain controller
      • WMI domain enumeration through root\directory\ldap
      • PAM Trust
      • DNS discovery
        • Get-DnsServerZone
    • Privilege Escalation
      • Kerberos Delegation
        • Unconstrained delegation
        • Constrained delegation
        • Resource-based Constrained Delegation
      • Escalating from child to parent domain
      • Abusing inter-forest trust
      • WSUS server abuse
      • ACL Enumeration with PowerView 2.0
    • Persistence
      • Kerberos attacks
        • Golden ticket
        • Silver ticket
      • DSRM (Directory Services Restore Mode)
  • Initial Access
    • VBA Macros
      • Mark-of-the-Web
  • Discovery
    • Juicy files
      • PowerShell history
    • Network Enumeration
      • Network discovery scans
        • Ping scan
      • Nmap
      • Perimeter firewall scanning for open outbound ports
  • Execution
    • WMI
      • Remote code execution using WMI
    • PowerShell
      • C# assembly in PowerShell
        • List load assembly
        • Add-Type
        • UnsafeNativeMethods
        • DelegateType Reflection
        • Reflective Load
    • C# .Net Assembly
      • Process injection
        • Debugging
        • Using VirtualAllocEx and WriteProcessMemory
        • Using NTAPI Undocumented Functions
    • ReverseShells
      • Linux
        • Stabilizing zsh shell
    • Metasploit
      • HTTPs Meterpreter
  • Exploitation
    • Win32 APIs
      • OpenProcess
      • VirtualAllocEx
      • WriteProcessMemory
      • CreateRemoteThread
  • Credential Access
    • Microsoft Windows
      • Windows credential audit and logon types
      • Local credentials (SAM and LSA)
      • Lsass from forensics dump
      • Access Tokens
        • SeImpersonatePrivilege
      • ntds.dit
        • Dumping the contents of ntds.dit files using PowerShell
      • Mimikatz
      • LAPS
  • Lateral Movement
    • Windows Lateral Movement
      • Remote Desktop Protocol (RDP)
      • PowerShell Remoting (PS Remote)
        • Kerberos double hoping
      • Windows Task Scheduler
    • Linux Lateral Movement
  • Persistence
  • Defence Evasion
    • Antimalware Scan Interface (AMSI)
      • Debugging AMSI with Frida
      • PowerShell Bypasses
      • JS/VBA Bypasses
    • PowerShell
      • PowerShell version 2
      • Constrained Language Mode
      • Just Enough Administration (JEA)
      • ScriptBlockLogging
    • Microsoft Defender
    • Anti-virus evasion
      • Evasion and bypassing detection within C#
        • Encryptors
          • Aes encryptor
        • Sandbox evasion
          • Time accelerated checks
    • AppLocker
      • InstallUtil
      • MsBuild
  • Network Pivoting
    • Proxies and port fowarding
      • SSH
      • Metasploit
      • Socat
      • SSH Shuttle
      • Windows netsh command
    • Network discovery and scanning
  • Exfiltration
    • Windows
      • Copy files over SMB
  • Services
    • MS SQL Server
      • Enumeration
      • UNC Path Injection
      • Privilege Escalation
      • Linked Servers
      • SQL Injection
  • Misc
    • CrackMapExec
    • Cheat sheets
  • Cloud
    • Azure
      • Authentication
      • Enumeration
        • AzureHound
        • Az.Powershell
        • Microsoft Graph PowerShell
      • Initial Access
        • Device Code Phishing
        • Family-Of-Client-Ids - FOCI
        • JWT Assertion
Powered by GitBook
On this page
  • Overview
  • Examples
  • Enumeration IMPERSONATE permissions
  • EXECUTE AS LOGIN
  • EXECUTE AS USER
  • From db_owner to sysadmin
  1. Services
  2. MS SQL Server

Privilege Escalation

Overview

Privilege escalation in Microsoft SQL Server is the process of gaining higher levels of access or control over the SQL Server instance or database than originally granted.

Examples

Enumeration IMPERSONATE permissions

IMPERSONATE permissions in Microsoft SQL Server allow a user to impersonate another user or login and execute statements on their behalf. This can be useful for troubleshooting and testing permissions, but it also introduces potential security risks if not used properly.

Enabling IMPERSONATE permissions

To grant IMPERSONATE permission at the server level, use the following command:

GRANT IMPERSONATE ON LOGIN::[login_name] TO [user_name];

To grant IMPERSONATE permission at the database level, use the following command:

GRANT IMPERSONATE ON USER::[user_name] TO [user_name];

To grant IMPERSONATE permission at the schema level, use the following command:

GRANT IMPERSONATE ON SCHEMA::[schema_name] TO [user_name];

Finding IMPERSONATE permissions

To find out which users or logins have been granted IMPERSONATE permission in Microsoft SQL Server, you can use the following query:

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'

EXECUTE AS LOGIN

The EXECUTE AS LOGIN statement in Microsoft SQL Server allows a user to execute a batch of SQL statements in the context of a specified login. This can be useful for testing permissions and troubleshooting issues related to permissions and access controls.

When using EXECUTE AS LOGIN, the user must have the IMPERSONATE permission on the target login. This permission is typically granted to members of the sysadmin fixed server role, but can also be granted to other users and roles as needed.

EXECUTE AS LOGIN = 'sa';
-- SQL statements to be executed as 'mylogin'
REVERT;

EXECUTE AS USER

The EXECUTE AS USER statement in Microsoft SQL Server allows a user to execute a batch of SQL statements in the context of a specified user. This can be useful for testing permissions and troubleshooting issues related to permissions and access controls.

When using EXECUTE AS USER, the user must have the IMPERSONATE permission on the target user. This permission is typically granted to members of the sysadmin fixed server role, but can also be granted to other users and roles as needed.

EXECUTE AS USER = 'sa';
-- SQL statements to be executed as 'myuser'
REVERT;

From db_owner to sysadmin

In Microsoft SQL Server, the db_owner role has a high level of privileges within a specific database, but it does not have permissions outside that database. However, if a database has been marked as trustworthy, a user with the db_owner role can execute code within that database with the permissions of the database owner. This can allow an attacker to elevate their privileges and potentially gain access to the sysadmin role.

Identify a trustworthy database

Use the following query to identity trustworthy domains:

SELECT name, is_trustworthy_on FROM sys.databases WHERE is_trustworthy_on = 1;

Use the following query to verify your user role:

use <trustworthy_db>
SELECT r.name AS RoleName FROM sys.database_role_members rm INNER JOIN sys.database_principals p ON rm.member_principal_id = p.principal_id INNER JOIN sys.database_principals r ON rm.role_principal_id = r.principal_id WHERE p.name = USER_NAME() AND r.name = 'db_owner';

If your user is a db_owner of a trustedworthy database, you can elevate your privileges:

"use msdb; EXECUTE AS USER = 'dbo';"
PreviousUNC Path InjectionNextLinked Servers

Last updated 2 years ago