Clarifications on Popping a reverse shell via SQL link abuse

[GrassfedMeatSticks]

Not sure how far into the weeds you want to get with keeping workspaces, terminals, and operations organized, but without prior experience or your explicit in-person instruction, the Popping a reverse shell via SQL link abuse section would have been difficult to complete. Would this be a good place to gently begin introducing organizing principles for aspiring pen testers?

General recommendations in chronological order:

Pull up Mayfly (creator of GOAD!) blog about attacking SQL here.

• Would it be difficult to stage scripts either on the Kali VMs OR in a place where we could browse to or curl from?

Copy the contents of the python reverse shell code Mayfly supplies us with... Save that to a file called revshell.py in a new tab.

• Would it be overkill or redundant to provide guidance as to how and where you'd like revshell.py to be saved? Should we have spun up an additional exegol workspace or tab? I ran my mssqlclient.py commands from my one exegol prompt.

Setup a "listener" on some random high number port in order to "catch" a shell from BRAAVOS...

• Similar to the previous question/recommendation, would it help specifying this is to be done in a separate terminal tab?

Now go back to your tab where you had mssqlclient.py open, and paste the resulting code into the xp_cmdshell prompt on BRAAVOS, making sure theh command starts with xp_cmdshell:

• Typo (theh).
• Consider "Now go back to the terminal tab with the SQL >braavos (sa dbo@master)> prompt. Type xp_cmdshell then a space, then paste the output from the revshell.py script."

Of note, my reverse shell returned some additional/different output from your screenshot. Not sure if it was because it was done outside of an exegol prompt/session.

[7MinSec]

Great feedback/suggestions here. Yep this page needs some polish.

[GrassfedMeatSticks]

Revisiting this idea as I am starting on Exploiting ESC3 and trying to figure out where I last saw the SQL_SVC plaintext password (Spoiler alert: nxc smb braavos -u student4 -p Password123! --local-auth --lsa from an exegol workspace--though still not 100% on whether/how we may need multiple exegol workspaces (#155) OR multiple terminal tabs/windows into the same exegol workspace (#183)).

I like the iterative structure of the course, however, each new attack path reinforces the importance of keeping listeners/reverse shells, shells, browsers, and captured secrets organized. Though this environment is crazy-vulnerable, I imagine this iterative process of revisiting previously-pwn'd creds figures prominently in real-world penetration tests.

[7MinSec]

Thanks for all the feedback. I agree the steps for reverse shell are a lot. I think in the live environment it will make more sense because I can go slowly with the students and explain each step as we go - so that we can keep track of the different tabs, being in/out of exegol, etc. I'll refine this in the next iteration of curriculum (v1.1).

[GrassfedMeatSticks]

Thanks.

Ran into another instance where organization would be critical: Toward the end of the course in Abusing domain trusts, we have to use ROBB.STARK's password, which was obtained way back on Validating ROBB.STARK's cracked credential (Had to scroll way back to the nxc smb north.sevenkingdoms.local -u robb.stark -p 'Robbs-cracked-password' command to find it).

[7MinSec]

OK will bake that into future curriculum clarifications.

[GrassfedMeatSticks]

The Putting it all together section is a great example of what I was recommending. Not sure when it was created, but something like this can help n00bs conceptualize how I they may want to organize their loot.

[GrassfedMeatSticks]

Revisiting this on my second run through and found some new issues. Here's a summary of the requested changes from this issue so they don't all get jumbled and lost (sorry for the comment formatting):

• Consider setting up the netcat listener BEFORE tinkering with the Mayfly script. I think it'll flow much better. Consider:
  1. Open a new terminal tab.
  2. Setup a "listener" on some random high number port in order to "catch" a shell from BRAAVOS: nc -lvp 7777 + your bulleted explanation and screenshot.
  3. Pull up Mayfly (creator of GOAD!) blog about attacking SQL here.
  4. Scroll nearly to the bottom and copy the contents of the python reverse shell code Mayfly supplies us with...
  5. Open a new terminal tab.
  6. Create revshell.py via nano revshell.py
  7. Paste and save the script.
  8. Run the revshell.py script, substituting in your IP address and listener port. This will generate obfuscated PowerShell code you can use on your xp_cmdshell prompt to kick off a shell to your attacking system....
  9. Copy the output to your clipboard.
  10. Now go back to your exegol tab where you had mssqlclient.py open, type xp_cmdshell then a space, then paste the output from the revshell.py script."
• Note there was a typo in the original step 10 above ("theh") that still seems to have persisted.
• Consider staging scripts like the Mayfly script either on the Kali VMs OR in a place where we could browse to or curl from to facilitate acquisition.
• Consider guiding students on how best to to keep their loot, shells, creds, and windows organized.
• Consider indicating whether/when/if we can close the SQL connection in our first exegol window so we can use that shell again (unless it is best practice to continue to spawn new exegol tabs).

[GrassfedMeatSticks]

@7MinSec , I know you've flagged this for the 1.1 revision, but there is a minor typo and reorganization effort here that might be worth baking into the 1.0.