Skip to content

adip-offensec/MSSQLChainLab

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
scripts
scripts
 
 
README.md
README.md
 
 
Vagrantfile
Vagrantfile
 
 

Repository files navigation

MSSQL Linked Server Attack Chain Lab

An educational lab demonstrating SQL injection leading to MSSQL linked server pivoting across multiple Windows servers.

Lab Architecture

VM IP Role
web01 192.168.56.10 IIS with vulnerable ASP.NET app
sql11 192.168.56.11 Primary MSSQL (contains FlightDB)
sql27 192.168.56.27 Linked SQL Server
sql53 192.168.56.53 Final target SQL Server

Prerequisites

  • VirtualBox (latest version)
  • Vagrant (v2.4+)
  • At least 8 GB RAM (4 VMs × 2 GB)
  • 60 GB free disk space
  • Internet connection (for downloading base boxes)

Quick Start

# Navigate to the lab directory
cd /path/to/MSSQLChainLab

# Start all VMs (this will take 1-2 hours on first run)
vagrant up

# Check VM status
vagrant status

# SSH into a specific VM
vagrant ssh web01
vagrant ssh sql11

Attack Path

  1. Reconnaissance: Scan the subnet 192.168.56.0/24
  2. SQL Injection: Exploit vulnerable web app at http://192.168.56.10/SQLiApp/Search.aspx
  3. Gain Sysadmin: Use SQLi to get sysadmin on sql11
  4. Pivot via Linked Servers: sql11 → sql27 → sql53
  5. Capture Flags: Read C:\flag.txt on each SQL server

Flags

Flag Location
FLAG{SQL11_Compromised} sql11: C:\flag.txt
FLAG{SQL27_Compromised} sql27: C:\flag.txt
FLAG{SQL53_Compromised} sql53: C:\flag.txt

Credentials

Service Username Password
SQL (web_svc) web_svc WebSvc123!
SQL (sa) sa P@ssw0rd!
SQL (link_user) link_user LinkPass123
Vagrant vagrant vagrant

Vulnerabilities

  • SQL Injection: Vulnerable ASP.NET page with string concatenation
  • Weak Authentication: SQL accounts with weak passwords
  • Excessive Privileges: web_svc has sysadmin role
  • Linked Server Misconfiguration: Linked servers allow pivoting

Troubleshooting

# View provisioning output
vagrant provision

# Destroy and recreate a specific VM
vagrant destroy sql11
vagrant up sql11

# Check logs
vagrant ssh sql11
Get-EventLog -Application -Newest 50

Cleanup

# Destroy all VMs
vagrant destroy -f

# Or destroy specific VM
vagrant destroy web01

Network Configuration

The VMs communicate on a private VirtualBox network:

  • Network name: mssql-net
  • Subnet: 192.168.56.0/24

Your attacker machine should be on the same host-only network to access the lab.

Educational Use Only

This lab is designed for security training and CTF practice. Do not use these techniques in production environments.

About

MSSQL Linked Server Attack Chain Lab - Educational security lab demonstrating SQL injection and pivoting

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages