Feature Requests

[aconite33]

Would it be possible to add additional functionality to put the system back in a state before exploitation?

E.g., in order to run a command via XP_CmdShell it needs to be enabled. Running Invoke-SQLOSCmd enables the XP_CmdShell, but doesn't disable it afterwards.

Also, doing the privesc (Invoke-SQLEscalatePriv) giving an account sysadm, have a descalation, to return the user to a normal, non-elevated state.

[nullbind]

Bummer I thought I had it setup to restore state. I'll take a look at that along with the other issue you mentioned. Thanks for the heads up, I appreciate it! I'll ping once I make some progress.

[nullbind]

Hi @aconite33,

I tested the most recent version of Invoke-SQLOSCmd. It enabled, and disabled the configurations successfully. In my test environment I used PowerUpsSQL version 1.91.117 to validate Invoke-SQLOSCmd worked correctly against the following standard editions of SQL Server:

• SQL Server 2005
• SQL Server 2008
• SQL Server 2012
• SQL Server 2014
• SQL Server 2016
• SQL Server 2017

What version of SQL Server were you attacking? Also, what version of PowerUpSQL were you running? Maybe it bombed out due to a version issue?

Also, below are a few reasons the the 'xp_cmdshell' and 'Show Advanced Options' configurations would not be disabled at the end of the command execution:

• The configurations were already enabled when you got on the box.
• The command or query execution was interrupted.
• Policy Based Management was configured to prevent certain actions (even as a sysadmin)...I've never actually seen that one in production, but played with it in the lab.

Let me know your thoughts.

Thanks,

Scott

PS: I created a separate ticket for the "Invoke-SQLEscalatePriv" feature request.
#18

[nullbind]

I'm going to close this one out, but let me know if you have any follow up comments.