Thick Client — Attacking databases the fun/easy way

Richard Clifford
Sep 26, 2018 · 2 min read

I was recently looking at a desktop application of a large security firm which manages the security of various large buildings around the UK. The application was fairly straightforward for a standard thick client which retrieved and stored data in SQL Server on a remote host.

The test started off as every other test does — setting up tools, installing dependencies, etc. If you are familiar with a web assessment or a thick-client assessment then the methodology should be familiar to you. Once I had the basic tools set up, such as Echo Mirage, Burp, etc., it was a case of looking through the traffic to see if there was anything interesting. After going through the application and logging the traffic I found something interesting!

The application was connecting to the database over a clear-text connection which meant the database credentials were being sent.

[Disclaimer] I am going to redact any sensitive information.

[Screenshot] Credentials being sent over clear-text

From this I was able to grab the database credentials, use the Metasploit module “windows/mssql/mssql_payload” and get a Meterpreter shell. The joy of this is that the shell was running as SYSTEM! \o/

[Screenshot] SYSTEM shell on the database server

From Metasploit and the Meterpreter shell I was able to dump the entire database, create new users on the system, pivot through the network, etc. It goes to show that it’s not a great idea to send credentials over clear-text.
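As an added defensive check (example code, not from the original post): the first packet a SQL Server client sends is a TDS PRELOGIN, and its ENCRYPTION option says whether the login and the rest of the session will be protected. The parser below follows the MS-TDS layout (8-byte header, then an option table of token/offset/length entries terminated by 0xFF) and classifies a capture; the sample packet is constructed here, not a real capture.

```python
"""Classify a TDS PRELOGIN packet by its ENCRYPTION option (MS-TDS)."""
import struct

TDS_PRELOGIN = 0x12        # TDS packet type: PRELOGIN
OPT_ENCRYPTION = 0x01      # PRELOGIN option token: ENCRYPTION
OPT_TERMINATOR = 0xFF      # end of the option table
# ENCRYPTION values: 0 = OFF (login packet only is encrypted),
# 1 = ON, 2 = NOT_SUP (nothing encrypted), 3 = REQ
VERDICT = {
    0: "login_only_encrypted",           # session data goes in the clear
    1: "encrypted",
    2: "credentials_and_data_cleartext", # the case shown in the post
    3: "encrypted",
}

def build_prelogin(encryption: int) -> bytes:
    """Construct a minimal PRELOGIN packet (sample data, not a real capture)."""
    # Entries are token(1) | offset(2, BE) | length(2, BE); offsets are
    # relative to the start of the payload (right after the TDS header).
    version = bytes([0x0B, 0x00, 0x0C, 0x94, 0x00, 0x00])  # VERSION option body
    table_len = 5 + 5 + 1                                  # two entries + terminator
    table = struct.pack(">BHH", 0x00, table_len, len(version))
    table += struct.pack(">BHH", OPT_ENCRYPTION, table_len + len(version), 1)
    table += bytes([OPT_TERMINATOR])
    payload = table + version + bytes([encryption])
    # Header: type, status (0x01 = end of message), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload

def prelogin_encryption(packet: bytes):
    """Return the ENCRYPTION option value, or None if absent / not a PRELOGIN."""
    if len(packet) < 8 or packet[0] != TDS_PRELOGIN:
        return None
    length = struct.unpack(">H", packet[2:4])[0]
    payload = packet[8:length]
    pos = 0
    while pos + 5 <= len(payload) and payload[pos] != OPT_TERMINATOR:
        token, offset, opt_len = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_ENCRYPTION and opt_len == 1 and offset < len(payload):
            return payload[offset]
        pos += 5
    return None

def classify_prelogin(packet: bytes):
    """Map the negotiated-encryption request to a human-readable verdict."""
    enc = prelogin_encryption(packet)
    return VERDICT.get(enc) if enc is not None else None
```

Run this over the client-side PRELOGIN from a capture; a verdict of `credentials_and_data_cleartext` is the condition to fix on the client (require encryption) and on the server (Force Encryption).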
