OSEP DeHospital Walkthrough Part 3: Lateral Movement and SQL Links
← Back to Blog

OSEP DeHospital Walkthrough Part 3: Lateral Movement and SQL Links


OSEP DeHospital Walkthrough Part 3: Lateral Movement and SQL Links

In the DeHospital environment, reaching the deepest network enclaves requires mastery of database exploitation. The PEN-300 exam tests your ability to pivot through isolated subnets by abusing Microsoft SQL Server links, a critical technique for capturing the internal flags.

⚠️ Stuck on the Database Pivot? SQL lateral movement is complex. See exactly how the pros chain OPENQUERY attacks by referencing our DeHospital Lateral Movement Guide.

Weaponizing the Hospital Databases

The DeHospital infrastructure relies heavily on linked patient and administrative MSSQL databases. Standard networking pivoting tools (like Chisel) may not reach these restricted segments directly.

  • Enumerating Linked Servers: Once you compromise a low-tier SQL service account, you must query master..sysservers to find database links bridging the network gap.
  • Executing xp_cmdshell: Pivot through the database links using nested OPENQUERY commands. By enabling and executing xp_cmdshell on the remote linked server, you can force it to download and execute your C# shellcode, granting you a shell in the restricted zone.

Execute Flawless Lateral Movement

Get the exact SQL syntax, nested queries, and pivoting strategies required to traverse the DeHospital network.