OSEP DeHospital Walkthrough Part 3: Lateral Movement and SQL Links
OSEP DeHospital Walkthrough Part 3: Lateral Movement and SQL Links
In the DeHospital environment, reaching the deepest network enclaves requires mastery of database exploitation. The PEN-300 exam tests your ability to pivot through isolated subnets by abusing Microsoft SQL Server links, a critical technique for capturing the internal flags.
⚠️ Stuck on the Database Pivot? SQL lateral movement is complex. See exactly how the pros chain OPENQUERY attacks by referencing our DeHospital Lateral Movement Guide.
Weaponizing the Hospital Databases
The DeHospital infrastructure relies heavily on linked patient and administrative MSSQL databases. Standard networking pivoting tools (like Chisel) may not reach these restricted segments directly.
- Enumerating Linked Servers: Once you compromise a low-tier SQL service account, you must query
master..sysserversto find database links bridging the network gap. - Executing xp_cmdshell: Pivot through the database links using nested
OPENQUERYcommands. By enabling and executingxp_cmdshellon the remote linked server, you can force it to download and execute your C# shellcode, granting you a shell in the restricted zone.
Execute Flawless Lateral Movement
Get the exact SQL syntax, nested queries, and pivoting strategies required to traverse the DeHospital network.