So, this is probably a bug, but I thought it was something interesting to exploit and examine. I was able to get PowerShell access at the console for Nano server. This only works with the PowerShell runtime, not the command prompt.
I have a Windows Server 2016 Nano server running locally on my laptop under Hyper-V. Here’s the console view from Hyper-V initially:
I enter a PSSession with the VM and then execute “powershell.exe”.
Now the console has changed to a solid cursor:
From here, I can enter commands at the console window. The results from stdin and stderr are echoed back to the original PowerShell window.
And you can execute non-readonly commands, like Stop-Process. You don’t need to use the -Force switch; it will prompt you at the console window and allow you to input your confirmation.
I confirmed my user context was the same as what I had started my remote PSSession with:
You can see that my user name is Administrator, which matches the credentials I provided to Get-Credential. So, this essentially gets you console access that persists after the PowerShell session has been closed. Not sure if there’s anything more to do from here, since the same protections for the OS should be in place, but it could be an interesting avenue to test.
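Because the spawned powershell.exe is described as outliving the remoting session, an administrator may want to check a Nano server for leftover instances. The following is an added example, not code from the original post. It assumes the server is reachable over PowerShell remoting, uses the placeholder host name `nano01`, and treats "parent process no longer running" as a heuristic for an instance left behind by a closed session.

```powershell
# Added example: inventory powershell.exe processes on a remote server and
# flag those whose parent process has exited.
# Assumptions: 'nano01' is a placeholder host name; the "Orphaned" flag is a
# heuristic, not proof that a process came from a closed remoting session.
param(
    [string]$ComputerName = 'nano01',
    [pscredential]$Credential = (Get-Credential)
)

$report = Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
    $all = Get-CimInstance -ClassName Win32_Process

    # Index every running process by PID so parents can be looked up.
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }

    foreach ($ps in ($all | Where-Object { $_.Name -eq 'powershell.exe' })) {
        $parent = $byPid[[uint32]$ps.ParentProcessId]

        # PIDs are reused: a "parent" created after the child is an unrelated
        # process that inherited the number, so treat the real parent as gone.
        if ($parent -and $parent.CreationDate -gt $ps.CreationDate) { $parent = $null }

        [pscustomobject]@{
            ProcessId  = $ps.ProcessId
            SessionId  = $ps.SessionId
            Started    = $ps.CreationDate
            ParentPid  = $ps.ParentProcessId
            ParentName = if ($parent) { $parent.Name } else { '<exited>' }
            Orphaned   = -not $parent
        }
    }
}

# Oldest first, so long-lived instances stand out.
$report | Sort-Object Started |
    Format-Table ProcessId, SessionId, Started, ParentPid, ParentName, Orphaned -AutoSize
```

The check itself runs inside the remoting host process, so it does not add a powershell.exe entry of its own to the report.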