Quick noddy breakout tip using Favourites

I did another Citrix breakout job just the other day and as per usual found the effectively cosmetic only lockdown provided for by group policy… remember kids: “Group Policy is not a security boundary”.

So I had a bit more of a play about, imagining I had less access than I did. Turns out that while file paths and calls were correctly disabled within the address bar of Internet Explorer, I could quite happily specify them as a link within the favourites bar by modifying a pre-existing favourite and then clicking it.

“Right click, add toolbar, links”
Why on earth does this method work if paths are disabled in IE?!

Clicking the abused favourite link would then pop explorer (or tbh anything you like, it’s effectively a .lnk at this point).

Yes… classic armadillo security – Crunchy on the outside, gooey on the inside. #DimeBar

Not world-destroying by any means but yet another method of breakout worth considering. Not sure why I’ve not used this before now but meh, it’s one to remember for next time 🙂
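From the defender's side, IE favourites are plain `.url` files with a `URL=` line under `[InternetShortcut]`, so a locked-down profile can be audited for favourites whose target is not a web link. This is an added example, not part of the original post; the http/https allow-list and the sample favourites are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: favourites should only be web links
# Constructed sample favourites (not taken from a real system).
SAMPLE = {
    "Intranet.url": "[InternetShortcut]\nURL=https://intranet.example/\n",
    "Help.url": "[InternetShortcut]\nURL=file:///C:/Windows/explorer.exe\n",
    "News.url": "[DEFAULT]\nBASEURL=https://news.example/\n"
                "[InternetShortcut]\nURL=C:\\Windows\\System32\\cmd.exe\n",
}

def favourite_target(text: str) -> str:
    """Return the URL= value from the [InternetShortcut] section, or ''."""
    section = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and line.lower().startswith("url="):
            return line[4:].strip()
    return ""

def is_suspicious(target: str) -> bool:
    """True for anything that is not an http(s) URL: file:, drive or UNC paths, empty."""
    try:
        return urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES
    except ValueError:  # malformed URL: report it rather than skip it
        return True

def audit_favourites(root: Path) -> list:
    """List (file name, target) for every .url under root with a non-web target."""
    findings = []
    for url_file in sorted(root.rglob("*.url")):
        text = url_file.read_text(encoding="utf-8-sig", errors="replace")
        target = favourite_target(text)
        if is_suspicious(target):
            findings.append((url_file.name, target))
    return findings

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return audit_favourites(Path(tmp))

if __name__ == "__main__":
    for name, target in demo():
        print(f"{name}: {target or '(no URL)'}")
```

Point `audit_favourites` at a user's Favorites directory to run it against real data.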

Updating the Thinkpad X220 BIOS…

So this is more for my notes and I suppose to save anyone else out there the pain I’ve just gone through for the last few hours trying to upgrade my v1.20 BIOS to the latest 1.44.

So I followed endless guides after failing a few times myself and nothing seemed to work. Grub image booting was the closest but in that mode while it successfully booted the update tool, it disabled the onboard keyboard and no external usb keyboard I had available would work either.

For this you will need:

  • Windows VM
  • Yumi MBL (the stable version worked fine for me, didn’t need the UEFI beta)
  • A suitable USB key that is seen by your Thinkpad within the BIOS.

  1. First, plug the USB key you intend to burn the image to into the laptop.
  2. Not all my USB keys worked; I had more success with USB2.0 keys vs USB3.0 supporting ones.
  3. Bounce the box and get into the BIOS.
  4. Navigate to where you can specify the boot order.
  5. Look for the label of your USB drive showing next to USB HDD. If it’s not there, you’re going to need another key. If it is, continue!
  6. Set the order such that the USB will boot first in the list.
  7. Set the BIOS boot support to both (not UEFI only, we’re going legacy mode here just to get the damn thing to boot).
  8. Bounce the box and boot into your OS.
  9. Fire up your Windows VM. Download the YUMI Multiboot Linux executable to disk.
  10. Download the Lenovo update image available from the Lenovo support website.
  11. Get your USB key into your Windows VM.
  12. Using YUMI MBL, select the option to “boot unlisted iso (GRUB)” and tick “format fat32” then select the Lenovo ISO.
  13. Click next, etc… and wait for the USB key to be created.
  14. When created, reboot your host and leave the USB key where it is; it’ll hopefully (providing you’ve set up the boot order correctly) boot up just fine on its own.

YUMI will boot and offer you a grub menu, select “boot unlisted iso” and select the lenovo iso from the list.

This will finally get the ISO booted and crucially you’ll have a keyboard that works. Check it with a quick F1 before you go any further; if it doesn’t work you’re on your own. I spent like 6 hours trying different combinations to get this damn thing updated.

Select option 2 to start the upgrade process, accept the warnings and wait a while. It’ll warn you and offer you the opportunity to “do not remove the cd or remove the cd”. Pull the usb drive at that point and hit enter.

Your Thinkpad will reboot, you’ll see a message saying “updating electronic control program” or words to that effect for a short period of time before another reboot and it booting into your original hdd os.

Reboot once again and smash that ThinkVantage button (if the ThinkVantage button doesn’t appear to be working, alternate smashing the F1 button too) to get back into the BIOS and check the version numbers; they should now be updated. Go back through where you’ve screwed with your boot order and UEFI support and set them all back to where you want them and you’re done!

Grab a cuppa, stick your feet up and chill, you’re done!

Control Panel Funtimes – Basic but worthy of note

Accessing control panel applets via control.exe and rundll32 or just directly calling the .cpl, like ncpa.cpl to access network settings is not new.

I find myself often referring to a friend’s blog over here: https://www.attackdebris.com/?p=143

Where he breaks out some of the other tools that are always handy on a breakout job, the amount of times that the dsquery line has come in handy on everything from breakouts to redteam engagements is insane.

What is new however is me losing my damn notes file on them, thankfully it seems Microsoft has published their own notes so for those of us with rubbish memories…

Here you go: https://support.microsoft.com/en-us/help/192806/how-to-run-control-panel-tools-by-typing-a-command

Key bit: “rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl”.

Oh and another golden oldie while we’re at it, introducing Godmode a feature that’s existed for bloody yonks…

  • Create a folder
  • name it: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
  • Open it.

See shortcuts to every control panel option your account should have access to.
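For anyone monitoring a locked-down desktop, the launch styles mentioned above (control.exe, rundll32 with `Control_RunDLL`, a `.cpl` called directly) and the GodMode folder name can be matched in process-creation and file-creation telemetry. This is an added example, not part of the original post; the sample command lines are constructed and the function names are hypothetical.

```python
import re

GODMODE_CLSID = "{ED7BA470-8E54-465E-825C-99712043E01C}"  # value quoted in the post
APPLET = re.compile(r"([\w-]+\.cpl)\b", re.I)

def image_name(cmdline: str) -> str:
    """Lower-cased basename of the first token, i.e. the executable being run."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    if not m:
        return ""
    return re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower()

def classify(cmdline: str):
    """Return (launch method, applet) for a Control Panel launch, else None."""
    image = image_name(cmdline)
    found = APPLET.search(cmdline)
    applet = found.group(1).lower() if found else ""
    if image in ("rundll32", "rundll32.exe") and re.search("Control_RunDLL", cmdline, re.I):
        return ("rundll32", applet)
    if image in ("control", "control.exe"):
        return ("control.exe", applet)
    if found:
        return ("direct .cpl", applet)
    return None

def is_godmode_folder(name: str) -> bool:
    """True for any folder name carrying the GodMode CLSID as its extension."""
    return name.upper().endswith("." + GODMODE_CLSID)

# Constructed process-creation command lines (not from a real log).
SAMPLE_CMDLINES = [
    "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl",
    '"C:\\Windows\\System32\\control.exe" ncpa.cpl',
    "cmd.exe /c C:\\Windows\\System32\\ncpa.cpl",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\kiosk\\control notes.txt",
]

def scan(cmdlines):
    """Pair each matching command line with its classification."""
    return [(c, hit) for c in cmdlines if (hit := classify(c))]

if __name__ == "__main__":
    for cmdline, (method, applet) in scan(SAMPLE_CMDLINES):
        print(f"{method:12} {applet or '-':12} {cmdline}")
```

The executable is taken from the first token only, so a file argument that merely contains the word "control" (the last sample line) is not flagged.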