Foreword:
I started writing this blog post a long time ago (October 2013 wordpress tells me) and figured it was about time I published it just to clear my decks of “draft” posts as it were. I intend to publish things more often but maybe not all Pentest based, some ham radio and electronics gumpf may filter into it as those are also hobbies of mine.
With that and the slight addition that this was going to be NFAL Episode Two on it’s own so its now kind of NFAL Episode 2.5 The continuing adventures of noddy testing… on with the original post!
Background
Forgive me if this comes across as teaching all 1 of my readers to suck eggs but this is just a dump of common ways I often find useful for breaking out of kiosk jails.If you’re a penetration tester or even a savvy user, chances are you already know of these methods but this is noddy stuff, purely because I thought it made for a fun blogpost, it was fun playing with it on client systems at least.
I did this as a talk at an internal company training day and titled it “Smashing Windows” slides for the talk will be attached at the bottom of the blogpost for what it’s worth but I’ve no recording of it and this blog post is essentially just it regurgitated from memory 🙂
Recently I did some testing involving the “Remote Application” features of terminal services through a terminal services web gateway.
Initially logging in using AD credentials on the front page you’ll be presented with a few icons on the webpage which in turn launches applications. (Similar to CITRIX stuff i’ve seen in the past). You get presented with a full application as if it is on your desktop, similar in the way VMWare Fusion works on the Mac, its not a full “session” but rather an “application session”.
The beauty with it (at least from our point of view) is that File – Open, will open files on the remote server (providing they haven’t GPO’d paths out of the address bar, etc).
Spawning any processes will spawn them on the remote server and present them to you over terminal services. So if you get an external link to click, it’ll spawn IE which again will be on the remote server.
Another thing to note is that the processes you’re spawning will be on the application server serving that particular application not the web host that is just presenting the applications.
For a recent client I had access to about 6 different applications each one hosted by a pair of load balancing application servers. So breaking the jail on one, got me MSTSC and I just logged in using that into the other application servers/etc that made up the network (having a nice portable portscanner/discovery tool is very useful at this point).
Method #1 – Open Sesame
The File Open and File Save dialogs are king. If you have access to one of these you’ve basically got a mini explorer.exe. There are several avenues of attack.
The Orange Box – Known as the breadcrumb, this little thing normally is affected by some GPO and is limited in use but can be handy hopping back up the directory structure.
The Yellow Box – Filename box, Unlike the breadcrumb this one appears to be affected by different GPO policies and is not always locked down. I have been able to browse to C:\windows\system32\cmd.exe in here when the breadcrumb wouldn’t let me out of my own profile. Try typing exact paths to existing files and you may find yourself lucky.
The Red Box – Search and Help. Two great ways of breaking out of the jail. Search can often get you files, providing your “high” enough up the tree. Help can find you ways of popping Internet Explorer open. So can search if its unsuccessful finding files, it’ll often prompt you for “search online” which will likely result in IE spawning.
The rest… it’s unlikely you’ll get a nice folder pane on the left hand side, normally you’ll end up with some basic folders available but no ability to browse out of your user profile if its locked down, but its worth a quick look and the file type box, that will limit you when writing a file or saving one. If it has an “all files” option, that’s better.
Finally right click! try it… if you’re lucky you’ll be able to write a file, rename it to .bat or .vbs, get some script running commands for you, its a long shot but hey it might work.
Method Two: IExplore.exe your hard drive
Aside from the usual address bar file://c:\ or browsing to your own metasploit browser autopwn. There are also ways and means of breaking out of this that aren’t so obvious.
File – Open… Or the address bar, IE can open any files. It’s not limited by file filter, it can also open network resources just fine and view folders. Great for accessing hack armoury resources.
Drag and drop… Want to exploit the file “open with” dialog? Drag and drop an unknown file extension onto it and it’ll pop it right up after you hit “open”.
Working on an embedded windows client (*Cough* Embedded XP Wyse Terminals*cough*) and have no access to the file system? That sucks. Try tools – Internet options, open objects and open files will often net you two different drives, the first being the system ram drive, the second being your user profile area.
Finally, have access to the file system but still can’t spawn anything interesting? Try firing up word or any of the office suites, how?… Look for “read me” and licence files.
You may get lucky and find some .doc style terms of service links or be able to create your own .doc. Once you’re in word go for macro execution and you’re winning.
Method 3: If in doubt… give it a clout!
Also consider the windows error reporting dialog, on one particular job I couldn’t access notepad.exe myself and the file open dialog I had access to could only see *.acme files, so was pretty useless.
Help and support was disabled so help got me nothing, however entering in a string instead of a number into an input field of the application would cause the application to crash and the windows error reporting window to pop up from there I viewed the microsoft privacy policy and pow… Internet explorer! which lead me onto bigger and better things 😉
Powerpoint Presentation: Smashing Windows