Foreword:

I started writing this blog post a long time ago (October 2013 wordpress tells me) and figured it was about time I published it just to clear my decks of “draft” posts as it were. I intend to publish things more often but maybe not all Pentest based, some ham radio and electronics gumpf may filter into it as those are also hobbies of mine.

With that and the slight addition that this was going to be NFAL Episode Two on it’s own so its now kind of NFAL Episode 2.5 The continuing adventures of noddy testing… on with the original post!

Background

Forgive me if this comes across as teaching all 1 of my readers to suck eggs but this is just a dump of common ways I often find useful for breaking out of kiosk jails.If you’re a penetration tester or even a savvy user, chances are you already know of these methods but this is noddy stuff, purely because I thought it made for a fun blogpost, it was fun playing with it on client systems at least.

I did this as a talk at an internal company training day and titled it “Smashing Windows” slides for the talk will be attached at the bottom of the blogpost for what it’s worth but I’ve no recording of it and this blog post is essentially just it regurgitated from memory 🙂

Recently I did some testing involving the “Remote Application” features of terminal services through a terminal services web gateway.

Initially logging in using AD credentials on the front page you’ll be presented with a few icons on the webpage which in turn launches applications. (Similar to CITRIX stuff i’ve seen in the past). You get presented with a full application as if it is on your desktop, similar in the way VMWare Fusion works on the Mac, its not a full “session” but rather an “application session”.

The beauty with it (at least from our point of view) is that File – Open, will open files on the remote server (providing they haven’t GPO’d paths out of the address bar, etc).

Spawning any processes will spawn them on the remote server and present them to you over terminal services. So if you get an external link to click, it’ll spawn IE which again will be on the remote server.

Another thing to note is that the processes you’re spawning will be on the application server serving that particular application not the web host that is just presenting the applications.

For a recent client I had access to about 6 different applications each one hosted by a pair of load balancing application servers. So breaking the jail on one, got me MSTSC and I just logged in using that into the other application servers/etc that made up the network (having a nice portable portscanner/discovery tool is very useful at this point).

Method #1 – Open Sesame

The File Open and File Save dialogs are king. If you have access to one of these you’ve basically got a mini explorer.exe. There are several avenues of attack.

The File Open dialog box, a veritable feast of juicy jail breaking goodness.

The Orange Box – Known as the breadcrumb, this little thing normally is affected by some GPO and is limited in use but can be handy hopping back up the directory structure.

The Yellow Box – Filename box, Unlike the breadcrumb this one appears to be affected by different GPO policies and is not always locked down. I have been able to browse to C:\windows\system32\cmd.exe in here when the breadcrumb wouldn’t let me out of my own profile. Try typing exact paths to existing files and you may find yourself lucky.

The Red Box – Search and Help. Two great ways of breaking out of the jail. Search can often get you files, providing your “high” enough up the tree. Help can find you ways of popping Internet Explorer open. So can search if its unsuccessful finding files, it’ll often prompt you for “search online” which will likely result in IE spawning.

The rest… it’s unlikely you’ll get a nice folder pane on the left hand side, normally you’ll end up with some basic folders available but no ability to browse out of your user profile if its locked down, but its worth a quick look and the file type box, that will limit you when writing a file or saving one. If it has an “all files” option, that’s better.

Finally right click! try it… if you’re lucky you’ll be able to write a file, rename it to .bat or .vbs, get some script running commands for you, its a long shot but hey it might work.

Method Two: IExplore.exe your hard drive

Aside from the usual address bar file://c:\ or browsing to your own metasploit browser autopwn. There are also ways and means of breaking out of this that aren’t so obvious.

File – Open… Or the address bar, IE can open any files. It’s not limited by file filter, it can also open network resources just fine and view folders. Great for accessing hack armoury resources.

Drag and drop… Want to exploit the file “open with” dialog? Drag and drop an unknown file extension onto it and it’ll pop it right up after you hit “open”.

Working on an embedded windows client (*Cough* Embedded XP Wyse Terminals*cough*) and have no access to the file system? That sucks. Try tools – Internet options, open objects and open files will often net you two different drives, the first being the system ram drive, the second being your user profile area.

Finally, have access to the file system but still can’t spawn anything interesting? Try firing up word or any of the office suites, how?… Look for “read me” and licence files.

You may get lucky and find some .doc style terms of service links or be able to create your own .doc. Once you’re in word go for macro execution and you’re winning.

Method 3: If in doubt… give it a clout!

Also consider the windows error reporting dialog, on one particular job I couldn’t access notepad.exe myself and the file open dialog I had access to could only see *.acme files, so was pretty useless.

Help and support was disabled so help got me nothing, however entering in a string instead of a number into an input field of the application would cause the application to crash and the windows error reporting window to pop up from there I viewed the microsoft privacy policy and pow… Internet explorer! which lead me onto bigger and better things 😉

Powerpoint Presentation: Smashing Windows

Using VBS to fire up FTP as a local command shell

This is probably a duplicate somehwere but I wanted it noted for my own use anyway – here’s a very handy VBS that does the job nicely for accessing useful commands as a user on a locked down desktop.

In this example I choose to fire up FTP.exe as its well known that local commands can be run within the FTP.exe interface.

'run ftp

CreateObject("WScript.Shell").Run "cmd.exe /k ftp"

Using the above and the bang character, this will allow you to run commands on the host. For example: !cd or !c:\windows\system32\calc.exe

Odd Behaviour: On XP64 !cd did not appear to persist the path post it’s single command, however on windows 7 and 32bit XP it did so. Pretty noddy stuff but useful to remember.

No Macros Allowed?

Myself and a colleague were presented with a “Defect Fixed, macros are completely disabled on the host” statement from a long term pentest engagement, I was new to the project so decided to give it a good kicking.

At first glance, no access to the editor was possible and only trusted signed macros were capable of running. We could be forgiven at this point for even mistakenly “passing” the defect if we hadn’t been so determined.

After a bit of poking and managing to pop open the editor across the office suite, I was convinced I could get it to play ball all the way. My colleague thankfully indulged my inane ramblings about digitally signing and feeling like it’s so close to popping.

3 to 4 hours later and a fair few dead ends, we got macro editing and execution as a trusted signed macro across all the office apps available on the host (aside from outlook, that could probably fall too given more poking but we had proved our point).

What follows is a quick run through of what we did:

First problem, Creating the macro – we need an editor

If the macro menu is disabled and the buttons on the developer toolbar are greyed out (or even removed from the interface) try the following.

In Word: Right click the toolbar, select “customise quick access toolbar”, select “all commands” and add the buttons labelled “view code” and “design mode”. The view code button will be greyed out until the design mode button is pressed so press the design mode button, hit view code and voila the VB Editor pops open!

In Excel: Right click the sheet tab and select view code – it is also accessible through the same way it was in Word.

In Powerpoint: There should already be a view code option on the ribbon. Failing that activate it as you would in Word above.

Just sign here, here and here

Our second issue, accessing the security window and then the macro security window using the above toolbar button method (anything with the word macro in was disabled from a UI point of view in the ribbon menus, so you had to load the plain “security” window in order to get the macro security screen to pop). We could see that only signed macros were allowed to run. Nightmare, what can we do now?

Well, coming at this from a lockdown breakout just don’t save the document. Group Policy only applies in terms of macro execution to a saved word document. Writing a macro and executing it instantly is usually not blocked.

However this is a long term pentest engagement and sometimes the ability to save documents and have say your VBA port scanner or VBA based file downloading widget saved for later use on other engagements is a useful thing. We used to just copy paste from text files but that’s frustrating and doesn’t allow you to really go to down with forms and things to prettify your attack “docs” 🙂

So we need to sign our macros. While poking about the office program files folders I noted the following executable: selfcert.exe

Run it, and it’ll produce a lovely new certificate for you to sign your macros with, now granted it’s self signed but word doesn’t really care too much about that.

Tools -> Digital Signatures -> Choose Certificate -> Select your cert. Now it’s signed. You may need to reopen the document to get it to run.

This is all fantastic until…

But wait, mommy told me not to run macros from strangers…

Okay so we’ve got our macro signed, but due to the security settings they’ve hobbled it further and disabled any prompting for self-signed macros, allowing only trusted macros to run. So we need to find a way to explicitly trust our self-signed macro.