Assigned Access Kiosk - BREAKOUT ("Hard Mode")
- Published 1 Jun 2024
- Huge thanks to Micro Center for sponsoring this video! Check them out here:
New Customers Exclusive - Get a Free 240gb SSD at Micro Center: micro.center/4eec2e
Check out the ASUS PC builder: micro.center/387a98
Join the Micro Center Community: micro.center/9ad8fd
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/johnhammond010
E-mail: johnhammond010@gmail.com
Discord: johnhammond.org/discord
Twitter: / _johnhammond
GitHub: github.com/JohnHammond
00:00 Thank You to Our Sponsor!
02:17 Intro and Recap
03:15 CORRECTION- Credentials NOT needed
04:47 Demo of the Original Breakout
09:00 The Trick
10:22 CORRECTION - This file path and credentials are NOT needed
13:54 Watching our Kiosk break on reboot
16:09 Exploring online resources to pop open Explorer
18:11 NEW Demo - Without using credentials
21:40 Just takes the filename -- no directory changes needed
23:34 Outro
If you would like to support the channel and me, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE, offering smart completions and documentation. www.kite.com/get-kite/?... (disclaimer, affiliate link)
Wow that’s a crazy coupon!
Hey John, what happens if blockchain is implemented everywhere... will pentesting die?
You want to teach CTF analysis and all that, great, I'm here for that. BUT how about you do a video or a series where you go over Windows, macOS and Linux regarding protection.
How can we know if we got some infection on our PC? Like how to be safe 101, because with all that knowledge surely you know more than "Install anti-virus X".
Would be interesting to see the defence side as "consumer" and as deep understanding
Microcenter is amazing but there's barely any stores near me :(
I think the real point of this video is showing how difficult it is to lock down a machine against a reasonably knowledgeable and dedicated attacker. Management thinks they can replace staff with kiosks for self-service. But there still needs to be a human watching the kiosks to keep a lookout for hackers.
Shushhhhhh. Dont tell them. We want to be able to place zero cost orders!
But there has to be a way for a tech to be able to work on it
I was able to breakout of a Trader Joes product lookup kiosk literally using the keyboard. Open the keyboard, press the keyboard settings button, press the settings button which will show the taskbar and open settings, close the fullscreen microsoft edge window, and PROFIT!
Sure, we gained access to a standard-user level CMD. I'd love to see this taken further with a privesc up to getting an actual Administrator-level CMD to fully "own the box"!
Any standard privesc route could work, there is nothing inherent to a kiosk that brings a privesc with itself afaik. Also, the question of why has to be asked, what would you wanna do on that kiosk that only an admin could be able to do?
@@flrn84791 install a key logger?
Most kiosk configurations run with a touchscreen. The monitor in 99% of cases is incorporated in a frame and the USB and other ports are hidden.
Well, yes. But the actual machine has to be somewhere, and it is usually behind a locked door. That is for maintenance. So what you could do is pick the lock and maybe bring your own USB keyboard (preferably wireless), and mouse maybe, and you'll be able to achieve this. I wouldn't suggest you trying this though, because this is actually violation of laws as this is invading a property which isn't your own. Even if you didn't achieve anything with it, you still picked the lock, and that technically is illegal and can land you in jail.
Kiosk is normally one of those mini NUC machines, I know because at our hospital we set them up like that.
Hearing and speech impaired options could be interesting. Input sanitization is always interesting
Had a kiosk at a job that, when the front swung open for removing money, etc., had a slide-out tray with a small keyboard and trackball.
Managed to break my local pub's "car reg entry kiosk" that is only touch screen. Found that holding on certain text areas opened up an emoji window that then allowed you to navigate to a browser. The browser then had access to any other website and (Downloads etc.) folders. You can then change the screen to whatever you like away from the intended use (for example a YouTube video of a guy named Rick..)
Just curious,
1) if you make a .lnk to cmd.exe would that allow you to run it?
2) after you had access to full edge browser, could you have saved a PowerShell script file to give you more access?
3) would running saving/running file from Downloads directory have given you more access?
4) also, in the open/save file dialogue, you might be able to run "copy c:\windows\sysyem32\cmd.exe {whatever dir you want}" since you can run commands from the address bar
I don't think (1) would work out because it's just telling the computer to "run that application over there". The name of the shortcut doesn't affect the name of the program you run. So the shortcut would activate but then you'd get that error message telling you the application couldn't be run.
Also I thought he addressed (4) in the video
@@1stAshaMan i think he only addressed it in terms of "hey its an ms explorer BUT AS A BROWSER". I didnt hear anything about running commands such as copy/paste within the browser itself...
@@anonymousejr Notice the comment above mine says (edited). Before I mentioned it they asked if you could try what you see at about 19:50 in this video. They probably didn't notice that bit and after rewatching decided to ask a new question. I saw the edit but hadn't bothered to fix my comment.
@@1stAshaMan oh, I see... oh well, my bad lol.
ah yes, SYSYEM32
I really enjoyed this adventure John. Microsoft has Windows 10 and 11 IoT versions of the OS targeted at embedded/kiosk system use. Might be worth checking that out also.
0/10 no bing wallpaper app
On a more serious note, really fun video!
A lot of show case computers allow to use paint. I remember that you were able to create cmd with specific paint colors :D
Yup! You make 6x1 pixel 24 bit bmp image, then rename the file with .bat at the end
I did a similar-ish thing with a school computer. The school admin blocked access to the C drive through the file manager, but I figured out that typing C: and then clicking the run command would let me get into the C drive. The admin also blocked CMD but didn't block .bat files, so I did some sysinfo stuff to figure out specs for a friend of mine. It's really interesting learning about a lot of this stuff! Thanks John for making these videos!!!
Hey, so based on my testing and setup you can restrict access to all drives via Group Policy or registry keys; this will block everything in Explorer. Would love to see you do a breakout after adding that policy.
Would love to try -- which policies had you changed or registry keys had you modified to get that set up?
gpedit.msc, you can do it under User or Computer Configuration
User Configuration > Administrative Templates > Windows Components > Windows Explorer > Prevent access to drives from My Computer
Note: there is "hide" and "prevent"; hide will not block the access
@@elie3876 Edge policies can also be used to block: browsing file://, downloading, (most) printing, and file selection dialogs in general
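The two policies discussed in this thread, written out as the registry values gpedit.msc sets, with the "hide vs prevent" caveat made explicit. This is an added example and not code from the video or its author; it assumes machine-wide (HKLM) policy is acceptable on the kiosk (the per-user form of the Explorer policy lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) and that Edge reads the standard HKLM\SOFTWARE\Policies\Microsoft\Edge policy keys. Run elevated on a test machine first.

```powershell
# Added example (not from the video): Explorer drive restriction + Edge file-access policies.
# Assumption: HKLM (computer configuration) policy is what you want; run as an administrator.
$ErrorActionPreference = 'Stop'

$Explorer  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Edge      = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$AllDrives = 0x03FFFFFF   # 26-bit mask, bit 0 = A:, bit 2 = C:, ... every drive letter set

foreach ($key in $Explorer, $Edge, "$Edge\URLBlocklist") {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# WEAK: "Hide these specified drives in My Computer" (NoDrives) only removes the icons.
# Typing C:\ into an address bar or a Ctrl+O dialog still opens the drive, which is the
# "hide will not block the access" point above. Left commented out on purpose.
# Set-ItemProperty -Path $Explorer -Name NoDrives -Value $AllDrives -Type DWord

# CORRECT: "Prevent access to drives from My Computer" (NoViewOnDrive) refuses the open.
Set-ItemProperty -Path $Explorer -Name NoViewOnDrive -Value $AllDrives -Type DWord

# Edge side: no file:// browsing, no downloads, no open/save dialogs, no printing.
New-ItemProperty -Path "$Edge\URLBlocklist" -Name '1' -Value 'file://*' `
    -PropertyType String -Force | Out-Null
Set-ItemProperty -Path $Edge -Name DownloadRestrictions      -Value 3 -Type DWord  # 3 = block all
Set-ItemProperty -Path $Edge -Name AllowFileSelectionDialogs -Value 0 -Type DWord
Set-ItemProperty -Path $Edge -Name PrintingEnabled           -Value 0 -Type DWord

# Read back what was set (Edge also shows the result at edge://policy after a restart).
Get-ItemProperty -Path $Explorer -Name NoViewOnDrive |
    Select-Object NoViewOnDrive
Get-ItemProperty -Path $Edge |
    Select-Object DownloadRestrictions, AllowFileSelectionDialogs, PrintingEnabled
```

Note that NoViewOnDrive is enforced by the Explorer shell and its common dialogs; it does nothing to a cmd.exe that is already running. Stopping the renamed-binary trick itself is a job for an execution-control rule (AppLocker or WDAC), not for Explorer policy.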
More please! It's wonderful!
Nice job, reminds me of exploring through Linux file managers. You can also do that in most web browsers for local file access.
I believe normally the wizard makes the kiosk account with no password to get it to auto-login.
Just watched the previous video, now I’m excited about this!
You could try to create a new folder, then rename the folder to
Controll.{ED7BA470-8E54-465E-825C-99712043E01C}
Where normally you will then get all Windows tools in that special folder.
Thanks! I had forgotten all about this "God Mode" folder trick. IIRC I used it on XP.
Just tried this... hilarious.. love little "cheats" like this
i'm new to networking and IT, and with all our classes virtual, this helps me understand some things, so thank you is what I'm trying to say. lol
Yeah! Another great video from John, the time traveling security professional! 😁
Lol I liked that reference of Loki "Variant timeline" 😂
I always love your videos. Learn lots in every video. Gotta say though, I'd imagine this wouldn't work if you didn't have access to the keyboard, since kiosk mode isn't supposed to be able to have a keyboard except for debugging, and the touch screen keyboard probably won't let you do anything fancy.
There is a shortcut in browsers F4 or F6 depending on the browser to directly change the URL, so maybe you can try that...
awesome series John thanks :)
This makes me wonder : if the kiosk is going to run a browser anyway, why would anyone pay for a Windows licence, when you could make a Linux kiosk?
Especially since you could really lock the machine down and get rid of everything unnecessary (file explorer, desktop environment etc.), to the point that even if someone somehow gets access to the command line, they only have execute permissions on the browser and read-only access to everything else. At that point they would need a privilege escalation exploit to do anything interesting.
Probably because the MSP/Support staff these companies have only work with Windows.
Plus the only way to get a terminal/shell would be ctrl+alt+f2-f9 or whatever tty they did not use. Even then though you would not get access unless you knew a password, in which you can barely do anything on a non-super user account (assuming they have it setup and locked down correctly)
College I attended had Ubuntu box running Firefox kiosk, we only had access to touchscreen and website to log into the grading system.
Website naturally had mail and password fields, submit button and built in keyboard without any modification keys (probably html/js).
I noticed password field showed an option for password manager, and clicked on it which brought me to firefox settings, where I could navigate to Google's services, including Google translate.
There I could input any link and click on it because Google translate has an option for onscreen keyboard and creates a hyperlink when translating.
There was also an option to open a file.
I never found out what would downloading a file do (since I opened a system file in google translate in hopes of reading them, which just made kiosk screen white and unusable), and I couldn't figure out how to open an actual file explorer.
The few things we did was open youtube on it, play browser games, etc.
Those were one of my last days in college, sucks that I couldn't reverse shell it and do fun stuff with that :/
I find it interesting that this still is a thing, its kinda ancient by now.
Same thing was commonly used to bypass Windows login in the past.
Sticky keys, console combination.
Well I found that fascinating , first time I have watched a video on this sort of thing
Microcenter ad was so good you had me googling if it was available in France
Cool little series 👍
Whilst I'd love to see Microsoft lock down kiosk mode by default, these vulnerabilities can be restricted by enabling various other Microsoft technologies, like Keyboard Filter, AppLocker, Shared PC mode to limit persistence, and Unified Write Filter. But I just wish it was out of the box.
When I was in jail we had a kiosk for ordering on commissary and sending messages/making calls and the network went down one day. The kiosk's software was running on Google Chrome so the "DNS Connection Refused" error message popped up, and clicking it eventually allowed me to traverse to the file system and even gain access to printers, although I never actually printed anything; just looked around at it
Lovely outro!
This was lovely... Thank you for sharing!
P.S.
I already had it in my Watch later playlist...🤓
oh wow, this simple stuff of shortcuts is powerful!
this should be interesting for future vulnerabilities john.
I have not heard someone say borked in SOO long. Thank you
When you tried to right click and it didn't work I wonder if doing ctrl + f10 which is the keyboard version of right clicking would that work?
The man, the legend, John Hammond !
The john multiverse is crazy rn
"There wasn't enough time for tests"
The fact that Micro Center sponsored this makes you look cool, but it makes them look cool too.. ;)
Interesting, loved this type of priv escalation, how can I find this sort of priv escape videos.
Once you are in some sort of file explorer can you create a new text file (top left) in a location where you have some privileges, write cmd.exe in the file, save it as a .bat file, rename it to msedge and try to run that? Or does the file name restriction apply to the extension as well?
If you can download anything you can just code a program download it rename and do whatever you want
Calculator = ultimate game over
that's nice!
The good ol' rename-an-exe trick is what I used in high school to run whatever I wanted.
Fantastic
The funny thing is I did exactly this to a random kiosk at IKEA when I was like 14.
in one place there is a kiosk with a touch screen with windows 8 so it was enough to swipe from the left corner of the screen and this strip appeared because it was not secured
if you can create new text files, maybe you can create a .bat file to run commands
This is the greatest video ever I watched...
This trick used to work (or still does, idk) with the accessibility on screen keyboard in the lock screen.
I've done that on several computers to enable Administrator to recover people's files. Boot with any live Linux disc or USB, rename cmd.exe to osk.exe then reboot and launch the "on screen keyboard" to get the command prompt then enable Administrator with no password. Login to that account and you're in and copying off the non-encrypted files, or change the owner's account password, but not if they have any files encrypted.
Or just boot with a live Linux USB and copy the files to another USB.
question for the escape room - is Win+E and/or Win+R allowed?
No
Flabbergasted that only the name and not the path is whitelisted
No forreal Microsoft not using absolute path? Crazy
Best would be to compare the hash of the target file with the permitted file before running.
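The chapter "Just takes the filename" and the comments above make the same point: an allowlist keyed on the executable's name is defeated by copying cmd.exe into Downloads as msedge.exe. Below is an added example, not code from the video or its author, that reproduces that copy on a test box and runs it past three checks: the filename check, a SHA-256 hash check as the comment suggests, and an Authenticode publisher check. It assumes Edge is installed at its default 32-bit Program Files path and that you run it as a user who can write to their own Downloads folder.

```powershell
# Added example (not from the video): filename vs hash vs publisher allowlisting.
# Assumption: default Edge install path; run on a disposable test machine.
$ErrorActionPreference = 'Stop'

$EdgePath = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
$Fake     = Join-Path $env:USERPROFILE 'Downloads\msedge.exe'

# The trick from the video: the real cmd.exe copied under the allowed name.
Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $Fake -Force

# 1. Filename-only check. This is what the kiosk profile effectively enforces.
function Test-ByName([string]$Path, [string[]]$Allowed = @('msedge.exe')) {
    $Allowed -contains (Split-Path -Path $Path -Leaf)
}

# 2. Hash check. The copy carries cmd.exe's hash, so it fails regardless of its name.
$EdgeHash = (Get-FileHash -Path $EdgePath -Algorithm SHA256).Hash
function Test-ByHash([string]$Path, [string[]]$Allowed = @($EdgeHash)) {
    $Allowed -contains (Get-FileHash -Path $Path -Algorithm SHA256).Hash
}

# 3. Publisher check. Looks at who signed the file, not at its name or location.
#    Returns $null for an unsigned or tampered binary.
function Get-SignerSubject([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $null }
    $sig.SignerCertificate.Subject
}

'{0,-70} {1,-7} {2,-7} {3}' -f 'file', 'byName', 'byHash', 'signer'
foreach ($p in $EdgePath, $Fake) {
    '{0,-70} {1,-7} {2,-7} {3}' -f $p, (Test-ByName $p), (Test-ByHash $p), (Get-SignerSubject $p)
}
# Expected: the real msedge.exe passes all three; the Downloads copy passes byName only,
# and its signer subject is the Windows component certificate, not Edge's.

Remove-Item -Path $Fake -Force
```

A pure hash allowlist is correct but brittle: every Edge update changes the hash. The maintainable form of the same idea is an AppLocker publisher rule, which Windows generates from the signed binary with Get-AppLockerFileInformation -Path $EdgePath | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml, and which still rejects a renamed cmd.exe because cmd.exe is signed under a different product name.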
something like used to be a thing to get by the login on xp, replace the onscreen keyboard with cmd
I tried the same thing on Windows 10. I managed to open a normal Windows Explorer but it won't let me go to any other path than the Downloads folder. It says "We can't open '{literally any path except Downloads here}'. Your organization has blocked it."
Hello, World!
Awesome video!
I was once told that on extremely locked down systems like this, you can simply place a .exe file in a zip, open the zip in explorer, click the .exe file and it just runs bypassing all the security restrictions. Not sure if that bug still exists.
Just wondering why the calc did not run even when executed with the admin cmd?
Sadly there is no micro centers in Arizona :(
So the "root hole" is that the help is online and its viewing handled very badly. Is this true in all versions of Windows 11? I imagine there would be many enterprises which would want to have their users be able to use help offline/without Internet access. The next step, that the full edge is launched is also needed as a root failure. So in that case - I wonder if setting other browsers as the system browser would work. Or using GP to change how Edge works by default?
I feel like the first half of this video has too many steps. If you already know the admin password why not just reboot and log in as admin...
Also, what about if the kiosk doesn't have a physical keyboard or mouse and is a touchscreen kiosk. How much harder does it become then?
thanks for this, this is sooo cool :D, now i regret not using wm`s
This is so crazy and soo easy, but indirect, well done :D
seen alot squaters at the Kiosk!
Correct me if I'm missing something, but when you do the second method, the no-password method, you're only in cmd as user "kiosk". At that point, running something as user admin would still require the password, right?
EDIT: Looks like I'm not the only one who noticed that. But at that point there's nothing stopping you from making an executable and just naming it msedge.exe and running it too... right? A lot of steps to get from cmd to writing an exe but it should be possible, maybe with a rubberducky and a ready to go bat file, assuming you have USB access?
I created the kiosk mode on a Windows 10 machine (latest 21H2) and with Ctrl+O you can only see contents of the "Downloads" folder. There is no other folder visible (only the Desktop, but you can't even open that). I couldn't access any other folder in this menu. The farthest I've come is opening the Settings app. But I couldn't figure out how I might need to keep going.
I was able to create a shortcut to msedge.exe and thought that there is some parameter magic to sideload another executable or something, but then it was already 2 am and I was tired and needed to sleep :D
I didn't know that you can use the Edge browser to actually access files on the computer! That did the trick! Also I noticed, the moment you open the containing folder of the downloaded file, you can suddenly see the whole filesystem (but I still can't access any folders other than my Downloads folder). Renaming the downloaded cmd.exe to msedge.exe also works in Windows 10.
Thank you for the video!
Can you show how you can make a priv esc happen with a most recently patched Windows? Or is that too black-hatty for YouTube :D
"I didn't know that you can use the edge browser to actually access files on the computer!"
This has been true ever since Explorer / Internet Explorer first came out. WIN95 probably. It also works vice-versa - you can plug URL's into desktop explorer bars to this day and they'll open in the default browser.
I love Porteus Kiosk. There those issues dont matter.
At first, when John was saying "thank you to the sponsor of this video Micro..." my brain had a conversation and a mini freak-out: Micro SOFT?!?!!! No way, no way they sponsored this video, oh wtf did they actually?!???! "...Center" ahh oh jeez, of course they didn't, how would they, Brain, but you knew that and were just kidding eh 🤘😎
So this presumes you have access to a keyboard (and admin). What if you were standing in front of it as a simple touch screen kiosk? Is there a way to bring up an onscreen keyboard/accessibility options?
well i guess you could try to save a file and use the buttons only to copy and paste?
@@charababis6321 Some have long hold/press in particular spots. Just curious how you'd get past the initial no-keyboard situation.
What I see a lot is being unable to rename programs. Also my Windows 10 has the System32 folder protected where I cannot change anything even though I am admin.
Dumb idea: if Ctrl+O, P, N, etc. and Ctrl+Alt+Del work, I wonder if Ctrl+Shift+Esc works to just pop Task Manager. Then from there you can run a new task of explorer. Don't think you're going to be able to run cmd from New Task because of the file name lockdown, but Task Manager is just another option / tool for an escape.
Ctrl+Alt+Del and Ctrl+Shift+Esc don't work
At work they were using some kind of program to lock down old and outdated Windows XP terminals by HP from the mid-2000s. I was allowed to take one home since they were being scrapped and replaced anyway, and decided I would try to break into it. What I ended up doing is booting from a USB drive with Puppy Linux, which is Ubuntu-based. I downloaded chntpw through the repository and was able to make the admin password blank to get into the admin account.
I was going to try to play some old games on it, but the sound is garbage and doesn't work.
Actually, Puppy Linux is Arch-, Ubuntu-, Debian- and Slackware-based. It is a weird distro.
@@crazycrystals I didn't know it is Arch-based as well. I'll have to check that out.
Hey John, just here wondering, wouldn't pathing into System32 via the browser be helpful?
Didn't we do that in the latter half of the video?
@@_JohnHammond oh lol, I posted that mid-video, btw I love your videos man!
What about the CMD URI from microsoft edge?
Could you not right click open in new window in the Downloads view.
The "Get help" button is the true MVP
THIS. IS. SO. FREAKING. COOL!!!!!!!
used to use this back in the windows nt days at school.
locked us out running games etc.. rename the file, boom.
Someone did rename their program to explorer.exe and left it in their home folder. Not sure on the setup back then, but it would run the explorer.exe from their home folder and not the correct location when they logged in.
you forgot to put the link to the previous video where you set up hard mode in the description
If only we had known this in school
So primary take away from this series of videos: MS needs to disable the "?" help icon in the open/save dialog box. Thats all. That would prevent all of the attacks shown.
Microsoft needs to shutdown completely, that's the only way to prevent the attacks!
The problem isn't the help button itself, the problem is the help points to the internet... like everything else nowadays. Windows XP and 7 help .chm files were fine I guess; yeah they were their own mini web browser too, but they are far more locked down than an Edge window running in full screen.
Or don't use windows? A linux build with nothing but xorg and a browser would be impossible to escape without an ACE vulnerability in the browser
@@MobCat_ Until hackers learned how to create malicious .chm and .mht files.
@@MobCat_ o hi mobcat, whatcha up to
Where do you download this vm? I want to try it out.
TIL: If you're going to use assigned access, create rules by hash.
That was one of the first thoughts I had. I am watching this video for work, to see if there are cool ways to harden my assigned access kiosk.. This video really goes to show how valuable security research is, haha.
Nice!, but can you show howto escalate privileges without knowing the admin password... and maybe test a Linux Kiosk 👌
Probably PrintNightmare LPE, if it's an older/not-updated box?
@@_JohnHammond ah thats true! thanks!
This reminds of when I opened the cmd prompt on my school issued laptop they heavily restricted and privilege escalated into admin… they were confused at the end of the year when I turned the computer in but I never got in trouble so win win
👍!
I think there is the same kind of process in a Windows password overwrite exploit I saw before, to remove a password with a Windows restore disk by copying the cmd binary over the Ease of Access feature's exe or something like that, so you can access the cmd prompt in Windows from the login screen. From there you can just use net user to set the password. This was back in the Windows 7 days I think though, so maybe it doesn't work anymore.
Although if you can boot from USB or CD there are a number of different ways you could probably gain entry so......
simplified version: boot off of linux USB, rename cmd.exe to sethc.exe, and press shift five times (or spam it)
Replace c:\windows\system32\sethc.exe with cmd.exe, then invoke StickyKeys. If you reboot, you can invoke StickyKeys at a login screen and have a SYSTEM shell.
you need an admin password to do that.
@@yotoprules9361 That is left as an exercise to the reader. Lol!
I remember once when the admin didn't allow cmd. They forgot PowerShell.
time to break some computers in my college library XD
Ikat for the win.
I'd have popped open Notepad and saved a batch file
Wait, can you not just put in a USB with the exe name and open it with MS Edge?
9:47 wouldn't just deleting the file and restarting work?
How do I get the challenge file?
Awesome. But can you run doom that way? ;)
What do you put on your hair to keep it firm?
You can try hair mousse, I've used a couple of brands and the effects were comparable.
If instead of using an already-made account you let the kiosk configuration process create the account, file access is disabled as far as I can see. Maybe a good "extra hard" challenge? :)
After a reboot, file access is disabled just as well, other than the Downloads directory. From what I had tested, the same download cmd.exe and rename trick should still work
if you knew admin password you could just log out and log in to the admin account
Not sure what I'm missing here. If you have the admin password, just restart the computer and log on to admin. None of this matters at this point.
You might want to watch the beginning again and pay attention
Maybe starting from the chapter called Correction - credentials not needed?
I think Sean's point is he was gonna post this without the admin "bypass", which thus would have made this whole thing useless, because if you have the admin password just log in as admin
is this the one where he/you escape/s without the admin password?
just watched it, great video! crazy how it just checks for the name
It is nice and everything, but a real kiosk is a closed system, usually without any physical keyboard and lacking Ctrl, Alt and Shift keys. Without a USB or a Bluetooth connection there would be no way to connect any hardware to it. It is possibly disabled in the BIOS to connect anything to the USB ports, etc...
This is true, but the average business usually goes with the lowest bidder. No one who actually knows infosec is working installing kiosks for casual applications. Most of the kiosk outfits employ people at GeekSquad level, and many, less.