Posted

Came across a scenario that I'm testing out. I've set up a machine in my office to mimic a machine I came across in the wild. The machine is locked down with group policies. The user has access to Internet Explorer and a custom program. Trying to access the file system from IE is blocked. There is no run or anything else. Web surfing is possible but limited to a white list of sites.

I've got a free dinner from a client if I can figure out a way to run a program. I can't reboot with a live CD though, that's cheating.

Any ideas?

Posted (edited)

One trick that I figured out on my campus. Open notepad, write in a cmd or whatever code you want and save it as a .bat file. Run the .bat file and away you go.

Darren also did mention something very similar to this on one episode, can't remember which. Might have been ducky related.

Or if you are trying to get a shell on it, you can fire up S.E.T. and instead of typing in a DNS name, type in the IP so it doesn't hit a DNS white/black list and run the java exploit and reverse shell :)

Edited by Mr-Protocol
Posted

Quoting Mr-Protocol:

> One trick that I figured out on my campus. Open notepad, write in a cmd or whatever code you want and save it as a .bat file. Run the .bat file and away you go.
>
> Darren also did mention something very similar to this on one episode, can't remember which. Might have been ducky related.
>
> Or if you are trying to get a shell on it, you can fire up S.E.T. and instead of typing in a DNS name, type in the IP so it doesn't hit a DNS white/black list and run the java exploit and reverse shell :)

I wish it was that easy. He set up the policy so there is only Internet Explorer and a custom program that doesn't allow user interaction. No Notepad, no Paint, not even Microsoft Help.

The IP address trick doesn't work either.

Posted

If the user has access to any type of storage area, be it local, network or removable, then you could do what I did and create a shortcut to the following:

C:\Windows\System32\reg.exe add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

Which would allow cmd.

This worked at my school, which ran Windows Server 2003 over a network of Windows XP machines. Group Policy was set up to make the majority of the restrictions in the local registry. If this is the case then this would work. There are others that you'd be able to find as well, such as the Run button and the Shutdown button.

If, when you try to run Command Prompt via a shortcut without running the above registry change first, you see the cmd window appear, but with some text about being disabled by the system administrator, then I'd expect this to work.
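An audit script for the situation described in this post, added here as an example and not taken from the thread or from any of its participants. It is meant to be run as the restricted user on the office test machine (not on the kiosk, which has no shell at all): it lists the documented per-user policy registry values behind the lockdowns mentioned in the thread (DisableCMD, DisableRegistryTools, NoRun, NoClose, RestrictRun), reports whether the user's own HKCU Policies key is writable, and contains an explicit equivalent of the reg.exe shortcut. The value names and meanings are the documented Windows policy values; the function names, the `$checks` table and the string results `absent`/`writable`/`locked` are this script's own conventions. Requires PowerShell 3.0 or later for the `[pscustomobject]` cast.

```powershell
# Added example, not code from the thread. Enumerates the registry-backed user
# lockdowns discussed above and tests whether the restricted user can undo them.

function Get-UserLockdownPolicies {
    # Documented per-user policy values. A $null Value means the policy is not
    # set in HKCU for this user (it may still be enforced another way).
    $checks = @(
        @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD';
           Meaning = '1 = cmd.exe and .bat/.cmd blocked; 2 = cmd.exe blocked, scripts allowed' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools';
           Meaning = '1 = regedit blocked; 2 = regedit blocked silently' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';
           Meaning = '1 = Run removed from the Start menu' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose';
           Meaning = '1 = Shut Down removed from the Start menu' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'RestrictRun';
           Meaning = '1 = only executables listed under the RestrictRun subkey may run' }
    )
    foreach ($c in $checks) {
        $value = $null
        if (Test-Path -Path $c.Key) {
            $value = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        }
        [pscustomobject]@{
            Key     = $c.Key
            Name    = $c.Name
            Value   = $value
            Meaning = $c.Meaning
        }
    }
}

function Test-UserPoliciesWritable {
    # The user normally has full control of their own HKCU hive, so the
    # Policies key is writable unless an administrator put an explicit ACL on
    # it. Returns 'absent' (key does not exist), 'writable' or 'locked'.
    $sub = 'Software\Policies\Microsoft\Windows\System'
    try {
        $k = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($sub, $true)
        if ($k -eq $null) { return 'absent' }
        $k.Close()
        return 'writable'
    } catch [System.Security.SecurityException] {
        return 'locked'
    } catch {
        return 'locked'
    }
}

function Reset-DisableCmd {
    # Explicit equivalent of the reg.exe shortcut in the post: write DisableCMD
    # as a typed REG_DWORD 0 rather than an untyped empty value.
    # Caveat: the Group Policy client reapplies user policy at the next refresh
    # (by default about every 90 minutes plus a random offset), so the
    # restriction returns; this does not survive a gpupdate.
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'DisableCMD' -Value 0 -Type DWord
}

# Usage: report first, then decide whether the shortcut trick can work.
Get-UserLockdownPolicies | Format-Table -AutoSize
"HKCU Policies key: $(Test-UserPoliciesWritable)"
```

If the report shows DisableCMD set and the key `writable`, the shortcut from the post will work until the next policy refresh. The defensive reading is the same: a value living in the user's own hive is a UI restriction, not a security boundary, and what actually stops this is preventing reg.exe and unknown executables from running in the first place (Software Restriction Policies or AppLocker) rather than hiding menus.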

Posted

Maybe MITM arp poison and own the traffic? Then re-route to your malicious server with a java payload for reverse shell?

I was thinking about something like that. I could put a fonera in line hosting a local copy of the ikat kiosk hacking website. I redirect all traffic internally, bypassing the need to go outside the firewall. Hmm.

Right now IE blocks all file system access, got a couple other tricks to try.

Posted

There has to be ways to get a shellcode payload on the computer and execute it, whether it be with a java applet attack, sending it through email, getting it on a locally mapped drive or whatever. As long as the browser can run java it should work.

If you were on the LAN with another machine listening there would be no need to go outside the firewall either and between arp spoofing, dns/dhcp spoofing, the millions of msf options, something should do the trick that will get you free lunch.

Posted

Or forget about the client and look for weaknesses in the router/switch. Same for whatever server is running. Or use a LAN tap to view the traffic between the client and the router. You also never said anything about DoS attacks, so you could do that too to try to squeeze the dinner.
