beakmyn Posted November 15, 2011
Came across a scenario that I'm testing out. I've set up a machine in my office to mimic a machine I came across in the wild. The machine is locked down with group policies. The user has access to Internet Explorer and a custom program. Trying to access the file system from IE is blocked. There is no Run or anything else. Web surfing is possible but limited to a whitelist of sites. I've got a free dinner from a client if I can figure out a way to be able to run a program. I can't reboot with a live CD though, that's cheating. Any ideas?
hexophrenic Posted November 15, 2011
http://pauldotcom.com/2011/07/bypassing-software-restriction.html
Mr-Protocol Posted November 16, 2011 (edited)
One trick that I figured out on my campus. Open Notepad, write in a cmd or whatever code you want and save it as a .bat file. Run the .bat file and away you go. Darren also did mention something very similar to this on one episode, can't remember which. Might have been Ducky related. Or if you are trying to get a shell on it, you can fire up S.E.T. and instead of typing in a DNS name, type in the IP so it doesn't hit a DNS white/black list and run the Java exploit and reverse shell :)
Edited November 16, 2011 by Mr-Protocol
beakmyn (Author) Posted November 16, 2011
> One trick that I figured out on my campus. Open Notepad, write in a cmd or whatever code you want and save it as a .bat file. Run the .bat file and away you go. Darren also did mention something very similar to this on one episode, can't remember which. Might have been Ducky related. Or if you are trying to get a shell on it, you can fire up S.E.T. and instead of typing in a DNS name, type in the IP so it doesn't hit a DNS white/black list and run the Java exploit and reverse shell :)

I wish it was that easy. He set up the policy so there is only Internet Explorer and a custom program that doesn't allow user interaction. No Notepad, no Paint, not even Microsoft Help. The IP address trick doesn't work either.
Mr-Protocol Posted November 16, 2011
Maybe MITM ARP poison and own the traffic? Then re-route to your malicious server with a Java payload for a reverse shell?
Xcellerator Posted November 16, 2011
If the user has access to any type of storage area, be it local, network or removable, then you could do what I did and create a shortcut to the following:

C:\Windows\System32\reg.exe add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD

This would allow cmd. This worked at my school, which ran Windows Server 2003 over a network of Windows XP machines. Group Policy was set up to make the majority of the restrictions in the local registry. If this is the case then this would work. There are others that you'd be able to find as well, such as the Run button and the shutdown button. If, when you try to run Command Prompt via a shortcut without running the above registry change first, you see the cmd window appear but with some text about being disabled by the system administrator, then I'd expect this to work.
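The observation in the post above is that a restriction stored in the user's own hive (HKCU) holds only as long as the user cannot reach a tool that writes to it. An added audit script (not code from this thread or any poster) that an administrator can run as the restricted account to see whether that situation exists on a kiosk: it reads the DisableCMD value quoted above, plus the NoRun and NoClose values that back the Run and Shut Down restrictions the post alludes to (these two names are assumed relevant and are not from the thread), and reports whether the current user can open each key for writing.

```powershell
# Added audit example, not code from the thread or any poster. For a few user-scope
# (HKCU) policy values it reports whether the value is set and whether the current
# user can open the key for writing. DisableCMD is the value quoted in the post;
# NoRun and NoClose are the standard Explorer policy values behind the Run and
# Shut Down restrictions (assumed relevant, not taken from the thread).
# "Present = True" together with "UserCanWrite = True" is the finding to act on.

$Policies = @(
    @{ Key = 'Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoClose' }
)

function Test-HkcuPolicy {
    param(
        [Parameter(Mandatory)] [string] $Key,
        [Parameter(Mandatory)] [string] $Name
    )

    $result = [ordered]@{
        Key          = "HKCU\$Key"
        Name         = $Name
        Present      = $false
        Value        = $null
        UserCanWrite = $false
    }

    # Read-only open: is the policy value present at all?
    $ro = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($Key, $false)
    if ($ro) {
        $v = $ro.GetValue($Name)
        if ($null -ne $v) { $result.Present = $true; $result.Value = $v }
        $ro.Close()
    }

    # Writable open: returns the key only if the current token has write access,
    # throws SecurityException when the ACL denies it, and returns $null when the
    # key does not exist.
    try {
        $rw = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($Key, $true)
        if ($rw) { $result.UserCanWrite = $true; $rw.Close() }
    } catch [System.Security.SecurityException] {
        $result.UserCanWrite = $false
    } catch {
        $result.UserCanWrite = $false
    }

    [pscustomobject] $result
}

$findings = foreach ($p in $Policies) { Test-HkcuPolicy -Key $p.Key -Name $p.Name }
$findings | Format-Table Key, Name, Present, Value, UserCanWrite -AutoSize

# Summarise the weak cases: a restriction is enforced, but the user's token could undo it.
$findings | Where-Object { $_.Present -and $_.UserCanWrite } | ForEach-Object {
    Write-Warning "$($_.Key)\$($_.Name) is set but the key is writable by the current user"
}
```

Run it in the restricted user's session, since the result depends on that user's token. A row that is both present and writable means the lockdown rests entirely on the user never reaching reg.exe, regedit or an equivalent writer; the fix the post's own experience points to is to also deny those executables to the account (software restriction policies or AppLocker) and to prefer enforcement points the user's token cannot modify.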
Mr-Protocol Posted November 16, 2011
There also used to be a local exploit with FireWire that would allow autorun scripts like the old USB Hacksaw. Not sure if it still works.
beakmyn (Author) Posted November 16, 2011
> Maybe MITM ARP poison and own the traffic? Then re-route to your malicious server with a Java payload for a reverse shell?

I was thinking about something like that. I could put a Fonera in line hosting a local copy of the iKAT kiosk hacking website. I redirect all traffic internally, bypassing the need to go outside the firewall. Hmm. Right now IE blocks all file system access, got a couple other tricks to try.
Mr-Protocol Posted November 17, 2011
You can boot from a USB ;) Not a live CD, then profit from free lunch/dinner? LOL! Tell him he was not explicit enough in his rules. Social engineering win?
bobbyb1980 Posted November 17, 2011
There have to be ways to get a shellcode payload on the computer and execute it, whether it be with a Java applet attack, sending it through email, getting it on a locally mapped drive or whatever. As long as the browser can run Java it should work. If you were on the LAN with another machine listening there would be no need to go outside the firewall either, and between ARP spoofing, DNS/DHCP spoofing and the millions of MSF options, something should do the trick that will get you free lunch.
bobbyb1980 Posted November 17, 2011
Or forget about the client and look for weaknesses in the router/switch. Same for whatever server is running. Or use a LAN tap to view the traffic between the client and the router. You also never said anything about DoS attacks, so you could do that too to try to squeeze the dinner.