Saturday, February 22, 2020

Breaking the Internet Kiosk

Objective


Recently for one our Redteam objective, our client request if we can actually break or escape from their Kiosk Solution Environment. Kiosk Lockdown is commonly used in Virtual Internet Banking Station, Airports and various customer services center lot.

Kiosk Lockdown Solutions.


A typical Kiosk Lockdown usually are wrapped around a container like the following pseudo layout.


Svchost.exe --> Lockdown Solutions --> Whitelisted App (in most cases Browsers) 
                

Case Studies - Lockdown Protections


In my case we are only given a keyboard and a mouse to navigate. Here is a screenshot of our lockdown kiosk.


All Drives and Shortcuts are disabled, Start Button have been disabled.



Message from  CTRL + ALT  + DEL have bee suppressed.





Using the UNC path trick didnt work.




Using the File - Print - PDF trick also didn't work this time.


Escaping the Kiosk- Poor man No Kobalt-Strike style.

While the environment certainly looks quite secure in 2020. They are still few loopholes we can leverage on.

What if we host a legit cmd.exe binary and hosted on the Internet and download it can we execute it?


Clicking on RUN works well as cmd is a legit signed  binary and was considered non-malicious by Defender by default. However we will encounter this error which prevent us from using cmd.exe :(


Thanks to Atuk Didier Steven, we can leverage on cmd.exe created by the  ReactOS Project.  (A free and opensource windows implementation binary).


It works.



In order to stay under the radar .. We can fetch "legit" tools from sysinternal 
live.sysinternals.com via net use




Run procexp . from now we have a clear visibility on how to escape :)




No comments: