Objective
Recently, for one of our red team objectives, our client asked whether we could actually break out of or escape from their kiosk solution environment. Kiosk lockdown is commonly used in virtual Internet banking stations, airports and various customer service centers.
Kiosk Lockdown Solutions
A typical kiosk lockdown is usually wrapped in a container, as in the following pseudo layout.
Svchost.exe --> Lockdown Solutions --> Whitelisted App (in most cases Browsers)
Case Studies - Lockdown Protections
In my case we are only given a keyboard and a mouse to navigate. Here is a screenshot of our lockdown kiosk.
All drives and shortcuts are disabled, and the Start button has been disabled.
The message from CTRL + ALT + DEL has been suppressed.
Using the UNC path trick didn't work.
Using the File - Print - PDF trick also didn't work this time.
Run procexp. From now on we have clear visibility on how to escape :)
Escaping the Kiosk - Poor Man's No Kobalt-Strike Style
While the environment certainly looks quite secure in 2020, there are still a few loopholes we can leverage.
What if we host a legitimate cmd.exe binary on the Internet and download it: can we execute it?
Clicking on RUN works well, as cmd is a legit signed binary and is considered non-malicious by Defender by default. However, we will encounter this error, which prevents us from using cmd.exe :(
Thanks to Atuk Didier Stevens, we can leverage the cmd.exe created by the ReactOS Project (a free and open-source Windows implementation).
In order to stay under the radar, we can fetch "legit" tools from Sysinternals.
live.sysinternals.com via net use
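From the defender's side, each step above leaves a trace in process-creation logs. The following Python check is an added example, not part of the original post: it assumes Sysmon Event ID 1 style fields (Image, OriginalFileName, Company, CommandLine), and the events, paths, user name and vendor strings are constructed for illustration.

```python
import ntpath

TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SHELLS = {"cmd.exe", "powershell.exe"}
SYSINTERNALS = "live.sysinternals.com"

def unc_host(path):
    """Server name of a UNC path (WebDAV @SSL/@port suffix dropped), else None."""
    if not path.startswith("\\\\"):
        return None
    return path[2:].split("\\", 1)[0].split("@", 1)[0].lower()

def review(event):
    """Return findings for one process-creation event."""
    findings = []
    image = event["Image"].lower()
    folder, name = ntpath.split(image)
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    # A command interpreter, by file name or by embedded original name.
    if name in SHELLS or original in SHELLS:
        if folder not in TRUSTED_DIRS:
            findings.append("shell-outside-system-dir")
        if event.get("Company") != "Microsoft Corporation":
            findings.append("shell-not-from-microsoft")
    # Tools executed straight from the Sysinternals Live share.
    if unc_host(image) == SYSINTERNALS:
        findings.append("image-on-live-sysinternals")
    if "net use" in cmdline and SYSINTERNALS in cmdline:
        findings.append("net-use-live-sysinternals")
    return findings

# Constructed events; none of these values come from the original post.
EVENTS = [
    {"Image": r"C:\Program Files\KioskBrowser\browser.exe", "Company": "Example Vendor"},
    {"Image": r"C:\Users\kiosk\Downloads\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "Company": "Microsoft Corporation"},
    {"Image": r"C:\Users\kiosk\Downloads\cmd.exe", "Company": "Example Third Party"},
    {"Image": r"C:\Windows\System32\net.exe", "Company": "Microsoft Corporation",
     "CommandLine": r"net use \\live.sysinternals.com\tools"},
    {"Image": r"\\live.sysinternals.com@SSL\DavWWWRoot\tools\procexp.exe",
     "Company": "Example Vendor"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "Company": "Microsoft Corporation"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Image"], "->", review(ev) or "ok")
```

On a kiosk, where the set of expected processes is small, any of these findings is worth an alert; an application allow-list that only permits the lockdown shell and the whitelisted browser closes the same paths at execution time.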