April 3, 2013 at 10:51 pm #8351
First of all, I apologize if this is in the wrong location/forum, or totally inappropriate to ask. I checked around, but didn’t see anything explicitly wrong with this. I also apologize in advance for the length, and really appreciate any help!
I am 25 and have been on computers since I was 8. I am pretty advanced in computers and currently have several MCPD’s for development (I know- C# sucks or whatever)… I know a good bit about networking and administration, but have never really had my own environment to mess around in. I hope to change that soon and setup a v-farm at home to test around in. I have always been really interested in security while programming, and try to test programs our companies develop to make sure at least there is some level of security in their logic, authentication, and authorization procedures. My end goal is hopefully to gain enough knowledge in the networking and infrastructure area that I can take the CEH.
So enough of the back story, here is my current situation. I am really the only one at my company of 150 that really knows more than the average person about security, and as such, was asked by one of our PM’s to try and ‘hack’ a solution that our core infrastructure team had built. The solution was meant to provide a secure testing environment that allowed access to only 1 website, and 1 website only. The main blocks were to make sure that the audience could not access other internet, email, or system resources. The solution is basically a WYSE zero client, in a specific vlan that all traffic then goes through a barracuda filter. The WYSE client connected to Citrix receiver and connected to a Windows 7 Enterprise VM.
The first time I had a hack (pun not intended) at the system, I was actually able to achieve all of the tasks of accessing system files, accessing internet sites, and sending emails. The environment had been secured by group policy:
1 – 1 icon on desktop for IE directly linked to testing site
2 – start menu reduced to logoff/disconnect, Windows Security button, and link to testing site
3 – start menu search/execute/address bar non-functional
4 – Win+E disabled
5 – Win+R disabled
6 – CTRL+ALT+DEL only allowed logoff or cancel
7 – CTRL+SHIFT+N disabled on desktop (attempt to get into FS)
8 – Initial browser had 0 toolbar, however opening via desktop gave address bar/toolbars
9 – All web browsing not on testing site blocked
So initially, I accessed the filesystem via shell:system in the address bar. Even though the drives had been restricted access via GP, I could still use that to get into sys32, and then anywhere. CMD, mmc, all control panels, taskmgr, etc, were completely locked down. If I had spent more time, I would have tried to maybe use a bat file (I could open notepad/mspaint/etc low risks) to replace a service file so that it would elevate permissions, but I was limited on time so didn’t get to test that.
The next thing I did was to use the address bar in IE to navigate to one of google’s ips (yeah, I have some blocks memorized). I figured that they might only be blocking dns lookup. Trying to access http://22.214.171.124/ resulted in a block page, however knowing that google now provides a https option, I changed the protocol to that, and was successfully on the internet. I was able to access web proxies via IP and get into gmail and send an email.
This was my first real ‘hacking’ attempt for work, and not even really so – it was simple stuff really. But that didn’t stop me from being ecstatic. Well, after I gave them my report, they worked on securing alot of the VM and had me give another go at it today.
They had gone and hidden the address bar and toolbars from IE via GP, and I couldn’t get them back at all, even via the desktop shortcut. None of the key shortcuts for ‘open url…’ worked. I was about to call defeat (even though I figured they still hadn’t blocked IP navigation) when I remembered about the IE shortcut for navigating to copied URL. I typed the same IP as earlier for google into a textbox on the website, copied it, and then pressed CTRL+SHIFT+L, and I was at google. I was also still able to access shell:system.
After I finished my go at it today, I think I finally got it through their heads that they NEED to only allow IPs for the testing site, and block all others. They are also working on trying to disable the CTRL+SHIFT+L shortcut, so that takes away one of my navigation bars right there. The other one that I got to was the download box (CTRL+J) and was able to click Options>>Browse, but they are disabling that box as well.
As I said, I am a total noob to this, and don’t really have a CI background. I know what a barracuda filter is, but that’s about it. I have messed around with GP a bit, but I am by no means an expert. So, I come to you. I am now 2 for 0 and very excited. I would love to try and get through 1 more time and be successful. I will have my chance soon, but after they make these changes, I am not sure what else I can do. What other ways are there to get to an address bar so that I can access system resources or attempt direct navigation to sites. If they setup the barracuda as I said, is there any way that you can think that I’d be able to defeat it? The only thing I had though (only because I think the CI guy said blocking by hostheader) was to be able to somehow add a hosts entry or similar to map the testing domain to something like google’s ip… That should only work if they didn’t do it correctly – or at least that’s what I think. I have done lots, and am sure I have forgot some things here, so if you have any questions or suggestions on whatelse I could attempt, I would be GREATFUL!
April 4, 2013 at 2:13 am #52494cd1zzParticipant
Can you use removable media or is there a CDROM either virtual or physical? If so, just drop a shell and try to escalate from there. Are there any other apps the regular user can access at all? Like in the system tray? Sometimes AV will still be accessible and within the AV you can escape the restricted desktop via the same methods….help menu etc.
April 4, 2013 at 2:20 am #52495
Nope. The start menu only has a link to the testing site. The system tray only has the clock, and the ‘Show Desktop’ icon. The desktop only has the link to the site. I tried doing CTRL+SHIFT+N to make a new directory so maybe I could get an explorer window and use that address bar, but no right clicking, context menu, and the command is blocked by GP.
Sometimes I can invoke a help prompt, like by pressing F7 and clicking for more info about Caret browsing, but the help dialogs address bar didn’t let me do anything.. apparently it has been rewritten since last time I used it… It has been a few years since I needed a win help dialog! 😛 If anyone has any ideas on getting to an address bar from there to try and run commands, that would be helpful.
As for removable media, nothing inserted on the zero client is accessible to the win machine except for the keyboard. It has usb ports, but they don’t map. The zero client is pretty well locked down too. The first time I attempted hacking it, I could get into admin mode, but they’ve since locked that down and it has to be unlocked on the server and rebooted to access the menus.
Thanks for your response, and for reading the ridiculously long post!
April 4, 2013 at 2:24 am #52496cd1zzParticipant
I assume right click on the taskbar is dead too? Any right clickage?
April 4, 2013 at 2:25 am #52497
No right or middle click… Darn thing might as well have a mac mouse.
April 10, 2013 at 12:44 am #52498TribanParticipant
Sounds like you did a pretty good job at breaking stuff. Pick up some self study stuff for CEH to bone up on the material you may not be as familiar with and go from there. You should be able to pass the test. Or you can use this exercise to see if work will send you to training. You have the aptitude and some decent knowledge. You have proven you are an asset in this field for your company. Worth asking them. Hmm, no USB drives eh? can you reach other parts of the internal network from the terminal? File shares and such?
- You must be logged in to reply to this topic.