First of all, I apologize if this is in the wrong location/forum, or totally inappropriate to ask. I checked around, but didn't see anything explicitly wrong with this. I also apologize in advance for the length, and really appreciate any help!
I am 25 and have been on computers since I was 8. I am pretty advanced in computers and currently have several MCPD's for development (I know- C# sucks or whatever)... I know a good bit about networking and administration, but have never really had my own environment to mess around in. I hope to change that soon and setup a v-farm at home to test around in. I have always been really interested in security while programming, and try to test programs our companies develop to make sure at least there is some level of security in their logic, authentication, and authorization procedures. My end goal is hopefully to gain enough knowledge in the networking and infrastructure area that I can take the CEH.
So enough of the back story, here is my current situation. I am really the only one at my company of 150 that really knows more than the average person about security, and as such, was asked by one of our PM's to try and 'hack' a solution that our core infrastructure team had built. The solution was meant to provide a secure testing environment that allowed access to only 1 website, and 1 website only. The main blocks were to make sure that the audience could not access other internet, email, or system resources. The solution is basically a WYSE zero client, in a specific vlan that all traffic then goes through a barracuda filter. The WYSE client connected to Citrix receiver and connected to a Windows 7 Enterprise VM.
The first time I had a hack (pun not intended) at the system, I was actually able to achieve all of the tasks of accessing system files, accessing internet sites, and sending emails. The environment had been secured by group policy:
1 - 1 icon on desktop for IE directly linked to testing site
2 - start menu reduced to logoff/disconnect, Windows Security button, and link to testing site
3 - start menu search/execute/address bar non-functional
4 - Win+E disabled
5 - Win+R disabled
6 - CTRL+ALT+DEL only allowed logoff or cancel
7 - CTRL+SHIFT+N disabled on desktop (attempt to get into FS)
8 - Initial browser had 0 toolbar, however opening via desktop gave address bar/toolbars
9 - All web browsing not on testing site blocked
So initially, I accessed the filesystem via shell:system in the address bar. Even though the drives had been restricted access via GP, I could still use that to get into sys32, and then anywhere. CMD, mmc, all control panels, taskmgr, etc, were completely locked down. If I had spent more time, I would have tried to maybe use a bat file (I could open notepad/mspaint/etc low risks) to replace a service file so that it would elevate permissions, but I was limited on time so didn't get to test that.
The next thing I did was to use the address bar in IE to navigate to one of google's ips (yeah, I have some blocks memorized). I figured that they might only be blocking dns lookup. Trying to access http://188.8.131.52/ resulted in a block page, however knowing that google now provides a https option, I changed the protocol to that, and was successfully on the internet. I was able to access web proxies via IP and get into gmail and send an email.
This was my first real 'hacking' attempt for work, and not even really so - it was simple stuff really. But that didn't stop me from being ecstatic. Well, after I gave them my report, they worked on securing alot of the VM and had me give another go at it today.
They had gone and hidden the address bar and toolbars from IE via GP, and I couldn't get them back at all, even via the desktop shortcut. None of the key shortcuts for 'open url...' worked. I was about to call defeat (even though I figured they still hadn't blocked IP navigation) when I remembered about the IE shortcut for navigating to copied URL. I typed the same IP as earlier for google into a textbox on the website, copied it, and then pressed CTRL+SHIFT+L, and I was at google. I was also still able to access shell:system.
After I finished my go at it today, I think I finally got it through their heads that they NEED to only allow IPs for the testing site, and block all others. They are also working on trying to disable the CTRL+SHIFT+L shortcut, so that takes away one of my navigation bars right there. The other one that I got to was the download box (CTRL+J) and was able to click Options>>Browse, but they are disabling that box as well.
As I said, I am a total noob to this, and don't really have a CI background. I know what a barracuda filter is, but that's about it. I have messed around with GP a bit, but I am by no means an expert. So, I come to you. I am now 2 for 0 and very excited. I would love to try and get through 1 more time and be successful. I will have my chance soon, but after they make these changes, I am not sure what else I can do. What other ways are there to get to an address bar so that I can access system resources or attempt direct navigation to sites. If they setup the barracuda as I said, is there any way that you can think that I'd be able to defeat it? The only thing I had though (only because I think the CI guy said blocking by hostheader) was to be able to somehow add a hosts entry or similar to map the testing domain to something like google's ip... That should only work if they didn't do it correctly - or at least that's what I think. I have done lots, and am sure I have forgot some things here, so if you have any questions or suggestions on whatelse I could attempt, I would be GREATFUL!