
Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)
You can donate via Bitcoin or Patreon!

Windows Desktop Breakout

Many organisations “lock-down” their desktop environments to reduce the impact that malicious staff members and compromised accounts can have on the overall domain security. Many desktop restrictions can slow down an attacker but it’s often possible to “break-out” of the restricted environment. Both assessing and securing these desktop environments can be tricky, so I’ll run you through how I assess them here, highlight some of the tricks and the methodology that I use with the intention that both breakers and defenders can get a better look at their options.

Depending on the particular configuration the options available to a security assessor will differ, however the general steps required will be the same. The tightness of the environment will determine where in the chain you start. There are so many variations to desktop breakout that I’ll try to cover the base methodology here and as many “tricks” as possible. The aim of this article is to take you from a locked down environment to arbitrary command execution. At that stage you’re ready to escalate privileges, which is a vast subject and so it has its own tag on this site already!

The steps are generally:

– Gain Access to a Dialog Box
– Abuse the dialog box to gain access to command execution
– Abuse command execution to escalate privileges

 

Gain Access to a Dialog Box

If you’re placed directly into an application, such as with a Citrix environment, you can abuse the normal functionality of the software to gain access to a dialog box. This can either be through the top menu bar, to access options such as “Save As” and “Open”, or alternatively through keyboard shortcuts to the same functions:

Default Functions:
– Save As (Ctrl+S)
– Open (Ctrl+O)
– Print (Ctrl+P)

Accessibility Options

By default within modern Windows you can access accessibility options through key presses – these options offer access to an explorer window:
– Shift x5
– Holding shift for 8 seconds

Abusing Dialog Boxes

Once you’ve gained access to a dialog box or Windows Explorer box the aim is to gain access to cmd.exe, ftp.exe or an arbitrary exe file. This can be as simple as typing the address of the command line into Windows Explorer, which is C:\windows\system32\cmd.exe. However, often you will be prompted with a warning stating that access to CMD has been restricted by an administrator. In this case an alternative method must be used and the attacker should aim to access one of the following:

– .bat files
– ftp.exe
– powershell.exe
– schtasks.exe
– cscript.exe
– wscript.exe
– arbitrary exes (such as those delivered on USB pens, via email, over file shares or downloaded from the Internet)

Once the ability to execute arbitrary commands has been achieved the attacker has a lot of flexibility to enable them to escalate privileges, such as listing account lockout policies, listing domain users and domain administrators, and determining potential weaknesses in Windows services.

Breakout Example

I think the best way to get an appreciation for the steps involved and the typical targets is to run you through an example of a breakout. Here I’ve got a Windows 8.1 Pro client machine hooked into my domain and locked down using Group Policy. Most options have been removed, there are no desktop icons and right-click has no effect.

A screenshot of the Windows 8.1 desktop.

Immediately I go for the easy-win and try and access cmd.exe from the start menu. Here you can see the default denied message as the administrator has restricted access. So our target is command execution, but we have to get it indirectly.

A CMD window open on the Windows desktop displaying a message stating that access to CMD has been restricted.

We can access Windows Explorer, but access to most drives/folders is restricted and as before, right click has no effect. One of our options then is to utilise the “Home” menu at the top of the Explorer Window to create a new shortcut.

A screenshot showing the user creating a new shortcut.

We can set the location to “ftp”, which will find the default ftp.exe within the System32 directory and create a shortcut to this file.

A screenshot showing the create shortcut menu. The user has typed the path "ftp".

When we execute this file we gain the FTP prompt, as shown below:

A screenshot showing the shortcut executed and a window showing the ftp> prompt.

By default, this prompt gives us the ability to execute arbitrary operating system commands, by prefixing the command with an exclamation mark. For example, !ipconfig, as shown:

A screenshot showing the command ipconfig has been run by prefixing it with an exclamation point.

At this point we have arbitrary command execution and we’ve broken out of the desktop restrictions and are in the position to start looking for methods of privilege escalation.

If, however, the one trick I’ve shown above doesn’t work, you’re not out of luck. Stick to the idea of abusing dialog boxes and menus to gain access to any of the commands in the list at the top of this post – ftp, powershell, wscript, etc. Another method we could have used would be to open notepad.exe from the start menu, and create a new batch file (a file that ends .bat which when double-clicked in Windows will execute the commands listed in the file). We can either utilise this batch file to execute commands directly, or we can access FTP to use the !-prefix trick as before.

A screenshot showing a batch file has been created which executes the command "ftp".

Another thing to keep in mind is that the default group policy restriction prevents an attacker from gaining an interactive shell through CMD.exe although it doesn’t prevent command execution through CMD! This can be achieved by supplying a command to cmd as a parameter using the switch /K. For example: cmd.exe /K ipconfig

This is shown below, demonstrated through batch file execution although it’ll work in many different contexts.

A batch file which executes the command "cmd.exe /K ipconfig" to bypass cmd.exe access restrictions.

Another method of getting command execution is through Visual Basic Script execution. If it’s installed you can execute Visual Basic (VBA) through Microsoft Office documents, or alternatively Visual Basic scripts can be executed through .vbs files. The following screenshot demonstrates command execution through VB saved in a VBS file. The contents of the file are shown in the open Notepad document, and the script executes when the attacker double-clicks the file on the desktop.

A screenshot showing the command ipconfig has been run by using WScript access on Windows, executed by a batch script.

An attacker’s next steps will likely be enumeration through commands such as the following:

net user /domain
net group "Domain Admins" /domain
net localgroup administrators
net accounts
net accounts /domain

These commands, respectively, list: domain users, domain administrators, local administrators, local account lockout policy, and domain account lockout policy.
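
From the defender's side, the breakout steps above and these enumeration commands leave a recognisable process-creation trail. The sketch below is an added example, not part of the original post: it runs over constructed records whose field names (Parent, Image, CommandLine) are placeholders, and it assumes ftp.exe hands !-prefixed commands to cmd.exe, so that cmd.exe appears as a child of ftp.exe.

```powershell
# Added example. Constructed process-creation records (not real log data);
# Parent / Image / CommandLine are placeholder field names.
$records = @(
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe';     Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe';     Image = 'C:\Windows\System32\ftp.exe';     CommandLine = 'ftp' }
    [pscustomobject]@{ Parent = 'C:\Windows\System32\ftp.exe'; Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /C ipconfig' }
    [pscustomobject]@{ Parent = 'C:\Windows\System32\cmd.exe'; Image = 'C:\Windows\System32\cmd.exe';     CommandLine = 'cmd.exe /K ipconfig' }
    [pscustomobject]@{ Parent = 'C:\Windows\explorer.exe';     Image = 'C:\Windows\System32\wscript.exe'; CommandLine = 'wscript.exe "C:\Users\example\Desktop\example.vbs"' }
    [pscustomobject]@{ Parent = 'C:\Windows\System32\cmd.exe'; Image = 'C:\Windows\System32\net.exe';     CommandLine = 'net group "Domain Admins" /domain' }
)

function Get-BreakoutFinding {
    param([Parameter(Mandatory)] [psobject] $Record)

    # Compare on the file name only, in lower case.
    $image  = ($Record.Image  -split '\\')[-1].ToLowerInvariant()
    $parent = ($Record.Parent -split '\\')[-1].ToLowerInvariant()
    $cmd    = $Record.CommandLine

    $reason = if ($parent -eq 'ftp.exe' -and $image -eq 'cmd.exe') {
        # Assumption: the ftp> "!" prefix is served by a cmd.exe child process.
        'command run from the ftp> prompt'
    } elseif ($image -eq 'cmd.exe' -and $cmd -match '\s/k(\s|$)') {
        'cmd.exe given a command with /K'
    } elseif ($parent -eq 'explorer.exe' -and ($image -in @('ftp.exe', 'wscript.exe', 'cscript.exe'))) {
        'breakout target started from Explorer'
    } elseif (($image -in @('net.exe', 'net1.exe')) -and $cmd -match '\s(user|group|localgroup|accounts)(\s|$)') {
        'account or policy enumeration with net'
    }

    # Emit a finding only when one of the rules matched.
    if ($reason) {
        [pscustomobject]@{ Image = $image; Parent = $parent; Reason = $reason; CommandLine = $cmd }
    }
}

$findings = $records | ForEach-Object { Get-BreakoutFinding -Record $_ }
$findings | Format-Table -AutoSize -Wrap
```

On a real host the same three fields would come from process-creation auditing. The rules are only meaningful on locked-down desktops where these binaries have no legitimate use.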

 

Defending

So how do we prevent all of this? Well the issue really is that even in a restrictive environment an attacker can often flex many built-in features of the Windows operating system to gain command execution at their privilege level on the local machine. Defence in depth should be used: protection mechanisms should be put in place to prevent command execution wherever possible, and steps should be taken to prevent privilege escalation. The first can be achieved through application white-listing, so that authorised users can only execute a predefined list of known good software, which blocks “breakout tricks” such as utilising cscript.exe and ftp.exe. Simply blocking “known bad” applications based on a hash, filename or filepath is often ineffective – especially where an attacker can enumerate the blacklist as this will lead to more effective attempts at bypassing protection mechanisms.
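
One way to check this on a workstation, as an added example rather than anything from the original post: assuming AppLocker is the white-listing mechanism in use, the PowerShell below asks the effective policy whether the breakout targets listed earlier would be allowed to run for a given user. The $User default and the inclusion of the SysWOW64 copies are assumptions of this example.

```powershell
# Added example: test the effective AppLocker policy against the breakout
# targets named in this article. Assumes AppLocker is the allow-list in use.
param([string]$User = 'Everyone')   # assumption: user or group to evaluate

Import-Module AppLocker -ErrorAction Stop

# Executables from the article's target list, relative to a system directory.
$names = @(
    'cmd.exe', 'ftp.exe', 'schtasks.exe', 'cscript.exe', 'wscript.exe',
    'WindowsPowerShell\v1.0\powershell.exe'
)

# Check the 32-bit copies as well; run this from 64-bit PowerShell so that
# System32 is not redirected.
$dirs = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }
$targets = foreach ($d in $dirs) { foreach ($n in $names) { Join-Path $d $n } }

# Only test files that actually exist on this machine.
$present = @($targets | Where-Object { Test-Path -LiteralPath $_ })

$results = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $present -User $User

$results | Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Anything reported as Allowed is a breakout target the user could still run.
$runnable = @($results | Where-Object { $_.PolicyDecision -eq 'Allowed' })
if ($runnable.Count -gt 0) {
    Write-Warning ("{0} breakout target(s) allowed for {1}" -f $runnable.Count, $User)
}
```

The result reflects rule matching, so confirm separately that the executable rule collection is set to enforce rather than audit only. Batch and .vbs files fall under script rules and need their own check.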

Additionally, escalation can be prevented by ensuring that all workstation patches are installed, not only for the operating system itself but also for added software such as Flash, Java and the Web Browsers. Unnecessary software and services should be removed, such as “bloatware” which is often bundled by the vendor on new machines. Plus by reducing the number of services installed it is less likely that security misconfiguration (such as unquoted service paths) will occur and it reduces the attack surface an attacker has to target. Additionally, restricting or removing unnecessary built-in Windows features such as the FTP or Telnet client (the latter of which is now removed by default on modern Windows) will further reduce the attack surface.

Finally, defence can be assessed through good offensive techniques: take a look at the steps listed above and see if any of the potential pathways to dangerous applications or scriptable environments are possible.