PayloadsAllTheThings/Methodology and Resources/Escape Breakout.md
2020-12-17 08:56:58 +01:00

111 lines
3.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Application Escape and Breakout
## Summary
* [Gaining a command shell](#gaining-a-command-shell)
* [Sticky Keys](#explorer---sticky-keys)
* [Dialog Boxes](#dialog-boxes)
* [Creating new files](#creating-new-files)
* [Open a new Windows Explorer instance](#open-a-new-windows-explorer-instance)
* [Exploring Context Menus](#exploring-context-menus)
* [Save as](#save-as)
* [Input Boxes](#input-boxes)
* [Bypass file restrictions](#bypass-file-restrictions)
* [Internet Explorer](#internet-explorer)
* [Shell URI Handlers](#shell-uri-handlers)
* [References](#references)
## Gaining a command shell
* **Shortcut**
* [Window] + [R] -> cmd
* [CTRL] + [ALT] + [SHIFT] -> Task Manager
* **Access through file browser**: Browsing to the folder containing the binary (i.e. `C:\windows\system32\`), we can simply right click and `open` it
* **Drag-and-drop**: dragging and dropping any file onto the cmd.exe
* **Hyperlink**: `file:///c:/Windows/System32/cmd.exe`
* **Task Manager**: `File` > `New Task (Run...)`
* **MSPAINT.exe**
* Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
* Zoom in to make the following tasks easier
* Using the colour picker, set pixels values to (from left to right):
* 1st: R: 10, G: 0, B: 0
* 2nd: R: 13, G: 10, B: 13
* 3rd: R: 100, G: 109, B: 99
* 4th: R: 120, G: 101, B: 46
* 5th: R: 0, G: 0, B: 101
* 6th: R: 0, G: 0, B: 0
* Save it as 24-bit Bitmap (*.bmp;*.dib)
* Change its extension from bmp to bat and run
## Sticky Keys
* Spawn the sticky keys dialog
* Via Shell URI : `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}`
* Hit 5 times [SHIFT]
* Visit "Ease of Access Center"
* You land on "Setup Sticky Keys", move up a level on "Ease of Access Center"
* Start the OSK (On-Screen-Keyboard)
* You can now use the keyboard shortcut (CTRL+N)
## Dialog Boxes
### Creating new files
* Batch files Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
* Shortcuts Right click > New > Shortcut > `%WINDIR%\system32`
## Open a new Windows Explorer instance
* Right click any folder > select `Open in new window`
## Exploring Context Menus
* Right click any file/folder and explore context menus
* Clicking `Properties`, especially on shortcuts, can yield further access via `Open File Location`
### Save as
* "Save as" / "Open as" option
* "Print" feature selecting "print to file" option (XPS/PDF/etc)
* `\\127.0.0.1\c$\Windows\System32\` and execute `cmd.exe`
### Input Boxes
Many input boxes accept file paths; try all inputs with UNC paths such as `//attackerpc/` or `//127.0.0.1/c$` or `C:\`
### Bypass file restrictions
Enter *.* or *.exe or similar in `File name` box
## Internet Explorer
### Download and Run/Open
* Text files -> opened by Notepad
### Menus
* The address bar
* Search menus
* Help menus
* Print menus
* All other menus that provide dialog boxes
## Shell URI Handlers
* shell:DocumentsLibrary
* shell:Librariesshell:UserProfiles
* shell:Personal
* shell:SearchHomeFolder
* shell:System shell:NetworkPlacesFolder
* shell:SendTo
* shell:Common Administrative Tools
* shell:MyComputerFolder
* shell:InternetFolder
## References
* [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
* [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)