Windows Desktop Breakout
Author: HollyGraceful Published: 06 August 2021 Last Updated: 03 November 2022
Many organisations “lock down” their desktop environments to reduce the impact that malicious staff members and compromised accounts can have on overall domain security. Desktop restrictions can slow an attacker down, but it is often possible to “break out” of the restricted environment. Both assessing and securing these environments can be tricky, so here I’ll run you through how I assess them and highlight some of the tricks and the methodology I use, with the intention that both breakers and defenders get a better look at their options.
Depending on the particular configuration, the options available to a security assessor will differ; however, the general steps required are the same. How tightly the environment is locked down determines where in the chain you start. There are so many variations to desktop breakout that I’ll try to cover the base methodology here and as many “tricks” as possible. The aim of this article is to take you from a locked-down environment to arbitrary command execution; at that stage you’re ready to escalate privileges, which is a vast subject and already has its own tag on this site!
The steps are generally:
– Gain Access to a Dialog Box
– Abuse the dialog box to gain access to command execution
– Abuse command execution to escalate privileges
Gain Access to a Dialog Box
If you’re placed directly into an application, such as with a Citrix environment, you can abuse the normal functionality of the software to gain access to a dialog box. This can be either through the top menu bar, to access options such as “Save As” and “Open”, or through keyboard shortcuts to the same functions:
– Save As (Ctrl+S)
– Open (Ctrl+O)
– Print (Ctrl+P)
By default in modern Windows you can trigger accessibility options through key presses, and these options offer a route to an Explorer window:
– Pressing Shift five times
– Holding Shift for 8 seconds
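The two key presses above are the activation shortcuts for Sticky Keys and Filter Keys, and the same hotkey bit exists for Toggle Keys (holding Num Lock for 5 seconds), which the post does not mention. The following is an added example, not code from the original post, that audits and optionally clears those shortcuts for the current user. It assumes the standard per-user registry locations under HKCU\Control Panel\Accessibility and the documented 0x4 “hotkey active” bit in each feature’s Flags value.

```powershell
# Added example (not from the original post): audit and optionally disable the
# accessibility keyboard shortcuts that can open an Explorer/settings window
# from a locked-down session. Assumptions: the per-user registry keys under
# HKCU:\Control Panel\Accessibility and the 0x4 "hotkey active" bit of Flags.
$HotkeyBit = 0x4

$Features = @(
    @{ Name = 'Sticky Keys (Shift x5)';         Key = 'HKCU:\Control Panel\Accessibility\StickyKeys' }
    @{ Name = 'Filter Keys (hold Shift 8s)';    Key = 'HKCU:\Control Panel\Accessibility\Keyboard Response' }
    @{ Name = 'Toggle Keys (hold Num Lock 5s)'; Key = 'HKCU:\Control Panel\Accessibility\ToggleKeys' }
)

function Get-AccessibilityHotkeyState {
    # One object per feature: current Flags value and whether the activation
    # shortcut is still live (bit 0x4 set).
    foreach ($f in $Features) {
        $flags = [int](Get-ItemProperty -Path $f.Key -Name Flags -ErrorAction Stop).Flags
        [pscustomobject]@{
            Feature       = $f.Name
            RegistryKey   = $f.Key
            Flags         = $flags
            HotkeyEnabled = (($flags -band $HotkeyBit) -ne 0)
        }
    }
}

function Disable-AccessibilityHotkeys {
    # Clears the hotkey bit for every feature. Flags is stored as REG_SZ,
    # so the new value is written back as a string (e.g. 510 -> 506).
    foreach ($f in $Features) {
        $flags = [int](Get-ItemProperty -Path $f.Key -Name Flags -ErrorAction Stop).Flags
        $new   = $flags -band (-bnot $HotkeyBit)
        Set-ItemProperty -Path $f.Key -Name Flags -Value ([string]$new)
    }
}

# Usage: audit first; call Disable-AccessibilityHotkeys to remediate.
Get-AccessibilityHotkeyState | Format-Table -AutoSize
Get-AccessibilityHotkeyState | Where-Object HotkeyEnabled | ForEach-Object {
    Write-Warning "Activation shortcut still enabled for $($_.Feature) ($($_.RegistryKey))"
}
```

These values are per-user, so for a fleet they belong in a Group Policy Preference or the default user hive rather than a one-off script, and a changed Flags value generally takes effect at the user’s next logon.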
Abusing Dialog Boxes
Once you’ve gained access to a dialog box or Windows Explorer window, the aim is to gain access to cmd.exe, ftp.exe or an arbitrary exe file. This can be as simple as typing the path of the command line into Windows Explorer, which is C:\windows\system32\cmd.exe. However, often you will be prompted with a warning stating that access to CMD has been restricted by an administrator; in this case an alternative method must be used, and the attacker should aim to access one of the following:
– .bat files
– arbitrary exes (such as those delivered on USB pens, via email, over file shares or downloaded from the Internet)
Once the ability to execute arbitrary commands has been achieved, the attacker has a lot of flexibility to escalate privileges, such as listing account lockout policies and lists of domain users and domain administrators, and determining potential weaknesses in Windows services.
The general process:
Immediately I go for the easy win and try to access cmd.exe from the start menu. Here you can see the default denied message, as the administrator has restricted access. So our target is command execution, but we have to get it indirectly.
We can access Windows Explorer, but access to most drives/folders is restricted and, as before, right-click has no effect. One of our options then is to use the “Home” menu at the top of the Explorer window to create a new shortcut.
We can set the location to “ftp”, which will find the default ftp.exe within the System32 directory and create a shortcut to it. By default, this prompt gives us the ability to execute arbitrary operating system commands by prefixing the command with an exclamation mark, for example !ipconfig, as shown:
At this point we have arbitrary command execution: we’ve broken out of the desktop restrictions and are in a position to start looking for methods of privilege escalation.
If, however, the trick I’ve shown above doesn’t work, you’re not out of luck. Stick to the idea of abusing dialog boxes and menus to gain access to any of the commands in the list at the top of this post (ftp, powershell, wscript, etc.). Another method we could have used would be to open notepad.exe from the start menu and create a new batch file (a file ending in .bat which, when double-clicked in Windows, will execute the commands listed in the file). We can either use this batch file to execute commands directly, or access FTP from it to use the !-prefix trick as before.
Another thing to keep in mind is that the default group policy restriction prevents an attacker from gaining an interactive shell through cmd.exe, although it doesn’t prevent command execution through cmd! This can be achieved by supplying a command to cmd as a parameter using the /K switch, for example: cmd.exe /K ipconfig
Another method of getting command execution is through Visual Basic script execution: if it’s installed, you can execute Visual Basic for Applications (VBA) through Microsoft Office documents, or alternatively Visual Basic scripts can be executed through .vbs files.
An attacker’s next steps will likely be enumeration through commands such as the following:
net user /domain
net group "Domain Admins" /domain
net localgroup administrators
net accounts
net accounts /domain
These commands, respectively, list: domain users, domain administrators, local administrators, local account lockout policy, and domain account lockout policy.
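Each step of the chain above leaves a distinctive process-creation record: the ftp.exe ! prefix makes ftp.exe the parent of cmd.exe, the /K trick puts the switch on the cmd.exe command line, and the enumeration commands put /domain on net.exe’s command line. The following is an added detection example, not code from the original post, that scores such records. It assumes process-creation auditing (Security event 4688) with command-line logging is enabled; the sample records are constructed for illustration, and the hypothetical helper names are mine.

```powershell
# Added example (not from the original post): flag Security 4688 records that
# match the breakout chain described in the post. Assumptions: 4688 auditing
# with command-line logging is on; sample records below are constructed.
$Interpreters = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
# Programs that have no business launching a command interpreter on a
# locked-down desktop: the ftp client, the script hosts and Office.
$OddParents   = @('ftp.exe', 'cscript.exe', 'wscript.exe', 'winword.exe', 'excel.exe')

function Test-BreakoutProcess {
    # Takes a flat record (NewProcessName, ParentProcessName, CommandLine) and
    # returns a reason string on a match, otherwise $null.
    param([pscustomobject]$Record)
    $child  = [IO.Path]::GetFileName($Record.NewProcessName).ToLower()
    $parent = [IO.Path]::GetFileName($Record.ParentProcessName).ToLower()
    if ($child -in $Interpreters -and $parent -in $OddParents) {
        return "interpreter $child launched by $parent"
    }
    if ($child -eq 'cmd.exe' -and $Record.CommandLine -match '\s/[kK]\s') {
        return 'cmd.exe started with /K (command execution despite the interactive-prompt restriction)'
    }
    if ($child -eq 'net.exe' -and $Record.CommandLine -match '/domain') {
        return 'domain enumeration via net.exe'
    }
    return $null
}

function ConvertFrom-ProcessCreationEvent {
    # Maps a live 4688 EventLogRecord to the flat shape Test-BreakoutProcess expects,
    # reading the EventData fields by name from the event XML.
    param($EventRecord)
    $xml  = [xml]$EventRecord.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        NewProcessName    = $data['NewProcessName']
        ParentProcessName = $data['ParentProcessName']
        CommandLine       = $data['CommandLine']
    }
}

# Constructed sample records standing in for real 4688 events.
$Samples = @(
    [pscustomobject]@{ NewProcessName = 'C:\Windows\System32\cmd.exe';     ParentProcessName = 'C:\Windows\System32\ftp.exe'; CommandLine = 'cmd /c ipconfig' }
    [pscustomobject]@{ NewProcessName = 'C:\Windows\System32\cmd.exe';     ParentProcessName = 'C:\Windows\explorer.exe';     CommandLine = 'cmd.exe /K ipconfig' }
    [pscustomobject]@{ NewProcessName = 'C:\Windows\System32\net.exe';     ParentProcessName = 'C:\Windows\System32\cmd.exe'; CommandLine = 'net group "Domain Admins" /domain' }
    [pscustomobject]@{ NewProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe';     CommandLine = 'notepad.exe' }
)

foreach ($s in $Samples) {
    $why = Test-BreakoutProcess -Record $s
    if ($why) { Write-Output "ALERT: $why :: $($s.CommandLine)" }
}

# To run over the live Security log instead of the samples:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-ProcessCreationEvent $_ } |
#     ForEach-Object { if ($w = Test-BreakoutProcess -Record $_) { "ALERT: $w :: $($_.CommandLine)" } }
```

Run against the samples, the first three records alert and the notepad record does not. The parent-child rule is the robust one: the !-prefix trick always surfaces as ftp.exe spawning cmd.exe regardless of what command follows, whereas the command-line rules depend on command-line auditing being enabled.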
So how do we prevent all of this? The issue is really that even in a restrictive environment an attacker can often use many built-in features of the Windows operating system to gain command execution at their privilege level on the local machine. Defence in depth should be used, where protection mechanisms are put in place both to prevent command execution wherever possible and to prevent privilege escalation. The first can be achieved through application whitelisting, so that authorised users can only execute a predefined list of known-good software, thereby blocking “breakout tricks” such as using cscript.exe and ftp.exe. Simply blocking “known bad” applications based on a hash, filename or file path is often ineffective, especially where an attacker can enumerate the blacklist, as this will lead to more effective attempts at bypassing protection mechanisms.
Additionally, escalation can be prevented by ensuring that all workstation patches are installed, not only for the operating system itself but also for added software such as Flash, Java and web browsers. Unnecessary software and services should be removed, such as “bloatware” which is often bundled by the vendor on new machines. By reducing the number of services installed it is less likely that security misconfigurations (such as unquoted service paths) will occur, and it reduces the attack surface an attacker has to target. Additionally, restricting or removing unnecessary built-in Windows features such as the FTP or Telnet client (the latter of which is now removed by default on modern Windows) will further reduce the attack surface.
Finally, defences can be assessed through good offensive techniques: take a look at the steps listed above and see whether any of the potential pathways to dangerous applications or scriptable environments is possible.
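The two controls the post contrasts, the group policy restriction behind the cmd.exe denial message and application whitelisting, can both be checked on a workstation before an assessor goes looking for breakout paths. The following is an added example, not code from the original post, that reports the state of both. It assumes the “Prevent access to the command prompt” user policy is stored as HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD (1 blocks the interactive prompt only, 2 also disables batch-file processing) and that the AppLocker cmdlets, which ship with Windows, are available; the function names are mine.

```powershell
# Added example (not from the original post): audit the command-prompt policy
# and the effective AppLocker decision for the built-in binaries used in the
# breakout tricks. Assumptions: DisableCMD semantics (1 = interactive prompt
# only, 2 = also disable script processing) and the AppLocker cmdlets.

function Get-CommandPromptPolicy {
    $path  = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $value = $null
    if (Test-Path $path) {
        $value = (Get-ItemProperty -Path $path -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
    }
    if ($null -eq $value -or $value -eq 0) {
        $state = 'Not restricted: cmd.exe, cmd /K and .bat files all run'
    } elseif ($value -eq 1) {
        $state = 'Interactive prompt blocked only: cmd /K <command> and .bat files still run'
    } elseif ($value -eq 2) {
        $state = 'Interactive prompt blocked and batch-file processing disabled'
    } else {
        $state = "Unexpected DisableCMD value $value"
    }
    [pscustomobject]@{ DisableCMD = $value; State = $state }
}

function Test-BreakoutBinaries {
    # Asks AppLocker what it would decide for each candidate binary, as the given user.
    param([string]$User = 'Everyone')
    $candidates = @(
        'C:\Windows\System32\cmd.exe',
        'C:\Windows\System32\ftp.exe',
        'C:\Windows\System32\cscript.exe',
        'C:\Windows\System32\wscript.exe',
        'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    ) | Where-Object { Test-Path $_ }

    # Effective policy = local policy merged with whatever domain policy applies here.
    $policy = Get-AppLockerPolicy -Effective
    if (-not $policy.RuleCollections) {
        Write-Warning 'No AppLocker rules are in effect; every candidate is allowed by default.'
    }
    Test-AppLockerPolicy -PolicyObject $policy -Path $candidates -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

Get-CommandPromptPolicy
Test-BreakoutBinaries -User 'Everyone' | Format-Table -AutoSize
```

DisableCMD governs cmd.exe only; the script hosts and PowerShell are untouched by it, which is why the AppLocker decisions are the part of this output that matters. A PolicyDecision of Allowed or AllowedByDefault for ftp.exe, cscript.exe or wscript.exe for ordinary users means the tricks above remain available even when the start-menu cmd.exe shows the denial message.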