Windows Breakout Techniques

In penetration testing, security assessments of restricted environments (such as VDI - Virtual Desktop Infrastructure) or applications - often called environment or application jailbreaks/breakouts - are pretty common. Usually, these environments offer the bare minimum functionality to users (for example only a browser for kiosks, or strict application controls that don’t allow cmd.exe to be launched) as one step closer to securing the environment. Although many articles already exist for the same purpose, this post is an attempt to document as many ways as possible to launch either a command prompt (cmd.exe) or a PowerShell prompt (powershell.exe) within a locked-down environment that doesn’t allow direct launching of cmd.exe. The ultimate goal is for it to serve as a reference for penetration testers and to raise the awareness of those interested in defending their environments.

This page contains the following sections:

Directly launching utilities

Always check if you can directly access and launch cmd.exe, powershell.exe, powershell_ise.exe, taskmgr.exe, explorer.exe! Sometimes the needle you are looking for is the huge one your grandma used to sew duvet covers ;)

Windows Start menu

A right click on the Windows Start menu on Windows 10 opens a context menu that allows users to open utilities such as PowerShell, Task Manager and File Explorer. In restricted environments that do not allow the direct launch of these utilities, the Start menu may be a good alternative.

cmd from Microsoft Edge via “Load profile…” functionality

It’s possible to launch cmd from Microsoft Edge by loading a profile and taking advantage of the dialog box that opens. The steps to reproduce this:

For defenders: In this case, the parent process of cmd.exe is msedge.exe, and therefore the parent-child process relationship is a pretty solid indicator of suspicious activity. Think about it… why would Microsoft Edge spawn a command prompt? To add to the suspiciousness, it would be good to check the command line arguments of processes launched by this specific command prompt. The chain msedge.exe -> cmd.exe -> net.exe user can be good enough to flag a compromise.
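As an added illustration of the defender's check above (not code from the original post), the following Python scans constructed process-creation events, with fields in the spirit of Sysmon Event ID 1, for a cmd.exe or powershell.exe whose parent is msedge.exe, and raises the severity when that shell in turn spawns net.exe. The event records and process IDs are sample data made up for this example.

```python
# Constructed process-creation events (sample data, not real telemetry).
# Fields mirror the essentials of Sysmon Event ID 1: pid, parent pid, image, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe",     "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},  # normal parent, not flagged
]

BROWSERS = {"msedge.exe"}                                   # parents that should not spawn shells
SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}  # interactive shells of interest
RECON = {"net.exe", "net1.exe", "whoami.exe"}               # children that escalate the finding


def basename(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_browser_shells(events):
    """Return one finding per shell whose parent is a browser.

    Severity is 'medium' for browser -> shell alone and 'high' when the shell
    also spawned a reconnaissance-style child such as net.exe.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in SHELLS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in BROWSERS:
            continue
        children = [c for c in events
                    if c["ppid"] == e["pid"] and basename(c["image"]) in RECON]
        chain = [basename(parent["image"]), basename(e["image"])]
        chain += [basename(c["image"]) for c in children]
        findings.append({
            "pid": e["pid"],
            "severity": "high" if children else "medium",
            "chain": " -> ".join(chain),
            "child_cmdlines": [c["cmdline"] for c in children],
        })
    return findings


if __name__ == "__main__":
    for f in detect_browser_shells(EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['chain']} {f['child_cmdlines']}")
```

Running it on the sample events flags only the Edge-spawned cmd.exe (pid 200) as high severity; the cmd.exe launched from explorer.exe is left alone.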

cmd from Microsoft Edge via “Print” functionality

The print functionality offers another way to open a dialog box and therefore the chance to launch a command prompt or any other process. The steps to achieve this:

cmd from Microsoft Edge via “Save As” functionality

In the browser, users have the option to save a page by right clicking and selecting “Save As”. Exactly as in the previous two sections, a dialog box opens up; simply type the path to cmd.exe (alternatively, within the explorer window, right click on a directory and select Open in new window).

Task Manager

Windows Task Manager (taskmgr.exe) offers functionality to launch a process. Navigate to File -> Run new task. A box opens where you can type the name of a program, folder, document, or Internet resource to open.

How to get to Task Manager? The key combination Ctrl + Alt + Delete takes you to a Windows screen with a button to open Task Manager.

Resources

[1] https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/system-hardening-for-xenapp-and-xendesktop.pdf

[2] https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/

tags: #kiosk breakout