Many organizations these days use restricted windows environment to reduce the surface of vulnerability. The more the system is hardened the less the functionalities are exposed.
I recently ran across such a scenario, where an already hardened system was protected by McAfee Solidcore. Solidcore was preventing users from making any changes to the system like installing/un-installing softwares, running executables, launching applications etc.
The system (Windows 7) which I was testing, boots right on to the application login screen while restricting access to other OS functionalities.
I could not do anything with that system except for restarting it. I spent a whole week in gathering information about the application and the system, which includes social engineering as well 😛
And then I got an entry point to start with. The credentials to login to the application(that gave me headache for one week) was available on Internet (thanks to Google dork). The credential I got was admin credential.
Once logged in, there wasn’t much to do or access any functionalities of the host machine. The application was very well designed, to prevent users from accessing any of the host functionalities.
However, the application had an option to print documents, which actually allowed me to access to file explorer of the host machine.
Print-->printer settings-->add a printer-->location-->browse location
Every windows file explorer has a windows help option which provides free help about windows features. It was possible to open command prompt from the help option.
I was only able to open command prompt but not any other windows application. Even after getting access to command prompt I was unable to do any changes in the system(not even opening a notepad). Every windows application that I tried to open, ended up with the following error message:
The error was very clear that the application is blocked and it can either be enabled from registry editor or group policy editor. However I had access to none due to Solidcore restriction. I used the following batch script to modify registry key and enable task manager(though I was not sure if it was actually blocked from registry editor or group policy editor):
And to my surprise I was able to unlock task manager. Similarly I was able to unlock and open control panel. My main objective was to disable or uninstall Solidcore as it was restricting the desktop environment. But then the system kept on giving me challenges. I was able to uninstall any software except for Solidcore.
Then there was only one way left to disable Solidcore / enable installation of other software and that was “Group Policy Editor“. However I didn’t have direct access to gpedit. I used the following way to get access to gpedit:
Open Task manager-->File -->New task-->Type MMC and enter
This opened Microsoft Management Policy
In mmc File-->Add/Remove snap-in--> Select Group Policy Objects and click on add
Now I was able to perform numerous actions like enabling blocked system applications, allowing access to Desktop, disabling windows restrictions etc. As mentioned earlier, my main objective was to disable Solidcore and find out a way to run any windows executable.
Group Policy editor provides an option to run/block only allowed windows software. And this policy can be set in the following way:
Group Policy editor-->User Configuration > Administrative Templates > System
On the right side there's option "Do not run specified windows applications". Click on that:
Edit-->Select Enabled-->Click on show list of disallowed applications--> then add the application name that you want to block(in my case it was solidcore). Then click "Ok" .
To apply changes I restarted my system. In the same way it was possible to enable list of allowed applications that can run in windows(a malicious software as well).
And that’s how I was able to break out of a completely restricted desktop environment