Video není dostupné.
Omlouváme se.
Kiosk BREAKOUT - Web Browser to Command Prompt (Easy Mode)
Vložit
- čas přidán 18. 08. 2024
- Setting up the Kiosk in "Easy Mode" (FrontFace Lockdown tool): • Kiosk BUILD - "Easy Mo...
For more content, subscribe on Twitch! / johnhammond010
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
PayPal: paypal.me/john...
E-mail: johnhammond010@gmail.com
Discord: johnhammond.or...
Twitter: / _johnhammond
GitHub: github.com/Joh...
If you would like to support the channel and I, check out Kite! Kite is a coding assistant that helps you code faster, on any IDE offer smart completions and documentation. www.kite.com/g... (disclaimer, affiliate link)
Words never spoken before by man:
"Yes, I want the Bing Wallpaper App"
💀
hahahahah
Lol that was a really good one 😂
I actually use that. Has really nice pics.
That response alone made me go to comment, then I saw yours. You beat me to it. This dude is amazing.
One trick from escaping kiosk-mode browsers, which has worked for me quite often is to click a link while holding down the shift key. This opens a new browser window, just like in your "final" escape. Shift is often allowed key in kiosks, because people want to be able to type also Capital letters.
Doesn't seem to work with the Firefox kiosk mode though, shift will still open a new window but it'll still be in kiosk mode.
Although I will note the the Ctrl+L keybind still functions and will let you change the url, at least in my testing environment with Firefox started as the main application
@@FatherlyFox if you can change the url then just type the url to access cmd or anything else
@@FatherlyFox ok, fair enough. I have recently only met chrome/chromium kiosks. Thanks for the info :)
@@DarisYT on a windows kiosk that'd be an issue, idk about Linux based kiosks where the first and only thing (obvs after PID 1) to start is the kiosk app whether it's a web browser or proprietary app leveraging direct graphics on linux. not sure how a web browser would escalate to a Code Execution situation when used as a kiosk barring obvs security issues that may arise from the program itself.
Just a cool feature: If you type "cmd" or "powershell" in the Windows Explorer path bar it'll open it in the current folder. 😁
yeah i use that all the time when developing discord bots to install packages and other stuff like that
Was just about to post exactly this. It also works in save dialogs, but more than likely it's locked down and inaccessible (but definitely worth a shot)
You've just made my life 10 times easier
omg Thank youuuuuuu!!!!
Shit didn't know that I usually right click or open tab on explorer to run cmd on path
I enjoyed the heck out of this. I used to do this when I was unsupervised in high school on a bunch of computers running Novel Netware. Netware would run an autologin.bat as your login script which ran as admin so you could simply modify that batch to run anything you wanted as you logged in. Game exes were blocked but the librarian caught me playing minesweeper once and was like how did you do that? "I dono, it was up when i got here..." Windows has so many different ways to do things that it's next to impossible to make something "foolproof" without bricking the whole OS.
lol thats true.
more than it is already broken :)
I used to do this too. The computers were "locked down" but in webpage design a webpage editor is basically just a text editor so we would use it to modify auto exec. The teacher loved us because we would fix the wall papers from internet explorer.
I don't think it was Netware, but my schools were running some Novell product on their computers. I had a couple of tricks I used. First, despite cmd.exe being locked down and not allowing command entry, for whatever reason batch scripts were able to execute single commands and return their output to a file. My choice entry point into gaining privileged access though was Microsoft's Visual Basic Script runtime, because, it was apparently possible to run commands with administrator access from a Visual Basic script. I didn't really abuse this as much as I could have, but I did manage to dump all of my classmate's school files, and I demonstrated my ability to access grades, test files, and assignments to a teacher (who did nothing about it).
I agree I had somewhat same adventure 😂
This was a breath of fresh air. I enjoy all of Johns content but I thoroughly enjoyed him finding ways around windows.
Just right-click any folder in the save as dialog and select "Open in new window" to get a full explorer window. Also, you can just type 'cmd' in the addressbar of the same save as dialog, opening a command prompt window in the current folder.
At 7:55 - Since mouse was working, pehaps we could copy and paste. So write the command in the textbox on the webpage or something, and copy and paste it.
How do you make it run without the keyboard even if it pastes
bing wallpaper app really coming in clutch 😁
10:12 😂I don't think anyone's ever been so excited to get the bing wallpaper app, beautiful moment.
I remember doing stuff like this with a food order kiosk at my school's cafeteria. Scanning my student card again and again would eventually result in a .NET runtime error and crash the ordering program. Then I would just have pure Windows 7 to use.
I remember almost always opening a web browser, going to CZcams, starting a video called "10 hours of noise" and then opening the ordering program again. Everyone who walked past saw the kiosk fully operational, but since it had speakers, it sounded like the fans were spinning at max speed thanks to the video in the background.
We also sometimes just crashed it, opened paint and left a blank canvas. Then we would just peek from around the corner, looking at people drawing on the touchscreen kiosk and getting yelled at by the teachers. Fun times.
Order kiosk on school? Must not have been long ago eh?. That didn't exist 13 years ago 🤣
@@208Concepts 8 years ago. It was used to choose a lunch for the next day.
@@FilFee yeah, we never had that 🤣
Not to burst your bubble, but Edge (or previously IE) is itself a file explorer.
So in this procedure, to get out of the "lock" you can do F1 -> type file:///C:/Windows/system32/cmd.exe on the address bar of Edge -> ? -> profit
no address bar
@@x3ICEx He did get an address bar when he previewed the Microsoft privacy statement at 4:55
@@robbgosset674 yes but not via "F1 -> type cmd.exe in the address bar of Edge -> ? -> profit"
@@robbgosset674 that browser only shows of you managed to guess the admin password....
@@niiiiiix no, admin password is demonstrated to be completely optional
On the Microsoft website, you could go to help and find a knowledge base article about Windows settings, often these include direct shortcut links that open a certain settings page in Win 10. If the kiosk doesn't have a keyboard, this would be a nice method to get touch access to the on-screen keyboard or other settings.
I think John should start a "Can I Hack This" Series.
This does bring back major memories for me. I remember when I was a kid the local JC Penny would have this wedding/baby shower registry computer in the front area and when my parents took my brother and me school clothes shopping my main objective to to break into that computer without raising suspicion …this was circa 1998 so getting around its kiosk mode was a simpler time…but the concept in practice with modern systems like this is literally exactly the same.
You could replace the lockdown exe with a link to explorer, or type: start . at the command prompt. Even change the help (F1) link to open explorer using the registry. So much fun can be had
I'm fond of making batch files if you can get notepad from a save dialogue...then using start foobar in the batch file can launch many a thing. If notepad is accessible then can also type some vb script. beauty.
I don't think that the lockdown.exe will be executed on start up. The app looks like a configuration tool which sets some local security policies and registry entries. You could replace it with something malicious (eg script to download and execute rat, then launch the original lockdown.exe), break the autostart of edge and wait for the admin to fix it.
hello I would like to have someone's help please, it's urgent I want to recover my Facebook account because there are photos of my mom '' peace to her soul '', I forgot the password and I do not receive the 6-digit code in my emergency mailbox and the telephone number is old. I am in France, please someone serious to help me !!! thank you
I like how you showed the struggles when something didn't work out the way you thought, instead of just skipping and just make a very brief summary of what happened. Cool video!
Here's a fun story... in my town there are these bus timetable terminals, no keyboard its all web based but touch screen. so only input you have is touching pre-defined links on the page.. and that was their security... windows wasn't locked down, just IE11(windows XP days people!!) in full screen mode.... however, this industrial kiosk outside in all sorts of weather was a big metal box, with no airflow, so they had to put a vent in and a cover! unscrewing the vent cover exposed the small little ITX sized PC inside with a nice reachable USB port for me to plug my backpack sized keyboard into! endgame!
Lol thats a physical hack
@@user-nq6si4iq6c yeah it is. Thanks 😊 I wasn’t sure when I physically removed the cover. And physically plugged the keyboard in. But it’s great you confirm.
This was so cool because I never thought about how to get out of a Kiosk before, and this shows so many options. Awesome!
Not only is FrontFace listening and fixing your attacks, but when it detects something it hasn't fixed it self-destructs the system. Curious and quite potent software.
10:13 never expected John Hammond to be excited that much on a Bing Wallpaper made me crack haha
This was super fun to watch. I wanna cut out "oooh bing wallpaper app" for meme purposes 🤣🤣
Love that energy and fun you always bring into all of your videos ! When I'll be old, I want to be John !! Thanks man !
Couldn't you enter "cmd" into the adressbar of every single file explorer window you encountered ? This should open cmd for you immediately.
As far as I know this should work. In an "normal" save/open dialog you can start any application which is in the current PATH. Just type cmd, powershell, calc,..... in the address bar and hit enter
I'm pretty sure it would also work in edge itself at the url bar
Yeah. Also, if a "save file" dialog appears, right-click a folder then choose to open it in a new window, and Explorer should open.
You could enter "CMD" in the Path selector of the Save File Dialog, and that should spawn a CMD.exe
I love the kinda series you've got going on. It's really interesting
Really cool with a live run through where we can see what you do when things go wrong. So much can be learned from mistakes and banging your head against the wall. Thanks for the content.
John, I think the reason the print dialogue started to fail was that you needed to wait for the preview to finish loading before clicking print.
YES! I was yelling at the screen over here. It's 143 pages, let it load.
My favorite escape to use is to open the “view certificate details” (for example by going to a page with self signed or expired certificate and clicking “show more details”) then open the “save certificate” menu which opens the save file dialog
Clicked on the video because it seemed interesting. I'll admit not my pace, but I can really appreciate this mans name. JP fans anyone?
I needed to find a backdoor into a really strict VMWare Horizon deployment that was similar to this. I've found that in Windows, with any folder you have write privileges to you can drop a shortcut to cmd.exe. This uses the default system path, but if someone is changing that you probably won't have a stable OS.
By far the most excited I've ever seen anyone about Bing
Previous to this video I though bing was useless. Now I know bing is your best friend. It just gives you the keys and says go have some fun.
You be amazed at how many stores this works in.
Press SHIFT 5 times.
Exits full screen to thru up a prompt, and from there your in.
In the save as window you could have right-clicked a folder and chosen "Open in a new window" to get a pure Windows Explorer. So going though Edge to open the downloads folder was a bit unnecessary. Also in the save as window you never tried to right-click the lockdown app. If it would have allowed you to do that you could have chosen "Open" and skipped like 20 steps. Anyway... Love your vid. This kind of content is good for a developer as it helps us think of how to build more secure software solutions.
Literally the only time someone has been exited about BING !!
when i started watching this video, i feel like "tf I'm doing here?" but after watching the full video, I glad that i watched it :)
At 3:01 you changed my life forever, I don't know how I've lived this long without knowing the alt+left hotkey for go back in a browser.
Heck, you just brought me to a great idea. My local IKEA kiosks run in MS Edge Kiosk mode, and I can just rightclick anything. Next time I’m there, I’ll print..
This was such a throwback :) Back in school (Windows 95 times) they used something similar to enable and disable applications people could use or see in the start menu. The only thing, they never disabled was the Windows Help right in the start menu... So instead of doing boring excel stuff, we fired up minesweeper or media player out of "Help" to have some fun :)
This is also a really good concept for busting out of Citrix/VMWare Horizon environments as well. Great stuff!
Love it. My favorite hacking it without any software just the user going at it.
"Give me an add for Bing! Please!" - John Hammond, in "Words never before put together"
This has been blessed by the algorithm
This takes me back to High School and exploiting the Novell Logins by using printer help options. Ahhh The good days
No one in history has ever been that excited to download the bing wallpaper app
Congrats John! I think you're the first person in the world to be excited about Bing Wallpaper!
if you get access to a file explorer you can shift right click and get open with powershell, or you can type cmd into the file explorer address bar, or you could copy and paste into the windows terminal (using right click) to bypass keyboard input all together (using newlines to send commands)
Oh man, this takes me back to high school!
This type of stuff is why I'm subscribed. Can't wait for the hard mode one!
Really liking this series so far. Hoping for lots more.
for the casual user that managed to get to part of a browser, the lockdown tool seems adaptive. Where Lockdown fails is when an experienced user can bypass, as you did, the adaptations.
It's so cool seeing how excited you get about neat hacker stuff. Like at 10:12
also never thought I'd see somebody be so happy for anything bing.
Thank you! I like this info a lot 😃
For the terminal: if you have mouse input, you can just copy stuff from the nrowser and construct something like "start cmd" by pressing the right mouse button in the terminal - acts as a paste.
Im halfway through and someone may already have mentioned this, but i believe the reason the print dialog wasnt working anymore because you didnt give it time to preview. Maybe that's why the "printing failed" popup came!
I used to breakout from kiosk mode in my local internet café; set up multiple BITS background download tasks; allow USB storage devices; come back next day. You know the drill.
(Internet was an expensive commodity back then)
You can write "cmd" and press enter in any address bar to open cmd
in Open/Save dialog or full windows explorer
This was thoroughly enjoyable! Thank you, John! 😀👍
WOW, I used to do this at the library as a kid all the time. Always trying to get another hour added to my library card for the computers.Ah yes, good times.
When you rebooted the computer if you had physical access's to a USB port you could boot into a USB with a Linux distro and gain file access to the other drive.
I was at the Ford dealership the other day waiting on an oil change and their kiosk for showing off the big trucks had a log me in update window. Guess what's also on the window? The learn more link! Instantly opened Edge and I was able to browse anywhere and have access to the taskbar.
Another great video Mr. H thank you 👏👏👏👏👏
Shift clicking a link can work to have fun. Typing cmd in the web browser can work too.
I remember getting into a kiosk with a touch display by pulling towards the mid of the screen from the bottom left corner, it was win 10 so idk if it can transfer to here... but if it functions the same way then you get pretty much unlimited access too the pc barring the things that require an admin pass ofc
Oh i also forgot to mention... i did it when i was a kid so the chances of it being patched by now are quite high anyway
You could NET USER to find the accounts on the kiosk. Then NET USER "Admin accnt here" "Password you want"
Which would change the password to whatever you want it to be. You could also create another account via NET USER and login to that one.
Made the premier... But now I have to wait for more John!
"Give me Bing ads", never heard those 4 words in that order before
When you had the cmd open, you could have copy-pasted letters from the MS website to form commands
Not sure if anyone mentioned it, and I'm only halfway through the video, but I'm pretty sure printing with the Print to PDF option will open a File Explorer window
Edit: Hah, you did exactly that right after I posted this. I read your mind!
Great video John!!!!
Hi John, you are doing very engaging videos! Thanks!
14:50 - Oook John got me laughing :D
Love your VM's :D Good job and nice video John!
you could have clicked on the arrow beside the plus on the new Powershell(aka Windows Terminal) to open the cmd or even Linux Kali terminal
in my highschool they used a VM, the login screen was just the login screen to VMware, and the icons & taskbar and stuff were hidden. but we figured out that if we spammed shift, the sticky key prompt would come up and we could go on control panel and from there type explorer.exe to get the start menu/taskbar back and have full access to the host PC which happened to have a lot of privileges
i typed that before you used sticky keys on the kiosk lol
Typing CMD into windows explorer address bar will open the command prompt with the current directory.
What would happen if you tried creating a new file while in the save window? Also, before you close the save window right clicking and opening that new file. This could open up bat file to gain access to a cmd prompt.
Well that escalated quickly, definitely going to go have to setup a VM so can follow along for the assigned access Tom-foolery
like 2 minutes into this video I was yelling at you to go to the support page and downlaod a friggin driver lol
love trying to follow along!
Seeing you struggle when stuff breaks and be excited to find stuff is so fun. But kee-osk is killing me :D
I have seen Kiosk stations that don't have ESC, F1-F12, CTRL and ALT/ALT GR on top of running in Kiosk mode with just a web browser, now that is hard mode! :p
Wouldn't the kiosk be part of a domain with GPO restrictions that prevent things like cmd and powershell from being executed in the first place?
Not necessarily, it depends on the application, entity or precautions taken. Some admins don't want publicly accessible computers on their domain.
@@bryantiheme3261 local GPO maybe
I used to work at a place that I could do the old replace accessibility menu with cmd on the start screen and get a system level command prompt on the login screen. Had to do this a few times for machines that had been off the business's network for so long that I couldn't login, and the user's account was locked down.
A long time ago I worked for a company that had windows XP kiosks, we had a bigass local GPO that blocked all the fun things on the kiosk, we did however allow people to use regular windows functions/programs, not only a locked down browser, and only allow saves to desktop, which would wipe on timeout. It was a nightmare to setup and block all things a hacker could do. All the things mentioned in the comments here, was blocked.. But i'm sure someone could still find a loophole somewhere..
@@Pytte you can pull the Ethernet out on XP machines while loading your AD profile on login and then XP would panic and grant your account admin rights by default + no logon scripts would run
Simply disabling f1 key and printing service (or removing pdf printer) will do the trick. But the best option for making kiosk is applocker.
if you can access file manager, you coud cut and paste commands using the letters on the Edge support page. If you have python, you could use the os module and os.remove This command will delete password protected files
One thing that might work is renaming files in the download dialog. If it does you can rename the sticky keys application then name the cmd application to what the sticky keys name was, then hitting shift 5 times will open up the console. Then you can use that. This also works on a login screen, which I am not sure if they fixed this in newer versions of windows, if you arent logged in you basically have admin access to a system.
9 times out of 10, Ctrl+shift+ESC will open taskmgr even if ctrl+alt+del is disabled. From experience, most people don't know about that hotkey, so it's often overlooked when configuring kiosks. Also, Ctrl+ESC can sometimes open the start menu. It's really annoying when you don't want that functionality and it's fairly easy to disable, but not all that many people know that hotkey exists, so it's often overlooked.
Awesome video dude!
Uwielbiam te filmy
Predecition before I watch. Copy and pasted commands into the address bar of the web browser.
I was assuming no physical keyboard access at all
I'm almost certain that it would be blocked but if you can do Windows key+R or some other thing to get the run prompt you can access anything on the machine
Woah, this shits making a comeback?? I never really stopped doing this despite kiosks continually disappearing everywhere, I'd really like to see the ikat site come back online
A company I worked for deployed some software which put a self serve password reset link in the Windows GINA(log on dialog). They didn't lock it down at all. I embarrassed the software vendor by showing how I could use these methods to launch a command prompt with system level permissions. About 10 years later I started working for a new company that was using the same software and had the same vulnerabilities. You'd think people would learn to lock things down and test for vulnerabilities, but many IT pros really don't know what they are doing these days.
Seems to me it would be more beneficial to do this with windows 7. Almost everything that isn't used as a normal computer still runs windows 7.
You can type cmd in the explorer address bar and press enter to run it
to run program in path, you can just type them to the save as Path input ontop, just type cmd and hit enter
or type explorer and enter, you get file explorer
when you were in the file save prompt right clicking any folder gives you the option to open in a new window giving you access to the default file explorer much faster
Great journey 👏 thanks john
Applocker is your friend, block everything except what is needed to actually login and open a locked down edge..
I could give you a locked down VM within no time that is 50 times more secure than what you just showed, easy piecy. :^D
I did kind of this to reach other websites in big city's public library. It was lot more easier that time, it took them like 2 months to chase the ppl down but not to solve the problem :D Well, of course, they didn't find me :D
was half expecting him to try file protocol in the browser