Give me a browser, I’ll provide you with a Shell

Give me a browser, I’ll provide you with a Shell

A restricted browser, that’s all you delight in… what cease you cease?

That is the scenario I become facing right thru a pentest. The target become a windows server, working a VDI — VMware Horizon.
you log into the VDI the usage of your active directory tale and catch catch admission to to a diminutive browser that nearly all tremendous enables you to make utilize of a single software, no cyber web connection.

Neatly, that’s a effective and steady technique for workers to study their calendars or inquire of the progress of their tasks.
but, as a red teamer, I need a shell, not a calendar.

okay, what cease you cease if the absolute best ingredient you delight in catch admission to to is a browser?

effectively, or not it will seemingly be the largest to know with this absolute best ingredient you may maybe presumably additionally pwn a server if the vogue to make utilize of it, the imperfect technique. 😏

Piece One: Repeat Me What You Got
What about starting by reading the server’s recordsdata?
as prolonged as we’re not licensed to learn them it’s regarded as as as a LFI.
Okay, how?

you’ve already considered a URL, haven’t you? lawful to your knowledge, that’s what introduced you to this text.
a URL has different ingredients:


What I desire to talk about is the very first portion, schema or protocol.

the protocol signifies the blueprint of rules that can identify the transmission and alternate of recordsdata.

In extra perfect phrases, protocol says the vogue to take care of the rest of the URI.
As an example, the mailto protocol means that the rest of the URI is an email take care of. by clicking on a link love your browser opens a mail composing online page on your default email software and devices the as the receiver’s email take care of.

There is one other frigid protocol known as file. By the usage of that you just may maybe presumably additionally learn recordsdata the usage of a browser.
the important file I attempted become the hosts file:
file:\C:WINDOWSDesign32driversand loads othershosts

and as anticipated it returned the vow material of the hosts file.

Frigid… I point out lawful a accepted behavior 🙂
but that’s very diminutive, or not it will seemingly be the largest to know the staunch direction of the file so that you just may maybe learn its vow material.
A directory itemizing would delight in helped… Why not lawful search recordsdata from of for it?

The file protocol also presentations the vow material of directories,
lawful if you happen to give it the placement of that directory, that clear-gash.
Here’s a effective example: file:///c:/
enter it into the URL bar and it’ll list the vow material of C force for you ✌

Piece Two: Files Are Supreme, But A Shell Is Larger
I may maybe maybe presumably learn the entire recordsdata on the server (nearly), but I become level-headed in the browser. I wished to catch admission to the underlying OS, cease you delight in any notion the vogue to cease that?

let me provide you with a speed:
What’s the route of if you happen to must upload a file to a online page?

Here’s the assign the story gets attention-grabbing…

when uploading a file, first or not it will seemingly be the largest to purchase that file, lawful?
The window that enables you to purchase the file is an OS software and if you happen to catch catch admission to to this OS software you delight in catch admission to to a pair frigid OS functionalities love increasing and executing recordsdata.

okay, now must level-headed I birth shopping the in discovering software and pray that I gain an upload functionality? effectively, that may maybe maybe presumably work.
but I purchase a wiser technique,
I invent what I want: doc.write('')


hehe, that become fun 😉

what if the devtools is disabled for any motive?
let me introduce you to 1 other attention-grabbing protocol: javascript
if the browser is chromium-essentially essentially based you may maybe presumably additionally enter this into the URL bar and catch the a similar consequence: javascript:doc.write('')

okay, it’s give me my shell time…

The manner I chose become to invent a .bat file with the vow material cmd.exe
and carry out it to catch a shell.
you may maybe presumably additionally invent and carry out recordsdata from this file picker window if you happen to delight in the write and carry out permission in the directory you may maybe presumably presumably be in.
but there may maybe maybe presumably even be a controversy, if the file name extensions option is disabled you may maybe presumably additionally’t swap the file extension to .bat and carry out it.
when the option is disabled:

and when enabled:

okay, let’s utilize a itsy-bitsy trick right here…

the usage of Commence in contemporary window you’ll catch catch admission to to the OS’s file explorer 🙃

From there you may maybe presumably additionally swap the file name extensions option and enable it. after which invent and alter your file…

and… when shaded is the sexiest coloration 😎

Okay, we bought a shell, carried out? no, not yet…

Piece Three: Even Extra, Cus I’m A Hacker

what if you happen to may maybe maybe additionally’t launch file explorer and enable the file name extensions option, or one other form of restriction?
let me will let you, what cease you detect on this image:

the ability to invent about a different recordsdata? maybe.
but I detect a reverse shell hidden amongst these alternate choices…

invent a Microsoft Be aware Document,
launch it,
Press ALT+F11,
and write your reverse shell code 🙂

That is Microsoft Be aware’s scripting engine, you may maybe presumably additionally write and carry out
Visual Long-established code the usage of this functionality.
That’s the functionality social engineers utilize to penetrate an organization’s interior networks, the usage of a phishing email and a malicious Be aware doc attachment.

Even Extra Restricted? you may maybe presumably additionally’t invent recordsdata?
gain a Be aware doc on the server and edit it 🙂

if you happen to utilize a tool, learn all of its functionalities.

become it apt?
I don’t search recordsdata from of you to raise me a cup of coffee,
order me one thing…
Discord: REDN#9702

Read More

Ava Chan

Ava Chan

I'm a researcher at Utokyo :) and a big fan of Ava Max