
Escaping Alcatraz: Breaking out of Application Sandboxed Environments - Kirk Hayes

BSides Boston, 37:32, published 2017-05
About this talk
Application sandboxing has become extremely popular. This technology makes it easier to manage a network environment, allows an administrator to grant access to specific applications without handing out an entire desktop, and gives users remote access to company resources. There is a false sense of security with this model, though. This presentation will explore various ways of breaking out of these environments to gain a foothold in a network at various levels of security, and will discuss some mitigation strategies.
Transcript

...and he's going to talk to you today about breaking out of application sandbox environments. [inaudible] Okay. So I'm excited to be here today. Dave Graver gave a great talk, and I think there are a lot of great talks on tap today. I hope you guys are excited for this one; I know I am. I'm excited to be here, mainly because I can finally tell my family and friends I went to Harvard. Thank you for laughing at my lame jokes. So I'm going to talk about escaping Alcatraz today, and we'll just jump right in. This is a little bit about who I am. Patrick already talked about me, so we'll just move right on.

We're going to look at a lot of different things today. Specifically, we're going to look at the history of Alcatraz. You'll notice that Alcatraz is in quotations; there's a reason for that. We're going to look at the island, the prison of Alcatraz, but I'm also going to define what I mean by Alcatraz for the purpose of this presentation. We're then going to move into some escapes and how we break out of these, and we're going to do it at different levels. I'm using the Wolfenstein 3D levels because as a kid I loved playing Wolfenstein 3D. Anybody played that when they were growing up? Awesome. So you'll know how these different levels got gradually harder and harder until you got to "I am Death Incarnate," and I never could get through that. But we will get through this one. After these escapes we'll talk about the mitigation techniques: how can we stop, or at least figure out, that somebody's trying to escape? And then we'll wrap up with a little conclusion.

So a couple of years ago I was doing some work out in the San Francisco area, and I'm a big history guy, so when I go places on vacation or for work I like to go visit historical sites. Instead of the history just being in the book when you learn it in school, really being able to touch and see things means a lot to me. So when we were out there, of course, I had to go to Alcatraz, and it was a ton of fun. So, has anybody been to Alcatraz? A number of you, okay, great, so some of this you'll know. Alcatraz opened in 1934. It's this island in the middle of the San Francisco Bay. The San Francisco Bay, if you don't know, is not warm water; it's cold. It gets up to about sixty degrees Fahrenheit at the warmest, and that's late August, September. At sixty degrees, hypothermia kicks in within an hour to two; you'll pass out from the cold. It's a mile and a half to the closest shore. How long do you think it would take to swim a mile and a half? Anybody have a guess? Twenty minutes? No, about an hour and a half. My sister-in-law does triathlons and a lot of these things, so she'll swim this type of distance, in warmer water but in the ocean, and it takes her about an hour and twenty minutes, an hour and a half, and she trains for this. So a mile and a half takes approximately an hour and a half, and hypothermia is kicking in within an hour to two. It's very unlikely that somebody, if they try to escape, if they get past the guards, get past the walls, get past everything and try to swim, is going to survive.

So the government thought this was a great place for a prison: we'll house the most notorious prisoners here and they'll be safe. Well, in the 29 years of operation there were 14 escape attempts by 36 prisoners; two of them tried twice. 23 were caught, six were shot and killed, two drowned, but the scary part is there are five unaccounted for, and they don't know what happened to these. There have been reports that they've been seen afterwards, but we don't know for sure if they survived. If we think about that with our computing environment, that can be kind of scary: if you set up your network and you try to secure it, but there are five unaccounted-for malicious actors in your environment, that can be kind of scary, so we've got to be careful with that.

Now, I don't want to just talk about the island. We want to talk about what we're really here for, which is these application sandbox environments, and some of the technologies we use. There's Microsoft Remote Desktop: you can use this and do web applications, publish these applications to the web, log in, and access them just like they're on your computer. I don't recommend it; I've used it just as a proof of concept and it was terribly slow when I tried it, but it's great for management and trying things out. We also have VMware View and their ThinApp, which is what I used when I was a sysadmin. It works great, allows you to just publish these apps, and it's very easy to manage. And then if you ask anybody, Citrix, everybody knows what Citrix is; it's probably one of the leaders in this space with application virtualization. But we can apply these same concepts that we'll learn today to kiosk PCs. So you go to the library and you want to look up some books, and you have the browser window that's locked there for you to look it up. Can you escape that? Can you get out of that to get access to the underlying operating system? It's possible, right? So we'll look at that as well.

So what's the purpose of these applications? Well, simplified management. We're expected to do more with less now; we don't want to hire more people and all that at companies, so if we can simplify this management it's going to make it easier for us. We want to be able to provide remote access to our resources easily for our users. We want to deliver these applications to any device, so if my sales team or my executives want to use their iPad to access some Windows 98 application that can only run on Windows 98, we want to be able to do that, and this allows us to. And then we can centralize control of those applications, so I can provide an application that's all set up, ready to go for that user, and specify who has access to it, what they can access, and really control that application. So from an administration standpoint these things are great and we want to do this. But as the malicious actor, or as a pen tester myself, I want to be able to break out, because having access to an application is cool, having access to that data is okay, but I want more, right? I want to start moving around the environment more, so I want to escape out of that if I can and then keep moving. But to escape we need a good escape plan.

So this map shows the locations those 14 escape attempts were made from, and by who, and the dates, all that stuff. But for each of these attempts they had to have a plan; they couldn't just wing it, they're not going to do well if they did that. So they had to get everything ready. Maybe they have escape rafts that they have to build; maybe they have to get a job in a certain part of the prison so that they can gather the materials they want. They have to know where they want to escape from. The one at the top, escape attempt 13, there were three guys in that one, and those three were part of the five that are unaccounted for. They needed to know where they wanted to escape from because of the way the current was running in the water and everything that would help them be successful. So we want to do the same thing, and I've created a little escape plan here for us.

The first thing we want to do, of course, is obtain access to our Alcatraz. So what's that mean? Do we want to get arrested? No, we're not going to prison; we have to gain access to that computing environment. So if it's Citrix, if it's VMware, whatever it is, we need to gain access. How do we do that? A number of ways. With kiosk PCs we can get physical access; with these virtualized ones maybe we do password guessing. That's usually the easiest way; people very often choose weak passwords that we can just guess, and often that's how we get in. The second thing we want to do, of course, is figure out how secure this application is, and we do this by just poking around the application. Usually if you use it the way it's designed, we can start seeing flaws in it based on what we've done in the past. This is where the prisoners are getting that job in that certain area; they're doing the reconnaissance of where the guards are and when, and figuring out what the best time is for their escape. Then we want to set up our attack infrastructure, and that's where we set up our command and control channels: we set up our Metasploit or Empire listener of some sort, and we get that all set up and ready to go. This is where, of course, our prisoners are creating their escape raft; again, they're probably not going to make that swim, so let's create a raft so that maybe we can make it. And then we escape the application. This is where we actually get code execution; we get access to the underlying operating system and out of that sandbox environment. This is where the prisoners have escaped and made that attempt. And finally we profit: we gain access to other resources, other data, and that's what we want. This is where the prisoners get their freedom. But the prisoners now have to do something; they can't just live life normally. They have to keep their eye over their shoulder at all times, and as an attacker we need to do the same thing. I need to make sure I'm careful what I'm doing, to cover my tracks and be quiet so that I'm not detected. The prisoners would be sent back to jail; we would be kicked out, and possibly the loopholes that we found would be blocked. So we need to be careful there.

So we're going to get into some escapes then, and we're going to have some fun with this. We're going to start on the easy level. If you played Wolfenstein, this level was so easy, you just blow right through it, and that's what we're going to hit here. Keep in mind some of these demos are heavily blurred, and that's just because of the data that's in them and to protect the systems that are being recorded. So this first one is Remote Desktop Web Access. We've gained access; for all of our attempts here we're going to assume that you have access. We're not going to cover that part; we're going to go through the other steps. In this case the application is Internet Explorer. This is very common, we see this all the time. Most companies, when they do this, want to be able to provide access to their internal resources, the internal websites, so they give access to Internet Explorer to do that. Internet Explorer is a lot like another Explorer that's in Windows called Windows Explorer, right? A lot of the code is similar; they do the same functionality. I can access files from Internet Explorer, so why not? I'm going to type in the path to the command prompt, because that's one good place to start for this. So type it in, we run it, and we have a command prompt. Right, very easy, there's no difficulty here at all, and we can run basic commands. So I'll run through, you know, what's the hostname of the machine, what's the user I'm running as, what users are on the system, on the domain. We can type all these commands, we can start running executables too, we can do whatever we want to do at this point; we have access. In this case we're also going to look at who the domain admins are on the domain, and we notice that da3, who's the user we're running as, is a domain admin. Again, this is easy level, right? This is not likely to happen in the real world, but we need that tutorial to get started, to see where we can start from.

The second demo here again is pretty easy, and the same Internet Explorer, but we're going to right-click and go to View Source. We're going to Save As, and that gives us kind of a pseudo Windows Explorer. We can just right-click on Computer, Open, and now we have access to the file structure. Then we'll navigate to C:\Windows\System32, and this time we're going to use Windows PowerShell, because usually that's a lot easier; we can do a lot more with it. And the same kinds of commands as before: we can run our hostname and all that. So very easy, not very hard. Usually when I play a game I skip that easy level and go right to the next level or even harder, but we need to understand how we start, so that gave us that.

So we'll bump up the difficulty a little bit to "Don't hurt me," and I like to think of this as more of a maze. So this maze, you know, you can look at it and you can probably figure out what the best path is without even trying. My three-year-old did this maze, and you can see she traced the whole way without getting stuck once, which is pretty good, and then she proceeded to make it more pretty, so she colored it and now you can't really see the path. But that's okay; it was even easy for her, and she's three. So again, there are multiple ways as well, so maybe there are multiple ways to escape that we've got to look at. In this demo we have an old version of Microsoft Word, and we're going to try to open a file. We're right-clicking; things aren't working that way; we can't right-click and open because of the version of it. So we're going to look at some different things here. We don't even have a C drive, so we can't navigate the drive. Again, we try using it somewhat normally and we poke at it; we try to see where we can escape from, and nothing is working there. So let's look at some other areas. We'll look at the print dialog. I like to use the print dialog because it's not usually thought of as a good place to escape, but it's easy to escape from. So maybe we could try... I tried looking for a printer in the directory; the directory wasn't working, had some issues there. Maybe look at the options; there's nothing really there. Look at the properties of that printer; sometimes you'll see file paths in there that we can mess with. It's important to always change that printer to different printers, because of the different properties. In this case we have a default folder, so we can browse and look at it. Again, it's an older version of Word, so it might not be as easy as some of the newer stuff, so we're just going to get out of that.

So we'll try some other things, maybe in the Help menu, and we notice Microsoft Office Online. Let's click that, and we get access to our Internet Explorer browser, which we had fun with before. So we're moving, we're making a little bit more progress here. We have no File menu in this one, so we can't do File, Save As or Open or any of that. Maybe we can try navigating to a website here, so we'll try going to Google. Nothing's loading; they may have some kind of web application proxy that's stopping us, or a little proxy for the web that doesn't allow us outbound access. Maybe we can go to Internet Options. Going to the Temporary Internet Files area is a lot of fun too, because they have links to where those files are stored, and so if View Files doesn't work, maybe View Objects will, and now we have access to Windows Explorer. So we can try typing in the path and doing that, but this is going to be unsuccessful; they have some protections in place for this. Again, this is that maze where we're butting up against dead ends. Okay, let's move another way, let's try something else. In this one we're going to create a new folder, just as an example; there was nothing on there, but likely you'll find folders within My Documents and stuff for that user. In this case when we double-click it, it moves us to a different Windows Explorer, which is a little more powerful; it's kind of like the PowerShell of Windows Explorer, it gives us a little more, and now we can start to play and get more access here. So we're going to try modifying the path here to just the C drive, which we didn't have access to through Word, remember, and now we do. So now again we'll go to System32 and we're going to try to run the command prompt again. Now we get a message that Software Restriction Policy is in effect and that's blocking us. So now what do we do? Maybe we can copy this file off and move it to our My Documents folder: create a new folder, just throw it in, paste it in there, and we can now try to run it. Now this ran, because the software restriction policy was based on the path, but, like David says, maybe renaming the file would work here; different options.

So now we can start to enumerate this application. It was a little more difficult. You'll notice kind of up in this area there are Excel icons, and so as we poked around here, using it normally, we see, what do those do? We find that it allows us to save the data as Excel, so let's save it, and once we save it, it actually opens it in Excel, which gives us access to another application. If we go to the Excel options, we can go to the ribbon and enable the Developer tab, which isn't enabled by default but gives us a lot of control. So now if we go to that Developer tab we can run a macro, which is a lot of fun. So let's create a macro, and in this case I like to use Unicorn to do this. Dave and them over at TrustedSec made this, and it's a great tool to really easily make those macros. So we'll just generate a macro here, we'll copy it, we'll paste it in. Usually this is used in session attacks and things like that, but hey, I have control over a remote Excel, why not try it? So we'll paste that in, but now we need to get our attack infrastructure set up, and again Unicorn makes it nice and easy by giving us an RC file that we can just load into Metasploit and not have to type everything out. So we'll load that in, and this is going to establish our listener. So now we have our attack infrastructure set up, we figured out where we're going to escape from, and once our listener's up we can actually do the escape. And we got the cow, so it's likely to succeed whenever you see that. So our listener's up, we'll run the macro, we'll get an error, which is in the macro itself, so I don't care, I don't care about saving it. Then we'll switch back to our listener, and we find out we have a session open. So now we can interact with that machine, we could pivot into the internal network, we could do what we want at this point.

So again it's gotten a little harder; it's not too hard, though. So let's get a little harder here. Again we've got the maze; it's a little harder of a maze, though. You probably can't look at this and figure out the path like that, right? It takes a little more; you have to kind of play with it. My six-year-old son tried doing this; you can tell that he hit a lot of roadblocks on the way, but he was able to finally do it. And we may do the same thing: we may find a lot of blocks, but if we keep trying we'll get there. So we're back to our Remote Desktop here and our Internet Explorer, so we'll run that. This is the problem that I have with Remote Desktop: it's just slow, even on the local network; that's why I never used it. So we'll just run this. This time we're a different user. Hopefully, when you're doing your password guessing and you're starting these processes, you have multiple accounts that you've compromised that you can use, so usually if one is burned you're okay, you can move on. In this case we have the File menu, and we're going to go Open. We're going to look around to see what we can do here. Often I'll find that a lot of things are locked down on the system, but interactively. So I go to the command prompt or PowerShell; we'll go to the command prompt here, and I'll right-click and Open, and I'll find this message that it's been disabled by the administrator. Happens a lot. So I can't interactively use this command prompt. Now I could try moving it, I could try renaming it; in those cases maybe it all fails, but let's try some other things. So we'll do File, and we're going to actually create a file. Sometimes you could download a file if you have access to your own servers, but in this case I'll just create one. We're going to just give it a generic name, whatever, PowerShell, and I'm going to open that. Now I have Notepad, so now I have a little bit more access here, and we're just going to try calling the command prompt from it. I like to throw a pause in there when you do it non-interactively, because just in case it closes, you can pause it and see what's on the screen. In this case I can't go to the properties to rename it, so I'm going to have to reopen it and Save As, so I have a batch file. This could be done with VBScript too, or any other scripting language that you might want to use. We'll give it the .bat extension, and then we'll try right-clicking, Open, and we'll see what happens. And we see we've hit another dead end here; we can't do that, it's not allowing us, it's been blocked by the administrator. So let's change this, let's use PowerShell instead. Often when you see the command prompt blocked, PowerShell's not. So let's try it. Again we're going to right-click and Open, and this time we have PowerShell, but it was PowerShell through a batch script, which uses the command prompt, so we have some kind of execution there. So even if you don't have access to PowerShell, you can't run those things and nothing interactive is happening for you, you can at least run commands. I do this often when I'm trying to enumerate the system and figure out users on the domain and everything else: I run it, throw that pause in there, and now I have the data I want and just go from there.

So let's move to the hard level. I like to think of this as this kind of maze: now we have the Minotaur in there, we have fire, maybe the walls are changing on us as we're walking through this labyrinth, so it's actually extremely hard. When I played Wolfenstein I stayed away from these levels, as I just got killed. So again we have another app, and this time we're going to hit the Shift key five times to get our Sticky Keys prompt, and even if we don't get that command prompt we can still do things: we can open up the preferences for Sticky Keys, and that gives us Control Panel, Windows Explorer. So let's try some things. Let's try running these files: we're trying PowerShell, we're trying PowerShell ISE, we're trying the command prompt, and these things are all failing on us. You're going to hit this; these systems are more locked down. So maybe we can try running an actual command through the command prompt; it's not working either. Try opening Notepad or something; nothing, things are just not working for us. So we'll see we're blocked at all these different places, and I can't even right-click, they've disabled that. So sometimes we can go to the settings and get an Internet Explorer window, which is back to where we like to escape from; it's a good place to escape from. We have no File menu this time, but we can get to the internet, so I can get to a server that I control. I have a batch file waiting for me; I want to download that, but it's not letting me. So maybe I can go to Internet Options and allow it, but they blocked that too. So again, it's a lot harder here: no File menu, I can't right-click and Save As to do this, or View Source, or any of that stuff, so that's not the best way. So let's break out of here, go back to the application. Remember, we want to use this as normal, so let's see what we can do. We start clicking around and we find Export to Excel, so we'll see what happens. Well, we get an Excel document. Right, in this case the Excel options were locked down; I couldn't enable that Developer tab. But why not use the cell to put in macros that we want, or other commands we want? So here I'm going to try with PowerShell, and I missed the quote, so we'll run that, yes, let's run it, and nothing happens. Okay, so let's try with our command prompt. This is likely to fail as well, and that's okay, it happens. Run that, nothing happens as well. But when PowerShell is blocked, a lot of times PowerShell's interactive scripting environment is not, so we'll run PowerShell ISE, and lo and behold, we now have the PowerShell interactive scripting environment, which is great. Now I can do whatever I want from that: load in my own custom modules, run commands, everything autocompletes for me, so it's nice and easy. So here I'm going to dump all the users in the domain so that I can use those in other attacks. If I wanted to, I could use Unicorn or Empire or something to get a shell; whatever you want to do at this point.

And then for our last demo, this one is extremely tough. I don't know why that's not... let's just open it up here. Ah, so the export didn't work on that one for some reason, so we'll just skip that one. In that one, sometimes you'll get a system where you can't get command execution, you can't get anything to load, but what can you do with it? In that example that was not playing, I could steal data, right? Using the printer menu I was finally able to escape out and get access to the file system, and I could mount my drives on that system. So when I do that, I can then start moving data back and forth between them, and I was able to steal all their data, which is great, especially their custom proprietary software, which I can then pull off, decompile, find different flaws in, and then exploit their system a different way, through their proprietary software.

So what can we do? We need to be able to mitigate things, and I don't like to just show, hey, this is how we own things; we want to be able to also mitigate these things. So the first thing we want to do, of course, is those login portals. If you can stop me from logging in, that's going to go a long way, so use multi-factor authentication, and train your users to use strong passphrases; it's going to make my job a lot harder, and it's going to make it harder for me to get through. You want to secure your operating systems. These issues you saw are not issues with VMware, they're not issues with Citrix or Remote Desktop; they are issues at the operating system level. We have to secure our operating system and the applications that are on those. So prevent access to your command prompt, your PowerShell, PowerShell ISE, a lot of these different things that Dave had talked about as well. Restrict the use of those macros; I shouldn't be able to just load any macro I want, you should be able to limit that. And restrict the internet access, really. I mean, why should I connect to my company and then get out to the internet through Citrix? The purpose of that should be to access internal websites, so limit that access. And then monitor everything. You have to be able to know where this is happening; I hit a lot of walls while I was trying things, and you should be able to see that when you're monitoring.

So in conclusion, you know, securing your systems is not a game. We had some fun with the Wolfenstein and the mazes and all that stuff, but it's hard work, and so we have to be diligent and do that. Using multi-factor authentication, again, it's your friend. Lock down those shared systems no matter what architectures you select, and of course you can't catch what you don't see. Escaping is a lot of fun; for me it's one of my favorite things to do, to get access to these systems and then escape them in some sort, so it's a lot of fun as well. And so that's it. Thank you. Here's my contact information, some of the tools I've written, and stuff. If anybody has questions, of course, that would be great. So thank you. [Applause]
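The monitoring point in the talk ("I hit a lot of walls while I was trying things, and you should be able to see that") can be turned into concrete detection logic. The following Python is an added example for this page, not the speaker's code or any tool he mentions. It models process-creation telemetry on Sysmon Event ID 1 fields (Image, ParentImage, OriginalFileName, User), which is an assumption about the log source; the sample events are constructed, not captured anywhere, and reuse the demo account name da3 only as a label. It flags the three patterns the demos rely on: a published application (Internet Explorer, Word, Excel) spawning a shell, a shell binary running from outside the system directories (the cmd.exe copied to My Documents to get past a path-based SRP rule, including a renamed copy, because OriginalFileName comes from the PE version resource), and any launch of PowerShell ISE, which is often left open when powershell.exe is blocked.

```python
"""Spot the sandbox-escape patterns from the talk in process-creation telemetry.

Added example (not the speaker's code). Events are modelled on Sysmon Event ID 1
fields; the sample events below are constructed, not captured from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Applications typically published through RDS / Citrix / ThinApp sessions.
PUBLISHED_APPS = {"iexplore.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters the talk reaches for once it is out of the published app.
SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "wscript.exe", "cscript.exe"}
# The only locations a shell binary should ever run from on a locked-down host.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ProcessEvent:
    image: str               # full path of the new process (Sysmon Image)
    parent_image: str        # full path of the process that started it (ParentImage)
    original_file_name: str  # name from the PE version resource; survives renaming
    user: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def published_app_spawned_shell(ev: ProcessEvent) -> bool:
    """IE/Word/Excel should render content, not start cmd.exe or PowerShell."""
    return _basename(ev.parent_image) in PUBLISHED_APPS and _basename(ev.image) in SHELLS


def shell_outside_system_dir(ev: ProcessEvent) -> bool:
    """cmd.exe copied to My Documents to dodge a path-based SRP rule, even if renamed."""
    return ev.original_file_name.lower() in SHELLS and not _in_system_dir(ev.image)


def powershell_ise_launched(ev: ProcessEvent) -> bool:
    """ISE is often forgotten when powershell.exe is blocked; any launch is notable."""
    return ev.original_file_name.lower() == "powershell_ise.exe"


RULES = {
    "published_app_spawned_shell": published_app_spawned_shell,
    "shell_outside_system_dir": shell_outside_system_dir,
    "powershell_ise_launched": powershell_ise_launched,
}


def detect(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches each event."""
    hits: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed sample telemetry mirroring the demos; paths and account are made up.
SAMPLE_EVENTS = [
    # Easy level: cmd.exe typed into the Internet Explorer address bar.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Internet Explorer\iexplore.exe", "Cmd.Exe", r"CORP\da3"),
    # Macro in an exported Excel workbook launching PowerShell.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE", "PowerShell.EXE", r"CORP\da3"),
    # cmd.exe copied into My Documents to get around a path-based SRP rule.
    ProcessEvent(r"C:\Users\da3\Documents\New folder\cmd.exe",
                 r"C:\Windows\explorer.exe", "Cmd.Exe", r"CORP\da3"),
    # Same copy, renamed: the file name changes, OriginalFileName does not.
    ProcessEvent(r"C:\Users\da3\Documents\notes.exe",
                 r"C:\Windows\explorer.exe", "Cmd.Exe", r"CORP\da3"),
    # PowerShell ISE started while powershell.exe itself is blocked.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
                 r"C:\Windows\explorer.exe", "powershell_ise.EXE", r"CORP\da3"),
    # Benign: the published Word application itself starting.
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 r"C:\Windows\explorer.exe", "WinWord.exe", r"CORP\da3"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {ev.user}: {ev.parent_image} -> {ev.image}")
```

The rules key on parent/child relationships and on OriginalFileName rather than on the path typed by the user, which is exactly the gap the copy-and-rename trick exploits in a path-based Software Restriction Policy; the same logic maps onto a SIEM query over Sysmon or Windows Security 4688 events with command-line auditing enabled.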

[Question inaudible] Have I been stopped by a general-purpose kiosk where multiple applications are available? I don't see those a lot personally when I'm doing testing. A lot of it, most of it, is all through the virtual application, so your Citrix or VMware, that kind of thing. But what I'm saying here is just that the same things can apply to those systems as well. Yeah, again, locking down those management tools is probably the biggest thing there, and monitoring those systems would be the biggest help.

[Question inaudible] I have not, no.