Kiosk Escapes Pt 2 - Ft. Microsoft Edge!!
Backstory ๐
So...there was this one location in Vegas during Defcon 27 that had these pcs that could be used by the general public. Kiosks as some would say...Well I went over to them to see what all accessibility these kiosks had to offer out of general curiosity, you know, "can these let me access facebook, github, reddit" etc. type stuff. Well, to my astonishment these kiosks had an interface that wouldn't allow me to access the C:\
drive! Well this was a problem because I had just downloaded an image of beef off of the internet that I just-so-happened to have needed to print! This is a serious issue! So after spending some time poking around I was able to find a sufficient work around for this issue for any future travelers needing to print pictures of beef on a locked down Kiosk!
The Hac…I mean, Workaround Part –TLDRers Start here โคต
So, when you approach the Kiosk this is what you see; and in case you’re wondering, that windows key isn’t a part of the Windows OS it’s some “help” function as you can see:
So on these machines, many of the shortcuts were disabled. I later discovered that "alt+tab" and exiting the kiosk's sandboxing application allowed me to escape but that's beside the point! Much of what I tried failed initially in terms of shortcut keys. After you log in to the machine as the guest user the systems allow you to access what many would consider the best internet browser of the modern era: Microsoft Edge (lol).
The interesting thing about this is that when you try to access the file system on Windows using Edge it actually opens the directory using Windows Explorer.
Doing this actually bypassed the whatever weird policy this particular location had in place at the time:
If I wanted to actually use Windows Explorer to access the C:\
drive the policy would disallow the attempt:
Even “worthless” Chrome would obey the machines policy and block access to the file system’s C:\
drive!
Now, this also worked in Firefox but it wasn’t as sexy. Firefox didn’t use Windows Explorer, it used it’s browser’s ftp-like directory browser functionality. For demonstration I did this locally:
The last thing to note from trying to print a picture of beef off the internet was that the machine wouldn't let me use the start menu at all. Well using "Win+k" then "Win+x" allowed me to pop the start menu and bypass the shortcut key restrictions in place. This allowed me to do things like reboot the machine which restored the Kiosks main sandbox application and access other things that Windows Explorer wasn't offering just in case I needed to configure the printer settings etc. etc..
In checking out my options I also noticed that these machines didn't block access to the bios and allowed users to boot to USB and configure "all the things" in case the current operating system disallowed printing all together:
Conclusions ๐ก
- Microsoft Edge brings up Windows Explorer when you navigate to
C:\
in the URL Win+x
can be used to access the start menu when shortcut keys are limited- Kiosks have feelin…I mean bios too!
__________________
< PrInt M0r B33f!! >
------------------
\ (__)
\ /oo|
\ (_"_)*+++++++++*
//I#\\\\\\\\I\
I[I|I|||||I I `
I`I'///'' I I
I I I I
~ ~ ~ ~