
Escaping from GUI applications

Check for possible actions inside the GUI application

  • Close/Close as

  • Open/Open with

  • Print

  • Export/Import

  • Search

  • Scan

You should check if you can:

  • Modify or create new files

  • Create symbolic links

  • Get access to restricted areas

  • Execute other apps

Using an "Open with" option you may be able to launch cmd.exe, command.com, PowerShell/PowerShell ISE or mmc.exe.

If you can run anything that accepts commands, you can execute binaries such as rundll32.exe, at.exe, schtasks.exe, regedit.exe, qwinsta.exe, systeminfo.exe, msinfo32.exe, msconfig.exe, wmic.exe, eventvwr.exe
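The binaries above are exactly the set a kiosk owner should confirm are blocked for the restricted account. The following PowerShell audit is an added example (not code from the original page): it takes the effective AppLocker policy on the host and asks, for each listed binary, whether the kiosk user would be allowed to run it. The account name in $KioskUser is an assumption; Get-AppLockerPolicy and Test-AppLockerPolicy are the standard AppLocker cmdlets.

```powershell
# Added example (not from the original page): audit which of the escape binaries
# listed above the effective AppLocker policy still allows for a restricted user.
# Run as an administrator on the kiosk host; requires the AppLocker module.
# $KioskUser is an assumed account name; replace it with the locked-down account.

$KioskUser = 'KIOSKHOST\kioskuser'   # assumption: the restricted interactive account

$Binaries = @(
    'cmd.exe', 'command.com', 'powershell.exe', 'powershell_ise.exe', 'mmc.exe',
    'rundll32.exe', 'at.exe', 'schtasks.exe', 'regedit.exe', 'qwinsta.exe',
    'systeminfo.exe', 'msinfo32.exe', 'msconfig.exe', 'wmic.exe', 'eventvwr.exe'
)

# Resolve each name to its System32 copy; some (e.g. command.com) may not exist on this build.
$Paths = foreach ($b in $Binaries) {
    $p = Join-Path $env:SystemRoot "System32\$b"
    if (Test-Path $p) { $p } else { Write-Warning "not present on this host: $p" }
}

# The effective policy merges local and GPO-delivered rules. With no executable
# rules configured, every file comes back as AllowedByDefault (nothing is enforced).
$Policy = Get-AppLockerPolicy -Effective

# Test-AppLockerPolicy reports Allowed / Denied / AllowedByDefault / DeniedByDefault per file.
$Result = $Policy | Test-AppLockerPolicy -Path $Paths -User $KioskUser

$Result | Sort-Object PolicyDecision | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Anything still Allowed or AllowedByDefault for the kiosk user is an open escape path;
# close it with an explicit Deny rule or a default-deny executable rule collection.
$Open = $Result | Where-Object { $_.PolicyDecision -like 'Allowed*' }
if ($Open) {
    Write-Warning ("{0} escape binaries remain runnable by {1}" -f @($Open).Count, $KioskUser)
}
```

Run the script once after deploying the kiosk policy and again after each Windows feature update, since new builds can add binaries or reset local policy. A result of AllowedByDefault for every path means AppLocker is not enforcing executable rules at all, not that the files were individually permitted.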

Bypassing path restrictions

Use:

  • Environment variables: many environment variables point to a path

  • UNC paths: Paths to connect to shared folders. You should try to connect to the C$ of the local machine ("\\127.0.0.1\c$\Windows\System32")

  • Other protocols: about:, data:, ftp:, file:, mailto:, news:, res:, telnet:, view-source:

  • Symbolic links

  • Shortcuts: CTRL+N (open new session), CTRL+R (Execute Commands), CTRL+SHIFT+ESC (Task Manager), Windows+E (open explorer)

  • Shell URIs: shell:Administrative Tools, shell:DocumentsLibrary, shell:Libraries, shell:UserProfiles, shell:Personal, shell:SearchHomeFolder, shell:System, shell:NetworkPlacesFolder, shell:SendTo, shell:UsersProfiles, shell:Common Administrative Tools, shell:MyComputerFolder, shell:InternetFolder
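Several of the avenues in this list (the C$ admin share, the Run dialog, Task Manager, regedit and cmd) correspond to well-known Windows policy values that a kiosk build should set. The PowerShell script below is an added example, not code from the original page: it reads those policy values, compares them with the hardened state, and checks whether administrative shares are actually exposed right now. The registry paths and value names are the standard Explorer/System/LanmanServer policy entries; the "expected" values are hardening choices chosen for this example.

```powershell
# Added example (not from the original page): audit the breakout avenues listed above
# on a kiosk host. Run it inside the restricted user's own session so the HKCU policy
# values are the ones that apply to that account. The expected values are the
# hardened settings chosen for this example.

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (i.e. the policy is not set).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$Checks = @(
    @{ Avenue = 'UNC path to admin share (\\127.0.0.1\c$)'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name   = 'AutoShareWks'; Want = 0 },
    @{ Avenue = 'Run dialog (Win+R)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoRun'; Want = 1 },
    @{ Avenue = 'Task Manager (Ctrl+Shift+Esc)'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableTaskMgr'; Want = 1 },
    @{ Avenue = 'regedit.exe'
       Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableRegistryTools'; Want = 1 },
    # DisableCMD = 1 blocks cmd.exe and .bat/.cmd scripts; 2 blocks only the interactive prompt.
    @{ Avenue = 'cmd.exe / batch files'
       Path   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name   = 'DisableCMD'; Want = 1 }
)

$Findings = foreach ($c in $Checks) {
    $actual = Get-RegValue $c.Path $c.Name
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }
    [pscustomobject]@{
        Avenue   = $c.Avenue
        Policy   = $c.Name
        Actual   = $shown
        Expected = $c.Want
        Closed   = ($actual -eq $c.Want)
    }
}

# Confirm no drive or ADMIN$ shares are exposed right now, independent of the policy value
# (AutoShareWks only takes effect after the Server service restarts).
$AdminShares = Get-SmbShare -Special $true | Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' }
$Findings += [pscustomobject]@{
    Avenue   = 'Admin shares currently present'
    Policy   = 'Get-SmbShare -Special'
    Actual   = if ($AdminShares) { $AdminShares.Name -join ', ' } else { '(none)' }
    Expected = '(none)'
    Closed   = (-not $AdminShares)
}

$Findings | Format-Table -AutoSize
$Findings | Where-Object { -not $_.Closed } | ForEach-Object { Write-Warning "open avenue: $($_.Avenue)" }
```

The policy values alone do not cover every entry in the list above (environment variables, symbolic links and the alternate protocols are properties of the application, not of the shell), so treat a clean result as closing the Explorer-side avenues only; the application itself still needs its own file dialogs and protocol handlers restricted.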

Download Binaries

Console: https://sourceforge.net/projects/console/

Explorer: https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/

Registry editor: https://sourceforge.net/projects/uberregedit/