Application Escape and Breakout #
Gaining a command shell #
- [Windows] + [R] -> cmd
- [CTRL] + [SHIFT] + [ESC] -> Task Manager
- [CTRL] + [ALT] + [DELETE] -> Task Manager
- Access through file browser: Browsing to the folder containing the binary (i.e.
C:\windows\system32\), we can simply right click and
- Drag-and-drop: dragging and dropping any file onto the cmd.exe
- Task Manager:
New Task (Run...)>
- Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
- Zoom in to make the following tasks easier
- Using the colour picker, set the pixel values to (from left to right):
  - 1st: R: 10, G: 0, B: 0
  - 2nd: R: 13, G: 10, B: 13
  - 3rd: R: 100, G: 109, B: 99
  - 4th: R: 120, G: 101, B: 46
  - 5th: R: 0, G: 0, B: 101
  - 6th: R: 0, G: 0, B: 0
- Save it as 24-bit Bitmap (.bmp;.dib)
- Change its extension from .bmp to .bat and run it
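Why the renamed bitmap runs, as an added example that is not part of the original page: a 24-bit BMP stores each pixel as blue, green, red bytes, so the values above end up in the file as a line break followed by the ASCII text cmd.exe. The Python below rebuilds a constructed sample from those pixel values and shows a check that flags .bat/.cmd files carrying a BMP header; the function names and the file name picture.bat are illustrative assumptions.

```python
import struct

# Pixel values from the steps above, left to right, as (R, G, B).
PAGE_PIXELS = [(10, 0, 0), (13, 10, 13), (100, 109, 99),
               (120, 101, 46), (0, 0, 101), (0, 0, 0)]


def build_bmp(pixels):
    """Constructed sample: a minimal one-row, 24-bit BMP holding `pixels`."""
    row = b"".join(bytes((b, g, r)) for r, g, b in pixels)  # stored as B, G, R
    row += b"\x00" * (-len(row) % 4)                        # rows pad to 4 bytes
    info = struct.pack("<IiiHHIIiiII", 40, len(pixels), 1, 1, 24, 0,
                       len(row), 0, 0, 0, 0)                # BITMAPINFOHEADER
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(row), 0, 0, 54)
    return file_hdr + info + row


def bmp_script_lines(data):
    """Return printable ASCII lines found in the pixel array of a 24-bit BMP,
    or None when `data` is not such a file."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    offset, = struct.unpack_from("<I", data, 10)   # bfOffBits: start of pixels
    bpp, = struct.unpack_from("<H", data, 28)      # biBitCount
    if bpp != 24 or offset > len(data):
        return None
    lines = []
    for raw in data[offset:].replace(b"\r", b"\n").split(b"\n"):
        head = raw.split(b"\x00", 1)[0].strip()    # heuristic: text before NUL
        if head and all(32 <= c < 127 for c in head):
            lines.append(head.decode("ascii"))
    return lines


def is_polyglot_script(name, data):
    """True for a .bat/.cmd file whose content is really a 24-bit BMP."""
    is_script = name.lower().endswith((".bat", ".cmd"))
    return is_script and bmp_script_lines(data) is not None


if __name__ == "__main__":
    sample = build_bmp(PAGE_PIXELS)
    print(bmp_script_lines(sample))
    print(is_polyglot_script("picture.bat", sample))
```

A script file that starts with the `BM` magic bytes has no legitimate use, so the same check works as a file-integrity or EDR content rule on kiosk and published-application hosts.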
Sticky Keys #
- Spawn the sticky keys dialog
- Via Shell URI :
- Press [SHIFT] 5 times
- Via Shell URI :
- Visit “Ease of Access Center”
- You land on “Setup Sticky Keys”; move up one level to “Ease of Access Center”
- Start the OSK (On-Screen-Keyboard)
- You can now use the keyboard shortcut (CTRL+N)
Dialog Boxes #
Creating new files #
- Batch files – Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
- Shortcuts – Right click > New > Shortcut >
Open a new Windows Explorer instance #
- Right click any folder > select Open in new window
Exploring Context Menus #
- Right click any file/folder and explore context menus
- Properties, especially on shortcuts, can yield further access via Open File Location
Save as #
- “Save as” / “Open as” option
- “Print” feature – selecting “print to file” option (XPS/PDF/etc)
Input Boxes #
Many input boxes accept file paths; try all inputs with UNC paths such as
Bypass file restrictions #
Enter *.* or *.exe or similar in the File name box
Internet Explorer #
Download and Run/Open #
- Text files -> opened by Notepad
- The address bar
- Search menus
- Help menus
- Print menus
- All other menus that provide dialog boxes
Accessing filesystem #
Enter these paths in the address bar:
Unassociated Protocols #
It is possible to escape a browser based kiosk with other protocols than usual
If you have access to the address bar, you can use any known protocol (
to trigger the open with prompt and select a program installed on the host.
The program will then be launched with the URI as a parameter, so you need to select a program that will not crash when receiving it.
It is possible to send multiple parameters to the program by adding spaces in your URI.
Note: This technique requires that the protocol used is not already associated with a program.
Example - Launching Firefox with a custom profile:
This is a nice trick since Firefox launched with the custom profile may not be as hardened as the default profile.
- Firefox needs to be installed.
- Enter the following URI in the address bar:
irc://127.0.0.1 -P "Test"
- Press Enter to navigate to the URI.
- Select the Firefox program.
- Firefox will be launched with the profile
In this example, it’s the equivalent of running the following command:
firefox irc://127.0.0.1 -P "Test"
Shell URI Handlers #
- shell:System
- shell:NetworkPlacesFolder
- shell:Common Administrative Tools