How I broke into a Kiosk machine to get admin access
I am Harish SG, a security researcher studying for a Master's in Cybersecurity at UT Dallas. I previously hunted on the Microsoft Bug Bounty Program and Google VRP. Now I am researching building a cross malware killswitch.
I am sharing this article for security awareness and educational purposes only.
In this article, I will share how I hacked into a Windows Kiosk machine and got an admin shell.

What is Windows Kiosk mode?
Windows Kiosk Mode, also known as Assigned Access, is a feature in Windows operating systems that allows you to restrict a computer or device to a specific application or set of applications. It is commonly used in scenarios where the device needs to serve a specific purpose and should not be accessible for general use.
When you enable Kiosk Mode, the user is limited to using only the designated application(s) and cannot access the desktop, start menu, taskbar, or other applications. This can be useful in public environments such as information kiosks, retail displays, interactive exhibits, or self-service stations.
Here’s how you can set up Kiosk Mode in Windows:
- Create a new user account: It is recommended to create a dedicated user account for Kiosk Mode to separate it from other user accounts on the device.
- Configure Assigned Access: Open the Settings app, go to “Accounts,” and select “Family & other users.” Under “Set up a kiosk,” click the “Assigned access” option.
- Choose the application: Select the application you want to run in Kiosk Mode. Windows provides a list of available applications installed on the device. You can choose a Microsoft Store app or a traditional desktop application.
- Configure other settings: Customize the options according to your requirements. You can specify whether the user can exit the kiosk app using specific keyboard shortcuts, adjust accessibility settings, or enable automatic sign-in.
- Save and enable Assigned Access: Once you’ve configured the settings, save them and enable Assigned Access. Windows will then enter Kiosk Mode, and the user will only have access to the designated application(s).
- To exit Kiosk Mode, you can sign out or restart the device. You’ll need to sign in with a different user account to regain full access to the Windows desktop.
Now let's see how I broke out of kiosk mode:
- In this kiosk, Edge was configured as the assigned browser to open only google.com.
- I clicked on upload photo in the Google image search bar; it opened a File Explorer window to choose a photo.
- I clicked on the help icon, which opened an unrestricted Edge window. From there I opened the Download folder, which opened an unrestricted File Explorer.
- From there I navigated to the system32 folder and clicked on cmd.exe, but it failed to execute.
- Now I copied cmd.exe into a world-writable folder such as Pictures, renamed it to msedge.exe, and executed it.
- Boom! It worked and I got shell access.
- But I know this specific kiosk machine had no PIN by default, so I tried to get admin access. If you don't know the PIN, you can simply run shutdown /l; it will log out of the current context.
- So I went back to system32, copied iscipl.exe, pasted it into another world readable folder, and renamed it to msedge.exe. It asked for UAC, but I skipped it since it does not have any PIN by default.
- Now I opened the config tab in the window, and from there I chose export report. It opened a File Explorer dialog, and I opened cmd.exe from there.
- Boom, I got admin shell access.
Note: In the above POC video I pasted cmd.exe into the C directory; that's why it asked for UAC. If you paste it into another world-writable folder, it won't ask for UAC. I did not demonstrate admin access in the video.
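In the steps above, a copy of cmd.exe ran once it was renamed to msedge.exe in a user-writable folder. The detection sketch below is an added example, not part of the original write-up: it triages constructed Sysmon Event ID 1 (process creation) records and flags images whose file name differs from the PE OriginalFileName or that run from outside assumed-trusted install directories. The host, account names, sample paths and the trusted-directory list are assumptions.

```python
import ntpath  # Windows path handling that also works when run on Linux/macOS

# Assumed install locations that a standard user cannot write to.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
UNKNOWN = {"", "-", "?"}  # placeholder values for a missing version resource (assumption)

# Constructed Sysmon Event ID 1 records; host and user names are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe", "User": r"KIOSK01\kioskuser"},
    {"Image": r"C:\Users\kioskuser\Pictures\msedge.exe",
     "OriginalFileName": "Cmd.Exe", "User": r"KIOSK01\kioskuser"},
    {"Image": r"C:\Program Files\..\Users\Public\Pictures\msedge.exe",
     "OriginalFileName": "msedge.exe", "User": r"KIOSK01\kioskuser"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "User": r"NT AUTHORITY\SYSTEM"},
]


def name_mismatch(event):
    """True when the on-disk name differs from the name compiled into the PE."""
    original = (event.get("OriginalFileName") or "").strip().lower()
    if original in UNKNOWN:
        return False  # no version resource: cannot judge by name alone
    return ntpath.basename(event["Image"]).lower() != original


def outside_trusted_dir(event):
    """True when the image runs from outside the assumed-trusted directories."""
    path = ntpath.normpath(event["Image"]).lower()  # collapses "..\" segments
    return not path.startswith(TRUSTED_DIRS)


def triage(events):
    """Return (image, user, reasons) for every suspicious process creation."""
    findings = []
    for event in events:
        reasons = []
        if name_mismatch(event):
            reasons.append("renamed-binary")
        if outside_trusted_dir(event):
            reasons.append("untrusted-path")
        if reasons:
            findings.append((event["Image"], event["User"], reasons))
    return findings


if __name__ == "__main__":
    for image, user, reasons in triage(SAMPLE_EVENTS):
        print(f"{user}: {image} -> {', '.join(reasons)}")
```

Detection of this kind complements allow-listing by publisher or file hash (AppLocker or WDAC), which a renamed copy of another binary does not satisfy.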
Thanks for reading my article
Follow me : https://twitter.com/CoderHarish