If Your Name's Not Down You Ain't Coming In - Impersonating Windows Services For Fun, Profit Or Just To Evade Group Policy

Apologies for the long title, I just couldn't resist. This article/blog post complements my previous one on evading GPO and getting a command prompt. Anyhow, that's in the past, let's move on with our lives.

Why would you want to evade Group Policy in the first place? I think I've mentioned it before, but usually it's as part of a GAP (Government Assurance Pack) analysis performed in a penetration test. Clients usually want to know whether their implementation of a GAP lockdown leaves the workstation in a good state, e.g. whether any loopholes allow a malicious user to break out of the environment. Also, does the lockdown stop users from doing what they need to do? Again, a fine line between usability, functionality and security. I feel kinda like a lawyer when performing these reviews - it's often a case of looking through pages of GPO rules and software restriction policies, looking for wildcards with regard to executable files/directories, and cross-referencing these with write privileges. Anyway... going a bit into the methodology there, let's get back on track.

Let's assume you have exhausted all other options with regard to breaking out of the environment and you're close to smashing the place up... Wait! I may just be able to help.

Windows has a little thing called "Services" which can be accessed by typing "services.msc" from the run prompt. Great - but what if the run prompt has been locked down? Well, you can usually access it through the Start menu - even as a normal or power user. If you can't get to it that way then you need to overcome this obstacle first - not covered in this post! There are 101 ways to break out of Windows environments in small but effective ways - Office macros, Internet Explorer functionality and Windows Help are your friends here.

Right, so you managed to get this badboy services application open? That's good news. You will be presented with a big list of all the different services, some system, some third party (see screenshot below). Some of these get started automatically on boot, others have to be started manually, and some are disabled. Some are executed in the context of Local Service, some as a specific user, others as Local System. We are looking for a service with the right qualities, think online dating, GSOH, etc.:

- It must be executed in the context of Local System;
- It can be started manually (automatic is fine too, but will require a reboot);
- The service must call an executable in a directory to which we have write access.

[Screenshot: services_msc.gif]

Satisfy all these conditions and the service has marriage written all over it.

As a normal user, or even as a power user, we won't be able to edit any of the service's parameters (paths, etc.). However, we will be able to stop/start it. Ignore that for now.

You'll notice a load of services point to executables in the Windows System directory; write access there is out of the question. Where you will get lucky is with third party applications that act as a service to the OS: those which live in C:\Program Files\... (which we can potentially write to) and which need to be run in the context of Local System.
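The three conditions above are exactly what a defender should be auditing for before a pentester does. The script below is an added example, not code from the original post: it lists every service that runs as LocalSystem and whose executable, or the folder holding it, carries an Allow entry with write, delete, change-permissions or take-ownership rights for an identity outside a trusted set. It assumes Windows PowerShell 5.1 or later, an account permitted to read the ACLs in question, and that you adjust the `$TrustedWriters` list to your own administrative groups; it only reads, it never changes anything.

```powershell
# Added example (not from the original post): audit LocalSystem services whose
# binary or binary folder is writable by an untrusted identity. Read-only.
# Assumptions: Windows PowerShell 5.1+, ACL read access, $TrustedWriters tuned
# to the environment's own admin groups.

$TrustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Rights that allow a principal to rename or replace the file. Modify and
# FullControl both include these bits, so they are caught as well.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Some ACEs carry generic bits instead: GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000).
$GenericWriteMask = 0x50000000

function Get-ImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep just the executable.
    if ($PathName -match '^"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-UntrustedWriters {
    param([string]$Path)
    try   { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop }
    catch { return @('<ACL unreadable>') }
    $acl.Access |
        Where-Object {
            $r = [int]$_.FileSystemRights
            $_.AccessControlType -eq 'Allow' -and
            ((($r -band $WriteMask) -ne 0) -or (($r -band $GenericWriteMask) -ne 0)) -and
            ($TrustedWriters -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
}

function Get-ServiceBinaryExposure {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $exe = Get-ImagePath $_.PathName
            $dir = Split-Path -Parent $exe
            $dirWriters = @(Get-UntrustedWriters $dir)
            # A missing binary in a writable folder is the worst case: anyone can supply it.
            $exeWriters = if (Test-Path -LiteralPath $exe) { @(Get-UntrustedWriters $exe) }
                          else { @('<file missing>') }
            if ($dirWriters.Count -or $exeWriters.Count) {
                [pscustomobject]@{
                    Service     = $_.Name
                    StartMode   = $_.StartMode
                    Executable  = $exe
                    DirWritable = $dirWriters -join ', '
                    ExeWritable = $exeWriters -join ', '
                }
            }
        }
}

Get-ServiceBinaryExposure | Format-Table -AutoSize -Wrap
```

Anything this prints is a service that satisfies the first and third conditions; whether an ordinary user can also start it (the second condition) is governed by the service's own security descriptor, which you can inspect with `sc sdshow <ServiceName>`. The fix is to remove the offending Allow entry from the folder and file (for example `icacls "<folder>" /remove:g "BUILTIN\Users"`) and re-grant read and execute only where users genuinely need it, or to reinstall the product so that its binaries land under the default Program Files permissions.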

Let's assume we found some Citrix service in this example which is started manually, runs under the context of Local System when started and, finally, lives in C:\Program Files\Citrix\CitrixBah.exe. You can see all this information by going into the properties (right click) of the specific service - an example is in the screenshot below.

[Screenshot: services_msc_info.jpg]

So in our example, the "Path to executable:" field would read C:\Program Files\Citrix\CitrixBah.exe. We first stop this service. Please note it is always good to pick non-essential services to impersonate if you have the choice! We go looking in C:\Program Files\Citrix\ (via 1000 breakout methods), find CitrixBah.exe and rename it to CitrixOld.exe. If we didn't have write access to this folder we'd see a nasty Windows popup right now... but since from your paperwork (or even from xcacls) you know you have write access, it's all good.

You now get creative - I usually whack up my own compiled code that will add a new user and assign them to the Administrators group (via the net user command). I get this onto the box via whatever isn't locked down: USB, CD-ROM (always a killer...) or over the Internet. I name this CitrixBah.exe and place it in C:\Program Files\Citrix\. When run as a normal user this obviously gives me a great big nada... However, since it will be run under the context of Local System, happy times.

Now go back to Windows Services, right click and click "Start", or do it from within the properties. It will quickly run your goodness then quit. You will now have your own admin user. Re-login, or just right click and run "Explorer" via Run-As with your new user.

Don't forget to put the old CitrixBah.exe back too! ;o)
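Putting the old binary back is exactly what makes this hard to spot after the fact, so a defender wants to catch the swap while it is in place. The script below is an added example, not code from the original post or from any vendor: it records a SHA-256 baseline of the executable behind every LocalSystem service and, on later runs, reports binaries whose hash or path has changed, services that have appeared, and services that have vanished. It assumes Windows PowerShell 5.1 or later and a baseline location (`$BaselinePath`, a name chosen here) that only administrators can write, otherwise the baseline itself could be edited to match the replacement.

```powershell
# Added example (not from the original post): baseline and re-check the
# executables behind LocalSystem services. A renamed-and-replaced service
# binary shows up as BINARY CHANGED on the next run.
# Assumptions: Windows PowerShell 5.1+; $BaselinePath is admin-writable only.

param(
    [string]$BaselinePath = "$env:ProgramData\SvcBaseline\service-binaries.json"
)

function Get-ImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep just the executable.
    if ($PathName -match '^"([^"]+)"')    { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-ServiceBinarySnapshot {
    # Returns a hashtable: service name -> @{ Path; Sha256 } for every LocalSystem service.
    $snap = @{}
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $exe  = Get-ImagePath $_.PathName
            $hash = $null   # stays null when the file is absent, which is itself worth knowing
            if (Test-Path -LiteralPath $exe) {
                $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
            $snap[$_.Name] = @{ Path = $exe; Sha256 = $hash }
        }
    return $snap
}

function Compare-ServiceBinaryBaseline {
    param([string]$Path)
    $current = Get-ServiceBinarySnapshot

    # First run: write the baseline and stop.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Force -Path (Split-Path -Parent $Path) | Out-Null
        $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $Path -Encoding UTF8
        Write-Output "Baseline written to $Path ($($current.Count) services). Re-run to compare."
        return
    }

    # Later runs: load the baseline back into a hashtable keyed by service name.
    $baseline = @{}
    (Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }

    foreach ($name in $current.Keys) {
        $now = $current[$name]
        if (-not $baseline.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Finding = 'NEW SERVICE'; Path = $now.Path }
            continue
        }
        $was = $baseline[$name]
        if ($was.Path -ne $now.Path) {
            [pscustomobject]@{ Service = $name; Finding = 'PATH CHANGED'; Path = "$($was.Path) -> $($now.Path)" }
        } elseif ($was.Sha256 -ne $now.Sha256) {
            [pscustomobject]@{ Service = $name; Finding = 'BINARY CHANGED'; Path = $now.Path }
        }
    }
    foreach ($name in $baseline.Keys) {
        if (-not $current.ContainsKey($name)) {
            [pscustomobject]@{ Service = $name; Finding = 'SERVICE REMOVED'; Path = $baseline[$name].Path }
        }
    }
}

Compare-ServiceBinaryBaseline -Path $BaselinePath | Format-Table -AutoSize -Wrap
```

Run it once to seed the baseline, then on a schedule (or from a logon script that ships the output to a collector). Because the whole trick here is a stop, a file swap, a start and a swap back, the hash check pairs well with the event log: a service start/stop shows up as Service Control Manager event 7036 in the System log, and the payload's effect shows up in the Security log as 4720 (user account created) followed by 4732 (member added to a security-enabled local group). A 7036 for a third-party service immediately followed by 4720/4732 is a correlation worth alerting on even after the original binary has been restored.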

Thank you, and goodnight.
