The CSUN game room has pretty locked down computers…

windows
cybersecurity
_playground
A sequel to my adventures on a cruise ship
Published August 28, 2023

My first class at Cal State Northridge (CSUN) happened today.

It was pretty exciting, but after class, I wandered around to stave off boredom. I ended up finding the CSUN game room, which was a pretty sick setup. One side was a game room with a few pool tables and other table games, and beyond that, couches and game consoles; the other side was set up like the computer cafes that are still popular in South Korea.

Obviously I needed to assess their security. Because of my experience with the cruise ship computers, I somewhat knew what I needed to do. The Windows UI on the machines in the CSUN game room is locked down.

Rather than the normal Windows interface, it was a proprietary interface dedicated to games. I could not even open a browser.

In addition to that, none of the keyboard shortcuts worked: not Windows + R (run dialog), not Windows + E (explorer).

So, as on the cruise ships, my initial goal was to restart the Windows UI. For some strange reason, the Windows UI is provided by the program explorer.exe, which is the same program as the file browser. On the cruise ship, finding and launching this program is how I restarted the Windows UI.

However, I quickly discovered something interesting. When launching Discord through the locked-down UI, the Edge browser would launch for half a second and then disappear, the tab closing itself. I launched a new tab before it closed, and Edge stayed open…

Once Edge was open, the first thing I tried was Chromium’s Control + O open file dialog.

However, I couldn’t open anything, and, more interestingly, right click and every other method of accessing the context menu I tried were blocked.

So I tried to download another file browser. Blocked.

Interestingly, though, I could click “open downloads folder” and get the proper Windows file browser open. In this file browser, I could simply single click on applications to open them.

I located explorer.exe, the program which launched the Windows UI on the cruise ship computers, and…

For whatever reason, launching explorer.exe simply resulted in another instance of the file browser launching, rather than the Windows UI. So I decided to try some other stuff.

I tried a few things. PowerShell, Command Prompt, Registry Editor: no dice.

I went down the list of apps in C:\Windows, checking things out, when I found something interesting unblocked.

The strangest thing about being able to launch this application, Windows’ “Computer Management” app (compmgmt.msc), is that it requires administrative privileges simply to launch.

On first boot, the computer automatically logs in to a default user called “User”. Apparently, the default user was an administrator.

From here, I can get to “Task Scheduler”. Because I am already an administrator for some reason, I am able to schedule tasks, which can be any arbitrary thing.

However, this isn’t really a big deal when it comes to access to this machine itself. All the computers at this PC cafe use image-based deployments, and I am presuming these images are immutable, so any system changes I make would be reset the moment I log out.

However, with administrative access within the network, I could do things like a Denial-of-Service attack by eating up bandwidth, or I could seek lateral movement through the network if the machines aren’t isolated properly.

There were multiple ways this kind of access could have been prevented. Why do the logged-in users need administrative access? All they are doing is using Discord and playing games; they don’t need administrative access.

Another thing that could have been done is simply preventing me from launching compmgmt.msc, the same way PowerShell and cmd are prevented.

And finally, they could have used a browser other than Edge. The browser on that system is not intended for normal browsing; it’s intended for logging into your online accounts, like Discord or the video game providers. Since that’s the case, why use a fully featured browser that lets you open a file browser? There exist browsers that are far more locked down and cannot do things like browse files, only open a single webpage — perfect for this use case.
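The first two fixes above can be checked on a kiosk image before it ships. The script below is an added example, not from the original post or the cafe’s setup: it reads the Winlogon autologon account from the registry, checks whether that account sits in the local Administrators group, and checks whether the MMC snap-in restriction policy (which is what stops compmgmt.msc from loading) is set for the current user. The registry paths are standard Windows locations; the assumption is that the MMC policy is applied per user, so the last check must run in the kiosk user’s own session.

```powershell
# Added example: audit a kiosk image for the weaknesses described in the post.
# Assumes it runs on the kiosk itself, in the autologon user's session.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto     = Get-ItemProperty -Path $winlogon
$findings = @()

# 1. Is autologon enabled, and which account does it use?
if ($auto.AutoAdminLogon -eq '1') {
    $kioskUser = $auto.DefaultUserName
    Write-Host "Autologon enabled for account: $kioskUser"

    # 2. Is that account a local administrator? (The post found the default
    #    'User' account was.) Member names come back as COMPUTER\name, so
    #    keep only the part after the backslash before comparing.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { ($_.Name -split '\\')[-1] }
    if ($admins -contains $kioskUser) {
        $findings += "Autologon account '$kioskUser' is in Administrators; it should be a standard user."
    }
} else {
    Write-Host 'Autologon is not enabled.'
}

# 3. Are MMC snap-ins restricted for this user? RestrictToPermittedSnapins = 1
#    is the Group Policy 'Restrict users to the explicitly permitted list of
#    snap-ins'; without it, compmgmt.msc (and other consoles) load normally.
$mmcPolicy = 'HKCU:\Software\Policies\Microsoft\MMC'
$restrict  = (Get-ItemProperty -Path $mmcPolicy -ErrorAction SilentlyContinue).RestrictToPermittedSnapins
if ($restrict -ne 1) {
    $findings += 'MMC snap-ins are not restricted; compmgmt.msc can be launched.'
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Blocking the consoles on its own is not enough, since the post shows the real problem was the account being an administrator; the script reports both so neither gets fixed in isolation.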