ATM/Kiosk Hacking Reloaded

This blog revolve around Positive Hack Days 2022 Payment Village challenges. This came to my attention by accident from some of the Payment Village members who personally attended this conference. Personally, It's a conference I'll make an effort to attend next year as it genuinely looks amazing.  

alt

I blogged about PHDays 2021 ATM/Kiosk challenges a few months ago, you can find that blog here. The machines this year were significantly better and more complex than last year. I'm seriously looking forwards to next years challenges.

Online Banking Portal

One of the challenge mediums this year was through their custom online banking application. The description is fairly barebone. In essence, during the event report everything you find.

alt

After creating an account and signing into the application you'll be presented with the following UI. Within the app you have the ability to transfer funds, apply for loans, calculate loans as well as configure personal user data.

alt

Rounding Attack

When converting, bank rounds the amount to two decimal places, that is, too $0.01. As an example lets say that the rates for 1GBP = 1.30USD then a fraudster would transfer GBP cents into US during the transfer as a result of conversion, they will receive 0.01 US out of the ether. The following would apply:

0.02 USD => float(0.0153; 2) == 0.02 GBP
0.02 GBP => float(0.026; 2) == 0.03 USD
Profit = 0.01 USD

If this is confusing let me rephrase it. In this banking app, the conversion rate from USD to RUB is 79.5 therefore $1.3 RUB = $0.01635 USD (1.3 / 79.5 = 0.01635). So, if I send the equivalent of $0.01635 USD in RUB (1.3) into the USD account $0.01635 will round up to $0.02. As a result I'll have effectively made $0.00365 out of the thin air.

Let's prove this in action. As seen below I'm transferring 1.3 from the RUB account into the USD one.

altalt

As you can see I transferred 1.3 RUB (which is  $0.01635 USD) and it ended up being rounded up leaving me with $0.02 USD netting me a $0.00365 USD profit.

alt

Scientific Notation Bug

This is a vulnerability that I've found in old MMORPG back in 2012-2014 but they appear everywhere. This occurs when the e scientific notation is handled for numbers. For example sending 1.1e5 will actually send 110000.

What I'll do to prove that this bug is present is send 1e1 USD which is 10 from the USD account to the RUB account.

alt

Now since the transfer rate from USD to RUB is 79.5 if we were to send 10 USD we should expect to receive 795 RUB.

alt

Besides using this to perform the rounding attack 1.635e-2 = 0.01635 I'm not sure how to abuse this maliciously, if its obvious to you ping me on twitter.

Since most of the input fields in this application are in Russian, a language I don't speak, I wont be spending time trying to find exploits within the loan applications.

ATM Images

There are two ATM images, respectively ATM1 and ATM2 the descriptions to the challenges will be found before the technical details. Huge shoutout to the creator circuit for these VM's I highly recommend you try them for yourself.

ATM1.ova (Difficulty Medium)

Tasks:
  1. Kiosk bypass;
  2. Bypass the applocker;
  3. Elevation of privileges to administrator;

There are several files on the C:\ drive task_kiosk.exe , task_applocker.exe, task_escalation.exe, which need to be launched in order for the task to be counted.

task_kiosk.exe available to launch immediately after the kiosk crawl, task_applocker.exe blocked by the applocker, to run task_escalation.exe administrator rights are required.

Additional tasks - attacks on the ATM web interface (classic WEB vulnerabilities)

Limitations:

Do not use a bootable USB flash drive and safe mode;

Okay so when we boot up the image we get:

alt

Let’s keep it simple. Instead of finding fancy escapes just smash down the shift key (~5 times) until you get the following popup.

alt

Click on the “Disable this keyboard…” hyperlink.

alt

Cool. So, since this is an easy box we can right-click on the page and go to print.

alt

Then go to Find printer… to pop up the iexplorer.exe.

altalt

For those of you who forgot you can run command in the file explorer. Therefore we’re able to spawn cmd.exe by going to C:\Windows\System32\cmd.exe

altalt

Cool so we have a cmd shell and we’ve confirmed that we are the ATM user. But this doesn’t really solve anything. If you remember we were told that theres a lot of files on disk and that we eventually need to find a way to bypass AppLocker. So what I did next was go to C:\Atm

alt

As you can see there’s nothing there. However if we go to C:\Users\ATM\Downloads we’ll find the following folder. The key here is to open this file in a new window. The password to the zip is 123 and I extracted the binary to my downloads folder.

alt

In doing this you get an “unfucked” windows explorer.

alt

Now if you go back to C:\Atm or C:</code> voila we’ve got files.

alt

Theres a file called atmkey when opened in notepad we get the following MXTivV99iqrQLgA no real idea what this does at this point maybe its the password to the ATM user?

alt

If I open the payout.exe binary the following pops up which loosely translate to successful issuance of money.

alt

At this point I was kinda stumped. I decided to go back to basics.  

alt

Maybe the atmkey.txt contents is the password for the ATM user?

alt

No thats not it. I went back to C:</code> and ran the task_kiosk.exe and got the following? So I’ve officially completed this step.

alt

If I run the task_applocker.exe I’ve clearly not finished this step. same applies for the task_escalation.exe

alt

While looking around I found the following file. This is actually super neat. Basically since the user ran the Get-History PowerShell cmdlet this lets us get the full history from that point (the list of commands entered during the current session). This is caused by the PSReadline module being installed and enabled by default starting from PowerShell Windows 10 onward. It is responsible for recording what is typed into the console. The default option is to save history to a file. In our case this file is ConsoleHost_history.txt

alt

From the explorer windows I opened PowerShell by running C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. Then I ran runas to and tried the Admin:hackhack credentials from the ConsoleHost_history.txt file.

alt

So the logical thing to do now would be to run the task_escalation.exe binary now that we’re admin. So I guess we have to be administrator and not admin.

alt

However if I run the task_applocker.exe binary it turns out I bypassed AppLocker? Not really sure if this was the intended solution but I’ll keep it moving.

alt

Okay. Let’s say I want to open explorer from this terminal I’m also unable to.

alt

Same thing happens when I try to open it directly. This also happened to the recycle-bin when running start shell:RecycleBinFolder and TaskManager. Additionally net use was and running fsutil fsinfo drives didn’t show me anything I didn’t already know.

alt

I decided to open ms-paint with the runas admin terminal session but again my explorer was downgraded and the C:\Atm and C:</code> directories were empty.

alt

To work around this, I spawned PowerShell from the ms-paint explorer. Now I was able to go to C:\Users\Admin</code> which I previously was unable to as the ATM user. Unfortunately I and found absolutely nothing there.

alt

Going back to see if there is a unique ConsoleHost_history.txt but its the same file at heart. By the way there is not password reuse from Admin->Administrator.

alt

Remember how I said that running @start iexplore and start . didn’t work. This is essentially me trying to open the explorer window. Let’s just go full morbius mode and use wmic.exe to spawn explorer.

alt

As a result we’ve completely exit the sandbox =:) What happens next is something I genuinely don’t understand (and something I’m not going to bother understanding, sorry) If I right-click the windows icon and click on Windows PowerShell (Admin)

alt

The UAC will prompt and if I use the password hackhack it works and I get a PowerShell shell.

alt

Then if I run the task_escalation.exe binary… success?

altalt

This is fucked. As you can see in the image below we did exactly this earlier but through our runas admin session. So it has to be an issue with runas or who the binary perceives privileges which is kinda frustrating because it wasted a good 2h of my time.

alt

ATM2.ova (Difficulty Hard)

ATM2 difficulty hard

Tasks:

  1. Kiosk bypass;
  2. Bypass the applocker;
  3. Elevation of privileges to administrator;

There are several files on the C:\ drive task_kiosk.exe , task_applocker.exe , task_escalation.exe , which need to be launched in order for the task to be counted.
task_kiosk.exe available to launch immediately after the kiosk crawl, task_applocker.exe blocked by the applocker, to start task_escalation.exe administrator rights are required.

Additional tasks - attacks on the ATM web interface (classic WEB vulnerabilities)

Limitations:

Do not use a bootable USB flash drive and safe mode;

Okay so when we boot up the VM we’re presented with the following.

alt

Right-clicking doesn’t work within this portal. Sticky keys also don’t work. So let’s keep it simple and hit CTRL+P and do just like before.

altalt

Cool. Literally 20 seconds after booting the VM to escape the kiosk.

alt

I kind feel bad about this so I’ll show you other ways I could’ve escaped this kiosk. Doing CTRL+N to open a new windows as seen below will also provide you with everything you need to escape the kiosk.

alt

From this point simply do CTRL+J and you’ll have so many options to escape the kiosk.

alt

Another kiosk bypass is by doing CTRL+L and you’ll have a bypass in the Browser button as seen below.

alt

Moving on. Within the cmd.exe I spawned I run start . to get an explorer.exe outside of the print restricted explorer spawned from the printing explorer.

alt

There is a fileC:\Atm with the following.

alt

Just like in ATM1 I’ll go ahead and 100% escape the sandbox/kiosk with the same wmic trick as before. You can also do this with msbuild so I don’t think it’s a challenge oversight.

alt

I’ll go ahead and include some embarrassing failures & low IQ moments that would have been funny if they had worked. This is really just sharing my thought process.

At this point we’re looking for a way to run the task_applocker.exe binary.

In terms of recon I went  to Event Viewer and checked BagMRU to enumerate folders that were opened in Windows Explorer. I found nothing of real value.

So I went ahead with some generic AppLocker bypasses attempts like rundll32.exe advpack.dll,RegisterOCX c:\task_applocker.exe or stuff like rundll32 url.dll, OpenURL file://c:\task_applocker.exe I even tried to make it fancier rundll32.exe javascript:"…\mshtml.dll,RunHTMLApplication ";eval(“w=new%20ActiveXObject(“WScript.Shell”);w.run(“cmd”);window.close()”); but eventually I concluded that rundll32, regsvr32, installutil.exe, bginfo.exe, regasm.exe, regsvcs.exe weren’t going to work which are old / known methods of bypass the poorly made rules. I then attempted it with Msbuild but same story. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Msbuild.exe C:\Atm\test.csproj

alt

However, the main reason behind MsBuild failing was windows defender.

alt

Obviously I didn’t have the permissions to exclude AV locations for my binaries.

alt

Don’t get it twisted, it’s not like defender will ever really prevent us from doing what we want. We can bypass it with little to no effort. Again, if we wanna go full morbius mode I can retrieve a CobaltStrike beacon. But ultimately this does nothing for us.

altalt

Going back to the AppLocker bypass If  I was admin I’d be able to simply reimport/overwrite/delete the existing group policies with null/* ones as demonstrated in this technique and this blog.

alt

I’ll mention that moving the binary to folders that are by default writable by normal users didn’t help. The same goes for using a downgraded version of PowerShell. So I ended up trying a load stuff. Generally speaking I was trying to find a lolbas that might work. LOLBAS is Living Off The Land Binaries and Scripts, they can be useful for bypassing AppLocker rules in general with different implementations.

altalt

At this point I was seriously at a loss. I had committed ~7h to trying to solve this with more-or-less no progress so I asked the challenge creator for the hint.

alt

I NEVER user runas so this was completely unknown to me. Everyday is a school day as they say. Since there is not a simple way to run a program with higher privileges without /savecred option in windows I guess it’s still used fairly often? If the program must be interactive this is typically used. Basically, since the Admins credentials have been previously saved by this user then it can be retrieved from. c:\users\username\appdata\roaming\microsoft\credentials  with the /savecred flag.

alt

Quickly checking out privileges to see if we can run gpedit.msc

alt

We are a member of Administrators so we should have no issues editing/creating AppLocker rules. Instead of creating a * path rule I’ll simply delete the rule below.

altalt

Nice. All that is left is to run task_escalation.exe. At this stage, just like in ATM1 I’m unable to open an explorer from within the runas /user:Admin command-line. To get around this I use run mspaint and notice a .lnk file on the Admin users desktop.

alt

Simply right-click the administrator_cmd.lnk, go to Properties then navigate into the Shortcut tab. Basically all a .lnk really is, is a shortcut to a binary. We’ll change this to the task_escalation.exe binary as seen below.

alt

Then just save and apply the changes and run the .lnk

alt

In doing so we will trigger a UAC prompt so clicking Yes will complete the execution.

alt

And thats it! We’ve completed ATM2.

alt

Additional tasks - attacks on the ATM web interface

This is an optional section that I did not complete. I personally have no interest at digging into web applications on my free time. Regardless, I’ll  document my notes and progress. Maybe someone will want to pickup where I left-off.

Remember the kiosk escape with CTRL+N that disclosed the IP of the ATM. So that a public IP that resolves to bank.paymentvillage.org.

alt

Doing some quick recon I found a few endpoints that didn’t amount to much.

— Ports —
22 open ssh
80 open http
5432 open postgresql
6379 open redis
8081 open blackice-icecap
altalt

There’s also another useless page that doesn’t require authentication that we can access that looks like the following.

alt

Below is some weird behavior. The way the app is failed authentications results in the banking dashboard being leaked. The redirection actually leaks the page the valid user is redirected upon successfully authentication.

When I attempt to log in with invalid credentials I get redirected back to the initial page. During this process the application leaks the /cabinet endpoint data which is only accessible when you log in successfully. So this is a weird “vuln” in & of itself.

alt

To prove this I’m able render the page in burp preview. Notice that I don’t have a valid user cookie.

alt

Moving on. Turns out that I can simply use my credentials from the web challenges to authenticate. This application is completely useless, there’s no actions or changes you can perform here.

alt

I ran some cheap directory enumeration on the endpoint and retrieved the following endpoints.

alt

The endpoint of interest to us is favicon.ico as seen below we get a verbose error message mentioning file_get_contents which screams path traversal / potential LFI.

alt

As a result we have arbitrary read files as seen below.

altalt

I didn’t peruse this path any further. Theres definitely something here. I’ll leave finding it as an exercise to the reader.

Some extra notes. Theres a lot of files in the C:\Atm directory. They all don’t seem to do anything or create funky logs or important information. However, there is a binary server.exe. After starting the binary and confirming that it’s running I got the following error messages.

altalt

This actually ends up happening when you try to reach the ATM on port 80 from another host on the same VNET or locally.

altalt

When you click OK an internet explorer page will launch and you’ll be directed to the organizers site.

alt

I guess what someone could do here is trace the intended hackerguard.dll calls and make the lib yourself fulfilling what server.exe procs. This is not my definition of a good time. Also the main issue with this is that I can’t run process hacker, daphne, or process explorer as its all denied. This doesn’t stop you from simply exporting them using my gofileserver. After-all building a custom dll that calls functions in Kernel32.dll which will in turn spawn a cmd or whatever isn’t challenging. The idea here is that server.exe will load the DLL into a process. In a restricted environment, it can be injected into a legitimate process and thus bypass the restriction mechanisms.

Final Thoughts:

I personally think that anyone reading this blog should attempt this lab themselves. These VM’s offer a unique challenge set & touch on skills/techniques you don’t often use.

I hope you liked the blogpost. Follow me on twitter I sometimes post interesting stuff there too.

Thank you for reading!

Article Link: ATM/Kiosk Hacking Reloaded