# Escaping from KIOSKs

## Check physical device

| Component    | Action                                                             |
| ------------ | ------------------------------------------------------------------ |
| Power button | Turning the device off and on again may expose the start screen    |
| Power cable  | Check whether the device reboots when the power is cut off briefly |
| USB ports    | Connect a physical keyboard to gain more shortcuts                 |
| Ethernet     | Network scan or sniffing may enable further exploitation           |

## Check for possible actions inside the GUI application

**Common Dialogs** are the options for **saving a file**, **opening a file**, selecting a font, a color... Most of them will **offer full Explorer functionality**. This means that you will be able to access Explorer functionality if you can reach any of these options:

* Close/Close as
* Open/Open with
* Print
* Export/Import
* Search
* Scan

You should check if you can:

* Modify or create new files
* Create symbolic links
* Get access to restricted areas
* Execute other apps

### Command Execution

Maybe **using an `Open with`** option you can open/execute some kind of shell.
#### Windows

For example _cmd.exe, command.com, Powershell/Powershell ISE, mmc.exe, at.exe, taskschd.msc..._ Find more binaries that can be used to execute commands (and perform unexpected actions) here: [https://lolbas-project.github.io/](https://lolbas-project.github.io)

#### \*NIX

_bash, sh, zsh..._ More here: [https://gtfobins.github.io/](https://gtfobins.github.io)

## Windows

### Bypassing path restrictions

* **Environment variables**: Many environment variables point to a path
* **Other protocols**: _about:, data:, ftp:, file:, mailto:, news:, res:, telnet:, view-source:_
* **Symbolic links**
* **Shortcuts**: CTRL+N (open new session), CTRL+R (Execute Commands), CTRL+SHIFT+ESC (Task Manager), Windows+E (open explorer), CTRL-B, CTRL-I (Favourites), CTRL-H (History), CTRL-L, CTRL-O (File/Open Dialog), CTRL-P (Print Dialog), CTRL-S (Save As)
  * Hidden Administrative menu: CTRL-ALT-F8, CTRL-ESC-F9
* **Shell URIs**: _shell:Administrative Tools, shell:DocumentsLibrary, shell:Libraries, shell:UserProfiles, shell:Personal, shell:SearchHomeFolder, shell:System, shell:NetworkPlacesFolder, shell:SendTo, shell:UsersProfiles, shell:Common Administrative Tools, shell:MyComputerFolder, shell:InternetFolder_
* **UNC paths**: Paths to connect to shared folders. You should try to connect to the C$ of the local machine (`\\127.0.0.1\c$\Windows\System32`)
* **More UNC paths:**

| Variable                  | Variable       | Variable             |
| ------------------------- | -------------- | -------------------- |
| %ALLUSERSPROFILE%         | %APPDATA%      | %CommonProgramFiles% |
| %COMMONPROGRAMFILES(x86)% | %COMPUTERNAME% | %COMSPEC%            |
| %HOMEDRIVE%               | %HOMEPATH%     | %LOCALAPPDATA%       |
| %LOGONSERVER%             | %PATH%         | %PATHEXT%            |
| %ProgramData%             | %ProgramFiles% | %ProgramFiles(x86)%  |
| %PROMPT%                  | %PSModulePath% | %Public%             |
| %SYSTEMDRIVE%             | %SYSTEMROOT%   | %TEMP%               |
| %TMP%                     | %USERDOMAIN%   | %USERNAME%           |
| %USERPROFILE%             | %WINDIR%       |                      |

### Download Your Binaries

Console: [https://sourceforge.net/projects/console/](https://sourceforge.net/projects/console/)\
Explorer: [https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/](https://sourceforge.net/projects/explorerplus/files/Explorer%2B%2B/)\
Registry editor: [https://sourceforge.net/projects/uberregedit/](https://sourceforge.net/projects/uberregedit/)

### Accessing filesystem from the browser

| PATH                | PATH              | PATH               | PATH                |
| ------------------- | ----------------- | ------------------ | ------------------- |
| File:/C:/windows    | File:/C:/windows/ | File:/C:/windows\\ | File:/C:\windows    |
| File:/C:\windows\\  | File:/C:\windows/ | File://C:/windows  | File://C:/windows/  |
| File://C:/windows\\ | File://C:\windows | File://C:\windows/ | File://C:\windows\\ |
| C:/windows          | C:/windows/       | C:/windows\\       | C:\windows          |
| C:\windows\\        | C:\windows/       | %WINDIR%           | %TMP%               |
| %TEMP%              | %SYSTEMDRIVE%     | %SYSTEMROOT%       | %APPDATA%           |
| %HOMEDRIVE%         | %HOMESHARE%       |                    |                     |
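
The path forms in the table above differ only in scheme case, slash direction and encoding, so a kiosk input filter has to normalise before it matches. The following is an added example, not part of the original page, of such a check in Python; the allowed origin `https://kiosk.example.internal/` and the names `classify_kiosk_input`, `SAMPLES` and `not_blocked` are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the only origin this kiosk is meant to display.
ALLOWED_PREFIXES = ("https://kiosk.example.internal/",)
# Non-web schemes named on this page, plus shell:.
BLOCKED_SCHEMES = {"about", "data", "ftp", "file", "mailto", "news", "res",
                   "telnet", "view-source", "shell"}
# %NAME% with a name of 3+ characters, so %20-style escapes are not matched.
ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]{2,}%")
DRIVE_PATH = re.compile(r"^[a-z]:(/|$)")
SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")


def classify_kiosk_input(raw: str) -> str:
    """Return 'allow' or 'block:<reason>' for text typed into an address
    bar or a file-name field. Anything not explicitly allowed is blocked."""
    stages = [raw.strip()]
    for _ in range(3):                     # peel nested percent-encoding
        stages.append(unquote(stages[-1]))
    if any(ENV_VAR.search(s) for s in stages):
        return "block:env-var"
    # Compare case-insensitively and treat '\' and '/' as the same separator.
    norm = stages[-1].replace("\\", "/").lower()
    if norm.startswith("//"):
        return "block:unc"
    if DRIVE_PATH.match(norm):
        return "block:drive-path"
    scheme = SCHEME.match(norm)
    if scheme and scheme.group(1) in BLOCKED_SCHEMES:
        return "block:scheme-" + scheme.group(1)
    if norm.startswith(ALLOWED_PREFIXES):
        return "allow"
    return "block:not-allow-listed"


# Constructed regression inputs, taken from the forms listed on this page.
SAMPLES = [r"File:/C:\windows", "File://C:/windows/", r"C:\windows", "%WINDIR%",
           r"\\127.0.0.1\c$\Windows\System32", "shell:Personal",
           "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
           "https://kiosk.example.internal/menu"]


def not_blocked(samples):
    """Inputs the filter lets through; only the kiosk origin should appear."""
    return [s for s in samples if classify_kiosk_input(s) == "allow"]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify_kiosk_input(s):24} {s}")
```

An input filter like this complements OS-level lockdown and does not replace it: the dialogs and keyboard shortcuts covered elsewhere on this page never pass through an address-bar check.
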


### ShortCuts

* Sticky Keys – Press SHIFT 5 times
* Mouse Keys – SHIFT+ALT+NUMLOCK
* High Contrast – SHIFT+ALT+PRINTSCN
* Toggle Keys – Hold NUMLOCK for 5 seconds
* Filter Keys – Hold right SHIFT for 12 seconds
* WINDOWS+F1 – Windows Search
* WINDOWS+D – Show Desktop
* WINDOWS+E – Launch Windows Explorer
* WINDOWS+R – Run
* WINDOWS+U – Ease of Access Centre
* WINDOWS+F – Search
* SHIFT+F10 – Context Menu
* CTRL+SHIFT+ESC – Task Manager
* CTRL+ALT+DEL – Splash screen on newer Windows versions
* F1 – Help
* F3 – Search
* F6 – Address Bar
* F11 – Toggle full screen within Internet Explorer
* CTRL+H – Internet Explorer History
* CTRL+T – Internet Explorer – New Tab
* CTRL+N – Internet Explorer – New Page
* CTRL+O – Open File
* CTRL+S – Save
* CTRL+N – New RDP / Citrix

### Swipes

* Swipe from the left side to the right to see all open Windows, minimizing the KIOSK app and accessing the whole OS directly;
* Swipe from the right side to the left to open Action Center, minimizing the KIOSK app and accessing the whole OS directly;
* Swipe in from the top edge to make the title bar visible for an app opened in full screen mode;
* Swipe up from the bottom to show the taskbar in a full screen app.

### Internet Explorer Tricks

#### 'Image Toolbar'

It's a toolbar that appears on the top-left of an image when it's clicked. You will be able to Save, Print, Mailto, Open "My Pictures" in Explorer. The Kiosk needs to be using Internet Explorer.
#### Shell Protocol

Type these URLs to obtain an Explorer view:

* `shell:Administrative Tools`
* `shell:DocumentsLibrary`
* `shell:Libraries`
* `shell:UserProfiles`
* `shell:Personal`
* `shell:SearchHomeFolder`
* `shell:NetworkPlacesFolder`
* `shell:SendTo`
* `shell:UserProfiles`
* `shell:Common Administrative Tools`
* `shell:MyComputerFolder`
* `shell:InternetFolder`
* `Shell:Profile`
* `Shell:ProgramFiles`
* `Shell:System`
* `Shell:ControlPanelFolder`
* `Shell:Windows`
* `shell:::{21EC2020-3AEA-1069-A2DD-08002B30309D}` --> Control Panel
* `shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}` --> My Computer
* `shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D}` --> My Network Places
* `shell:::{871C5380-42A0-1069-A2EA-08002B30309D}` --> Internet Explorer

### Show File Extensions

Check this page for more information: [https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml](https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml)

## Browsers tricks

Backup iKat versions:

[http://swin.es/k/](http://swin.es/k/)\
[http://www.ikat.kronicd.net/](http://www.ikat.kronicd.net)

Create a common dialog using JavaScript and access file explorer: `document.write('')`\
Source: https://medium.com/@Rend\_/give-me-a-browser-ill-give-you-a-shell-de19811defa0

## iPad

### Gestures and buttons

* Swipe up with four (or five) fingers / Double-tap Home button: To view the multitask view and change App
* Swipe one way or another with four or five fingers: To change to the next/last App
* Pinch the screen with five fingers / Touch Home button / Swipe up with 1 finger from the bottom of the screen in a quick upward motion: To access Home
* Swipe one finger from the bottom of the screen just 1-2 inches (slow): The dock will appear
* Swipe down from the top of the display with 1 finger: To view your notifications
* Swipe down with 1 finger from the top-right corner of the screen: To see iPad Pro's control centre
* Swipe 1 finger from the left of the screen 1-2 inches: To see Today view
* Swipe fast 1 finger from the centre of the screen to the right or left: To change to next/last App
* Press and hold the On/**Off**/Sleep button at the upper-right corner of the **iPad** + move the Slide to **power off** slider all the way to the right: To power off
* Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button for a few seconds**: To force a hard power off
* Press the On/**Off**/Sleep button at the upper-right corner of the **iPad and the Home button quickly**: To take a screenshot that will pop up in the lower left of the display. Press both buttons at the same time very briefly; if you hold them for a few seconds, a hard power off will be performed.

### Shortcuts

You should have an iPad keyboard or a USB keyboard adaptor. Only shortcuts that could help in escaping from the application are shown here.

| Key | Name         |
| --- | ------------ |
| ⌘   | Command      |
| ⌥   | Option (Alt) |
| ⇧   | Shift        |
| ↩   | Return       |
| ⇥   | Tab          |
| ^   | Control      |
| ←   | Left Arrow   |
| →   | Right Arrow  |
| ↑   | Up Arrow     |
| ↓   | Down Arrow   |

#### System shortcuts

These shortcuts are for the visual settings and sound settings, depending on the use of the iPad.

| Shortcut | Action                                                                         |
| -------- | ------------------------------------------------------------------------------ |
| F1       | Dim screen                                                                     |
| F2       | Brighten screen                                                                |
| F7       | Back one song                                                                  |
| F8       | Play/pause                                                                     |
| F9       | Skip song                                                                      |
| F10      | Mute                                                                           |
| F11      | Decrease volume                                                                |
| F12      | Increase volume                                                                |
| ⌘ Space  | Display a list of available languages; to choose one, tap the space bar again. |

#### iPad navigation

| Shortcut                                           | Action                                                  |
| -------------------------------------------------- | ------------------------------------------------------- |
| ⌘H                                                 | Go to Home                                              |
| ⌘⇧H (Command-Shift-H)                              | Go to Home                                              |
| ⌘ (Space)                                          | Open Spotlight                                          |
| ⌘⇥ (Command-Tab)                                   | List last ten used apps                                 |
| ⌘\~                                                | Go to the last App                                      |
| ⌘⇧3 (Command-Shift-3)                              | Screenshot (hovers in bottom left to save or act on it) |
| ⌘⇧4                                                | Screenshot and open it in the editor                    |
| Press and hold ⌘                                   | List of shortcuts available for the App                 |
| ⌘⌥D (Command-Option/Alt-D)                         | Brings up the dock                                      |
| ^⌥H (Control-Option-H)                             | Home button                                             |
| ^⌥H H (Control-Option-H-H)                         | Show multitask bar                                      |
| ^⌥I (Control-Option-i)                             | Item chooser                                            |
| Escape                                             | Back button                                             |
| → (Right arrow)                                    | Next item                                               |
| ← (Left arrow)                                     | Previous item                                           |
| ↑↓ (Up arrow, Down arrow)                          | Simultaneously tap selected item                        |
| ⌥↓ (Option-Down arrow)                             | Scroll down                                             |
| ⌥↑ (Option-Up arrow)                               | Scroll up                                               |
| ⌥← or ⌥→ (Option-Left arrow or Option-Right arrow) | Scroll left or right                                    |
| ^⌥S (Control-Option-S)                             | Turn VoiceOver speech on or off                         |
| ⌘⇧⇥ (Command-Shift-Tab)                            | Switch to the previous app                              |
| ⌘⇥ (Command-Tab)                                   | Switch back to the original app                         |
| ←+→, then Option + ← or Option+→                   | Navigate through Dock                                   |

#### Safari shortcuts

| Shortcut                | Action                                           |
| ----------------------- | ------------------------------------------------ |
| ⌘L (Command-L)          | Open Location                                    |
| ⌘T                      | Open a new tab                                   |
| ⌘W                      | Close the current tab                            |
| ⌘R                      | Refresh the current tab                          |
| ⌘.                      | Stop loading the current tab                     |
| ^⇥                      | Switch to the next tab                           |
| ^⇧⇥ (Control-Shift-Tab) | Move to the previous tab                         |
| ⌘L                      | Select the text input/URL field to modify it     |
| ⌘⇧T (Command-Shift-T)   | Open last closed tab (can be used several times) |
| ⌘\[                     | Goes back one page in your browsing history      |
| ⌘]                      | Goes forward one page in your browsing history   |
| ⌘⇧R                     | Activate Reader Mode                             |

#### Mail shortcuts

| Shortcut                   | Action                       |
| -------------------------- | ---------------------------- |
| ⌘L                         | Open Location                |
| ⌘T                         | Open a new tab               |
| ⌘W                         | Close the current tab        |
| ⌘R                         | Refresh the current tab      |
| ⌘.                         | Stop loading the current tab |
| ⌘⌥F (Command-Option/Alt-F) | Search in your mailbox       |