Doesn’t it make you grumpy when people in IT fail to adapt and change with the times? Where the IT decision makers make choices based on methodologies that are older than MySpace. Hell, they might not have noticed the passing of GeoCities, they are that old and set in their ways! I expect in a few years someone will be writing or saying the same about me! Long live batch files and VBScripts???
Since 2012 Windows Server has had the new Windows 8 style start menu/screen. It is changing back again in Windows 10 to a sort of middle ground, as all these people out there screamed in one voice that the change was too much!
I think they are just scared of change, and they are trying to hold back time as they see that their jobs are no longer really that relevant. I strongly believe that in IT you need to diversify and add so many strings to your bow these days to be competitive. As for the start screen, if you use it for a week you forget it’s there. You just adapt! That is my view. As long as the uptime is incrementing, my job is done! The rest is semantics.
It does make me grumpy to admit the following, but our users aren’t that dumb really and would get used to the new start screen in time. It might take a bit of poking and user education; no lift shafts required, thank you Mr BOFH!… Well, when it comes to security and passwords then yeah, maybe a staged fatal office accident in which they are “having congress with the photocopier before their electrocution” is the path best suited for the overarching protection and security of the network and systems!
Well, this morning the boss turned around and said he hates always having to customise the start menu on servers. He means the start screen, when he logs in to a new server (we don’t use roaming profiles)… I was like… seriously, if that is such a problem as to cause me to be beckoned over to his desk to moan about it, then just use a defined layout XML file and force all servers to use it via GPO, then I can read Dilbert and drink my coffee in peace… He looked at me blankly; this was an alien concept to him, stemming from his lack of understanding of how the start screen works and a lack of experimenting with later versions of Windows. I strongly believe you have to be current to provide the best for your customers.
So I decided to whip this demo up for him to show him that it was very easy to do, as the start screen was one of the justifications he stated for not upgrading the terminal servers to 2012 R2 and settling for Windows Server 2008 R2 instead. Meh… I do as I am told; that’s why he is the boss and gets paid more money than me!
I thought I would share this little demo as I have been a bit busy and not doing many posts these days, so I am sorry it isn’t an in-depth technical post, with just one line of PowerShell in it! But it might be useful to someone!
I am going to demo this on a Windows 8.1 machine. The same process applies to Windows Server 2012 R2.
This GPO setting works for Windows Server 2012 R2 and Windows 8.1 only. As with most things, you should be up there at the cutting edge, right??? Like most of my demos and proof of concept work, it will be done inside my little Azure playground!
OK, let’s hit the start menu/screen and have a look at it! I am logged in as the local admin \hazzy on grumpywin8, a domain-joined Windows 8.1 machine!
Exciting, isn’t it… useful and vibrant… debatable, but meh. So now let’s mess around, add a few groups and a few applications, and customise this to our taste. Remove some of the junk tiles; this is how we want every user to see the start menu/screen.
Now we need to save this layout down as an XML file. PowerShell is here to help, with a cmdlet just for this purpose. May I introduce Export-StartLayout?
As with most things, I like to run Get-Help first, just to check the syntax!
There, it seems it’s as simple as this:
Export-StartLayout -Path C:\Users\Hazzy\Desktop\win8layout.xm
As you can see it put the file on the desktop, so now let’s try and open it up in Notepad…
Yuck, that doesn’t look right, does it! This isn’t XML, it’s the cmdlet’s binary layout format. On Windows 8.1 Export-StartLayout writes that binary format by default, whatever file extension you give it, and the Start Screen Layout GPO setting only accepts XML. So we have to tell it to export as XML, and our command actually should be
Export-StartLayout -Path C:\Users\Hazzy\Desktop\win8layout.xml -as xml
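As an added example (not part of the original post), here is the export done in a way that catches the binary-versus-XML mistake above automatically, and that lists what the layout actually points at before it is pushed to every user. The desktop path is an assumption; Windows 8.1 / Server 2012 R2 is assumed, since that is where Export-StartLayout defaults to its binary format.

```powershell
# Added example: export the Start screen layout as XML and prove it is XML.
# Assumes Windows 8.1 / Server 2012 R2 and a layout file on the current user's desktop.
$layoutPath = Join-Path $env:USERPROFILE 'Desktop\win8layout.xml'

# -As XML is what makes this usable by the Start Screen Layout policy.
Export-StartLayout -Path $layoutPath -As XML

# A binary export throws here; a real XML export parses cleanly.
try {
    [xml]$layout = Get-Content -Path $layoutPath -Raw
    "Parsed $layoutPath OK; root element is <$($layout.DocumentElement.LocalName)>"
} catch {
    throw "$layoutPath is not well-formed XML (did you forget -As XML?): $_"
}

# Review every attribute that looks like a file path or shortcut target.
# Each of these is a tile every targeted user will see and click, so this
# is the list to read before the file goes on a share.
$layout.SelectNodes('//@*') |
    Where-Object { $_.Value -match '\\' -or $_.Value -match '\.(exe|lnk)$' } |
    Select-Object -Property @{ n = 'Attribute'; e = { $_.Name } }, Value |
    Format-Table -AutoSize
```

Run it once after customising the start screen; if the parse step throws, the export is still binary and the GPO would silently do nothing with it.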
Now let’s switch over to our server and do the required admin work over there! I’m going to just use the GUI rather than PowerShell today!
The first thing I want to do is store the generated XML on a network share that is accessible to all machines!
So create a directory structure to suit my needs, and then share it! I would strongly advise using a hidden share here: that is any share with a $ on the end of its name. It doesn’t get enumerated in the Network Neighbourhood thing. Bear in mind that hiding it is all the $ does; it is not a permission. The layout file is read by every targeted user at logon and its tiles point at shortcuts and executables, so the share and the NTFS permissions on the file should give users read access only and keep write access to admins. Anyone who can edit that XML can decide what every user’s start screen launches.
Personally, while not the best security practice, it will just make things easier for me! I am going to share the parent directory, as I might have other things I need to put in there in the future. So my share will be
Next let’s put our XML file in our nice folder structure; use whatever method you want!!! I used copy and paste between RDP sessions… makes no odds! If I have to write a tutorial on how to copy and paste files between servers… then we are in trouble! I wouldn’t trust you with my Xbox!
After you have copied the XML file, the UNC path for our file will be the following
You can check this any way you want; as this is sort of a PowerShell blog, I will do the old-fashioned
True. Excellent, that works. Now let’s have a look at applying this start menu/screen XML layout to the Windows 8.1 machine via GPO. If I wasn’t a lazy admin running low on Azure credit, I would provision another 8.1 box to prove it works on. But just take my word for it, right?
On the server, or your RSAT client, load up the Group Policy Management console. You can get grumpy with me, as I am doing it via the server, not via the RSAT tools… meh! I accept it’s bad doing direct admin work like this via RDP, but this is my test lab, guys; forgive and forget, right?
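The share steps above done in PowerShell instead of the GUI, as an added example that is not part of the original post. It does the part the post skips: it sets NTFS and share permissions so that users can only read the layout file and only admins can change it, then verifies the UNC path and who holds write access. Folder, share and file names are assumptions.

```powershell
# Added example: a hidden share for the Start layout with least-privilege ACLs.
# Assumes Server 2012 R2 (New-SmbShare) and the folder/share names below.
$root      = 'C:\Config'
$layoutDir = Join-Path $root 'StartLayout'
$shareName = 'Config$'   # trailing $ hides it from browsing; it does NOT protect it
$layoutSrc = Join-Path $env:USERPROFILE 'Desktop\win8layout.xml'

New-Item -Path $layoutDir -ItemType Directory -Force | Out-Null

# NTFS: drop inherited ACEs from C:\ and grant explicitly.
# Admins and SYSTEM: full; everyone who can log on: read/execute only.
icacls $root /inheritance:r `
    /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'Authenticated Users:(OI)(CI)RX' | Out-Null

# Share permissions mirror NTFS; the effective right is the more restrictive of the two.
New-SmbShare -Name $shareName -Path $root `
    -ReadAccess 'Authenticated Users' -FullAccess 'Administrators' | Out-Null

Copy-Item -Path $layoutSrc -Destination $layoutDir

# The UNC the GPO will be given; Test-Path should print True.
$unc = "\\$env:COMPUTERNAME\$shareName\StartLayout\win8layout.xml"
Test-Path -Path $unc

# Audit: anything with write rights here can change every user's start screen.
(Get-Acl -Path (Join-Path $layoutDir 'win8layout.xml')).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The final audit list should contain only Administrators and SYSTEM; if Users or Authenticated Users appear there, the inheritance reset did not take and the file is writable by the very accounts the layout is being enforced on.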
Now let’s create a new GPO.
Now we have a blank GPO. We only want it to apply to Windows 8.1 machines, and we can use WMI filtering to help out!
Basically, we do a WMI query against Win32_OperatingSystem that checks the Version is like “6.3” with a wildcard for the exact build number, as that can change. Note that 6.3 matches both Windows 8.1 and Windows Server 2012 R2; if you only want clients, also check ProductType = 1 (workstation) in the same query.
Now let’s assign this WMI filter to the GPO. Excellent.
Right, let’s now put the actual layout XML setting into our GPO! For me, the logical place for this setting is the User Configuration part of the GPO!
Lucky for us there is an Administrative Template where this setting is defined (Start Menu and Taskbar). So let’s drill down to that GPO setting and have a look at some of the options!
83 different settings!!! Wow, exciting stuff! Right, all I want to do is set the layout, let’s have a look… ah, there you are!
So all I really need to do is click Enabled and enter my UNC path! Apply and OK! Easy! As a good admin, I of course add a little comment for my fellow admins.
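The same GPO built with the GroupPolicy module rather than clicking through GPMC, as an added example that is not part of the original post. The GPO name, share path and target OU are assumptions. Attaching the WMI filter stays in the GPMC GUI, since the GroupPolicy module has no cmdlet to create one, but the query itself is tested locally first so a typo in it cannot quietly filter every machine out. The two registry values written are the ones the Start Screen Layout Administrative Template sets.

```powershell
# Added example: create and link the Start Screen Layout GPO from PowerShell.
# Assumes RSAT/GroupPolicy module, and the names below are placeholders.
Import-Module GroupPolicy

$gpoName   = 'Start Screen Layout - Win 8.1'
$layoutUnc = '\\grumpysrv\Config$\StartLayout\win8layout.xml'
$targetOu  = 'OU=Workstations,DC=grumpy,DC=local'

# 1. The WMI filter query, run locally before it is trusted in GPMC.
#    Version 6.3.* is Windows 8.1 and Server 2012 R2; ProductType = 1
#    keeps it to clients only (2 = domain controller, 3 = member server).
$wmiQuery = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3.%" AND ProductType = 1'
$match    = Get-CimInstance -Query $wmiQuery
"WMI filter would match this machine: $([bool]$match)"

# 2. Create the GPO and set the policy values that the
#    "Start Screen Layout" template (User Configuration >
#    Administrative Templates > Start Menu and Taskbar) writes.
New-GPO -Name $gpoName -Comment 'Forces the corporate Start screen layout from the Config$ share' | Out-Null
$policyKey = 'HKCU\Software\Policies\Microsoft\Windows\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'LockedStartLayout' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'StartLayoutFile' `
    -Type String -Value $layoutUnc | Out-Null

# 3. Link it to the OU and read back exactly what the GPO now contains.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
Get-GPRegistryValue -Name $gpoName -Key $policyKey |
    Select-Object ValueName, Type, Value
```

Once the WMI filter is attached in GPMC, the read-back at the end should show LockedStartLayout = 1 and StartLayoutFile pointing at the UNC path on the share; if either is missing, the template will show as Not Configured in the editor.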
Now to test it out!
Now if I log into the Win8 box as firstname.lastname@example.org then I should get the defined start screen layout!
As you can see, we do!!! Excellent. That wasn’t so hard really, was it? This is great, but what if we don’t want the GPO to apply to the Domain Admins, only to the minion users?
Well, we can use the normal methods to override it in GPO. For example, we can add a Deny on Apply Group Policy for the Domain Admins security group.
This will allow domain admins to customise their own start screens without being forced onto the fixed layout. One of the things enforcing a start menu/screen layout in this way does is disable the user’s ability to modify the start screen at all, so without the deny, email@example.com (a Domain Admin) gets the layout and is prevented from making changes to his start screen.
Now, once we click Apply and OK on the deny, we should be able to modify the start screen layout as an admin user. We still have the layout, because it is of course cached, but we can now modify it. If we delete the local profile and recreate it, it will use the default.
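A check for the Domain Admins exclusion, as an added example that is not part of the original post. The deny itself is set in the GPMC Delegation tab as described above; this script verifies it on the server side and then shows, on the client, whether the layout lock is actually in effect for the logged-on user, which is the quick way to tell “cached layout I can now edit” from “policy still applied”. The GPO name is an assumption.

```powershell
# Added example: confirm the Deny on Apply Group Policy and what reached the client.
# Assumes the GPO name below and RSAT/GroupPolicy on the admin box.
Import-Module GroupPolicy
$gpoName = 'Start Screen Layout - Win 8.1'

# Server side: every ACE on the GPO. The Domain Admins entry should show
# Permission = GpoApply with Denied = True; Authenticated Users keeps the allow.
Get-GPPermission -Name $gpoName -All |
    Select-Object Trustee, TrusteeType, Permission, Denied |
    Format-Table -AutoSize

# Client side, run as the user under test after `gpupdate /force`:
# the policy key only exists while the Start layout policy applies.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
$applied   = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

if ($applied -and $applied.LockedStartLayout -eq 1) {
    "Start screen is locked to $($applied.StartLayoutFile); this user cannot pin or unpin"
} else {
    'No Start layout policy in effect for this user (denied, filtered, or not linked)'
}

# Cross-check with Resultant Set of Policy: gpresult /r /scope:user
# lists the GPO under "Applied" or under "Denied (Security)".
```

Expect the Domain Admin to land in the else branch after the deny, while a minion user still sees the locked message. If the admin still sees the lock, the deny has not refreshed yet or the account is hitting the policy through another group that still has Apply.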
There we go, done! Tested and working.