Without a doubt, kiosk hacking assessments have the simplest objective: gain command execution!
During one of my engagements, I was provided with a locked-down desktop that had most, if not all, functionality disabled.
The user account, of course, was unprivileged.
The system administrators had blacklisted cmd.exe (Command Prompt) but had not prevented the use of batch scripts.
So although I could not work inside an interactive command prompt session, I could still run batch scripts to execute commands. (One common way to end up with this gap is the Group Policy setting "Prevent access to the command prompt" with its "Disable the command prompt script processing also" option left at No: interactive cmd.exe is refused, but .bat/.cmd files still run.)
[Side note: when locking down a system, always opt for application whitelisting rather than blacklisting.]
Instead of constantly modifying and re-running batch scripts, I threw together some quick-and-dirty batch-fu to mimic a command prompt: read a line, execute it, repeat.
@echo off
:loop
rem Clear the variable first: set /P leaves it untouched on empty input,
rem which would otherwise re-run the previous command.
set "CMDIN="
rem %=% expands to nothing; it only protects the trailing space after "Cmd:"
set /P CMDIN=Cmd: %=%
%CMDIN%
goto loop
I'm sure it's been done before, but I'm positive that writing the above script was faster than googling for an existing implementation.
For brownie points, which application / tool does the "Cmd:" prompt most resemble?
A while back I found the need for a Win32 shim DLL, so I took the opportunity to create a quick hack-up.
Shim DLLs are normally used to extend or alter the functionality offered by a regular DLL.
In my case, I just wanted to observe the data being transmitted from an application to its crypto / hashing library.
So we start with an application we'll call SecProggie and its respective hashing library, SecLibbie.
Now SecLibbie exports a few functions, but none of the names are decorated, so the export table carries no hint of the calling convention or the size of the argument list.
As such, we don't know what combination of arguments each function expects unless we disassemble the library.
I'm avoiding that because I want something I can reuse again later.
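As an added example (not the post's code), here is the skeleton of such a shim for SecLibbie in C: the real library is renamed, the shim takes its file name and export names, and each export logs the buffer it receives before forwarding the call. Everything specific is an assumption, because the post does not give it: the export is called Hash, it is cdecl with the signature int Hash(const void *data, unsigned len, void *digest) returning 0 on success, the real library has been renamed SecLibbie_real.dll, and the shim logs to stderr. The POSIX branch (libSecLibbie_real.so, dlopen) exists only so the same source compiles with gcc. With undecorated exports nothing confirms that signature, so verify the argument layout in a debugger before trusting the log; a wrong guess corrupts the caller's stack.

```c
/*
 * Added example, not the blog's code: a minimal shim for the hashing
 * library the post calls SecLibbie.  Build this as SecLibbie.dll, rename the
 * real library to SecLibbie_real.dll, and SecProggie loads the shim, which
 * logs every buffer it sees and forwards the call to the real function.
 *
 * ASSUMED (the post does not say): export name "Hash", cdecl,
 * int Hash(const void *data, unsigned len, void *digest), 0 on success.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#  include <windows.h>
#  define SHIM_EXPORT __declspec(dllexport)
#  define REAL_LIB    "SecLibbie_real.dll"          /* assumed rename */
   typedef HMODULE lib_t;
#  define lib_open(n)   LoadLibraryA(n)
#  define lib_sym(h, s) ((void *)GetProcAddress(h, s))
#else  /* POSIX branch only so the file also compiles with gcc for testing */
#  include <dlfcn.h>
#  define SHIM_EXPORT __attribute__((visibility("default")))
#  define REAL_LIB    "./libSecLibbie_real.so"     /* assumed rename */
   typedef void *lib_t;
#  define lib_open(n)   dlopen(n, RTLD_NOW)
#  define lib_sym(h, s) dlsym(h, s)
#endif

typedef int (*hash_fn)(const void *data, unsigned len, void *digest);

/* Format one log line such as "Hash(len=3): 61 62 63".  Only the first
 * max_bytes bytes are shown so a large buffer does not flood the log. */
char *shim_format_line(const char *name, const void *data, size_t len,
                       size_t max_bytes, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)data;
    size_t shown = len < max_bytes ? len : max_bytes;
    int n = snprintf(out, outlen, "%s(len=%zu):", name, len);
    for (size_t i = 0; i < shown && n >= 0 && (size_t)n < outlen; i++)
        n += snprintf(out + n, outlen - n, " %02x", p[i]);
    if (shown < len && n >= 0 && (size_t)n < outlen)
        snprintf(out + n, outlen - n, " ...");
    return out;
}

/* Resolve the real export once, lazily, instead of doing work in DllMain.
 * Returns NULL if the renamed library or the symbol is missing, so the
 * shim reports failure instead of crashing SecProggie. */
static hash_fn resolve_real_hash(void)
{
    static hash_fn real = NULL;
    static int tried = 0;
    if (!tried) {
        lib_t h = lib_open(REAL_LIB);
        if (h)
            real = (hash_fn)lib_sym(h, "Hash");
        tried = 1;
    }
    return real;
}

/* The shimmed export: log the input, then forward to the real function. */
SHIM_EXPORT int Hash(const void *data, unsigned len, void *digest)
{
    char line[256];
    hash_fn real = resolve_real_hash();

    fprintf(stderr, "[shim] %s\n",
            shim_format_line("Hash", data, len, 32, line, sizeof line));
    if (!real) {
        fprintf(stderr, "[shim] %s not loaded, cannot forward\n", REAL_LIB);
        return -1;   /* assumption: nonzero signals failure to the caller */
    }
    return real(data, len, digest);
}
```

Each additional export gets the same treatment: a typed wrapper, a log line, a forward. The typed wrapper is exactly what the undecorated names make risky here, which is why the post's author wants something reusable rather than a per-function guess.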