Decrypt this code! (+high school computer security)



  • (Skip to bottom for challenge)



    Schools always seem to be places where IT is incompetent and things never work as well as they're supposed to. I just finished high school, and also have come from one of the worst computer security systems I've seen over the years. Here's how their security worked: everything was locked down. That is, no right-clicking on the desktop or the taskbar, minimal Start menu, no browsing the C: drive (not even through a shortcut), no storing EXEs, Word, Excel, PowerPoint, scripts, etc. on the student drive... you get the idea. Unless you mess with computers frequently, the best you can do is use Chrome and run a few school-approved apps. Of course, you could plug in a USB drive on the few computers that had unlocked cabinets.



    I did some research on what the various lockdown techniques were, and how they were applied. Turns out most of them were policies, and a number of them are defined as registry keys in HKCU. Now that made things easier, because the user has access to HKCU all the time. I wrote a quick AutoIt script to delete the policies, and presto! The computer was more or less unlocked. Now, that had to be run from a USB stick, and you can't plug one into every computer. So the next year, I decided to write some sort of script that wasn't blocked so I could run it quickly from the student drive. Turns out, out of all the script types that were blocked, HTA was not. Not sure what those IT people were thinking, but HTA is a nice vector for VBA and JavaScript code. So for the first month, I wrote an HTA script (completely at school, BTW), tested it, made sure it worked, and stuck it inside my student share. For good measure, I obfuscated the code (which you will be decrypting). It's not tough obfuscation, and will take all of 5 minutes to reverse, but I wagered that the IT people are too stupid to figure it out.



    So, some exploration reveals a nice WTF. Apparently everyone is an admin on the computers. That means once the lockdown is removed, users can install/remove software, write anywhere on the hard drive, change any registry keys, and all that good stuff. This is security by obscurity at its best. I took advantage by installing Visual C# on the few computers I regularly use so I could write random programs. To get by the file extension restrictions on the student share, I made a TrueCrypt container there and installed TrueCrypt whenever I needed it. Cleanup is easy (just delete the container), and if there was anything incriminating they wouldn't know about it.



    Here's another WTF from the same school: they have a Google Apps site (Google Apps was a side effect of "cost cutting" by switching from Microsoft Office, and it really sucked for most of the time it was there; the techs hid Office... by deleting its shortcuts) that had a whole bunch of IT info regarding the school. Although it was internal, it was accessible by anyone within the school division. That means not only techs, but all students, even those from different schools, could access it. There were calendars with what they planned on doing in the summer, usage diagrams for lab bookings, and some server hardware info. But the most interesting was the hardware database, which listed all the computers in the school, all monitors, printers, and peripherals, and repair records dating back to the late '90s. Amazingly, they also stored student accommodation info (for those who requested the use of computers for midterms), complete with name, teacher, course, and what room they were in. Some security by these people.



    (Tip: if you want to prevent Faronics Insight from spying on you, get a third-party task manager, pause Student.exe, use services.msc to disable its service, and then kill the process. It'll try to restart, but fail every time. Some teachers won't know any better when you've dropped off the radar.)



    Other WTFs from previous schools:
    -My elementary/junior high school had user folders set up in a common folder on their server. They were hidden using some Windows naming convention involving '$'. Of course, they failed to secure the folders, and as long as you knew someone else's login name, you could do whatever you wanted to their files.
    -In grade 2 I asked my computer teacher why the lab Macs were so slow. She replied that the computers probably had viruses or something, whatever. (The same teacher also taught music, and had the class give me a round of applause when I showed her how to use the Repeat button.)



    So, the decrypt this code challenge:

    This link is to the "release" version of my lockdown remover. It's obfuscated. Your task is to deobfuscate it back to the original code. You can do it with such accuracy that I am supplying the MD5 and size of the source. The first person to get it right gets one of my random programming projects (TBD). Upload it somewhere so I can check.



    Release file: http://dl.dropbox.com/u/29365870/FreedomDeliverer_release.hta

    Source MD5: dfc6b72a58968c65f17c811c1f2a08a2

    Source length: 2153 bytes
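Added example, not part of the original post or of GMMan's HTA: a PowerShell audit that checks, from the ordinary student account, the three conditions the post relies on: whether the user sits in the local Administrators group, what the per-user policy keys the script deletes actually contain and whether the user holds SetValue rights on them, and whether .hta is in the list of file types that Software Restriction Policies (SRP) enforce against. The SRP check is an assumption about the lockdown mechanism; if AppLocker is in use instead, that function returns $null and the AppLocker script-rule collection is the thing to inspect.

```powershell
# Added audit script (not from the original thread). Run as the ordinary
# student account on a workstation. Assumptions: Windows PowerShell on a
# client PC, and, for the last check, that SRP is the lockdown mechanism.

# 1. Is the user a member of the local Administrators group (S-1-5-32-544)?
#    Reading the token's group SIDs instead of IsInRole() also catches a
#    member whose admin SID UAC has filtered to deny-only in this session.
function Test-LocalAdminMember {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
}

# 2. The per-user policy keys the HTA deletes: which exist, what values they
#    hold, and whether an ACE for the user's own SID grants SetValue. The post's
#    claim is that HKCU is always writable by its owner; this shows whether
#    that holds on the build you are looking at.
function Get-UserPolicyState {
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer',
        'HKCU:\Software\Policies\Microsoft\Windows\System'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -Path $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; UserCanWrite = $null; Values = @() }
            continue
        }
        $acl = Get-Acl -Path $p
        $canWrite = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $me.Name -and
            ($_.RegistryRights -band [Security.AccessControl.RegistryRights]::SetValue)
        })
        # Root key plus every subkey, so values set directly on the root are included.
        $values = foreach ($k in @(Get-Item -Path $p) + @(Get-ChildItem -Path $p -Recurse)) {
            foreach ($n in $k.GetValueNames()) {
                '{0}\{1} = {2}' -f $k.Name, $n, ($k.GetValue($n) -join ',')
            }
        }
        [pscustomobject]@{ Path = $p; Exists = $true; UserCanWrite = $canWrite; Values = @($values) }
    }
}

# 3. Does SRP treat .hta as an executable file type? SRP only evaluates its
#    rules for extensions listed in ExecutableTypes; anything missing from the
#    list is simply not checked, which is one way a script type ends up
#    "not blocked" while .vbs and .bat are.
function Test-SrpCoversHta {
    $srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path -Path $srp)) { return $null }   # SRP not configured
    $types = (Get-ItemProperty -Path $srp -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes
    return [bool]($types -contains 'HTA')
}

[pscustomobject]@{
    LocalAdminMember = Test-LocalAdminMember
    SrpCoversHta     = Test-SrpCoversHta
} | Format-List
Get-UserPolicyState | Format-List
```

If LocalAdminMember comes back True for a student account, nothing below it matters: every HKCU lockdown is a UI inconvenience for someone who can write HKLM. If SrpCoversHta is False (or SRP is absent), mshta.exe will happily run an .hta from any share the user can reach, and the fix is a rule on the file type or on mshta.exe itself rather than a filename filter on the student drive.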



  • @GMMan said:

    First person to get it right gets one of my random programming projects (TBD).

    If I win I have to maintain your buggy-ass code?



  • Maybe. I haven't thought of what I'd give out yet. What, you want money? A joke? Technical documents?




  • Too much work. Would rather just do a programming project by myself with the work; then I know exactly what kind of quality I'm getting.

    Seriously, this is the sidebar. It's where people slack off, not where they post challenges 😉



  • I hope reading that much text was relaxing.





  • Not bad. That is the code, but it's not the original file. Add in the HTML bits and verify your MD5. Meanwhile, I'll dig through my archives and see what I can come up with.



  • This is what I got after using an online decoder:

     

     <html>
    <HEAD>
        <TITLE>Freedom Deliverer</TITLE>
        <HTA:APPLICATION ID="oFreedomD"
            APPLICATIONNAME="FreedomDeliverer"
            BORDER="dialog"
            CAPTION="yes"
            SHOWINTASKBAR="yes"
            SINGLEINSTANCE="yes"
            SYSMENU="no"
            WINDOWSTATE="normal"
            MAXIMIZEBUTTON="no"
            MINIMIZEBUTTON="no"
            CONTEXTMENU="no"
            SCROLL="no"
            VERSION="1.1.1">
    </HEAD>
    <SCRIPT Language="VBScript.Encode">
    'Start Encode
        Sub onLoad()
            window.ResizeTo 150,80

            const HKEY_CURRENT_USER = &H80000001
            strComputer = "."

            ' StdRegProv is the WMI registry provider; the moniker needs "\\" before the machine name
            Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

            ' Delete Policies registry key
            strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Policies"
            DeleteSubkeys HKEY_CURRENT_USER, strKeyPath, objReg

            ' Remove IE restrictions
            strKeyPath = "Software\Policies\Microsoft\Internet Explorer"
            DeleteSubkeys HKEY_CURRENT_USER, strKeyPath, objReg

            ' Enable Command Prompt
            objReg.SetDWORDValue HKEY_CURRENT_USER, "Software\Policies\Microsoft\Windows\System", "DisableCMD", 0

            ' Kill Explorer.exe
            Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
            Set colProcessList = objWMIService.ExecQuery _
                ("Select * from Win32_Process Where Name = 'explorer.exe'")
            For Each objProcess in colProcessList
                objProcess.Terminate(1)
            Next

            ' Launch Explorer.exe
            Set objShell = CreateObject("Wscript.Shell")
            objShell.Run "explorer.exe"
            Set objShell = Nothing

            document.parentWindow.setTimeout "CloseMe()", 3000
        End Sub

        ' Recursively delete registry keys (children first, since DeleteKey fails on a non-empty key)
        Sub DeleteSubkeys(HKEY_CURRENT_USER, strKeyPath, objRegistry)
            objRegistry.EnumKey HKEY_CURRENT_USER, strKeyPath, arrSubkeys

            If IsArray(arrSubkeys) Then
                For Each strSubkey In arrSubkeys
                    DeleteSubkeys HKEY_CURRENT_USER, strKeyPath & "\" & strSubkey, objRegistry
                Next
            End If

            objRegistry.DeleteKey HKEY_CURRENT_USER, strKeyPath
        End Sub

        ' Close the window
        Sub CloseMe()
            close
        End Sub
    </SCRIPT>
    <body onLoad="onLoad()">
    Freedom delivered!
    </body>
    </html>


     



  • Removing the 'start encode' comment and adding a type="text/vbscript" attribute to the script tag got it to the exact same length (2153), but I don't see how we'll ever get the exact md5sum when there's so many opportunities for changes in case of letters.

     



  • To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.



  • @DaveK said:

    Removing the 'start encode' comment and adding a type="text/vbscript" attribute to the script tag got it to the exact same length (2153), but I don't see how we'll ever get the exact md5sum when there's so many opportunities for changes in case of letters.

     

    If you remove ".Encode" off of "VBScript.Encode", you'll have the right file. The script encoder retains the exact same code down to the indentation, so the code that's reversed should be identical to the source.

    Anyway, here's the prize. It's not my code, but something I pulled out of an HP laptop. It will loop the HP logo over and over again until you press Alt-F4 (I bet in the first time setup they just kill the app). It also only works on DirectX 10+ (relies on Direct2D). You can swap out the images with your own, if you'd like. http://www.mediafire.com/file/0tij67aftmpzcgt/HPAnimatedLogo.zip



  • @Seahen said:

    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

    Windows Explorer is just another unprivileged process running with your own user account's security token. Why would you expect it to have UAC protection against being killed and restarted?



  • @flabdablet said:

    @Seahen said:
    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

    Windows Explorer is just another unprivileged process running with your own user account's security token. Why would you expect it to have UAC protection against being killed and restarted?

    I'd expect a browser to not let random websites close my desktop. Is that too much to ask?



  • @GMMan said:

    Here's how their security worked: everything was locked down. That is, no right clicking on the desktop or the taskbar, minimal start menu, no browsing the C: drive (not even through shortcut), no storing EXEs, Word, Excel, PowerPoint, scripts, etc. on the student drive... you get the idea.

    I'm a primary school netadmin. At my site, staff user accounts get local admin rights, student accounts get normal user rights. I don't use any of the idiot Group Policy "lockdown" features, for the exact reason you document at length - they're basically just irritants, and all they do is create the social conditions for a war between the IT department and any user with sufficient IT aptitude to find the rather trivial workarounds.

    Personally, I'd rather that users with that kind of aptitude are on my side so that I can learn from them and make use of their roaming eyeballs to alert me to user problems I might not otherwise find out about. Because IT aptitude is relatively rare, it usually costs very very little to set them up with the extra resources they need to make them happy and comfortable. And when they do the usual teenage thing of thinking their skillz are more 1337 than they actually are and breaking something as a result, I can enlist their willing help in getting it fixed and we both learn something.

    Most kids are not arseholes except to people whose default position is to treat them as such.



  • @Seahen said:

    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.

    Actually, the really interesting part is it uses WinMgmt to get the process list. I haven't checked exactly what you can do with it and under non-admin conditions, but if you can do everything it would definitely be a security hole.
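Added check, not from the original thread, that answers the question above and illustrates flabdablet's point: Win32_Process.Terminate is carried out under the caller's own token once WMI impersonates the client, so it can only kill what that token could kill directly. Rather than terminating anything, the script below opens each process with PROCESS_TERMINATE via OpenProcess and records whether the handle was granted. Run as a standard user it shows explorer.exe (and everything else you own) as terminable and SYSTEM-owned processes as not. The P/Invoke wrapper, function names and column layout are this example's own.

```powershell
# Added check (not part of the original thread). Lists processes with their
# owner and whether the current token could open each one for termination,
# which is the access check WMI's Terminate ends up performing. Nothing is
# killed. Assumes Windows PowerShell or PowerShell 7 on Windows.

Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_TERMINATE = 0x0001   # the only right TerminateProcess needs

# Returns $true if the caller's token can obtain a PROCESS_TERMINATE handle.
# A failure is almost always ERROR_ACCESS_DENIED (5) from the process ACL.
function Test-CanTerminate {
    param([uint32]$ProcessId)
    $h = [Win32.Proc]::OpenProcess($PROCESS_TERMINATE, $false, $ProcessId)
    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Proc]::CloseHandle($h)
        return $true
    }
    return $false
}

# One row per process: PID, image name, owner (via Win32_Process.GetOwner,
# which is itself subject to the same impersonation) and the terminate check.
function Get-TerminateMatrix {
    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            Pid          = $_.ProcessId
            Name         = $_.Name
            Owner        = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '(not readable)' }
            CanTerminate = Test-CanTerminate -ProcessId $_.ProcessId
        }
    }
}

Get-TerminateMatrix | Sort-Object CanTerminate, Owner, Name | Format-Table -AutoSize
```

Because the check is made with the caller's token, running the same script from an elevated prompt flips most SYSTEM rows to True (Administrators hold terminate rights on ordinary service processes), which is the practical answer to "what can you do with it under non-admin conditions": exactly what you could already do with Task Manager, no more.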



  • @flabdablet said:

    @GMMan said:
    Here's how their security worked: everything was locked down. That is, no right clicking on the desktop or the taskbar, minimal start menu, no browsing the C: drive (not even through shortcut), no storing EXEs, Word, Excel, PowerPoint, scripts, etc. on the student drive... you get the idea.

    I'm a primary school netadmin. At my site, staff user accounts get local admin rights, student accounts get normal user rights. I don't use any of the idiot Group Policy "lockdown" features, for the exact reason you document at length - they're basically just irritants, and all they do is create the social conditions for a war between the IT department and any user with sufficient IT aptitude to find the rather trivial workarounds.

    Personally, I'd rather that users with that kind of aptitude are on my side so that I can learn from them and make use of their roaming eyeballs to alert me to user problems I might not otherwise find out about. Because IT aptitude is relatively rare, it usually costs very very little to set them up with the extra resources they need to make them happy and comfortable. And when they do the usual teenage thing of thinking their skillz are more 1337 than they actually are and breaking something as a result, I can enlist their willing help in getting it fixed and we both learn something.

    Most kids are not arseholes except to people whose default position is to treat them as such.

     

    Oh, I see you are not trainning them for their future jobs.

     



  • Had to join and comment on this one... definitely a creative way of getting access 🙂 Never would've thought to use an HTA application. Of course, the absolute incompetence of the school's IT made that possible (not even bothering to use restricted user accounts for students? WTF). The TrueCrypt idea was interesting. A security application used to beat... unwanted security.

    I had a creative way of doing it at my high school, but since they got the security (mostly) right, my solution ended up involving modded network gear, Linux, and BartPE:

    The challenge faced: No admin access, Deep Freeze on most systems, and all the typical restrictions (no regedit, no cmd, no task manager, no browsing C:, no control panel, etc). Physical security was tight (locked boxes, so no USB devices or CDs), but the power and network cables were exposed at the wall jacks.

    Solution? I had seen IT use PXE for reimaging, so I knew it was enabled, and I could get to the network cable. Nothing was stopping me from providing my own boot server. Since all I needed were DHCP and TFTP, I put custom firmware on a Linksys WRT54G... I had one already, and it fit in my backpack, had a network adapter, and ran Linux. I removed the antennas and added a battery to eliminate the wall wart.

    The router served a small linux image to the PC, which contained just enough to download a BartPE ISO over the internet and chainload it. The PE had software (written in AutoIt, VBScript, and batch) to create a new account, grant rights, thaw Deep Freeze, and unlock the UI on the AV/HIPS software they used. Another script let me undo it all. After it ran, I'd log in using a new account "aty" that had full access and a password I knew.

    It took me a month to get this together (someone else had to do the Linux stuff, I did the PE work), and it worked for 1.5 years until a friend found a far better solution (another story entirely; if anyone's interested, I'll share). The router is still around, but it's now sitting next to my PC doing... routing.



  • @flabdablet said:

    I'm a primary school netadmin. At my site, staff user accounts get local admin rights, student accounts get normal user rights. I don't use any of the idiot Group Policy "lockdown" features, for the exact reason you document at length - they're basically just irritants, and all they do is create the social conditions for a war between the IT department and any user with sufficient IT aptitude to find the rather trivial workarounds.

    Personally, I'd rather that users with that kind of aptitude are on my side so that I can learn from them and make use of their roaming eyeballs to alert me to user problems I might not otherwise find out about. Because IT aptitude is relatively rare, it usually costs very very little to set them up with the extra resources they need to make them happy and comfortable. And when they do the usual teenage thing of thinking their skillz are more 1337 than they actually are and breaking something as a result, I can enlist their willing help in getting it fixed and we both learn something.

    Most kids are not arseholes except to people whose default position is to treat them as such.

    +1


  • @flabdablet said:

    I'm a primary school netadmin.

    @Mcoder said:

    Oh, I see you are not trainning them for their future jobs.

    Correct - trainning isn't a responsibility of a netadmin.

    @flabdablet said:

    Most kids are not arseholes except to people whose default position is to treat them as such.

    +1 here also. You can't change other people, but you can change your attitude towards them, and that - in turn - may shape their attitude towards you.

     



  • @Seahen said:

    To me, the scary part is that on my fully-patched Win 7 install with Avast and Windows Defender, the part that kills Windows Explorer still works without so much as a shield prompt.
     

     

    Not that scary I think. HTA files are treated as local applications, not as websites IIRC. So if you can write an application that kills Explorer there's no reason why an HTA shouldn't be able to do it. At least if it's treated the same way when it comes to starting it.

