Real Life Pentest Scenarios #3 – Hacking an ATM

Target: International Bank
Access Point: Physical
Test Profile: Guest

Before Test:

The customer said that they had bought penetration testing services from different consulting companies a few times and had fixed all the reported vulnerabilities; they just wanted to be sure that they had enough cyber security maturity and that the ATMs were ready to go. They also added that there should be no exceptions and no test accounts, and that the scope of the penetration test should not include MITM-based attack vectors.

Day 1:

While discovering the assets in the bank, an ATM caught my attention. I noticed that it was possible to reach the cover on the back of the machine, but the cover was locked. When I examined the cover, I also noticed that the thin sheet was held by a simple lock mechanism. I managed to open the lid with a few lockpicking tools I had.

After opening the first cover, I had the chance to analyze the inside of the machine better. At the top of the machine were the computer components, and below them was the cash section. The cash section was inside a thick safe that was protected by both keys and passwords.

Several USB ports caught my attention. I connected a mouse and a keyboard; after that it was possible to control the machine like an ordinary computer, but once the Windows operating system customized by the bank had booted, no key or mouse button worked any more. I tried to boot a Kali Live USB and noticed that the ATM had full disk encryption.

I had no choice but to analyze the customized operating system’s working logic as much as possible and find new methods.

I noticed that it was possible to trigger the advanced startup options by pressing F8 a few seconds after the boot screen and a few seconds before the Windows logo. I booted Windows in safe mode and was able to use the mouse and keyboard, but it was not possible to open the start menu or any other application. No keyboard shortcuts worked either.

While trying a few tricks I knew, I realized that pressing F1 opened the Help window. In the Help window, I found a link to the Microsoft Help website. After clicking it, I was able to open Internet Explorer.

After typing “file://C:/windows/system32/cmd.exe” into the address bar, I was able to open a console and use it.

I realized that I had a low-privileged user account, so I decided to move on to privilege escalation techniques.

I noticed that there were a few unquoted service paths.

Unquoted Service Paths

When creating a service, if the binary path is a long file name that contains a space, it must be quoted so that Windows knows where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string “c:\program files\sub dir\program name”. This string can be interpreted in several ways, and the system tries the possibilities in the following order:

  • c:\program.exe
  • c:\program files\sub.exe
  • c:\program files\sub dir\program.exe
  • c:\program files\sub dir\program name.exe
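The resolution order above is exactly what an auditor needs in order to find this weakness before an attacker does. The script below is an added example, not code from the original post: it takes service ImagePath values, enumerates the candidate executables in the order listed above, reports the candidates whose directory a low-privileged user could write to, and produces the quoted path that removes the ambiguity. The service list and the set of writable directories are constructed sample data, not readings from any real ATM.

```python
"""Audit Windows service ImagePath values for unquoted service paths.

Added example (not from the original post).  SAMPLE_SERVICES and
WRITABLE_BY_USERS are constructed data: on a real host the service
paths come from the SCM/registry and the writable set from ACL checks.
"""
import ntpath
from typing import Dict, Iterable, List


def service_path_candidates(image_path: str) -> List[str]:
    """Return, in the order Windows tries them, the executables an ImagePath
    could resolve to.  A quoted path or a path without spaces is unambiguous
    and yields exactly one candidate."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        # Quoted: the binary is everything up to the closing quote.
        end = image_path.find('"', 1)
        return [image_path[1:end] if end != -1 else image_path[1:]]
    tokens = image_path.split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)   # the real binary; the rest are arguments
            break
        candidates.append(prefix + ".exe")  # "c:\program" -> "c:\program.exe"
    return candidates


def _norm(directory: str) -> str:
    """Case-insensitive, trailing-backslash-insensitive directory key."""
    return ntpath.normcase(directory).rstrip("\\")


def hijackable_candidates(image_path: str, writable_dirs: Iterable[str]) -> List[str]:
    """Candidates that Windows would try *before* the real binary and whose
    directory is writable by low-privileged users."""
    writable = {_norm(d) for d in writable_dirs}
    cands = service_path_candidates(image_path)
    return [c for c in cands[:-1] if _norm(ntpath.dirname(c)) in writable]


def audit_services(services: Dict[str, str], writable_dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Map service name -> hijackable candidate paths, for services with findings."""
    findings = {}
    for name, path in services.items():
        bad = hijackable_candidates(path, writable_dirs)
        if bad:
            findings[name] = bad
    return findings


def quoted_image_path(image_path: str) -> str:
    """Remediation: wrap the binary portion in quotes, keeping the arguments."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path
    tokens = image_path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            args = " ".join(tokens[i:])
            return f'"{prefix}"' + (f" {args}" if args else "")
    return f'"{image_path}"'


# Constructed sample data (hypothetical service names and paths).
SAMPLE_SERVICES = {
    "GoodSvc": '"C:\\Program Files\\Vendor App\\svc.exe" -run',      # quoted: fine
    "NoSpaces": "C:\\Windows\\system32\\svchost.exe -k netsvcs",      # no spaces: fine
    "BankAgent": "C:\\Apps\\Bank Agent\\agent.exe -k monitor",        # unquoted
    "LegacyTool": "c:\\program files\\sub dir\\program name",         # the post's example
}
# Constructed: directories a low-privileged user can write to on this sample host.
WRITABLE_BY_USERS = {"C:\\Apps", "C:\\program files\\sub dir"}

if __name__ == "__main__":
    for svc, paths in audit_services(SAMPLE_SERVICES, WRITABLE_BY_USERS).items():
        print(f"{svc}: hijackable {paths}")
        print(f"  fix ImagePath -> {quoted_image_path(SAMPLE_SERVICES[svc])}")
```

Only candidates tried before the real binary count as findings, since a writable directory holding the genuine executable is a different (file-replacement) problem. The same check can be fed from `sc qc`/`HKLM\SYSTEM\CurrentControlSet\Services` output and an ACL walk on a production host.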

I created a malicious exe file and placed it in the target folder. After restarting the machine, I had administrative rights.

After that, I dumped the password hashes from the SAM file, and with the pass-the-hash method I was able to begin lateral movement on the internal network.

Once again, the impact that minor configuration mistakes can have on the integrity of an organization has been demonstrated.