iBAHN Hotel Site Kiosks and How to Pwn One

by Sandwich

The company iBAHN produces hotel computer kiosks that provide travelers with public computer access while abroad.

These kiosks allow you to access various applications (Word, Excel, etc.), Internet (via their custom browser), Skype, and Pinball/Solitaire, for a nominal fee.  Why someone would pay to play Solitaire on one of these things is beyond me.  This article is about one such kiosk, found at a Best Western in the U.K.

The one I visited was locked down à la Alcatraz.  Thanks to software called SiteKiosk, context menus were banned, system dialog boxes were banned, and Ctrl+Alt+Del was banned.  Of course, unpaid access to domains outside their internal whitelist was also not allowed, resulting in a prompt to pay for access to what you requested.

At first glance, it felt like one of the more solid interfaces I'd seen, given the flexibility of apps that could run on it.  However, there's always a loophole.  You just have to find it.  On that note, let's browse around on the hard drive, shall we?

There are a few ways to do this, but there's something elegant about doing it via the company's own website:

1.)  Click the iBAHN logo in the top-right (or type in the URL box of an Internet window) to get the www.ibahn.com webpage.  Their website is whitelisted (free), so you can browse to it.

2.)  Go to their "Resources" section and choose any PDF.  It will load inline in the browser, thanks to the Adobe Acrobat plug-in.

3.)  In Adobe's PDF plug-in viewer, click the "Document" icon on the left ("Pages").

4.)  Click the "Options" button and click "Print Pages".  This pops up Adobe's print dialog, which isn't blocked.

5.)  In the print dialog, choose the Microsoft XPS Document Writer, then click O.K.  A "Save the file as" dialog will be presented.  Again, this dialog is not closed by the SiteKiosk software.

You can now browse around the hard drive using the filename text box!

Use C:\*.* to reveal the contents of C: drive.  You cannot right-click to get a context menu for running anything, but it's interesting to see what's deployed on the machine.

A brief tour around the HD reveals that they are running Windows and have various third-party apps installed, like pcAnywhere (for remote monitoring/control), Altiris (for asset management), SiteKiosk, and iBAHN's own software.

Some of these apps have "logs" directories, with curious ones under folders named "CreditCardPayment" and "Revenue."

I could not immediately find a way to open and view these files through this interface, but the exploration has just begun.

After a whirlwind tour through the hard drive of an Internet kiosk, sometimes one just needs to sit back, relax, put their feet up, and get some free Internet access.

In any Internet window, you can enter the URL of the site you wish to access in the address bar.

Interestingly enough, the logic used to check if you're visiting one of their whitelisted websites is string based, not IP based.

The software scans from the left of the URL for a match.  This means that typing a URL of http://www.ibahn.com@<enter website here> allows you to get to any webpage, as the logic allows for URLs starting with http://www.ibahn.com.
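To make the weakness concrete, here is an added illustration (not code from the article, from iBAHN, or from SiteKiosk, whose actual implementation is not shown) of a left-to-right string check of the kind described, beside a check that parses the URL and compares only the host, which is what closes this gap.  The allowlist is a constructed stand-in for the kiosk's internal whitelist.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the kiosk's whitelist of free hosts.
ALLOWED_HOSTS = ("www.ibahn.com", "ibahn.com")


def prefix_allowed(url: str) -> bool:
    """The weak check as the article describes it: scan from the left of the
    URL string and accept anything that begins with an allowed site."""
    for host in ALLOWED_HOSTS:
        if url.startswith(f"http://{host}") or url.startswith(f"https://{host}"):
            return True
    return False


def host_allowed(url: str) -> bool:
    """Hardened check: parse the URL and compare the hostname component only.

    urlsplit() separates userinfo (everything before an '@' in the authority)
    from the host, so 'http://www.ibahn.com@example.org/' has hostname
    'example.org' and is rejected, while the prefix check above accepts it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lowercased; userinfo and port stripped; None if absent
    if not host:
        return False
    return host in ALLOWED_HOSTS


def compare(url: str) -> tuple[bool, bool]:
    """Return (prefix_allowed, host_allowed) for one URL, for side-by-side review."""
    return prefix_allowed(url), host_allowed(url)
```

Even with the host compared correctly, a check that lives in the browser's address bar can only see what the address bar shows; enforcing the whitelist at a filtering proxy sees every request, including those made by embedded frames.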

However, if you try to access a link on subsequent pages, you will be blocked, unless you manually type the URL of the link in the address bar, using the URL prefix.  This quickly becomes a real pain.  There's got to be a way around this.

Well, there is!

If you can bury a URL in an <iframe>, the parent frame's URL doesn't change, so the SiteKiosk software doesn't pick up on it and block you.

So, use the "free" trick to get to Google and do a search for "iframe example" sites that show you how to build an <iframe> in HTML, with accompanying samples embedded in the page.  Choose your poison and you can navigate freely within the <iframe>!

With this in mind, a prepared boy scout would ensure that they set up such a webpage on a free hosting site with an <iframe> that fills the whole screen before traveling to such a hotel, to give the greatest flexibility at one of these kiosks.

Now to answer a few final questions:

1.)  Is there a more comfortable way to browse around through Windows Explorer?  Download a large ZIP file off of the Internet and, while it's downloading, uncheck the "Close this dialog box when download completes" checkbox.  Then click "Open" or "Open Folder".  An error message will pop up, but a stripped-down Windows Explorer window will open, allowing you to browse around.

2.)  How can I open a text file on the hard drive?  Through Windows Explorer via answer #1, find a text file and double-click it.  Notepad will open, but SiteKiosk will pick up on this and immediately try to close it.  So, as soon as Notepad opens, quickly press Space to modify the document.  SiteKiosk will try to close Notepad on you but, because you modified the document, the "Do you want to save your changes" dialog will keep Notepad open long enough for you to read the contents of the text file.

3.)  How can I force a reboot of the system?  Once you've located the Credit Card Payment application on the hard drive, attempt to run the application and the system will reboot.  Safe Mode is also protected by the SiteKiosk software with a password, but you can boot off of a USB stick to get around this if you wish to pwn the box.

When I was doing the above, the machine started rebooting any time I started browsing the hard drive.  It was quite clear that an administrator was monitoring the box and was issuing reboots via pcAnywhere.  An angry admin makes for a bad experience if you happen to meet him or her in person.  Just keep that in mind.

So, without further ado, explore these machines, enjoy your free Internet, and don't do anything I wouldn't do!