Bypass Win11 Kiosk Mode / Attended Access via USB Smuggling of Renamed ftp.exe as D:\msedge.exe

Another short video / small breadcrumb for upcoming @CactusCon 14 talk w/ Ezra Woods, releasing our kiosk testing framework called CTRL+ESC+HOST. Win11 Kiosk Mode / Attended Access disables access to USBs, right? Or does it just hide them from the constrained file dialog view by default? It turns out, unless other more granular USB control polices or products have been implemented, you can just plug in a USB, generate a file dialog box (e.g., Ctrl+O), and then launch executables, as long as those executables are named msedge.exe (in the demo we use ftp.exe, renamed as msedge.exe). Here are the steps to replicate: • Format a USB and stage a copy of ftp.exe, renamed to msedge.exe • Plug in USB (if you are testing in a VM, be sure to map the USB to the VM). • Press Ctrl+O or Ctrl+S • Click in the file path area, and type the direct file path to your file, guessing the USB drive letter (e.g., D:\msedge.exe). • Once ftp.exe launches, you can use ! followed by PowerShell to run scripts. • Launch PowerShell.exe or Cmd.exe from here to gain full shell (in userland). Special shoutout to Spencer Alessi, John Hammond, and The Bingus Man for contributing key foundational elements for this one.