Citrix
Citrix Break-Out
- Dialog Boxes
Various methods exist for bringing up a file dialog; two simple examples are:
“Save as” / “Open as” option
“Print” feature, selecting the “Print to file” option (XPS, PDF, etc.)
Once in a dialog box, one can attempt to do the following:
Renaming cmd.exe: Right-click cmd.exe, select "Rename", and change the name to something else (e.g., cmd1.exe), then attempt to run it.
Executing cmd.exe: Type cmd.exe into the "File name" field and press Enter to try launching it.
Dropping payloads: Use the "Save As" dialog to save a batch file or executable in a writable directory like Desktop or Documents.
Copying cmd.exe: Right-click cmd.exe, select "Copy", and paste it into a user-accessible folder, then try executing it from there.
- Help Menus
Windows Help (Windows+F1): Press Windows + F1, search for "Command Prompt," and click the link to open cmd.exe.
Right-click View Source: In any help window, right-click on whitespace, select "View Source" to open Notepad, and explore for further execution options.
Print Icon in Help Menu: Use the print icon in the help window, select "Print to file," and use the dialog to navigate or save files for potential execution.
Language Bar Help Menu: Access the help menu from the Language Bar (if available), and explore for links or options that open additional system windows or functions.
Vendor Website Hyperlink: Click on the vendor’s website hyperlink in the help menu to open Internet Explorer, then pivot for further interaction with the system.
- Environmental Variables / Bypassing Path Restrictions
Use Environment Variables: Instead of navigating directly to restricted directories like C:\Windows\System32, type environment variables like %SYSTEMROOT%\System32\cmd.exe into file dialog boxes to access critical directories indirectly.
Use Shell Commands: Type commands such as shell:UserProfiles or shell:Personal in file dialogs or the Run prompt to open restricted folders.
Protocol Handlers: Use URI schemes such as about:, ftp:, or mailto: in the address bar of Internet Explorer or the Run prompt to interact with specific protocols or open otherwise restricted applications.
UNC Paths: Access directories via UNC paths like \\127.0.0.1\c$\Windows\System32, using network protocols to bypass local browsing restrictions and directly reach otherwise blocked areas.
- Accessing Command-Line Interfaces
Cmd.exe / Start Menu Shortcut: Check if cmd.exe is available through the Start Menu and open it directly if accessible.
"Run" (Windows+R): Press Windows+R, type cmd, powershell, or any other executable (e.g., COMMAND.COM) to launch a shell.
Access via File Browser: Browse to C:\Windows\System32\, right-click on cmd.exe or powershell.exe, and select "Open."
Drag-and-Drop: Drag and drop any file (even with invalid extensions) onto cmd.exe to launch a Command Prompt.
Hyperlink/Shortcut: Create a link using file:///C:/Windows/System32/cmd.exe or similar, and launch it via dialog boxes or applications like Microsoft Office.
Task Manager (CTRL+SHIFT+ESC): Open Task Manager, go to "File > Run new task," and type cmd.exe or powershell.exe to start a shell.
Task Scheduler (taskschd.msc): Use Task Scheduler to create a new task to run cmd.exe at a specified time or upon system events like logon.
COMMAND.COM: Try using COMMAND.COM, a legacy 16-bit shell still available on some systems, especially if cmd.exe is restricted.
PowerShell.exe: Open PowerShell from the Start Menu, "Run" dialog, or Task Manager, and gain access to an advanced shell with .NET integration.
MSPaint Shell: Use MS Paint to craft a BMP file. Because a 24-bit BMP stores each pixel's colour as raw bytes, carefully choosing the RGB values dictates the ASCII bytes written into the file.
Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
Zoom in to make the following tasks easier
Using the colour picker, set the pixel values to (from left to right):
1st: R: 10, G: 0, B: 0
2nd: R: 13, G: 10, B: 13
3rd: R: 100, G: 109, B: 99
4th: R: 120, G: 101, B: 46
5th: R: 0, G: 0, B: 101
6th: R: 0, G: 0, B: 0
Save it as 24-bit Bitmap (*.bmp;*.dib)
Change its extension from bmp to bat and run.
Bypassing Console Restrictions:
Interactive Shell: Use cmd.exe /K pause to bypass interactive console restrictions.
Non-interactive Shell: Use cmd.exe /C <command> to run single commands without opening an interactive shell (e.g., cmd.exe /C tasklist > c:\tasks.txt).
FTP Client as a Limited Shell: Use the FTP client (ftp) to browse files via commands like !dir, !whoami, !date, or !ping 127.0.0.1.
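The MS Paint trick above relies on the BMP layout: the file starts with a "BM" header and the pixel row follows at the offset stored in that header, written as B,G,R bytes per pixel. As an added example (not from the original page), the following Python builds a constructed sample with exactly the pixel values listed above, locates the pixel bytes from the header, and shows the detection check a defender would apply: a .bat or .cmd file that begins with a BMP header is a polyglot, and the printable lines after the header line are what a command interpreter would see.

```python
import struct

BMP_MAGIC = b"BM"

# Constructed sample: a 6x1 24-bit BMP with the pixel values listed in the MS Paint
# steps above. Bytes 0-53 are the BMP/DIB headers; the pixel row (stored as B,G,R per
# pixel and padded to a multiple of 4 bytes) follows at offset 54.
SAMPLE_POLYGLOT = bytes.fromhex(
    "424d 4a000000 00000000 36000000"                 # 'BM', file size 74, reserved, pixel offset 54
    "28000000 06000000 01000000 0100 1800 00000000"   # DIB header: 6 wide, 1 high, 1 plane, 24 bpp
    "14000000 00000000 00000000 00000000 00000000"    # image size 20, resolution, palette fields
    "00000a0d 0a0d636d 642e6578 65000000 00000000"    # pixel row: \0\0\n\r\n\rcmd.exe\0... + padding
)

def pixel_bytes_of(bmp):
    """Return the raw pixel bytes using the data offset stored at bytes 10-13 of the header."""
    if bmp[:2] != BMP_MAGIC:
        raise ValueError("not a BMP file")
    offset = struct.unpack_from("<I", bmp, 10)[0]
    return bmp[offset:]

def is_bmp_polyglot_script(name, data):
    """Flag script files that carry a BMP header: the header line is not a valid
    command, but the printable lines that follow it are parsed as commands."""
    return name.lower().endswith((".bat", ".cmd")) and data[:2] == BMP_MAGIC

def script_lines_in_bmp(data):
    """List the printable lines after the header line, i.e. the commands hidden in the image."""
    found = []
    for line in data.split(b"\n")[1:]:
        text = line.replace(b"\r", b"").replace(b"\x00", b"").strip()
        if text and all(32 <= c < 127 for c in text):
            found.append(text.decode("ascii"))
    return found
```

The same check generalises to any script extension a file filter trusts by name only: the magic bytes, not the extension, reveal the polyglot.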
- Bypassing Write Restrictions
This section covers techniques to bypass write restrictions on systems, allowing you to find writable locations for uploading tools or storing enumeration output.
Temporary Folders: Start by checking common temporary folders, which usually allow write access. Use the %TEMP% variable to find the location:
Run echo %TEMP% to see the temp folder path (typically C:\Users\USER\AppData\Local\Temp).
Also check directories like C:\temp\ or C:\tmp\.
User Profile Directory: The %USERPROFILE% directory can sometimes allow write access, though it might link to network shares. Use it as a potential writable location:
Navigate to C:\Users\USER\ and try writing files to subfolders like Documents or Desktop.
Accesschk.exe: Use the Sysinternals AccessChk tool to find directories with write permissions:
Run accesschk.exe -uwdqs Users c:\ to check for write permissions for the Users group.
Alternatively, use accesschk.exe -uwdqs "Authenticated Users" c:\ to check for authenticated users' write access.
These methods help identify writable areas even in restricted environments, enabling uploads and data writing for further testing.
- Bypassing Executable Restrictions
Renaming Executables: Rename restricted executables (e.g., malware.exe) to an allowed filename like mspaint.exe or another approved application to bypass filename-based restrictions.
Directory Whitelisting: If an entire directory is whitelisted (e.g., where WINWORD.EXE is located), copy your executable into the same folder to bypass directory-based restrictions and run it from there.
- Internet Explorer for System Access
This section outlines ways to exploit Internet Explorer (IE) to interact with the operating system and potentially bypass restrictions on locked-down environments like Citrix, kiosks, or terminal services.
Address Bar Exploitation: Use the IE address bar with paths or environment variables (e.g., file://C:/windows/system32/cmd.exe) to launch programs or access files.
Dialog Boxes and Menus:
Help, Print, Search Menus: Utilize links in these menus to open system elements like Windows Explorer.
Right-Click Context Menu: Use "View Source" to open Notepad or "Save Picture As" to access file save dialogs.
Favourites Menu: Press ALT+C, drag a folder (e.g., "MSN Websites") to the browser window to explore further options.
Custom Homepage: Set the IE homepage to cmd.exe or another executable to run it when IE opens.
F12 Developer Tools:
Access F12 Developer Tools with the F12 key, go to "File > Customize Internet Explorer View Source", and set the source viewer to C:\windows\system32\cmd.exe.
Right-click on any webpage and select "View Source" to open the Command Prompt.
Certificate Import Wizard:
Go to Internet Options > Content > Certificates > Import. This opens a file dialog, allowing you to navigate and potentially escalate privileges by accessing system folders.
Browser Add-Ons / Applets:
Use Active-X controls, Flash, or Java applets (if enabled) to interact with the operating system via dynamic content, potentially opening up execution paths.
Browser-Based Exploits:
Leverage unpatched vulnerabilities in older versions of IE using crafted links or client-side exploits (e.g., via Metasploit) to execute malicious code. You could also trick a privileged user into visiting such links.
- Microsoft Office for System Access
Microsoft Office is commonly available in such environments, providing multiple opportunities to exploit the system for gaining command access or executing arbitrary code.
VBA Macros and Reverse Shells:
Use msfencode/msfpayload to generate VBA code that creates a reverse shell or Meterpreter shell, often bypassing antivirus software.
Example VBA for a reverse shell can be easily embedded within Word, Excel, or other Office documents.
Enabling Developer Tools:
In Office 2010+ versions, go to File > Options > Customize Ribbon, enable Developer Tools, and use available Active-X controls or macros to interact with the operating system.
Example: Create a custom web browser or interface if Internet Explorer is disabled but Excel is available.
Launching Commands via VBA:
Use VBA to directly execute commands or launch applications:
MS SQL Server Access:
If Office has any database functionality linked to Microsoft SQL Server, check whether XP_CMDSHELL is enabled; with a poor security configuration it allows running commands remotely on the SQL server.
Dialog Boxes and Shortcuts:
Embed shortcuts in Office documents (e.g., file://C:/windows/system32/cmd.exe) to trigger file dialogs or potentially execute system commands when the document is opened.
- Exploiting ICA Files to Gain System Access
Citrix configurations that use ICA (Independent Computing Architecture) files can be manipulated to gain access or execute commands by modifying key parameters. Here's how you can take advantage of this:
Modify InitialProgram Parameter:
Edit the InitialProgram parameter in the ICA file to run system-level programs, such as cmd.exe or explorer.exe, instead of the default application (e.g., notepad.exe):
InitialProgram=cmd.exe
This will launch the specified program (like a command prompt) when the Citrix session starts.
Enumerating Valid Executables:
If cmd.exe is blocked or requires additional authentication, fuzz the InitialProgram parameter with different executable names to discover which ones are allowed.
Tools for Enumerating Published Applications:
Use tools like Nmap (NSE plugin citrix-enum-apps) or Metasploit (auxiliary/gather/citrix_published_applications) to enumerate applications published on the Citrix server and find potentially exploitable executables.
These techniques help manipulate ICA files to launch unauthorized programs, enabling you to bypass restricted applications and potentially gain system access through the Citrix environment.
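Because an ICA file is an INI-style text file, the InitialProgram tampering described above is straightforward to check for before a file is handed to a client. As an added example (not from the original page or from Citrix), the following Python parses a constructed ICA file and flags any InitialProgram value that is not a known published application. It assumes the Citrix convention that a leading # denotes a published application; the server address and application names are constructed placeholders.

```python
import configparser

# Constructed sample ICA file: the first entry points at a published application,
# the second has InitialProgram rewritten to a raw executable as described above.
SAMPLE_ICA = """\
[ApplicationServers]
Notepad=
Notepad-Tampered=

[Notepad]
Address=CITRIX-SERVER-PLACEHOLDER
InitialProgram=#Notepad

[Notepad-Tampered]
Address=CITRIX-SERVER-PLACEHOLDER
InitialProgram=cmd.exe
"""

def parse_ica(text):
    """Parse the INI-style ICA text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}

def suspicious_initial_programs(text, published_apps):
    """Return (section, value) pairs whose InitialProgram is not a known published app.
    A value without the leading '#' names a program directly (e.g. cmd.exe), and a
    '#Name' that is not in published_apps is unknown to the server side either way."""
    findings = []
    for section, keys in parse_ica(text).items():
        value = next((v for k, v in keys.items() if k.lower() == "initialprogram"), None)
        if value is None:
            continue
        value = value.strip()
        if not value.startswith("#") or value[1:] not in published_apps:
            findings.append((section, value))
    return findings
```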
- Shortcuts for System Access
Windows provides numerous shortcuts that can be leveraged to bypass superficial hardening, especially when Start Menu links or other access points have been removed. Here's how to use these shortcuts to your advantage:
Create Shortcuts
Context Menu: Right-click on the Desktop or in File Explorer and create a new shortcut linking to key resources, such as %WINDIR%\system32\cmd.exe, to launch restricted applications.
Accessibility Shortcuts:
Sticky Keys: Press SHIFT 5 times to open the Sticky Keys dialog, which can provide a pivot to the Ease of Access Center.
Mouse Keys: Press SHIFT+ALT+NUMLOCK to activate Mouse Keys, bringing up a pop-up dialog that may provide further access.
High Contrast: Use SHIFT+ALT+PRINTSCREEN to bring up the high contrast dialog for potential system interaction.
Filter Keys: Hold the right SHIFT for 12 seconds to activate Filter Keys and trigger a pop-up window.
Useful Windows Shortcuts:
WINDOWS+R: Open the Run dialog to execute commands like cmd or powershell.
WINDOWS+E: Launch File Explorer to browse the system.
WINDOWS+U: Open the Ease of Access Center for further options to interact with the system.
CTRL+SHIFT+ESC: Open Task Manager to run new tasks or manage processes.
F1, F3, F6, F11, and CTRL+T: Use these Internet Explorer shortcuts to manipulate the browser for potential system access.
These shortcuts provide direct ways to open dialogs, manage system functions, or interact with restricted parts of the system, making them valuable in environments with superficial hardening.
- Batch Files and Scripts to Execute Commands
When interactive shells are restricted, batch files (.BAT, .CMD) and Windows Script Host (WSH) scripts can provide alternative ways to run system commands.
Batch Files (.BAT or .CMD)
Create a Batch File:
Right-click on the desktop or a folder to create a new text file.
Rename the file extension to .bat or .cmd.
Edit the Batch File:
Right-click the file and select Edit.
Add the system command you want to run (e.g., echo Hello World or start cmd.exe).
Run the Batch File:
Right-click the file and select Open to execute the commands within the batch script.
Windows Script Host (WSH)
Creating a VBScript File:
Save the following code snippet in a file with the .vbs extension:
set objApp = CreateObject("WScript.Shell")
objApp.Run "CMD C:\"
Run the Script:
Double-click the .vbs file to execute it, or run it from the command line with cscript.exe or wscript.exe (e.g., cscript.exe script.vbs).
Other Scripting Languages
Check for Support: If other languages like Python, Perl, or PHP are installed, you can use their interpreters (e.g., python.exe, perl.exe, php.exe) to execute scripts.
Java: Use javac.exe to compile Java code or java.exe to run Java applications, which can be useful for bypassing restrictions.
- Useful RDP / Citrix Shortcuts for System Interaction
When working within Citrix or RDP environments, specific shortcuts (hotkeys) provide ways to interact with the remote system or switch between different functions. These shortcuts can be useful for testing or bypassing certain restrictions.
Remote Desktop Hotkeys (RDP)
CTRL+ALT+END: Opens the Windows Security dialog on the remote system.
CTRL+ALT+BREAK: Switches between windowed and full-screen mode.
ALT+INSERT: Cycles through active open windows.
ALT+HOME: Displays the Start Menu on the remote desktop.
ALT+DELETE: Displays the Control/Context Menu for the remote desktop.
CTRL+ALT+Number Pad Minus: Takes a screenshot of the active window and copies it to the RDP clipboard.
CTRL+ALT+Number Pad Plus: Takes a screenshot of the entire RDP session and copies it to the RDP clipboard.
Citrix ICA Hotkeys
SHIFT+F1: Displays the Windows Task List on the Citrix session.
SHIFT+F2: Toggles the Citrix title bar on or off.
SHIFT+F3: Closes the current remote application or Citrix connection.
CTRL+F1: Displays the Windows NT Security desktop in Citrix.
CTRL+F2: Displays the remote task list or Start Menu.
CTRL+F3: Opens the Task Manager on the remote session.
ALT+F2: Cycles through maximized and minimized windows.
ALT+PLUS: Cycles forward through open windows.
ALT+MINUS: Cycles backward through open windows.
These shortcuts help you navigate and control your Citrix or RDP session, offering useful functionality for testing or interacting with restricted environments.
- Executables
If the virtual desktop allows running executables:
Run malware (RAT, …)
Legitimate executables (SSH clients, terminals) such as MobaXterm to run commands and tunnel into the internal network