Citrix Breakout
Features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, and Print, usually provide an attacker with an opportunity to invoke a Windows dialog box. There are multiple ways to open dialog box in windows using tools such as Paint, Notepad, Wordpad, etc.
Run Paint
from start menu and click on File > Open
to open the Dialog Box.
With the windows dialog box open for paint, we can enter the UNC path \\127.0.0.1\c$\users\pmorgan
under the File name field, with File-Type set to All Files
and upon hitting enter we gain access to the desired directory.
Accessing SMB share from restricted environment
Right-click on the pwn.exe
binary and select Open
, which should prompt us to run it and a cmd console will be opened.
pwn.exe:
Explorer++
to copy files from the \\10.13.38.95\share
location to the Desktop belonging to the user pmorgan
.
Being a portable application, it can be executed directly without the need for installation
Alternate Registry Editors
Alternative Registry editors can be employed to bypass the standard group policy restrictions. Simpleregedit, Uberregedit and SmallRegistryEditor are examples of such GUI tools
Modify existing shortcut file
Other options: transfer an existing shortcut file using an SMB server. Alternatively, we can create a new shortcut file using PowerShell
Script Execution
Create a new text file and name it "evil.bat".
Open "evil.bat" with a text editor such as Notepad.
Input the command "cmd" into the file.
Escalating Privileges
WinPeas or PowerUp -> AlwaysInstallElevated
Miscellaneous TechniquesBypass UAC
Last updated