Test Details


Legend  Description
  *     Confirmed
  +     No Issue
  !     Warning
  ?     To Check
  • Project:
  • Dates:

Target List:

Accounts:


Guides & Tools



Scanning


  • nmap:
    • TCP: (e.g., nmap -sT <target>)
    • UDP: (e.g., nmap -sU <target>)
  • Nessus:
    (Scan for misconfigured services, open shares, or auxiliary breakout vectors)
  • SSLScan/TestSSL:
    (Verify SSL/TLS configurations that might expose additional services)

Dialog Boxes


Dialog boxes in restricted environments often provide unexpected pivot points. Test all available inputs thoroughly.

  • Creating new files

    BAT files
    Right click > New > Text File > rename to .BAT (or .CMD) > edit > open

    Shortcuts
    Right click > New > Shortcut > “%WINDIR%\system32”

    Example: Some file-open dialogs let you type a file name. Try entering a path like:

      %WINDIR%\system32\cmd.exe

    to see if it launches a command shell.

  • Open a new Windows Explorer instance

    Right click any folder > select “Open in new window”

  • Exploring Context Menus

    Right click any file/folder and explore context menus
    Clicking “Properties”, especially on shortcuts, can yield further access via “Open File Location”

  • Input Boxes

    Many input boxes accept file paths; try entering UNC paths such as “\\attacker-pc\” or “\\127.0.0.1\c$” or local paths like “C:\”

  • Bypass File Restrictions

    Enter . or *.exe or a relative path (e.g., ..\..\windows\system32\cmd.exe) in file name fields to test if wildcards can bypass filters.

  • Settings Menus

    If the Windows context menus are obscured by a custom GUI (e.g., in kiosk or Citrix clients), check settings menus or help sections for file path inputs.


Gaining A Command Shell


If you can bypass the UI restrictions, these methods can help launch a shell:

  • Explorer Method

    C:\windows\system32\cmd.exe

  • Run Command

    Start Menu > Run > cmd
    Windows Key + R > cmd

  • Task Manager

    Press Ctrl+Shift+Esc > File > Run new task > Enter “cmd.exe” or “powershell.exe”

  • Alternate Approach (HackTricks Inspired)
    If direct access to cmd.exe is blocked, try launching PowerShell with bypass flags:

    powershell.exe -NoProfile -ExecutionPolicy Bypass

Bypassing Restrictions


Restricted environments often enforce limitations on file paths and executable access. Consider the following techniques:

Path Restrictions
Some environments restrict direct navigation to sensitive directories. Try these bypass methods:

  • Symbolic Links / Environment Variables

    %ALLUSERSPROFILE%  
    %APPDATA%  
    %CommonProgramFiles%  
    %COMMONPROGRAMFILES(x86)%  
    %COMPUTERNAME%  
    %COMSPEC%  
    %HOMEDRIVE%  
    %HOMEPATH%  
    %LOCALAPPDATA%  
    %LOGONSERVER%  
    %PATH%  
    %PATHEXT%  
    %ProgramData%  
    %ProgramFiles%  
    %ProgramFiles(x86)%  
    %PROMPT%  
    %PSModulePath%  
    %Public%  
    %SYSTEMDRIVE%  
    %SYSTEMROOT%  
    %TEMP%  
    %TMP%  
    %USERDOMAIN%  
    %USERNAME%  
    %USERPROFILE%  
    %WINDIR%  
    shell:Administrative Tools  
    shell:DocumentsLibrary  
    shell:Libraries  
    shell:UserProfiles  
    shell:Personal  
    shell:SearchHomeFolder  
    shell:System  
    shell:NetworkPlacesFolder  
    shell:SendTo  
    shell:Common Administrative Tools  
    shell:MyComputerFolder  
    shell:InternetFolder
    
  • File Protocol Handlers

    about:  
    data:  
    ftp:  
    mailto:  
    news:  
    res:  
    telnet:  
    view-source:
    
  • UNC Paths

    \\127.0.0.1\c$\Windows\System32
    
  • Relative Paths
    If absolute paths are blocked, try relative path notation, e.g.,

    ..\..\windows\system32\cmd.exe
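
The string-matching deny list that the env-var, relative-path, UNC and shell: inputs above defeat, beside the canonicalising allow-list that closes those holes. This is an added example written for this page, not the page's or any product's own code; the demo environment, the kiosk root C:\Kiosk\Documents and the function names are assumptions.

```python
import ntpath
import re

# Constructed environment for the demo (not read from the host); values mirror a default install.
DEMO_ENV = {
    "WINDIR": r"C:\Windows",
    "SYSTEMROOT": r"C:\Windows",
    "COMSPEC": r"C:\Windows\System32\cmd.exe",
    "TEMP": r"C:\Users\kiosk\AppData\Local\Temp",
}
# The only tree the locked-down dialog is meant to expose (assumed for the example).
KIOSK_ROOT = r"C:\Kiosk\Documents"
# Protocol and shell: handlers from the checklist that a file dialog should never accept.
BLOCKED_PREFIXES = ("shell:", "about:", "data:", "ftp:", "mailto:", "news:",
                    "res:", "telnet:", "view-source:")


def naive_filter(user_input: str) -> bool:
    """Deny-list on the raw string, the pattern behind most dialog breakouts.
    Returns True (allowed) for %WINDIR%\\..., ..\\..\\windows\\..., UNC and shell: inputs."""
    low = user_input.lower()
    return not low.startswith((r"c:\windows", r"c:\program files"))


def expand_vars(path: str, env: dict) -> str:
    """Expand %NAME% the way the Windows shell does, from the supplied environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def canonical_filter(user_input: str, env=DEMO_ENV, root=KIOSK_ROOT) -> bool:
    """Allow-list: expand, canonicalise, then require the result to sit under root."""
    s = user_input.strip().strip('"')
    if s.lower().startswith(BLOCKED_PREFIXES) or "://" in s:
        return False                                   # handlers and URLs
    expanded = expand_vars(s, env)
    if "%" in expanded:
        return False                                   # unresolved variable: do not guess
    if expanded.startswith(("\\\\", "//")):
        return False                                   # UNC, \\?\ and \\.\ device paths
    # join() keeps an absolute second operand; normpath() collapses '..' and mixed slashes.
    full = ntpath.normpath(ntpath.join(root, expanded))
    if ntpath.splitdrive(full)[0].startswith("\\\\"):
        return False
    # A production check should also resolve the path through the OS (realpath) so that
    # 8.3 short names and junctions are canonicalised; string handling alone is not enough.
    # Compare with a trailing separator so C:\Kiosk\DocumentsEvil does not pass as a prefix.
    return full.lower().startswith(root.lower() + "\\")
```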
    

Write Restrictions
Temporary directories typically allow write access. Use these to your advantage:

Examples:
  • C:\Users\<USER>\AppData\Local\Temp
  • C:\temp\
  • C:\tmp\

Warning: writing to the %USERPROFILE% directory can be another tactic, though it might map to a network share.

  • Accesschk.exe
    Use this tool to identify directories with weak write permissions:

    accesschk.exe -uwdqs Users c:\
    accesschk.exe -uwdqs "Authenticated Users" c:\

Additional Techniques


  • Exploit File Dialog Vulnerabilities:
    Some file dialog boxes do not properly sanitize input. Try entering:

    %WINDIR%\system32\cmd.exe

    or relative paths like:

    ..\..\windows\system32\cmd.exe

    to bypass restrictions.

  • Clipboard Injection:
    Pre-load commands into your clipboard and paste them into input boxes if keystrokes are filtered.

  • Shortcut Creation:
    Create a shortcut in an allowed directory pointing to an executable (e.g., cmd.exe or powershell.exe). Then execute the shortcut.

  • Scheduled Tasks Abuse:
    If Task Scheduler is accessible, create a task to launch a shell:

    schtasks /create /tn "BreakoutTask" /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass" /sc once /st 00:00

  • Registry Editing via Run Dialog:
    Launch regedit.exe (if available) to inspect run keys for potential persistence or execution vectors.

  • Using Alternative Applications:
    Look for other installed applications (image viewers, PDF readers, etc.) that allow file path inputs or have vulnerabilities you can leverage for breakout.

  • Accessibility Features:
    Check for enabled accessibility features (such as Sticky Keys or On-Screen Keyboard) that might be abused to launch a command shell.


Post-Breakout Exploitation


After gaining a shell, further enumeration is key:

  • Privilege Escalation:
    Run commands such as whoami, systeminfo, and review mapped drives with net use. Check for misconfigured services or stored credentials.

  • Network Pivoting:
    From the breakout shell, scan internal networks to identify lateral movement opportunities (e.g., using nmap or arp -a).

  • Persistence & Clean-Up:
    Document your findings with command outputs and screenshots. Look for autorun registry keys or scheduled tasks that could provide persistence.

  • Log Analysis:
    Review system and application logs to understand which restrictions were bypassed and to plan remediation strategies.
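
For the log-review step, a small detection pass over process-creation and scheduled-task events that flags the breakout patterns this checklist exercises (shell spawned from Explorer/Task Manager by a kiosk account, -ExecutionPolicy Bypass, task creation by a kiosk account). Added example, not part of the original checklist; the events are constructed, the kiosk account and kioskshell.exe launcher are hypothetical, and the field names follow Windows Security events 4688 and 4698.

```python
import ntpath
import re

KIOSK_USERS = {"kiosk01"}                                        # assumed restricted accounts
KIOSK_PARENTS = {"kioskshell.exe", "explorer.exe", "taskmgr.exe"}  # kioskshell.exe: hypothetical launcher
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BYPASS_RE = re.compile(r"-(executionpolicy|ep)\s+bypass", re.I)

# Constructed sample events (not real logs). 4688 = process creation (command-line auditing on),
# 4698 = scheduled task created. Field names mirror the EventData names of those events.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "kiosk01", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4688, "SubjectUserName": "kiosk01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\taskmgr.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass"},
    {"EventID": 4698, "SubjectUserName": "kiosk01", "TaskName": r"\BreakoutTask",
     "TaskContent": "<Exec><Command>powershell.exe</Command></Exec>"},
    {"EventID": 4688, "SubjectUserName": "svc_deploy", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "cmd.exe /c deploy.bat"},            # benign: service account, non-interactive parent
    {"EventID": 4688, "SubjectUserName": "kiosk01",
     "NewProcessName": r"C:\Program Files\KioskShell\kioskshell.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "kioskshell.exe"},  # benign: the kiosk app
]


def base(path: str) -> str:
    """Lower-cased file name, so full paths and case differences do not dodge the rules."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, user, detail) tuples for events that match a kiosk-breakout rule."""
    findings = []
    for e in events:
        user = e.get("SubjectUserName", "")
        if e["EventID"] == 4688:
            child, parent = base(e["NewProcessName"]), base(e["ParentProcessName"])
            cmd = e.get("CommandLine", "")
            if user in KIOSK_USERS and child in SHELLS and parent in KIOSK_PARENTS:
                findings.append(("shell_from_kiosk_ui", user, f"{parent} -> {child}"))
            if BYPASS_RE.search(cmd):
                findings.append(("execution_policy_bypass", user, cmd))
        elif e["EventID"] == 4698 and user in KIOSK_USERS:
            findings.append(("task_created_by_kiosk_user", user, e.get("TaskName", "")))
    return findings
```

Process command lines only appear in 4688 when "Include command line in process creation events" is enabled, so the bypass rule is silent on hosts without that policy.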