Citrix Breakout

I previously posted about breaking out of restrictive desktop environments to gain access to a CMD shell or acess to Powershell. However sometimes the environment is even tighter, for example with Citrix environments you may not even be on a desktop but simply have an application exposed to you.

For example I recently tested a Citrix environment which exposed the following application:

The methodology is the same with desktops as it is with application-only breakouts. Gain access to a dialog and abuse that dialog. Things to aim for are the help system, “open” dialogs and “print” dialogs. For example on the above application I was able to almost immediately gain access to cmd.exe through simply hitting F1.

This opens the built in help and a quick search for “cmd” reveals the option “open a cmd window”! As below:

The option of gaining access to an “open” dialog is generally just to utilise the application in its intended way until the ability to open a file presents itself. For example with the following simple application:

This application exposes a File > Open option, which allows me to reach a cmd through simply typing cmd.exe in the dialog, as following:

Finally using the print dialog. This can be accessed in a couple of different ways, such as CTRL+P, File > Print, or through an application specific print button. The idea is to get the print option set to “Save as PDF” which will essentially open up a dialog like above. Take the following application:

Here the application’s built in print button presents this menu, which has at the top right a “Print to PDF” button, alternatively I can hit the printer icon at the top right and choose “Print to PDF” from that menu, which allows me to gain access to a cmd like this:

Alternatively I could have selected to print from a regular printer and chosen the “Add Printer” option here:

The Add Printer menu exposes an “open” dialog which can be abused like all of the ones above! Hopefully these notes and my previous notes about breaking out of restrictive desktop environments should arm you well to get out of the restrictions and PrivUp!