Citrix is a software which allows enterprise or individuals to work and collaborate remotely, technically we can say it is a jump server for enterprises out there. During our penetration testing engagements we usually encounter this technology to be part of the client’s environment. Following post describes a few common techniques which we have executed during our pen testing engagements to break out of Citrix environments.
#1 Abusing Firefox
In one of our engagements, we found Firefox version 55.0 which is prone to a command execution vulnerability in web console. By abusing
and creating a NSILocalFil
e
a local attacker can leverage this to escape out of Citrix environment. ContractID
- Firefox provides a component known as
nsILocalFile
- With
nsILocalFile
you can navigate to different path separators used on different platforms, query the state of any file or directory. - This component can be refer using the string
@mozilla.org/file/local;1
to create an instance which can also be known asContract ID
. - Using JavaScript and
CID (Contract ID)
we can refer any other components in the system.
Example: var File = Components.classes[“@mozilla.org/file/local;1”].createInstance();

Proof of concept: f=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILo calFile);f.initWithPath('c:\Windows\System32\calc.exe');f.launch(
)
Additional information: about:newtab
is considered as privileged tab if devtools.chrome.enabled
is set to false.
#2 HTML Injection
Creating a contact card under Explorer which was prone to HTML injection. This can be one of the technique to escape Citrix.
Open explorer, right click and create a contact card. Put first name, last name in email put the below payload.
Payload: <a href="powershell.exe">fastrack.r@gmail.com</a>
Once done add this to email address, an exception will be generated saying invalid email format, click on “YES”.

Further clicking the generated href link will pop the powershell.

#3 Creating Shortcut
This is one of the known technique in which we can create shortcut files and point them to specific binaries which needs to be invoked.

NOTE: If in case the browse option does not help you to navigate via explorer.exe
try entering the full path.

Conclusion
This post provided some insight about common break out techniques, there are certain additional methods such as LOLbins, misconfigured environment variables etc. The below mentioned reference could help you harden your terminal services.
References:
1. https://twitter.com/xxbyte/status/1089214985438457865/
2. https://docs.microsoft.com/en-us/previous-versions//cc264467(v=technet.10)?redirectedfrom=MSDN
Read other blog posts
1. Bypassing Symantec Endpoint for Fun & Profit
2. Hacking Smart TV’s
3. Pwning Wireless Peripherals