Wednesday, March 11, 2009

Abusing Citrix - Part 2

So after my previous post I received a comment that a reader would be having another look at the security of his Citrix farm. This is exactly the type of thing I hoped to achieve when set out blogging so now I'm a happy nerdy blogger.

Anyway, back to the Citrix abuse.

So now i have started to really lock down the Citrix server. I have prevented access to local drives, menu items, locked down the available programs and generally made the server almost unusable.

This time I'm going into the published desktop and as you can see in the screenshot below there's almost nothing left to play with. Using a very restrictive set of group policies I have locked everything down.

So now without access to drives I'm pretty stuck as I try to browse the server.

And I guess with no access to toolbars I'll be prevented from my evilness?

Well admittedly with web access I can do a lot but lets not take the easy way out just yet. But we will come back to that.

In fact I'm that restricted with these policies that under normal circumstances I wouldn't be able to work. So i guess if I can bypass these restrictions then were cooking with gas eh!

So this is how I get my shell back ad do a little enumeration along the way, and this is just one of a few ways.

First i go to the Help in Notepad and have a poke around. After a few seconds I see that even though it's pretty restricted I can get to the Internet Options (yes that's right, from the Notepad help menu WTF!!!)

From there I can hop into the file system.

But it won't let me browse. Thats a bugger!

Well not all is lost because thanks to yet another help menu we can get to some pretty useful info and tools.


And these tools can be used to do alot of our work for us.

And if you ask for a shell, Windows will happily give you one.

And now we can browse the local drives and the network.

But wait, there's more to come..........

No comments: