Collection of different things to try when attempting to break out of a restricted Windows environment such as Citrix, AWS AppStream, CyberArk PSM, etc.
- General Tips & Ideas
- Keyboard Shortcuts
- Restricted CMD Shell
- CMD/PowerShell Blocked
- Allowed Applications
- Checks to Perform After Breaking Out
General Tips & Ideas
Dialogs
- Attempt to open Dialog Windows in the application such as Open, Save, New, Import, Export, etc.
- When Saving/Exporting, does the file auto open? Is there an `Auto Open` option?
- If the Dialog window is restricted, always right click in the window and on files to look for additional options.
Help/About/Guide
- Look for Help/About/Guide pages and options in the application to try and launch a Web Browser.
Hyperlinks
- Look for hyperlinks in the UI as they may be opened by a browser when clicked.
Sticky Keys
- Press Shift 5 times.
- Click the `Ease of Access` link.
- Control Panel should now be open if it's allowed.
Magnifier
- Press Win + Plus (+).
- Click the Settings icon.
- Click `Control whether Magnifier starts when I sign in`.
- Control Panel should now be open if it's allowed.
Narrator
- Press Win + Enter.
- A small window may open in the bottom left. If so, enlarge it.
- Click `General`.
- Click `Control whether Narrator starts when I sign in`.
- Control Panel should now be open if it's allowed.
Interrupt Startup
- Are there any processes/setup steps that can be interrupted (e.g. using Ctrl + C) during startup/loading of the session?
- Can Task Manager be opened while the session is loading?
Right Click
- Right click everywhere in and on the application to find additional options. This can lead to more opportunities to try the above steps.
Keyboard Shortcuts
Various key combinations to press to try and coax the target application into opening Windows functionality.
- Windows Key
- Ctrl + Alt + End
- Ctrl + Alt + Del
- Ctrl + Alt + Ins
- Ctrl + Alt + Esc
- Win + R
- Win + E
- Alt + Tab
- Print functionality (Ctrl + P).
- (Windows + Left/Right/Up/Down) to Move the app.
Restricted CMD Shell
Idea 1:
- Open explorer from CMD (if allowed).
- Enter CMD in the location bar.
- See if the new CMD prompt is restricted.
Idea 2:
- While in a restricted shell, change directory to `C:\Windows\System32`.
- Run `cmd.exe`.
- See if the new CMD prompt is restricted.
Idea 3:
- Same as Idea 2, but with the PowerShell directory.
- Run `powershell.exe` or `powershell_ise.exe`.
CMD/PowerShell Blocked
Idea 1:
- If CMD is blocked, try PowerShell and vice versa.
Idea 2:
- Create a bat file that contains `cmd`.
- Run the bat file via Windows Explorer.
Allowed Applications
Are any of the following applications enabled and accessible?
Command Prompt:
- C:\Windows\system32\cmd.exe
PowerShell:
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
Internet Explorer:
- C:\Program Files\Internet Explorer\iexplore.exe
File Transfer Protocol (FTP):
- C:\Windows\system32\ftp.exe
Remote Desktop Connection (RDP):
- C:\Windows\system32\mstsc.exe
Explorer:
- Desktop Environment - C:\Windows\explorer.exe
- File Explorer - C:\Windows\system32\explorer.exe
Services:
- C:\Windows\system32\services.msc
Notepad:
- C:\Windows\system32\notepad.exe
Control Panel:
- C:\Windows\system32\control.exe
Narrator:
- C:\Windows\system32\Narrator.exe
Magnify:
- C:\Windows\system32\Magnify.exe
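From the administrator's side, the question is whether the lock-down actually denies these binaries to the restricted session user. The following PowerShell audit is an added example, not part of the original cheat sheet; it assumes AppLocker is the enforcement mechanism on the published-app host and that `$RestrictedUser` is a placeholder for the locked-down account or group.

```powershell
# Added example: audit the effective AppLocker policy against the binaries listed above.
# Assumptions: the AppLocker module is available on this host, and $RestrictedUser
# is a placeholder for the restricted user/group that published sessions run as.
param(
    [string]$RestrictedUser = 'Everyone'   # placeholder: replace with the kiosk user or group
)

Import-Module AppLocker -ErrorAction Stop

# Breakout candidates named on the page (paths as listed there, via environment variables).
$candidates = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "$env:SystemRoot\System32\ftp.exe",
    "$env:SystemRoot\System32\mstsc.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\control.exe",
    "$env:SystemRoot\System32\Narrator.exe",
    "$env:SystemRoot\System32\Magnify.exe"
)

# Test-AppLockerPolicy needs real files (it reads publisher/hash info), so skip absent ones.
$present = $candidates | Where-Object { Test-Path -Path $_ }
$missing = $candidates | Where-Object { -not (Test-Path -Path $_) }
if ($missing) { Write-Verbose ("Not installed on this host: " + ($missing -join ', ')) -Verbose }

# Effective policy = local policy merged with applied Group Policy.
$policy = Get-AppLockerPolicy -Effective

# One row per binary: Allowed / Denied / *ByDefault plus the rule that decided it.
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $present -User $RestrictedUser
$results | Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# Anything still allowed for the restricted user is a finding to fix in the policy.
$allowed = @($results | Where-Object { $_.PolicyDecision -like 'Allowed*' })
if ($allowed.Count -gt 0) {
    Write-Warning ("{0} breakout-capable binaries are still allowed for {1}" -f $allowed.Count, $RestrictedUser)
}
```

Run it on the session host itself, since the effective policy and the installed binaries both live there.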
Checks to Perform After Breaking Out
- Has internet access been restricted?
- Is outbound DNS enabled?
- If RDP is in use, is Copy-Paste enabled? Can you copy files/payloads to the machine this way?
- Are there sensitive files stored on the machine (Documents, Downloads, Pictures, Videos, User Directory, Other Drives, Network Shares, etc.)?
- What privilege is the underlying session running as?
- Is the Operating System in use old and/or missing updates?
- Can the host communicate with other computers or shares in the network?
- Is privilege escalation possible?
- If privilege level allows for it, can the LSASS process be dumped?