Wednesday, November 7, 2007

Citrix Hacking


**This post is late, i realize the "buzz" about the topic is way past but...

Over on the gnucitizen blog (if you dont read that blog you should, its got tons of web app sec info) awhile back there was some cool CITRIX hacking going on

http://www.gnucitizen.org/blog/hacking-citrix-the-forceful-way
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor

anyway, its there (this post is late but hey, i was moving to Washington D.C.) about editing the .ica files to get a shell on the remote box. Most of the .ica files want to funnel you into the single application that they want you to run, this application is listed in the ica file like:

InitialProgram=#PlanVue yakyakyak

but you can simply change that value to whatever you want. now, you might go, hey let me get my cmd.exe immediately but frankly a cmd.exe shell doesnt give you alot of options. of more interest is explorer.exe which will basically give you that little "My Computer" pop up, from there you can take a peek at all the computers on the network via network neighborhood or just poke around for info that probably shouldnt be available to everyone. since hacking is rapidly moving from possessing the root shell to possessing the data its a great way to do some digging into the network.


so to get that nifty explorer.exe box we just need to change it to:

InitialProgram=explorer.exe

and we go from



to



Big fun!

now, you'll still be running as the citrix client so it shouldn't (better not be) any kind of account with privs but you might be able to take a look at that passwords.txt file and get everything you need :-)

-CG
CG

No comments: