Citrix Breakout

I previously posted about breaking out of restrictive desktop environments to gain access to a CMD shell or access to PowerShell. However, sometimes the environment is even tighter. With Citrix environments, for example, you may not even be on a desktop but simply have an application exposed to you.

For example I recently tested a Citrix environment which exposed the following application:

A very basic login box.

The methodology is the same for application-only breakouts as it is for desktops: gain access to a dialog and abuse that dialog. Things to aim for are the help system, “open” dialogs and “print” dialogs. For example, on the above application I was able to gain access to cmd.exe almost immediately by simply hitting F1.

This opens the built-in help, and a quick search for “cmd” reveals the option “open a cmd window”! As below:

Windows Help and Support showing a search for CMD resulting in a single option to Click to open a Command Prompt.



Gaining access to an “open” dialog is generally just a matter of using the application in its intended way until the ability to open a file presents itself. For example, with the following simple application:

A simple application called XPS Viewer showing the File option highlighted.

This application exposes a File > Open option, which allows me to reach a cmd by simply typing cmd.exe in the dialog, as follows:

A standard Windows file open dialog window showing CMD.EXE in the top bar.


Finally, there is the print dialog. This can be accessed in a couple of different ways, such as CTRL+P, File > Print, or through an application-specific print button. The idea is to get the print option set to “Save as PDF”, which will essentially open up a dialog like the one above. Take the following application:

A print preview menu showing the contents of a file blurred out. There is an option at the top for print and an option at the top for save as PDF.

Here the application’s built-in print button presents this menu, which has a “Print to PDF” button at the top right. Alternatively, I can hit the printer icon at the top right and choose “Print to PDF” from that menu, which allows me to gain access to a cmd like this:

A standard windows dialog for saving a file showing cmd.exe in the top bar.

Alternatively, I could have chosen to print to a regular printer and selected the “Add Printer” option here:

The default windows Add-Printer dialog box showing Select a shared printer highlighted in the middle.

The Add Printer menu exposes an “open” dialog which can be abused like all of the ones above! Hopefully these notes, together with my previous notes about breaking out of restrictive desktop environments, will arm you well to get out of the restrictions and PrivUp!
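
Seen from the monitoring side, every route above ends the same way: a shell whose parent process is the help viewer or the published application itself. The following is an added example, not part of the original post, that flags that parent/child pattern in process-creation records. The log format and sample lines are constructed, `LoginApp.exe` is a hypothetical published application, and treating `HelpPane.exe` and `xpsrchvw.exe` as the parents to watch is an assumption to replace with your own inventory.

```python
import ntpath

# Shells an application-only session has no reason to start.
SHELLS = {"cmd.exe", "powershell.exe"}

# Assumption: parents to watch are the Windows help viewer (HelpPane.exe),
# XPS Viewer (xpsrchvw.exe) and a hypothetical published app, LoginApp.exe.
GUI_PARENTS = {"helppane.exe", "xpsrchvw.exe", "loginapp.exe"}

# Constructed sample records: User|ParentImage|Image, one process start each.
SAMPLE_EVENTS = [
    r"User=CORP\alice|ParentImage=C:\Windows\HelpPane.exe|Image=C:\Windows\System32\cmd.exe",
    r"User=CORP\bob|ParentImage=C:\Windows\System32\xpsrchvw.exe|Image=C:\Windows\System32\CMD.EXE",
    r"User=CORP\carol|ParentImage=C:\Program Files\LoginApp\LoginApp.exe|Image=C:\Windows\System32\notepad.exe",
    r"User=CORP\dave|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\whoami.exe",
    "malformed line without fields",
]


def parse_event(line):
    """Split 'key=value|key=value' into a dict; return None if fields are missing."""
    fields = dict(p.split("=", 1) for p in line.split("|") if "=" in p)
    if not {"User", "ParentImage", "Image"} <= fields.keys():
        return None
    return fields


def find_breakouts(lines, gui_parents=GUI_PARENTS):
    """Return (user, parent, child) for every shell started by a watched GUI parent."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        # ntpath handles Windows paths regardless of the OS running this script.
        parent = ntpath.basename(event["ParentImage"]).lower()
        child = ntpath.basename(event["Image"]).lower()
        if child in SHELLS and parent in gui_parents:
            hits.append((event["User"], parent, child))
    return hits


if __name__ == "__main__":
    for user, parent, child in find_breakouts(SAMPLE_EVENTS):
        print(f"ALERT {user}: {parent} started {child}")
```

Because file-open and save dialogs run inside the application's own process, the published application shows up as the parent for the “open” and “print” routes, which is why it belongs in the watch list alongside the help viewer.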