Breaking out of Windows Environments

A collection of things to try when attempting to break out of a restricted Windows environment such as Citrix, AWS AppStream, CyberArk PSM, etc.

  1. General Tips & Ideas
  2. Keyboard Shortcuts
  3. Restricted CMD Shell
  4. CMD/PowerShell Blocked
  5. Allowed Applications
  6. Checks to Perform After Breaking Out


General Tips & Ideas

Dialogs

  • Attempt to open Dialog Windows in the application such as Open, Save, New, Import, Export, etc.
  • When Saving/Exporting, does the file auto open? Is there an Auto Open option?
  • If the Dialog window is restricted, always right click in the Window and on Files to look for additional options.

Help/About/Guide

  • Look for Help/About/Guide pages and options in the application to try and launch a Web Browser.
  • Look for hyperlinks in the UI as they may be opened by a browser when clicked.

Sticky Keys

  • (Shift x5)
  • Click Ease of Access link.
  • Control Panel should now be open if it’s allowed.

Magnifier

  • (Win + Plus key)
  • Settings Icon
  • Click Control whether Magnifier starts when I sign in.
  • Control Panel should now be open if it’s allowed.

Narrator

  • (Win + Enter).
  • A small window may open in the bottom left. If so, enlarge it.
  • Click General.
  • Click Control whether Narrator starts when I sign in.
  • Control Panel should now be open if it’s allowed.

Interrupt Startup

  • Are there any process/setups that can be interrupted (e.g. using CTRL + C) during startup/loading of the session?
  • Can Task Manager be opened while the session is loading?

Right Click

  • Right click everywhere in and on the application to find additional options. This can lead to more opportunities to try the above steps.


Keyboard Shortcuts

Various key combinations to press to try to coax the target application into opening Windows functionality.

  • Windows Key
  • Ctrl + Alt + End
  • Ctrl + Alt + Del
  • Ctrl + Alt + Ins
  • Ctrl + Alt + Esc
  • Win + R
  • Win + E
  • Alt + Tab
  • Print functionality (Ctrl + P).
  • (Win + Left/Right/Up/Down) to move the app window.


Restricted CMD Shell

Idea 1:

  • Open explorer from CMD (if allowed).
  • Enter CMD in the location bar.
  • See if new CMD prompt is restricted.

Idea 2:

  • While in a restricted shell change directory to C:\Windows\System32.
  • Run cmd.exe.
  • See if new CMD prompt is restricted.

Idea 3:

  • Same as Idea 2, but with PowerShell directory.
  • Run powershell.exe or powershell_ise.exe.


CMD/PowerShell Blocked

Idea 1

  • If CMD is blocked try
    • powershell.exe
    • ftp.exe
    • python

Idea 2

  • Create a bat file that contains the single line cmd.
  • Run the bat file via Windows Explorer.

Idea 3

  • Create a bat file that contains some fake command that doesn’t exist (e.g. test123) followed by cmd on the next line.
  • Create another file (e.g. text or bat) and save it.
  • Drag the 2nd file onto the 1st file in Explorer or a dialog window.
  • If CMD is blocked, try PowerShell and FTP. Even if they’re blocked they might still work with this method.
  • If nothing is working to get an interactive shell, you should be able to just run commands directly. You can test it with a bat file like:

    test123
    hostname
    whoami
    ipconfig
    cmd

  • You might still need cmd at the end, even if it’s blocked, to prevent the window from closing. pause is also worth a try if the window is closing.


Allowed Applications

Are any of the following applications enabled and accessible?

Command Prompt:

  • C:\Windows\system32\cmd.exe

PowerShell:

  • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

File Transfer Protocol (FTP):

  • C:\Windows\system32\ftp.exe

Internet Explorer:

  • C:\Program Files\Internet Explorer\iexplore.exe

Task Manager:

  • C:\Windows\system32\taskmgr.exe

Remote Desktop Connection (RDP):

  • C:\Windows\system32\mstsc.exe

Explorer:

  • Desktop Environment - C:\Windows\explorer.exe
  • File Explorer - C:\Windows\system32\explorer.exe

Services:

  • C:\Windows\system32\services.msc

Notepad:

  • C:\Windows\system32\notepad.exe

Control Panel:

  • C:\Windows\system32\control.exe

Narrator:

  • C:\Windows\system32\Narrator.exe

Magnify:

  • C:\Windows\system32\Magnify.exe
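As an added, administrator-side example (not part of the original post), the following PowerShell evaluates the effective AppLocker policy against the binaries listed above for a given user or group, so that anything still allowed can be found before someone works through this checklist. It assumes AppLocker is the control in use and that the AppLocker module is available; the group name CONTOSO\citrix-users is a constructed placeholder.

```powershell
# Added example, not from the original post. Assumes AppLocker is the
# application-control mechanism; the group below is a placeholder.
$candidates = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\System32\ftp.exe",
    "$env:SystemRoot\System32\taskmgr.exe",
    "$env:SystemRoot\System32\mstsc.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\control.exe",
    "$env:SystemRoot\System32\Narrator.exe",
    "$env:SystemRoot\System32\Magnify.exe",
    "$env:SystemRoot\System32\notepad.exe",
    "${env:ProgramFiles}\Internet Explorer\iexplore.exe"
)

# Only evaluate binaries that actually exist on this host.
$present = $candidates | Where-Object { Test-Path -LiteralPath $_ }
$missing = $candidates | Where-Object { -not (Test-Path -LiteralPath $_) }

# Effective policy = local AppLocker policy merged with applied domain policy.
$policy = Get-AppLockerPolicy -Effective

# Evaluate each path as the published-application user/group would be evaluated.
$results = Test-AppLockerPolicy -PolicyObject $policy -Path $present -User 'CONTOSO\citrix-users'

$results |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Sort-Object PolicyDecision |
    Format-Table -AutoSize

# Anything still Allowed is a binary the checklist above would reach.
$allowed = @($results | Where-Object { $_.PolicyDecision -eq 'Allowed' })
if ($allowed.Count -gt 0) {
    Write-Warning ("{0} of {1} tested binaries are allowed for this user." -f $allowed.Count, @($results).Count)
}
if ($missing) {
    Write-Host "Not present on this host:`n  $($missing -join "`n  ")"
}
```

Test-AppLockerPolicy only evaluates the rule set; it does not confirm that the Application Identity service (AppIDSvc) is running, which enforcement requires, so check that separately. Note that services.msc is not covered by AppLocker executable rules and is left out of the list.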


Checks to Perform After Breaking Out

  • Has internet access been restricted?
  • Is outbound DNS enabled?
  • If RDP is in use, is Copy-Paste enabled? Can you copy files/payloads to the machine this way?
  • Are there sensitive files stored on the machine (Documents, Downloads, Pictures, Videos, User Directory, Other Drives, Network Shares, etc.)?
  • What privilege is the underlying session running as?
  • Is the Operating System in use old and/or missing updates?
  • Can the host communicate with other computers or shares in the network?
  • Is Defender enabled?
  • Is privilege escalation possible?
  • If privilege level allows for it, can the LSASS process be dumped?

This post is licensed under CC BY 4.0 by the author.