During one of my pentests recently I was able to gain access to a Citrix server with user-level privileges. The user had access to some client-specific applications and read/write access to a share. Changing .ica shortcuts to point to other programs did not work out; access to cmd.exe was disabled by the administrators. So, what to do? Why, create a .bat file on that writable share, of course! It’s not cmd.exe that’s important, it’s running commands such as “net user” that really matters. But, just a “net user” by itself won’t do — the window closes right after execution. Not a big deal, throw a “pause” in there, which will make it wait for user input before exiting. Editing and saving the .bat file to run new commands each time is tiresome, though. That is why I created a tiny script that simply loops and keeps asking for new commands to execute:
    @echo off
    :awesome
    rem print the current directory followed by an escaped ">" as the prompt
    echo %CD%^>
    rem read one command line from the user, run it, then loop back
    set /p cmd=
    %cmd%
    goto awesome
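The reason the loop above works is that the “Prevent access to the command prompt” policy has two variants: one blocks only the interactive prompt, the other also blocks batch file processing. As an added example (not part of the original post), this PowerShell check reads the policy value and reports which variant is in effect; it assumes the standard policy location HKCU\Software\Policies\Microsoft\Windows\System with the DWORD value DisableCMD (1 = prompt and scripts blocked, 2 = prompt blocked, scripts allowed), and also looks under HKLM in case the policy was pushed machine-wide.

```powershell
# Added example, not from the original post.
# Reports whether the DisableCMD policy also stops .bat/.cmd files from running.
function Get-CmdPolicyState {
    param(
        [ValidateSet('HKCU', 'HKLM')]
        [string]$Hive = 'HKCU'   # the policy is normally per-user (HKCU)
    )
    # Assumption: standard policy key and value name for this setting
    $key   = "$($Hive):\Software\Policies\Microsoft\Windows\System"
    $entry = Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue

    $state = [ordered]@{ Hive = $Hive; DisableCMD = $null; CmdBlocked = $false; BatchBlocked = $false; Note = '' }

    if ($null -eq $entry) {
        $state.Note = 'Policy not set: interactive cmd.exe and .bat/.cmd files both run'
        return [pscustomobject]$state
    }

    $state.DisableCMD = $entry.DisableCMD
    switch ($entry.DisableCMD) {
        1 { $state.CmdBlocked = $true;  $state.BatchBlocked = $true
            $state.Note = 'Command prompt and batch script processing both disabled' }
        2 { $state.CmdBlocked = $true;  $state.BatchBlocked = $false
            $state.Note = 'Command prompt disabled but .bat/.cmd files still run (the gap used in the post)' }
        default { $state.Note = 'Value 0 or unrecognised: treat as not enforced' }
    }
    return [pscustomobject]$state
}

# Usage: check both hives and show the effective state
Get-CmdPolicyState -Hive HKCU
Get-CmdPolicyState -Hive HKLM
```

A result with CmdBlocked true and BatchBlocked false is the configuration described in this post; setting the policy's “disable script processing also” option changes the value to 1, at the cost of breaking any logon or logoff batch scripts the environment relies on.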
With this I was able to easily enumerate the domain. Unfortunately that’s where I had to stop due to time constraints. What would I have done if I could have kept going? Probably enumerate all the users and do some sweeps for weak passwords using the command that maps network drives. Perhaps enumerate the network and scan for misconfigured hosts that have domain users in their local administrators group. Maybe TFTP out and download a malicious tool or document to leave for the user to open. Maybe all of the above and more! I wish I had more time, because that would have been a lot of fun!
Edit: updated the script slightly (%CD% is to show current working directory and ^ is to escape greater than sign).