A VDI Adventure – From Home-Worker to Server Admin
Context
During a five-day red-team engagement for “MegaCorp”, we assessed a Citrix VDI used for smart-working (remote work). Goal: exfiltrate data from the internal network despite heavy lockdown policies.
Key Attack Path
| Phase | Highlight |
|---|---|
| Foothold | Limited clipboard and transfer features; copy/paste disabled → abused IBM Cloud and ZeroBin to bypass proxy categories. |
| Exfiltration | Built a DNS-over-AES script to stream payloads via TXT records. |
| Sandbox Escape | Leveraged Office VBA macros and the FTP interactive console to spawn commands; abused rundll32 to run a custom command-line tool when cmd.exe was blocked. |
| Privilege Escalation | Dumped Groups.xml / Drives.xml, cracked cpassword, reused the local Admin credential on five hosts, including a DC. |
Impact
- Full domain-admin in ≤ 1 day.
- Demonstrated data exfiltration routes that bypassed DLP / SSL inspection.
- Customer implemented PAC-file hardening, device isolation, and GPO whitelisting.