Windows Privilege Escalation - Citrix Breakout

Hi, half year ago I finished Module “Windows Privilege Escalation”. Now this module is updated with the section “Citrix Breakout”. Very interesting lesson and well explained how to achieve window privilege escalation in a restricted environment. However, to answer the questions you have to RDP and results in a linux os machine (Ubuntu). Admittedly in a “windows-like” environment (Xfce4 installed). So it is reachable by RDP, but still remains linux. I tried everything but can’t get the windows powershell etc.

1 Like

facing same issue

have you solved?


I got it,
After you loggedin via rdp
in the rdp machine, open browser and visit On the Internet: Be Cautious When Connected — FBI
then use the following credential

Username: pmorgan
Password: Summer1Summer!
Domain: htb.local


Thanks. Actually it was written in the lesson. I tried the link earlier in my own browser and that yielded the FBI website (redirecting to https site). In the RDP environment it worked as was told in the text…
Thanks again!!!

1 Like

Can’t run any .ps1 files on target system. I have got the pmorgan flag.txt but can’t escalate privileges. Help would be great :smiley:

1 Like

Setting the execution policy to ‘Bypass’ at the process level is a decision that should be made with caution, as it allows the execution of scripts without restrictions with ‘Set-ExecutionPolicy Bypass -Scope Process’.


Hi were you able to resolve it?

Yes, we need to ‘Set-ExecutionPolicy Bypass -Scope Process’ before trying to run any .ps1.


Hi, I’m trying to repeat “Accessing SMB share from restricted environment” in this task, but when trying to run " " an error is being issued, how did you manage to do this action?

It looks like you have no permission to run it. You are htb-student at this moment.
Try to be root!!!

I was not given the password from “root”, unless of course it is the same as that of “htb-student”
As a result, in order not to waste time, I transferred the file in another way to the machine.
Hmm, it’s true, in the task this command was executed under “root”, it’s true. I didn’t pay attention at first.

You could use “sudo -s” and then you are asked…
[sudo] password for htb-student:
and then you were root
root@ubuntu:/home/htb-student/Tools# …


run it as root.
su -s