In the middle of a black box test, external network, social engineering, client-side attacks, the whole nine yards. We started off with an external recon of open ports and services and then to the social engineering. We've already obtained several usable usernames and passwords, but the issue externally is that only a few open ports and services are available. No golden nuggests such as RDP unfortunately. THere is a Citrix portal which we managed to discover that one user has access to (the rest do not). We installed the Citrix client and are able to open a Windows Explorer window on the Citrix box itself for this one user. I've already tried all the basics to create local users and even launching AD Users and Computers for their domain and adding IDs or changing permissions on acounts but the environment is fairly locked down and the user does not have permission to install software on the box, etc.
I can attempt to map drives and try some light brute forcing, since ive been enable to enumerate who the domain admins are, etc, etc and i have a list of every internal host name. I just don't yet have that 'in' that affords me access to a desktop or internal domain. I simply have 'domain user' creds in a locked down environment and a citrix portal...so far. We're still in the middle of testing but I was wondering if anyone had guidance on things we can do from this Citrix server since its officially some sort of internal session. I can also browse network drives and I've been downloading sensitive information left and right...so we're partly successful but we would like to eventually add ourselves as a domain user or admin/domain admin (would be our end game).