In the previous chapter, we performed careful network reconnaissance to identify Citrix databases and even managed to grab and crack the password of the service account sqlexpress. Amid the thrill of this significant new opportunity in the grim world that is Strat Jumbo’s defensive network, we can’t wait to test our access to the Citrix database using our newly acquired credentials.

But hold your horses! Opening a new interactive session—either RDP or NTLM—on a random server must be done carefully, especially with ATA lurking around. There’s a small chance that some admins might regularly initiate connections to the database ...