Bypassing Citrix, Firewall Restrictions & DLP to Exfiltrate Data Using Grammarly

Hi Guys,

It has been a really long time since I have written any blogs. I have been busy doing Red Team Challenge labs and learning AV/EDR bypasses using known techniques. I will definitely blog about those in the near future.

Let's not waste time and jump to the actual topic.

Background:
I was on an engagement where I was tasked with exfiltrating data from a server that was behind Citrix. The client had provided me with a low-privilege user, and I had limited internet access from that server.

Note: None of the images or information relate to the client; they are from my labs or are images from Google.

What is Citrix?

According to Citrix:
"In a Citrix application delivery setup, applications and resources are hosted on central servers. XenApp isolates these applications from the underlying OS and other applications, and streams them into an isolated environment on the target device where they are executed."
It is basically a reverse RDP: all activity executes on one central system, and you only receive the rendered output on your screen.

What is Grammarly?

Grammarly is an online platform for grammar checking, spell checking, and plagiarism detection for the English language.

Details:

Step 1:
Access the server using Citrix (image pulled from another blog).



Step 2:
Create a dummy Word document with some text.
Use certutil.exe to Base64-encode the Word document.
Command: certutil -encode dataexfiltrate.docx popo.txt



Step 3:
Log in to https://app.grammarly.com/ and upload the encoded file generated by certutil.exe.


Step 4:
Once the file is uploaded from Citrix to Grammarly, you can access it from anywhere using your credentials and download it.


Step 5:
Decode the file again using certutil.
Command: certutil -decode popo.txt igothedata.docx
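From the defender's side, the two certutil commands in Steps 2 and 5 are the most visible part of this procedure: certutil is a signed system binary, but "-encode" or "-decode" applied to an Office document is rarely legitimate on a Citrix-published desktop. The following detection logic is an added example, not code from the original post; it runs over constructed process-creation events (field names modelled on Sysmon Event ID 1 / Windows 4688, which is an assumption about your log shape) and raises a high-severity finding when the document side of an encode or decode is an Office or PDF file.

```python
import re
import shlex
from pathlib import PureWindowsPath

# Constructed process-creation events, shaped loosely after Sysmon Event ID 1 /
# Windows 4688 fields. They are illustrative samples, not data from any engagement.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -encode dataexfiltrate.docx popo.txt",
     "User": r"CORP\lowpriv", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -decode popo.txt igothedata.docx",
     "User": r"CORP\lowpriv", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify server.cer",
     "User": r"CORP\admin", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": '"WINWORD.EXE" /n report.docx',
     "User": r"CORP\lowpriv", "ParentImage": r"C:\Windows\explorer.exe"},
]

# File types whose encoding/decoding should be treated as document staging.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# certutil takes its verb as a dash-prefixed switch; the slash form is matched as well so
# a variant spelling does not slip past the rule (a detection choice, not a certutil claim).
VERB_RE = re.compile(r"(?<!\S)[-/](encode|decode)(?!\S)", re.IGNORECASE)


def classify_certutil(event):
    """Return a finding dict for certutil -encode/-decode usage, or None otherwise."""
    if PureWindowsPath(event.get("Image", "")).name.lower() != "certutil.exe":
        return None
    cmd = event.get("CommandLine", "")
    m = VERB_RE.search(cmd)
    if not m:
        return None
    verb = m.group(1).lower()
    # Tokenise the remainder Windows-style (posix=False keeps quoted paths intact),
    # then drop the surrounding quotes.
    args = [a.strip('"') for a in shlex.split(cmd[m.end():], posix=False)]
    infile = args[0] if len(args) > 0 else ""
    outfile = args[1] if len(args) > 1 else ""
    # certutil -encode InFile OutFile / certutil -decode InFile OutFile:
    # the document sits on the input side for encode and on the output side for decode.
    doc_side = infile if verb == "encode" else outfile
    ext = PureWindowsPath(doc_side).suffix.lower() if doc_side else ""
    severity = "high" if ext in DOC_EXTENSIONS else "medium"
    return {
        "verb": verb,
        "file": doc_side,
        "severity": severity,
        "user": event.get("User", ""),
        "parent": PureWindowsPath(event.get("ParentImage", "")).name,
    }


def scan_events(events):
    """Apply classify_certutil to every event and keep only the findings."""
    return [f for f in map(classify_certutil, events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

On the sample events this yields two findings (the encode of dataexfiltrate.docx and the decode into igothedata.docx, both high severity) and ignores the ordinary certutil -verify and the Word launch. In a real pipeline, the same rule can be expressed as a Sigma or EDR query on process name plus command line; the point is that certutil is not blocked, so the command line is what you alert on.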



Conclusion:

Even with limited internet access, there may be online sites that let you upload data or write some text, and these can be leveraged to exfiltrate data even from secured environments. The certutil trick also bypasses most DLP that works on document fingerprinting or keyword matching, because the DLP engine sees only Base64 text rather than the document it has fingerprinted.
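The DLP point above is where the control fails: keyword matching runs over the upload body as-is, and a certutil-encoded document contains none of the original words. The inspector below is an added example, not part of the original post or of any DLP product; it builds a constructed minimal docx-shaped zip, wraps it in the PEM-style layout certutil -encode produces (header and footer lines, 64-character Base64 lines, CRLF, reproduced here from memory and treated as an assumption), and shows that plain keyword matching finds nothing while decoding every PEM blob and looking inside the zip recovers both the document type and the keywords.

```python
import base64
import binascii
import io
import re
import zipfile

# Constructed DLP keyword list; any real deployment would use its own terms.
KEYWORDS = ("CONFIDENTIAL", "PROJECT FALCON")

# Block layout that certutil -encode emits around its Base64 output (assumed layout).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(?P<body>[A-Za-z0-9+/=\r\n]+)-----END CERTIFICATE-----"
)

# Zip entries that identify the three common OOXML document types.
OFFICE_MARKERS = {
    "word/document.xml": "docx",
    "xl/workbook.xml": "xlsx",
    "ppt/presentation.xml": "pptx",
}


def build_sample_docx(text):
    """Construct a minimal docx-shaped zip in memory (not a complete OOXML package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(
            "word/document.xml",
            f"<w:document><w:body><w:p><w:r><w:t>{text}</w:t></w:r></w:p></w:body></w:document>",
        )
    return buf.getvalue()


def certutil_style_encode(data):
    """Wrap Base64 the way certutil -encode lays it out (assumed: PEM header/footer,
    64-character lines, CRLF line endings)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\r\n"
        + "\r\n".join(lines)
        + "\r\n-----END CERTIFICATE-----\r\n"
    ).encode("ascii")


def inspect_upload(body):
    """Inspect an outbound upload body and return a list of findings.

    Layer 1 is the naive keyword match a simple DLP performs on the raw bytes.
    Layer 2 decodes every PEM-wrapped blob; if the decoded bytes are a zip, the
    XML parts are read and keyword-matched, and the Office type is identified."""
    findings = []
    text = body.decode("utf-8", errors="ignore").upper()
    for kw in KEYWORDS:
        if kw in text:
            findings.append({"layer": "plaintext", "keyword": kw})
    for m in PEM_RE.finditer(body):
        try:
            # validate=False lets b64decode skip the CRLF line breaks inside the body.
            raw = base64.b64decode(m.group("body"), validate=False)
        except (ValueError, binascii.Error):
            continue
        if not raw.startswith(b"PK\x03\x04"):
            findings.append({"layer": "decoded", "type": "non-zip", "size": len(raw)})
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(raw)) as z:
                names = set(z.namelist())
                doc_type = next((t for marker, t in OFFICE_MARKERS.items() if marker in names), "zip")
                inner = b"".join(z.read(n) for n in sorted(names) if n.endswith(".xml"))
        except zipfile.BadZipFile:
            findings.append({"layer": "decoded", "type": "corrupt-zip", "size": len(raw)})
            continue
        inner_text = inner.decode("utf-8", errors="ignore").upper()
        hits = [kw for kw in KEYWORDS if kw in inner_text]
        findings.append({"layer": "decoded", "type": doc_type, "size": len(raw), "keywords": hits})
    return findings


if __name__ == "__main__":
    doc = build_sample_docx("Project Falcon budget - CONFIDENTIAL")
    print(inspect_upload(certutil_style_encode(doc)))
```

The single finding comes from the decoded layer, not the plaintext one, which is exactly the gap the post exploits. A production DLP would add other transforms (hex, gzip, nested archives) and a size threshold, but the principle is the same: normalise the content before fingerprinting or keyword matching, and log the fact that a PEM-wrapped blob turned out to be an Office document, because that combination is itself a strong signal regardless of keywords.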

Thanks for reading the post 👍
Thanks to my friends who always support me for learning.

Comments

  1. That was a good presence of mind!! Keep rocking.

  2. We are an SEO house. The first thing we do when we hire a new freelancer in our content creation agency is get them a Grammarly sign-in so they aren't buffoons in front of clients. Now we also have to subscribe to a crazy amount of programs, and that is a lot of cutting and pasting. My team is trialing a brand new program called INK for All with an included AI that edits grammar, tone, and punctuation, and it understands how a web page is found in search engines. Definitely already experiencing successes for our clients.
