Bypassing Citrix , Firewall Restrictions & DLP to exfiltrate data using Grammarly
Hi Guys,
It been really long time since I have wrote any blogs. Busy doing Red Team Challenge labs and learning on AV/EDR bypasses using known techniques. I will definitely blog about those in near future.
What is Grammarly?
Grammarly is an online platform for improving English, grammar checking, spell checking, and plagiarism detection platform for the English language
Details:
Step 1:
Step 2:
Create a dummy word document with some text.
Step 4:
Step 5:
Conclusion:
Even with limited internet access there might be some online sites which could provide you the functionality to upload data or write some data in text which can be leverage to exfiltrate data even from the secured environments. The certutil trick also works for bypassing mostly all of the DLP which are working on document fingerprinting or keyword matching.
It been really long time since I have wrote any blogs. Busy doing Red Team Challenge labs and learning on AV/EDR bypasses using known techniques. I will definitely blog about those in near future.
Let's not waste time and jump to the actual topic.
Background:
I was on an engagement where I was tasked to exfiltrate data from the server which was behind Citrix. Client had provided me with low privilege user and I had limited internet access from that server.
Note:- All images and information are not related to client it's from my labs or some image from google.
What is Citrix?
According to Citrix :
In a Citrix application delivery setup, applications and resources are hosted on central servers. XenApp isolates these applications from the underlying OS and other applications, and streams them into an isolated environment on the target device where they are executed
It basically a reverse RDP where all the activities execute into one central system and you receive the execution data on your screen.
Note:- All images and information are not related to client it's from my labs or some image from google.
What is Citrix?
According to Citrix :
In a Citrix application delivery setup, applications and resources are hosted on central servers. XenApp isolates these applications from the underlying OS and other applications, and streams them into an isolated environment on the target device where they are executed
It basically a reverse RDP where all the activities execute into one central system and you receive the execution data on your screen.
What is Grammarly?
Grammarly is an online platform for improving English, grammar checking, spell checking, and plagiarism detection platform for the English language
Details:
Step 1:
Step 2:
Create a dummy word document with some text.
Used certutil.exe to encode the word document.
Command: certutil -encode dataexfiltrate.docx popo.txt
Step 3:
Step 4:
Once file is uploaded from Critix to grammarly you can access the file from anywhere using your credential and download the file.
Step 5:
Decode the file again using certutil.
Command: certutil -decode popo.txt igothedata.docx
Command: certutil -decode popo.txt igothedata.docx
Conclusion:
Even with limited internet access there might be some online sites which could provide you the functionality to upload data or write some data in text which can be leverage to exfiltrate data even from the secured environments. The certutil trick also works for bypassing mostly all of the DLP which are working on document fingerprinting or keyword matching.
Thanks for reading the post 👍
Thanks to my friends who always support me for learning.
Thanks to my friends who always support me for learning.
That was a good presence of mind!!..keep rocking
ReplyDeleteWe are an SEO house. The first thing I do when we hire a new freelancer in our content creation agency we get them a Grammarly sign-in so they aren't buffoons in front of clients. Now we also have to subscribe to a crazy amount of programs and that is a lot of cut and pasting. My team is trialing a brand new program called INK for All with an included AI that edits grammar, tone, punctuation, and it understands how a web page is found in search engines. Definitely already experiencing successes for our clients.
ReplyDeleteI like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot. crackspick.org I hope to have many more entries or so from you.
ReplyDeleteVery interesting blog.
crackspick.org
All Working Software Links Is Available
Grammarly Crack