Bypassing Citrix, Firewall Restrictions & DLP to Exfiltrate Data Using Grammarly

Hi Guys,

It has been a really long time since I wrote any blogs. I have been busy doing Red Team Challenge labs and learning AV/EDR bypasses using known techniques. I will definitely blog about those in the near future.

Let's not waste time and jump to the actual topic.

Background:
I was on an engagement where I was tasked to exfiltrate data from a server that was behind Citrix. The client had provided me with a low-privilege user, and I had limited internet access from that server.

Note: None of the images or information relate to the client; they are from my labs or are images from Google.

What is Citrix?

According to Citrix:
"In a Citrix application delivery setup, applications and resources are hosted on central servers. XenApp isolates these applications from the underlying OS and other applications, and streams them into an isolated environment on the target device where they are executed."
It is basically a reverse RDP: all the activity executes on one central system, and you receive only the execution output on your screen.

What is Grammarly?

Grammarly is an online platform for improving English writing: grammar checking, spell checking, and plagiarism detection for the English language.

Details:

Step 1:
Access the server using Citrix (image pulled from another blog).



Step 2:
Create a dummy Word document with some text.
Use certutil.exe to base64-encode the Word document:
Command: certutil -encode dataexfiltrate.docx popo.txt



Step 3:
Log in to https://app.grammarly.com/ and upload the encoded file generated by certutil.exe.


Step 4:
Once the file is uploaded from Citrix to Grammarly, you can access it from anywhere using your credentials and download it.


Step 5:
Decode the file again using certutil:
Command: certutil -decode popo.txt igothedata.docx
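The reason the round trip in Steps 2 and 5 slips past document-fingerprinting DLP is that the bytes on the wire are certutil's base64 wrapper, not the .docx. The check below is an added example written for this post (not the author's code and not part of any product): it recognises certutil's output layout (a -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- pair around 64-character base64 lines), unwraps it, and only then classifies the payload and matches keywords, which is the extra step a content-inspection hook needs. The sample document, the keyword list and the function names are constructed for the demo.

```python
"""Content-layer check for certutil-wrapped documents (added example).

certutil -encode writes standard base64 between
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines,
64 characters per line. A DLP rule that fingerprints raw .docx bytes or
matches keywords in plaintext never sees the document; unwrap first.
"""
import base64
import io
import re
import zipfile
from typing import Optional

CERT_HEADER = "-----BEGIN CERTIFICATE-----"
CERT_FOOTER = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def certutil_style_encode(data: bytes) -> str:
    """Reproduce the layout certutil -encode produces (constructed stand-in)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([CERT_HEADER, *lines, CERT_FOOTER]) + "\r\n"


def unwrap_certutil(text: str) -> Optional[bytes]:
    """Return the decoded bytes if text looks like certutil -encode output, else None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != CERT_HEADER or lines[-1] != CERT_FOOTER:
        return None
    body = lines[1:-1]
    if not all(B64_LINE.match(ln) for ln in body):
        return None
    try:
        return base64.b64decode("".join(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(payload: bytes) -> str:
    """Cheap magic-number classification of the unwrapped payload."""
    if payload.startswith(b"PK\x03\x04"):
        try:
            names = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            return "zip-like"
        if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
            return "docx"
        return "zip"
    if payload.startswith(b"%PDF-"):
        return "pdf"
    if payload.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole2"  # legacy .doc/.xls container
    return "unknown"


def keyword_hits(payload: bytes, keywords) -> list:
    """Keyword matching after unwrapping; for zip-based Office files, search the XML parts."""
    haystack = payload
    if payload.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                haystack = b"".join(zf.read(n) for n in zf.namelist() if n.endswith(".xml"))
        except zipfile.BadZipFile:
            pass
    text = haystack.decode("utf-8", errors="ignore").lower()
    return [k for k in keywords if k.lower() in text]


def inspect_upload(text: str, keywords=("confidential", "internal only")) -> dict:
    """What a DLP hook could run on an outbound text upload."""
    payload = unwrap_certutil(text)
    if payload is None:
        return {"wrapped": False, "type": None, "hits": keyword_hits(text.encode(), keywords)}
    return {"wrapped": True, "type": classify(payload), "hits": keyword_hits(payload, keywords)}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-shaped zip; stands in for dataexfiltrate.docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:t>CONFIDENTIAL payroll</w:t></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    blob = certutil_style_encode(build_sample_docx())
    print(inspect_upload(blob))  # wrapped docx with a "confidential" hit
```

The same unwrap step applies to any text-upload channel, not just Grammarly; the point is that keyword and fingerprint rules have to run on the decoded bytes, and that a text file shaped like a certificate but containing a zip or PDF is itself worth alerting on.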



Conclusion:

Even with limited internet access there may be online sites that let you upload data, or write some data as text, which can be leveraged to exfiltrate data even from secured environments. The certutil trick also works for bypassing most DLP products that rely on document fingerprinting or keyword matching, since the original document bytes and keywords never appear on the wire.
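Because the content layer can be blinded this way, the more reliable place to catch the technique is endpoint process telemetry: certutil.exe being launched with its encode/decode switches on a document or archive in a user session. The scanner below is an added example for this post (not the author's tooling and not a vendor rule): it parses constructed Sysmon-style process-creation lines and flags the switch and file extension combination. The -encodehex, -decodehex and -urlcache switches are documented certutil siblings of -encode/-decode that the post does not use; the log format, user names and paths are constructed.

```python
"""Endpoint-telemetry check for certutil used as a file transcoder (added example).

Input lines mimic flattened Sysmon Event ID 1 (process creation) records and
are constructed for this demo; a real pipeline would read the event fields.
"""
import re
from typing import Optional

# Switches that turn certutil into a generic encoder/decoder/downloader.
# The post uses -encode and -decode; the others are documented siblings.
TRANSCODE_SWITCHES = ("encode", "decode", "encodehex", "decodehex", "urlcache")

# Document/archive extensions whose presence in a certutil command is a strong tell.
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|zip|7z)\b", re.IGNORECASE)

# certutil accepts both "-switch" and "/switch".
SWITCH_RE = re.compile(r"(?<!\w)[-/](" + "|".join(TRANSCODE_SWITCHES) + r")\b", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Pull 'Key: value' pairs out of a Sysmon-like flattened line."""
    fields = {}
    for m in re.finditer(r"(\w+): (.*?)(?=\s+\w+: |$)", line):
        fields[m.group(1)] = m.group(2).strip()
    return fields


def flag_certutil(event: dict) -> Optional[str]:
    """Return a reason string if the event is certutil transcoding a file, else None."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not image.lower().endswith("certutil.exe"):
        return None
    m = SWITCH_RE.search(cmd)
    if not m:
        return None  # certificate-management use such as -viewstore is normal
    reason = f"certutil -{m.group(1).lower()} by {event.get('User', '?')}"
    if DOC_EXT.search(cmd):
        reason += " on a document/archive"
    return reason


def scan(lines) -> list:
    """Run the check over a batch of log lines and collect the reasons."""
    out = []
    for ln in lines:
        reason = flag_certutil(parse_event(ln))
        if reason:
            out.append(reason)
    return out


SAMPLE_LOG = [  # constructed records, one per process start
    r"Image: C:\Windows\System32\certutil.exe CommandLine: certutil -encode dataexfiltrate.docx popo.txt User: LAB\jdoe",
    r"Image: C:\Windows\System32\certutil.exe CommandLine: certutil -viewstore User: LAB\jdoe",
    r"Image: C:\Windows\System32\notepad.exe CommandLine: notepad popo.txt User: LAB\jdoe",
    r"Image: C:\Windows\System32\certutil.exe CommandLine: certutil -decode popo.txt igothedata.docx User: LAB\analyst",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The rule deliberately keeps -viewstore and other certificate-store operations out of the alert so that legitimate PKI administration does not drown the signal; pairing the switch with a document extension, a non-admin user, or a Citrix-published session is what raises it to something worth paging on.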

Thanks for reading the post 👍
Thanks to my friends who always support me in learning.
