Bypassing Citrix , Firewall Restrictions & DLP to exfiltrate data using Grammarly

Written by on
Hi Guys,

It been really long time since I have wrote any blogs. Busy doing Red Team Challenge labs and learning on AV/EDR bypasses using known techniques. I will definitely blog about those in near future.

Let's not waste time and jump to the actual topic.

Background:
I was on an engagement where I was tasked to exfiltrate data from the server which was behind Citrix. Client had provided me with low privilege user and I had limited internet access from that server.

Note:- All images and information are not related to client it's from my labs or some image from google.

 What is Citrix?

According to Citrix :
In a Citrix application delivery setup, applications and resources are hosted on central servers. XenApp isolates these applications from the underlying OS and other applications, and streams them into an isolated environment on the target device where they are executed
It basically a reverse RDP where all the activities execute into one central system and you receive the execution data on your screen.

What is Grammarly?

 Grammarly is an online platform for improving English, grammar checking, spell checking, and plagiarism detection platform for the English language

Details:

Step 1:
Accessed the servers using Citrix (image pulled from another blog)



Step 2:
Create a dummy word document with some text.
Used certutil.exe to encode the word document.
Command: certutil -encode dataexfiltrate.docx popo.txt



Step 3:
Login to https://app.grammarly.com/ and upload the encoded file generated from certutil.exe.


Step 4: 
Once file is uploaded from Critix to grammarly you can access the file from anywhere using your credential and download the file.


Step 5:
Decode the file again using certutil.
Command: certutil -decode popo.txt igothedata.docx



Conclusion:

Even with limited internet access there might be some online sites which could provide you the functionality to upload data or write some data in text which can be leverage to exfiltrate data even from the secured environments. The certutil trick also works for bypassing mostly all of the DLP which are working on document fingerprinting or keyword matching.

Thanks for reading the post 👍
Thanks to my friends who always support me for learning.

Comments

  1. AllwinAugust 23, 2019 at 1:09 AM

    That was a good presence of mind!!..keep rocking

    ReplyDelete
  2. samyukthaNovember 21, 2019 at 11:53 AM

    We are an SEO house. The first thing I do when we hire a new freelancer in our content creation agency we get them a Grammarly sign-in so they aren't buffoons in front of clients. Now we also have to subscribe to a crazy amount of programs and that is a lot of cut and pasting. My team is trialing a brand new program called INK for All with an included AI that edits grammar, tone, punctuation, and it understands how a web page is found in search engines. Definitely already experiencing successes for our clients.

    ReplyDelete
  3. numanFebruary 10, 2022 at 8:41 PM

    I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot. crackspick.org I hope to have many more entries or so from you.
    Very interesting blog.
    crackspick.org
    All Working Software Links Is Available
    Grammarly Crack

    ReplyDelete

Post a Comment

Popular posts from this blog

Process Injection - Part I

Written by on
Image
Hello All, After publishing the post about Dumping Process Memory with Custom C# Code my friend Himanshu suggested me to write a tool & a blog post about Process Injection for learning and he referenced his post about Code Injection which covers the concept about the vanilla process injection technique. It was quite interesting to learn and understand the core concepts about Process Injection techniques and as a learning path to code in c# leveraging Windows API I started writing the tool for Process Injection. What is Process Injection ? Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Why Process Injection ?
Read more

Introduction to Callidus

Written by on
Image
Hello All, Performing Red Team assessments are becoming challenging day by day. In mature environments we see a lot of custom tool development and new techniques are getting discovered by the community to overcome various challenges. While thinking about such challenges, I came up with the idea of creating a tool that can leverage legitimate services for establishing command & control communication channel which is likely to be whitelisted or are less monitored due to the nature of services used by the corporate environments. This is not a new technique, we have already seen similar projects that were developed to leverage legitimate services for command & control. Communication channels such as Slackor for Slack C2, DaaC2 for Discord C2 or  Domain Fronting techniques etc. In this post I will introduce you to a tool called "Callidus" which I created to learn & to improve my knowledge about developing custom toolset in C# and learning how to leverage
Read more

Exploring the Dark Side of Package Files and Storage Account Abuse

Written by on
Image
 Hello All, In this blog, we dive into the dark side of package files and Storage Account abuse within the Azure Function App service. We explore how package files can be leveraged to enhance the functionality of the Functions Apps, shedding light on the potential abuse of package files. By examining the connection between the Function App and Storage Account, we uncover how attackers can abuse the Storage Account's connection string to gain unauthorized access to the Function Apps. We will provide step-by-step insights into replacing binary files and deploying custom code, enabling attackers to take control of the Function App.  The research was jointly done by  Raunak and myself . What are Function Apps? Function Apps (Lambda in AWS) are serverless computing services provided by Azure Cloud. They allow developers to build and deploy small, functions that can be triggered by events such as simple HTTP request. Function Apps provide an environment for executing our code without th
Read more