Is this by "breaking out"
Most of the Citrix setups aren't setup properly. So from a dialogue box, such as a save box, you can browse the local server, run cmd, then run IE or whatever other browser is installed. Then use their server to browse the Internet bypassing any local filtering. Also download all your exploits to that server from itself.
No one would leave a server so open I hear you say. Yes they would. A finance department were using a very small company to supply them with their finance app. With the main company we were at forcing a move to "cloud" for every department this small company didn't want to loose business so said they now had a "cloud" version of their app. They didn't really. It was just stuck on a server in one data centre. I said I wanted to test it before fully going live. They hadn't implemented 2fa, which they put on after my suggestion. Then once on the server it was easy to break out of the app, browse the server, run whatever you wanted and surf the net to your hearts content. They originally were gonna make it live in that state!