Victory
Let's first run MFASweep to check whether MFA is enforced for the azintegration user.
From the output, it appears we can only access M365 with a mobile user agent.
We can verify this by attempting to authenticate with the credentials on the Azure Portal; it will ask for MFA via Authenticator.
This is probably due to a conditional access policy.
Recall that for the previous flag we managed to get the credentials of the nina user, so let's use the nina user to enumerate the conditional access policies. We will be using the tool roadrecon to do it.
Looking at the CAP, we can see the azure aws integration account user has an MFA requirement for all platforms except Android and iOS, which matches the result from MFASweep.
We are able to easily bypass a CAP based on device type, because it checks the device type based on the user agent.
Using the browser devtools, we can change the user agent to the device we want it to be, thus bypassing the CAP check. Alternatively, we can simply use a mobile phone.
Remember to enable "Auto-open devtools for popups" so that there won't be an MFA prompt when it opens a new tab.
With that we have successfully bypassed the Conditional Access Policy and gained access to the M365 instance.
At first glance, it seems like the azintegration user has access to the admin portal, so let's see what we can do with it.
Looking at the dashboard, the user has permissions over user management: editing a user as well as resetting its password.
When clicking on edit user button, the result pop up for the user magnus.
We are able to then reset the password for magnus.
Next, let's run MFASweep again to see whether MFA is enforced for magnus and whether we can bypass it.
It seems like we are able to access Office with an iPhone user agent. Let's look at the conditional access policies we enumerated previously to see if there is any CAP for magnus.
This is again in line with the output from MFASweep. As before, we can bypass it with devtools.
It looks like the magnus user does not have many permissions over M365, so let's take a look at the Azure Portal instead.
Looking at the recent resources, there is a Key Vault named ITHelpdesk.
As we are unable to access Key Vault secrets via the Azure Portal, we will need to use the az CLI.
First we run az login as per normal.
In the browser tab that pops up, open the devtools and change our user agent to an iPhone user agent.
With that, we are able to authenticate to the az CLI and bypass MFA.
From the Key Vault enumeration, there is a secret called New-Joiner-Ming-Zhang, which is probably the credentials for a user.
We are able to get the email address by cross-referencing our user list.
Looking at the conditional access policy we enumerated previously, Ming Zhang's MFA is scoped more securely, covering all platforms. However, looking at the excluded applications, we are able to use Ming's credentials to access the Windows Azure Service Management API, as well as Graph Command Line Tools.
This means that we can just run az login or Connect-AzAccount to authenticate.
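The two conditional access gaps used in this lab (an MFA policy that carves out Android/iOS, which is decided from the client-supplied user agent, and an MFA policy with excluded applications) are exactly what a defender should be auditing for. The script below is an added example, not code from the original write-up: it walks a list of policies in the field layout of the Microsoft Graph conditionalAccessPolicy resource (conditions.platforms, conditions.applications, grantControls, state) and reports policies whose MFA requirement depends on platform, excludes applications, or is only in report-only mode. The sample policies, user names and application IDs are constructed; in a real audit the list would come from the Graph conditional access policies endpoint.

```python
"""Audit Entra ID conditional access policies for the gaps seen in this lab:
MFA scoped by device platform (derived from the client's user-agent string)
and MFA policies with excluded applications.

Added example, not code from the original write-up. Field names follow the
Microsoft Graph conditionalAccessPolicy resource; the policies, user names
and application IDs below are constructed sample data.
"""
from typing import Dict, List

# Constructed sample resembling the "value" array returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
SAMPLE_POLICIES: List[Dict] = [
    {
        "displayName": "MFA - integration account",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["azintegration"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            # Platform-scoped: mobile platforms are carved out of the MFA requirement
            "platforms": {
                "includePlatforms": ["windows", "macOS", "linux"],
                "excludePlatforms": ["android", "iOS"],
            },
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA - Ming Zhang",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["ming.zhang"]},
            # Application carve-outs; the IDs are constructed placeholders, real
            # policies hold the app IDs of the excluded cloud apps
            "applications": {
                "includeApplications": ["All"],
                "excludeApplications": ["placeholder-app-id-1", "placeholder-app-id-2"],
            },
            "platforms": {"includePlatforms": ["all"], "excludePlatforms": []},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "MFA - all users (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "platforms": None,  # Graph returns null when the platform condition is unset
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def requires_mfa(policy: Dict) -> bool:
    """True when the policy's grant controls include the built-in MFA control."""
    controls = policy.get("grantControls") or {}
    return "mfa" in (controls.get("builtInControls") or [])


def audit_policy(policy: Dict) -> List[str]:
    """Return human-readable findings for one policy (empty list = no issue)."""
    findings: List[str] = []
    if not requires_mfa(policy):
        return findings
    if policy.get("state") != "enabled":
        findings.append(f"MFA policy not enforced (state={policy.get('state')})")
        return findings

    conditions = policy.get("conditions") or {}

    # Platform conditions are evaluated from the client-supplied user agent, so
    # any platform carve-out makes the MFA requirement a client-controlled choice.
    platforms = conditions.get("platforms") or {}
    included = platforms.get("includePlatforms") or []
    excluded = platforms.get("excludePlatforms") or []
    if excluded or (included and included != ["all"]):
        findings.append(
            "MFA scoped by device platform: excluded="
            + (",".join(excluded) or "-") + " included=" + ",".join(included)
        )

    # Excluded cloud apps: sign-ins to those resources are not subject to this MFA policy.
    apps = conditions.get("applications") or {}
    excluded_apps = apps.get("excludeApplications") or []
    if excluded_apps:
        findings.append(
            f"MFA excludes {len(excluded_apps)} application(s): {', '.join(excluded_apps)}"
        )
    return findings


def audit_policies(policies: List[Dict]) -> Dict[str, List[str]]:
    """Map policy display name -> findings, keeping only policies with findings."""
    report: Dict[str, List[str]] = {}
    for policy in policies:
        findings = audit_policy(policy)
        if findings:
            report[policy["displayName"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_policies(SAMPLE_POLICIES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The fix on the defender side is the same for both findings: require MFA on all platforms rather than carving out mobile, and review every application exclusion against the management and Graph APIs, since a token for an excluded resource is enough to run az login or Connect-AzAccount as the lab shows.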
Next, I will be using the tool azurehound to perform automated enumeration.
Upload the output.json into BloodHound. Since we have access to Ming's account, let's mark it as owned and look at what Ming has permissions over. Using BloodHound, we are able to identify that Ming owns the group IT-Admin.
In turn, the IT-Admins group holds the roles Directory Readers and Printer Technician. Interestingly, the IT-Admins group has no existing members.
Since Ming is the owner of the group, he is able to add users to it. Let's add Ming to the group and try enumerating with the escalated Directory Readers permission. We will be using roadtools to request an access token with the msgraph scope.
Next, using the Graph API, let's add Ming to the IT-ADMINS group.
We can then verify by checking the group members; Ming is in it now.
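The escalation above (group owner adds himself to a role-bearing group nobody is watching) is a finding a defender can hunt for directly. The script below is an added example, not code from the original write-up: it takes a simplified, constructed list of groups with their owners, members and assigned directory roles (in a real audit this would be joined from the Graph groups endpoint and the tenant's role assignments) and reports every owner of a role-bearing group, ranking an owner who is not yet a member highest and flagging empty groups as dormant.

```python
"""Find Entra ID group owners who can grant themselves (or others) directory
roles by adding members to a role-bearing group they own.

Added example, not code from the original write-up. The group records use a
constructed, simplified shape: real data would be joined from the Graph
/groups endpoint (owners and members) and the roles assigned to each group.
"""
from typing import Dict, List

# Constructed sample modelled on the IT-Admins finding in the walkthrough.
SAMPLE_GROUPS: List[Dict] = [
    {
        "displayName": "IT-Admins",
        "owners": ["ming.zhang"],
        "members": [],  # role-bearing group with no members: a dormant escalation path
        "directoryRoles": ["Directory Readers", "Printer Technician"],
    },
    {
        "displayName": "Marketing",
        "owners": ["nina"],
        "members": ["nina", "magnus"],
        "directoryRoles": [],
    },
    {
        "displayName": "Helpdesk",
        "owners": ["magnus"],
        "members": ["magnus"],
        "directoryRoles": ["Helpdesk Administrator"],
    },
]


def owner_escalation_paths(groups: List[Dict]) -> List[Dict]:
    """One record per (owner, role-bearing group).

    Owners can add members to their group, so every owner of a group that
    holds directory roles controls who receives those roles. An owner who is
    not already a member gains the roles outright by self-adding; an empty
    group is flagged as dormant because a first member is easy to overlook.
    """
    paths: List[Dict] = []
    for group in groups:
        roles = group.get("directoryRoles") or []
        if not roles:
            continue
        members = set(group.get("members") or [])
        for owner in group.get("owners") or []:
            paths.append(
                {
                    "owner": owner,
                    "group": group["displayName"],
                    "roles": list(roles),
                    "owner_is_member": owner in members,
                    "dormant": not members,
                }
            )
    return paths


def severity(path: Dict) -> str:
    """An owner who does not yet hold the roles is the actual escalation."""
    return "medium" if path["owner_is_member"] else "high"


def render(paths: List[Dict]) -> List[str]:
    """Format findings as one line each for a report or alert."""
    return [
        f"[{severity(p)}] {p['owner']} owns {p['group']} -> {', '.join(p['roles'])}"
        + ("" if p["owner_is_member"] else " (owner not a member)")
        + (" (group empty)" if p["dormant"] else "")
        for p in paths
    ]


if __name__ == "__main__":
    for line in render(owner_escalation_paths(SAMPLE_GROUPS)):
        print(line)
```

Run against the constructed data, the first line reported is ming.zhang owning the empty IT-Admins group, which is the path taken in this lab; on a live tenant the same output is the list of owners to review, and an alert on the first member added to an empty role-bearing group would have caught the step above.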
With our new permission, let's attempt to enumerate Azure resources. (Note that you will need to log in to the az CLI again.)
From the resource listing, it seems like there is another storage account called securebackups. Let's enumerate it using the management API.
There is a container called files; let's try listing the blobs. But first we will need to request another token for the storage API.
Within the file listing, there is a file named mp-ga-creds.zip; let's download that file.
The zip file is password protected.
I had attempted to use zip2john with our password list and rockyou to crack the password, but to no avail.
Then I recalled that in previous steps there was always a bad practice within the massive-pharma organization of sending plaintext credentials over Teams/Outlook. So let's enumerate those to see if there is anything similar.
First, let's get an access token for Teams using AADInternals.
As expected, the password for the zip is sent again in plaintext in the Teams messages.
As a bonus, we are also given the global admin credentials???
However, sven's MFA ensures that everything is blocked and we sadly can't log in as the GA.
The password has also sadly been reset.
Check for MFA on the azintegration user
Using the nina account, enumerate the conditional access policies
Bypass the conditional access policy using browser devtools to modify the user agent
Reset magnus's password using the M365 web portal
Bypass the CAP similarly using browser devtools
Authenticate as Magnus on the Azure Portal with devtools
Notice that Magnus has access to the Key Vault
Authenticate to the magnus account on the CLI with az login and bypass the CAP using devtools
Retrieve Ming's password from the Key Vault
Use azurehound to perform automated enumeration
Identify that Ming owns the group IT-ADMINS
Add Ming to the IT-ADMINS group, and enumerate Azure resources
Identify another storage account which contains mp-ga-creds.zip
Download the file and try cracking the zip password, to no avail
Enumerate Teams messages to retrieve the zip password
Unzip and win