
Commit

GITBOOK-506: change request with no subject merged in GitBook
carlospolop authored and gitbook-bot committed Dec 27, 2023
1 parent 6195015 commit aa5397d
Showing 46 changed files with 333 additions and 35 deletions.
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1) (1).png
Binary file modified .gitbook/assets/image (1) (1).png
Binary file modified .gitbook/assets/image (1).png
Binary file modified .gitbook/assets/image (2) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1) (1).png
Binary file modified .gitbook/assets/image (2) (1).png
Binary file modified .gitbook/assets/image (2).png
Binary file added .gitbook/assets/image (3) (1) (1) (2).png
Binary file modified .gitbook/assets/image (3) (1) (1).png
Binary file modified .gitbook/assets/image (3) (1).png
Binary file modified .gitbook/assets/image (3).png
Binary file added .gitbook/assets/image (4) (1) (1) (1).png
Binary file modified .gitbook/assets/image (4) (1) (1).png
Binary file modified .gitbook/assets/image (4) (1).png
Binary file modified .gitbook/assets/image (4).png
Binary file added .gitbook/assets/image (5) (1) (1) (1) (1).png
Binary file modified .gitbook/assets/image (5) (1) (1) (1).png
Binary file modified .gitbook/assets/image (5) (1) (1).png
Binary file modified .gitbook/assets/image (5) (1).png
Binary file modified .gitbook/assets/image (5).png
Binary file modified .gitbook/assets/image.png
1 change: 1 addition & 0 deletions SUMMARY.md
Expand Up @@ -337,6 +337,7 @@
* [Az - Pass the PRT](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md)
* [Az - Phishing Primary Refresh Token (Microsoft Entra)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-phishing-primary-refresh-token-microsoft-entra.md)
* [Az - Primary Refresh Token (PRT)](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-primary-refresh-token-prt.md)
* [Az - Roadtx - Authentication](pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md)
* [Az - Persistence](pentesting-cloud/azure-security/az-persistence.md)
* [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/dynamic-groups.md)
* [Digital Ocean Pentesting](pentesting-cloud/digital-ocean-pentesting/README.md)
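Review bot: the new SUMMARY entry links to `pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/az-roadtx-authentication.md`, and the two `content-ref` blocks added further down in this commit reference the same file, but that file does not appear among the changed files shown here; confirm it is actually part of this commit, otherwise the sidebar entry and both content-refs will resolve to a missing page in the GitBook build.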
2 changes: 1 addition & 1 deletion pentesting-ci-cd/gitea-security/README.md
Expand Up @@ -18,7 +18,7 @@ Other ways to support HackTricks:

**Gitea** is a **self-hosted community managed lightweight code hosting** solution written in Go.

![](<../../.gitbook/assets/image (5) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (5) (1) (1) (1) (1).png>)

### Basic Information
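Review bot: the replaced asset name `image (5) (1) (1) (1) (1).png` is one of more than twenty auto-suffixed `image (n) (1) ... .png` files touched by this commit, and the only difference between the old and new reference is one extra `(1)`, which makes it easy to point a page at the wrong screenshot without noticing; consider giving the assets descriptive names (for example one that mentions Gitea) so a mismatched rename is visible in review.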

Expand Up @@ -80,7 +80,7 @@ If the login attempt fails, we’re redirected to the login error page.

But if the **login is successful**, we’re redirected to the main Jenkins page, and a **session cookie is set**.

<figure><img src="../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (3) (1) (1) (2).png" alt=""><figcaption></figcaption></figure>

So, we can **brute-force Jenkins credentials and get a session cookie!**\
However, we are a bit limited – we can only **send one stateless request each time**, and the **cookie can’t be attached** to our request, as we can’t control the headers.
12 changes: 6 additions & 6 deletions pentesting-ci-cd/okta-security/README.md
Expand Up @@ -64,19 +64,19 @@ getST.py -spn HTTP/clientname.kerberos.okta.com -dc-ip 1.2.3.4 LAB/comprommisedu

With a ticket retrieved for the AD user, we need to inject this on a host we control using Rubeus or Mimikatz:

<figure><img src="../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

You’ll need to make sure that `clientname.kerberos.okta.com` is added to the “Intranet” security zone in Internet Options. And then, in our browser, if we hit the below URL, we should find that we receive a JSON response providing an `OK` result when the Kerberos ticket is accepted:

<figure><img src="../../.gitbook/assets/image (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

Heading over to the Okta dashboard, if everything is OK, you’ll be signed in.

Moreover, if we are able to compromise the actual Okta service account exposing the delegation SPN, we can perform a Silver Ticket attack.

It should be noted that as Okta only support AES for ticket encryption, we’ll need to ensure we have the AES key or plaintext password to authenticate:

<figure><img src="../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>

To craft our ticket for the victim user of `testuser`, we use:

Expand All @@ -88,7 +88,7 @@ ticketer.py -domain-sid S-1-5-21-4170871944-1575468979-147100471 -domain lab.loc

And again, deliver this to Okta via our browser session:

<figure><img src="../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (3) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Hijacking Okta AD Agent

Expand All @@ -104,11 +104,11 @@ C:\Program Files (x86)\Okta\Okta AD Agent

We’re going to take a look at the `OktaAgentService.exe.config`, which contains a few interesting bits of XML:

<figure><img src="../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (4) (1) (1).png" alt=""><figcaption></figcaption></figure>

The Base64 encoded `AgentToken` is where we set our sights. If we open up `OktaAgentService.exe` in dnSpy, we can see how these values are decrypted:

<figure><img src="../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../.gitbook/assets/image (5) (1) (1).png" alt=""><figcaption></figcaption></figure>

That’s right.. good ol’ DPAPI! The `RandomEntropy` value is set to a value of:

2 changes: 1 addition & 1 deletion pentesting-ci-cd/travisci-security/README.md
Expand Up @@ -44,7 +44,7 @@ It looks like It's not possible to set crons inside the `.travis.yml` according

TravisCI by default disables sharing env variables with PRs coming from third parties, but someone might enable it and then you could create PRs to the repo and exfiltrate the secrets:

![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png>)
![](<../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png>)

### Dumping Secrets

Expand Up @@ -106,7 +106,7 @@ aws kms put-key-policy --key-id mrk-c10357313a644d69b4b28b88523ef20c \
Note that if you change that policy and only give access to an external account, and then from this external account you try to set a new policy to **give the access back to original account, you won't be able**.
{% endhint %}

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Destroy keys

Expand Up @@ -42,7 +42,7 @@ For example, **airflow** could be storing **DAGs** **code** in there, or **web p

The following screenshot shows an example of a file that was targeted for a ransomware attack. As you can see, the account ID that owns the KMS key that was used to encrypt the object (7\*\*\*\*\*\*\*\*\*\*2) is different than the account ID of the account that owns the object (2\*\*\*\*\*\*\*\*\*\*1).

![](<../../../.gitbook/assets/image (2) (1) (1) (1) (1).png>)
![](<../../../.gitbook/assets/image (2) (1) (1) (1) (1) (1).png>)

Here you can [find a ransomware example](https://github.com/RhinoSecurityLabs/Cloud-Security-Research/blob/master/AWS/s3\_ransomware/s3-ransomware-poc.py) that does the following:

Expand Up @@ -62,7 +62,7 @@ Note that ECR requires that users have **permission** to make calls to the **`ec

It's possible to automatically replicate a registry in an external account configuring cross-account replication, where you need to **indicate the external account** there you want to replicate the registry.

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

First, you need to give the external account access over the registry with a **registry policy** like:

Expand Up @@ -248,7 +248,7 @@ It's possible to generate API keys in the API Gateway portal and even set how mu

To make an API key work, you need to add it to a **Usage Plan**, this usage plan mus be added to the **API Stage** and the associated API stage needs to have a configured a **method throttling** to the **endpoint** requiring the API key:

<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

## Unauthenticated Access

Expand Up @@ -119,7 +119,7 @@ AWS Access Advisor relies on last 400 days AWS **CloudTrail logs to gather its i
Therefore, Access Advisor informs about **the unnecessary permissions being given to users** so the admin could remove them
{% endhint %}

<figure><img src="../../../../.gitbook/assets/image (2) (1) (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../../.gitbook/assets/image (2) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

## Actions

Expand Up @@ -40,22 +40,36 @@ There are different token types in Azure AD that each have their own limitations

* **Access tokens**, which can be used to **talk to APIs and access resources**, for example over the Microsoft Graph. They are tied to a **specific client** (the application that requested them), and a **specific resourc**e (the API that you are accessing).
* **Refresh tokens**, which are issued to applications to **obtain new access tokens**, since access tokens have a relatively short lifetime. They can only be used by the application they were issued to, or in some cases by a group of applications.
* **Primary Refresh Tokens**, which are used for **Single Sign On on devices** that are Azure AD joined, registered or hybrid joined. They can be used both in **browser sign-in** flows to web applications and for signing in to **mobile and desktop applications** running on the device. They can be used to request **access tokens**.
* **Primary Refresh Tokens (PRT)**, which are used for **Single Sign On on devices** that are Azure AD joined, registered or hybrid joined. They can be used both in **browser sign-in** flows to web applications and for signing in to **mobile and desktop applications** running on the device. They can be used to request **access tokens**.

PRT is the most interesting type of token, check more information about them in:

{% content-ref url="az-primary-refresh-token-prt.md" %}
[az-primary-refresh-token-prt.md](az-primary-refresh-token-prt.md)
{% endcontent-ref %}

## Pivoting Techniques

From the **compromised machine to the cloud**:

* [**Pass the Cookie**](az-pass-the-cookie.md)
* [**Pass the PRT**](pass-the-prt.md)
* [**Pass the Certificate**](az-pass-the-certificate.md)
* [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)
* [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login
* [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it
* [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it.
* [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another

From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**:

* [**Azure AD Connect**](azure-ad-connect-hybrid-identity/)
* **Another way to pivot from could to On-Prem is** [**abusing Intune**](../intune.md)

### [Roadtx](https://github.com/dirkjanm/ROADtools)

This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in:

{% content-ref url="az-roadtx-authentication.md" %}
[az-roadtx-authentication.md](az-roadtx-authentication.md)
{% endcontent-ref %}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
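Review bot: the added Intune bullet reads "pivot from could to On-Prem"; this should be "from cloud to On-Prem". In the same hunk, the new Roadtx paragraph has "This tool allows to perform several actions" and "These are not direct attacks, but it facilitates", which should read "allows you to perform" and "but it facilitates the use of PRTs" with a singular subject, or "they facilitate" with a plural one. This exact paragraph is also pasted verbatim into the PRT page in this commit; keeping the description in one place and linking to it with the `content-ref` block avoids the two copies drifting apart.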
Expand Up @@ -40,7 +40,7 @@ RequestCert.py [-h] --tenantId TENANTID --prt PRT --userName USERNAME --hexCtx H
```
{% endcode %}

The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) **** that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.
The certificates will last the same as the PRT. To use the certificate you can use the python tool [**AzureADJoinedMachinePTC**](https://github.com/morRubin/AzureADJoinedMachinePTC) that will **authenticate** to the remote machine, run **PSEXEC** and **open a CMD** on the victim machine. This will allow us to use Mimikatz again to get the PRT of another user.

```bash
Main.py [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP
Expand Up @@ -42,27 +42,27 @@ Therefore, it's possible to use a regular refresh token, that is not tied to a d

The “upgrade” from normal refresh token to primary refresh token is not possible with every refresh token. It requires a specific application ID (client ID) in the sign-in flow. Windows uses the client ID `29d9ed98-a469-4536-ade2-f981bc1d605e` (Microsoft Authentication Broker) and resource `https://enrollment.manage.microsoft.com/` for this request. We can emulate this flow with the roadtx `gettokens` command, which supports several different authentication flows:

<figure><img src="../../../.gitbook/assets/image.png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>

If there is a policy that requires MFA to sign in, we can instead use the `interactiveauth` module:

<figure><img src="../../../.gitbook/assets/image (1).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (1) (1).png" alt=""><figcaption></figcaption></figure>

The resulting refresh token (which is cached in the `.roadtools_auth` file) can be used to request a token for the device registration service, where we can create the device:

<figure><img src="../../../.gitbook/assets/image (2).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (2) (1).png" alt=""><figcaption></figcaption></figure>

Now that we have a device identity, we can combine this with the same refresh token to obtain a PRT (both refresh tokens shortened for readability):

<figure><img src="../../../.gitbook/assets/image (3).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (3) (1).png" alt=""><figcaption></figcaption></figure>

Tokens resulting from the authentication will contain the same authentication method claims as used during the registration, so **any MFA usage will be transferred to the PRT**. The PRT that we get can be used in any authentication flow, so we can expand the scope of our limited refresh token to any possible app.

<figure><img src="../../../.gitbook/assets/image (4).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (4) (1).png" alt=""><figcaption></figcaption></figure>

We can also use this to sign in to browser flows:

<figure><img src="../../../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/image (5) (1).png" alt=""><figcaption></figcaption></figure>

### Provisioning Windows Hello for Business keys <a href="#provisioning-windows-hello-for-business-keys" id="provisioning-windows-hello-for-business-keys"></a>
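Review bot: all five replaced `<figure>` elements in this hunk keep `alt=""` and an empty `<figcaption>`, and the surrounding text refers to the screenshots for the actual `roadtx` invocations (`gettokens`, `interactiveauth`, device registration, PRT request, browser sign-in); add a caption or alt text naming the command each screenshot shows so the page stays usable when an image fails to load or is renamed again, as happened in this commit.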

Expand Up @@ -14,7 +14,7 @@ Other ways to support HackTricks:

</details>

**Post copied from** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/)
**Post copied from** [**https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) although another post explaining the same can be found in [**https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30**](https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30)

## Basic Information
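Review bot: the added clause "although another post explaining the same can be found in ..." uses "although" where no contrast is intended; suggest "Post copied from [dirkjanm.io ...]; another post explaining the same technique is [specterops ...]", and closing the sentence with a period.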

Expand Down Expand Up @@ -188,6 +188,14 @@ Check how to obtain a PRT token from a compromised device and use it to access A
[pass-the-prt.md](pass-the-prt.md)
{% endcontent-ref %}

## [Roadtx](https://github.com/dirkjanm/ROADtools)

This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in:

{% content-ref url="az-roadtx-authentication.md" %}
[az-roadtx-authentication.md](az-roadtx-authentication.md)
{% endcontent-ref %}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
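Review bot: the Roadtx section is added here as a level-2 heading (`## [Roadtx]...`) while the same section added to the lateral-movement README in this commit is level 3 (`### [Roadtx]...`); pick one level for both, and since the paragraph text is identical in both files, consider keeping only the `content-ref` block here and leaving the description in one place.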