
Illicit Consent Grant


Last updated 3 months ago

When we have initial access to a user, we can create an application (by default, any user in the tenant is allowed to register applications).

A recommendation is to deny users the ability to create applications.

With this application we can ask another user to consent to permissions for our application. When the user consents, we receive their access token. With this access token we can interact with, for example, the Microsoft Graph API.

Attack

We first go to https://portal.azure.com and register an application from our initial access user. We should use a URL that we own as the redirect URL, for example https://172.16.10.10/login/authorized. For the permissions, we add User.ReadBasic.All:

If we save and run the attack, a shell pops up with a phishing link:

We send this link to the victim. If the victim consents to our application, we receive an update in the GUI:

We can copy the access_token and use it to connect to Microsoft Graph.

PS C:\Windows\system32> $token = 'eY.....'
PS C:\Windows\system32> Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)
Welcome to Microsoft Graph!

Connected via userprovidedaccesstoken access using bd46fc07-1626-43be-80b7-fkfkfkf
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs

NOTE: You can use the -NoWelcome parameter to suppress this message.

PS C:\Windows\system32> Get-MgContext


ClientId               : bd46fc07-1626-43be-80b7fgfgfgfgff
TenantId               : 2d50cb29-5f7b-48a4-87ceffgffgfgfg
Scopes                 : {User.Read, User.ReadBasic.All, profile, openid...}
AuthType               : UserProvidedAccessToken
TokenCredentialType    : UserProvidedAccessToken
CertificateThumbprint  :
CertificateSubjectName :
SendCertificateChain   : False
Account                : x@pp.onmicrosoft.com
AppName                : student60
ContextScope           : Process
Certificate            :
PSHostVersion          : 5.1.17763.1490
ManagedIdentityId      :
ClientSecret           :
Environment            : Global

Next, we spin up a tool called 365-Stealer, which is a tool created by Altered Security that provides a GUI to manage our phishing attack. This tool allows us to fill in the app's information:
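From the defender's side, the grant the victim clicks through is recorded in the tenant as an OAuth2 permission grant, and the two settings that make the attack possible (users may register apps, users may consent for themselves) live in the authorization policy. The following audit script is an added example, not part of these notes or of 365-Stealer; it assumes the Microsoft Graph PowerShell SDK used above and an admin session with Directory.Read.All and Policy.Read.All. The hardening call at the end is commented out and is an assumption about the cmdlet's parameters; confirm against the SDK docs before running it.

```powershell
# Added example: find delegated consent grants to suspicious apps and show the
# tenant settings behind the recommendation above. Assumes Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Directory.Read.All','Policy.Read.All' -NoWelcome

$tenantId = (Get-MgOrganization).Id

# ConsentType 'Principal' = one user consented for themselves, which is exactly
# what the phishing link above produces (admin consent shows as 'AllPrincipals').
$grants = Get-MgOauth2PermissionGrant -All

$findings = foreach ($g in $grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId

    # App registered in another tenant: the attacker's app is homed elsewhere
    $foreign = $sp.AppOwnerOrganizationId -and ([string]$sp.AppOwnerOrganizationId -ne $tenantId)
    # No verified publisher on the app
    $unverified = -not $sp.VerifiedPublisher.DisplayName
    # Reply URL pointing at a bare IP address, like the example redirect URL above
    $ipReply = @($sp.ReplyUrls | Where-Object { $_ -match '^https?://\d{1,3}(\.\d{1,3}){3}' }).Count -gt 0

    if ($g.ConsentType -eq 'Principal' -and ($foreign -or $unverified -or $ipReply)) {
        $upn = if ($g.PrincipalId) { (Get-MgUser -UserId $g.PrincipalId).UserPrincipalName } else { '' }
        [pscustomobject]@{
            App        = $sp.DisplayName
            AppId      = $sp.AppId
            Foreign    = $foreign
            Unverified = $unverified
            IpReplyUrl = $ipReply
            User       = $upn
            Scope      = $g.Scope      # e.g. 'User.Read User.ReadBasic.All'
        }
    }
}
$findings | Format-Table -AutoSize

# Tenant settings: may ordinary users register apps, and which grant policies let
# them consent for themselves (an empty list means consent goes to an admin).
$policy = Get-MgPolicyAuthorizationPolicy
"Users may create apps : $($policy.DefaultUserRolePermissions.AllowedToCreateApps)"
"User consent policies : $($policy.PermissionGrantPolicyIdsAssignedToDefaultUserRole -join ', ')"

# Hardening (needs Policy.ReadWrite.Authorization). Parameter names are an assumption;
# verify against the Update-MgPolicyAuthorizationPolicy documentation before use.
# Update-MgPolicyAuthorizationPolicy `
#     -DefaultUserRolePermissions @{ AllowedToCreateApps = $false } `
#     -PermissionGrantPolicyIdsAssignedToDefaultUserRole @()
```

Revoking a grant found this way is done by removing the OAuth2PermissionGrant object (and, if the app is foreign, its service principal), after which the stolen token stops refreshing.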

365-Stealer: https://github.com/AlteredSecurity/365-Stealer
Illicit Consent Grant attack explained