Az - Pass the Cookie
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Browser cookies are a great mechanism to bypass authentication and MFA. Because the user has already authenticated in the application, the session cookie can just be used to access data as that user, without needing to re-authenticate.
You can see where are browser cookies located in:
The challenging part is that those cookies are encrypted for the user via the Microsoft Data Protection API (DPAPI). This is encrypted using cryptographic keys tied to the user the cookies belong to. You can find more information about this in:
With Mimikatz in hand, I am able to extract a user’s cookies even though they are encrypted with this command:
For Azure, we care about the authentication cookies including ESTSAUTH
, ESTSAUTHPERSISTENT
, and ESTSAUTHLIGHT
. Those are there because the user has been active on Azure lately.
Just navigate to login.microsoftonline.com and add the cookie ESTSAUTHPERSISTENT
(generated by “Stay Signed In” option) or ESTSAUTH
. And you will be authenticated.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)