1/337
Speedrun edition
Features
- Group, bookings and scheduling mailbox
- Github workflow injection
- Asking PRT Cookie
2/337
This is not a rump session about cyclimse
Group
(and sometimes user info)
3/337
Warning:
- I have never installed (A)AD or O365, so my vocabulary may be approximate
4/337
By clicking on Account you can sometimes change first/last name, whereas on myAccount you can't.
5/337
The group is visible in the contact list
6/337
Bookings
Most official way
7/337
All the stunts in these slides were performed as a simple user.
8/337
So, Sasuke is better than Naruto
9/337
Exchange/Outlook seems to create a member account in the AD
10/337
Pro
- Nice interface
- Fully managed
- No code
- User created on AAD
Con
- Weird name to mailbox conversion (remove dot, lowercase, ...)
- Bookings can be disabled (33% success rate)
11/337
Scheduling mailbox
The forgotten API?
12/337
On dit "retro compatible"
13/337
PB: cga8U9Wd / RTFM
Well, use -Scope CurrentUser to install without local admin rights
Pro
- Better control than bookings
- Should be disabled in addition to booking (100% success)
- We can choose domain!
Get-AcceptedDomain
- Creates a member in (A)AD
Con
Scheduling mailboxes are still limited (can't log in)
14/337
https://outlook.office.com/mail/sasuke@orga.com for read/write email
Github workflow injection
15/337
Gentlemen from Synacktiv, close your eyes for 3 minutes
Documented
16/337
17/337
It's like eval(`alert('${userInput}')`);
18/337
19/337
Indirect run can be impacted
Did you know Tribanol?
21/337
Several "alias" to run
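The eval() analogy above in working form, as an added example that is not code from the talk: a POSIX sh/awk checker that flags `run:` scripts interpolating event fields chosen by whoever opened the issue or PR, with a constructed vulnerable workflow beside the `env:`-based fix. The list of untrusted contexts and both sample workflows are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the talk. GitHub pastes ${{ ... }} expressions
# into a step's `run:` script as text BEFORE the shell parses it, so a field
# chosen by whoever opened the issue/PR/comment becomes part of the script
# (the eval() analogy). Routing the value through `env:` is the fix: it then
# arrives as an ordinary environment variable and is never re-parsed as code.

# Assumed (my own, non-exhaustive) list of attacker-controllable contexts.
UNTRUSTED='[$][{][{][^}]*github[.](event[.](issue|pull_request|comment|review|review_comment|discussion)[.][A-Za-z_.]*|head_ref)'

# scan_workflow FILE: prints "FILE:LINE: text" for each run: line (one-liner or
# `run: |` block) embedding such a context; exit 1 if any. env:/with: not flagged.
scan_workflow() {
  awk -v re="$UNTRUSTED" '
    function indent(s) { match(s, /^ */); return RLENGTH }
    function report()  { found = 1; print FILENAME ":" NR ": " $0 }
    /^ *-? *run: *[|>]/ { in_run = 1; base = indent($0); next }
    /^ *-? *run:/       { in_run = 0; if ($0 ~ re) report(); next }
    in_run && $0 !~ /^ *$/ && indent($0) <= base { in_run = 0 }
    in_run && $0 ~ re { report() }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed samples: the unsafe pattern and its env:-based counterpart.
VULN=$(mktemp); SAFE=$(mktemp); trap 'rm -f "$VULN" "$SAFE"' EXIT
cat >"$VULN" <<'EOF'
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
EOF
cat >"$SAFE" <<'EOF'
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
EOF

echo "--- vulnerable:"; scan_workflow "$VULN" || echo "=> exit 1, move the value into env:"
echo "--- hardened:";   scan_workflow "$SAFE" && echo "=> exit 0, clean"
```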
PRT Cookie
Asking politely
22/337
GetCookieInfoForUri to its close friends
23/337
24/337
PB: kue64T0B / RTFM
(That's a zero)
AADInternals was updated yesterday, cool!
How to
Go to portal.azure.com
- redirect to login
- edit/add cookie as provided
- Go to portal.azure.com again
- Enjoy
TTL?
Session SSO: 5 minutes?
Portal: a few hours?
Teams: a week?
Outlook: did it even renew?
Other orgs linked to SSO?
25/337
Other ?
PRT Cookie is provided after MFA, and most policies to restrict account login ...
26/337
27/337
PB: CZ2jzdEx / RTFM
Nice parser, hopefully client will sanitize
More ?
28/337
Once the PowerShell module is installed:
- Get-Module: list the loaded modules (look at the tmp one)
- Get-Command -ListImported -Module tmpEXO_blah.blah
Powershell Exchange
29/337
30/337
Nothing here
The end
337/337
PS: Claire is really cool.
By Tr4l