38C3 - From Simulation to Tenant Takeover
- Published: 7 Feb 2025
- All I wanted was for Microsoft to deliver my phishing simulation. This journey took me from discovering trivial vulnerabilities in Microsoft's Attack Simulation platform, to a Chinese company to which Microsoft outsourced its support department that wanted all my access tokens. I finally ended up hijacking remote PowerShell sessions and obtaining all data from random Microsoft 365 tenants, all the while reeling in bug bounties along the way.
This talk is the result of what happens when you ask a hacker to simply automate sending out a phishing simulation.
My first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial vulnerabilities and no more faith in the product.
Then I tried building a phishing simulation program myself and the last thing I needed was to allowlist my IP address in Exchange Online.
I ended up in a rabbit hole where I discovered that Microsoft outsourced their support department to a Chinese company that wanted all my access tokens.
I then tried intercepting client-side requests made by the Security & Compliance center with the goal of replaying these to a backend API, only to discover that by fiddling with some parameters I could now hijack remote PowerShell sessions and access Microsoft 365 tenants that were not mine: tenants where I could now export everything, e-mail, files, etc.
Vaisha Bernard
events.ccc.de/...
#38c3 #Security
Licensed to the public under creativecommons...
This talk makes bug hunting at Microsoft look like an infinite money glitch 😂
...he could have registered all 200+ domains and got 3000 x 200 = over 600K. Sounds like good money to me :D :D :D
I am terrified that most of the talks about cybersecurity vulnerabilities are really just someone stumbling around having issues and then finding truly horrifying vulnerabilities
I personally have a privilege escalation to root with the dotnet installation under linux like 8 years ago. Got a bug bounty from Microsoft.
Found it by reading the official docs. They did wget the apt repo, and then sudo mv'd it, same with the public key.
Now any process running as the user could replace the repository to point to an arbitrary server, replace the key with one you have the pk for, and the next time you run apt-get upgrade you'd have RCE as root.
It really was just reading the docs, and I got paid a pretty penny for that. Kinda crazy in hindsight.
At least those are the people who are willing to talk about it. I suspect most of the people who actively go looking for vulnerabilities (or plant backdoors themselves) don't give talks about it.
Hacking is forbidden in Germany, so they happen to stumble over things. There are no white hats in Germany, only Security Researchers™.
I was fucking around with inviting a new user on Entra ID, got some weird behaviour, stumbled on an open redirect from the main Microsoft sign-in domain. Through messing around I managed to get the (plaintext) password of every student at my high school, and address/phone/email/etc. of most students at my university. (Plus more.) It's just insane how much crap is out there.
Man this is something else than defcon entirely. Feels so nice to watch a recording from a hacking convention that isn't littered with audio glitches and poor quality. Great job, CCC!
Yeah so many Defcon talks have their flow ruined by all the tech issues, not even just the recording but on stage too. Surely they can afford to hire a few actual production guys to oversee everything...
It’s funny, I just watched three CCCC videos in a row with miserable audio and presentation failures and this is the first CCCC video I’ve seen that actually was fine.
Man, I really need to look into cybersecurity more.
This is an absolute blast watching and figuring out odd solutions where things might break.
Absolutely brilliant talk! L337 hacks, presented in a way that makes them seem trivial with some hilarious commentary! Can't wait for more!
Well done!
20:22 oh….oh no….😂🤣😂🤣😂🤣
25:04 Really disappointed in the audience there
Yeah I expected way more reaction to that. Maybe this was a very early / late talk?
I feel sorry for the camera angel that had to film him pacing from one side of the stage to the other the whole talk.
Coincidentally I was just watching this while “falling” for a phishing simulation. On behalf of someone who forwarded me the link. Feel sorry for them.