Skip to content

Latest commit

 

History

History
57 lines (34 loc) · 3.95 KB

az-pass-the-cookie.md

File metadata and controls

57 lines (34 loc) · 3.95 KB
Raw

Az - Pass the Cookie

Support HackTricks and get benefits!

Why Cookies?

Browser cookies are a great mechanism to bypass authentication and MFA. Because the user has already authenticated in the application, the session cookie can just be used to access data as that user, without needing to re-authenticate.

You can see where are browser cookies located in:

{% embed url="https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/browser-artifacts?q=browse#google-chrome" %}

Attack

The challenging part is that those cookies are encrypted for the user via the Microsoft Data Protection API (DPAPI). This is encrypted using cryptographic keys tied to the user the cookies belong to. You can find more information about this in:

{% embed url="https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords" %}

With Mimikatz in hand, I am able to extract a user’s cookies even though they are encrypted with this command:

mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit

For Azure, we care about the authentication cookies including ESTSAUTH, ESTSAUTHPERSISTENT, and ESTSAUTHLIGHT. You can see those are there because the user has been active on Azure lately:

Just navigate to login.microsoftonline.com and add the cookie ESTSAUTHPERSISTENT (generated by “Stay Signed In” option) or ESTSAUTH. And you will be authenticated.

References

Support HackTricks and get benefits!