Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Break into any Microsoft building: Leaking PII in Microsoft Guest Check-In

Bribes · Posted 7 Months Ago
  • While browsing Shodan one day, they noticed a subdomain associated with Microsoft - guest.microsoft.com. Once logged in via a phone number, no information was given. This seemed like it wasn't meant to be publicly accessible.
  • Looking at the Burp Suite logs, they found an interesting API relating to their previous stays: /api/v1/config/ with a JSON parameter called buildingIds. Since they had not visited any buildings, no information was provided: the array of buildings was empty. By providing an ID of 1, they were able to see some building information.
  • Surprisingly, a lot of building information was provided: access codes in some of them, address/building name, parking info, GPS coordinates, QR code data, Microsoft employee emails, etc. After iterating over more IDs, they found buildings from Israel to the United States.
  • They wanted to increase the impact some more. After some more effort reversing the JavaScript, they found the API /api/v1/host. By providing an email, PII about the employee, such as phone number, office location, mailing address, and more, was provided. The same issue existed for guests looked up by their email as well.
  • They couldn't find any exposed APIs around explicit visits, so they tried digging further. They tried path traversal via secondary-context vulnerabilities. After using ..%2f..%2f..%2f (../../../ URL-encoded), they were able to get an Azure Functions page. But why!? The proxy routed on the raw path, then decoded the URL-encoded / and passed the decoded path to the actual Azure function. Neat!
  • After some directory brute forcing, they got a 500 error at /api/visits/visit/test. Eventually, they managed to get this working to retrieve a wide range of invitation and meeting information. Sadly, they got nothing for the vulnerability: it was moved to review/repo, fixed, and no payment was ever made. Regardless, it was a good set of vulns!
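As an added illustration (not code from Bribes' writeup or from Microsoft's service), here is what the two missing server-side checks look like: the buildingIds lookup bound to the authenticated guest's own visits, and the proxy normalizing a path before routing so the backend never sees a different path than the one that was routed. The building records, phone numbers and function names are constructed.

```python
# Added example, not from the original post. Sample data is constructed.
from urllib.parse import unquote

# Constructed stand-in for the buildings database.
BUILDINGS = {
    1: {"name": "Building 1", "access_code": "1234", "host_email": "host1@example.com"},
    2: {"name": "Building 2", "access_code": "5678", "host_email": "host2@example.com"},
}

# Constructed visit records: guest phone number -> building IDs they were invited to.
VISITS = {"+15550001": {2}}


def config_vulnerable(guest_phone, building_ids):
    """Mirrors the bug: every requested ID is returned, regardless of the caller."""
    return [BUILDINGS[b] for b in building_ids if b in BUILDINGS]


def config_hardened(guest_phone, building_ids):
    """Object-level authorization: only buildings the guest has a visit for,
    and only the fields a guest needs (no access codes, no host emails)."""
    allowed = VISITS.get(guest_phone, set())
    return [{"name": BUILDINGS[b]["name"]}
            for b in building_ids if b in allowed and b in BUILDINGS]


def proxy_path_is_safe(raw_path):
    """Normalize before routing. Reject a request when decoding (including
    nested encodings such as %252f) would add path separators the router
    never saw, or when any segment is a dot-dot traversal."""
    decoded = raw_path
    for _ in range(3):  # collapse nested encodings until stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if decoded.count("/") != raw_path.count("/"):
        return False  # encoded slash would change the backend's view of the path
    return ".." not in decoded.split("/")


if __name__ == "__main__":
    print(config_vulnerable("+15550001", [1]))          # leaks building 1
    print(config_hardened("+15550001", [1, 2]))         # only building 2, name only
    print(proxy_path_is_safe("/api/v1/host/..%2f..%2f..%2f"))  # False
```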