# Victory

## Solve

Let's first run MFASweep to check whether MFA is enforced for the azintegration user.

<figure><img src="/files/HO7bdwUtYuGoJFXFUsjk" alt=""><figcaption><p>Invoke-MFASweep -Username azintegration@massive-pharma.com -Password KeepTh1sSecure@777!</p></figcaption></figure>

From the output, it seems we can only access M365 with a mobile user agent.

<figure><img src="/files/5FTW8eRxWjuLXDyzL79R" alt=""><figcaption></figcaption></figure>

We can verify this by attempting to authenticate with the credentials on the Azure Portal: it asks for MFA via Authenticator.

<figure><img src="/files/e7AL8NqmAvOKo11mKy1d" alt=""><figcaption></figcaption></figure>

This is probably due to a conditional access policy.

Recall that for the previous flag we obtained the credentials of the nina user. Let's use the nina user to enumerate the conditional access policies, using the tool roadrecon.

<figure><img src="/files/3zbJKdsUml4QFJ2gYXSb" alt=""><figcaption><p>authenticate with recon</p></figcaption></figure>

<figure><img src="/files/KKwhzgs1Fuona10gaI1S" alt=""><figcaption><p>dumping the conditional access policy</p></figcaption></figure>

<figure><img src="/files/EsSLzJWECJo3d8WOzj8Q" alt=""><figcaption></figcaption></figure>

Looking at the CAP, we can see that the azure aws integration account user has an MFA requirement for all platforms except Android and iOS, which matches the MFASweep result.

A CAP based on device type is easy to bypass, because the device platform is determined from the user agent.

By using browser devtools, we can change the user agent to whichever device we want, thus bypassing the CAP check. We could also simply use a mobile phone instead.

<figure><img src="/files/qsJ1fKEZWjsQ8nWgL8cI" alt=""><figcaption></figcaption></figure>

Remember to enable "Auto-open DevTools for popups" so that there won't be an MFA prompt when it opens a new tab.

<figure><img src="/files/q6sskWlf3VKiRdUK8xSx" alt=""><figcaption></figcaption></figure>

With that we have successfully bypassed the Conditional Access Policy and gained access to the M365 instance.

<figure><img src="/files/FDHwNvbQobNJKiyQYsTP" alt=""><figcaption></figcaption></figure>

At first glance, it seems the azintegration user has access to the admin portal, so let's see what we can do with it.

<figure><img src="/files/07iM7k0bcwjaLi42rSws" alt=""><figcaption></figcaption></figure>

Looking at the dashboard, the user has permissions over user management: they can edit a user as well as reset its password.

When clicking the edit user button, the result pops up for the user magnus.

<figure><img src="/files/e6AZ0N4Dm7FIPecyu7F2" alt=""><figcaption><p>Auto filling user</p></figcaption></figure>

<figure><img src="/files/K8Af6LZZ58gpDowfGPHs" alt=""><figcaption></figcaption></figure>

We are able to then reset the password for magnus.

<figure><img src="/files/Qy3k9wJRfocznDLtKOm4" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mlhWBsH7TVdwCC0T7HlK" alt=""><figcaption></figcaption></figure>

Next, let's run MFASweep again to see whether MFA applies to magnus and whether we can bypass it.

<figure><img src="/files/ShVtRWXI3O9KgCdpfKUI" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/IigWVn3IZ0ufFu2GnOtr" alt=""><figcaption></figcaption></figure>

It seems we can access Office with an iPhone user agent. Let's look at the conditional access policies we enumerated previously to see if there is any CAP for magnus.

<figure><img src="/files/el0TtCws1hspA4JWj551" alt=""><figcaption></figcaption></figure>

This is again in line with the MFASweep output. Again, we can bypass it with devtools as before.

<figure><img src="/files/OihaJoWIeq7lUT9AzJqg" alt=""><figcaption></figcaption></figure>

It looks like the magnus user does not have many permissions in M365, so let's take a look at the Azure Portal instead.

Looking at the recent resources, there is a Key Vault named ITHelpdesk.

<figure><img src="/files/IIQhMkOotYMOf3SNoa2L" alt=""><figcaption></figcaption></figure>

Since we cannot access Key Vault secrets via the Azure Portal, we need to use the az CLI.

First we run `az login` as normal.

<figure><img src="/files/V6e27VE4aDB6oRfaO5Cb" alt=""><figcaption></figcaption></figure>

On the browser pop-up tab, open devtools to change our user agent to an iPhone user agent.

<figure><img src="/files/R4fzAKeiT9pBenwvFBEe" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Fa6RABnT17YKYkSca7W7" alt=""><figcaption></figcaption></figure>

With that, we can authenticate to the az CLI and bypass the MFA.

<figure><img src="/files/jFbJlNBEYCaUjwbHKZDE" alt=""><figcaption></figcaption></figure>

From the Key Vault enumeration, there is a secret called New-Joiner-Ming-Zhang, which is probably a user's credentials.

<figure><img src="/files/b6oGKMuLGBLT2rmnJivZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/AMUfou1NpBKdPgWpSHNv" alt=""><figcaption></figcaption></figure>

We can get the email address by cross-referencing our user list.

<figure><img src="/files/xmuDDWIuD0lvxLYRna4j" alt=""><figcaption></figcaption></figure>

Looking at the conditional access policy we enumerated previously, Ming Zhang's MFA is scoped more securely and includes all platforms. However, looking at the excluded applications, we can use Ming's credentials to access the Windows Azure Service Management API as well as Graph Command Line Tools.

<figure><img src="/files/nJepb1b9Gq93S75LIBUY" alt=""><figcaption></figcaption></figure>

This means we can simply run `az login` or `Connect-AzAccount` to authenticate.
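The two weak policies above (MFA skipped for excluded device platforms, and MFA skipped for management-plane applications) are exactly what a defender should hunt for in their own tenant. The following audit script is an added example, not part of the original writeup or of any tool it uses; it assumes policies in the Microsoft Graph `conditionalAccess/policies` JSON shape and uses two well-known first-party application IDs that you should confirm against your tenant's service principals.

```python
import json

# Well-known first-party application IDs (assumption: confirm them against the
# service principals in your own tenant before relying on them).
MANAGEMENT_PLANE_APPS = {
    "797f4846-ba00-4fd7-ba43-dac1f8f63013": "Windows Azure Service Management API",
    "14d82eec-204b-4c2f-b7e8-296a70dab67e": "Microsoft Graph Command Line Tools",
}

def audit_policy(policy: dict) -> list[str]:
    """Return findings for one Conditional Access policy (Graph API JSON shape)."""
    name = policy.get("displayName", "<unnamed>")
    if policy.get("state") != "enabled":
        return [f"{name}: not enforced (state={policy.get('state')})"]
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    if "mfa" not in controls:
        return []  # not an MFA policy; nothing to assess here
    findings = []
    conditions = policy.get("conditions") or {}
    # Device platform is inferred from the User-Agent header, which the client
    # controls, so an excluded platform is an MFA bypass rather than a scope.
    platforms = (conditions.get("platforms") or {}).get("excludePlatforms") or []
    if platforms:
        findings.append(f"{name}: MFA skipped for platforms {platforms} "
                        "(platform comes from a client-controlled User-Agent)")
    # Excluding management-plane apps lets az login / Connect-AzAccount succeed
    # with password only, even when every platform is in scope.
    apps = (conditions.get("applications") or {}).get("excludeApplications") or []
    for app_id in apps:
        if app_id in MANAGEMENT_PLANE_APPS:
            findings.append(f"{name}: MFA skipped for {MANAGEMENT_PLANE_APPS[app_id]} "
                            "(management-plane access without MFA)")
    return findings

def audit_policies(policies_json: str) -> list[str]:
    """Audit a JSON array of policies and return every finding."""
    return [f for p in json.loads(policies_json) for f in audit_policy(p)]

# Constructed sample shaped like the two weak policies described in the writeup.
SAMPLE_POLICIES = json.dumps([
    {"displayName": "MFA - azintegration", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["all"],
                                  "excludePlatforms": ["android", "iOS"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA - Ming Zhang", "state": "enabled",
     "conditions": {"platforms": {"includePlatforms": ["all"]},
                    "applications": {"includeApplications": ["All"],
                                     "excludeApplications": list(MANAGEMENT_PLANE_APPS)}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
])
```

Feed it the output of a Graph policy export (or the roadrecon policy dump converted to the same shape) and treat every finding as a policy to tighten.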

<figure><img src="/files/DjT8mewh4lDoQ7DDYIAB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/76PhGdq4087VKkCgu8k8" alt=""><figcaption></figcaption></figure>

Next, I will be using the tool azurehound to perform automated enumeration.

<figure><img src="/files/0sIzdffA3uwKr4yWY6KS" alt=""><figcaption></figcaption></figure>

Upload the output.json into BloodHound. Since we have access to Ming's account, let's mark it as owned and look at what Ming has permissions over. Using BloodHound, we can identify that Ming owns the group IT-Admin.

<figure><img src="/files/PCwPE135ZThjbATwUilg" alt=""><figcaption></figcaption></figure>

In turn, the IT-Admins group holds the Directory Readers and Printer Technician roles. Interestingly, the IT-Admins group has no existing members.

<figure><img src="/files/gH29bxztV5WAEsxB4rlT" alt=""><figcaption></figcaption></figure>

Since Ming is the owner of the group, he can add users to it. Let's add Ming to the group and try enumerating with the escalated Directory Readers permission. We will use roadtools to request an access token with the msgraph scope.

<figure><img src="/files/VaGInw3XsyeQem9FuzG9" alt=""><figcaption></figcaption></figure>

Next, using the Graph API, let's add Ming to the IT-ADMINS group.

```bash
curl -X POST 'https://graph.microsoft.com/v1.0/groups/F6F83AFC-E612-4905-9D5B-09F4E909700F/members/$ref' \
     -H "Authorization: Bearer $at" \
     -H "Content-Type: application/json" \
     -d '{
         "@odata.id": "https://graph.microsoft.com/v1.0/users/65272AB6-B183-4F12-B72B-C584DCE8B7CB"
     }'
```

We can then verify by checking the group members: Ming is in it now.

```bash
curl -X GET "https://graph.microsoft.com/v1.0/groups/F6F83AFC-E612-4905-9D5B-09F4E909700F/members" \
     -H "Authorization: Bearer $at" \
     -H "Content-Type: application/json"
```

<figure><img src="/files/hfxU0CfBRDFSOxChY9U0" alt=""><figcaption></figcaption></figure>

With our new permissions, let's attempt to enumerate Azure resources. (Note: you will need to log in to the az CLI again.)

<figure><img src="/files/7mmOv3fe5AgMssFGFPeR" alt=""><figcaption><p>az resource list</p></figcaption></figure>

From the resource listing, there is another storage account called securebackups. Let's enumerate it using the management API.

<figure><img src="/files/Qw2i4ij1nBjNxTvvA6vV" alt=""><figcaption></figcaption></figure>

```bash
curl -s -X GET "https://management.azure.com/subscriptions/41b63b94-5bb3-41b2-a2ad-2b411979dc26/resourceGroups/it-admin/providers/Microsoft.Storage/storageAccounts/securebackups/blobServices/default/containers?api-version=2023-01-01" \
     -H "Authorization: Bearer $at" \
     -H "Content-Type: application/json" | jq
```

<figure><img src="/files/GbJPLtJGupLVlf0xKAan" alt=""><figcaption><p>listing containers</p></figcaption></figure>

There is a container called files; let's try listing the blobs. But first we need to request another token for the storage API.

<figure><img src="/files/OXe4cSj1e1fxcW3f6QZ3" alt=""><figcaption></figcaption></figure>

```bash
curl -s -X GET "https://securebackups.blob.core.windows.net/files?restype=container&comp=list" \
     -H "x-ms-version: 2021-12-02" \
     -H "Authorization: Bearer $at"
```

<figure><img src="/files/Q41J2GIeh1RsBH63MSW7" alt=""><figcaption><p>listing files</p></figcaption></figure>

Within the file listing, there is a file named mp-ga-creds.zip; let's download it.

```bash
curl -s -X GET "https://securebackups.blob.core.windows.net/files/mp-ga-creds.zip" \
-H "x-ms-version: 2021-12-02" \
-H "Authorization: Bearer $at" -o mp-ga-creds.zip
```

<figure><img src="/files/j8s0qOFRmwqKgHMSNMbK" alt=""><figcaption></figcaption></figure>

The zip file is password protected.

<figure><img src="/files/QzHYItjDoA3QlTd5itzf" alt=""><figcaption></figcaption></figure>

I had attempted to use zip2john with our password list and rockyou to crack the password, but to no avail.

Then I recalled that in previous steps there was always the bad practice within the massive-pharma organization of sending plaintext credentials over Teams/Outlook. So let's enumerate those to see if there's anything similar.

First, let's get an access token for Teams using AADInternals.

<figure><img src="/files/EMatRPCjry0vkZ9NXTJO" alt=""><figcaption></figcaption></figure>

```powershell
Get-AADIntTeamsMessages | Format-Table id,content,deletiontime,*type*,DisplayName
```

<figure><img src="/files/XBccYkuYZJKiZYvr1X2Z" alt=""><figcaption></figcaption></figure>

As expected, the password for the zip is again sent in plaintext in a Teams message.

<figure><img src="/files/zRU3syEgV4AkjLyqy9vY" alt=""><figcaption></figcaption></figure>

As a bonus, we are also given the global admin credentials???

<figure><img src="/files/3xe3w85nJnezAd756jHG" alt=""><figcaption></figcaption></figure>

However, sven's MFA ensures that everything is blocked, so sadly we can't log in as the GA.

<figure><img src="/files/HMKlqSRwfuDGkx8aLiuI" alt=""><figcaption></figcaption></figure>

The password has also, sadly, been reset.

<figure><img src="/files/j2QjkURgOoZHpVbdLzbk" alt=""><figcaption></figcaption></figure>

## TLDR

* Check for MFA on the azintegration user
* Using the nina account, enumerate the conditional access policies
* Bypass the conditional access policy using browser devtools to modify the user agent
* Reset magnus's password using the M365 web portal
  * Bypass CAP similarly using browser devtools
* Authenticate as magnus on the Azure Portal with devtools
* Notice that magnus has access to the Key Vault
* Authenticate to the magnus account on the CLI with `az login` and bypass CAP using devtools
* Retrieve Ming's password from the az Key Vault
* Use azurehound to perform automated enumeration
* Identify that Ming owns the group IT-ADMINS
* Add Ming to the IT-ADMINS group, and enumerate Azure resources
* Identify another storage account which contains mp-ga-creds.zip
* Download the file and try cracking the zip password, to no avail
* Enumerate Teams messages to retrieve the zip password
* Unzip and win

## Reference

* <https://github.com/dirkjanm/ROADtools>
* <https://github.com/SpecterOps/AzureHound>
* <https://github.com/SpecterOps/BloodHound>
