Az - Pass the Cookie

Reading time: 2 minutes

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Why Cookies?

Browser cookies are a great mechanism to bypass authentication and MFA. Because the user has already authenticated in the application, the session cookie can just be used to access data as that user, without needing to re-authenticate.

You can see where are browser cookies located in:

Browser Artifacts - HackTricks

Attack

The challenging part is that those cookies are encrypted for the user via the Microsoft Data Protection API (DPAPI). This is encrypted using cryptographic keys tied to the user the cookies belong to. You can find more information about this in:

DPAPI - Extracting Passwords - HackTricks

With Mimikatz in hand, I am able to extract a user’s cookies even though they are encrypted with this command:

bash
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit

For Azure, we care about the authentication cookies including ESTSAUTH, ESTSAUTHPERSISTENT, and ESTSAUTHLIGHT. Those are there because the user has been active on Azure lately.

Just navigate to login.microsoftonline.com and add the cookie ESTSAUTHPERSISTENT (generated by “Stay Signed In” option) or ESTSAUTH. And you will be authenticated.

References

tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks