In flag 3, we used Nacer’s M365 refresh token to acquire a new access token. This led to some M365 email pillaging, which gave us a password we could use to spray a bunch of usernames we had obtained. We were then able to access the Azure portal and discover a deleted blob containing hashed passwords - we managed to crack one of them and get a password, which we added to our stash. After that, flag 3 and some more credentials were discovered via a Function App API endpoint that was vulnerable to time-based SQL injection.

Next steps

We have the following credentials to work with:

Username - nina

Password - wcy4^UV%#^hv35C@^!

Since our recent findings were in Azure, let’s try the above credentials with Azure as well. In flag 3 we used a tool called MSOLSpray to password spray a list of M365 users. There’s another tool we can use to password spray and to validate M365 users, credentials and domains, called Oh365UserFinder. You can download it from here. The target is still Massive Pharma, so let’s append the domain to the user nina and put this username in a file called nina.txt. Now we can run oh365userfinder:

python3 ./ -p 'wcy4^UV%#^hv35C@^!' --pwspray --elist nina.txt


The credentials appear to be valid. We could go straight to the Azure portal and try to sign in, but let’s first run the credentials through MFASweep and see what MFA and Conditional Access Policy information we can gather about access to the Microsoft APIs. Download the tool from here. Start PowerShell (I’m running it on my Kali box) and run the following:

Import-Module ./MFASweep/MFASweep.ps1
Invoke-MFASweep -Username [email protected] -Password 'wcy4^UV%#^hv35C@^!' -Recon

Note - make sure the password is typed correctly so you don’t lock out the account - you are reminded of this by MFASweep:

Confirm MFA Sweep
[*] WARNING: This script is about to attempt logging into the [email protected] account TEN (10) different times (11 if you included ADFS). If you entered an incorrect password this may lock the account out. Are you sure you want to continue?


Once it’s finished, any single-factor access vectors (no MFA) will be marked with a YES:
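From the defender’s side, both tools used above leave a recognisable footprint in the Entra ID sign-in log: the spray shows up as one source IP failing against many distinct users in a short window, and MFASweep shows up as one account being tried against many distinct client applications within a couple of minutes. The following Python is an added example, not part of this writeup or of either tool; the event layout and the client-application names are simplified assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the lab): (timestamp, user, source IP,
# client application, result). Simplified from the Entra ID sign-in log fields.
SIGNINS = [
    ("2024-05-01T10:00:00", "alice@corp.example", "203.0.113.9", "Browser", "failure"),
    ("2024-05-01T10:00:03", "bob@corp.example", "203.0.113.9", "Browser", "failure"),
    ("2024-05-01T10:00:05", "carol@corp.example", "203.0.113.9", "Browser", "failure"),
    ("2024-05-01T10:00:08", "dave@corp.example", "203.0.113.9", "Browser", "failure"),
    ("2024-05-01T10:00:11", "nina@corp.example", "203.0.113.9", "Browser", "success"),
    ("2024-05-01T10:30:00", "nina@corp.example", "203.0.113.9", "Microsoft Graph", "success"),
    ("2024-05-01T10:30:02", "nina@corp.example", "203.0.113.9", "Azure Service Management", "success"),
    ("2024-05-01T10:30:04", "nina@corp.example", "203.0.113.9", "Exchange Web Services", "failure"),
    ("2024-05-01T10:30:06", "nina@corp.example", "203.0.113.9", "Exchange ActiveSync", "success"),
    ("2024-05-01T10:30:08", "nina@corp.example", "203.0.113.9", "Legacy Auth (IMAP)", "failure"),
    ("2024-05-01T12:00:00", "bob@corp.example", "198.51.100.7", "Browser", "failure"),
    ("2024-05-01T12:00:30", "bob@corp.example", "198.51.100.7", "Browser", "success"),
]

def _parse(events):
    # Parse timestamps and sort chronologically so windows can be computed in order.
    return sorted((datetime.fromisoformat(t), u, ip, app, r) for t, u, ip, app, r in events)

def _windowed_distinct(events, key, value, window, threshold):
    """Group events by key(); for each group find the window of length `window` holding the
    most distinct value() observations. Report groups reaching `threshold` as {key: sorted values}."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[key(ev)].append(ev)
    hits = {}
    for k, evs in by_key.items():
        best = max(({value(e) for e in evs[: i + 1] if end[0] - e[0] <= window}
                    for i, end in enumerate(evs)), key=len)
        if len(best) >= threshold:
            hits[k] = sorted(best)
    return hits

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Password-spray signature: one source IP failing against many distinct users quickly."""
    failed = [e for e in _parse(events) if e[4] == "failure"]
    return _windowed_distinct(failed, key=lambda e: e[2], value=lambda e: e[1],
                              window=window, threshold=min_users)

def detect_mfa_probing(events, window=timedelta(minutes=5), min_apps=4):
    """MFASweep-style signature: one account tried against many client apps within minutes."""
    return _windowed_distinct(_parse(events), key=lambda e: (e[1], e[2]), value=lambda e: e[3],
                              window=window, threshold=min_apps)
```

Thresholds and windows are tuning knobs: the spray rule counts only failures so that a single lucky hit does not hide the preceding misses, while the probing rule counts successes and failures alike, since a single-factor gap shows up as a success on one of the probed apps.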