Closed donalduck35 closed 1 year ago
donalduck35
commented
1 year ago I realized what's happening but still need guidance on working around it. The email address I'm using while sending the -u argument has domain X but the underlying SharePoint domain that corresponds to domain X is different, so it cannot be resolved. Therefore it builds a bad link that cannot resolve. Do I need to hardcode "senderSharepointURL" for this to work?
Octoberfest7
commented
1 year ago Yeah you might try that. In my development I was using a stock AAD tenant/sharepoint setup, so if your configuration deviates from that (maybe with custom domain specified instead of xxx.onmicrosoft.com, etc) you could try hardcoding. In the latest release i'd look at line 674:
senderSharepointURL = "https://%s-my.sharepoint.com" % senderInfo.get('tenantName')
blueteam0ps
commented
1 year ago I had the exact same issue just now and I am using a xxx.onmicrosoft.com domain
Octoberfest7
commented
1 year ago How are the sender domain and the sharepoint domains different?
donalduck35
commented
1 year ago How are the sender domain and the SharePoint domains different?
For example, if you started an MSFT account that is contoso256@onmicrosoft.com and you tied it to a domain let's say, yourcompanydomain.com the underlying MSFT will still be contoso256-mysharepoint.com rather than yourcompanydomain-mysharepoint.com, make sense?
Octoberfest7
commented
1 year ago Yep, I chased this issue down with another user. The unsolved question at this point is how to resolve the address the sharepoint site truly lives at; the code currently assumes that the domain returned in the senderInfo UPN is the same as the sharepoint one, but this isn't the case when a custom domain is used.
donalduck35
commented
1 year ago Yep, I chased this issue down with another user. The unsolved question at this point is how to resolve the address the sharepoint site truly lives at; the code currently assumes that the domain returned in the senderInfo UPN is the same as the sharepoint one, but this isn't the case when a custom domain is used.
Got it. Thank you. I changed the domain explicitly and hardcoded it to this variable but right now I'm getting: Uploading file: hello.txt..................................................[-] Error uploading file: 401
No additional info apart from it:
Reading target email list..................................................[+] SUCCESS! Fetching Bearer token for Teams............................................[+] SUCCESS! Fetching Skype token.......................................................[+] SUCCESS! Fetching sender info.......................................................[+] SUCCESS! Fetching Bearer token for SharePoint.......................................[+] SUCCESS! Uploading file: hello.txt..................................................[-] Error uploading file: 401
Octoberfest7
commented
1 year ago I believe this should be addressed by 22b521a.
Octoberfest7
commented
1 year ago See the -s switch in the help menu in the latest version
blueteam0ps
commented
1 year ago @Octoberfest7 I used the -s option and the previous error is no longer there but now im getting a 404 after it starts the upload.. I tried both using a custom domain and an onmicrosoft one but still the 404 is there.
Reading target email list..................................................[+] SUCCESS! Fetching Bearer token for Teams............................................[+] SUCCESS! Fetching Skype token.......................................................[+] SUCCESS! Fetching sender info.......................................................[+] SUCCESS! Fetching Bearer token for SharePoint.......................................[+] SUCCESS! Uploading file: /opt/TeamsPhisher/test.zip ............................[-] Error uploading file: 404
TH3xACE
commented
1 year ago @Octoberfest7 I used the -s option and the previous error is no longer there but now im getting a 404 after it starts the upload.. I tried both using a custom domain and an onmicrosoft one but still the 404 is there.
Reading target email list..................................................[+] SUCCESS! Fetching Bearer token for Teams............................................[+] SUCCESS! Fetching Skype token.......................................................[+] SUCCESS! Fetching sender info.......................................................[+] SUCCESS! Fetching Bearer token for SharePoint.......................................[+] SUCCESS! Uploading file: /opt/TeamsPhisher/test.zip ............................[-] Error uploading file: 404
I am having the same issue as @blueteam0ps
TH3xACE
commented
1 year ago Does the attachment need to be on Sharepoint ? could be on github also (I saw a POC using a file hosted on it for this CVE) ? or on a web server ?
Octoberfest7
commented
1 year ago Edit fixed 401/404 errors by hardcoding senderDrive @ line 694. Seems like it's not always constant.
Drop me a dm on twitter @Octoberfest73 or on discord Octoberfest (octoberfest#0860)
MasalaGianluca
commented
1 year ago @Octoberfest7 I used the -s option and the previous error is no longer there but now im getting a 404 after it starts the upload.. I tried both using a custom domain and an onmicrosoft one but still the 404 is there. Reading target email list..................................................[+] SUCCESS! Fetching Bearer token for Teams............................................[+] SUCCESS! Fetching Skype token.......................................................[+] SUCCESS! Fetching sender info.......................................................[+] SUCCESS! Fetching Bearer token for SharePoint.......................................[+] SUCCESS! Uploading file: /opt/TeamsPhisher/test.zip ............................[-] Error uploading file: 404
I am having the same issue as @blueteam0ps
I have the same problem, has anyone been able to find a solution? :(
Octoberfest7
commented
1 year ago This should now be fixed in 4e34fce.
When users first set up a tenant they must specify an initial domain name (which will be an *.onmicrosoft.com one). For the sake of this example this will be: mytesttenant.onmicrosoft.com
Their email/login would then be for example tom@mytesttenant.onmicrosoft.com
They can then go change their tenant to use a custom domain name, lets say mycustomname.net
Their email/login is now tom@mycustomname.net
However their sharepoint site still exists at mytesttenant-my.sharepoint.com
While the sharepoint name does not change, the uri for their personal sharepoint DOES and now uses their current email e.g. /personal/tom_mycustomname_net as opposed to /personal/tom_mytesttenant_onmicrosoft_com
This has been fixed in v1.1.2. Additionally, if a non-*.onmicrosoft.com username is used, TeamsPhisher will require the use of the -s switch and that the sharepoint is explicitly specified so as to head off any potential mismatch issues that can arise when trying to resolve the sharepoint name when a custom domain is being used.
olafskaug
commented
1 year ago Why not just define the senderDrive outside the custom SharePoint argument check since the UPN is unrelated?
# SharePoint custom tenant name doesn't change UPN.
senderDrive = senderInfo.get('userPrincipalName').replace("@", "_").replace(".", "_").lower()
# Assemble Sharepoint name
if args.sharepoint:
senderSharepointURL = "https://%s-my.sharepoint.com" % (args.sharepoint)
else:
senderSharepointURL = "https://%s-my.sharepoint.com" % senderInfo.get('tenantName')Why not just define the senderDrive outside the custom SharePoint argument check since the UPN is unrelated?
# SharePoint custom tenant name doesn't change UPN. senderDrive = senderInfo.get('userPrincipalName').replace("@", "_").replace(".", "_").lower() # Assemble Sharepoint name if args.sharepoint: senderSharepointURL = "https://%s-my.sharepoint.com" % (args.sharepoint) else: senderSharepointURL = "https://%s-my.sharepoint.com" % senderInfo.get('tenantName')
This latest version does this. Except it just uses the supplied username, which is the same thing that the UPN returns
It appears that all the previous steps are successful however, when the file is being uploaded I'm seeing this message "Name or service not known" I'm assuming it is unable to resolve the tenant name? The machine is configured with a proper DNS so I wonder why I'm seeing the below message:
`[+] SUCCESS! Uploading file: /root/test/text.txt........................................Traceback (most recent call last): File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 159, in _new_conn conn = connection.create_connection( File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 61, in create_connection for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM): File "/usr/lib/python3.8/socket.py", line 918, in getaddrinfo for res in _socket.getaddrinfo(host, port, family, type, proto, flags): socket.gaierror: [Errno -2] Name or service not known
During handling of the above exception, another exception occurred:
Traceback (most recent call last): File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen httplib_response = self._make_request( File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request self._validate_conn(conn) File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn conn.connect() File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 314, in connect conn = self._new_conn() File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 171, in _new_conn raise NewConnectionError( urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f475bdea4f0>: Failed to establish a new connection: [Errno -2] Name or service not known`