Challenge: Santa is currently very busy preparing for Christmas. But he noticed that elves changed his “naughty list.txt” from his SharePoint folder “https://owaspsi.sharepoint.com/sites/xmas2020/Shared Documents”. Can you help him solve the mystery of how did they get access to it?

Vm0xd1MwMUdiRmhUV0doV1YwZDRWVmxVU205V2JHeDBaVVYwVmxKc2NIaFZNakExWVd4S2MyTklhRlppV0dob1ZrY3hTMU5IVWpaVGJGcE9ZbXhLZVZkV1VrZFhiVlpIVkc1S2FWSnNjSEJWYWtwdlYxWmFjVk51Y0d4U01VcFpWVzEwYjFWR1dYZFhiRkphWWtkU2RsWldXbUZXTVdSMFpFWlNhVlpzY0RaWFZFSlhZakpHUjFOWWNGSmhlbXhXVm14YVlVMXNVbGhsUjNSWFRWZFNlVlJzVlRGV01ERldZak5rVjFaRmEzaFdWRVpUWXpGd1JsZHNVbWxXVm5CWFZtMTBWMU13TUhoVmJHaHNVMFUxVUZsclZURldiRnAwVFZoT1YwMUVSbGRaTUZaaFZqRkplbUZJU21GU1JYQklWbTF6ZUZkV1NuTlViV2hvWld4YVlWWnRNSGRsUjBsNFZtdGthbEp0YUU5V2JYUjNZekZhYzFWdVRsaGlSM2g1VjJ0V2ExWnJNVlpPVldSV1RXNW9TRll3V2xwbGJFWnpVV3hhYkdFd1dUQldWRUpoVXpKT2MyTkZaRlJpVjNod1ZUQldTMDB4V25OYVNHUlRUVmQ0V0ZaSE5VOVdiVXBIWTBab1dtSkdTbGhXVjNoaFZqRldXVnBHUWxaV1JFRTE=

First I have to say, this was for me the best challenge, perhaps because it was so “real”.

Well the firs part not so much, but you need to start somewhere.

The blob is a base64 encoded base64 encoded base64 encoded base64 encoded base64 encoded base64 encoded base64 encoded base64 encoded string with user and password for an Office 365 account.

username:santa.claus@owaspsi.onmicrosoft.compassword:NorthPoleH0H

Ok, login works, but it want’s a MFA (Multi Factor Authentication) step.

No way I’m breaking the MFA with Microsoft Authenticator. Perhaps the TOTP (Time-based One-Time Password)? But in order for the author to set up that, Microsoft would need to allow some very bad/unsecure parameters…

I searched around for some time and landed on this: https://paulryan.com.au/2014/spo-remote-authentication-rest/

So the steps are:

1. https://login.microsoftonline.com/extSTS.srf
2. https://owaspsi.sharepoint.com/_forms/default.aspx?wa=wsignin1.0
3. https://owaspsi.sharepoint.com/sites/xmas2020/_api/web/GetFolderByServerRelativeUrl('Shared Documents')/Files('naughty list.txt')/$value

In step one we POST a huge XML with user and password and get back the Security Token inside another huge XML. Care must be taken to correctly unescape the contents.

In step two we post that token and get back, well, some HTML and a lot of Cookies. We need rtFa and FedAuth.

With those cookies we can talk to the SharePoint API.

We can query files by calling https://owaspsi.sharepoint.com/sites/xmas2020/_api/web/GetFolderByServerRelativeUrl('Shared Documents')/Files and than the contents of the file…

Some docs to help.

I talked to the author and he told me this was a real-life case they worked on. I actually encountered similar situation with Google services, where less-secure, legacy protocols needed to be enabled (IMAP).

Flag: xmas{ro5y_che3k5}

What did I learn: A real bypass of MFA that is apparently still enabled by default.