Huntress CTF: Week 3 – M Three Sixty Five

This is a multipart challenge. All the flags can be found within the live Microsoft 365 instance that we’ll ssh into.

The clue is a street address. I’m not too fluent in the capabilities of AADInternals, so the first thing I do is head over to the documentation.

If I do a search on ‘street’ I see that it’s part of an output example for Get-AADIntTenantDetails.

Ok, let’s give that command a go.

And there’s the flag under the street value.

For the next one, it not so subtly says that Conditional Access Policies will be part of this, so again we reference the docs. Get-AADIntConditionalAccessPolicies seems like a good candidate.

Two for two.

Microsoft Teams will be our focus on the third one. There are dozens of Teams commands available within AADInternals. If we focus on ‘message’, that will get us to Get-AADIntTeamsMessages.

Having the documentation for the syntax really helped on this one.

And for the last one, no, there isn’t a Get-AADIntPresident command. That would be too easy. How about a command that will show us all the users?

Scrolling up through the output, we find that the President (PattiF) has a flag in the telephone number field.

4 out of 4.


Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
