Power Pwn v2.1.3 releases: An offensive and defensive security toolset for Microsoft 365 Power Platform
Power Pwn
Power Pwn is an offensive and defensive security toolset for Microsoft Power Platform.
Disclaimer: These materials are presented from an attacker’s perspective to raise awareness of the risks of underestimating the security impact of No Code/Low Code. No Code/Low Code is excellent.
How to set up your power-pwn cloud account

Set up a malicious Microsoft tenant
- Set up your free Microsoft tenant by following Microsoft guidelines.
- Create a malicious user account and assign it the Power Platform administrator role. The admin role isn't necessary, it's just convenient.
- In a private browser tab:
  - Go to https://flow.microsoft.com and log in as the malicious user. Follow the sign-in process through to the end to initiate a Power Automate trial license.
  - Follow the same process at https://make.powerapps.com to initiate a Power Apps trial license.
- Create a Service Principal by following Microsoft guidelines and note the tenantId, applicationId, and secret.

Infect a test victim machine
- Infect a test machine by following the How to infect a victim machine guide.
- Verify that the machine has been onboarded:
  - Log into https://flow.microsoft.com as the malicious user.
  - Click Go to Monitor, then Machines, and verify that the test victim machine is listed.

Upload pwntoso to your Power Automate cloud environment
- Log into https://flow.microsoft.com as the malicious user.
- Go to Solutions and click Import solution.
- Zip the contents of pwntoso_1_0_0_1 and select the archive when asked to provide a solution file. Follow the guided process to completion.
  - When asked to provide a connection, follow the guided process to create a new machine connection. Use the test victim machine credentials.
- Go to My flows and search for Endpoint.
- Click Edit, then When an HTTP request is received, and copy the URL under HTTP POST URL.
- Note the HTTP POST URL for use with the Python module.
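The HTTP POST URL copied in the last step deserves a caveat: a "When an HTTP request is received" trigger URL carries its authorization in the query string (a SAS-style sig parameter), so anyone holding the URL can start the flow without signing in. Treat it like a credential, keep it out of tickets and logs, and check that what you pasted really is a trigger URL before using it. The following helper is an added example written for this page, not code from the Power Pwn project or its Python module. It assumes the URL has the usual Logic Apps shape (a workflows/<id>/triggers/manual/paths/invoke path with api-version, sp, sv and sig query parameters); the sample URL, its workflow id and signature are constructed, and the JSON payload is a placeholder because this page does not describe the schema the pwntoso Endpoint flow expects.

```python
"""Sanity-check, redact and invoke a Power Automate HTTP trigger URL.

Added example, not part of the Power Pwn project. Assumes the URL copied from
the flow designer has the Logic Apps trigger shape described in the lead-in.
"""
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Query parameters every manual trigger URL carries; sig is the bearer-like secret.
REQUIRED_PARAMS = ("api-version", "sp", "sv", "sig")

# Constructed sample: host, workflow id and signature are placeholders, not real values.
SAMPLE_TRIGGER_URL = (
    "https://prod-00.westus.logic.azure.com:443/workflows/"
    "0123456789abcdef0123456789abcdef/triggers/manual/paths/invoke"
    "?api-version=2016-06-01&sp=%2Ftriggers%2Fmanual%2Frun&sv=1.0&sig=CONSTRUCTEDSIGNATURE"
)


def parse_trigger_url(url):
    """Split a trigger URL into its parts, raising ValueError if it does not look like one."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("trigger URL must use https")
    if not parts.hostname or not parts.hostname.endswith(".logic.azure.com"):
        raise ValueError("unexpected host: %r" % parts.hostname)
    qs = parse_qs(parts.query)
    missing = [p for p in REQUIRED_PARAMS if p not in qs]
    if missing:
        raise ValueError("trigger URL is missing query parameters: %s" % ", ".join(missing))
    segs = parts.path.strip("/").split("/")
    if "workflows" not in segs or segs[-1] != "invoke":
        raise ValueError("path does not look like a workflow trigger: %r" % parts.path)
    workflow_id = segs[segs.index("workflows") + 1]
    return {
        "host": parts.hostname,
        "workflow_id": workflow_id,
        "sig": qs["sig"][0],
        "params": {k: v[0] for k, v in qs.items()},
    }


def is_trigger_url(url):
    """True if parse_trigger_url accepts the URL, False otherwise."""
    try:
        parse_trigger_url(url)
        return True
    except ValueError:
        return False


def redact_trigger_url(url):
    """Return the URL with the sig parameter masked, safe to paste into notes or logs."""
    parts = urlsplit(url)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" in qs:
        qs["sig"] = "REDACTED"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(qs), parts.fragment))


def build_trigger_request(url, payload):
    """Build the POST the trigger expects: JSON body, Content-Type header, secret left in the URL."""
    parse_trigger_url(url)  # fail early on a URL that is not a trigger
    body = json.dumps(payload).encode()
    return Request(url, data=body, headers={"Content-Type": "application/json"}, method="POST")


def trigger_flow(url, payload, timeout=30):
    """Send the request and return (status, response body). Needs network access."""
    with urlopen(build_trigger_request(url, payload), timeout=timeout) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    info = parse_trigger_url(SAMPLE_TRIGGER_URL)
    print("workflow:", info["workflow_id"], "on", info["host"])
    print("safe to log:", redact_trigger_url(SAMPLE_TRIGGER_URL))
    # Placeholder payload; the real Endpoint flow schema is not documented on this page.
    req = build_trigger_request(SAMPLE_TRIGGER_URL, {"message": "hello"})
    print(req.get_method(), req.full_url.split("?")[0], req.data)
```

Running the module against the constructed URL prints the workflow id and a redacted URL without making any network call; trigger_flow is the only function that sends traffic, and it should only be pointed at the URL of a flow in your own test tenant.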
Changelog v2.1.3
Split the powerpwn dump command into two commands:
- powerpwn recon – Recon for available data connections
- powerpwn dump – Dump content for all available connections found by recon