Slack For RedTeaming

Hello fellas, I hope you’re doing well. In this article, I would like to share my thoughts on a sweet technique I utilized during a real-time red teaming exercise.

Introduction
Having gained access to the company’s network, we were also provided with Office 365 accounts by the client to assess the employees’ preparedness against spear phishing attacks. Through internal reconnaissance, we discovered that the company relies on Slack as its primary communication platform among colleagues. With our Office 365 accounts at hand, we attempted to connect to Slack and determine if we could gain access to any open channels.

Slack : Slack is a proprietary business communication platform developed by American software company Slack Technologies1. It is a messaging app for business that connects people to the information they need. Slack offers many IRC-style features, including persistent chat rooms (channels) organized by topic, private groups, and direct messaging. Slack is the productivity platform that empowers everyone with no-code automation and AI, makes search and knowledge sharing seamless, and keeps teams connected and engaged.

With our sneaky Office account, we effortlessly waltzed right into the company’s Slack party. And boy, were we in for a wild ride! Picture our surprise when we realized that most of the channels were wide open, like a shindig without any security. We dove headfirst into the treasure trove of chats, flipping through the pages of history with a mischievous grin. It was like stumbling upon a secret hangout spot where juicy gossip and scandalous secrets were freely shared. We stumbled upon pinned messages that held the keys to kingdoms — passwords, SSH keys, and other top-secret goodies, all laid bare for our curious eyes.

Now, discovering those credentials was already a major breakthrough, and we thought about using them for some sneaky sideways moves. But that’s not the real reason I’m here to spill the beans today. Brace yourselves, folks, because the trick I’m about to unveil is even easier than we could have imagined.

Tricky scenarion :

So I joined the slack channel, and lets take this as example : im this user “Guillaume le thug”

I noticed that there are other users online, like “Alice and Maurice.” Keep in mind that this is just an example, but in a company Slack, you can find over 50 users to the point where you can’t even scroll through the list anymore.

I’ve been pondering on how I can approach these users and convince them to download my malicious macros or visit a phishing page. But hey, let’s face it, I’m Guillaume le thug — no one’s going to trust me. It’s pretty sad and unfair, but let’s move on to other things, hehe!

While trying to grasp how Slack operates, I realized something interesting. I can actually change my profile information. I can be someone else entirely, not just “le thug.” But here’s the real question: Can I use the same profile information as another existing user?

And guess what? The answer is yes! Slack allows you to modify your information — your name and picture — to anything you want, even if it’s the same as another user’s. The only thing we can’t change is the email, but hey, they won’t notice that until they actually click on your profile to check. Sneaky, right?

Now, here’s the juicy part. I had a whopping number of over 50 users online, not to mention the ones offline. The big question was: Which one should I choose to impersonate? Decisions, decisions!

To make the right call, I invested some time in good old open-source intelligence (OSINT). I dug deep into the users’ profiles, searching for the perfect match for my little game. And guess what? With a stroke of luck, I stumbled upon the perfect candidate: Mr. Maurice!

Mr. Maurice had an intriguing profile. Not only did he hold a high-ranking position in the company’s IT department, but guess what? It was his birthday today! Talk about perfect timing and a reason to celebrate! I couldn’t help but chuckle at the serendipity of the situation. Fate seemed to be smiling upon me, presenting an ideal opportunity to dive into the festivities with a little twist of my own.

And voila! Another Maurice has entered the world today, adding to the celebration of namesakes. It’s like the universe couldn’t resist sprinkling a touch of Maurice magic into the mix. A new addition to the Maurice clan, ready to join in the birthday extravaganza! It seems fate has a sense of humor, doubling the fun and intrigue. Now, with two Maurices in the picture, it’s time to embark on an adventure that will surely leave everyone wondering what on earth is happening. Let the mischief begin!

At this very moment, the notion of approaching other users has been thrown out the window. Why go chasing after them when I can sit back and let them come to me with warm birthday wishes?
That moment when the heart is on but the mind off, I’ll seize the opportunity to ask for some simple favors.

Picture this: “Hey, Alice, would you mind taking a quick look at this report for me? I would be incredibly grateful!” It’s a cunning plan, capitalizing on the cheerful atmosphere and creating an opportune moment to gently sway their willingness. After all, who can resist granting a birthday request? Let the good vibes and favors flow!

Indeed, everything we witnessed in this scenario was rooted in the art of social engineering. It revolved around the cunning strategy of gaining people’s trust and exploiting it using Slack’s features.
Ther still other ways other than sending a malcious macro files, think of Devices spoofing for example and ask the victime to try the new printer in the network …
Check here to know more about this : Spoofing SSDP and UPnP Devices with EvilSSDP — HackTricks

Thanks for reading!