Base64 : Taking a peek with Encoding and decoding



If you’re not aware, Base64 is an encoding methodology that primarily uses hexadecimal values, which to the uninitiated looks like a load of garbled text spanning A-F and 0-9 that is not natively human readable; the human-readable format is ASCII (after decoding).

Forgot about Teams during Packet Capture

I was doing another article about figuring out iOS software updates and decrypting https:// traffic - and on that journey of trying to figure out where traffic was flowing, I actually forgot I had my Teams client running on my phone.

HTTPS Decryption

This means with decryption enabled all the data being sent to Teams was going via my VPN configuration. The way the decryption works means Teams talks to my VPN connection (which in this case is an application called http watch); that is where the secure channel terminates, and from there my VPN will re-establish the connection to the actual destination.

SSL integrity broken with decryption

This means the integrity of SSL has been broken because I’ve trusted a root certificate and I’ve allowed it to intercept my connection and seamlessly pass it through the application before the application then sends the request on to the final destination.

The technical name for this is a man-in-the-middle (MiTM) attack; in this instance http watcher is that man in the middle.

Teams : Blissfully unaware (and it has no way of knowing either)

Teams, thinking about unicorns and saving the planet, is blissfully unaware: when it tries to talk to its final destination, it’s actually talking to the application, which will then break the connection and seamlessly re-establish a session with the Teams servers.

In this particular configuration, I can see everything Teams tries to access, right down to the full URL path, which also includes the authorization headers, which are Base64 encoded. I also observed that this particular application can actually display images within the Teams application.

Emoji images visible in chats

If we look in my application at request 57, that is the point where somebody sent me a party popper emoji; not only can I tell the server it’s coming from and the full path to that emoji, but I can also see a visual representation of that emoji:


Note : in this example I have protected the Teams application with app protection, which is an Intune policy that keeps all my data secure and restricted to the application. However, while I’m unable to see the content, I can see data within the chat that calls external resources because that will be a web request - which is exactly what my VPN is logging.

This will then give you the full request as below, which tells you where the "party popper" PNG is coming from and other juicy information like the iOS version, the country and the time zone:


Chats are logged, but content (excluding external content) is not logged

If we move to request 59, this is the request to write data to the chat I’m having with the recipient; you will notice the operation is now “put” not “get”.

You can then instantly observe exactly what server it’s talking to in order to display my chat GUID that will then contain the messages as below:


Analysing captured data

This also means I can observe the headers of this traffic as well, which happen to include the authorization header, as you can see below. This might look like hieroglyphics, but as you will find later on, we can obtain some quite interesting information from these authorization headers:


This Authorisation header will be encoded in Base64, so let's take a look at that data. Before we do that, as this will not be strict Base64, I would put it through a Base64 repair, which you can do here - paste in the Base64 and click Repair:

You will then get a couple of Base64 fragments returned, and for me the interesting data was in Fragment #1 and #3, as shown below:


You now need to decode this data to ASCII, which you can do with the link here: paste in the repaired Base64 and then use the decode button as below:


This will then give you that data in ASCII format. When I decoded all this data I ended up being able to extract the following information from that request:
  1. Tenant ID
  2. Authentication Method
  3. Application ID
  4. Device ID
  5. Family Name
  6. Given Name
  7. Account Type
  8. Source IP address
  9. Full Name
  10. OID
  11. SID (Active Directory SID)
  12. Unique Name
  13. UPN
This is what that data looked like:

{"aud":"https://ic3.teams.office.com","iss":"https://sts.windows.net/<redacted>/","iat":1726816639,"nbf":1726816639,"exp":1726821304,"acct":0,"acr":"1","aio":"AcQAO/8XAAAApLb<REDACTED>","amr":["rsa","mfa"],"appid":"1fec8e78-<REDACTED>","appidacr":"0","capolids_latebind":["2d934a6c-31ed-49a0-aedc-e87618fe4f88"],"deviceid":"cd1aa03c-8b45-4cb5-a412-5c5492715115","family_name":"Perpertrator","given_name":"Bear","idtyp":"user","ipaddr":"12.55.345.88","name":"Bear Perpertrator","oid":"1a38222f-519b-4488-bafd-8fdd41c9438e","onprem_sid":"S-1-5-21-142122122-1548130249-1115540648-12023","puid":"10033FFF946EABCB","rh":"0.AUcAmR5c4<REDACTED>","scp":"Teams.AccessAsUser.All","sub":"JMyxNxitGGp5LcXIMx3wZkqtf0CGuYjkQGmv7nDXAjk","tid":"e15c1e99-7be3-495c-978e-eca7b8ea9f31","unique_name":"Bear.Perpertrator@pokebearswithsticks.com","upn":"Bear.Perpertrator@pokebearswithsticks.com","uti":"qXrBWzwft0ymsC9lKsQOAA","ver":"1.0","xms_cc":["CP1","protapp"],"xms_idrel":"1 30","xms_ssm":"1"}

I also think that fragment #3 may have exposed the algorithm for my password encryption:

{"typ":"JWT","nonce":"GrfqwmmtMWP<REDACTED>","alg":"RS256","x5t":"H9nj5A<REDACTED>","kid":"H9nj5A<REDACTED>"}
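The repair-and-decode steps above can be reproduced offline, shown here as an added example that is not part of the original post: a bearer token is three Base64url segments joined by dots (URL-safe alphabet, padding stripped), so each segment is padded and decoded on its own. The token, user name and IP address below are constructed, and the function names are assumptions of this example.

```python
import base64
import json

# Claim names that appear in the decoded payload shown in the article.
IDENTIFYING_CLAIMS = ("tid", "amr", "appid", "deviceid", "name", "ipaddr",
                      "oid", "onprem_sid", "upn")


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: URL-safe alphabet, '=' padding stripped."""
    padded = segment + "=" * (-len(segment) % 4)  # restore the padding
    return base64.urlsafe_b64decode(padded)


def b64url_encode(raw: bytes) -> str:
    """Inverse of b64url_decode, used only to build the sample token."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_bearer(header_value: str) -> tuple:
    """Return (JOSE header, claims) from an 'Authorization: Bearer' value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("not a three-part bearer JWT")
    head_seg, claims_seg, _signature = token.split(".")
    # Only the first two segments are JSON; the third is the raw signature.
    # In the header, "alg" names the algorithm that signed the token.
    return json.loads(b64url_decode(head_seg)), json.loads(b64url_decode(claims_seg))


def identifying_claims(claims: dict) -> dict:
    """Subset of claims that identify the user, device or network."""
    return {k: claims[k] for k in IDENTIFYING_CLAIMS if k in claims}


def build_sample_header() -> str:
    """Constructed token: invented values, placeholder signature bytes."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"aud": "https://ic3.teams.office.com", "amr": ["rsa", "mfa"],
              "name": "Sample User", "ipaddr": "192.0.2.10",
              "upn": "sample.user@example.com", "exp": 1726821304}
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    parts.append(b64url_encode(b"placeholder-signature"))
    return "Bearer " + ".".join(parts)


if __name__ == "__main__":
    jose, claims = decode_bearer(build_sample_header())
    print(jose["alg"], identifying_claims(claims))
```

Nothing in the first two segments is encrypted, so anything that can read the header (a trusted interception proxy, a debug log, a crash dump) can read these claims.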

Encoding Commands with Powershell

If you have commands you want to run using PowerShell, you can encode them in Base64 and run them via PowerShell using this command:

Powershell -EncodedCommand "<Base64>"

We now need some commands to test with, so how about a nice toast notification generated with encoded PowerShell? First we need to start with the code:

# Define variables
$Title = "Encoded Notification"
$Message = "This a a test of an encoded notification"
$Type = "info"

# Load necessary assemblies
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

# Get the icon from the current process
$processPath = (Get-Process -Id $PID).Path
$icon = [System.Drawing.Icon]::ExtractAssociatedIcon($processPath)

# Create and configure the notification
$notifyIcon = New-Object System.Windows.Forms.NotifyIcon
$notifyIcon.Icon = $icon
$notifyIcon.Visible = $true

# Show the balloon tip
$notifyIcon.ShowBalloonTip(10000, $Title, $Message, [System.Windows.Forms.ToolTipIcon]::$Type)

# Optional: Keep notification alive for a while to prevent immediate termination of the script
Start-Sleep -Seconds 15

# Hide and dispose of the notification icon
$notifyIcon.Visible = $false
$notifyIcon.Dispose()

That code will produce this notification, which is also called a toast notification:


We now need to put this code in a string, so we need to add the sections in bold to the code (the opening $EncodingScript = @' line and the closing '@ line):

$EncodingScript = @'
# Define variables
$Title = "Encoded Notification"
$Message = "This a a test of an encoded notification"
$Type = "info"

# Load necessary assemblies
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing

# Get the icon from the current process
$processPath = (Get-Process -Id $PID).Path
$icon = [System.Drawing.Icon]::ExtractAssociatedIcon($processPath)

# Create and configure the notification
$notifyIcon = New-Object System.Windows.Forms.NotifyIcon
$notifyIcon.Icon = $icon
$notifyIcon.Visible = $true

# Show the balloon tip
$notifyIcon.ShowBalloonTip(10000, $Title, $Message, [System.Windows.Forms.ToolTipIcon]::$Type)

# Optional: Keep notification alive for a while to prevent immediate termination of the script
Start-Sleep -Seconds 15

# Hide and dispose of the notification icon
$notifyIcon.Visible = $false
$notifyIcon.Dispose()
'@

We now need to convert that to Base64 with this command:

$EncodedScript = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($EncodingScript))

Then call $EncodedScript to get the Base64 as you can see below:


You can use this to copy that to the clipboard:

$EncodedScript | Clip

You will then have that in your clipboard. To run the command you need to use -EncodedCommand as above, like this; you can also put all your Base64 in quotes as well:

Powershell -EncodedCommand $EncodedScript

Then Powershell will run your encoded command, magic:


The problem is you could easily weaponise this and do something more interesting with it.
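From the defender's side, the same encoding is trivially reversible, so an encoded command seen in process-creation logs can be decoded for triage. This added example (not part of the original post) finds the flag on a command line and reverses the [Text.Encoding]::Unicode step, which is UTF-16LE. The command lines and function names are constructed for illustration, and the matcher accepts the -ec alias and shortened forms of the parameter name because PowerShell accepts abbreviated parameters.

```python
import base64
import re

FULL_NAME = "encodedcommand"
# A flag token followed by its argument, optionally quoted.
FLAG_RE = re.compile(r"""(?i)\s-(\w+)\s+["']?([A-Za-z0-9+/=]+)["']?""")


def is_encoded_flag(flag: str) -> bool:
    """True for -EncodedCommand, the -ec alias, or a prefix of the name."""
    flag = flag.lower()
    return flag == "ec" or FULL_NAME.startswith(flag)


def decode_encoded_command(b64: str) -> str:
    """The argument is Base64 over UTF-16LE text, not over ASCII."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le")


def extract_scripts(command_line: str) -> list:
    """Return the decoded script for every encoded-command flag on the line."""
    scripts = []
    for flag, arg in FLAG_RE.findall(command_line):
        if is_encoded_flag(flag):
            try:
                scripts.append(decode_encoded_command(arg))
            except ValueError:  # bad Base64 or bad UTF-16 both land here
                scripts.append("<undecodable argument>")
    return scripts


def sample_command_lines() -> list:
    """Constructed process-creation command lines (not from the article)."""
    script = '$Title = "Encoded Notification"'
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return [
        f"powershell.exe -NoProfile -EncodedCommand {blob}",
        f'powershell.exe -enc "{blob}"',
        "powershell.exe -ExecutionPolicy RemoteSigned -File report.ps1",
    ]


if __name__ == "__main__":
    for line in sample_command_lines():
        print(extract_scripts(line) or "no encoded command")
```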