Merge pull request #51 from petrsnm/patch-1

s/PTR/PRT/g
HackTricks-wiki · Jun 4, 2024 · 8de0502 · 8de0502
2 parents b05b804 + 06f1b44
commit 8de0502
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md
@@ -58,7 +58,7 @@ The **LSASS** process will send to the TPM the **KDF context**, and the TPM will
 
 The **KDF context is** a nonce from AzureAD and the PRT creating a **JWT** mixed with a **context** (random bytes).
 
-Therefore, even if the PTR cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**.
+Therefore, even if the PRT cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**.
 
 <figure><img src="../../../.gitbook/assets/image (31).png" alt=""><figcaption></figcaption></figure>
 
@@ -126,7 +126,7 @@ Connect-AzureAD --AadAccessToken <token> --AccountId <acc_ind>
 
 ### Attack - Using roadrecon
 
-### Attack - Using AADInternals an leaked PTR
+### Attack - Using AADInternals and a leaked PRT
 
 `Get-AADIntUserPRTToken` **gets user’s PRT token** from the Azure AD joined or Hybrid joined computer. Uses `BrowserCore.exe` to get the PRT token.
 
@@ -269,7 +269,7 @@ HttpOnly: Set to True (checked)
 The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good.
 {% endhint %}
 
-#### Option 2 - roadrecon using PTR
+#### Option 2 - roadrecon using PRT
 
 * Renew the PRT first, which will save it in `roadtx.prt`: