From 8090429d5f01ef726d4c2e33caed6d08e8523b75 Mon Sep 17 00:00:00 2001 From: CPol Date: Sat, 30 Nov 2024 03:49:49 +0000 Subject: [PATCH] GITBOOK-717: No subject --- SUMMARY.md | 6 +- .../az-authorization-privesc.md | 61 ++++++++++++++++++- .../azure-security/az-services/az-azuread.md | 16 +++-- 3 files changed, 73 insertions(+), 10 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index 7a77df6069..f7a2f16eae 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -399,7 +399,7 @@ * [Az - Device Code Authentication Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-device-code-authentication-phishing.md) * [Az - Password Spraying](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying.md) * [Az - Services](pentesting-cloud/azure-security/az-services/README.md) - * [Az - Entra ID (formerly AzureAD - AAD) & IAM](pentesting-cloud/azure-security/az-services/az-azuread.md) + * [Az - Entra ID (AzureAD) & Azure IAM](pentesting-cloud/azure-security/az-services/az-azuread.md) * [Az - Management Groups, Subscriptions & Resource Groups](pentesting-cloud/azure-security/az-services/az-management-groups-subscriptions-and-resource-groups.md) * [Az - ACR](pentesting-cloud/azure-security/az-services/az-acr.md) * [Az - Application Proxy](pentesting-cloud/azure-security/az-services/az-application-proxy.md) 
@@ -442,13 +442,13 @@ * [Az - Blob Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md) * [Az - Queue Storage Post Exploitation](pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md) * [Az - Privilege Escalation](pentesting-cloud/azure-security/az-privilege-escalation/README.md) - * [Az - Authorization Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) + * [Az - Azure IAM Privesc (Authorization)](pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md) * [Az - EntraID Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md) * [Az - Conditional Access Policies & MFA Bypass](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md) * [Az - Dynamic Groups Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md) - * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) * [Az - Key Vault Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md) * [Az - Queue Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md) + * [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md) * [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md) * [Az - Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md) * [Az - Queue Storage Persistence](pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md) diff --git a/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md b/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md index 9bf7035442..ee41873df4 100644 
--- a/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md +++ b/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md @@ -1,4 +1,4 @@ -# Az - Authorization Privesc +# Az - Azure IAM Privesc (Authorization) {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ @@ -15,9 +15,17 @@ Learn & practice GCP Hacking: {% endhint %} +## Azure IAM + +Fore more information check: + +{% content-ref url="../az-services/az-azuread.md" %} +[az-azuread.md](../az-services/az-azuread.md) +{% endcontent-ref %} + ### Microsoft.Authorization/roleAssignments/write -This permission allows to assign roles to principals over a specific scope: +This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role: {% code overflow="wrap" %} ```bash 
@@ -26,6 +34,55 @@ az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e55 ``` {% endcode %} +### Microsoft.Authorization/roleDefinitions/Write + +This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned. + +Create the file `role.json` with the following **content**: + +```json +{ + "Name": "", + "IsCustom": true, + "Description": "Custom role with elevated privileges", + "Actions": [ + "*" + ], + "NotActions": [], + "DataActions": [ + "*" + ], + "NotDataActions": [], + "AssignableScopes": [ + "/subscriptions/" + ] +} +``` + +Then update the role permissions with the previous definition calling: + +```bash +az role definition update --role-definition role.json +``` + +### Microsoft.Authorization/elevateAccess/action + +This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources. + +{% hint style="success" %} +I think the user need to be Global Administrator in Entrad ID for the elevate call to work. +{% endhint %} + +{% code overflow="wrap" %} +```bash +# Call elevate +az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" + +# Grant a user the Owner role +az role assignment create --assignee "" --role "Owner" --scope "/" +``` +{% endcode %} + {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte) diff --git a/pentesting-cloud/azure-security/az-services/az-azuread.md b/pentesting-cloud/azure-security/az-services/az-azuread.md index beddaf5588..7d0be5a172 100644 
--- a/pentesting-cloud/azure-security/az-services/az-azuread.md +++ b/pentesting-cloud/azure-security/az-services/az-azuread.md @@ -1,4 +1,4 @@ -# Az - Entra ID (formerly AzureAD - AAD) & IAM +# Az - Entra ID (AzureAD) & Azure IAM {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ @@ -930,10 +930,16 @@ Get-AzureADMSScopedRoleMembership -Id | fl #Get role ID and role members {% endtab %} {% endtabs %} -## Privilege Escalation +## Entra ID Privilege Escalation -{% content-ref url="../az-privilege-escalation/" %} -[az-privilege-escalation](../az-privilege-escalation/) +{% content-ref url="../az-privilege-escalation/az-entraid-privesc/" %} +[az-entraid-privesc](../az-privilege-escalation/az-entraid-privesc/) +{% endcontent-ref %} + +## Azure Privilege Escalation + +{% content-ref url="../az-privilege-escalation/az-authorization-privesc.md" %} +[az-authorization-privesc.md](../az-privilege-escalation/az-authorization-privesc.md) {% endcontent-ref %} ## Defensive Mechanisms @@ -980,7 +986,7 @@ It allows the admin to configure it to **block** attempts when the risk is "Low Nowadays it's recommended to add these restrictions via Conditional Access policies where it's possible to configure the same options. {% endhint %} -## Entra Password Protection +### Entra Password Protection Entra Password Protection ([https://portal.azure.com/#view/Microsoft\_AAD\_ConditionalAccess/PasswordProtectionBlade](https://portal.azure.com/#view/Microsoft_AAD_ConditionalAccess/PasswordProtectionBlade)) is a security feature that **helps prevent the abuse of weak passwords in by locking out accounts when several unsuccessful login attempts happen**.\ It also allows to **ban a custom password list** that you need to provide.
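Review bot: typo in the new cross-reference block of the `@@ -15,9 +15,17 @@` hunk in az-authorization-privesc.md: `Fore more information check:` should read `For more information check:`. In the same hunk the rewritten sentence `This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:` reads better as `This permission allows assigning roles to principals over a specific scope, so an attacker holding it can escalate privileges by assigning themselves a more privileged role:`. Since this page now opens with an "Azure IAM" section, it would also help the reader to say in that section that the scope matters: a `roleAssignments/write` grant at resource-group scope only lets the holder assign roles within that resource group, not at subscription or root scope.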
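Review bot: the new `### Microsoft.Authorization/roleDefinitions/Write` section in the `@@ -26,6 +34,55 @@` hunk should state that only custom role definitions can be modified (built-in roles are read-only), so `granting more permissions to a role he has assigned` only applies when the assigned role is a custom one; and `az role definition update --role-definition role.json` will not succeed with the JSON as written, because `"Name": ""` and `"/subscriptions/"` are empty, so the text should say the name must match the existing custom role and the scope must be a real subscription id. Minor points in the same hunk: the heading uses `roleDefinitions/Write` where the other headings use lowercase `write` (`roleAssignments/write`); `This permissions allows to elevate privileges` should be `This permission allows elevating privileges`; `Entrad ID` should be `Entra ID`. The hedged hint `I think the user need to be Global Administrator in Entrad ID for the elevate call to work.` could be stated plainly from Microsoft's documentation: elevate access is only available to Entra ID Global Administrators and it assigns the caller the User Access Administrator role at root scope `/`, which is what makes the following `az role assignment create --assignee "" --role "Owner" --scope "/"` possible; it is worth adding that this elevation is logged and should be removed again once no longer needed, since from a defender's side a root-scope `elevateAccess` call followed by a root-scope Owner assignment is a strong signal to alert on.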
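Review bot: naming in the `@@ -930,10 +930,16 @@` hunk of az-azuread.md is inconsistent with the rest of this patch: the new heading `## Azure Privilege Escalation` links to the page that SUMMARY.md now calls `Az - Azure IAM Privesc (Authorization)`, so `## Azure IAM Privilege Escalation` would match the other renames in this commit and distinguish it more clearly from `## Entra ID Privilege Escalation` above it.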