impr

HackTricks-wiki · Jan 26, 2025 · 98c7e56 · 98c7e56
1 parent 27d07ae
commit 98c7e56
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 8 deletions.
diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md
@@ -38,6 +38,7 @@ With this information the most common ways to try to get a foothold are:
 - Vulnerabilities in Azure-Hosted Applications
   - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint
   - **Subdomain takeovers** like in [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/)
+  - **Other azure services misconfigurations**
 - If some developer laptop is compromised ([WinPEAS and LinPEAS](https://github.com/peass-ng/PEASS-ng) can find this info):
   - Inside **`<HOME>/.Azure`**
     - **`azureProfile.json`** contains info about logged in users from the past
@@ -54,6 +55,11 @@ With this information the most common ways to try to get a foothold are:
     - In Windows this just generates id tokens.
     - Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless)
 
+Find **other Azure Services misconfigurations** that cal lead to a foothold in the following page:
+
+{{#ref}}
+az-unauthenticated-enum-and-initial-entry/
+{{#endref}}
 
 > [!NOTE]
 > Remember that usually the **noisiest** part of the enumeration is the **login**, not the enumeration itself.
@@ -159,13 +165,32 @@ az-enumeration-tools.md#automated-post-exploitation-tools
 
 Once you know who you are, you can start enumerating the **Azure services you have access to**.
 
+You should start finding out the **permissions you have** over the resources. For this:
+
+1. **Find the resource you have some acecss to**:
+
 The Az PoswerShell command **`Get-AzResource`** lets you **know the resources your current user has visibility over**.
 
 Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing: `az rest --method GET --url "https://management.azure.com/subscriptions/<subscription-id>/resources?api-version=2021-04-01"`
 
-Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`**
+2. **Find the permissions you have over the resources you have access to and find the roles assigned to you**:
+
+Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action.
+
+Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`**. 
+
+It's also possible to get this information running **`az rest --method GET --uri "https://management.azure.com/<Scope>/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`** like in:
+
+- **`az rest --method GET --uri "https://management.azure.com//subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/vault-m3ww8ut4/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`**
+
+3. **Find the granular permissions of the roles attached to you **:
+
+Then, to get the granular permission you could run **`(Get-AzRoleDefinition -Id "<RoleDefinitionId>").Actions`**.
+
+Or call the API directly with **`az rest --method GET --uri "https://management.azure.com//subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<RoleDefinitionId>?api-version=2020-08-01-preview" | jq ".properties"`**.
+
 
-In the following section you can find information about the most common Azure services and how to enumerate them:
+In the following section you can find **information about the most common Azure services and how to enumerate them**:
 
 {{#ref}}
 az-services/

diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md
diff --git a/...d/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md b/...d/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md
@@ -46,4 +46,3 @@ Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-ex
 {{#include ../../../banners/hacktricks-training.md}}
 
 
-
Original file line number	Diff line number	Diff line change
Expand Up		@@ -46,4 +46,3 @@ Use [Storage Explorer](https://azure.microsoft.com/en-us/features/storage-ex
		{{#include ../../../banners/hacktricks-training.md}}