From 98c7e569024baaee7f4631c763b7c8da81e5ed53 Mon Sep 17 00:00:00 2001 From: Carlos Polop Date: Sun, 26 Jan 2025 11:42:59 +0100 Subject: [PATCH] impr --- src/pentesting-cloud/azure-security/README.md | 29 +++++++++++++++++-- .../az-privilege-escalation/README.md | 5 ---- .../az-storage-unauth.md | 1 - 3 files changed, 27 insertions(+), 8 deletions(-) delete mode 100644 src/pentesting-cloud/azure-security/az-privilege-escalation/README.md diff --git a/src/pentesting-cloud/azure-security/README.md b/src/pentesting-cloud/azure-security/README.md index 2e82437a9f..ad01e10c1a 100644 --- a/src/pentesting-cloud/azure-security/README.md +++ b/src/pentesting-cloud/azure-security/README.md @@ -38,6 +38,7 @@ With this information the most common ways to try to get a foothold are: - Vulnerabilities in Azure-Hosted Applications - [**Server Side Request Forgery**](https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html) with access to metadata endpoint - **Subdomain takeovers** like in [https://godiego.co/posts/STO-Azure/](https://godiego.co/posts/STO-Azure/) + - **Other azure services misconfigurations** - If some developer laptop is compromised ([WinPEAS and LinPEAS](https://github.com/peass-ng/PEASS-ng) can find this info): - Inside **`/.Azure`** - **`azureProfile.json`** contains info about logged in users from the past @@ -54,6 +55,11 @@ With this information the most common ways to try to get a foothold are: - In Windows this just generates id tokens. - Possible to see if Az PowerShell was used in Linux and macSO checking is `$HOME/.local/share/.IdentityService/` exists (although the contained files are empty and useless) +Find **other Azure Services misconfigurations** that cal lead to a foothold in the following page: + +{{#ref}} +az-unauthenticated-enum-and-initial-entry/ +{{#endref}} > [!NOTE] > Remember that usually the **noisiest** part of the enumeration is the **login**, not the enumeration itself. 
@@ -159,13 +165,32 @@ az-enumeration-tools.md#automated-post-exploitation-tools Once you know who you are, you can start enumerating the **Azure services you have access to**. +You should start finding out the **permissions you have** over the resources. For this: + +1. **Find the resource you have some acecss to**: + The Az PoswerShell command **`Get-AzResource`** lets you **know the resources your current user has visibility over**. Moreover, you can get the same info in the **web console** going to [https://portal.azure.com/#view/HubsExtension/BrowseAll](https://portal.azure.com/#view/HubsExtension/BrowseAll) or searching for "All resources" or executing: `az rest --method GET --url "https://management.azure.com/subscriptions//resources?api-version=2021-04-01"` -Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`** +2. **Find the permissions you have over the resources you have access to and find the roles assigned to you**: + +Note that you need the permission **`Microsoft.Authorization/roleAssignments/read`** to execute this action. + +Furthermore, with enough permissions, the role **`Get-AzRoleAssignment`** can be used to **enumerate all the roles** in the subscription or the permission over a specific resource indicatig it like in: **`Get-AzRoleAssignment -Scope /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.RecoveryServices/vaults/vault-m3ww8ut4`**. 
+ +It's also possible to get this information running **`az rest --method GET --uri "https://management.azure.com//providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`** like in: + +- **`az rest --method GET --uri "https://management.azure.com//subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/vault-m3ww8ut4/providers/Microsoft.Authorization/roleAssignments?api-version=2020-08-01-preview" | jq ".value"`** + +3. **Find the granular permissions of the roles attached to you **: + +Then, to get the granular permission you could run **`(Get-AzRoleDefinition -Id "").Actions`**. + +Or call the API directly with **`az rest --method GET --uri "https://management.azure.com//subscriptions//providers/Microsoft.Authorization/roleDefinitions/?api-version=2020-08-01-preview" | jq ".properties"`**. + -In the following section you can find information about the most common Azure services and how to enumerate them: +In the following section you can find **information about the most common Azure services and how to enumerate them**: {{#ref}} az-services/ diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md deleted file mode 100644 index 6e0dca1993..0000000000 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md +++ /dev/null @@ -1,5 +0,0 @@ -# Az - Privilege Escalation - - - - diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md index c0579d8c83..e52ae398be 100644 --- a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md 
@@ -46,4 +46,3 @@ Use [**Storage Explorer**](https://azure.microsoft.com/en-us/features/storage-ex {{#include ../../../banners/hacktricks-training.md}} -
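Review bot: In the `@@ -38,6 +38,7 @@` hunk of `azure-security/README.md`, the new bullet `**Other azure services misconfigurations**` is the only entry in that sub-list without a link, and it writes "azure" in lowercase while the sentence added further down uses "Azure Services". Link the bullet to `az-unauthenticated-enum-and-initial-entry/` directly and use the same capitalisation in both places.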
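Review bot: Typo in the sentence added by the `@@ -54,6 +55,11 @@` hunk: "that cal lead to a foothold" should read "that can lead to a foothold". Since this hunk already touches the paragraph, the context line just above it could be fixed in the same pass ("macSO", "checking is `$HOME/.local/share/.IdentityService/` exists").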
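Review bot: In the `@@ -159,13 +165,32 @@` hunk the command examples of steps 1 to 3 are inconsistent with each other and, as written, incomplete. The URLs contain empty path segments (`subscriptions//resources`, `management.azure.com//providers/...`, `roleDefinitions/?api-version=...`) and `Get-AzRoleDefinition -Id ""` has an empty id, so state which value goes in each position. The same vault name `vault-m3ww8ut4` appears under `Microsoft.RecoveryServices/vaults` in the `Get-AzRoleAssignment` example and under `Microsoft.KeyVault/vaults` in the `az rest` example; pick one. The first `az rest` call uses `--url` and the later ones `--uri`; use one spelling throughout. Both examples also hardcode a subscription GUID where a placeholder would be clearer. On wording: `Get-AzRoleAssignment` is described as "the role" although it is a command; in step 2 the note about `Microsoft.Authorization/roleAssignments/read` comes before any action has been named, so move it after the command it applies to; the step 3 heading ends in `you **:` and the space before the closing `**` will stop the bold from rendering; and the added lines carry the typos "acecss", "PoswerShell" and "indicatig".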
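Review bot: The deletion of `az-privilege-escalation/README.md` comes with no change to any index or `{{#ref}}` block in this patch, so check that nothing still points at that path before merging. The commit subject "impr" does not say why the page is removed or that the commit also restructures the enumeration section; a one-line description of both would help anyone reading the history.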