
Commit

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks-cloud
carlospolop committed Feb 22, 2025
2 parents b1fcb10 + 93b40db commit f0f7813
Showing 6 changed files with 220 additions and 28 deletions.
2 changes: 1 addition & 1 deletion searchindex.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion searchindex.json

Large diffs are not rendered by default.

Expand Up @@ -20,6 +20,46 @@ az logic workflow identity remove/assign \
--user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"
```

Addittionaly with just `Microsoft.Logic/workflows/write` you can change some configurations such as Allowed inbound IP addresses or Run history retention days:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Logic/workflows/<workflow_name>?api-version=2019-05-01" \
--headers "Content-Type=application/json" \
--body '{
"location": "<location>",
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"triggers": {
"<trigger_name>": {
"type": "Request",
"kind": "Http"
}
},
"actions": {},
"outputs": {}
},
"runtimeConfiguration": {
"lifetime": {
"unit": "day",
"count": <count>
}
},
"accessControl": {
"triggers": {
"allowedCallerIpAddresses": []
},
"actions": {
"allowedCallerIpAddresses": []
}
}
}
}'
```

### `Microsoft.Web/sites/read`, `Microsoft.Web/sites/write`
With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.
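Review bot: the PUT body in the new block does more than change the inbound IP allow list and the retention days, because `az rest --method PUT` on the workflow resource replaces the whole resource: with `"actions": {}` and `"outputs": {}` it would wipe the existing workflow logic if run as-is. Say that the body should be the current resource (fetched with a GET) with only `runtimeConfiguration.lifetime` and `accessControl` edited, and spell out what the empty `allowedCallerIpAddresses` arrays mean rather than leaving the reader to guess. Both changes are ordinary `Microsoft.Logic/workflows/write` operations, so they are visible in the Activity Log like any other workflow update. Also "Addittionaly" should read "Additionally".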

Expand All @@ -39,7 +79,6 @@ az webapp start/stop/restart \
--resource-group <resource_group_name>
```


### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/read` && `Microsoft.Web/sites/config/write`

With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.
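Review bot: the heading joins three permissions with `&&` but the text opens with "With this permission" (singular); state that all three are needed together, since the distinction between "read" and "config/write" is the whole point of this entry. The hunk itself only drops the duplicated blank line, which is fine.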
Expand Down Expand Up @@ -131,6 +170,19 @@ az logic integration-account session create \
}'
```

### `Microsoft.Logic/workflows/regenerateAccessKey/action`

Users with this permission are able to regenerate Logic App access keys, and if misused, it can lead to service disruptions.

```bash
az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Logic/workflows/<workflow-name>/regenerateAccessKey?api-version=<api-version>" \
--body '{"keyType": "<key-type>"}' \
--headers "Content-Type=application/json"

```


### "*/delete"
With this permissions you can delete resources related to Azure Logic Apps
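Review bot: the `<api-version>` and `<key-type>` placeholders are inconsistent with the rest of the file, which pins concrete versions such as `2019-05-01`; pin the version and name the accepted `keyType` values (the REST operation takes `Primary` or `Secondary`). The "service disruption" mentioned above deserves one sentence of explanation: regenerating a key invalidates every trigger callback URL signed with that key, so integrations that cached the URL stop working, and the call is logged in the Activity Log under `Microsoft.Logic/workflows/regenerateAccessKey/action`, which is the event a defender should alert on. Remove the stray blank line before the closing fence and the doubled blank line after it; "With this permissions" in the next heading's text is a typo for "With this permission".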

Expand Down
Expand Up @@ -35,6 +35,69 @@ az rest \
--body '{}' \
--headers "Content-Type=application/json"
```
Addittionaly with just `Microsoft.Logic/workflows/write` you change the Authorization Policy, giving for example another tenant the capability to trigger the workflow:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Logic/workflows/<workflow-name>?api-version=2016-10-01" \
--body '{
"location": "<region>",
"properties": {
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"<trigger-name>": {
"type": "Request",
"kind": "Http"
}
},
"actions": {},
"outputs": {}
},
"accessControl": {
"triggers": {
"openAuthenticationPolicies": {
"policies": {
"<policy-name>": {
"type": "AAD",
"claims": [
{
"name": "iss",
"value": "<issuer-url>"
}
]
}
}
}
}
}
}
}'

```

### `Microsoft.Logic/workflows/triggers/listCallbackUrl/action`
You can get the callback URL of the trigger and run it.

```bash
az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Logic/workflows/<workflow_name>/triggers/<trigger_name>/listCallbackUrl?api-version=2019-05-01"
```

This will return a callback URL like `https://prod-28.centralus.logic.azure.com:443/workflows/....`. Now we can run it with:

```bash
curl --request POST \
--url "https://prod-28.centralus.logic.azure.com:443/workflows/<workflow_id>/triggers/<trigger_name>/paths/invoke?api-version=2019-05-01&sp=%2Ftriggers%2F<trigger_name>%2Frun&sv=1.0&sig=<signature>" \
--header 'Content-Type: application/json' \
--data '{"exampleKey": "exampleValue"}'
```

### (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/basicPublishingCredentialsPolicies/read`, `Microsoft.Web/sites/write`, `Microsoft.Web/sites/config/list/action`) && (`Microsoft.Web/sites/start/action`)
With these permissions, you can deploy, Logic App workflows using ZIP file deployments. These permissions enable actions such as reading app details, accessing publishing credentials, writing changes, and listing app configurations. Alongside the start permissions you can update and deploy a new Logic App with the content desired
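Review bot: the authorization-policy PUT has the same problem as the earlier write example: the body is a full workflow resource with `"actions": {}` and `"outputs": {}`, so it would overwrite the workflow logic; say that only `accessControl.triggers.openAuthenticationPolicies` should be merged into the existing resource. It also uses `api-version=2016-10-01` while the `listCallbackUrl` command three lines down uses `2019-05-01`; pick one. "you change the Authorization Policy" should read "you can change the Authorization Policy", "Addittionaly" should be "Additionally", and the blank line before the closing fence should go. Two points worth adding for the reader: the `iss` claim value is the tenant's token issuer, so a policy whose issuer is not the owning tenant is exactly what a defender should look for when reviewing `accessControl` on workflows; and the URL returned by `listCallbackUrl` embeds a SAS signature (`sig=`), so that output is a credential and should be handled and logged as one.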
Expand Down
44 changes: 32 additions & 12 deletions src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md
Expand Up @@ -10,7 +10,7 @@ Azure Cosmos DB provides multiple database APIs to model real-world data using d

One key aspect of CosmosDB is Azure Cosmos Account. **Azure Cosmos Account**, acts as the entry point to the databases. The account determines key settings such as global distribution, consistency levels, and the specific API to be used, such as NoSQL. Through the account, you can configure global replication to ensure data is available across multiple regions for low-latency access. Additionally, you can choose a consistency level that balances between performance and data accuracy, with options ranging from Strong to Eventual consistency.

Azure Cosmos DB supports **user-assigned identities** and **system-assigned managed identities** that are automatically created and tied to the resource's lifecycle, allowing for secure, token-based authentication when connecting to other services—provided those services have the appropriate role assignments. However, Cosmos DB doesn't have a built‑in mechanism to directly query external data sources like Azure Blob Storage. Unlike SQL Server's external table features, Cosmos DB requires data to be ingested into its containers using external tools such as Azure Data Factory, the Data Migration Tool, or custom scripts before it can be queried with its native query capabilities.
Azure Cosmos DB supports **user-assigned identities** and **system-assigned managed identities** that are automatically created and tied to the resource's lifecycle. However, Cosmos DB doesn't have a built‑in mechanism to directly query external data sources like Azure Blob Storage. Unlike SQL Server's external table features, Cosmos DB requires data to be ingested into its containers using external tools such as Azure Data Factory, the Data Migration Tool, or custom scripts before it can be queried with its native query capabilities.

### NoSQL
The Azure Cosmos DB NoSQL API is a document-based API that uses JSON as its data format. It provides a SQL-like query syntax for querying JSON objects, making it suitable for working with structured and semi-structured data. The endpoint of the service is:
Expand All @@ -20,16 +20,16 @@ https://<Account-Name>.documents.azure.com:443/
```

#### Databases
Within an account, you can create one or more databases, which serve as logical groupings of containers. A database acts as a boundary for resource management and user permissions. Databases can either share provisioned throughput across their containers or allocate dedicated throughput to individual containers.
Within an account, you can create one or more databases, which serve as logical groupings of containers. A database acts as a boundary for resource management and user permissions. Databases can either let multiple containers use a shared pool of performance capacity or give each container its own dedicated power.

#### Containers
The core unit of data storage is the container, which holds JSON documents and is automatically indexed for efficient querying. Containers are elastically scalable and distributed across partitions, which are determined by a user-defined partition key. The partition key is critical for ensuring optimal performance and even data distribution. For example, a container might store customer data, with "customerId" as the partition key.

#### Key Features
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Backup & Recovery**: from Periodic, Continuous (7 days), or Continuous (30 days) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).
- **Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
- **Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources. Microsoft Defender for Cloud can be enabled. To make the connection you can make use of keys.
- **Backup & Recovery**: from Periodic, Continuous (7 days), or Continuous (30 days) backup policies with configurable intervals and retention.
- **Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).

#### Enumeration
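Review bot: the rewrite of the Databases paragraph trades the precise term "provisioned throughput" for "shared pool of performance capacity" and "dedicated power"; keep "throughput (RU/s)", since the rest of the page uses "Request unit (RU)" and the vaguer wording does not help the reader. The edit to the managed-identity sentence drops the part that explained what the identities are for (token-based authentication to other services that have the matching role assignments), which was the security-relevant half; keep it. In the new bullet list, "To make the connection you can make use of keys" is too vague: say the account keys (primary/secondary, read-write or read-only), as the Connection section below does. Converting the feature list to bullets is a good change.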

Expand Down Expand Up @@ -81,10 +81,7 @@ az cosmosdb mongocluster firewall rule list --cluster-name <name> --resource-gro
# Connect to in
brew install mongosh
mongosh "mongodb://<username>:<password>@<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false" --username <username> --password <password>
```
{{#endtab }}

{{#tab name="Az Powershell" }}
```
{{#endtab }}
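Review bot: moving the `mongocluster` commands and the mongosh connection out of the NoSQL tab is right (they reappear under MongoDB later in this commit), but after the removal the "Az Powershell" tab here is a `{{#tab}}` followed by a lone backtick fence; check that the fence is still balanced in the rest of the file, or drop the empty tab entirely.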

Expand Down Expand Up @@ -136,7 +133,9 @@ Get-AzCosmosDBSqlUserDefinedFunction -ResourceGroupName "<ResourceGroupName>" -A

#### Connection

It has 2 key types, Read-write (full) and Read-only. They give the indicated access all databases, collections, and data inside the Cosmos DB account.
To connect the azure-cosmosDB (pip install azure-cosmos) library is needed. Additionally the endpoint and the key are crutial components to make the connection.

```python
from azure.cosmos import CosmosClient, PartitionKey

Expand Down Expand Up @@ -218,7 +217,7 @@ The core unit of data storage in MongoDB is the collection, which holds document

#### Key Features of Request unit (RU) type
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources. To make the connection you can make use of keys.
**Backup & Recovery**: from Periodic, Continuous (7 days, free), or Continuous (30 days, paid) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).
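Review bot: "To make the connection you can make use of keys" is the same vague sentence added to the NoSQL list; say account keys (primary/secondary, read-write or read-only) as the RU Connection section below explains. This feature list is also still plain lines while the NoSQL one was converted to bullets in this commit; do the same here for consistency.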

Expand Down Expand Up @@ -253,10 +252,23 @@ az cosmosdb mongodb database list --account-name <AccountName> --resource-group
# List all collections in a specific MongoDB database within an Azure Cosmos DB account
az cosmosdb mongodb collection list --account-name <AccountName> --database-name <DatabaseName> --resource-group <ResourceGroupName>

#RBAC FUNCTIONALITIES MUST BE ENABLED TO USE THIS
# List all role definitions for MongoDB within an Azure Cosmos DB account
az cosmosdb mongodb role definition list --account-name <AccountName> --resource-group <ResourceGroupName>
# List all user definitions for MongoDB within an Azure Cosmos DB account
az cosmosdb mongodb user definition list --account-name <AccountName> --resource-group <ResourceGroupName>

## MongoDB (vCore)
# Install az cli extension
az extension add --name cosmosdb-preview
# List all MongoDB databases in a specified Azure Cosmos DB account
az cosmosdb mongocluster list
az cosmosdb mongocluster show --cluster-name <name> --resource-group <ResourceGroupName>
# Get firewall rules
az cosmosdb mongocluster firewall rule list --cluster-name <name> --resource-group <ResourceGroupName>
# Connect to in
brew install mongosh
mongosh "mongodb://<username>:<password>@<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false" --username <username> --password <password>
```
{{#endtab }}
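Review bot: the comment "List all MongoDB databases in a specified Azure Cosmos DB account" above `az cosmosdb mongocluster list` is wrong; that command lists vCore clusters in the subscription, and `show` returns one cluster. "Connect to in" is a typo, and `brew install mongosh` only applies to macOS. More importantly, the mongosh connection string (`<account-name>.mongo.cosmos.azure.com:10255` with `replicaSet=globaldb`) is the RU-based API for MongoDB format and is identical to the one in the RU Connection section below, so it is almost certainly wrong for a vCore cluster, which has its own connection string shown on the cluster's connection-strings blade (a `mongocluster.cosmos.azure.com` host); verify before publishing. The firewall-rule listing is the useful defender-side check in this block and deserves a comment saying why (it shows which source IPs can reach the cluster).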

Expand Down Expand Up @@ -297,14 +309,16 @@ Get-AzCosmosDBMongoDBRoleDefinition -AccountName <account-name> -ResourceGroupNa

#### Connection

Here the password you can find them with the keys or with the method decribed in the privesc section.
RU MongoDB type in CosmoDB has 2 key types, Read-write (full) and Read-only. They give the indicated access all databases, collections, and data inside the Cosmos DB account.
For the pasword you can use the keys or with the method decribed in the privesc section.
```python
from pymongo import MongoClient

# Updated connection string with retryWrites=false
connection_string = "mongodb://<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false"

# Create the client
# Create the client. The password and username is a custom one if the type is "vCore cluster".
# In case that is a Request unit (RU) the username is the account name and the password is the key of the cosomosDB account.
client = MongoClient(connection_string, username="<username>", password="<password>")

# Access the database
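Review bot: several typos in the new prose and comments: "CosmoDB" should be "Cosmos DB", "pasword" should be "password", "decribed" should be "described", "cosomosDB" should be "Cosmos DB", and "They give the indicated access all databases" needs "to all databases". "For the pasword you can use the keys or with the method decribed in the privesc section" is also grammatically broken; suggested wording: "The password is the account key, obtained either by listing the keys or with the method described in the privesc section." The code comment correctly distinguishes the RU case (username is the account name, password is the account key) from vCore (credentials defined on the cluster); "The password and username is a custom one" should read "are the ones defined on the cluster". Since the RU case means the account key is the password, the same account-wide exposure caveat as in the NoSQL section applies.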
Expand All @@ -331,6 +345,12 @@ result = collection.insert_one(document)
print(f"Inserted document with ID: {result.inserted_id}")
```

Or using a user within the mongo:

```bash
mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mymongodatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"
```

## References

- [https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api](https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api)
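Review bot: "a user within the mongo" is unclear; say "a MongoDB user definition created through the RBAC feature (see `az cosmosdb mongodb user definition list` above)", and note that the database in the path must be one the user has a role on, which is the least-privilege alternative to the account key. `retrywrites=false` here differs in case from `retryWrites=false` in the Python example above; the URI option names are case-insensitive, so both work, but be consistent.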
Expand Down

0 comments on commit f0f7813
