mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2025-12-07 13:20:48 -08:00
SirBroccoli
@@ -431,6 +431,7 @@
|
||||
- [Az - Static Web Applications](pentesting-cloud/azure-security/az-services/az-static-web-apps.md)
|
||||
- [Az - Storage Accounts & Blobs](pentesting-cloud/azure-security/az-services/az-storage.md)
|
||||
- [Az - Table Storage](pentesting-cloud/azure-security/az-services/az-table-storage.md)
|
||||
- [Az - Virtual Desktop](pentesting-cloud/azure-security/az-services/az-virtual-desktop.md)
|
||||
- [Az - Virtual Machines & Network](pentesting-cloud/azure-security/az-services/vms/README.md)
|
||||
- [Az - Azure Network](pentesting-cloud/azure-security/az-services/vms/az-azure-network.md)
|
||||
- [Az - Permissions for a Pentest](pentesting-cloud/azure-security/az-permissions-for-a-pentest.md)
|
||||
@@ -485,6 +486,7 @@
|
||||
- [Az - Static Web App Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md)
|
||||
- [Az - Storage Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md)
|
||||
- [Az - SQL Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md)
|
||||
- [Az - Virtual Desktop Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-desktop-privesc.md)
|
||||
- [Az - Virtual Machines & Network Privesc](pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md)
|
||||
- [Az - Persistence](pentesting-cloud/azure-security/az-persistence/README.md)
|
||||
- [Az - Automation Accounts Persistence](pentesting-cloud/azure-security/az-persistence/az-automation-accounts-persistence.md)
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
# Az - Virtual Desktop Privesx
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Azure Virtual Desktop Privesc
|
||||
|
||||
### `Microsoft.DesktopVirtualization/hostPools/retrieveRegistrationToken/action`
|
||||
You can retrieve the registration token used to register virtual machines within an host pool.
|
||||
|
||||
```bash
|
||||
az desktopvirtualization hostpool retrieve-registration-token -n testhostpool -g Resource_Group_1
|
||||
```
|
||||
|
||||
### ("Microsoft.Authorization/roleAssignments/read", "Microsoft.Authorization/roleAssignments/write") && ("Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write")
|
||||
|
||||
With this permissions you can add a user assignment to the Application group, which is needed to access the virtual machine of the virtual desktop.
|
||||
```bash
|
||||
az rest --method PUT \
|
||||
--uri "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments/<NEW_ROLE_ASSIGNMENT_GUID>?api-version=2022-04-01" \
|
||||
--body '{
|
||||
"properties": {
|
||||
"roleDefinitionId": "/subscriptions/<SUBSCRIPTION_ID>/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
|
||||
"principalId": "<USER_OBJECT_ID>"
|
||||
}
|
||||
}'
|
||||
```
|
||||
|
||||
Additionally you can change the virtual machine user and password to access it
|
||||
```bash
|
||||
az vm user update \
|
||||
--resource-group <RESOURCE_GROUP_NAME> \
|
||||
--name <VM_NAME> \
|
||||
--username <USERNAME> \
|
||||
--password <NEW_PASSWORD>
|
||||
```
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
@@ -0,0 +1,105 @@
|
||||
# Az - Virtual Desktop
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## Azure Virtual Desktop
|
||||
|
||||
Virtual Desktop is a **desktop and app virtualization service**. It enables to deliver full Windows desktops, including Windows 11, Windows 10, or Windows Server to users remotely, either as individual desktops or through individual applications. It supports single-session setups for personal use and multi-session environments Users can connect from virtually any device using native apps or a web browser.
|
||||
|
||||
### Host Pools
|
||||
|
||||
Host pools in Azure Virtual Desktop are collections of Azure virtual machines configured as session hosts, providing virtual desktops and apps to users. There are two main types:
|
||||
- **Personal host pools**, where each virtual machine is dedicated to a single user, with its environments
|
||||
- **Pooled host pools**, where multiple users share resources on any available session host. It has a configurable session limit and a session host configuration lets Azure Virtual Desktop automate the creation of session hosts based on a configuration
|
||||
|
||||
Every host pool has a **registration token** is used to register virtual machines within an host pool.
|
||||
|
||||
### Application groups & Workspace
|
||||
Application groups **control user access** to either a full desktop or specific sets of applications available on session hosts within a host pool. There are two types:
|
||||
- **Desktop application groups**, which give users access to a complete Windows desktop (available with both personal and pooled host pools)
|
||||
- **RemoteApp groups**, which allow users to access individual published applications (available only with pooled host pools).
|
||||
A host pool can have one Desktop application group but multiple RemoteApp groups. Users can be assigned to multiple application groups across different host pools. If a user is assigned both desktop and RemoteApp groups within the same host pool, they only see resources from the preferred group type set by administrators.
|
||||
|
||||
A **workspace** is a **collection of application groups**, allowing users to access the desktops and application groups assigned to them. Each application group must be linked to a workspace, and it can only belong to one workspace at a time.
|
||||
|
||||
### Key Features
|
||||
- **Flexible VM Creation**: Create Azure virtual machines directly or add Azure Local virtual machines later.
|
||||
- **Security Features**: Enable Trusted Launch (secure boot, vTPM, integrity monitoring) for advanced VM security (a virtual network is needed). Can integrate Azure Firewall and control traffic via Network Security Groups.
|
||||
- **Domain Join**: Support for Active Directory domain joins with customizable configurations.
|
||||
- **Diagnostics & Monitoring**: Enable Diagnostic Settings to stream logs and metrics to Log Analytics, storage accounts, or event hubs for monitoring.
|
||||
- **Custom image templates**: Create and manage them to use when adding session hosts. Easily add common customizations or your own custom scripts.
|
||||
- **Workspace Registration**: Easily register default desktop application groups to new or existing workspaces for simplified user access management.
|
||||
|
||||
### Enumeration
|
||||
|
||||
```bash
|
||||
az extension add --name desktopvirtualization
|
||||
|
||||
# List HostPool of a Resource group
|
||||
az desktopvirtualization hostpool list --resource-group <Resource_Group>
|
||||
|
||||
# List Application Groups
|
||||
az desktopvirtualization applicationgroup list --resource-group <Resource_Group>
|
||||
# List Application Groups By Subscription
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/applicationGroups?api-version=2024-04-03"
|
||||
# List Applications in a Application Group
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/applications?api-version=2024-04-03"
|
||||
# List Assigned Users to the Application Group
|
||||
az rest \
|
||||
--method GET \
|
||||
--url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.DesktopVirtualization/applicationGroups/<APP_GROUP_NAME>/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" \
|
||||
| jq '.value[] | select((.properties.scope | ascii_downcase) == "/subscriptions/<subscription_id_in_lowercase>/resourcegroups/<resource_group_name_in_lowercase>/providers/microsoft.desktopvirtualization/applicationgroups/<app_group_name_in_lowercase>")'
|
||||
|
||||
|
||||
# List Workspace in a resource group
|
||||
az desktopvirtualization workspace list --resource-group <Resource_Group>
|
||||
# List Workspace in a subscription
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/workspaces?api-version=2024-04-03"
|
||||
|
||||
# List App Attach Package By Resource Group
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
|
||||
# List App Attach Package By Subscription
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DesktopVirtualization/appAttachPackages?api-version=2024-04-03"
|
||||
|
||||
# List Desktops
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/desktops?api-version=2024-04-03"
|
||||
|
||||
# List MSIX Packages
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/msixPackages?api-version=2024-04-03"
|
||||
|
||||
# List private endpoint connections associated with hostpool.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateEndpointConnections?api-version=2024-04-03"
|
||||
# List private endpoint connections associated By Workspace.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateEndpointConnections?api-version=2024-04-03"
|
||||
|
||||
# List the private link resources available for a hostpool.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/privateLinkResources?api-version=2024-04-03"
|
||||
# List the private link resources available for this workspace.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/workspaces/{workspaceName}/privateLinkResources?api-version=2024-04-03"
|
||||
|
||||
# List sessionHosts/virtual machines.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts?api-version=2024-04-03"
|
||||
|
||||
# List start menu items in the given application group.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/applicationGroups/{applicationGroupName}/startMenuItems?api-version=2024-04-03"
|
||||
|
||||
# List userSessions.
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/sessionHosts/{sessionHostName}/userSessions?api-version=2024-04-03"
|
||||
# List userSessions By Host Pool
|
||||
az rest --method GET --url "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DesktopVirtualization/hostPools/{hostPoolName}/userSessions?api-version=2024-04-03"
|
||||
|
||||
```
|
||||
|
||||
### Connection
|
||||
|
||||
To connect to the virtual desktop via web you can access through https://client.wvd.microsoft.com/arm/webclient/ (most common), or https://client.wvd.microsoft.com/webclient/index.html (classic)
|
||||
There are other methods that are described here [https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows](https://learn.microsoft.com/en-us/azure/virtual-desktop/users/connect-remote-desktop-client?tabs=windows)
|
||||
|
||||
## Privesc
|
||||
|
||||
{{#ref}}
|
||||
../az-privilege-escalation/az-virtual-desktop-privesc.md
|
||||
{{#endref}}
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
Reference in New Issue
Block a user