mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-01-14 22:03:11 -08:00
Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az
@@ -4,99 +4,99 @@
## Basic Information
**Azure Function Apps** are a **serverless compute service** that allow you to run small pieces of code, called **functions**, without managing the underlying infrastructure. They are designed to execute code in response to various triggers, such as **HTTP requests, timers, or events from other Azure services** like Blob Storage or Event Hubs. Function Apps support multiple programming languages, including C#, Python, JavaScript, and Java, making them versatile for building **event-driven applications**, automating workflows, or integrating services. They are cost-effective, as you usually only pay for the compute time used when your code runs.
**Azure Function Apps** is 'n **serverless compute service** wat jou toelaat om klein stukke kode, genoem **functions**, te loop sonder om die onderliggende infrastruktuur te bestuur. Hulle is ontwerp om kode uit te voer in reaksie op verskeie triggers, soos **HTTP versoeke, timers, of gebeurtenisse van ander Azure dienste** soos Blob Storage of Event Hubs. Function Apps ondersteun verskeie programmeertale, insluitend C#, Python, JavaScript, en Java, wat hulle veelsydig maak vir die bou van **event-driven applications**, outomatisering van werksvloei, of integrasie van dienste. Hulle is kostedoeltreffend, aangesien jy gewoonlik net betaal vir die rekenaartyd wat gebruik word wanneer jou kode loop.
> [!NOTE]
> Note that **Functions are a subset of the App Services**, therefore, a lot of the features discussed here will be used also by applications created as Azure Apps (`webapp` in cli).
> Let daarop dat **Functions 'n substel van die App Services is**, daarom sal baie van die funksies wat hier bespreek word ook deur toepassings wat as Azure Apps geskep is (`webapp` in cli) gebruik word.
### Different Plans
- **Flex Consumption Plan**: Offers **dynamic, event-driven scaling** with pay-as-you-go pricing, adding or removing function instances based on demand. It supports **virtual networking** and **pre-provisioned instances** to reduce cold starts, making it suitable for **variable workloads** that don’t require container support.
- **Traditional Consumption Plan**: The default serverless option, where you **pay only for compute resources when functions run**. It automatically scales based on incoming events and includes **cold start optimizations**, but does not support container deployments. Ideal for **intermittent workloads** requiring automatic scaling.
- **Premium Plan**: Designed for **consistent performance**, with **prewarmed workers** to eliminate cold starts. It offers **extended execution times, virtual networking**, and supports **custom Linux images**, making it perfect for **mission-critical applications** needing high performance and advanced features.
- **Dedicated Plan**: Runs on dedicated virtual machines with **predictable billing** and supports manual or automatic scaling. It allows running multiple apps on the same plan, provides **compute isolation**, and ensures **secure network access** via App Service Environments, making it ideal for **long-running applications** needing consistent resource allocation.
- **Container Apps**: Enables deploying **containerized function apps** in a managed environment, alongside microservices and APIs. It supports custom libraries, legacy app migration, and **GPU processing**, eliminating Kubernetes cluster management. Ideal for **event-driven, scalable containerized applications**.
- **Flex Consumption Plan**: Bied **dinamiese, gebeurtenis-gedrewe skaal** met 'n betaal-vir-wat-jy-gebruik prysmodel, wat funksie-instanties byvoeg of verwyder gebaseer op vraag. Dit ondersteun **virtuele netwerke** en **vooraf-voorsiene instanties** om koue begin te verminder, wat dit geskik maak vir **veranderlike werklas** wat nie houerondersteuning benodig nie.
- **Traditional Consumption Plan**: Die standaard serverless opsie, waar jy **net betaal vir rekenaarbronne wanneer funksies loop**. Dit skaal outomaties gebaseer op inkomende gebeurtenisse en sluit **koue begin optimalisering** in, maar ondersteun nie houerontplooiings nie. Ideaal vir **intermitterende werklas** wat outomatiese skaal benodig.
- **Premium Plan**: Ontwerp vir **konstante prestasie**, met **voorverhitte werkers** om koue begin te elimineer. Dit bied **verlengde uitvoertye, virtuele netwerke**, en ondersteun **pasgemaakte Linux beelde**, wat dit perfek maak vir **missie-kritieke toepassings** wat hoë prestasie en gevorderde funksies benodig.
- **Dedicated Plan**: Loop op toegewyde virtuele masjiene met **voorspelbare fakturering** en ondersteun handmatige of outomatiese skaal. Dit laat toe om verskeie apps op dieselfde plan te laat loop, bied **rekenaarisolasie**, en verseker **veilige netwerktoegang** via App Service Omgewings, wat dit ideaal maak vir **langdurige toepassings** wat konstante hulpbron toewysing benodig.
- **Container Apps**: Maak dit moontlik om **gecontaineriseerde funksie-apps** in 'n bestuurde omgewing te ontplooi, langs mikrodiens en API's. Dit ondersteun pasgemaakte biblioteke, erfenis app migrasie, en **GPU verwerking**, wat Kubernetes klusterbestuur elimineer. Ideaal vir **gebeurtenis-gedrewe, skaalbare gecontaineriseerde toepassings**.
### **Storage Buckets**
When creating a new Function App not containerised (but giving the code to run), the **code and other Function related data will be stored in a Storage account**. By default the web console will create a new one per function to store the code.
Wanneer 'n nuwe Function App geskep word wat nie gecontaineriseerd is nie (maar die kode om te loop gee), sal die **kode en ander funksie-verwante data in 'n Storage rekening gestoor word**. Standaard sal die webkonsol 'n nuwe een per funksie skep om die kode te stoor.
Moreover, modifying the code inside the bucket (in the different formats it could be stored), the **code of the app will be modified to the new one and executed** next time the Function is called.
Boonop, deur die kode binne die emmer (in die verskillende formate waarin dit gestoor kan word) te wysig, sal die **kode van die app na die nuwe een gewysig en die volgende keer wanneer die funksie genoem word, uitgevoer word**.
> [!CAUTION]
> This is very interesting from an attackers perspective as **write access over this bucket** will allow an attacker to **compromise the code and escalate privileges** to the managed identities inside the Function App.
> Dit is baie interessant vanuit 'n aanvaller se perspektief aangesien **skrywe toegang oor hierdie emmer** 'n aanvaller sal toelaat om die **kode te kompromitteer en bevoegdhede te verhoog** na die bestuurde identiteite binne die Function App.
>
> More on this in the **privilege escalation section**.
> Meer hieroor in die **bevoegdheid verhoging afdeling**.
It's also possible to find the **master and functions keys** stored in the storage account in the container **`azure-webjobs-secrets`** inside the folder **`<app-name>`** in the JSON files you can find inside.
Dit is ook moontlik om die **master en funksies sleutels** wat in die stoor rekening in die houer **`azure-webjobs-secrets`** binne die gids **`<app-name>`** in die JSON-lêers wat jy daarbinne kan vind, te vind.
Note that Functions also allow to store the code in a remote location just indicating the URL to it.
Let daarop dat Functions ook toelaat om die kode in 'n afgeleë ligging te stoor deur net die URL daarna te dui.
### Networking
Using a HTTP trigger:
Met 'n HTTP-trigger:
- It's possible to give **access to a function to from all Internet** without requiring any authentication or give access IAM based. Although it’s also possible to restrict this access.
- It's also possible to **give or restrict access** to a Function App from **an internal network (VPC)**.
- Dit is moontlik om **toegang tot 'n funksie van die hele Internet** te gee sonder om enige verifikasie te vereis of toegang op IAM basis te gee. Alhoewel dit ook moontlik is om hierdie toegang te beperk.
- Dit is ook moontlik om **toegang te gee of te beperk** tot 'n Function App van **'n interne netwerk (VPC)**.
> [!CAUTION]
> This is very interesting from an attackers perspective as it might be possible to **pivot to internal networks** from a vulnerable Function exposed to the Internet.
> Dit is baie interessant vanuit 'n aanvaller se perspektief aangesien dit moontlik mag wees om **na interne netwerke te pivot** vanaf 'n kwesbare funksie wat aan die Internet blootgestel is.
### **Function App Settings & Environment Variables**
It's possible to configure environment variables inside an app, which could contain sensitive information. Moreover, by default the env variables **`AzureWebJobsStorage`** and **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** (among others) are created. These are specially interesting because they **contain the account key to control with FULL permissions the storage account containing the data of the application**. These settings are also needed to execute the code from the Storage Account.
Dit is moontlik om omgewingsveranderlikes binne 'n app te konfigureer, wat sensitiewe inligting kan bevat. Boonop, standaard word die omgewingsveranderlikes **`AzureWebJobsStorage`** en **`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`** (onder andere) geskep. Hierdie is spesiaal interessant omdat hulle **die rekening sleutel bevat om met VOLLE toestemmings die stoor rekening wat die data van die toepassing bevat, te beheer**. Hierdie instellings is ook nodig om die kode van die Storage Account uit te voer.
These env variables or configuration parameters also controls how the Function execute the code, for example if **`WEBSITE_RUN_FROM_PACKAGE`** exists, it'll indicate the URL where the code of the application is located.
Hierdie omgewingsveranderlikes of konfigurasieparameters beheer ook hoe die Funksie die kode uitvoer, byvoorbeeld as **`WEBSITE_RUN_FROM_PACKAGE`** bestaan, sal dit die URL aandui waar die kode van die toepassing geleë is.
### **Function Sandbox**
Inside the linux sandbox the source code is located in **`/home/site/wwwroot`** in the file **`function_app.py`** (if python is used) the user running the code is **`app`** (without sudo permissions).
Binne die linux sandbox is die bronkode geleë in **`/home/site/wwwroot`** in die lêer **`function_app.py`** (as python gebruik word) die gebruiker wat die kode loop is **`app`** (sonder sudo toestemmings).
In a **Windows** function using NodeJS the code was located in **`C:\home\site\wwwroot\HttpTrigger1\index.js`**, the username was **`mawsFnPlaceholder8_f_v4_node_20_x86`** and was part of the **groups**: `Mandatory Label\High Mandatory Level Label`, `Everyone`, `BUILTIN\Users`, `NT AUTHORITY\INTERACTIVE`, `CONSOLE LOGON`, `NT AUTHORITY\Authenticated Users`, `NT AUTHORITY\This Organization`, `BUILTIN\IIS_IUSRS`, `LOCAL`, `10-30-4-99\Dwas Site Users`.
In 'n **Windows** funksie wat NodeJS gebruik, was die kode geleë in **`C:\home\site\wwwroot\HttpTrigger1\index.js`**, die gebruikersnaam was **`mawsFnPlaceholder8_f_v4_node_20_x86`** en was deel van die **groepe**: `Mandatory Label\High Mandatory Level Label`, `Everyone`, `BUILTIN\Users`, `NT AUTHORITY\INTERACTIVE`, `CONSOLE LOGON`, `NT AUTHORITY\Authenticated Users`, `NT AUTHORITY\This Organization`, `BUILTIN\IIS_IUSRS`, `LOCAL`, `10-30-4-99\Dwas Site Users`.
### **Managed Identities & Metadata**
Just like [**VMs**](vms/), Functions can have **Managed Identities** of 2 types: System assigned and User assigned.
Net soos [**VMs**](vms/), kan Functions **Managed Identities** van 2 tipes hê: Stelsel toegeken en Gebruiker toegeken.
The **system assigned** one will be a managed identity that **only the function** that has it assigned would be able to use, while the **user assigned** managed identities are managed identities that **any other Azure service will be able to use**.
Die **stelsel toegeken** een sal 'n bestuurde identiteit wees wat **net die funksie** wat dit toegeken het, kan gebruik, terwyl die **gebruiker toegeken** bestuurde identiteite bestuurde identiteite is wat **enige ander Azure diens kan gebruik**.
> [!NOTE]
> Just like in [**VMs**](vms/), Functions can have **1 system assigned** managed identity and **several user assigned** ones, so it's always important to try to find all of them if you compromise the function because you might be able to escalate privileges to several managed identities from just one Function.
> Net soos in [**VMs**](vms/), kan Functions **1 stelsel toegeken** bestuurde identiteit en **verskeie gebruiker toegeken** hê, so dit is altyd belangrik om te probeer om al hulle te vind as jy die funksie kompromitteer omdat jy dalk bevoegdhede kan verhoog na verskeie bestuurde identiteite vanaf net een Funksie.
>
> If a no system managed identity is used but one or more user managed identities are attached to a function, by default you won’t be able to get any token.
> As 'n geen stelsel bestuurde identiteit gebruik word nie, maar een of meer gebruiker bestuurde identiteite aan 'n funksie geheg is, sal jy standaard nie in staat wees om enige token te kry nie.
It's possible to use the [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) to get tokens from the default managed identity from the metadata endpoint. Or you could get them **manually** as explained in:
Dit is moontlik om die [**PEASS scripts**](https://github.com/peass-ng/PEASS-ng) te gebruik om tokens van die standaard bestuurde identiteit van die metadata eindpunt te kry. Of jy kan dit **handmatig** kry soos verduidelik in:
{% embed url="https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf#azure-vm" %}
Note that you need to find out a way to **check all the Managed Identities a function has attached** as if you don't indicate it, the metadata endpoint will **only use the default one** (check the previous link for more info).
Let daarop dat jy 'n manier moet vind om **al die Bestuurde Identiteite wat 'n funksie het, te kontroleer** aangesien as jy dit nie aandui nie, die metadata eindpunt **net die standaard een sal gebruik** (kyk die vorige skakel vir meer inligting).
## Access Keys
> [!NOTE]
> Note that there aren't RBAC permissions to give access to users to invoke the functions. The **function invocation depends on the trigger** selected when it was created and if a HTTP Trigger was selected, it might be needed to use an **access key**.
> Let daarop dat daar geen RBAC toestemmings is om toegang aan gebruikers te gee om die funksies aan te roep nie. Die **funksie-aanroep hang af van die trigger** wat gekies is toe dit geskep is en as 'n HTTP Trigger gekies is, mag dit nodig wees om 'n **toegang sleutel** te gebruik.
When creating an endpoint inside a function using a **HTTP trigger** it's possible to indicate the **access key authorization level** needed to trigger the function. Three options are available:
Wanneer 'n eindpunt binne 'n funksie geskep word met 'n **HTTP trigger** is dit moontlik om die **toegang sleutel outorisatienvlak** aan te dui wat nodig is om die funksie te aktiveer. Drie opsies is beskikbaar:
- **ANONYMOUS**: **Everyone** can access the function by the URL.
- **FUNCTION**: Endpoint is only accessible to users using a **function, host or master key**.
- **ADMIN**: Endpoint is only accessible to users a **master key**.
- **ANONYMOUS**: **Enigiemand** kan toegang tot die funksie verkry deur die URL.
- **FUNCTION**: Eindpunt is slegs toeganklik vir gebruikers wat 'n **funksie, gasheer of meester sleutel** gebruik.
- **ADMIN**: Eindpunt is slegs toeganklik vir gebruikers met 'n **meester sleutel**.
**Type of keys:**
**Tipe sleutels:**
- **Function Keys:** Function keys can be either default or user-defined and are designed to grant access exclusively to **specific function endpoints** within a Function App allowing a more fine-grained access over the endpoints.
- **Host Keys:** Host keys, which can also be default or user-defined, provide access to **all function endpoints within a Function App with FUNCTION access level**.
- **Master Key:** The master key (`_master`) serves as an administrative key that offers elevated permissions, including access to all function endpoints (ADMIN access lelvel included). This **key cannot be revoked.**
- **System Keys:** System keys are **managed by specific extensions** and are required for accessing webhook endpoints used by internal components. Examples include the Event Grid trigger and Durable Functions, which utilize system keys to securely interact with their respective APIs.
- **Funksie Sleutels:** Funksie sleutels kan of standaard of gebruiker-gedefinieerd wees en is ontwerp om toegang eksklusief tot **spesifieke funksie eindpunte** binne 'n Function App toe te laat wat 'n meer fynkorrelige toegang oor die eindpunte toelaat.
- **Gasheer Sleutels:** Gasheer sleutels, wat ook standaard of gebruiker-gedefinieerd kan wees, bied toegang tot **alle funksie eindpunte binne 'n Function App met FUNKSIE toegang vlak**.
- **Meester Sleutel:** Die meester sleutel (`_master`) dien as 'n administratiewe sleutel wat verhoogde toestemmings bied, insluitend toegang tot alle funksie eindpunte (ADMIN toegang vlak ingesluit). Hierdie **sleutel kan nie herroep word nie.**
- **Stelsel Sleutels:** Stelsel sleutels word **deur spesifieke uitbreidings bestuur** en is nodig vir toegang tot webhook eindpunte wat deur interne komponente gebruik word. Voorbeelde sluit die Event Grid trigger en Durable Functions in, wat stelsel sleutels gebruik om veilig met hul onderskeie API's te kommunikeer.
> [!TIP]
> Example to access a function API endpoint using a key:
> Voorbeeld om toegang tot 'n funksie API eindpunt te verkry met 'n sleutel:
>
> `https://<function_uniq_name>.azurewebsites.net/api/<endpoint_name>?code=<access_key>`
### Basic Authentication
Just like in App Services, Functions also support basic authentication to connect to **SCM** and **FTP** to deploy code using a **username and password in a URL** provided by Azure. More information about it in:
Net soos in App Services, ondersteun Functions ook basiese verifikasie om te verbind met **SCM** en **FTP** om kode te ontplooi met 'n **gebruikersnaam en wagwoord in 'n URL** wat deur Azure verskaf word. Meer inligting daaroor in:
{{#ref}}
az-app-service.md
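Review bot: the translated line `As 'n geen stelsel bestuurde identiteit gebruik word nie, maar een of meer gebruiker bestuurde identiteite aan 'n funksie geheg is` (second paragraph of the Managed Identities note) carries over the source typo "If a no system managed identity is used" and now reads as a garbled negation; suggest `As geen stelsel-toegekende bestuurde identiteit gebruik word nie, maar een of meer gebruiker-toegekende bestuurde identiteite aan 'n funksie geheg is`. Smaller wording point in the Storage Buckets part of the same hunk: `Dit is ook moontlik om die master en funksies sleutels ... wat jy daarbinne kan vind, te vind` repeats `vind` and is hard to parse; moving the location to the end (`... te vind in die JSON-lêers in die houer azure-webjobs-secrets onder die gids <app-name>`) keeps the meaning and reads naturally.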
@@ -104,12 +104,11 @@ az-app-service.md
### Github Based Deployments
When a function is generated from a Github repo Azure web console allows to **automatically create a Github Workflow in a specific repository** so whenever this repository is updated the code of the function is updated. Actually the Github Action yaml for a python function looks like this:
Wanneer 'n funksie gegenereer word uit 'n Github repo, laat die Azure webkonsol toe om **automaties 'n Github Workflow in 'n spesifieke repository te skep** sodat wanneer hierdie repository opgedateer word, die kode van die funksie opgedateer word. Trouens, die Github Action yaml vir 'n python funksie lyk soos volg:
<details>
<summary>Github Action Yaml</summary>
```yaml
# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
# More GitHub Actions for Azure: https://github.com/Azure/actions
@@ -118,95 +117,93 @@ When a function is generated from a Github repo Azure web console allows to **au
name: Build and deploy Python project to Azure Function App - funcGithub
on:
push:
branches:
- main
workflow_dispatch:
push:
branches:
- main
workflow_dispatch:
env:
AZURE_FUNCTIONAPP_PACKAGE_PATH: "." # set this to the path to your web app project, defaults to the repository root
PYTHON_VERSION: "3.11" # set this to the python version to use (supports 3.6, 3.7, 3.8)
AZURE_FUNCTIONAPP_PACKAGE_PATH: "." # set this to the path to your web app project, defaults to the repository root
PYTHON_VERSION: "3.11" # set this to the python version to use (supports 3.6, 3.7, 3.8)
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Python version
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Setup Python version
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Create and start virtual environment
run: |
python -m venv venv
source venv/bin/activate
- name: Create and start virtual environment
run: |
python -m venv venv
source venv/bin/activate
- name: Install dependencies
run: pip install -r requirements.txt
- name: Install dependencies
run: pip install -r requirements.txt
# Optional: Add step to run tests here
# Optional: Add step to run tests here
- name: Zip artifact for deployment
run: zip release.zip ./* -r
- name: Zip artifact for deployment
run: zip release.zip ./* -r
- name: Upload artifact for deployment job
uses: actions/upload-artifact@v4
with:
name: python-app
path: |
release.zip
!venv/
- name: Upload artifact for deployment job
uses: actions/upload-artifact@v4
with:
name: python-app
path: |
release.zip
!venv/
deploy:
runs-on: ubuntu-latest
needs: build
deploy:
runs-on: ubuntu-latest
needs: build
permissions:
id-token: write #This is required for requesting the JWT
permissions:
id-token: write #This is required for requesting the JWT
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v4
with:
name: python-app
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v4
with:
name: python-app
- name: Unzip artifact for deployment
run: unzip release.zip
- name: Unzip artifact for deployment
run: unzip release.zip
- name: Login to Azure
uses: azure/login@v2
with:
client-id: ${{ secrets.AZUREAPPSERVICE_CLIENTID_6C3396368D954957BC58E4C788D37FD1 }}
tenant-id: ${{ secrets.AZUREAPPSERVICE_TENANTID_7E50AEF6222E4C3DA9272D27FB169CCD }}
subscription-id: ${{ secrets.AZUREAPPSERVICE_SUBSCRIPTIONID_905358F484A74277BDC20978459F26F4 }}
- name: Login to Azure
uses: azure/login@v2
with:
client-id: ${{ secrets.AZUREAPPSERVICE_CLIENTID_6C3396368D954957BC58E4C788D37FD1 }}
tenant-id: ${{ secrets.AZUREAPPSERVICE_TENANTID_7E50AEF6222E4C3DA9272D27FB169CCD }}
subscription-id: ${{ secrets.AZUREAPPSERVICE_SUBSCRIPTIONID_905358F484A74277BDC20978459F26F4 }}
- name: "Deploy to Azure Functions"
uses: Azure/functions-action@v1
id: deploy-to-function
with:
app-name: "funcGithub"
slot-name: "Production"
package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
- name: "Deploy to Azure Functions"
uses: Azure/functions-action@v1
id: deploy-to-function
with:
app-name: "funcGithub"
slot-name: "Production"
package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
```
</details>
Moreover, a **Managed Identity** is also created so the Github Action from the repository will be able to login into Azure with it. This is done by generating a Federated credential over the **Managed Identity** allowing the **Issuer** `https://token.actions.githubusercontent.com` and the **Subject Identifier** `repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>`.
Boonop, 'n **Gemanagte Identiteit** word ook geskep sodat die Github Aksie van die repository in Azure kan aanmeld. Dit word gedoen deur 'n Federated credential oor die **Gemanagte Identiteit** te genereer wat die **Uitgewer** `https://token.actions.githubusercontent.com` en die **Onderwerp Identifiseerder** `repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>` toelaat.
> [!CAUTION]
> Therefore, anyone compromising that repo will be able to compromise the function and the Managed Identities attached to it.
> Daarom sal enigeen wat daardie repo kompromitteer, in staat wees om die funksie en die Gemanagte Identiteite wat daaraan gekoppel is, te kompromitteer.
### Container Based Deployments
### Houer-gebaseerde Ontplooiings
Not all the plans allow to deploy containers, but for the ones that do, the configuration will contain the URL of the container. In the API the **`linuxFxVersion`** setting will ha something like: `DOCKER|mcr.microsoft.com/...`, while in the web console, the configuration will show the **image settings**.
Nie al die planne laat toe om houers te ontplooi nie, maar vir diegene wat dit doen, sal die konfigurasie die URL van die houer bevat. In die API sal die **`linuxFxVersion`** instelling iets soos hê: `DOCKER|mcr.microsoft.com/...`, terwyl die webkonsol, die konfigurasie die **beeldinstellings** sal wys.
Moreover, **no source code will be stored in the storage** account related to the function as it's not needed.
## Enumeration
Boonop, **geen bronkode sal in die stoor** rekening wat met die funksie verband hou, gestoor word nie, aangesien dit nie nodig is nie.
## Enumerasie
```bash
# List all the functions
az functionapp list
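Review bot: the workflow YAML lines from `on:` down to `package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}` show up on both sides of this hunk with identical text, so the change there can only be whitespace; indentation is significant in YAML (`branches:` must stay nested under `push:`, `steps:` under its job, `with:` under its step), so please confirm the translated file keeps the original indentation rather than flattening it, otherwise the example workflow no longer parses. Second, `### Container Based Deployments` and `## Enumeration` are translated to `### Houer-gebaseerde Ontplooiings` and `## Enumerasie` here while headings earlier in the file (`## Basic Information`, `### Networking`, `### Github Based Deployments`) stay in English; translated headings change the generated anchors that other pages may link to, so either leave all headings untranslated or translate them all.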
@@ -218,15 +215,15 @@ az functionapp show --name <app-name> --resource-group <res-group>
# Get details about the source of the function code
az functionapp deployment source show \
--name <app-name> \
--resource-group <res-group>
--name <app-name> \
--resource-group <res-group>
## If error like "This is currently not supported."
## Then, this is probalby using a container
# Get more info if a container is being used
az functionapp config container show \
--name <name> \
--resource-group <res-group>
--name <name> \
--resource-group <res-group>
# Get settings (and privesc to the sorage account)
az functionapp config appsettings list --name <app-name> --resource-group <res-group>
@@ -242,7 +239,7 @@ az functionapp config access-restriction show --name <app-name> --resource-group
# Get more info about a function (invoke_url_template is the URL to invoke and script_href allows to see the code)
az rest --method GET \
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
--url "https://management.azure.com/subscriptions/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/functions?api-version=2024-04-01"
# Get source code with Master Key of the function
curl "<script_href>?code=<master-key>"
@@ -252,7 +249,6 @@ curl "https://newfuncttest123.azurewebsites.net/admin/vfs/home/site/wwwroot/func
# Get source code
az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"
```
## Privilege Escalation
{{#ref}}
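Review bot: the `az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-group>/providers/Microsoft.Web/sites/<app-name>/hostruntime/admin/vfs/function_app.py?relativePath=1&api-version=2022-03-01"` line in this hunk is missing the `/subscriptions/` path segment that the earlier `az rest` call in this file uses (`https://management.azure.com/subscriptions/<subscription>/resourceGroups/...`); as written the request cannot address the resource, so fix the path while this block is being touched. Also `## Privilege Escalation` stays in English here although `## Enumeration` was translated to `## Enumerasie` just above; keep one convention for headings across the file.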
@@ -264,7 +260,3 @@ az rest --url "https://management.azure.com/<subscription>/resourceGroups/<res-g
- [https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition](https://learn.microsoft.com/en-us/azure/azure-functions/functions-openapi-definition)
{{#include ../../../banners/hacktricks-training.md}}
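Review bot: the hunk header `@@ -264,7 +260,3 @@` says four lines were dropped at the tail of the file, but only unchanged context (the learn.microsoft.com reference link and the `{{#include ../../../banners/hacktricks-training.md}}` line) is visible; please confirm that only trailing blank lines were removed and that the include line still ends with a newline.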