gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-27 05:03:31 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of github.com:HackTricks-wiki/hacktricks-cloud

Browse Source
This commit is contained in:
Carlos Polop
2025-02-22 17:12:56 +01:00
parent 77da1e58ca 516553f4bf
commit 2d32b37d9c
5 changed files with 219 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
src/pentesting-cloud/azure-security/az-post-exploitation/az-logic-apps-post-exploitation.md
View File

@@ -20,6 +20,46 @@ az logic workflow identity remove/assign \
--user-assigned "/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>"
```
Addittionaly with just `Microsoft.Logic/workflows/write` you can change some configurations such as Allowed inbound IP addresses or Run history retention days:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Logic/workflows/<workflow_name>?api-version=2019-05-01" \
--headers "Content-Type=application/json" \
--body '{
"location": "<location>",
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"triggers": {
"<trigger_name>": {
"type": "Request",
"kind": "Http"
}
},
"actions": {},
"outputs": {}
},
"runtimeConfiguration": {
"lifetime": {
"unit": "day",
"count": <count>
}
},
"accessControl": {
"triggers": {
"allowedCallerIpAddresses": []
},
"actions": {
"allowedCallerIpAddresses": []
}
}
}
}'
```
### `Microsoft.Web/sites/read`, `Microsoft.Web/sites/write`
With these permissions, you can create or update Logic Apps hosted on an App Service Plan. This includes modifying settings such as enabling or disabling HTTPS enforcement.
@@ -39,7 +79,6 @@ az webapp start/stop/restart \
--resource-group <resource_group_name>
```
### `Microsoft.Web/sites/config/list/action`, `Microsoft.Web/sites/read` && `Microsoft.Web/sites/config/write`
With this permission, you can configure or modify settings for web apps, including Logic Apps hosted on an App Service Plan. This allows changes to app settings, connection strings, authentication configurations, and more.
@@ -131,6 +170,19 @@ az logic integration-account session create \
}'
```
### `Microsoft.Logic/workflows/regenerateAccessKey/action`
Users with this permission are able to regenerate Logic App access keys, and if misused, it can lead to service disruptions.
```bash
az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Logic/workflows/<workflow-name>/regenerateAccessKey?api-version=<api-version>" \
--body '{"keyType": "<key-type>"}' \
--headers "Content-Type=application/json"
```
### "*/delete"
With this permissions you can delete resources related to Azure Logic Apps

63
src/pentesting-cloud/azure-security/az-privilege-escalation/az-logic-apps-privesc.md
View File

@@ -35,6 +35,69 @@ az rest \
--body '{}' \
--headers "Content-Type=application/json"
```
Addittionaly with just `Microsoft.Logic/workflows/write` you change the Authorization Policy, giving for example another tenant the capability to trigger the workflow:
```bash
az rest --method PUT \
--uri "https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Logic/workflows/<workflow-name>?api-version=2016-10-01" \
--body '{
"location": "<region>",
"properties": {
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"<trigger-name>": {
"type": "Request",
"kind": "Http"
}
},
"actions": {},
"outputs": {}
},
"accessControl": {
"triggers": {
"openAuthenticationPolicies": {
"policies": {
"<policy-name>": {
"type": "AAD",
"claims": [
{
"name": "iss",
"value": "<issuer-url>"
}
]
}
}
}
}
}
}
}'
```
### `Microsoft.Logic/workflows/triggers/listCallbackUrl/action`
You can get the callback URL of the trigger and run it.
```bash
az rest --method POST \
--uri "https://management.azure.com/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Logic/workflows/<workflow_name>/triggers/<trigger_name>/listCallbackUrl?api-version=2019-05-01"
```
This will return a callback URL like `https://prod-28.centralus.logic.azure.com:443/workflows/....`. Now we can run it with:
```bash
curl --request POST \
--url "https://prod-28.centralus.logic.azure.com:443/workflows/<workflow_id>/triggers/<trigger_name>/paths/invoke?api-version=2019-05-01&sp=%2Ftriggers%2F<trigger_name>%2Frun&sv=1.0&sig=<signature>" \
--header 'Content-Type: application/json' \
--data '{"exampleKey": "exampleValue"}'
```
### (`Microsoft.Web/sites/read`, `Microsoft.Web/sites/basicPublishingCredentialsPolicies/read`, `Microsoft.Web/sites/write`, `Microsoft.Web/sites/config/list/action`) && (`Microsoft.Web/sites/start/action`)
With these permissions, you can deploy, Logic App workflows using ZIP file deployments. These permissions enable actions such as reading app details, accessing publishing credentials, writing changes, and listing app configurations. Alongside the start permissions you can update and deploy a new Logic App with the content desired

44
src/pentesting-cloud/azure-security/az-services/az-cosmosDB.md
View File

@@ -10,7 +10,7 @@ Azure Cosmos DB provides multiple database APIs to model real-world data using d
One key aspect of CosmosDB is Azure Cosmos Account. **Azure Cosmos Account**, acts as the entry point to the databases. The account determines key settings such as global distribution, consistency levels, and the specific API to be used, such as NoSQL. Through the account, you can configure global replication to ensure data is available across multiple regions for low-latency access. Additionally, you can choose a consistency level that balances between performance and data accuracy, with options ranging from Strong to Eventual consistency.
Azure Cosmos DB supports **user-assigned identities** and **system-assigned managed identities** that are automatically created and tied to the resource's lifecycle, allowing for secure, token-based authentication when connecting to other services—provided those services have the appropriate role assignments. However, Cosmos DB doesn't have a builtin mechanism to directly query external data sources like Azure Blob Storage. Unlike SQL Server's external table features, Cosmos DB requires data to be ingested into its containers using external tools such as Azure Data Factory, the Data Migration Tool, or custom scripts before it can be queried with its native query capabilities.
Azure Cosmos DB supports **user-assigned identities** and **system-assigned managed identities** that are automatically created and tied to the resource's lifecycle. However, Cosmos DB doesn't have a builtin mechanism to directly query external data sources like Azure Blob Storage. Unlike SQL Server's external table features, Cosmos DB requires data to be ingested into its containers using external tools such as Azure Data Factory, the Data Migration Tool, or custom scripts before it can be queried with its native query capabilities.
### NoSQL
The Azure Cosmos DB NoSQL API is a document-based API that uses JSON as its data format. It provides a SQL-like query syntax for querying JSON objects, making it suitable for working with structured and semi-structured data. The endpoint of the service is:
@@ -20,16 +20,16 @@ https://<Account-Name>.documents.azure.com:443/
```
#### Databases
Within an account, you can create one or more databases, which serve as logical groupings of containers. A database acts as a boundary for resource management and user permissions. Databases can either share provisioned throughput across their containers or allocate dedicated throughput to individual containers.
Within an account, you can create one or more databases, which serve as logical groupings of containers. A database acts as a boundary for resource management and user permissions. Databases can either let multiple containers use a shared pool of performance capacity or give each container its own dedicated power.
#### Containers
The core unit of data storage is the container, which holds JSON documents and is automatically indexed for efficient querying. Containers are elastically scalable and distributed across partitions, which are determined by a user-defined partition key. The partition key is critical for ensuring optimal performance and even data distribution. For example, a container might store customer data, with "customerId" as the partition key.
#### Key Features
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Backup & Recovery**: from Periodic, Continuous (7 days), or Continuous (30 days) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).
- **Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
- **Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources. Microsoft Defender for Cloud can be enabled. To make the connection you can make use of keys.
- **Backup & Recovery**: from Periodic, Continuous (7 days), or Continuous (30 days) backup policies with configurable intervals and retention.
- **Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).
#### Enumeration
@@ -81,10 +81,7 @@ az cosmosdb mongocluster firewall rule list --cluster-name <name> --resource-gro
# Connect to in
brew install mongosh
mongosh "mongodb://<username>:<password>@<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false" --username <username> --password <password>
```
{{#endtab }}
{{#tab name="Az Powershell" }}
```
{{#endtab }}
@@ -136,7 +133,9 @@ Get-AzCosmosDBSqlUserDefinedFunction -ResourceGroupName "<ResourceGroupName>" -A
#### Connection
It has 2 key types, Read-write (full) and Read-only. They give the indicated access all databases, collections, and data inside the Cosmos DB account.
To connect the azure-cosmosDB (pip install azure-cosmos) library is needed. Additionally the endpoint and the key are crutial components to make the connection.
```python
from azure.cosmos import CosmosClient, PartitionKey
@@ -218,7 +217,7 @@ The core unit of data storage in MongoDB is the collection, which holds document
#### Key Features of Request unit (RU) type
**Global Distribution**: Enable or disable Geo-Redundancy for cross-region replication and Multi-region Writes for improved availability.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources.
**Networking & Security**: between public (all/select networks) or private endpoints for connectivity. Secure connections with TLS 1.2 encryption. Supports CORS (Cross-Origin Resource Sharing) for controlled access to resources. To make the connection you can make use of keys.
**Backup & Recovery**: from Periodic, Continuous (7 days, free), or Continuous (30 days, paid) backup policies with configurable intervals and retention.
**Data Encryption**: Default service-managed keys or customer-managed keys (CMK) for encryption (CMK selection is irreversible).
@@ -253,10 +252,23 @@ az cosmosdb mongodb database list --account-name <AccountName> --resource-group
# List all collections in a specific MongoDB database within an Azure Cosmos DB account
az cosmosdb mongodb collection list --account-name <AccountName> --database-name <DatabaseName> --resource-group <ResourceGroupName>
#RBAC FUNCTIONALITIES MUST BE ENABLED TO USE THIS
# List all role definitions for MongoDB within an Azure Cosmos DB account
az cosmosdb mongodb role definition list --account-name <AccountName> --resource-group <ResourceGroupName>
# List all user definitions for MongoDB within an Azure Cosmos DB account
az cosmosdb mongodb user definition list --account-name <AccountName> --resource-group <ResourceGroupName>
## MongoDB (vCore)
# Install az cli extension
az extension add --name cosmosdb-preview
# List all MongoDB databases in a specified Azure Cosmos DB account
az cosmosdb mongocluster list
az cosmosdb mongocluster show --cluster-name <name> --resource-group <ResourceGroupName>
# Get firewall rules
az cosmosdb mongocluster firewall rule list --cluster-name <name> --resource-group <ResourceGroupName>
# Connect to in
brew install mongosh
mongosh "mongodb://<username>:<password>@<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false" --username <username> --password <password>
```
{{#endtab }}
@@ -297,14 +309,16 @@ Get-AzCosmosDBMongoDBRoleDefinition -AccountName <account-name> -ResourceGroupNa
#### Connection
Here the password you can find them with the keys or with the method decribed in the privesc section.
RU MongoDB type in CosmoDB has 2 key types, Read-write (full) and Read-only. They give the indicated access all databases, collections, and data inside the Cosmos DB account.
For the pasword you can use the keys or with the method decribed in the privesc section.
```python
from pymongo import MongoClient
# Updated connection string with retryWrites=false
connection_string = "mongodb://<account-name>.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retryWrites=false"
# Create the client
# Create the client. The password and username is a custom one if the type is "vCore cluster".
# In case that is a Request unit (RU) the username is the account name and the password is the key of the cosomosDB account.
client = MongoClient(connection_string, username="<username>", password="<password>")
# Access the database
@@ -331,6 +345,12 @@ result = collection.insert_one(document)
print(f"Inserted document with ID: {result.inserted_id}")
```
Or using a user within the mongo:
```bash
mongosh "mongodb://<myUser>:<mySecurePassword>@<account_name>.mongo.cosmos.azure.com:10255/<mymongodatabase>?ssl=true&replicaSet=globaldb&retrywrites=false"
```
## References
- [https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api](https://learn.microsoft.com/en-us/azure/cosmos-db/choose-api)

83
src/pentesting-cloud/azure-security/az-services/az-logic-apps.md
View File

@@ -10,9 +10,6 @@ Logic Apps provides a visual designer to create workflows with a **wide range of
When creating a Logic App, you must either create or link an external storage account that stores the workflow state, run history, and artifacts. This storage can be configured with diagnostic settings for monitoring and can be secured with network access restrictions or integrated into a virtual network to control inbound and outbound traffic.
### Managed Identities
Logic Apps has **system-assigned managed identity** tied to its lifecycle. When enabled, it receives a unique Object (principal) ID that can be used with Azure RBAC to grant the necessary permissions to access other Azure services securely. This eliminates the need to store credentials in code because the identity is authenticated through Microsoft Entra ID. Additionally, you can also use **user-assigned managed identities**, which can be shared across multiple resources. These identities allow workflows and Logic Apps to interact securely with external systems, ensuring that the necessary access controls and permissions are managed centrally through Azure's security framework.
### Examples
- **Automating Data Pipelines**: Logic Apps can automate **data transfer and transformation processes** in combination with Azure Data Factory. This is useful for creating scalable and reliable data pipelines that move and transform data between various data stores, like Azure SQL Database and Azure Blob Storage, aiding in analytics and business intelligence operations.
@@ -42,15 +39,66 @@ curl -XPOST 'https://prod-44.westus.logic.azure.com:443/workflows/2d8de4be6e9741
There are several hosting options:
* **Consumption**
- **Multi-tenant**: provides shared compute resources, operates in the public cloud, and follows a pay-per-operation pricing model. This is ideal for lightweight and cost-effective workloads.
- **Multi-tenant**: provides shared compute resources, operates in the public cloud, and follows a pay-per-operation pricing model. This is ideal for lightweight and cost-effective workloads. This deploys a "Single Worlfow".
* **Standard**
- **Workflow Service Plan**: dedicated compute resources with VNET integration for networking and charges per workflow service plan instance. It is suitable for more demanding workloads requiring greater control.
- **App Service Environment V3** dedicated compute resources with full isolation and scalability. It also integrates with VNET for networking and uses a pricing model based on App Service instances within the environment. This is ideal for enterprise-scale applications needing high isolation.
- **Hybrid** designed for local processing and multi-cloud support. It allows customer-managed compute resources with local network access and utilizes Kubernetes Event-Driven Autoscaling (KEDA).
- **App Service Environment V3** dedicated compute resources with full isolation and scalability. It also integrates with VNET for networking and uses a pricing model based on App Service instances within the environment.
- **Hybrid** designed for local processing and multi-cloud support. It allows customer-managed compute resources with local network access and utilizes Kubernetes Event-Driven Autoscaling (KEDA). It relies on a Container App Connected Environment.
### Workflows
### Key Features
- **Storage**: Logic Apps require an external Azure Storage account to store workflow state, run history… and must be in the same resource group as the Logic App.
- **Networking & Security**: Logic Apps can be configured with public or private access. By default, the app is open to the internet but can be integrated with an Azure Virtual Network for isolated connectivity.
- **Application Insights**: Application Performance Management (APM) through Azure Monitor Application Insights can be enabled to track performance, detect anomalies, and provide analytics.
- **Access Control**: Logic apps support System Managed Identities & User Managed Identities.
Workflows in Azure Logic Apps are the core automated processes that orchestrate actions across various services. A workflow starts with a trigger—an event or schedule—and then executes a series of actions, such as calling APIs, processing data, or interacting with other Azure services. Workflows can be defined visually using a designer or via code (JSON definitions) and are managed through commands like az logic workflow create, az logic workflow show, and az logic workflow update. They also support identity management (via the identity subgroup) to securely manage permissions and integrations with external resources.
### "Single" Workflows
A **workflow** is a structured sequence of automated steps or tasks that execute a specific process or objective. It defines how different actions, conditions, and decisions interact to achieve a desired outcome, streamlining operations and reducing manual effort. Workflows can integrate multiple systems, trigger events, and rules, ensuring consistency and efficiency in processes.
Azure Logic apps gives the functionality of **creating a single workflow without the need of a Logic App** itself.
Each workflow has different **triggers**. These triggers are the steps that the workflow follows. Each trigger have their parameters that can vary depending on the type of the trigger:
- Connection name
- **Authentication Type** than can be, Access Key, Microsoft Entra ID, Integrated Service principal authentication and Logic Apps Managed Identity.
Triggers also have various settings:
- Schema Validation: Ensures incoming data follows a predefined structure.
- Concurrency Control: Limits the number of parallel runs
- Trigger Conditions: conditions that must be met before the trigger fires.
- Networking: Configures chunk size for data transfer and allows suppressing workflow headers in responses.
- **Security**: Enables **Secure Inputs/Outputs to hide** sensitive data in logs and the outputs.
**Settings & API Conections:**
A workflow has different settings such:
- Allowed inbound IP addresses: This setting lets you restrict who can trigger or start your Logic App. The options are Any IP, Only other Logic Apps and Specific IP ranges.
- Integration account: Here, you can link your Logic App to an Integration Account.
- High throughput: This setting enables your Logic App to handle more requests quickly.
- Run history retention: for how long the history of your Logic App's executions is kept.
You can see the different API connections the workflow has. Inside each of these connections they have different properties and the possibility of edit the API connection where the Authentication type can be changed.
**History & Versions:**
It has the option to access **history** of the different executions, it shows, Settings, Output, Parameters and the Code.
Also has the option of accessing different **versions** of the workflow, where you can check the code and change the present workflow with an older version of it.
**Authorization:**
Azure Logic Apps support **authorization policies** with Entra ID to secure request-based triggers by requiring a valid access token. This token must include specific claims:
- Issuer (iss) to verify the identity provider
- Audience (aud) to ensure the token is intended for the Logic App
- Subject (sub) to identify the caller
- JWT ID (JSON Web Token identifier)
- Custom Claim
When a request is received, Logic Apps validates the token against these claims and allows execution only if they match the configured policy. This can be used to allow another tenant to trigger the workflow or deny trigger from other sources, for example just allowing the trigger if comes from https://login.microsoftonline.com/.
**Access Keys:**
When you save a request-based trigger for the first time, Logic Apps automatically creates a unique endpoint with a SAS signature (created from the Access Key) that grants permission to call the workflow. This SAS signature is embedded in the triggers URL. This key can be regenerated and it will give new SAS signature, but the keys can not be listed.
The URL to invoke it with the Access Key:
https://<region>.logic.azure.com:443/workflows/<workflow-id>/triggers/<trigger-name>/paths/invoke?api-version=<api-version>&sp=%2Ftriggers%2F<trigger-name>%2Frun&sv=<version>&sig=<signature>
### Enumeration
@@ -104,11 +152,6 @@ az rest \
--uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Logic/workflows/{workflowName}/versions/{versionName}?api-version=2016-06-01" \
--headers "Content-Type=application/json"
az rest \
--method GET \
--uri "https://examplelogicapp1994.scm.azurewebsites.net/api/functions/admin/download?includeCsproj=true&includeAppSettings=true" \
--headers "Content-Type=application/json"
# List all Logic Apps in the specified resource group
az logicapp list --resource-group <ResourceGroupName>
@@ -117,6 +160,20 @@ az logicapp show --name <LogicAppName> --resource-group <ResourceGroupName>
# List all application settings for a specific Logic App
az logicapp config appsettings list --name <LogicAppName> --resource-group <ResourceGroupName>
# Get a Parameters from an Azure App Service using Azure REST API
az rest --method GET --url "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{app-service-name}/hostruntime/admin/vfs/parameters.json?api-version=2018-11-01&relativepath=1"
# Get webhook-triggered workflows from an Azure Logic App using Azure REST API
az rest --method GET --url "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{logic-app-name}/hostruntime/runtime/webhooks/workflow/api/management/workflows?api-version=2018-11-01"
# Get workflows from an Azure Logic App using Azure REST API
az rest --method GET --url "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{logic-app-name}/workflows?api-version=2018-11-01"
# Get details of a specific workflow including its connections and parameters in Azure Logic Apps using Azure REST API
az rest --method GET --uri "https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Web/sites/{logic-app-name}/workflows/{workflow-name}?api-version=2018-11-01&\$expand=connections.json,parameters.json"
```
{{#endtab }}