gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-04 19:11:41 -08:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/pentesting-cloud/azure-security/az-privilege-escalation

Browse Source
This commit is contained in:
Translator
2025-01-09 01:06:21 +00:00
parent 918853e70b
commit 323b7a59ae
2 changed files with 63 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
src/pentesting-cloud/azure-security/az-privilege-escalation/az-authorization-privesc.md
View File

@@ -4,7 +4,7 @@
## Azure IAM
Za više informacija pogledajte:
Fore more information check:
{{#ref}}
../az-services/az-azuread.md
@@ -12,38 +12,45 @@ Za više informacija pogledajte:
### Microsoft.Authorization/roleAssignments/write
Ova dozvola omogućava dodeljivanje uloga principima unutar specifičnog opsega, omogućavajući napadaču da eskalira privilegije dodeljivanjem sebi privilegovanije uloge:
This permission allows to assign roles to principals over a specific scope, allowing an attacker to escalate privileges by assigning himself a more privileged role:
```bash
# Example
az role assignment create --role Owner --assignee "24efe8cf-c59e-45c2-a5c7-c7e552a07170" --scope "/subscriptions/9291ff6e-6afb-430e-82a4-6f04b2d05c7f/resourceGroups/Resource_Group_1/providers/Microsoft.KeyVault/vaults/testing-1231234"
```
### Microsoft.Authorization/roleDefinitions/Write
Ova dozvola omogućava modifikaciju dozvola koje dodeljuje uloga, omogućavajući napadaču da eskalira privilegije dodeljivanjem više dozvola ulozi koju je dodelio.
This permission allows to modify the permissions granted by a role, allowing an attacker to escalate privileges by granting more permissions to a role he has assigned.
Create the file `role.json` with the following **content**:
Kreirajte datoteku `role.json` sa sledećim **sadržajem**:
```json
{
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
"Name": "<name of the role>",
"IsCustom": true,
"Description": "Custom role with elevated privileges",
"Actions": ["*"],
"NotActions": [],
"DataActions": ["*"],
"NotDataActions": [],
"AssignableScopes": ["/subscriptions/<subscription-id>"]
}
```
Zatim ažurirajte dozvole uloge sa prethodnom definicijom pozivajući:
Then update the role permissions with the previous definition calling:
```bash
az role definition update --role-definition role.json
```
### Microsoft.Authorization/elevateAccess/action
Ova dozvola omogućava podizanje privilegija i dodeljivanje dozvola bilo kojem principalu za Azure resurse. Namenjena je Entra ID Global Administratorima kako bi mogli da upravljaju dozvolama nad Azure resursima.
This permissions allows to elevate privileges and be able to assign permissions to any principal to Azure resources. It's meant to be given to Entra ID Global Administrators so they can also manage permissions over Azure resources.
> [!TIP]
> Mislim da korisnik treba da bude Global Administrator u Entra ID da bi poziv za podizanje privilegija radio.
> I think the user need to be Global Administrator in Entrad ID for the elevate call to work.
```bash
# Call elevate
az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01"
@@ -51,22 +58,27 @@ az rest --method POST --uri "https://management.azure.com/providers/Microsoft.Au
# Grant a user the Owner role
az role assignment create --assignee "<obeject-id>" --role "Owner" --scope "/"
```
### Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
Ova dozvola omogućava dodavanje federisanih kredencijala upravljanim identitetima. Na primer, omogućava pristup Github Actions u repozitorijumu upravljanom identitetu. Zatim, omogućava **pristup bilo kojem korisnički definisanom upravljanom identitetu**.
This permission allows to add Federated credentials to managed identities. E.g. give access to Github Actions in a repo to a managed identity. Then, it allows to **access any user defined managed identity**.
Example command to give access to a repo in Github to the a managed identity:
Primer komande za davanje pristupa repozitorijumu u Github-u upravljanom identitetu:
```bash
# Generic example:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/<subscription-id>/resourceGroups/<res-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<managed-identity-name>/federatedIdentityCredentials/<name-new-federated-creds>?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:<org-name>/<repo-name>:ref:refs/heads/<branch-name>","audiences":["api://AzureADTokenExchange"]}}'
# Example with specific data:
az rest --method PUT \
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
--uri "https://management.azure.com//subscriptions/92913047-10a6-2376-82a4-6f04b2d03798/resourceGroups/Resource_Group_1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/funcGithub-id-913c/federatedIdentityCredentials/CustomGH2?api-version=2023-01-31" \
--headers "Content-Type=application/json" \
--body '{"properties":{"issuer":"https://token.actions.githubusercontent.com","subject":"repo:carlospolop/azure_func4:ref:refs/heads/main","audiences":["api://AzureADTokenExchange"]}}'
```
{{#include ../../../banners/hacktricks-training.md}}

51
src/pentesting-cloud/gcp-security/gcp-services/gcp-source-repositories-enum.md
View File

@@ -1,37 +1,38 @@
# GCP - Enum Repozitorijumi Izvora
# GCP - Source Repositories Enum
{{#include ../../../banners/hacktricks-training.md}}
## Osnovne Informacije <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
## Basic Information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
Google Cloud Source Repositories je potpuno opremljena, skalabilna, **privatna Git usluga za repozitorijume**. Dizajnirana je da **hostuje vaš izvorni kod u potpuno upravljanom okruženju**, besprekorno se integrišući sa drugim GCP alatima i uslugama. Pruža kolaborativno i sigurno mesto za timove da čuvaju, upravljaju i prate svoj kod.
Google Cloud Source Repositories is a fully-featured, scalable, **private Git repository service**. It's designed to **host your source code in a fully managed environment**, integrating seamlessly with other GCP tools and services. It offers a collaborative and secure place for teams to store, manage, and track their code.
Ključne karakteristike Cloud Source Repositories uključuju:
Key features of Cloud Source Repositories include:
1. **Potpuno Upravljano Git Hosting**: Pruža poznatu funkcionalnost Gita, što znači da možete koristiti uobičajene Git komande i radne tokove.
2. **Integracija sa GCP Uslugama**: Integrira se sa drugim GCP uslugama kao što su Cloud Build, Pub/Sub i App Engine za end-to-end praćenje od koda do implementacije.
3. **Privatni Repozitorijumi**: Osigurava da je vaš kod pohranjen sigurno i privatno. Možete kontrolisati pristup koristeći Cloud Identity and Access Management (IAM) uloge.
4. **Analiza Izvornog Koda**: Radi sa drugim GCP alatima kako bi pružila automatsku analizu vašeg izvornog koda, identifikujući potencijalne probleme kao što su greške, ranjivosti ili loše prakse kodiranja.
5. **Alati za Saradnju**: Podržava kolaborativno kodiranje sa alatima kao što su zahtevi za spajanje, komentari i recenzije.
6. **Podrška za Ogledala**: Omogućava vam da povežete Cloud Source Repositories sa repozitorijumima hostovanim na GitHub-u ili Bitbucket-u, omogućavajući automatsku sinhronizaciju i pružajući jedinstven prikaz svih vaših repozitorijuma.
1. **Fully Managed Git Hosting**: Offers the familiar functionality of Git, meaning you can use regular Git commands and workflows.
2. **Integration with GCP Services**: Integrates with other GCP services like Cloud Build, Pub/Sub, and App Engine for end-to-end traceability from code to deployment.
3. **Private Repositories**: Ensures your code is stored securely and privately. You can control access using Cloud Identity and Access Management (IAM) roles.
4. **Source Code Analysis**: Works with other GCP tools to provide automated analysis of your source code, identifying potential issues like bugs, vulnerabilities, or bad coding practices.
5. **Collaboration Tools**: Supports collaborative coding with tools like merge requests, comments, and reviews.
6. **Mirror Support**: Allows you to connect Cloud Source Repositories with repositories hosted on GitHub or Bitbucket, enabling automatic synchronization and providing a unified view of all your repositories.
### OffSec informacije <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
### OffSec information <a href="#reviewing-cloud-git-repositories" id="reviewing-cloud-git-repositories"></a>
- Konfiguracija repozitorijuma izvora unutar projekta će imati **Servisni Nalog** koji se koristi za objavljivanje Cloud Pub/Sub poruka. Podrazumevani koji se koristi je **Compute SA**. Međutim, **ne mislim da je moguće ukrasti njegov token** iz Source Repositories jer se izvršava u pozadini.
- Da biste videli kod unutar GCP Cloud Source Repositories web konzole ([https://source.cloud.google.com/](https://source.cloud.google.com/)), potrebno je da kod bude **unutar master grane po defaultu**.
- Takođe možete **napraviti ogledalo Cloud Repozitorijuma** koje pokazuje na repo sa **Github-a** ili **Bitbucket-a** (dajući pristup tim platformama).
- Moguće je **kodirati i debagovati iz GCP-a**.
- Po defaultu, Source Repositories **sprečava privatne ključeve da budu poslati u commit-ima**, ali ovo se može onemogućiti.
- The source repositories configuration inside a project will have a **Service Account** used to publishing Cloud Pub/Sub messages. The default one used is the **Compute SA**. However, **I don't think it's possible steal its token** from Source Repositories as it's being executed in the background.
- To see the code inside the GCP Cloud Source Repositories web console ([https://source.cloud.google.com/](https://source.cloud.google.com/)), you need the code to be **inside master branch by default**.
- You can also **create a mirror Cloud Repository** pointing to a repo from **Github** or **Bitbucket** (giving access to those platforms).
- It's possible to **code & debug from inside GCP**.
- By default, Source Repositories **prevents private keys to be pushed in commits**, but this can be disabled.
### Otvorite u Cloud Shell
### Open In Cloud Shell
Moguće je otvoriti repozitorijum u Cloud Shell-u, prompt poput ovog će se pojaviti:
It's possible to open the repository in Cloud Shell, a prompt like this one will appear:
<figure><img src="../../../images/image (325).png" alt=""><figcaption></figcaption></figure>
Ovo će vam omogućiti da kodirate i debagujete u Cloud Shell-u (što može dovesti do kompromitovanja cloudshell-a).
This will allow you to code and debug in Cloud Shell (which could get cloudshell compromised).
### Enumeration
### Enumeracija
```bash
# Repos enumeration
gcloud source repos list #Get names and URLs
@@ -42,7 +43,7 @@ gcloud source repos get-iam-policy <repo_name>
gcloud source repos clone <REPO NAME>
gcloud source repos get-iam-policy <REPO NAME>
... git add & git commit -m ...
git push --set-upstream origin master
git push --set-upstream origin $BRANCH
git push -u origin master
# Access via git
@@ -50,16 +51,20 @@ git push -u origin master
git clone ssh://username@domain.com@source.developers.google.com:2022/p/<proj-name>/r/<repo-name>
git add, commit, push...
```
### Eskalacija privilegija i post eksploatacija
### Privilege Escalation & Post Exploitation
{{#ref}}
../gcp-privilege-escalation/gcp-sourcerepos-privesc.md
{{#endref}}
### Neautentifikovana enumeracija
### Unauthenticated Enum
{{#ref}}
../gcp-unauthenticated-enum-and-access/gcp-source-repositories-unauthenticated-enum.md
{{#endref}}
{{#include ../../../banners/hacktricks-training.md}}